xref: /aosp_15_r20/hardware/interfaces/identity/aidl/vts/TestCredentialTests.cpp (revision 4d7e907c777eeecc4c5bd7cf640a754fac206ff7)
1*4d7e907cSAndroid Build Coastguard Worker /*
2*4d7e907cSAndroid Build Coastguard Worker  * Copyright (C) 2020 The Android Open Source Project
3*4d7e907cSAndroid Build Coastguard Worker  *
4*4d7e907cSAndroid Build Coastguard Worker  * Licensed under the Apache License, Version 2.0 (the "License");
5*4d7e907cSAndroid Build Coastguard Worker  * you may not use this file except in compliance with the License.
6*4d7e907cSAndroid Build Coastguard Worker  * You may obtain a copy of the License at
7*4d7e907cSAndroid Build Coastguard Worker  *
8*4d7e907cSAndroid Build Coastguard Worker  *      http://www.apache.org/licenses/LICENSE-2.0
9*4d7e907cSAndroid Build Coastguard Worker  *
10*4d7e907cSAndroid Build Coastguard Worker  * Unless required by applicable law or agreed to in writing, software
11*4d7e907cSAndroid Build Coastguard Worker  * distributed under the License is distributed on an "AS IS" BASIS,
12*4d7e907cSAndroid Build Coastguard Worker  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*4d7e907cSAndroid Build Coastguard Worker  * See the License for the specific language governing permissions and
14*4d7e907cSAndroid Build Coastguard Worker  * limitations under the License.
15*4d7e907cSAndroid Build Coastguard Worker  */
16*4d7e907cSAndroid Build Coastguard Worker 
17*4d7e907cSAndroid Build Coastguard Worker #define LOG_TAG "TestCredentialTests"
18*4d7e907cSAndroid Build Coastguard Worker 
19*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Gtest.h>
20*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Vintf.h>
21*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/VerificationToken.h>
23*4d7e907cSAndroid Build Coastguard Worker #include <android-base/logging.h>
24*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/IIdentityCredentialStore.h>
25*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/support/IdentityCredentialSupport.h>
26*4d7e907cSAndroid Build Coastguard Worker #include <binder/IServiceManager.h>
27*4d7e907cSAndroid Build Coastguard Worker #include <binder/ProcessState.h>
28*4d7e907cSAndroid Build Coastguard Worker #include <cppbor.h>
29*4d7e907cSAndroid Build Coastguard Worker #include <cppbor_parse.h>
30*4d7e907cSAndroid Build Coastguard Worker #include <gtest/gtest.h>
31*4d7e907cSAndroid Build Coastguard Worker #include <future>
32*4d7e907cSAndroid Build Coastguard Worker #include <map>
33*4d7e907cSAndroid Build Coastguard Worker #include <utility>
34*4d7e907cSAndroid Build Coastguard Worker 
35*4d7e907cSAndroid Build Coastguard Worker #include "Util.h"
36*4d7e907cSAndroid Build Coastguard Worker 
37*4d7e907cSAndroid Build Coastguard Worker namespace android::hardware::identity {
38*4d7e907cSAndroid Build Coastguard Worker 
39*4d7e907cSAndroid Build Coastguard Worker using std::endl;
40*4d7e907cSAndroid Build Coastguard Worker using std::make_pair;
41*4d7e907cSAndroid Build Coastguard Worker using std::map;
42*4d7e907cSAndroid Build Coastguard Worker using std::optional;
43*4d7e907cSAndroid Build Coastguard Worker using std::pair;
44*4d7e907cSAndroid Build Coastguard Worker using std::string;
45*4d7e907cSAndroid Build Coastguard Worker using std::tie;
46*4d7e907cSAndroid Build Coastguard Worker using std::vector;
47*4d7e907cSAndroid Build Coastguard Worker 
48*4d7e907cSAndroid Build Coastguard Worker using ::android::sp;
49*4d7e907cSAndroid Build Coastguard Worker using ::android::String16;
50*4d7e907cSAndroid Build Coastguard Worker using ::android::binder::Status;
51*4d7e907cSAndroid Build Coastguard Worker 
52*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::HardwareAuthToken;
53*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::VerificationToken;
54*4d7e907cSAndroid Build Coastguard Worker 
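// Fixture for the test-credential VTS case. The test parameter is the name of one
// IIdentityCredentialStore HAL instance; SetUp() connects to that instance and records the
// interface version it reports, so the test body can branch on version-specific behaviour.
class TestCredentialTests : public testing::TestWithParam<string> {
  public:
    // Connects to the HAL instance named by GetParam(). The ASSERT aborts the test before the
    // body runs if no service is returned, so credentialStore_ is non-null inside the test.
    void SetUp() override {
        const string halInstanceName = GetParam();
        credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
                String16(halInstanceName.c_str()));
        ASSERT_NE(credentialStore_, nullptr);
        halApiVersion_ = credentialStore_->getInterfaceVersion();
    }

    // Handle to the HAL instance under test; set in SetUp().
    sp<IIdentityCredentialStore> credentialStore_;
    // Interface version reported by the HAL. Initialized so that it never holds an indeterminate
    // value if SetUp() bails out before the assignment.
    int halApiVersion_ = 0;
};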
68*4d7e907cSAndroid Build Coastguard Worker 
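// Provisions a minimal credential with testCredential = true and verifies what the HAL returns:
//   1. the ProofOfProvisioning CBOR has the expected content and is signed by the CredentialKey
//      taken from the attestation certificate chain;
//   2. credentialData is a three-element CBOR array [docType, testCredential, encryptedKeys];
//   3. encryptedKeys can be decrypted with the test hardware-bound key, and the storage key
//      inside it decrypts the entry value that was provisioned;
//   4. for HAL API version 3 and later, the stored SHA-256 matches the ProofOfProvisioning.
//
// Every pointer obtained from a HAL response or from a cppbor type accessor is checked before
// it is dereferenced, so a non-conforming HAL produces a test failure instead of a crash.
TEST_P(TestCredentialTests, testCredential) {
    string docType = "org.iso.18013-5.2019.mdl";
    sp<IWritableIdentityCredential> wc;
    ASSERT_TRUE(credentialStore_
                        ->createCredential(docType,
                                           true,  // testCredential
                                           &wc)
                        .isOk());
    // An OK status with a null out-parameter would otherwise crash on the first wc-> call.
    ASSERT_NE(wc, nullptr);

    vector<uint8_t> attestationApplicationId = {};
    vector<uint8_t> attestationChallenge = {1};
    vector<Certificate> certChain;
    ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
                                              &certChain)
                        .isOk());
    // certChain[0] is read below; an empty chain would be an out-of-bounds access.
    ASSERT_FALSE(certChain.empty());

    optional<vector<uint8_t>> optCredentialPubKey =
            support::certificateChainGetTopMostKey(certChain[0].encodedCertificate);
    ASSERT_TRUE(optCredentialPubKey);
    vector<uint8_t> credentialPubKey = optCredentialPubKey.value();

    size_t proofOfProvisioningSize = 112;
    // Not in v1 HAL, may fail - the returned status is deliberately not checked.
    wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);

    ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
                                         {1} /* numDataElementsPerNamespace */)
                        .isOk());

    // Access control profile 0: open access - don't care about the returned SACP
    SecureAccessControlProfile sacp;
    ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk());

    // Single entry. The returned encrypted data is kept: it is decrypted with the storage key
    // further down to prove the key material in credentialData is the one actually used.
    vector<uint8_t> encryptedData;
    vector<uint8_t> tstrLastName = cppbor::Tstr("Turing").encode();
    ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk());
    ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk());

    vector<uint8_t> proofOfProvisioningSignature;
    vector<uint8_t> credentialData;
    Status status = wc->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
    EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();

    optional<vector<uint8_t>> proofOfProvisioning =
            support::coseSignGetPayload(proofOfProvisioningSignature);
    ASSERT_TRUE(proofOfProvisioning);
    string cborPretty = cppbor::prettyPrint(proofOfProvisioning.value(), 32, {});
    EXPECT_EQ(
            "[\n"
            "  'ProofOfProvisioning',\n"
            "  'org.iso.18013-5.2019.mdl',\n"
            "  [\n"
            "    {\n"
            "      'id' : 1,\n"
            "    },\n"
            "  ],\n"
            "  {\n"
            "    'ns' : [\n"
            "      {\n"
            "        'name' : 'Last name',\n"
            "        'value' : 'Turing',\n"
            "        'accessControlProfiles' : [1, ],\n"
            "      },\n"
            "    ],\n"
            "  },\n"
            "  true,\n"
            "]",
            cborPretty);
    // Make sure it's signed by the CredentialKey in the returned cert chain.
    EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
                                                 {},  // Additional data
                                                 credentialPubKey));

    // Now analyze credentialData..
    auto [item, _, message] = cppbor::parse(credentialData);
    ASSERT_NE(item, nullptr) << message;
    const cppbor::Array* arrayItem = item->asArray();
    ASSERT_NE(arrayItem, nullptr);
    ASSERT_EQ(arrayItem->size(), 3);
    // The as*() accessors return nullptr when the element has a different CBOR type, so each
    // result is asserted before use.
    const cppbor::Tstr* docTypeItem = (*arrayItem)[0]->asTstr();
    ASSERT_NE(docTypeItem, nullptr);
    const cppbor::Bool* testCredentialItem =
            ((*arrayItem)[1]->asSimple() != nullptr ? ((*arrayItem)[1]->asSimple()->asBool())
                                                    : nullptr);
    ASSERT_NE(testCredentialItem, nullptr);
    EXPECT_EQ(docTypeItem->value(), docType);
    EXPECT_EQ(testCredentialItem->value(), true);

    // The credential was created with testCredential = true, so its keys are unwrapped here with
    // the key from getTestHardwareBoundKey().
    // NOTE(review): presumably this is a fixed key reserved for test credentials, and a
    // credential created with testCredential = false must not be decryptable with it - confirm
    // against the HAL documentation.
    vector<uint8_t> hardwareBoundKey = support::getTestHardwareBoundKey();
    const cppbor::Bstr* encryptedCredentialKeysItem = (*arrayItem)[2]->asBstr();
    ASSERT_NE(encryptedCredentialKeysItem, nullptr);
    const vector<uint8_t>& encryptedCredentialKeys = encryptedCredentialKeysItem->value();
    // docType is passed in the same argument position as additionalData in the entry decryption
    // below, which ties the encrypted keys to this document type.
    const vector<uint8_t> docTypeVec(docType.begin(), docType.end());
    optional<vector<uint8_t>> decryptedCredentialKeys =
            support::decryptAes128Gcm(hardwareBoundKey, encryptedCredentialKeys, docTypeVec);
    ASSERT_TRUE(decryptedCredentialKeys);
    auto [dckItem, dckPos, dckMessage] = cppbor::parse(decryptedCredentialKeys.value());
    ASSERT_NE(dckItem, nullptr) << dckMessage;
    const cppbor::Array* dckArrayItem = dckItem->asArray();
    ASSERT_NE(dckArrayItem, nullptr);
    // In HAL API version 1 and 2 this array has two items, in version 3 and later it has three.
    if (halApiVersion_ < 3) {
        ASSERT_EQ(dckArrayItem->size(), 2);
    } else {
        ASSERT_EQ(dckArrayItem->size(), 3);
    }
    const cppbor::Bstr* storageKeyItem = (*dckArrayItem)[0]->asBstr();
    ASSERT_NE(storageKeyItem, nullptr);
    const vector<uint8_t> storageKey = storageKeyItem->value();
    // const cppbor::Bstr* credentialPrivKeyItem = (*dckArrayItem)[1]->asBstr();
    // const vector<uint8_t> credentialPrivKey = credentialPrivKeyItem->value();

    // Check storageKey can be used to decrypt |encryptedData| to |tstrLastName|
    vector<uint8_t> additionalData = cppbor::Map()
                                             .add("Namespace", "ns")
                                             .add("Name", "Last name")
                                             .add("AccessControlProfileIds", cppbor::Array().add(1))
                                             .encode();
    optional<vector<uint8_t>> decryptedDataItemValue =
            support::decryptAes128Gcm(storageKey, encryptedData, additionalData);
    ASSERT_TRUE(decryptedDataItemValue);
    EXPECT_EQ(decryptedDataItemValue.value(), tstrLastName);

    // Check that SHA-256(ProofOfProvisioning) matches (only in HAL API version 3)
    if (halApiVersion_ >= 3) {
        const cppbor::Bstr* popSha256Item = (*dckArrayItem)[2]->asBstr();
        ASSERT_NE(popSha256Item, nullptr);
        const vector<uint8_t> popSha256 = popSha256Item->value();
        ASSERT_EQ(popSha256, support::sha256(proofOfProvisioning.value()));
    }
}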
197*4d7e907cSAndroid Build Coastguard Worker 
// Tell gtest that an empty instantiation of this suite is acceptable, e.g. when the list of HAL
// instance names below turns out to be empty.
GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(TestCredentialTests);

// Instantiate the suite once per name returned by getAidlHalInstanceNames() for the
// IIdentityCredentialStore descriptor; PrintInstanceNameToString names each instantiation.
INSTANTIATE_TEST_SUITE_P(Identity, TestCredentialTests,
                         testing::ValuesIn(android::getAidlHalInstanceNames(
                                 IIdentityCredentialStore::descriptor)),
                         android::PrintInstanceNameToString);
203*4d7e907cSAndroid Build Coastguard Worker 
204*4d7e907cSAndroid Build Coastguard Worker }  // namespace android::hardware::identity