1*4d7e907cSAndroid Build Coastguard Worker /*
2*4d7e907cSAndroid Build Coastguard Worker * Copyright (C) 2020 The Android Open Source Project
3*4d7e907cSAndroid Build Coastguard Worker *
4*4d7e907cSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*4d7e907cSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*4d7e907cSAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*4d7e907cSAndroid Build Coastguard Worker *
8*4d7e907cSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*4d7e907cSAndroid Build Coastguard Worker *
10*4d7e907cSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*4d7e907cSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*4d7e907cSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*4d7e907cSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*4d7e907cSAndroid Build Coastguard Worker * limitations under the License.
15*4d7e907cSAndroid Build Coastguard Worker */
16*4d7e907cSAndroid Build Coastguard Worker
17*4d7e907cSAndroid Build Coastguard Worker #define LOG_TAG "UpdateCredentialTests"
18*4d7e907cSAndroid Build Coastguard Worker
19*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Gtest.h>
20*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Vintf.h>
21*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/VerificationToken.h>
23*4d7e907cSAndroid Build Coastguard Worker #include <android-base/logging.h>
24*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/IIdentityCredentialStore.h>
25*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/support/IdentityCredentialSupport.h>
26*4d7e907cSAndroid Build Coastguard Worker #include <binder/IServiceManager.h>
27*4d7e907cSAndroid Build Coastguard Worker #include <binder/ProcessState.h>
28*4d7e907cSAndroid Build Coastguard Worker #include <cppbor.h>
29*4d7e907cSAndroid Build Coastguard Worker #include <cppbor_parse.h>
30*4d7e907cSAndroid Build Coastguard Worker #include <gtest/gtest.h>
31*4d7e907cSAndroid Build Coastguard Worker #include <future>
32*4d7e907cSAndroid Build Coastguard Worker #include <map>
33*4d7e907cSAndroid Build Coastguard Worker #include <utility>
34*4d7e907cSAndroid Build Coastguard Worker
35*4d7e907cSAndroid Build Coastguard Worker #include "Util.h"
36*4d7e907cSAndroid Build Coastguard Worker
37*4d7e907cSAndroid Build Coastguard Worker namespace android::hardware::identity {
38*4d7e907cSAndroid Build Coastguard Worker
39*4d7e907cSAndroid Build Coastguard Worker using std::endl;
40*4d7e907cSAndroid Build Coastguard Worker using std::make_pair;
41*4d7e907cSAndroid Build Coastguard Worker using std::map;
42*4d7e907cSAndroid Build Coastguard Worker using std::optional;
43*4d7e907cSAndroid Build Coastguard Worker using std::pair;
44*4d7e907cSAndroid Build Coastguard Worker using std::string;
45*4d7e907cSAndroid Build Coastguard Worker using std::tie;
46*4d7e907cSAndroid Build Coastguard Worker using std::vector;
47*4d7e907cSAndroid Build Coastguard Worker
48*4d7e907cSAndroid Build Coastguard Worker using ::android::sp;
49*4d7e907cSAndroid Build Coastguard Worker using ::android::String16;
50*4d7e907cSAndroid Build Coastguard Worker using ::android::binder::Status;
51*4d7e907cSAndroid Build Coastguard Worker
52*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::HardwareAuthToken;
53*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::VerificationToken;
54*4d7e907cSAndroid Build Coastguard Worker
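// Test fixture for IIdentityCredential::updateCredential().
//
// The fixture is parameterized on the name of an IIdentityCredentialStore HAL
// instance. SetUp() connects to that instance and records its interface version
// so individual tests can skip themselves on HALs that are too old.
class UpdateCredentialTests : public testing::TestWithParam<string> {
  public:
    void SetUp() override {
        credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
                String16(GetParam().c_str()));
        ASSERT_NE(credentialStore_, nullptr);
        halApiVersion_ = credentialStore_->getInterfaceVersion();
    }

    // Provisions a small test credential and fills in credentialData_ and
    // credentialPubKey_. Uses ASSERT_* internally, so a fatal failure only
    // returns from this helper, not from the calling test.
    void provisionData();

    // Set by provisionData
    vector<uint8_t> credentialData_;
    vector<uint8_t> credentialPubKey_;

    sp<IIdentityCredentialStore> credentialStore_;
    // Initialized so the member holds a defined value even when SetUp() returns
    // early at ASSERT_NE above, before the version has been queried.
    int halApiVersion_ = 0;
};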
73*4d7e907cSAndroid Build Coastguard Worker
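// Provisions a minimal test credential (one access control profile, one data
// element) through the HAL under test.
//
// On success credentialData_ holds the data returned by finishAddingEntries()
// and credentialPubKey_ holds the public key taken from the first certificate
// of the attestation chain. The helper also checks that the ProofOfProvisioning
// is signed by that key.
//
// This helper uses ASSERT_* macros. A fatal failure here only returns from this
// function, so callers should wrap the call in ASSERT_NO_FATAL_FAILURE() (or
// check HasFatalFailure()) before relying on the members it sets.
void UpdateCredentialTests::provisionData() {
    string docType = "org.iso.18013-5.2019.mdl";
    bool testCredential = true;
    sp<IWritableIdentityCredential> wc;
    ASSERT_TRUE(credentialStore_->createCredential(docType, testCredential, &wc).isOk());

    vector<uint8_t> attestationApplicationId = {};
    vector<uint8_t> attestationChallenge = {1};
    vector<Certificate> certChain;
    ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
                                              &certChain)
                        .isOk());
    // An OK status with an empty chain would otherwise make certChain[0] below
    // an out-of-bounds access instead of a reported test failure.
    ASSERT_FALSE(certChain.empty());

    optional<vector<uint8_t>> optCredentialPubKey =
            support::certificateChainGetTopMostKey(certChain[0].encodedCertificate);
    ASSERT_TRUE(optCredentialPubKey);
    credentialPubKey_ = optCredentialPubKey.value();

    size_t proofOfProvisioningSize = 112;
    // Not in v1 HAL, may fail - the returned status is deliberately not checked.
    wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);

    ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
                                         {1} /* numDataElementsPerNamespace */)
                        .isOk());

    // Access control profile with id 1: open access - don't care about the returned SACP
    SecureAccessControlProfile sacp;
    ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk());

    // Single entry - don't care about the returned encrypted data
    vector<uint8_t> encryptedData;
    vector<uint8_t> tstrLastName = cppbor::Tstr("Prince").encode();
    ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk());
    ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk());

    vector<uint8_t> proofOfProvisioningSignature;
    Status status = wc->finishAddingEntries(&credentialData_, &proofOfProvisioningSignature);
    EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();

    optional<vector<uint8_t>> proofOfProvisioning =
            support::coseSignGetPayload(proofOfProvisioningSignature);
    ASSERT_TRUE(proofOfProvisioning);
    string cborPretty = cppbor::prettyPrint(proofOfProvisioning.value(), 32, {});
    // The comparison is exact, so whitespace inside these literals is significant.
    EXPECT_EQ(
            "[\n"
            " 'ProofOfProvisioning',\n"
            " 'org.iso.18013-5.2019.mdl',\n"
            " [\n"
            " {\n"
            " 'id' : 1,\n"
            " },\n"
            " ],\n"
            " {\n"
            " 'ns' : [\n"
            " {\n"
            " 'name' : 'Last name',\n"
            " 'value' : 'Prince',\n"
            " 'accessControlProfiles' : [1, ],\n"
            " },\n"
            " ],\n"
            " },\n"
            " true,\n"
            "]",
            cborPretty);
    // Make sure it's signed by the CredentialKey in the returned cert chain.
    EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
                                                 {},  // Additional data
                                                 credentialPubKey_));
}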
144*4d7e907cSAndroid Build Coastguard Worker
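// Verifies IIdentityCredential::updateCredential() (HAL API version 3+):
//  - the writable credential obtained for an update refuses to issue a new
//    attestation certificate, and
//  - after re-provisioning with new data, the ProofOfProvisioning is signed by
//    the same CredentialKey that was attested at original provisioning time.
TEST_P(UpdateCredentialTests, updateCredential) {
    if (halApiVersion_ < 3) {
        GTEST_SKIP() << "Need HAL API version 3, have " << halApiVersion_;
    }

    // provisionData() uses ASSERT_* internally; a fatal failure there only
    // returns from the helper. Stop here instead of continuing with an unset
    // credentialData_ / credentialPubKey_.
    ASSERT_NO_FATAL_FAILURE(provisionData());

    sp<IIdentityCredential> credential;
    ASSERT_TRUE(credentialStore_
                        ->getCredential(
                                CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256,
                                credentialData_, &credential)
                        .isOk());
    // Report a failure rather than dereferencing null if the HAL returns an OK
    // status without filling in the out-parameter.
    ASSERT_NE(credential, nullptr);

    sp<IWritableIdentityCredential> wc;
    ASSERT_TRUE(credential->updateCredential(&wc).isOk());
    ASSERT_NE(wc, nullptr);

    // Getting an attestation cert should fail (because it's an update).
    vector<uint8_t> attestationApplicationId = {};
    vector<uint8_t> attestationChallenge = {1};
    vector<Certificate> certChain;
    Status result = wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
                                                  &certChain);
    ASSERT_FALSE(result.isOk());
    EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
    EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());

    // Now provision some new data...
    //
    size_t proofOfProvisioningSize = 117;
    // Not in v1 HAL, may fail - the returned status is deliberately not checked.
    wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);

    ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
                                         {1} /* numDataElementsPerNamespace */)
                        .isOk());

    // Access control profile with id 2: open access - don't care about the returned SACP
    SecureAccessControlProfile sacp;
    ASSERT_TRUE(wc->addAccessControlProfile(2, {}, false, 0, 0, &sacp).isOk());

    // Single entry - don't care about the returned encrypted data
    vector<uint8_t> encryptedData;
    vector<uint8_t> tstrLastName = cppbor::Tstr("T.A.F.K.A.P").encode();
    ASSERT_TRUE(wc->beginAddEntry({2}, "ns", "Last name", tstrLastName.size()).isOk());
    ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk());

    vector<uint8_t> proofOfProvisioningSignature;
    Status status = wc->finishAddingEntries(&credentialData_, &proofOfProvisioningSignature);
    EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();
    optional<vector<uint8_t>> proofOfProvisioning =
            support::coseSignGetPayload(proofOfProvisioningSignature);
    ASSERT_TRUE(proofOfProvisioning);
    string cborPretty = cppbor::prettyPrint(proofOfProvisioning.value(), 32, {});
    // The comparison is exact, so whitespace inside these literals is significant.
    EXPECT_EQ(
            "[\n"
            " 'ProofOfProvisioning',\n"
            " 'org.iso.18013-5.2019.mdl',\n"
            " [\n"
            " {\n"
            " 'id' : 2,\n"
            " },\n"
            " ],\n"
            " {\n"
            " 'ns' : [\n"
            " {\n"
            " 'name' : 'Last name',\n"
            " 'value' : 'T.A.F.K.A.P',\n"
            " 'accessControlProfiles' : [2, ],\n"
            " },\n"
            " ],\n"
            " },\n"
            " true,\n"
            "]",
            cborPretty);
    // Make sure it's signed by the same CredentialKey we originally provisioned with.
    // credentialPubKey_ was captured from the attestation chain during the
    // initial provisioning and is not refreshed by the update above.
    EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
                                                 {},  // Additional data
                                                 credentialPubKey_));
}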
225*4d7e907cSAndroid Build Coastguard Worker
// Do not fail the build/run when the parameter list below turns out to be
// empty, e.g. when no IIdentityCredentialStore instance is declared.
GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(UpdateCredentialTests);

// Instantiate the suite once per IIdentityCredentialStore AIDL HAL instance
// name, using the instance name to label each test.
INSTANTIATE_TEST_SUITE_P(Identity, UpdateCredentialTests,
                         testing::ValuesIn(android::getAidlHalInstanceNames(
                                 IIdentityCredentialStore::descriptor)),
                         android::PrintInstanceNameToString);
231*4d7e907cSAndroid Build Coastguard Worker
232*4d7e907cSAndroid Build Coastguard Worker } // namespace android::hardware::identity