| /* |
| * Copyright (C) 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #define LOG_TAG "TestCredentialTests" |
| |
| #include <aidl/Gtest.h> |
| #include <aidl/Vintf.h> |
| #include <aidl/android/hardware/keymaster/HardwareAuthToken.h> |
| #include <aidl/android/hardware/keymaster/VerificationToken.h> |
| #include <android-base/logging.h> |
| #include <android/hardware/identity/IIdentityCredentialStore.h> |
| #include <android/hardware/identity/support/IdentityCredentialSupport.h> |
| #include <binder/IServiceManager.h> |
| #include <binder/ProcessState.h> |
| #include <cppbor.h> |
| #include <cppbor_parse.h> |
| #include <gtest/gtest.h> |
| #include <future> |
| #include <map> |
| #include <utility> |
| |
| #include "Util.h" |
| |
| namespace android::hardware::identity { |
| |
| using std::endl; |
| using std::make_pair; |
| using std::map; |
| using std::optional; |
| using std::pair; |
| using std::string; |
| using std::tie; |
| using std::vector; |
| |
| using ::android::sp; |
| using ::android::String16; |
| using ::android::binder::Status; |
| |
| using ::android::hardware::keymaster::HardwareAuthToken; |
| using ::android::hardware::keymaster::VerificationToken; |
| |
| class TestCredentialTests : public testing::TestWithParam<string> { |
| public: |
| virtual void SetUp() override { |
| string halInstanceName = GetParam(); |
| credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>( |
| String16(halInstanceName.c_str())); |
| ASSERT_NE(credentialStore_, nullptr); |
| halApiVersion_ = credentialStore_->getInterfaceVersion(); |
| } |
| |
| sp<IIdentityCredentialStore> credentialStore_; |
| int halApiVersion_; |
| }; |
| |
| TEST_P(TestCredentialTests, testCredential) { |
| string docType = "org.iso.18013-5.2019.mdl"; |
| sp<IWritableIdentityCredential> wc; |
| ASSERT_TRUE(credentialStore_ |
| ->createCredential(docType, |
| true, // testCredential |
| &wc) |
| .isOk()); |
| |
| vector<uint8_t> attestationApplicationId = {}; |
| vector<uint8_t> attestationChallenge = {1}; |
| vector<Certificate> certChain; |
| ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge, |
| &certChain) |
| .isOk()); |
| |
| optional<vector<uint8_t>> optCredentialPubKey = |
| support::certificateChainGetTopMostKey(certChain[0].encodedCertificate); |
| ASSERT_TRUE(optCredentialPubKey); |
| vector<uint8_t> credentialPubKey; |
| credentialPubKey = optCredentialPubKey.value(); |
| |
| size_t proofOfProvisioningSize = 112; |
| // Not in v1 HAL, may fail |
| wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize); |
| |
| ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */, |
| {1} /* numDataElementsPerNamespace */) |
| .isOk()); |
| |
| // Access control profile 0: open access - don't care about the returned SACP |
| SecureAccessControlProfile sacp; |
| ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk()); |
| |
| // Single entry - don't care about the returned encrypted data |
| vector<uint8_t> encryptedData; |
| vector<uint8_t> tstrLastName = cppbor::Tstr("Turing").encode(); |
| ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk()); |
| ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk()); |
| |
| vector<uint8_t> proofOfProvisioningSignature; |
| vector<uint8_t> credentialData; |
| Status status = wc->finishAddingEntries(&credentialData, &proofOfProvisioningSignature); |
| EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage(); |
| |
| optional<vector<uint8_t>> proofOfProvisioning = |
| support::coseSignGetPayload(proofOfProvisioningSignature); |
| ASSERT_TRUE(proofOfProvisioning); |
| string cborPretty = cppbor::prettyPrint(proofOfProvisioning.value(), 32, {}); |
| EXPECT_EQ( |
| "[\n" |
| " 'ProofOfProvisioning',\n" |
| " 'org.iso.18013-5.2019.mdl',\n" |
| " [\n" |
| " {\n" |
| " 'id' : 1,\n" |
| " },\n" |
| " ],\n" |
| " {\n" |
| " 'ns' : [\n" |
| " {\n" |
| " 'name' : 'Last name',\n" |
| " 'value' : 'Turing',\n" |
| " 'accessControlProfiles' : [1, ],\n" |
| " },\n" |
| " ],\n" |
| " },\n" |
| " true,\n" |
| "]", |
| cborPretty); |
| // Make sure it's signed by the CredentialKey in the returned cert chain. |
| EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature, |
| {}, // Additional data |
| credentialPubKey)); |
| |
| // Now analyze credentialData.. |
| auto [item, _, message] = cppbor::parse(credentialData); |
| ASSERT_NE(item, nullptr); |
| const cppbor::Array* arrayItem = item->asArray(); |
| ASSERT_NE(arrayItem, nullptr); |
| ASSERT_EQ(arrayItem->size(), 3); |
| const cppbor::Tstr* docTypeItem = (*arrayItem)[0]->asTstr(); |
| const cppbor::Bool* testCredentialItem = |
| ((*arrayItem)[1]->asSimple() != nullptr ? ((*arrayItem)[1]->asSimple()->asBool()) |
| : nullptr); |
| EXPECT_EQ(docTypeItem->value(), docType); |
| EXPECT_EQ(testCredentialItem->value(), true); |
| |
| vector<uint8_t> hardwareBoundKey = support::getTestHardwareBoundKey(); |
| const cppbor::Bstr* encryptedCredentialKeysItem = (*arrayItem)[2]->asBstr(); |
| const vector<uint8_t>& encryptedCredentialKeys = encryptedCredentialKeysItem->value(); |
| const vector<uint8_t> docTypeVec(docType.begin(), docType.end()); |
| optional<vector<uint8_t>> decryptedCredentialKeys = |
| support::decryptAes128Gcm(hardwareBoundKey, encryptedCredentialKeys, docTypeVec); |
| ASSERT_TRUE(decryptedCredentialKeys); |
| auto [dckItem, dckPos, dckMessage] = cppbor::parse(decryptedCredentialKeys.value()); |
| ASSERT_NE(dckItem, nullptr) << dckMessage; |
| const cppbor::Array* dckArrayItem = dckItem->asArray(); |
| ASSERT_NE(dckArrayItem, nullptr); |
| // In HAL API version 1 and 2 this array has two items, in version 3 and later it has three. |
| if (halApiVersion_ < 3) { |
| ASSERT_EQ(dckArrayItem->size(), 2); |
| } else { |
| ASSERT_EQ(dckArrayItem->size(), 3); |
| } |
| const cppbor::Bstr* storageKeyItem = (*dckArrayItem)[0]->asBstr(); |
| const vector<uint8_t> storageKey = storageKeyItem->value(); |
| // const cppbor::Bstr* credentialPrivKeyItem = (*dckArrayItem)[1]->asBstr(); |
| // const vector<uint8_t> credentialPrivKey = credentialPrivKeyItem->value(); |
| |
| // Check storageKey can be used to decrypt |encryptedData| to |tstrLastName| |
| vector<uint8_t> additionalData = cppbor::Map() |
| .add("Namespace", "ns") |
| .add("Name", "Last name") |
| .add("AccessControlProfileIds", cppbor::Array().add(1)) |
| .encode(); |
| optional<vector<uint8_t>> decryptedDataItemValue = |
| support::decryptAes128Gcm(storageKey, encryptedData, additionalData); |
| ASSERT_TRUE(decryptedDataItemValue); |
| EXPECT_EQ(decryptedDataItemValue.value(), tstrLastName); |
| |
| // Check that SHA-256(ProofOfProvisioning) matches (only in HAL API version 3) |
| if (halApiVersion_ >= 3) { |
| const cppbor::Bstr* popSha256Item = (*dckArrayItem)[2]->asBstr(); |
| const vector<uint8_t> popSha256 = popSha256Item->value(); |
| ASSERT_EQ(popSha256, support::sha256(proofOfProvisioning.value())); |
| } |
| } |
| |
| GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(TestCredentialTests); |
| INSTANTIATE_TEST_SUITE_P( |
| Identity, TestCredentialTests, |
| testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)), |
| android::PrintInstanceNameToString); |
| |
| } // namespace android::hardware::identity |