security/secretkeeper/aidl/vts/secretkeeper_test_client.rs - LeafOS-Project/android_hardware_interfaces - Gitiles

 /*
  * Copyright (C) 2023 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #[cfg(test)]
 use binder::StatusCode;
 use coset::{CborSerializable, CoseEncrypt0};
 use log::warn;
 use secretkeeper_core::cipher;
 use secretkeeper_comm::data_types::error::SecretkeeperError;
 use secretkeeper_comm::data_types::request::Request;
 use secretkeeper_comm::data_types::request_response_impl::{
     GetVersionRequest, GetVersionResponse, GetSecretRequest, GetSecretResponse, StoreSecretRequest,
     StoreSecretResponse };
 use secretkeeper_comm::data_types::{Id, ID_SIZE, Secret, SECRET_SIZE};
 use secretkeeper_comm::data_types::response::Response;
 use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType};
 use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::ISecretkeeper;
 use authgraph_vts_test as ag_vts;
 use authgraph_boringssl as boring;
 use authgraph_core::key;

 const SECRETKEEPER_IDENTIFIER: &str =
     "android.hardware.security.secretkeeper.ISecretkeeper/nonsecure";
 const CURRENT_VERSION: u64 = 1;

 // TODO(b/291238565): This will change once libdice_policy switches to Explicit-key DiceCertChain
 // This is generated by patching libdice_policy such that it dumps an example dice chain &
 // a policy, such that the former matches the latter.
 const HYPOTHETICAL_DICE_POLICY: [u8; 43] = [
     0x83, 0x01, 0x81, 0x83, 0x01, 0x80, 0xA1, 0x01, 0x00, 0x82, 0x83, 0x01, 0x81, 0x01, 0x73, 0x74,
     0x65, 0x73, 0x74, 0x69, 0x6E, 0x67, 0x5F, 0x64, 0x69, 0x63, 0x65, 0x5F, 0x70, 0x6F, 0x6C, 0x69,
     0x63, 0x79, 0x83, 0x02, 0x82, 0x03, 0x18, 0x64, 0x19, 0xE9, 0x75,
 ];

 // Random bytes (of ID_SIZE/SECRET_SIZE) generated for tests.
 const ID_EXAMPLE: [u8; ID_SIZE] = [
     0xF1, 0xB2, 0xED, 0x3B, 0xD1, 0xBD, 0xF0, 0x7D, 0xE1, 0xF0, 0x01, 0xFC, 0x61, 0x71, 0xD3, 0x42,
     0xE5, 0x8A, 0xAF, 0x33, 0x6C, 0x11, 0xDC, 0xC8, 0x6F, 0xAE, 0x12, 0x5C, 0x26, 0x44, 0x6B, 0x86,
     0xCC, 0x24, 0xFD, 0xBF, 0x91, 0x4A, 0x54, 0x84, 0xF9, 0x01, 0x59, 0x25, 0x70, 0x89, 0x38, 0x8D,
     0x5E, 0xE6, 0x91, 0xDF, 0x68, 0x60, 0x69, 0x26, 0xBE, 0xFE, 0x79, 0x58, 0xF7, 0xEA, 0x81, 0x7D,
 ];
 const ID_NOT_STORED: [u8; ID_SIZE] = [
     0x56, 0xD0, 0x4E, 0xAA, 0xC1, 0x7B, 0x55, 0x6B, 0xA0, 0x2C, 0x65, 0x43, 0x39, 0x0A, 0x6C, 0xE9,
     0x1F, 0xD0, 0x0E, 0x20, 0x3E, 0xFB, 0xF5, 0xF9, 0x3F, 0x5B, 0x11, 0x1B, 0x18, 0x73, 0xF6, 0xBB,
     0xAB, 0x9F, 0xF2, 0xD6, 0xBD, 0xBA, 0x25, 0x68, 0x22, 0x30, 0xF2, 0x1F, 0x90, 0x05, 0xF3, 0x64,
     0xE7, 0xEF, 0xC6, 0xB6, 0xA0, 0x85, 0xC9, 0x40, 0x40, 0xF0, 0xB4, 0xB9, 0xD8, 0x28, 0xEE, 0x9C,
 ];
 const SECRET_EXAMPLE: [u8; SECRET_SIZE] = [
     0xA9, 0x89, 0x97, 0xFE, 0xAE, 0x97, 0x55, 0x4B, 0x32, 0x35, 0xF0, 0xE8, 0x93, 0xDA, 0xEA, 0x24,
     0x06, 0xAC, 0x36, 0x8B, 0x3C, 0x95, 0x50, 0x16, 0x67, 0x71, 0x65, 0x26, 0xEB, 0xD0, 0xC3, 0x98,
 ];

 fn get_connection() -> Option<binder::Strong<dyn ISecretkeeper>> {
     match binder::get_interface(SECRETKEEPER_IDENTIFIER) {
         Ok(sk) => Some(sk),
         Err(StatusCode::NAME_NOT_FOUND) => None,
         Err(e) => {
             panic!(
                 "unexpected error while fetching connection to Secretkeeper {:?}",
                 e
             );
         }
     }
 }

 /// Secretkeeper client information.
 struct SkClient {
     sk: binder::Strong<dyn ISecretkeeper>,
     aes_keys: [key::AesKey; 2],
     session_id: Vec<u8>,
 }

 impl SkClient {
     fn new() -> Option<Self> {
         let sk = get_connection()?;
         let (aes_keys, session_id) = authgraph_key_exchange(sk.clone());
         Some(Self {
             sk,
             aes_keys,
             session_id,
         })
     }
     /// Wrapper around `ISecretkeeper::processSecretManagementRequest` that handles
     /// encryption and decryption.
     fn secret_management_request(&self, req_data: &[u8]) -> Vec<u8> {
         let aes_gcm = boring::BoringAes;
         let rng = boring::BoringRng;
         let request_bytes = cipher::encrypt_message(
             &aes_gcm,
             &rng,
             &self.aes_keys[0],
             &self.session_id,
             &req_data,
         )
         .unwrap();

         let response_bytes = self
             .sk
             .processSecretManagementRequest(&request_bytes)
             .unwrap();

         let response_encrypt0 = CoseEncrypt0::from_slice(&response_bytes).unwrap();
         cipher::decrypt_message(&aes_gcm, &self.aes_keys[1], &response_encrypt0).unwrap()
     }
 }

 /// Perform AuthGraph key exchange, returning the session keys and session ID.
 fn authgraph_key_exchange(sk: binder::Strong<dyn ISecretkeeper>) -> ([key::AesKey; 2], Vec<u8>) {
     let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
     let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
     ag_vts::sink::test_mainline(&mut source, sink)
 }

 /// Test that the AuthGraph instance returned by SecretKeeper correctly performs
 /// mainline key exchange against a local source implementation.
 #[test]
 fn authgraph_mainline() {
     let sk = match get_connection() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };
     let (_aes_keys, _session_id) = authgraph_key_exchange(sk);
 }

 /// Test that the AuthGraph instance returned by SecretKeeper correctly rejects
 /// a corrupted session ID signature.
 #[test]
 fn authgraph_corrupt_sig() {
     let sk = match get_connection() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };
     let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
     let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
     ag_vts::sink::test_corrupt_sig(&mut source, sink);
 }

 /// Test that the AuthGraph instance returned by SecretKeeper correctly detects
 /// when corrupted keys are returned to it.
 #[test]
 fn authgraph_corrupt_keys() {
     let sk = match get_connection() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };
     let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
     let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
     ag_vts::sink::test_corrupt_keys(&mut source, sink);
 }

 // TODO(b/2797757): Add tests that match different HAL defined objects (like request/response)
 // with expected bytes.

 #[test]
 fn secret_management_get_version() {
     let sk_client = match SkClient::new() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };

     let request = GetVersionRequest {};
     let request_packet = request.serialize_to_packet();
     let request_bytes = request_packet.to_vec().unwrap();

     let response_bytes = sk_client.secret_management_request(&request_bytes);

     let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
     assert_eq!(
         response_packet.response_type().unwrap(),
         ResponseType::Success
     );
     let get_version_response =
         *GetVersionResponse::deserialize_from_packet(response_packet).unwrap();
     assert_eq!(get_version_response.version, CURRENT_VERSION);
 }

 #[test]
 fn secret_management_malformed_request() {
     let sk_client = match SkClient::new() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };

     let request = GetVersionRequest {};
     let request_packet = request.serialize_to_packet();
     let mut request_bytes = request_packet.to_vec().unwrap();

     // Deform the request
     request_bytes[0] = !request_bytes[0];

     let response_bytes = sk_client.secret_management_request(&request_bytes);

     let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
     assert_eq!(
         response_packet.response_type().unwrap(),
         ResponseType::Error
     );
     let err = *SecretkeeperError::deserialize_from_packet(response_packet).unwrap();
     assert_eq!(err, SecretkeeperError::RequestMalformed);
 }

 #[test]
 fn secret_management_store_get_secret_found() {
     let sk_client = match SkClient::new() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };

     let store_request = StoreSecretRequest {
         id: Id(ID_EXAMPLE),
         secret: Secret(SECRET_EXAMPLE),
         sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
     };

     let store_request = store_request.serialize_to_packet().to_vec().unwrap();

     let store_response = sk_client.secret_management_request(&store_request);
     let store_response = ResponsePacket::from_slice(&store_response).unwrap();

     assert_eq!(
         store_response.response_type().unwrap(),
         ResponseType::Success
     );
     // Really just checking that the response is indeed StoreSecretResponse
     let _ = StoreSecretResponse::deserialize_from_packet(store_response).unwrap();

     // Get the secret that was just stored
     let get_request = GetSecretRequest {
         id: Id(ID_EXAMPLE),
         updated_sealing_policy: None,
     };
     let get_request = get_request.serialize_to_packet().to_vec().unwrap();

     let get_response = sk_client.secret_management_request(&get_request);
     let get_response = ResponsePacket::from_slice(&get_response).unwrap();
     assert_eq!(get_response.response_type().unwrap(), ResponseType::Success);
     let get_response = *GetSecretResponse::deserialize_from_packet(get_response).unwrap();
     assert_eq!(get_response.secret.0, SECRET_EXAMPLE);
 }

 #[test]
 fn secret_management_store_get_secret_not_found() {
     let sk_client = match SkClient::new() {
         Some(sk) => sk,
         None => {
             warn!("Secretkeeper HAL is unavailable, skipping test");
             return;
         }
     };

     // Store a secret (corresponding to an id).
     let store_request = StoreSecretRequest {
         id: Id(ID_EXAMPLE),
         secret: Secret(SECRET_EXAMPLE),
         sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
     };

     let store_request = store_request.serialize_to_packet().to_vec().unwrap();
     let store_response = sk_client.secret_management_request(&store_request);
     let store_response = ResponsePacket::from_slice(&store_response).unwrap();

     assert_eq!(
         store_response.response_type().unwrap(),
         ResponseType::Success
     );

     // (Try to) Get the secret that was never stored
     let get_request = GetSecretRequest {
         id: Id(ID_NOT_STORED),
         updated_sealing_policy: None,
     };
     let get_request = get_request.serialize_to_packet().to_vec().unwrap();
     let get_response = sk_client.secret_management_request(&get_request);

     // Check that response is `SecretkeeperError::EntryNotFound`
     let get_response = ResponsePacket::from_slice(&get_response).unwrap();
     assert_eq!(get_response.response_type().unwrap(), ResponseType::Error);
     let err = *SecretkeeperError::deserialize_from_packet(get_response).unwrap();
     assert_eq!(err, SecretkeeperError::EntryNotFound);
 }
	/*
	* Copyright (C) 2023 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#[cfg(test)]
	use binder::StatusCode;
	use coset::{CborSerializable, CoseEncrypt0};
	use log::warn;
	use secretkeeper_core::cipher;
	use secretkeeper_comm::data_types::error::SecretkeeperError;
	use secretkeeper_comm::data_types::request::Request;
	use secretkeeper_comm::data_types::request_response_impl::{
	GetVersionRequest, GetVersionResponse, GetSecretRequest, GetSecretResponse, StoreSecretRequest,
	StoreSecretResponse };
	use secretkeeper_comm::data_types::{Id, ID_SIZE, Secret, SECRET_SIZE};
	use secretkeeper_comm::data_types::response::Response;
	use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType};
	use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::ISecretkeeper;
	use authgraph_vts_test as ag_vts;
	use authgraph_boringssl as boring;
	use authgraph_core::key;

	const SECRETKEEPER_IDENTIFIER: &str =
	"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure";
	const CURRENT_VERSION: u64 = 1;

	// TODO(b/291238565): This will change once libdice_policy switches to Explicit-key DiceCertChain
	// This is generated by patching libdice_policy such that it dumps an example dice chain &
	// a policy, such that the former matches the latter.
	const HYPOTHETICAL_DICE_POLICY: [u8; 43] = [
	0x83, 0x01, 0x81, 0x83, 0x01, 0x80, 0xA1, 0x01, 0x00, 0x82, 0x83, 0x01, 0x81, 0x01, 0x73, 0x74,
	0x65, 0x73, 0x74, 0x69, 0x6E, 0x67, 0x5F, 0x64, 0x69, 0x63, 0x65, 0x5F, 0x70, 0x6F, 0x6C, 0x69,
	0x63, 0x79, 0x83, 0x02, 0x82, 0x03, 0x18, 0x64, 0x19, 0xE9, 0x75,
	];

	// Random bytes (of ID_SIZE/SECRET_SIZE) generated for tests.
	const ID_EXAMPLE: [u8; ID_SIZE] = [
	0xF1, 0xB2, 0xED, 0x3B, 0xD1, 0xBD, 0xF0, 0x7D, 0xE1, 0xF0, 0x01, 0xFC, 0x61, 0x71, 0xD3, 0x42,
	0xE5, 0x8A, 0xAF, 0x33, 0x6C, 0x11, 0xDC, 0xC8, 0x6F, 0xAE, 0x12, 0x5C, 0x26, 0x44, 0x6B, 0x86,
	0xCC, 0x24, 0xFD, 0xBF, 0x91, 0x4A, 0x54, 0x84, 0xF9, 0x01, 0x59, 0x25, 0x70, 0x89, 0x38, 0x8D,
	0x5E, 0xE6, 0x91, 0xDF, 0x68, 0x60, 0x69, 0x26, 0xBE, 0xFE, 0x79, 0x58, 0xF7, 0xEA, 0x81, 0x7D,
	];
	const ID_NOT_STORED: [u8; ID_SIZE] = [
	0x56, 0xD0, 0x4E, 0xAA, 0xC1, 0x7B, 0x55, 0x6B, 0xA0, 0x2C, 0x65, 0x43, 0x39, 0x0A, 0x6C, 0xE9,
	0x1F, 0xD0, 0x0E, 0x20, 0x3E, 0xFB, 0xF5, 0xF9, 0x3F, 0x5B, 0x11, 0x1B, 0x18, 0x73, 0xF6, 0xBB,
	0xAB, 0x9F, 0xF2, 0xD6, 0xBD, 0xBA, 0x25, 0x68, 0x22, 0x30, 0xF2, 0x1F, 0x90, 0x05, 0xF3, 0x64,
	0xE7, 0xEF, 0xC6, 0xB6, 0xA0, 0x85, 0xC9, 0x40, 0x40, 0xF0, 0xB4, 0xB9, 0xD8, 0x28, 0xEE, 0x9C,
	];
	const SECRET_EXAMPLE: [u8; SECRET_SIZE] = [
	0xA9, 0x89, 0x97, 0xFE, 0xAE, 0x97, 0x55, 0x4B, 0x32, 0x35, 0xF0, 0xE8, 0x93, 0xDA, 0xEA, 0x24,
	0x06, 0xAC, 0x36, 0x8B, 0x3C, 0x95, 0x50, 0x16, 0x67, 0x71, 0x65, 0x26, 0xEB, 0xD0, 0xC3, 0x98,
	];

	fn get_connection() -> Option<binder::Strong<dyn ISecretkeeper>> {
	match binder::get_interface(SECRETKEEPER_IDENTIFIER) {
	Ok(sk) => Some(sk),
	Err(StatusCode::NAME_NOT_FOUND) => None,
	Err(e) => {
	panic!(
	"unexpected error while fetching connection to Secretkeeper {:?}",
	e
	);
	}
	}
	}

	/// Secretkeeper client information.
	struct SkClient {
	sk: binder::Strong<dyn ISecretkeeper>,
	aes_keys: [key::AesKey; 2],
	session_id: Vec<u8>,
	}

	impl SkClient {
	fn new() -> Option<Self> {
	let sk = get_connection()?;
	let (aes_keys, session_id) = authgraph_key_exchange(sk.clone());
	Some(Self {
	sk,
	aes_keys,
	session_id,
	})
	}
	/// Wrapper around `ISecretkeeper::processSecretManagementRequest` that handles
	/// encryption and decryption.
	fn secret_management_request(&self, req_data: &[u8]) -> Vec<u8> {
	let aes_gcm = boring::BoringAes;
	let rng = boring::BoringRng;
	let request_bytes = cipher::encrypt_message(
	&aes_gcm,
	&rng,
	&self.aes_keys[0],
	&self.session_id,
	&req_data,
	)
	.unwrap();

	let response_bytes = self
	.sk
	.processSecretManagementRequest(&request_bytes)
	.unwrap();

	let response_encrypt0 = CoseEncrypt0::from_slice(&response_bytes).unwrap();
	cipher::decrypt_message(&aes_gcm, &self.aes_keys[1], &response_encrypt0).unwrap()
	}
	}

	/// Perform AuthGraph key exchange, returning the session keys and session ID.
	fn authgraph_key_exchange(sk: binder::Strong<dyn ISecretkeeper>) -> ([key::AesKey; 2], Vec<u8>) {
	let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
	let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
	ag_vts::sink::test_mainline(&mut source, sink)
	}

	/// Test that the AuthGraph instance returned by SecretKeeper correctly performs
	/// mainline key exchange against a local source implementation.
	#[test]
	fn authgraph_mainline() {
	let sk = match get_connection() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};
	let (_aes_keys, _session_id) = authgraph_key_exchange(sk);
	}

	/// Test that the AuthGraph instance returned by SecretKeeper correctly rejects
	/// a corrupted session ID signature.
	#[test]
	fn authgraph_corrupt_sig() {
	let sk = match get_connection() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};
	let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
	let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
	ag_vts::sink::test_corrupt_sig(&mut source, sink);
	}

	/// Test that the AuthGraph instance returned by SecretKeeper correctly detects
	/// when corrupted keys are returned to it.
	#[test]
	fn authgraph_corrupt_keys() {
	let sk = match get_connection() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};
	let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
	let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
	ag_vts::sink::test_corrupt_keys(&mut source, sink);
	}

	// TODO(b/2797757): Add tests that match different HAL defined objects (like request/response)
	// with expected bytes.

	#[test]
	fn secret_management_get_version() {
	let sk_client = match SkClient::new() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};

	let request = GetVersionRequest {};
	let request_packet = request.serialize_to_packet();
	let request_bytes = request_packet.to_vec().unwrap();

	let response_bytes = sk_client.secret_management_request(&request_bytes);

	let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
	assert_eq!(
	response_packet.response_type().unwrap(),
	ResponseType::Success
	);
	let get_version_response =
	*GetVersionResponse::deserialize_from_packet(response_packet).unwrap();
	assert_eq!(get_version_response.version, CURRENT_VERSION);
	}

	#[test]
	fn secret_management_malformed_request() {
	let sk_client = match SkClient::new() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};

	let request = GetVersionRequest {};
	let request_packet = request.serialize_to_packet();
	let mut request_bytes = request_packet.to_vec().unwrap();

	// Deform the request
	request_bytes[0] = !request_bytes[0];

	let response_bytes = sk_client.secret_management_request(&request_bytes);

	let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
	assert_eq!(
	response_packet.response_type().unwrap(),
	ResponseType::Error
	);
	let err = *SecretkeeperError::deserialize_from_packet(response_packet).unwrap();
	assert_eq!(err, SecretkeeperError::RequestMalformed);
	}

	#[test]
	fn secret_management_store_get_secret_found() {
	let sk_client = match SkClient::new() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};

	let store_request = StoreSecretRequest {
	id: Id(ID_EXAMPLE),
	secret: Secret(SECRET_EXAMPLE),
	sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
	};

	let store_request = store_request.serialize_to_packet().to_vec().unwrap();

	let store_response = sk_client.secret_management_request(&store_request);
	let store_response = ResponsePacket::from_slice(&store_response).unwrap();

	assert_eq!(
	store_response.response_type().unwrap(),
	ResponseType::Success
	);
	// Really just checking that the response is indeed StoreSecretResponse
	let _ = StoreSecretResponse::deserialize_from_packet(store_response).unwrap();

	// Get the secret that was just stored
	let get_request = GetSecretRequest {
	id: Id(ID_EXAMPLE),
	updated_sealing_policy: None,
	};
	let get_request = get_request.serialize_to_packet().to_vec().unwrap();

	let get_response = sk_client.secret_management_request(&get_request);
	let get_response = ResponsePacket::from_slice(&get_response).unwrap();
	assert_eq!(get_response.response_type().unwrap(), ResponseType::Success);
	let get_response = *GetSecretResponse::deserialize_from_packet(get_response).unwrap();
	assert_eq!(get_response.secret.0, SECRET_EXAMPLE);
	}

	#[test]
	fn secret_management_store_get_secret_not_found() {
	let sk_client = match SkClient::new() {
	Some(sk) => sk,
	None => {
	warn!("Secretkeeper HAL is unavailable, skipping test");
	return;
	}
	};

	// Store a secret (corresponding to an id).
	let store_request = StoreSecretRequest {
	id: Id(ID_EXAMPLE),
	secret: Secret(SECRET_EXAMPLE),
	sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
	};

	let store_request = store_request.serialize_to_packet().to_vec().unwrap();
	let store_response = sk_client.secret_management_request(&store_request);
	let store_response = ResponsePacket::from_slice(&store_response).unwrap();

	assert_eq!(
	store_response.response_type().unwrap(),
	ResponseType::Success
	);

	// (Try to) Get the secret that was never stored
	let get_request = GetSecretRequest {
	id: Id(ID_NOT_STORED),
	updated_sealing_policy: None,
	};
	let get_request = get_request.serialize_to_packet().to_vec().unwrap();
	let get_response = sk_client.secret_management_request(&get_request);

	// Check that response is `SecretkeeperError::EntryNotFound`
	let get_response = ResponsePacket::from_slice(&get_response).unwrap();
	assert_eq!(get_response.response_type().unwrap(), ResponseType::Error);
	let err = *SecretkeeperError::deserialize_from_packet(get_response).unwrap();
	assert_eq!(err, SecretkeeperError::EntryNotFound);
	}