Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-01 16:50:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix IC vts bugs and add tests for IC IWritableIdentityCredential.aidl interface.

Browse Source 
Fixed following bugs in WritableIdentityCredential.cpp
  - Do not allow startPersonalization to be called more than once per
  aidl.
  - Do not preceed with beginAddEntry if addAccessControlProfile and
  startPersonalization profile count mismatch.
  - Verify access control profile ids are unique.
  - Do not let empty name space to mess up beginAddEntry.
  - Do not allow beginAddEntry to add entries interleaving namespace
    groupings. Enforce all entries must be added in namespace "groups"
    per aidl.
  - Fix counting error that allowed one entries to be added per name
    space than startPersonalization limit.
  - Do not approve finishAddingEntries if there are more profiles or
    entries to be added than startPersonalization set accounting.
  - Add testing utilities library for identity credential.
  - Refactored end to end tests.

Bug: 154909726
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: I51902681776c6230e49589fc75a8145e79d7d1a6

Change-Id: Ib7c108f67c61125edba6177dcac61cfbf58da671
This commit is contained in:
Selene Huang
2020-03-04 02:24:16 -08:00
committed by David Zeuthen
parent d78626d962
commit d39b9fb604
8 changed files with 1036 additions and 123 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
identity/aidl/default/WritableIdentityCredential.cpp
View File

@@ -44,6 +44,8 @@ bool WritableIdentityCredential::initialize() {
return false;
}
storageKey_ = random.value();
startPersonalizationCalled_ = false;
firstEntry_ = true;
return true;
}
@@ -105,6 +107,12 @@ ndk::ScopedAStatus WritableIdentityCredential::getAttestationCertificate(
ndk::ScopedAStatus WritableIdentityCredential::startPersonalization(
int32_t accessControlProfileCount, const vector<int32_t>& entryCounts) {
if (startPersonalizationCalled_) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_FAILED, "startPersonalization called already"));
}
startPersonalizationCalled_ = true;
numAccessControlProfileRemaining_ = accessControlProfileCount;
remainingEntryCounts_ = entryCounts;
entryNameSpace_ = "";
@@ -128,6 +136,13 @@ ndk::ScopedAStatus WritableIdentityCredential::addAccessControlProfile(
"numAccessControlProfileRemaining_ is 0 and expected non-zero"));
}
if (accessControlProfileIds_.find(id) != accessControlProfileIds_.end()) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_INVALID_DATA,
"Access Control Profile id must be unique"));
}
accessControlProfileIds_.insert(id);
// Spec requires if |userAuthenticationRequired| is false, then |timeoutMillis| must also
// be zero.
if (!userAuthenticationRequired && timeoutMillis != 0) {
@@ -184,12 +199,20 @@ ndk::ScopedAStatus WritableIdentityCredential::beginAddEntry(
}
// Handle initial beginEntry() call.
if (entryNameSpace_ == "") {
if (firstEntry_) {
firstEntry_ = false;
entryNameSpace_ = nameSpace;
allNameSpaces_.insert(nameSpace);
}
// If the namespace changed...
if (nameSpace != entryNameSpace_) {
if (allNameSpaces_.find(nameSpace) != allNameSpaces_.end()) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_INVALID_DATA,
"Name space cannot be added in interleaving fashion"));
}
// Then check that all entries in the previous namespace have been added..
if (remainingEntryCounts_[0] != 0) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
@@ -197,6 +220,8 @@ ndk::ScopedAStatus WritableIdentityCredential::beginAddEntry(
"New namespace but a non-zero number of entries remain to be added"));
}
remainingEntryCounts_.erase(remainingEntryCounts_.begin());
remainingEntryCounts_[0] -= 1;
allNameSpaces_.insert(nameSpace);
if (signedDataCurrentNamespace_.size() > 0) {
signedDataNamespaces_.add(entryNameSpace_, std::move(signedDataCurrentNamespace_));
@@ -330,6 +355,18 @@ bool generateCredentialData(const vector<uint8_t>& hardwareBoundKey, const strin
ndk::ScopedAStatus WritableIdentityCredential::finishAddingEntries(
vector<int8_t>* outCredentialData, vector<int8_t>* outProofOfProvisioningSignature) {
if (numAccessControlProfileRemaining_ != 0) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_INVALID_DATA,
"numAccessControlProfileRemaining_ is not 0 and expected zero"));
}
if (remainingEntryCounts_.size() > 1 || remainingEntryCounts_[0] != 0) {
return ndk::ScopedAStatus(AStatus_fromServiceSpecificErrorWithMessage(
IIdentityCredentialStore::STATUS_INVALID_DATA,
"More entry spaces remain than startPersonalization configured"));
}
if (signedDataCurrentNamespace_.size() > 0) {
signedDataNamespaces_.add(entryNameSpace_, std::move(signedDataCurrentNamespace_));
}

8
identity/aidl/default/WritableIdentityCredential.h
View File

@@ -21,9 +21,11 @@
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
#include <cppbor.h>
#include <set>
namespace aidl::android::hardware::identity {
using ::std::set;
using ::std::string;
using ::std::vector;
@@ -66,6 +68,8 @@ class WritableIdentityCredential : public BnWritableIdentityCredential {
// This is set in initialize().
vector<uint8_t> storageKey_;
bool startPersonalizationCalled_;
bool firstEntry_;
// These are set in getAttestationCertificate().
vector<uint8_t> credentialPrivKey_;
@@ -79,6 +83,9 @@ class WritableIdentityCredential : public BnWritableIdentityCredential {
cppbor::Map signedDataNamespaces_;
cppbor::Array signedDataCurrentNamespace_;
// This field is initialized in addAccessControlProfile
set<int32_t> accessControlProfileIds_;
// These fields are initialized during beginAddEntry()
size_t entryRemainingBytes_;
vector<uint8_t> entryAdditionalData_;
@@ -86,6 +93,7 @@ class WritableIdentityCredential : public BnWritableIdentityCredential {
string entryName_;
vector<int32_t> entryAccessControlProfileIds_;
vector<uint8_t> entryBytes_;
set<string> allNameSpaces_;
};
} // namespace aidl::android::hardware::identity

6
identity/aidl/vts/Android.bp
View File

@@ -4,7 +4,11 @@ cc_test {
"VtsHalTargetTestDefaults",
"use_libaidlvintf_gtest_helper_static",
],
srcs: ["VtsHalIdentityTargetTest.cpp"],
srcs: [
"VtsHalIdentityEndToEndTest.cpp",
"VtsIWritableIdentityCredentialTests.cpp",
"VtsIdentityTestUtils.cpp",
],
shared_libs: [
"libbinder",
"libcrypto",

153
identity/aidl/vts/VtsHalIdentityTargetTest.cpp → identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
View File

@@ -28,8 +28,11 @@
#include <future>
#include <map>
#include "VtsIdentityTestUtils.h"
namespace android::hardware::identity {
using std::endl;
using std::map;
using std::optional;
using std::string;
@@ -41,51 +44,6 @@ using ::android::binder::Status;
using ::android::hardware::keymaster::HardwareAuthToken;
// ---------------------------------------------------------------------------
// Test Data.
// ---------------------------------------------------------------------------
struct TestEntryData {
TestEntryData(string nameSpace, string name, vector<int32_t> profileIds)
: nameSpace(nameSpace), name(name), profileIds(profileIds) {}
TestEntryData(string nameSpace, string name, const string& value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Tstr(((const char*)value.data())).encode();
}
TestEntryData(string nameSpace, string name, const vector<uint8_t>& value,
vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Bstr(value).encode();
}
TestEntryData(string nameSpace, string name, bool value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Bool(value).encode();
}
TestEntryData(string nameSpace, string name, int64_t value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
if (value >= 0) {
valueCbor = cppbor::Uint(value).encode();
} else {
valueCbor = cppbor::Nint(-value).encode();
}
}
string nameSpace;
string name;
vector<uint8_t> valueCbor;
vector<int32_t> profileIds;
};
struct TestProfile {
uint16_t id;
vector<uint8_t> readerCertificate;
bool userAuthenticationRequired;
uint64_t timeoutMillis;
};
// ----------------------------------------------------------------
class IdentityAidl : public testing::TestWithParam<std::string> {
public:
virtual void SetUp() override {
@@ -108,39 +66,26 @@ TEST_P(IdentityAidl, hardwareInformation) {
TEST_P(IdentityAidl, createAndRetrieveCredential) {
// First, generate a key-pair for the reader since its public key will be
// part of the request data.
optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair();
ASSERT_TRUE(readerKeyPKCS8);
optional<vector<uint8_t>> readerPublicKey =
support::ecKeyPairGetPublicKey(readerKeyPKCS8.value());
optional<vector<uint8_t>> readerKey = support::ecKeyPairGetPrivateKey(readerKeyPKCS8.value());
string serialDecimal = "1234";
string issuer = "Android Open Source Project";
string subject = "Android IdentityCredential VTS Test";
time_t validityNotBefore = time(nullptr);
time_t validityNotAfter = validityNotBefore + 365 * 24 * 3600;
optional<vector<uint8_t>> readerCertificate = support::ecPublicKeyGenerateCertificate(
readerPublicKey.value(), readerKey.value(), serialDecimal, issuer, subject,
validityNotBefore, validityNotAfter);
vector<uint8_t> readerKey;
optional<vector<uint8_t>> readerCertificate =
test_utils::GenerateReaderCertificate("1234", readerKey);
ASSERT_TRUE(readerCertificate);
// Make the portrait image really big (just shy of 256 KiB) to ensure that
// the chunking code gets exercised.
vector<uint8_t> portraitImage;
portraitImage.resize(256 * 1024 - 10);
for (size_t n = 0; n < portraitImage.size(); n++) {
portraitImage[n] = (uint8_t)n;
}
test_utils::SetImageData(portraitImage);
// Access control profiles:
const vector<TestProfile> testProfiles = {// Profile 0 (reader authentication)
{0, readerCertificate.value(), false, 0},
// Profile 1 (no authentication)
{1, {}, false, 0}};
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
{0, readerCertificate.value(), false, 0},
// Profile 1 (no authentication)
{1, {}, false, 0}};
HardwareAuthToken authToken;
// Here's the actual test data:
const vector<TestEntryData> testEntries = {
const vector<test_utils::TestEntryData> testEntries = {
{"PersonalData", "Last name", string("Turing"), vector<int32_t>{0, 1}},
{"PersonalData", "Birth date", string("19120623"), vector<int32_t>{0, 1}},
{"PersonalData", "First name", string("Alan"), vector<int32_t>{0, 1}},
@@ -155,67 +100,33 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
string cborPretty;
sp<IWritableIdentityCredential> writableCredential;
string docType = "org.iso.18013-5.2019.mdl";
bool testCredential = true;
ASSERT_TRUE(credentialStore_->createCredential(docType, testCredential, &writableCredential)
.isOk());
ASSERT_NE(writableCredential, nullptr);
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "attestationChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
ASSERT_EQ(binder::Status::EX_NONE, attData.result.exceptionCode());
ASSERT_EQ(IIdentityCredentialStore::STATUS_OK, attData.result.serviceSpecificErrorCode());
// TODO: set it to something random and check it's in the cert chain
vector<uint8_t> attestationApplicationId = {};
vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
vector<Certificate> attestationCertificates;
ASSERT_TRUE(writableCredential
->getAttestationCertificate(attestationApplicationId, attestationChallenge,
&attestationCertificates)
.isOk());
ASSERT_GE(attestationCertificates.size(), 2);
ASSERT_GE(attData.attestationCertificate.size(), 2);
ASSERT_TRUE(
writableCredential->startPersonalization(testProfiles.size(), testEntriesEntryCounts)
.isOk());
vector<SecureAccessControlProfile> returnedSecureProfiles;
for (const auto& testProfile : testProfiles) {
SecureAccessControlProfile profile;
Certificate cert;
cert.encodedCertificate = testProfile.readerCertificate;
ASSERT_TRUE(writableCredential
->addAccessControlProfile(testProfile.id, cert,
testProfile.userAuthenticationRequired,
testProfile.timeoutMillis,
0, // secureUserId
&profile)
.isOk());
ASSERT_EQ(testProfile.id, profile.id);
ASSERT_EQ(testProfile.readerCertificate, profile.readerCertificate.encodedCertificate);
ASSERT_EQ(testProfile.userAuthenticationRequired, profile.userAuthenticationRequired);
ASSERT_EQ(testProfile.timeoutMillis, profile.timeoutMillis);
ASSERT_EQ(support::kAesGcmTagSize + support::kAesGcmIvSize, profile.mac.size());
returnedSecureProfiles.push_back(profile);
}
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
// Uses TestEntryData* pointer as key and values are the encrypted blobs. This
// is a little hacky but it works well enough.
map<const TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries) {
vector<vector<uint8_t>> chunks =
support::chunkVector(entry.valueCbor, hwInfo.dataChunkSize);
ASSERT_TRUE(writableCredential
->beginAddEntry(entry.profileIds, entry.nameSpace, entry.name,
entry.valueCbor.size())
.isOk());
vector<vector<uint8_t>> encryptedChunks;
for (const auto& chunk : chunks) {
vector<uint8_t> encryptedChunk;
ASSERT_TRUE(writableCredential->addEntryValue(chunk, &encryptedChunk).isOk());
encryptedChunks.push_back(encryptedChunk);
}
encryptedBlobs[&entry] = encryptedChunks;
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
vector<uint8_t> credentialData;
@@ -276,8 +187,8 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
"]",
cborPretty);
optional<vector<uint8_t>> credentialPubKey =
support::certificateChainGetTopMostKey(attestationCertificates[0].encodedCertificate);
optional<vector<uint8_t>> credentialPubKey = support::certificateChainGetTopMostKey(
attData.attestationCertificate[0].encodedCertificate);
ASSERT_TRUE(credentialPubKey);
EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
{}, // Additional data
@@ -347,8 +258,8 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
.add(cppbor::Semantic(24, itemsRequestBytes))
.encode();
optional<vector<uint8_t>> readerSignature =
support::coseSignEcDsa(readerKey.value(), {}, // content
dataToSign, // detached content
support::coseSignEcDsa(readerKey, {}, // content
dataToSign, // detached content
readerCertificate.value());
ASSERT_TRUE(readerSignature);
@@ -358,7 +269,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
ASSERT_TRUE(credential->generateSigningKeyPair(&signingKeyBlob, &signingKeyCertificate).isOk());
ASSERT_TRUE(credential
->startRetrieval(returnedSecureProfiles, authToken, itemsRequestBytes,
->startRetrieval(secureProfiles.value(), authToken, itemsRequestBytes,
signingKeyBlob, sessionTranscriptBytes,
readerSignature.value(), testEntriesEntryCounts)
.isOk());
@@ -405,6 +316,8 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
cppbor::Array deviceAuthentication;
deviceAuthentication.add("DeviceAuthentication");
deviceAuthentication.add(sessionTranscript.clone());
string docType = "org.iso.18013-5.2019.mdl";
deviceAuthentication.add(docType);
deviceAuthentication.add(cppbor::Semantic(24, deviceNameSpacesBytes));
vector<uint8_t> encodedDeviceAuthentication = deviceAuthentication.encode();

649
identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp Normal file
View File

@@ -0,0 +1,649 @@
/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "VtsIWritableIdentityCredentialTests"
#include <aidl/Gtest.h>
#include <aidl/Vintf.h>
#include <android-base/logging.h>
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
#include <binder/IServiceManager.h>
#include <binder/ProcessState.h>
#include <cppbor.h>
#include <cppbor_parse.h>
#include <gtest/gtest.h>
#include <future>
#include <map>
#include "VtsIdentityTestUtils.h"
namespace android::hardware::identity {
using std::endl;
using std::map;
using std::optional;
using std::string;
using std::vector;
using ::android::sp;
using ::android::String16;
using ::android::binder::Status;
class IdentityCredentialTests : public testing::TestWithParam<string> {
public:
virtual void SetUp() override {
credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
String16(GetParam().c_str()));
ASSERT_NE(credentialStore_, nullptr);
}
sp<IIdentityCredentialStore> credentialStore_;
};
TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
vector<uint8_t> attestationChallenge;
vector<Certificate> attestationCertificate;
vector<uint8_t> attestationApplicationId = {};
result = writableCredential->getAttestationCertificate(
attestationApplicationId, attestationChallenge, &attestationCertificate);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));
}
TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
vector<Certificate> attestationCertificate;
vector<uint8_t> attestationApplicationId = {};
result = writableCredential->getAttestationCertificate(
attestationApplicationId, attestationChallenge, &attestationCertificate);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));
}
TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(test_utils::ValidateAttestationCertificate(attData.attestationCertificate));
string challenge2 = "NotSoRandomChallenge2";
test_utils::AttestationData attData2(writableCredential, challenge2, {});
EXPECT_FALSE(attData2.result.isOk()) << attData2.result.exceptionCode() << "; "
<< attData2.result.exceptionMessage() << endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, attData2.result.exceptionCode());
EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, attData2.result.serviceSpecificErrorCode());
}
TEST_P(IdentityCredentialTests, verifyStartPersonalization) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
// First call should go through
const vector<int32_t> entryCounts = {2, 4};
result = writableCredential->startPersonalization(5, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
// Call personalization again to check if repeat call is allowed.
result = writableCredential->startPersonalization(7, entryCounts);
// Second call to startPersonalization should have failed.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
}
TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1, 1};
writableCredential->startPersonalization(1, entryCounts);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
}
TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {0};
writableCredential->startPersonalization(0, entryCounts);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
}
TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1};
writableCredential->startPersonalization(1, entryCounts);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
}
TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
// Verify set a large number of profile count and entry count is ok
const vector<int32_t> entryCounts = {3000};
writableCredential->startPersonalization(3500, entryCounts);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
}
TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
// Enter mismatched entry and profile numbers
const vector<int32_t> entryCounts = {5, 6};
writableCredential->startPersonalization(5, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate = test_utils::GenerateReaderCertificate("12345");
ASSERT_TRUE(readerCertificate);
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
{1, readerCertificate.value(), false, 0},
{2, readerCertificate.value(), true, 1},
// Profile 4 (no authentication)
{4, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// finishAddingEntries should fail because the number of addAccessControlProfile mismatched with
// startPersonalization, and begintest_utils::AddEntry was not called.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
EXPECT_EQ(IIdentityCredentialStore::STATUS_INVALID_DATA, result.serviceSpecificErrorCode());
}
TEST_P(IdentityCredentialTests, verifyDuplicateProfileId) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {3, 6};
writableCredential->startPersonalization(3, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
const vector<test_utils::TestProfile> testProfiles = {// first profile should go though
{1, {}, true, 2},
// same id, different
// authentication requirement
{1, {}, true, 1},
// same id, different certificate
{1, {}, false, 0}};
bool expectOk = true;
for (const auto& testProfile : testProfiles) {
SecureAccessControlProfile profile;
Certificate cert;
cert.encodedCertificate = testProfile.readerCertificate;
result = writableCredential->addAccessControlProfile(
testProfile.id, cert, testProfile.userAuthenticationRequired,
testProfile.timeoutMillis, 0, &profile);
if (expectOk) {
expectOk = false;
// for profile should be allowed though as there are no duplications
// yet.
ASSERT_TRUE(result.isOk())
<< result.exceptionCode() << "; " << result.exceptionMessage()
<< "test profile id = " << testProfile.id << endl;
ASSERT_EQ(testProfile.id, profile.id);
ASSERT_EQ(testProfile.readerCertificate, profile.readerCertificate.encodedCertificate);
ASSERT_EQ(testProfile.userAuthenticationRequired, profile.userAuthenticationRequired);
ASSERT_EQ(testProfile.timeoutMillis, profile.timeoutMillis);
ASSERT_EQ(support::kAesGcmTagSize + support::kAesGcmIvSize, profile.mac.size());
} else {
// should not allow duplicate id profiles.
ASSERT_FALSE(result.isOk())
<< result.exceptionCode() << "; " << result.exceptionMessage()
<< ". Test profile id = " << testProfile.id
<< ", timeout=" << testProfile.timeoutMillis << endl;
ASSERT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
ASSERT_EQ(IIdentityCredentialStore::STATUS_INVALID_DATA,
result.serviceSpecificErrorCode());
}
}
}
TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
const vector<int32_t> entryCounts = {1u};
writableCredential->startPersonalization(1, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
{"Name Space", "Last name", string("Turing"), vector<int32_t>{0, 1}},
};
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> proofOfProvisioning =
support::coseSignGetPayload(proofOfProvisioningSignature);
ASSERT_TRUE(proofOfProvisioning);
string cborPretty =
support::cborPrettyPrint(proofOfProvisioning.value(), 32, {"readerCertificate"});
EXPECT_EQ(
"[\n"
" 'ProofOfProvisioning',\n"
" 'org.iso.18013-5.2019.mdl',\n"
" [\n"
" {\n"
" 'id' : 1,\n"
" 'readerCertificate' : <not printed>,\n"
" 'userAuthenticationRequired' : true,\n"
" 'timeoutMillis' : 1,\n"
" },\n"
" ],\n"
" {\n"
" 'Name Space' : [\n"
" {\n"
" 'name' : 'Last name',\n"
" 'value' : 'Turing',\n"
" 'accessControlProfiles' : [0, 1, ],\n"
" },\n"
" ],\n"
" },\n"
" true,\n"
"]",
cborPretty);
optional<vector<uint8_t>> credentialPubKey = support::certificateChainGetTopMostKey(
attData.attestationCertificate[0].encodedCertificate);
ASSERT_TRUE(credentialPubKey);
EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
{}, // Additional data
credentialPubKey.value()));
}
TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 = test_utils::GenerateReaderCertificate("1256");
ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {
{1, readerCertificate1.value(), true, 1},
{2, readerCertificate2.value(), true, 2},
};
const vector<int32_t> entryCounts = {1u, 3u, 1u, 1u, 2u};
writableCredential->startPersonalization(testProfiles.size(), entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
vector<uint8_t> portraitImage1;
test_utils::SetImageData(portraitImage1);
vector<uint8_t> portraitImage2;
test_utils::SetImageData(portraitImage2);
const vector<test_utils::TestEntryData> testEntries1 = {
{"Name Space 1", "Last name", string("Turing"), vector<int32_t>{1, 2}},
{"Name Space2", "Home address", string("Maida Vale, London, England"),
vector<int32_t>{1}},
{"Name Space2", "Work address", string("Maida Vale2, London, England"),
vector<int32_t>{2}},
{"Name Space2", "Trailer address", string("Maida, London, England"),
vector<int32_t>{1}},
{"Image", "Portrait image", portraitImage1, vector<int32_t>{1}},
{"Image2", "Work image", portraitImage2, vector<int32_t>{1, 2}},
{"Name Space3", "xyzw", string("random stuff"), vector<int32_t>{1, 2}},
{"Name Space3", "Something", string("Some string"), vector<int32_t>{2}},
};
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> proofOfProvisioning =
support::coseSignGetPayload(proofOfProvisioningSignature);
ASSERT_TRUE(proofOfProvisioning);
string cborPretty = support::cborPrettyPrint(proofOfProvisioning.value(),
32, //
{"readerCertificate"});
EXPECT_EQ(
"[\n"
" 'ProofOfProvisioning',\n"
" 'org.iso.18013-5.2019.mdl',\n"
" [\n"
" {\n"
" 'id' : 1,\n"
" 'readerCertificate' : <not printed>,\n"
" 'userAuthenticationRequired' : true,\n"
" 'timeoutMillis' : 1,\n"
" },\n"
" {\n"
" 'id' : 2,\n"
" 'readerCertificate' : <not printed>,\n"
" 'userAuthenticationRequired' : true,\n"
" 'timeoutMillis' : 2,\n"
" },\n"
" ],\n"
" {\n"
" 'Name Space 1' : [\n"
" {\n"
" 'name' : 'Last name',\n"
" 'value' : 'Turing',\n"
" 'accessControlProfiles' : [1, 2, ],\n"
" },\n"
" ],\n"
" 'Name Space2' : [\n"
" {\n"
" 'name' : 'Home address',\n"
" 'value' : 'Maida Vale, London, England',\n"
" 'accessControlProfiles' : [1, ],\n"
" },\n"
" {\n"
" 'name' : 'Work address',\n"
" 'value' : 'Maida Vale2, London, England',\n"
" 'accessControlProfiles' : [2, ],\n"
" },\n"
" {\n"
" 'name' : 'Trailer address',\n"
" 'value' : 'Maida, London, England',\n"
" 'accessControlProfiles' : [1, ],\n"
" },\n"
" ],\n"
" 'Image' : [\n"
" {\n"
" 'name' : 'Portrait image',\n"
" 'value' : <bstr size=262134 sha1=941e372f654d86c32d88fae9e41b706afbfd02bb>,\n"
" 'accessControlProfiles' : [1, ],\n"
" },\n"
" ],\n"
" 'Image2' : [\n"
" {\n"
" 'name' : 'Work image',\n"
" 'value' : <bstr size=262134 sha1=941e372f654d86c32d88fae9e41b706afbfd02bb>,\n"
" 'accessControlProfiles' : [1, 2, ],\n"
" },\n"
" ],\n"
" 'Name Space3' : [\n"
" {\n"
" 'name' : 'xyzw',\n"
" 'value' : 'random stuff',\n"
" 'accessControlProfiles' : [1, 2, ],\n"
" },\n"
" {\n"
" 'name' : 'Something',\n"
" 'value' : 'Some string',\n"
" 'accessControlProfiles' : [2, ],\n"
" },\n"
" ],\n"
" },\n"
" true,\n"
"]",
cborPretty);
optional<vector<uint8_t>> credentialPubKey = support::certificateChainGetTopMostKey(
attData.attestationCertificate[0].encodedCertificate);
ASSERT_TRUE(credentialPubKey);
EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
{}, // Additional data
credentialPubKey.value()));
}
TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
const vector<int32_t> entryCounts = {2u, 2u};
writableCredential->startPersonalization(3, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},
{1, readerCertificate2.value(), true, 1},
{2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
// test empty name space
{"", "t name", string("Turing"), vector<int32_t>{2}},
{"", "Birth", string("19120623"), vector<int32_t>{2}},
{"Name Space", "Last name", string("Turing"), vector<int32_t>{0, 1}},
{"Name Space", "Birth date", string("19120623"), vector<int32_t>{0, 1}},
};
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
}
TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
// Enter mismatched entry and profile numbers.
// Technically the 2nd name space of "Name Space" occurs intermittently, 2
// before "Image" and 2 after image, which is not correct. All of same name
// space should occur together. Let's see if this fails.
const vector<int32_t> entryCounts = {2u, 1u, 2u};
writableCredential->startPersonalization(3, entryCounts);
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},
{1, readerCertificate2.value(), true, 1},
{2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
// test empty name space
{"Name Space", "Last name", string("Turing"), vector<int32_t>{0, 1}},
{"Name Space", "Birth date", string("19120623"), vector<int32_t>{0, 1}},
};
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
const test_utils::TestEntryData testEntry2 = {"Image", "Portrait image", string("asdfs"),
vector<int32_t>{0, 1}};
EXPECT_TRUE(test_utils::AddEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,
encryptedBlobs, true));
// We expect this to fail because the namespace is out of order, all "Name Space"
// should have been called together
const vector<test_utils::TestEntryData> testEntries3 = {
{"Name Space", "First name", string("Alan"), vector<int32_t>{0, 1}},
{"Name Space", "Home address", string("Maida Vale, London, England"),
vector<int32_t>{0}},
};
for (const auto& entry : testEntries3) {
EXPECT_FALSE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, false));
}
vector<uint8_t> credentialData;
vector<uint8_t> proofOfProvisioningSignature;
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// should fail because test_utils::AddEntry should have failed earlier.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
EXPECT_EQ(IIdentityCredentialStore::STATUS_INVALID_DATA, result.serviceSpecificErrorCode());
}
INSTANTIATE_TEST_SUITE_P(
Identity, IdentityCredentialTests,
testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)),
android::PrintInstanceNameToString);
} // namespace android::hardware::identity

179
identity/aidl/vts/VtsIdentityTestUtils.cpp Normal file
View File

@@ -0,0 +1,179 @@
/*
* Copyright 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "VtsIdentityTestUtils.h"
#include <aidl/Gtest.h>
#include <map>
namespace android::hardware::identity::test_utils {
using std::endl;
using std::map;
using std::optional;
using std::string;
using std::vector;
using ::android::sp;
using ::android::String16;
using ::android::binder::Status;
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore) {
if (credentialStore == nullptr) {
return false;
}
string docType = "org.iso.18013-5.2019.mdl";
bool testCredential = true;
Status result = credentialStore->createCredential(docType, testCredential, &writableCredential);
if (result.isOk() && writableCredential != nullptr) {
return true;
} else {
return false;
}
}
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal) {
vector<uint8_t> privKey;
return GenerateReaderCertificate(serialDecimal, privKey);
}
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey) {
optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair();
if (!readerKeyPKCS8) {
return {};
}
optional<vector<uint8_t>> readerPublicKey =
support::ecKeyPairGetPublicKey(readerKeyPKCS8.value());
optional<vector<uint8_t>> readerKey = support::ecKeyPairGetPrivateKey(readerKeyPKCS8.value());
if (!readerPublicKey || !readerKey) {
return {};
}
readerPrivateKey = readerKey.value();
string issuer = "Android Open Source Project";
string subject = "Android IdentityCredential VTS Test";
time_t validityNotBefore = time(nullptr);
time_t validityNotAfter = validityNotBefore + 365 * 24 * 3600;
return support::ecPublicKeyGenerateCertificate(readerPublicKey.value(), readerKey.value(),
serialDecimal, issuer, subject,
validityNotBefore, validityNotAfter);
}
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles) {
Status result;
vector<SecureAccessControlProfile> secureProfiles;
for (const auto& testProfile : testProfiles) {
SecureAccessControlProfile profile;
Certificate cert;
cert.encodedCertificate = testProfile.readerCertificate;
result = writableCredential->addAccessControlProfile(
testProfile.id, cert, testProfile.userAuthenticationRequired,
testProfile.timeoutMillis, 0, &profile);
// Don't use assert so all errors can be outputed. Then return
// instead of exit even on errors so caller can decide.
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< "test profile id = " << testProfile.id << endl;
EXPECT_EQ(testProfile.id, profile.id);
EXPECT_EQ(testProfile.readerCertificate, profile.readerCertificate.encodedCertificate);
EXPECT_EQ(testProfile.userAuthenticationRequired, profile.userAuthenticationRequired);
EXPECT_EQ(testProfile.timeoutMillis, profile.timeoutMillis);
EXPECT_EQ(support::kAesGcmTagSize + support::kAesGcmIvSize, profile.mac.size());
if (!result.isOk() || testProfile.id != profile.id ||
testProfile.readerCertificate != profile.readerCertificate.encodedCertificate ||
testProfile.userAuthenticationRequired != profile.userAuthenticationRequired ||
testProfile.timeoutMillis != profile.timeoutMillis ||
support::kAesGcmTagSize + support::kAesGcmIvSize != profile.mac.size()) {
return {};
}
secureProfiles.push_back(profile);
}
return secureProfiles;
}
// Most test expects this function to pass. So we will print out additional
// value if failed so more debug data can be provided.
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess) {
Status result;
vector<vector<uint8_t>> chunks = support::chunkVector(entry.valueCbor, dataChunkSize);
result = writableCredential->beginAddEntry(entry.profileIds, entry.nameSpace, entry.name,
entry.valueCbor.size());
if (expectSuccess) {
EXPECT_TRUE(result.isOk())
<< result.exceptionCode() << "; " << result.exceptionMessage() << endl
<< "entry name = " << entry.name << ", name space=" << entry.nameSpace << endl;
}
if (!result.isOk()) {
return false;
}
vector<vector<uint8_t>> encryptedChunks;
for (const auto& chunk : chunks) {
vector<uint8_t> encryptedContent;
result = writableCredential->addEntryValue(chunk, &encryptedContent);
if (expectSuccess) {
EXPECT_TRUE(result.isOk())
<< result.exceptionCode() << "; " << result.exceptionMessage() << endl
<< "entry name = " << entry.name << ", name space = " << entry.nameSpace
<< endl;
EXPECT_GT(encryptedContent.size(), 0u) << "entry name = " << entry.name
<< ", name space = " << entry.nameSpace << endl;
}
if (!result.isOk() || encryptedContent.size() <= 0u) {
return false;
}
encryptedChunks.push_back(encryptedContent);
}
encryptedBlobs[&entry] = encryptedChunks;
return true;
}
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates) {
return (inputCertificates.size() >= 2);
// TODO: add parsing of the certificate and make sure it is genuine.
}
void SetImageData(vector<uint8_t>& image) {
image.resize(256 * 1024 - 10);
for (size_t n = 0; n < image.size(); n++) {
image[n] = (uint8_t)n;
}
}
} // namespace android::hardware::identity::test_utils

118
identity/aidl/vts/VtsIdentityTestUtils.h Normal file
View File

@@ -0,0 +1,118 @@
/*
* Copyright 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef VTS_IDENTITY_TEST_UTILS_H
#define VTS_IDENTITY_TEST_UTILS_H
#include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/hardware/identity/support/IdentityCredentialSupport.h>
#include <cppbor.h>
#include <cppbor_parse.h>
namespace android::hardware::identity::test_utils {
using ::std::map;
using ::std::optional;
using ::std::string;
using ::std::vector;
using ::android::sp;
using ::android::binder::Status;
struct AttestationData {
AttestationData(sp<IWritableIdentityCredential>& writableCredential, string challenge,
vector<uint8_t> applicationId)
: attestationApplicationId(applicationId) {
// ASSERT_NE(writableCredential, nullptr);
if (!challenge.empty()) {
attestationChallenge.assign(challenge.begin(), challenge.end());
}
result = writableCredential->getAttestationCertificate(
attestationApplicationId, attestationChallenge, &attestationCertificate);
}
AttestationData() {}
vector<uint8_t> attestationChallenge;
vector<uint8_t> attestationApplicationId;
vector<Certificate> attestationCertificate;
Status result;
};
struct TestEntryData {
TestEntryData(string nameSpace, string name, vector<int32_t> profileIds)
: nameSpace(nameSpace), name(name), profileIds(profileIds) {}
TestEntryData(string nameSpace, string name, const string& value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Tstr(((const char*)value.data())).encode();
}
TestEntryData(string nameSpace, string name, const vector<uint8_t>& value,
vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Bstr(value).encode();
}
TestEntryData(string nameSpace, string name, bool value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
valueCbor = cppbor::Bool(value).encode();
}
TestEntryData(string nameSpace, string name, int64_t value, vector<int32_t> profileIds)
: TestEntryData(nameSpace, name, profileIds) {
if (value >= 0) {
valueCbor = cppbor::Uint(value).encode();
} else {
valueCbor = cppbor::Nint(-value).encode();
}
}
string nameSpace;
string name;
vector<uint8_t> valueCbor;
vector<int32_t> profileIds;
};
struct TestProfile {
uint16_t id;
vector<uint8_t> readerCertificate;
bool userAuthenticationRequired;
uint64_t timeoutMillis;
};
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey);
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles);
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess);
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates);
void SetImageData(vector<uint8_t>& image);
} // namespace android::hardware::identity::test_utils
#endif // VTS_IDENTITY_TEST_UTILS_H