tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add attestation certificate parsing and validate for IC vts.

Browse source 
- Added attestation certificate parsing support.
 - Added various certificate conversion support.
 - Added certification verification support.
 - Added tests for the attestation certificate verification.
 - Updated the old tests to use the new attestation validation
   implementation.
 - Updated GenerateReaderCertificate to use pointer reader private key.

Bug: 154909726
Test: VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: Ibe770e6eaf0b0018d60876926d824204e4eaf732
Change-Id: I07c2eaf92ed60fa31761816c4b45684806c3305e
This commit is contained in:
Selene Huang 2020-05-29 15:43:11 -04:00 committed by David Zeuthen
parent 38ca6961e3
commit 57b3479394
5 changed files with 157 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
identity/aidl/vts/Android.bp
View file

@ -8,10 +8,16 @@ cc_test {
"VtsHalIdentityEndToEndTest.cpp", "VtsHalIdentityEndToEndTest.cpp",
"VtsIWritableIdentityCredentialTests.cpp", "VtsIWritableIdentityCredentialTests.cpp",
"VtsIdentityTestUtils.cpp", "VtsIdentityTestUtils.cpp",
"VtsAttestationTests.cpp",
"VtsAttestationParserSupport.cpp",
], ],
shared_libs: [ shared_libs: [
"android.hardware.keymaster@4.0",
"libbinder", "libbinder",
"libcrypto", "libcrypto",
"libkeymaster_portable",
"libsoft_attestation_cert",
"libpuresoftkeymasterdevice",
], ],
static_libs: [ static_libs: [
"libcppbor", "libcppbor",

21
identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
View file

@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
#define LOG_TAG "VtsHalIdentityTargetTest" #define LOG_TAG "VtsHalIdentityEndToEndTest"
#include <aidl/Gtest.h> #include <aidl/Gtest.h>
#include <aidl/Vintf.h> #include <aidl/Vintf.h>
@ -45,6 +45,8 @@ using ::android::binder::Status;
using ::android::hardware::keymaster::HardwareAuthToken; using ::android::hardware::keymaster::HardwareAuthToken;
using ::android::hardware::keymaster::VerificationToken; using ::android::hardware::keymaster::VerificationToken;
using test_utils::validateAttestationCertificate;
class IdentityAidl : public testing::TestWithParam<std::string> { class IdentityAidl : public testing::TestWithParam<std::string> {
public: public:
virtual void SetUp() override { virtual void SetUp() override {
@ -69,13 +71,13 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
// part of the request data. // part of the request data.
vector<uint8_t> readerKey; vector<uint8_t> readerKey;
optional<vector<uint8_t>> readerCertificate = optional<vector<uint8_t>> readerCertificate =
test_utils::GenerateReaderCertificate("1234", readerKey); test_utils::generateReaderCertificate("1234", &readerKey);
ASSERT_TRUE(readerCertificate); ASSERT_TRUE(readerCertificate);
// Make the portrait image really big (just shy of 256 KiB) to ensure that // Make the portrait image really big (just shy of 256 KiB) to ensure that
// the chunking code gets exercised. // the chunking code gets exercised.
vector<uint8_t> portraitImage; vector<uint8_t> portraitImage;
test_utils::SetImageData(portraitImage); test_utils::setImageData(portraitImage);
// Access control profiles: // Access control profiles:
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication) const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
@ -114,17 +116,16 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
string cborPretty; string cborPretty;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "attestationChallenge"; string challenge = "attestationChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk()) ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl; << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
ASSERT_EQ(binder::Status::EX_NONE, attData.result.exceptionCode());
ASSERT_EQ(IIdentityCredentialStore::STATUS_OK, attData.result.serviceSpecificErrorCode());
// TODO: set it to something random and check it's in the cert chain EXPECT_TRUE(validateAttestationCertificate(attData.attestationCertificate,
ASSERT_GE(attData.attestationCertificate.size(), 2); attData.attestationChallenge,
attData.attestationApplicationId, hwInfo));
// This is kinda of a hack but we need to give the size of // This is kinda of a hack but we need to give the size of
// ProofOfProvisioning that we'll expect to receive. // ProofOfProvisioning that we'll expect to receive.
@ -136,7 +137,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
.isOk()); .isOk());
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
// Uses TestEntryData* pointer as key and values are the encrypted blobs. This // Uses TestEntryData* pointer as key and values are the encrypted blobs. This
@ -144,7 +145,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs; map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries) { for (const auto& entry : testEntries) {
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
} }

98
identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
View file

@ -56,8 +56,12 @@ class IdentityCredentialTests : public testing::TestWithParam<string> {
TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) { TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {
Status result; Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
vector<uint8_t> attestationChallenge; vector<uint8_t> attestationChallenge;
vector<Certificate> attestationCertificate; vector<Certificate> attestationCertificate;
@ -68,13 +72,18 @@ TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate)); EXPECT_TRUE(test_utils::validateAttestationCertificate(
attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));
} }
TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) { TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {
Status result; Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1"; string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end()); vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
@ -87,17 +96,24 @@ TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate)); EXPECT_TRUE(test_utils::validateAttestationCertificate(
attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));
} }
TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) { TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
Status result; Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1"; string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(test_utils::ValidateAttestationCertificate(attData.attestationCertificate)); ASSERT_TRUE(test_utils::validateAttestationCertificate(
attData.attestationCertificate, attData.attestationChallenge,
attData.attestationApplicationId, hwInfo));
string challenge2 = "NotSoRandomChallenge2"; string challenge2 = "NotSoRandomChallenge2";
test_utils::AttestationData attData2(writableCredential, challenge2, {}); test_utils::AttestationData attData2(writableCredential, challenge2, {});
@ -110,7 +126,7 @@ TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
TEST_P(IdentityCredentialTests, verifyStartPersonalization) { TEST_P(IdentityCredentialTests, verifyStartPersonalization) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// First call should go through // First call should go through
const vector<int32_t> entryCounts = {2, 4}; const vector<int32_t> entryCounts = {2, 4};
@ -131,7 +147,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalization) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) { TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count // Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1, 1}; const vector<int32_t> entryCounts = {1, 1};
@ -143,7 +159,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) { TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {0}; const vector<int32_t> entryCounts = {0};
writableCredential->startPersonalization(0, entryCounts); writableCredential->startPersonalization(0, entryCounts);
@ -154,7 +170,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) { TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count // Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1}; const vector<int32_t> entryCounts = {1};
@ -166,7 +182,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) { TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify set a large number of profile count and entry count is ok // Verify set a large number of profile count and entry count is ok
const vector<int32_t> entryCounts = {3000}; const vector<int32_t> entryCounts = {3000};
@ -178,7 +194,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {
TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) { TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Enter mismatched entry and profile numbers // Enter mismatched entry and profile numbers
const vector<int32_t> entryCounts = {5, 6}; const vector<int32_t> entryCounts = {5, 6};
@ -186,7 +202,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
optional<vector<uint8_t>> readerCertificate = test_utils::GenerateReaderCertificate("12345"); optional<vector<uint8_t>> readerCertificate = test_utils::generateReaderCertificate("12345");
ASSERT_TRUE(readerCertificate); ASSERT_TRUE(readerCertificate);
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication) const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
@ -196,7 +212,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
{4, {}, false, 0}}; {4, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
vector<uint8_t> credentialData; vector<uint8_t> credentialData;
@ -205,7 +221,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature); writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// finishAddingEntries should fail because the number of addAccessControlProfile mismatched with // finishAddingEntries should fail because the number of addAccessControlProfile mismatched with
// startPersonalization, and begintest_utils::AddEntry was not called. // startPersonalization, and begintest_utils::addEntry was not called.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode()); EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
@ -215,7 +231,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
TEST_P(IdentityCredentialTests, verifyDuplicateProfileId) { TEST_P(IdentityCredentialTests, verifyDuplicateProfileId) {
Status result; Status result;
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {3, 6}; const vector<int32_t> entryCounts = {3, 6};
writableCredential->startPersonalization(3, entryCounts); writableCredential->startPersonalization(3, entryCounts);
@ -272,14 +288,14 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1"; string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk()) EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl; << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456"); optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1); ASSERT_TRUE(readerCertificate1);
const vector<int32_t> entryCounts = {1u}; const vector<int32_t> entryCounts = {1u};
@ -293,7 +309,7 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}}; const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}};
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = { const vector<test_utils::TestEntryData> testEntries1 = {
@ -302,7 +318,7 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs; map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) { for (const auto& entry : testEntries1) {
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
} }
@ -359,17 +375,17 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge"; string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk()) EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl; << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456"); optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1); ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 = test_utils::GenerateReaderCertificate("1256"); optional<vector<uint8_t>> readerCertificate2 = test_utils::generateReaderCertificate("1256");
ASSERT_TRUE(readerCertificate2); ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = { const vector<test_utils::TestProfile> testProfiles = {
@ -386,14 +402,14 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
<< endl; << endl;
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
vector<uint8_t> portraitImage1; vector<uint8_t> portraitImage1;
test_utils::SetImageData(portraitImage1); test_utils::setImageData(portraitImage1);
vector<uint8_t> portraitImage2; vector<uint8_t> portraitImage2;
test_utils::SetImageData(portraitImage2); test_utils::setImageData(portraitImage2);
const vector<test_utils::TestEntryData> testEntries1 = { const vector<test_utils::TestEntryData> testEntries1 = {
{"Name Space 1", "Last name", string("Turing"), vector<int32_t>{1, 2}}, {"Name Space 1", "Last name", string("Turing"), vector<int32_t>{1, 2}},
@ -411,7 +427,7 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs; map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) { for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
} }
@ -518,18 +534,18 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge"; string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk()) ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl; << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456"); optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1); ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 = optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987"); test_utils::generateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2); ASSERT_TRUE(readerCertificate2);
const vector<int32_t> entryCounts = {2u, 2u}; const vector<int32_t> entryCounts = {2u, 2u};
@ -547,7 +563,7 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
{2, {}, false, 0}}; {2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = { const vector<test_utils::TestEntryData> testEntries1 = {
@ -560,7 +576,7 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs; map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) { for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
} }
@ -580,7 +596,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk()); ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge"; string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {}); test_utils::AttestationData attData(writableCredential, challenge, {});
@ -596,11 +612,11 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456"); optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1); ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 = optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987"); test_utils::generateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2); ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0}, const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},
@ -608,7 +624,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
{2, {}, false, 0}}; {2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles = optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles); test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles); ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = { const vector<test_utils::TestEntryData> testEntries1 = {
@ -619,13 +635,13 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs; map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) { for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
} }
const test_utils::TestEntryData testEntry2 = {"Image", "Portrait image", string("asdfs"), const test_utils::TestEntryData testEntry2 = {"Image", "Portrait image", string("asdfs"),
vector<int32_t>{0, 1}}; vector<int32_t>{0, 1}};
EXPECT_TRUE(test_utils::AddEntry(writableCredential, testEntry2, hwInfo.dataChunkSize, EXPECT_TRUE(test_utils::addEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,
encryptedBlobs, true)); encryptedBlobs, true));
// We expect this to fail because the namespace is out of order, all "Name Space" // We expect this to fail because the namespace is out of order, all "Name Space"
@ -637,7 +653,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
}; };
for (const auto& entry : testEntries3) { for (const auto& entry : testEntries3) {
EXPECT_FALSE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize, EXPECT_FALSE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, false)); encryptedBlobs, false));
} }
@ -646,7 +662,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
result = result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature); writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// should fail because test_utils::AddEntry should have failed earlier. // should fail because test_utils::addEntry should have failed earlier.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage() EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl; << endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode()); EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
@ -655,7 +671,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
TEST_P(IdentityCredentialTests, verifyAccessControlProfileIdOutOfRange) { TEST_P(IdentityCredentialTests, verifyAccessControlProfileIdOutOfRange) {
sp<IWritableIdentityCredential> writableCredential; sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_)); ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {1}; const vector<int32_t> entryCounts = {1};
Status result = writableCredential->startPersonalization(1, entryCounts); Status result = writableCredential->startPersonalization(1, entryCounts);

86
identity/aidl/vts/VtsIdentityTestUtils.cpp
View file

@ -19,6 +19,8 @@
#include <aidl/Gtest.h> #include <aidl/Gtest.h>
#include <map> #include <map>
#include "VtsAttestationParserSupport.h"
namespace android::hardware::identity::test_utils { namespace android::hardware::identity::test_utils {
using std::endl; using std::endl;
@ -31,7 +33,7 @@ using ::android::sp;
using ::android::String16; using ::android::String16;
using ::android::binder::Status; using ::android::binder::Status;
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential, bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore) { sp<IIdentityCredentialStore>& credentialStore) {
if (credentialStore == nullptr) { if (credentialStore == nullptr) {
return false; return false;
@ -48,13 +50,13 @@ bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential
} }
} }
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal) { optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal) {
vector<uint8_t> privKey; vector<uint8_t> privKey;
return GenerateReaderCertificate(serialDecimal, privKey); return generateReaderCertificate(serialDecimal, &privKey);
} }
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal, optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey) { vector<uint8_t>* outReaderPrivateKey) {
optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair(); optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair();
if (!readerKeyPKCS8) { if (!readerKeyPKCS8) {
return {}; return {};
@ -67,7 +69,11 @@ optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
return {}; return {};
} }
readerPrivateKey = readerKey.value(); if (outReaderPrivateKey == nullptr) {
return {};
}
*outReaderPrivateKey = readerKey.value();
string issuer = "Android Open Source Project"; string issuer = "Android Open Source Project";
string subject = "Android IdentityCredential VTS Test"; string subject = "Android IdentityCredential VTS Test";
@ -79,7 +85,7 @@ optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
validityNotBefore, validityNotAfter); validityNotBefore, validityNotAfter);
} }
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles( optional<vector<SecureAccessControlProfile>> addAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential, sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles) { const vector<TestProfile>& testProfiles) {
Status result; Status result;
@ -120,7 +126,7 @@ optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
// Most test expects this function to pass. So we will print out additional // Most test expects this function to pass. So we will print out additional
// value if failed so more debug data can be provided. // value if failed so more debug data can be provided.
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry, bool addEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs, int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess) { bool expectSuccess) {
Status result; Status result;
@ -164,18 +170,70 @@ bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEnt
return true; return true;
} }
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates) { void setImageData(vector<uint8_t>& image) {
return (inputCertificates.size() >= 2);
// TODO: add parsing of the certificate and make sure it is genuine.
}
void SetImageData(vector<uint8_t>& image) {
image.resize(256 * 1024 - 10); image.resize(256 * 1024 - 10);
for (size_t n = 0; n < image.size(); n++) { for (size_t n = 0; n < image.size(); n++) {
image[n] = (uint8_t)n; image[n] = (uint8_t)n;
} }
} }
bool validateAttestationCertificate(const vector<Certificate>& inputCertificates,
const vector<uint8_t>& expectedChallenge,
const vector<uint8_t>& expectedAppId,
const HardwareInformation& hwInfo) {
AttestationCertificateParser certParser_(inputCertificates);
bool ret = certParser_.parse();
EXPECT_TRUE(ret);
if (!ret) {
return false;
}
// As per the IC HAL, the version of the Identity
// Credential HAL is 1.0 - and this is encoded as major*10 + minor. This field is used by
// Keymaster which is known to report integers less than or equal to 4 (for KM up to 4.0)
// and integers greater or equal than 41 (for KM starting with 4.1).
//
// Since we won't get to version 4.0 of the IC HAL for a while, let's also check that a KM
// version isn't errornously returned.
EXPECT_LE(10, certParser_.getKeymasterVersion());
EXPECT_GT(40, certParser_.getKeymasterVersion());
EXPECT_LE(3, certParser_.getAttestationVersion());
// Verify the app id matches to whatever we set it to be.
optional<vector<uint8_t>> appId =
certParser_.getSwEnforcedBlob(::keymaster::TAG_ATTESTATION_APPLICATION_ID);
if (appId) {
EXPECT_EQ(expectedAppId.size(), appId.value().size());
EXPECT_EQ(0, memcmp(expectedAppId.data(), appId.value().data(), expectedAppId.size()));
} else {
// app id not found
EXPECT_EQ(0, expectedAppId.size());
}
EXPECT_TRUE(certParser_.getHwEnforcedBool(::keymaster::TAG_IDENTITY_CREDENTIAL_KEY));
EXPECT_FALSE(certParser_.getHwEnforcedBool(::keymaster::TAG_INCLUDE_UNIQUE_ID));
// Verify the challenge always matches in size and data of what is passed
// in.
vector<uint8_t> attChallenge = certParser_.getAttestationChallenge();
EXPECT_EQ(expectedChallenge.size(), attChallenge.size());
EXPECT_EQ(0, memcmp(expectedChallenge.data(), attChallenge.data(), expectedChallenge.size()));
// Ensure the attestation conveys that it's implemented in secure hardware (with carve-out
// for the reference implementation which cannot be implemented in secure hardware).
if (hwInfo.credentialStoreName == "Identity Credential Reference Implementation" &&
hwInfo.credentialStoreAuthorName == "Google") {
EXPECT_LE(KM_SECURITY_LEVEL_SOFTWARE, certParser_.getKeymasterSecurityLevel());
EXPECT_LE(KM_SECURITY_LEVEL_SOFTWARE, certParser_.getAttestationSecurityLevel());
} else {
// Actual devices should use TrustedEnvironment or StrongBox.
EXPECT_LE(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, certParser_.getKeymasterSecurityLevel());
EXPECT_LE(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, certParser_.getAttestationSecurityLevel());
}
return true;
}
vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries) { vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries) {
vector<RequestNamespace> ret; vector<RequestNamespace> ret;
RequestNamespace curNs; RequestNamespace curNs;

19
identity/aidl/vts/VtsIdentityTestUtils.h
View file

@ -93,25 +93,28 @@ struct TestProfile {
uint64_t timeoutMillis; uint64_t timeoutMillis;
}; };
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential, bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore); sp<IIdentityCredentialStore>& credentialStore);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal); optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal, optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey); vector<uint8_t>* outReaderPrivateKey);
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles( optional<vector<SecureAccessControlProfile>> addAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential, sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles); const vector<TestProfile>& testProfiles);
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry, bool addEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs, int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess); bool expectSuccess);
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates); void setImageData(vector<uint8_t>& image);
void SetImageData(vector<uint8_t>& image); bool validateAttestationCertificate(const vector<Certificate>& inputCertificates,
const vector<uint8_t>& expectedChallenge,
const vector<uint8_t>& expectedAppId,
const HardwareInformation& hwInfo);
vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries); vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries);