tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add attestation certificate parsing and validate for IC vts.

Browse source 
- Added attestation certificate parsing support.
 - Added various certificate conversion support.
 - Added certification verification support.
 - Added tests for the attestation certificate verification.
 - Updated the old tests to use the new attestation validation
   implementation.
 - Updated GenerateReaderCertificate to use pointer reader private key.

Bug: 154909726
Test: VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Merged-In: Ibe770e6eaf0b0018d60876926d824204e4eaf732
Change-Id: I07c2eaf92ed60fa31761816c4b45684806c3305e
This commit is contained in:
Selene Huang 2020-05-29 15:43:11 -04:00 committed by David Zeuthen
parent 38ca6961e3
commit 57b3479394
5 changed files with 157 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
identity/aidl/vts/Android.bp
View file

@ -8,10 +8,16 @@ cc_test {
"VtsHalIdentityEndToEndTest.cpp",
"VtsIWritableIdentityCredentialTests.cpp",
"VtsIdentityTestUtils.cpp",
"VtsAttestationTests.cpp",
"VtsAttestationParserSupport.cpp",
],
shared_libs: [
"android.hardware.keymaster@4.0",
"libbinder",
"libcrypto",
"libkeymaster_portable",
"libsoft_attestation_cert",
"libpuresoftkeymasterdevice",
],
static_libs: [
"libcppbor",

21
identity/aidl/vts/VtsHalIdentityEndToEndTest.cpp
View file

@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "VtsHalIdentityTargetTest"
#define LOG_TAG "VtsHalIdentityEndToEndTest"
#include <aidl/Gtest.h>
#include <aidl/Vintf.h>
@ -45,6 +45,8 @@ using ::android::binder::Status;
using ::android::hardware::keymaster::HardwareAuthToken;
using ::android::hardware::keymaster::VerificationToken;
using test_utils::validateAttestationCertificate;
class IdentityAidl : public testing::TestWithParam<std::string> {
public:
virtual void SetUp() override {
@ -69,13 +71,13 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
// part of the request data.
vector<uint8_t> readerKey;
optional<vector<uint8_t>> readerCertificate =
test_utils::GenerateReaderCertificate("1234", readerKey);
test_utils::generateReaderCertificate("1234", &readerKey);
ASSERT_TRUE(readerCertificate);
// Make the portrait image really big (just shy of 256 KiB) to ensure that
// the chunking code gets exercised.
vector<uint8_t> portraitImage;
test_utils::SetImageData(portraitImage);
test_utils::setImageData(portraitImage);
// Access control profiles:
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
@ -114,17 +116,16 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
string cborPretty;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "attestationChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
ASSERT_EQ(binder::Status::EX_NONE, attData.result.exceptionCode());
ASSERT_EQ(IIdentityCredentialStore::STATUS_OK, attData.result.serviceSpecificErrorCode());
// TODO: set it to something random and check it's in the cert chain
ASSERT_GE(attData.attestationCertificate.size(), 2);
EXPECT_TRUE(validateAttestationCertificate(attData.attestationCertificate,
attData.attestationChallenge,
attData.attestationApplicationId, hwInfo));
// This is kinda of a hack but we need to give the size of
// ProofOfProvisioning that we'll expect to receive.
@ -136,7 +137,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
.isOk());
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
// Uses TestEntryData* pointer as key and values are the encrypted blobs. This
@ -144,7 +145,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries) {
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}

98
identity/aidl/vts/VtsIWritableIdentityCredentialTests.cpp
View file

@ -56,8 +56,12 @@ class IdentityCredentialTests : public testing::TestWithParam<string> {
TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
vector<uint8_t> attestationChallenge;
vector<Certificate> attestationCertificate;
@ -68,13 +72,18 @@ TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));
EXPECT_TRUE(test_utils::validateAttestationCertificate(
attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));
}
TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";
vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
@ -87,17 +96,24 @@ TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {
EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));
EXPECT_TRUE(test_utils::validateAttestationCertificate(
attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));
}
TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
Status result;
HardwareInformation hwInfo;
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(test_utils::ValidateAttestationCertificate(attData.attestationCertificate));
ASSERT_TRUE(test_utils::validateAttestationCertificate(
attData.attestationCertificate, attData.attestationChallenge,
attData.attestationApplicationId, hwInfo));
string challenge2 = "NotSoRandomChallenge2";
test_utils::AttestationData attData2(writableCredential, challenge2, {});
@ -110,7 +126,7 @@ TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {
TEST_P(IdentityCredentialTests, verifyStartPersonalization) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// First call should go through
const vector<int32_t> entryCounts = {2, 4};
@ -131,7 +147,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalization) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1, 1};
@ -143,7 +159,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {0};
writableCredential->startPersonalization(0, entryCounts);
@ -154,7 +170,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify minimal number of profile count and entry count
const vector<int32_t> entryCounts = {1};
@ -166,7 +182,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {
TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Verify set a large number of profile count and entry count is ok
const vector<int32_t> entryCounts = {3000};
@ -178,7 +194,7 @@ TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {
TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
// Enter mismatched entry and profile numbers
const vector<int32_t> entryCounts = {5, 6};
@ -186,7 +202,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate = test_utils::GenerateReaderCertificate("12345");
optional<vector<uint8_t>> readerCertificate = test_utils::generateReaderCertificate("12345");
ASSERT_TRUE(readerCertificate);
const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)
@ -196,7 +212,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
{4, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
vector<uint8_t> credentialData;
@ -205,7 +221,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// finishAddingEntries should fail because the number of addAccessControlProfile mismatched with
// startPersonalization, and begintest_utils::AddEntry was not called.
// startPersonalization, and begintest_utils::addEntry was not called.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
@ -215,7 +231,7 @@ TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {
TEST_P(IdentityCredentialTests, verifyDuplicateProfileId) {
Status result;
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {3, 6};
writableCredential->startPersonalization(3, entryCounts);
@ -272,14 +288,14 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge1";
test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
const vector<int32_t> entryCounts = {1u};
@ -293,7 +309,7 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
@ -302,7 +318,7 @@ TEST_P(IdentityCredentialTests, verifyOneProfileAndEntryPass) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
@ -359,17 +375,17 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
EXPECT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 = test_utils::GenerateReaderCertificate("1256");
optional<vector<uint8_t>> readerCertificate2 = test_utils::generateReaderCertificate("1256");
ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {
@ -386,14 +402,14 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
<< endl;
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
vector<uint8_t> portraitImage1;
test_utils::SetImageData(portraitImage1);
test_utils::setImageData(portraitImage1);
vector<uint8_t> portraitImage2;
test_utils::SetImageData(portraitImage2);
test_utils::setImageData(portraitImage2);
const vector<test_utils::TestEntryData> testEntries1 = {
{"Name Space 1", "Last name", string("Turing"), vector<int32_t>{1, 2}},
@ -411,7 +427,7 @@ TEST_P(IdentityCredentialTests, verifyManyProfilesAndEntriesPass) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
@ -518,18 +534,18 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
ASSERT_TRUE(attData.result.isOk())
<< attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987");
test_utils::generateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2);
const vector<int32_t> entryCounts = {2u, 2u};
@ -547,7 +563,7 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
{2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
@ -560,7 +576,7 @@ TEST_P(IdentityCredentialTests, verifyEmptyNameSpaceMixedWithNonEmptyWorks) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
@ -580,7 +596,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
string challenge = "NotSoRandomChallenge";
test_utils::AttestationData attData(writableCredential, challenge, {});
@ -596,11 +612,11 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");
optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");
ASSERT_TRUE(readerCertificate1);
optional<vector<uint8_t>> readerCertificate2 =
test_utils::GenerateReaderCertificate("123456987987987987987987");
test_utils::generateReaderCertificate("123456987987987987987987");
ASSERT_TRUE(readerCertificate2);
const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},
@ -608,7 +624,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
{2, {}, false, 0}};
optional<vector<SecureAccessControlProfile>> secureProfiles =
test_utils::AddAccessControlProfiles(writableCredential, testProfiles);
test_utils::addAccessControlProfiles(writableCredential, testProfiles);
ASSERT_TRUE(secureProfiles);
const vector<test_utils::TestEntryData> testEntries1 = {
@ -619,13 +635,13 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
for (const auto& entry : testEntries1) {
EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, true));
}
const test_utils::TestEntryData testEntry2 = {"Image", "Portrait image", string("asdfs"),
vector<int32_t>{0, 1}};
EXPECT_TRUE(test_utils::AddEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,
EXPECT_TRUE(test_utils::addEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,
encryptedBlobs, true));
// We expect this to fail because the namespace is out of order, all "Name Space"
@ -637,7 +653,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
};
for (const auto& entry : testEntries3) {
EXPECT_FALSE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,
EXPECT_FALSE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,
encryptedBlobs, false));
}
@ -646,7 +662,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
result =
writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
// should fail because test_utils::AddEntry should have failed earlier.
// should fail because test_utils::addEntry should have failed earlier.
EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()
<< endl;
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
@ -655,7 +671,7 @@ TEST_P(IdentityCredentialTests, verifyInterleavingEntryNameSpaceOrderingFails) {
TEST_P(IdentityCredentialTests, verifyAccessControlProfileIdOutOfRange) {
sp<IWritableIdentityCredential> writableCredential;
ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));
ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));
const vector<int32_t> entryCounts = {1};
Status result = writableCredential->startPersonalization(1, entryCounts);

86
identity/aidl/vts/VtsIdentityTestUtils.cpp
View file

@ -19,6 +19,8 @@
#include <aidl/Gtest.h>
#include <map>
#include "VtsAttestationParserSupport.h"
namespace android::hardware::identity::test_utils {
using std::endl;
@ -31,7 +33,7 @@ using ::android::sp;
using ::android::String16;
using ::android::binder::Status;
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore) {
if (credentialStore == nullptr) {
return false;
@ -48,13 +50,13 @@ bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential
}
}
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal) {
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal) {
vector<uint8_t> privKey;
return GenerateReaderCertificate(serialDecimal, privKey);
return generateReaderCertificate(serialDecimal, &privKey);
}
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey) {
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
vector<uint8_t>* outReaderPrivateKey) {
optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair();
if (!readerKeyPKCS8) {
return {};
@ -67,7 +69,11 @@ optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
return {};
}
readerPrivateKey = readerKey.value();
if (outReaderPrivateKey == nullptr) {
return {};
}
*outReaderPrivateKey = readerKey.value();
string issuer = "Android Open Source Project";
string subject = "Android IdentityCredential VTS Test";
@ -79,7 +85,7 @@ optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
validityNotBefore, validityNotAfter);
}
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
optional<vector<SecureAccessControlProfile>> addAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles) {
Status result;
@ -120,7 +126,7 @@ optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
// Most test expects this function to pass. So we will print out additional
// value if failed so more debug data can be provided.
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
bool addEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess) {
Status result;
@ -164,18 +170,70 @@ bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEnt
return true;
}
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates) {
return (inputCertificates.size() >= 2);
// TODO: add parsing of the certificate and make sure it is genuine.
}
void SetImageData(vector<uint8_t>& image) {
void setImageData(vector<uint8_t>& image) {
image.resize(256 * 1024 - 10);
for (size_t n = 0; n < image.size(); n++) {
image[n] = (uint8_t)n;
}
}
bool validateAttestationCertificate(const vector<Certificate>& inputCertificates,
const vector<uint8_t>& expectedChallenge,
const vector<uint8_t>& expectedAppId,
const HardwareInformation& hwInfo) {
AttestationCertificateParser certParser_(inputCertificates);
bool ret = certParser_.parse();
EXPECT_TRUE(ret);
if (!ret) {
return false;
}
// As per the IC HAL, the version of the Identity
// Credential HAL is 1.0 - and this is encoded as major*10 + minor. This field is used by
// Keymaster which is known to report integers less than or equal to 4 (for KM up to 4.0)
// and integers greater or equal than 41 (for KM starting with 4.1).
//
// Since we won't get to version 4.0 of the IC HAL for a while, let's also check that a KM
// version isn't errornously returned.
EXPECT_LE(10, certParser_.getKeymasterVersion());
EXPECT_GT(40, certParser_.getKeymasterVersion());
EXPECT_LE(3, certParser_.getAttestationVersion());
// Verify the app id matches to whatever we set it to be.
optional<vector<uint8_t>> appId =
certParser_.getSwEnforcedBlob(::keymaster::TAG_ATTESTATION_APPLICATION_ID);
if (appId) {
EXPECT_EQ(expectedAppId.size(), appId.value().size());
EXPECT_EQ(0, memcmp(expectedAppId.data(), appId.value().data(), expectedAppId.size()));
} else {
// app id not found
EXPECT_EQ(0, expectedAppId.size());
}
EXPECT_TRUE(certParser_.getHwEnforcedBool(::keymaster::TAG_IDENTITY_CREDENTIAL_KEY));
EXPECT_FALSE(certParser_.getHwEnforcedBool(::keymaster::TAG_INCLUDE_UNIQUE_ID));
// Verify the challenge always matches in size and data of what is passed
// in.
vector<uint8_t> attChallenge = certParser_.getAttestationChallenge();
EXPECT_EQ(expectedChallenge.size(), attChallenge.size());
EXPECT_EQ(0, memcmp(expectedChallenge.data(), attChallenge.data(), expectedChallenge.size()));
// Ensure the attestation conveys that it's implemented in secure hardware (with carve-out
// for the reference implementation which cannot be implemented in secure hardware).
if (hwInfo.credentialStoreName == "Identity Credential Reference Implementation" &&
hwInfo.credentialStoreAuthorName == "Google") {
EXPECT_LE(KM_SECURITY_LEVEL_SOFTWARE, certParser_.getKeymasterSecurityLevel());
EXPECT_LE(KM_SECURITY_LEVEL_SOFTWARE, certParser_.getAttestationSecurityLevel());
} else {
// Actual devices should use TrustedEnvironment or StrongBox.
EXPECT_LE(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, certParser_.getKeymasterSecurityLevel());
EXPECT_LE(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, certParser_.getAttestationSecurityLevel());
}
return true;
}
vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries) {
vector<RequestNamespace> ret;
RequestNamespace curNs;

19
identity/aidl/vts/VtsIdentityTestUtils.h
View file

@ -93,25 +93,28 @@ struct TestProfile {
uint64_t timeoutMillis;
};
bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,
sp<IIdentityCredentialStore>& credentialStore);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal);
optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,
vector<uint8_t>& readerPrivateKey);
optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,
vector<uint8_t>* outReaderPrivateKey);
optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(
optional<vector<SecureAccessControlProfile>> addAccessControlProfiles(
sp<IWritableIdentityCredential>& writableCredential,
const vector<TestProfile>& testProfiles);
bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
bool addEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,
int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,
bool expectSuccess);
bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates);
void setImageData(vector<uint8_t>& image);
void SetImageData(vector<uint8_t>& image);
bool validateAttestationCertificate(const vector<Certificate>& inputCertificates,
const vector<uint8_t>& expectedChallenge,
const vector<uint8_t>& expectedAppId,
const HardwareInformation& hwInfo);
vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries);