Merge "Secretkeeper: move VTS to rdroidtest" into main am: 2796188ec6
am: 3079b96051
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2885128 Change-Id: Ia658023b52eef698aa53e04c910a9b392975e207 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
7e3ebb4582
2 changed files with 79 additions and 162 deletions
|
@ -21,6 +21,9 @@ package {
|
||||||
rust_test {
|
rust_test {
|
||||||
name: "VtsSecretkeeperTargetTest",
|
name: "VtsSecretkeeperTargetTest",
|
||||||
srcs: ["secretkeeper_test_client.rs"],
|
srcs: ["secretkeeper_test_client.rs"],
|
||||||
|
defaults: [
|
||||||
|
"rdroidtest.defaults",
|
||||||
|
],
|
||||||
test_suites: [
|
test_suites: [
|
||||||
"general-tests",
|
"general-tests",
|
||||||
"vts",
|
"vts",
|
||||||
|
@ -38,7 +41,6 @@ rust_test {
|
||||||
"libbinder_rs",
|
"libbinder_rs",
|
||||||
"libcoset",
|
"libcoset",
|
||||||
"liblog_rust",
|
"liblog_rust",
|
||||||
"liblogger",
|
|
||||||
],
|
],
|
||||||
require_root: true,
|
require_root: true,
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,14 +16,13 @@
|
||||||
|
|
||||||
#![cfg(test)]
|
#![cfg(test)]
|
||||||
|
|
||||||
|
use rdroidtest_macro::{ignore_if, rdroidtest};
|
||||||
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::ISecretkeeper;
|
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::ISecretkeeper;
|
||||||
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::SecretId::SecretId;
|
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::SecretId::SecretId;
|
||||||
use authgraph_vts_test as ag_vts;
|
use authgraph_vts_test as ag_vts;
|
||||||
use authgraph_boringssl as boring;
|
use authgraph_boringssl as boring;
|
||||||
use authgraph_core::key;
|
use authgraph_core::key;
|
||||||
use binder::StatusCode;
|
|
||||||
use coset::{CborSerializable, CoseEncrypt0};
|
use coset::{CborSerializable, CoseEncrypt0};
|
||||||
use log::{info, warn};
|
|
||||||
use secretkeeper_client::SkSession;
|
use secretkeeper_client::SkSession;
|
||||||
use secretkeeper_core::cipher;
|
use secretkeeper_core::cipher;
|
||||||
use secretkeeper_comm::data_types::error::SecretkeeperError;
|
use secretkeeper_comm::data_types::error::SecretkeeperError;
|
||||||
|
@ -36,7 +35,6 @@ use secretkeeper_comm::data_types::response::Response;
|
||||||
use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType};
|
use secretkeeper_comm::data_types::packet::{ResponsePacket, ResponseType};
|
||||||
|
|
||||||
const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper";
|
const SECRETKEEPER_SERVICE: &str = "android.hardware.security.secretkeeper.ISecretkeeper";
|
||||||
const SECRETKEEPER_INSTANCES: [&'static str; 2] = ["default", "nonsecure"];
|
|
||||||
const CURRENT_VERSION: u64 = 1;
|
const CURRENT_VERSION: u64 = 1;
|
||||||
|
|
||||||
// TODO(b/291238565): This will change once libdice_policy switches to Explicit-key DiceCertChain
|
// TODO(b/291238565): This will change once libdice_policy switches to Explicit-key DiceCertChain
|
||||||
|
@ -72,58 +70,23 @@ const SECRET_EXAMPLE: Secret = Secret([
|
||||||
0x06, 0xAC, 0x36, 0x8B, 0x3C, 0x95, 0x50, 0x16, 0x67, 0x71, 0x65, 0x26, 0xEB, 0xD0, 0xC3, 0x98,
|
0x06, 0xAC, 0x36, 0x8B, 0x3C, 0x95, 0x50, 0x16, 0x67, 0x71, 0x65, 0x26, 0xEB, 0xD0, 0xC3, 0x98,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
fn get_connection() -> Option<(binder::Strong<dyn ISecretkeeper>, String)> {
|
fn get_instances() -> Vec<(String, String)> {
|
||||||
// Initialize logging (which is OK to call multiple times).
|
|
||||||
logger::init(logger::Config::default().with_min_level(log::Level::Debug));
|
|
||||||
|
|
||||||
// Determine which instances are available.
|
// Determine which instances are available.
|
||||||
let available = binder::get_declared_instances(SECRETKEEPER_SERVICE).unwrap_or_default();
|
binder::get_declared_instances(SECRETKEEPER_SERVICE)
|
||||||
|
.unwrap_or_default()
|
||||||
// TODO: replace this with a parameterized set of tests that run for each available instance of
|
.into_iter()
|
||||||
// ISecretkeeper (rather than having a fixed set of instance names to look for).
|
.map(|v| (v.clone(), v))
|
||||||
for instance in &SECRETKEEPER_INSTANCES {
|
.collect()
|
||||||
if available.iter().find(|s| s == instance).is_none() {
|
|
||||||
// Skip undeclared instances.
|
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn get_connection(instance: &str) -> binder::Strong<dyn ISecretkeeper> {
|
||||||
let name = format!("{SECRETKEEPER_SERVICE}/{instance}");
|
let name = format!("{SECRETKEEPER_SERVICE}/{instance}");
|
||||||
match binder::get_interface(&name) {
|
binder::get_interface(&name).unwrap()
|
||||||
Ok(sk) => {
|
|
||||||
info!("Running test against /{instance}");
|
|
||||||
return Some((sk, name));
|
|
||||||
}
|
|
||||||
Err(StatusCode::NAME_NOT_FOUND) => {
|
|
||||||
info!("No /{instance} instance of ISecretkeeper present");
|
|
||||||
}
|
|
||||||
Err(e) => {
|
|
||||||
panic!(
|
|
||||||
"unexpected error while fetching connection to Secretkeeper {:?}",
|
|
||||||
e
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
info!("no Secretkeeper instances in {SECRETKEEPER_INSTANCES:?} are declared and present");
|
|
||||||
None
|
|
||||||
}
|
|
||||||
|
|
||||||
/// Macro to perform test setup. Invokes `return` if no Secretkeeper instance available.
|
|
||||||
macro_rules! setup_client {
|
|
||||||
{} => {
|
|
||||||
match SkClient::new() {
|
|
||||||
Some(sk) => sk,
|
|
||||||
None => {
|
|
||||||
warn!("Secretkeeper HAL is unavailable, skipping test");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Secretkeeper client information.
|
/// Secretkeeper client information.
|
||||||
struct SkClient {
|
struct SkClient {
|
||||||
sk: binder::Strong<dyn ISecretkeeper>,
|
sk: binder::Strong<dyn ISecretkeeper>,
|
||||||
name: String,
|
|
||||||
session: SkSession,
|
session: SkSession,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -135,13 +98,9 @@ impl Drop for SkClient {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl SkClient {
|
impl SkClient {
|
||||||
fn new() -> Option<Self> {
|
fn new(instance: &str) -> Self {
|
||||||
let (sk, name) = get_connection()?;
|
let sk = get_connection(instance);
|
||||||
Some(Self {
|
Self { sk: sk.clone(), session: SkSession::new(sk).unwrap() }
|
||||||
sk: sk.clone(),
|
|
||||||
name,
|
|
||||||
session: SkSession::new(sk).unwrap(),
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// This method is wrapper that use `SkSession::secret_management_request` which handles
|
/// This method is wrapper that use `SkSession::secret_management_request` which handles
|
||||||
|
@ -172,10 +131,7 @@ impl SkClient {
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
// Binder call!
|
// Binder call!
|
||||||
let response_bytes = self
|
let response_bytes = self.sk.processSecretManagementRequest(&request_bytes).unwrap();
|
||||||
.sk
|
|
||||||
.processSecretManagementRequest(&request_bytes)
|
|
||||||
.unwrap();
|
|
||||||
|
|
||||||
let response_encrypt0 = CoseEncrypt0::from_slice(&response_bytes).unwrap();
|
let response_encrypt0 = CoseEncrypt0::from_slice(&response_bytes).unwrap();
|
||||||
cipher::decrypt_message(
|
cipher::decrypt_message(
|
||||||
|
@ -199,20 +155,14 @@ impl SkClient {
|
||||||
let store_response = self.secret_management_request(&store_request);
|
let store_response = self.secret_management_request(&store_request);
|
||||||
let store_response = ResponsePacket::from_slice(&store_response).unwrap();
|
let store_response = ResponsePacket::from_slice(&store_response).unwrap();
|
||||||
|
|
||||||
assert_eq!(
|
assert_eq!(store_response.response_type().unwrap(), ResponseType::Success);
|
||||||
store_response.response_type().unwrap(),
|
|
||||||
ResponseType::Success
|
|
||||||
);
|
|
||||||
// Really just checking that the response is indeed StoreSecretResponse
|
// Really just checking that the response is indeed StoreSecretResponse
|
||||||
let _ = StoreSecretResponse::deserialize_from_packet(store_response).unwrap();
|
let _ = StoreSecretResponse::deserialize_from_packet(store_response).unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Helper method to get a secret.
|
/// Helper method to get a secret.
|
||||||
fn get(&mut self, id: &Id) -> Option<Secret> {
|
fn get(&mut self, id: &Id) -> Option<Secret> {
|
||||||
let get_request = GetSecretRequest {
|
let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy: None };
|
||||||
id: id.clone(),
|
|
||||||
updated_sealing_policy: None,
|
|
||||||
};
|
|
||||||
let get_request = get_request.serialize_to_packet().to_vec().unwrap();
|
let get_request = get_request.serialize_to_packet().to_vec().unwrap();
|
||||||
|
|
||||||
let get_response = self.secret_management_request(&get_request);
|
let get_response = self.secret_management_request(&get_request);
|
||||||
|
@ -231,10 +181,7 @@ impl SkClient {
|
||||||
|
|
||||||
/// Helper method to delete secrets.
|
/// Helper method to delete secrets.
|
||||||
fn delete(&self, ids: &[&Id]) {
|
fn delete(&self, ids: &[&Id]) {
|
||||||
let ids: Vec<SecretId> = ids
|
let ids: Vec<SecretId> = ids.iter().map(|id| SecretId { id: id.0 }).collect();
|
||||||
.iter()
|
|
||||||
.map(|id| SecretId { id: id.0 })
|
|
||||||
.collect();
|
|
||||||
self.sk.deleteIds(&ids).unwrap();
|
self.sk.deleteIds(&ids).unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -251,47 +198,29 @@ fn authgraph_key_exchange(sk: binder::Strong<dyn ISecretkeeper>) -> ([key::AesKe
|
||||||
ag_vts::sink::test_mainline(&mut source, sink)
|
ag_vts::sink::test_mainline(&mut source, sink)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Test that the AuthGraph instance returned by SecretKeeper correctly performs
|
// Test that the AuthGraph instance returned by SecretKeeper correctly performs
|
||||||
/// mainline key exchange against a local source implementation.
|
// mainline key exchange against a local source implementation.
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn authgraph_mainline() {
|
fn authgraph_mainline(instance: String) {
|
||||||
let (sk, _) = match get_connection() {
|
let sk = get_connection(&instance);
|
||||||
Some(sk) => sk,
|
|
||||||
None => {
|
|
||||||
warn!("Secretkeeper HAL is unavailable, skipping test");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
let (_aes_keys, _session_id) = authgraph_key_exchange(sk);
|
let (_aes_keys, _session_id) = authgraph_key_exchange(sk);
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Test that the AuthGraph instance returned by SecretKeeper correctly rejects
|
// Test that the AuthGraph instance returned by SecretKeeper correctly rejects
|
||||||
/// a corrupted session ID signature.
|
// a corrupted session ID signature.
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn authgraph_corrupt_sig() {
|
fn authgraph_corrupt_sig(instance: String) {
|
||||||
let (sk, _) = match get_connection() {
|
let sk = get_connection(&instance);
|
||||||
Some(sk) => sk,
|
|
||||||
None => {
|
|
||||||
warn!("Secretkeeper HAL is unavailable, skipping test");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
|
let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
|
||||||
let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
|
let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
|
||||||
ag_vts::sink::test_corrupt_sig(&mut source, sink);
|
ag_vts::sink::test_corrupt_sig(&mut source, sink);
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Test that the AuthGraph instance returned by SecretKeeper correctly detects
|
// Test that the AuthGraph instance returned by SecretKeeper correctly detects
|
||||||
/// when corrupted keys are returned to it.
|
// when corrupted keys are returned to it.
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn authgraph_corrupt_keys() {
|
fn authgraph_corrupt_keys(instance: String) {
|
||||||
let (sk, _) = match get_connection() {
|
let sk = get_connection(&instance);
|
||||||
Some(sk) => sk,
|
|
||||||
None => {
|
|
||||||
warn!("Secretkeeper HAL is unavailable, skipping test");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
|
let sink = sk.getAuthGraphKe().expect("failed to get AuthGraph");
|
||||||
let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
|
let mut source = ag_vts::test_ag_participant().expect("failed to create a local source");
|
||||||
ag_vts::sink::test_corrupt_keys(&mut source, sink);
|
ag_vts::sink::test_corrupt_keys(&mut source, sink);
|
||||||
|
@ -300,9 +229,9 @@ fn authgraph_corrupt_keys() {
|
||||||
// TODO(b/2797757): Add tests that match different HAL defined objects (like request/response)
|
// TODO(b/2797757): Add tests that match different HAL defined objects (like request/response)
|
||||||
// with expected bytes.
|
// with expected bytes.
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_get_version() {
|
fn secret_management_get_version(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
let request = GetVersionRequest {};
|
let request = GetVersionRequest {};
|
||||||
let request_packet = request.serialize_to_packet();
|
let request_packet = request.serialize_to_packet();
|
||||||
|
@ -311,18 +240,15 @@ fn secret_management_get_version() {
|
||||||
let response_bytes = sk_client.secret_management_request(&request_bytes);
|
let response_bytes = sk_client.secret_management_request(&request_bytes);
|
||||||
|
|
||||||
let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
|
let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
|
||||||
assert_eq!(
|
assert_eq!(response_packet.response_type().unwrap(), ResponseType::Success);
|
||||||
response_packet.response_type().unwrap(),
|
|
||||||
ResponseType::Success
|
|
||||||
);
|
|
||||||
let get_version_response =
|
let get_version_response =
|
||||||
*GetVersionResponse::deserialize_from_packet(response_packet).unwrap();
|
*GetVersionResponse::deserialize_from_packet(response_packet).unwrap();
|
||||||
assert_eq!(get_version_response.version, CURRENT_VERSION);
|
assert_eq!(get_version_response.version, CURRENT_VERSION);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_malformed_request() {
|
fn secret_management_malformed_request(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
let request = GetVersionRequest {};
|
let request = GetVersionRequest {};
|
||||||
let request_packet = request.serialize_to_packet();
|
let request_packet = request.serialize_to_packet();
|
||||||
|
@ -334,17 +260,14 @@ fn secret_management_malformed_request() {
|
||||||
let response_bytes = sk_client.secret_management_request(&request_bytes);
|
let response_bytes = sk_client.secret_management_request(&request_bytes);
|
||||||
|
|
||||||
let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
|
let response_packet = ResponsePacket::from_slice(&response_bytes).unwrap();
|
||||||
assert_eq!(
|
assert_eq!(response_packet.response_type().unwrap(), ResponseType::Error);
|
||||||
response_packet.response_type().unwrap(),
|
|
||||||
ResponseType::Error
|
|
||||||
);
|
|
||||||
let err = *SecretkeeperError::deserialize_from_packet(response_packet).unwrap();
|
let err = *SecretkeeperError::deserialize_from_packet(response_packet).unwrap();
|
||||||
assert_eq!(err, SecretkeeperError::RequestMalformed);
|
assert_eq!(err, SecretkeeperError::RequestMalformed);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_store_get_secret_found() {
|
fn secret_management_store_get_secret_found(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
|
|
||||||
|
@ -352,9 +275,9 @@ fn secret_management_store_get_secret_found() {
|
||||||
assert_eq!(sk_client.get(&ID_EXAMPLE), Some(SECRET_EXAMPLE));
|
assert_eq!(sk_client.get(&ID_EXAMPLE), Some(SECRET_EXAMPLE));
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_store_get_secret_not_found() {
|
fn secret_management_store_get_secret_not_found(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
// Store a secret (corresponding to an id).
|
// Store a secret (corresponding to an id).
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
|
@ -363,9 +286,9 @@ fn secret_management_store_get_secret_not_found() {
|
||||||
assert_eq!(sk_client.get(&ID_NOT_STORED), None);
|
assert_eq!(sk_client.get(&ID_NOT_STORED), None);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secretkeeper_store_delete_ids() {
|
fn secretkeeper_store_delete_ids(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
||||||
|
@ -380,9 +303,9 @@ fn secretkeeper_store_delete_ids() {
|
||||||
assert_eq!(sk_client.get(&ID_EXAMPLE_2), None);
|
assert_eq!(sk_client.get(&ID_EXAMPLE_2), None);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secretkeeper_store_delete_multiple_ids() {
|
fn secretkeeper_store_delete_multiple_ids(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
||||||
|
@ -391,10 +314,9 @@ fn secretkeeper_store_delete_multiple_ids() {
|
||||||
assert_eq!(sk_client.get(&ID_EXAMPLE), None);
|
assert_eq!(sk_client.get(&ID_EXAMPLE), None);
|
||||||
assert_eq!(sk_client.get(&ID_EXAMPLE_2), None);
|
assert_eq!(sk_client.get(&ID_EXAMPLE_2), None);
|
||||||
}
|
}
|
||||||
|
#[rdroidtest(get_instances())]
|
||||||
#[test]
|
fn secretkeeper_store_delete_duplicate_ids(instance: String) {
|
||||||
fn secretkeeper_store_delete_duplicate_ids() {
|
let mut sk_client = SkClient::new(&instance);
|
||||||
let mut sk_client = setup_client!();
|
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
||||||
|
@ -405,9 +327,9 @@ fn secretkeeper_store_delete_duplicate_ids() {
|
||||||
assert_eq!(sk_client.get(&ID_EXAMPLE_2), Some(SECRET_EXAMPLE));
|
assert_eq!(sk_client.get(&ID_EXAMPLE_2), Some(SECRET_EXAMPLE));
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secretkeeper_store_delete_nonexistent() {
|
fn secretkeeper_store_delete_nonexistent(instance: String) {
|
||||||
let mut sk_client = setup_client!();
|
let mut sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
||||||
|
@ -418,16 +340,11 @@ fn secretkeeper_store_delete_nonexistent() {
|
||||||
assert_eq!(sk_client.get(&ID_NOT_STORED), None);
|
assert_eq!(sk_client.get(&ID_NOT_STORED), None);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
// Don't run deleteAll() on a secure device, as it might affect real secrets.
|
||||||
fn secretkeeper_store_delete_all() {
|
#[rdroidtest(get_instances())]
|
||||||
let mut sk_client = setup_client!();
|
#[ignore_if(|p| p != "nonsecure")]
|
||||||
|
fn secretkeeper_store_delete_all(instance: String) {
|
||||||
if sk_client.name != "nonsecure" {
|
let mut sk_client = SkClient::new(&instance);
|
||||||
// Don't run deleteAll() on a secure device, as it might affect
|
|
||||||
// real secrets.
|
|
||||||
warn!("skipping deleteAll test due to real impl");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE);
|
||||||
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
sk_client.store(&ID_EXAMPLE_2, &SECRET_EXAMPLE);
|
||||||
|
@ -450,9 +367,9 @@ fn secretkeeper_store_delete_all() {
|
||||||
// This test checks that Secretkeeper uses the expected [`RequestSeqNum`] as aad while
|
// This test checks that Secretkeeper uses the expected [`RequestSeqNum`] as aad while
|
||||||
// decrypting requests and the responses are encrypted with correct [`ResponseSeqNum`] for the
|
// decrypting requests and the responses are encrypted with correct [`ResponseSeqNum`] for the
|
||||||
// first few messages.
|
// first few messages.
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_replay_protection_seq_num() {
|
fn secret_management_replay_protection_seq_num(instance: String) {
|
||||||
let sk_client = setup_client!();
|
let sk_client = SkClient::new(&instance);
|
||||||
// Construct encoded request packets for the test
|
// Construct encoded request packets for the test
|
||||||
let (req_1, req_2, req_3) = construct_secret_management_requests();
|
let (req_1, req_2, req_3) = construct_secret_management_requests();
|
||||||
|
|
||||||
|
@ -484,9 +401,9 @@ fn secret_management_replay_protection_seq_num() {
|
||||||
|
|
||||||
// This test checks that Secretkeeper uses fresh [`RequestSeqNum`] & [`ResponseSeqNum`]
|
// This test checks that Secretkeeper uses fresh [`RequestSeqNum`] & [`ResponseSeqNum`]
|
||||||
// for new sessions.
|
// for new sessions.
|
||||||
#[test]
|
#[rdroidtest(get_instances())]
|
||||||
fn secret_management_replay_protection_seq_num_per_session() {
|
fn secret_management_replay_protection_seq_num_per_session(instance: String) {
|
||||||
let sk_client = setup_client!();
|
let sk_client = SkClient::new(&instance);
|
||||||
|
|
||||||
// Construct encoded request packets for the test
|
// Construct encoded request packets for the test
|
||||||
let (req_1, _, _) = construct_secret_management_requests();
|
let (req_1, _, _) = construct_secret_management_requests();
|
||||||
|
@ -502,7 +419,7 @@ fn secret_management_replay_protection_seq_num_per_session() {
|
||||||
assert_eq!(res.response_type().unwrap(), ResponseType::Success);
|
assert_eq!(res.response_type().unwrap(), ResponseType::Success);
|
||||||
|
|
||||||
// Start another session
|
// Start another session
|
||||||
let sk_client_diff = setup_client!();
|
let sk_client_diff = SkClient::new(&instance);
|
||||||
// Check first request/response is with seq_0 is successful
|
// Check first request/response is with seq_0 is successful
|
||||||
let res = ResponsePacket::from_slice(
|
let res = ResponsePacket::from_slice(
|
||||||
&sk_client_diff.secret_management_request_custom_aad(&req_1, &seq_0, &seq_0),
|
&sk_client_diff.secret_management_request_custom_aad(&req_1, &seq_0, &seq_0),
|
||||||
|
@ -512,12 +429,11 @@ fn secret_management_replay_protection_seq_num_per_session() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// This test checks that Secretkeeper rejects requests with out of order [`RequestSeqNum`]
|
// This test checks that Secretkeeper rejects requests with out of order [`RequestSeqNum`]
|
||||||
#[test]
|
|
||||||
// TODO(b/317416663): This test fails, when HAL is not present in the device. Refactor to fix this.
|
// TODO(b/317416663): This test fails, when HAL is not present in the device. Refactor to fix this.
|
||||||
|
#[rdroidtest(get_instances())]
|
||||||
#[ignore]
|
#[ignore]
|
||||||
#[should_panic]
|
fn secret_management_replay_protection_out_of_seq_req_not_accepted(instance: String) {
|
||||||
fn secret_management_replay_protection_out_of_seq_req_not_accepted() {
|
let sk_client = SkClient::new(&instance);
|
||||||
let sk_client = setup_client!();
|
|
||||||
|
|
||||||
// Construct encoded request packets for the test
|
// Construct encoded request packets for the test
|
||||||
let (req_1, req_2, _) = construct_secret_management_requests();
|
let (req_1, req_2, _) = construct_secret_management_requests();
|
||||||
|
@ -543,10 +459,9 @@ fn construct_secret_management_requests() -> (Vec<u8>, Vec<u8>, Vec<u8>) {
|
||||||
sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
|
sealing_policy: HYPOTHETICAL_DICE_POLICY.to_vec(),
|
||||||
};
|
};
|
||||||
let store_request = store_request.serialize_to_packet().to_vec().unwrap();
|
let store_request = store_request.serialize_to_packet().to_vec().unwrap();
|
||||||
let get_request = GetSecretRequest {
|
let get_request = GetSecretRequest { id: ID_EXAMPLE, updated_sealing_policy: None };
|
||||||
id: ID_EXAMPLE,
|
|
||||||
updated_sealing_policy: None,
|
|
||||||
};
|
|
||||||
let get_request = get_request.serialize_to_packet().to_vec().unwrap();
|
let get_request = get_request.serialize_to_packet().to_vec().unwrap();
|
||||||
(version_request, store_request, get_request)
|
(version_request, store_request, get_request)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rdroidtest::test_main!();
|
||||||
|
|
Loading…
Reference in a new issue