• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <gtest/gtest.h>
18 
19 #include <keymaster/authorization_set.h>
20 #include <keymaster/android_keymaster_utils.h>
21 
22 #include "android_keymaster_test_utils.h"
23 
24 namespace keymaster {
25 
26 namespace test {
27 
TEST(Construction,ListProvided)28 TEST(Construction, ListProvided) {
29     keymaster_key_param_t params[] = {
30         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
31         Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
32         Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
33         Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
34         Authorization(TAG_AUTH_TIMEOUT, 300),
35     };
36     AuthorizationSet set(params, array_length(params));
37     EXPECT_EQ(8U, set.size());
38 }
39 
TEST(Construction,Copy)40 TEST(Construction, Copy) {
41     keymaster_key_param_t params[] = {
42         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
43         Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
44         Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
45         Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
46         Authorization(TAG_AUTH_TIMEOUT, 300),
47     };
48     AuthorizationSet set(params, array_length(params));
49     AuthorizationSet set2(set);
50     EXPECT_EQ(set, set2);
51 }
52 
TEST(Construction,NullProvided)53 TEST(Construction, NullProvided) {
54     keymaster_key_param_t params[] = {
55         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
56     };
57 
58     AuthorizationSet set1(params, 0);
59     EXPECT_EQ(0U, set1.size());
60     EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());
61 
62     AuthorizationSet set2(reinterpret_cast<keymaster_key_param_t*>(NULL), array_length(params));
63     EXPECT_EQ(0U, set2.size());
64     EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
65 }
66 
TEST(Lookup,NonRepeated)67 TEST(Lookup, NonRepeated) {
68     AuthorizationSet set(AuthorizationSetBuilder()
69                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
70                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
71                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
72                              .Authorization(TAG_USER_ID, 7)
73                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
74                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
75                              .Authorization(TAG_KEY_SIZE, 256)
76                              .Authorization(TAG_AUTH_TIMEOUT, 300));
77 
78     EXPECT_EQ(8U, set.size());
79 
80     int pos = set.find(TAG_ALGORITHM);
81     ASSERT_NE(-1, pos);
82     EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
83     EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);
84 
85     pos = set.find(TAG_MAC_LENGTH);
86     EXPECT_EQ(-1, pos);
87 
88     uint32_t int_val = 0;
89     EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
90     EXPECT_EQ(7U, int_val);
91 
92     keymaster_blob_t blob_val;
93     EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
94     EXPECT_EQ(6U, blob_val.data_length);
95     EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
96 }
97 
TEST(Lookup,Repeated)98 TEST(Lookup, Repeated) {
99     AuthorizationSet set(AuthorizationSetBuilder()
100                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
101                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
102                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
103                              .Authorization(TAG_USER_ID, 7)
104                              .Authorization(TAG_USER_SECURE_ID, 47727)
105                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
106                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
107                              .Authorization(TAG_KEY_SIZE, 256)
108                              .Authorization(TAG_AUTH_TIMEOUT, 300));
109     EXPECT_EQ(9U, set.size());
110 
111     int pos = set.find(TAG_PURPOSE);
112     ASSERT_FALSE(pos == -1);
113     EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
114     EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);
115 
116     pos = set.find(TAG_PURPOSE, pos);
117     EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
118     EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);
119 
120     EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));
121 
122     pos = set.find(TAG_USER_SECURE_ID, pos);
123     EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
124     EXPECT_EQ(47727U, set[pos].long_integer);
125 }
126 
TEST(Lookup,Indexed)127 TEST(Lookup, Indexed) {
128     AuthorizationSet set(AuthorizationSetBuilder()
129                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
130                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
131                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
132                              .Authorization(TAG_USER_ID, 7)
133                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
134                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
135                              .Authorization(TAG_KEY_SIZE, 256)
136                              .Authorization(TAG_AUTH_TIMEOUT, 300));
137     EXPECT_EQ(8U, set.size());
138 
139     EXPECT_EQ(KM_TAG_PURPOSE, set[0].tag);
140     EXPECT_EQ(KM_PURPOSE_SIGN, set[0].enumerated);
141 
142     // Lookup beyond end doesn't work, just returns zeros, but doens't blow up either (verify by
143     // running under valgrind).
144     EXPECT_EQ(KM_TAG_INVALID, set[10].tag);
145 }
146 
TEST(Serialization,RoundTrip)147 TEST(Serialization, RoundTrip) {
148     AuthorizationSet set(AuthorizationSetBuilder()
149                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
150                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
151                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
152                              .Authorization(TAG_USER_ID, 7)
153                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
154                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
155                              .Authorization(TAG_KEY_SIZE, 256)
156                              .Authorization(TAG_USER_SECURE_ID, 47727)
157                              .Authorization(TAG_AUTH_TIMEOUT, 300)
158                              .Authorization(TAG_ALL_USERS)
159                              .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
160                              .Authorization(TAG_ACTIVE_DATETIME, 10));
161 
162     size_t size = set.SerializedSize();
163     EXPECT_TRUE(size > 0);
164 
165     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
166     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
167     AuthorizationSet deserialized(buf.get(), size);
168 
169     EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
170     EXPECT_EQ(set, deserialized);
171 
172     int pos = deserialized.find(TAG_APPLICATION_ID);
173     ASSERT_NE(-1, pos);
174     EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
175     EXPECT_EQ(6U, deserialized[pos].blob.data_length);
176     EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
177 }
178 
TEST(Deserialization,Deserialize)179 TEST(Deserialization, Deserialize) {
180     AuthorizationSet set(AuthorizationSetBuilder()
181                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
182                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
183                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
184                              .Authorization(TAG_USER_ID, 7)
185                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
186                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
187                              .Authorization(TAG_KEY_SIZE, 256)
188                              .Authorization(TAG_AUTH_TIMEOUT, 300));
189 
190     size_t size = set.SerializedSize();
191     EXPECT_TRUE(size > 0);
192 
193     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
194     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
195     AuthorizationSet deserialized;
196     const uint8_t* p = buf.get();
197     EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
198     EXPECT_EQ(p, buf.get() + size);
199 
200     EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
201 
202     EXPECT_EQ(set.size(), deserialized.size());
203     for (size_t i = 0; i < set.size(); ++i) {
204         EXPECT_EQ(set[i].tag, deserialized[i].tag);
205     }
206 
207     int pos = deserialized.find(TAG_APPLICATION_ID);
208     ASSERT_NE(-1, pos);
209     EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
210     EXPECT_EQ(6U, deserialized[pos].blob.data_length);
211     EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
212 }
213 
TEST(Deserialization,TooShortBuffer)214 TEST(Deserialization, TooShortBuffer) {
215     uint8_t buf[] = {0, 0, 0};
216     AuthorizationSet deserialized(buf, array_length(buf));
217     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
218 
219     const uint8_t* p = buf;
220     EXPECT_FALSE(deserialized.Deserialize(&p, p + array_length(buf)));
221     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
222 }
223 
TEST(Deserialization,InvalidLengthField)224 TEST(Deserialization, InvalidLengthField) {
225     AuthorizationSet set(AuthorizationSetBuilder()
226                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
227                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
228                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
229                              .Authorization(TAG_USER_ID, 7)
230                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
231                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
232                              .Authorization(TAG_KEY_SIZE, 256)
233                              .Authorization(TAG_AUTH_TIMEOUT, 300));
234 
235     size_t size = set.SerializedSize();
236     EXPECT_TRUE(size > 0);
237 
238     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
239     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
240     *reinterpret_cast<uint32_t*>(buf.get()) = 9;
241 
242     AuthorizationSet deserialized(buf.get(), size);
243     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
244 
245     const uint8_t* p = buf.get();
246     EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
247     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
248 }
249 
TEST(Clear,ClearRecoversFromError)250 TEST(Clear, ClearRecoversFromError) {
251     uint8_t buf[] = {0, 0, 0};
252     AuthorizationSet deserialized(buf, array_length(buf));
253     ASSERT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
254 
255     deserialized.Clear();
256     ASSERT_EQ(AuthorizationSet::OK, deserialized.is_valid());
257 }
258 
read_uint32(const uint8_t * buf)259 static uint32_t read_uint32(const uint8_t* buf) {
260     uint32_t val;
261     memcpy(&val, buf, sizeof(val));
262     return val;
263 }
264 
add_to_uint32(uint8_t * buf,int delta)265 static void add_to_uint32(uint8_t* buf, int delta) {
266     uint32_t val;
267     memcpy(&val, buf, sizeof(val));
268     val += delta;
269     memcpy(buf, &val, sizeof(val));
270 }
271 
TEST(Deserialization,MalformedIndirectData)272 TEST(Deserialization, MalformedIndirectData) {
273     AuthorizationSet set(AuthorizationSetBuilder()
274                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
275                              .Authorization(TAG_APPLICATION_DATA, "foo", 3));
276     size_t size = set.SerializedSize();
277 
278     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
279     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
280 
281     // This sucks.  This test, as written, requires intimate knowledge of the serialized layout of
282     // this particular set, which means it's brittle.  But it's important to test that we handle
283     // broken serialized data and I can't think of a better way to write this.
284     //
285     // The contents of buf are:
286     //
287     // Bytes:   Content:
288     // 0-3      Length of string data, which is 9.
289     // 4-9      "my_app"
290     // 10-12    "foo"
291     // 13-16    Number of elements, which is 2.
292     // 17-20    Length of elements, which is 24.
293     // 21-24    First tag, TAG_APPLICATION_ID
294     // 25-28    Length of string "my_app", 6
295     // 29-32    Offset of string "my_app", 0
296     // 33-36    Second tag, TAG_APPLICATION_DATA
297     // 37-40    Length of string "foo", 3
298     // 41-44    Offset of string "foo", 6
299 
300     // Check that stuff is where we think.
301     EXPECT_EQ('m', buf[4]);
302     EXPECT_EQ('f', buf[10]);
303     // Length of "my_app"
304     EXPECT_EQ(6U, read_uint32(buf.get() + 25));
305     // Offset of "my_app"
306     EXPECT_EQ(0U, read_uint32(buf.get() + 29));
307     // Length of "foo"
308     EXPECT_EQ(3U, read_uint32(buf.get() + 37));
309     // Offset of "foo"
310     EXPECT_EQ(6U, read_uint32(buf.get() + 41));
311 
312     // Check that deserialization works.
313     AuthorizationSet deserialized1(buf.get(), size);
314     EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
315 
316     const uint8_t* p = buf.get();
317     EXPECT_TRUE(deserialized1.Deserialize(&p, p + size));
318     EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
319 
320     //
321     // Now mess them up in various ways:
322     //
323 
324     // Move "foo" offset so offset + length goes off the end
325     add_to_uint32(buf.get() + 41, 1);
326     AuthorizationSet deserialized2(buf.get(), size);
327     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized2.is_valid());
328     add_to_uint32(buf.get() + 41, -1);
329 
330     // Shorten the "my_app" length to make a gap between the blobs.
331     add_to_uint32(buf.get() + 25, -1);
332     AuthorizationSet deserialized3(buf.get(), size);
333     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized3.is_valid());
334     add_to_uint32(buf.get() + 25, 1);
335 
336     // Extend the "my_app" length to make them overlap, and decrease the "foo" length to keep the
337     // total length the same.  We don't detect this but should.
338     // TODO(swillden): Detect overlaps and holes that leave total size correct.
339     add_to_uint32(buf.get() + 25, 1);
340     add_to_uint32(buf.get() + 37, -1);
341     AuthorizationSet deserialized4(buf.get(), size);
342     EXPECT_EQ(AuthorizationSet::OK, deserialized4.is_valid());
343 }
344 
TEST(Growable,SuccessfulRoundTrip)345 TEST(Growable, SuccessfulRoundTrip) {
346     AuthorizationSet growable;
347     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
348     EXPECT_EQ(1U, growable.size());
349 
350     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)));
351     EXPECT_EQ(2U, growable.size());
352 
353     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
354     EXPECT_EQ(3U, growable.size());
355 
356     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "data", 4)));
357     EXPECT_EQ(4U, growable.size());
358 
359     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "some more data", 14)));
360     EXPECT_EQ(5U, growable.size());
361 
362     size_t serialize_size = growable.SerializedSize();
363     UniquePtr<uint8_t[]> serialized(new uint8_t[serialize_size]);
364     EXPECT_EQ(serialized.get() + serialize_size,
365               growable.Serialize(serialized.get(), serialized.get() + serialize_size));
366 
367     AuthorizationSet deserialized(serialized.get(), serialize_size);
368     EXPECT_EQ(growable, deserialized);
369 }
370 
TEST(Growable,InsufficientElemBuf)371 TEST(Growable, InsufficientElemBuf) {
372     AuthorizationSet growable;
373     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
374 
375     // First insertion fits.
376     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
377     EXPECT_EQ(1U, growable.size());
378     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
379 
380     // Second does too.
381     EXPECT_TRUE(growable.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
382     EXPECT_EQ(2U, growable.size());
383 }
384 
TEST(Growable,InsufficientIndirectBuf)385 TEST(Growable, InsufficientIndirectBuf) {
386     AuthorizationSet growable;
387     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
388 
389     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
390     EXPECT_EQ(1U, growable.size());
391     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
392 
393     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
394     EXPECT_EQ(2U, growable.size());
395     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
396 
397     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
398     EXPECT_EQ(3U, growable.size());
399     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
400 
401     // Can still add another entry without indirect data.  Now it's full.
402     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
403     EXPECT_EQ(4U, growable.size());
404     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
405 }
406 
TEST(Growable,PushBackSets)407 TEST(Growable, PushBackSets) {
408     AuthorizationSetBuilder builder;
409     builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
410         .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
411         .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
412         .Authorization(TAG_USER_ID, 7)
413         .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
414         .Authorization(TAG_APPLICATION_ID, "my_app", 6)
415         .Authorization(TAG_KEY_SIZE, 256)
416         .Authorization(TAG_AUTH_TIMEOUT, 300);
417 
418     AuthorizationSet set1(builder.build());
419     AuthorizationSet set2(builder.build());
420 
421     AuthorizationSet combined;
422     EXPECT_TRUE(combined.push_back(set1));
423     EXPECT_TRUE(combined.push_back(set2));
424     EXPECT_EQ(set1.size() + set2.size(), combined.size());
425     EXPECT_EQ(12U, combined.indirect_size());
426 }
427 
TEST(GetValue,GetInt)428 TEST(GetValue, GetInt) {
429     AuthorizationSet set(AuthorizationSetBuilder()
430                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
431                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
432                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
433                              .Authorization(TAG_USER_ID, 7)
434                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
435                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
436                              .Authorization(TAG_AUTH_TIMEOUT, 300));
437 
438     uint32_t val;
439     EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &val));
440     EXPECT_EQ(7U, val);
441 
442     // Find one that isn't there
443     EXPECT_FALSE(set.GetTagValue(TAG_KEY_SIZE, &val));
444 }
445 
TEST(GetValue,GetLong)446 TEST(GetValue, GetLong) {
447     AuthorizationSet set1(AuthorizationSetBuilder()
448                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
449                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
450                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
451                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
452 
453     AuthorizationSet set2(AuthorizationSetBuilder()
454                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
455                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
456                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
457 
458     uint64_t val;
459     EXPECT_TRUE(set1.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
460     EXPECT_EQ(3U, val);
461 
462     // Find one that isn't there
463     EXPECT_FALSE(set2.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
464 }
465 
TEST(GetValue,GetLongRep)466 TEST(GetValue, GetLongRep) {
467     AuthorizationSet set1(AuthorizationSetBuilder()
468                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
469                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
470                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
471                               .Authorization(TAG_USER_SECURE_ID, 8338)
472                               .Authorization(TAG_USER_SECURE_ID, 4334)
473                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
474 
475     AuthorizationSet set2(AuthorizationSetBuilder()
476                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
477                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
478                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
479 
480     uint64_t val;
481     EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 0, &val));
482     EXPECT_EQ(8338U, val);
483     EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 1, &val));
484     EXPECT_EQ(4334U, val);
485 
486     // Find one that isn't there
487     EXPECT_FALSE(set2.GetTagValue(TAG_USER_SECURE_ID, &val));
488 }
489 
TEST(GetValue,GetEnum)490 TEST(GetValue, GetEnum) {
491     AuthorizationSet set(AuthorizationSetBuilder()
492                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
493                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
494                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
495                              .Authorization(TAG_USER_ID, 7)
496                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
497                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
498                              .Authorization(TAG_AUTH_TIMEOUT, 300));
499 
500     keymaster_algorithm_t val;
501     EXPECT_TRUE(set.GetTagValue(TAG_ALGORITHM, &val));
502     EXPECT_EQ(KM_ALGORITHM_RSA, val);
503 
504     // Find one that isn't there
505     keymaster_padding_t val2;
506     EXPECT_FALSE(set.GetTagValue(TAG_PADDING, &val2));
507 }
508 
TEST(GetValue,GetEnumRep)509 TEST(GetValue, GetEnumRep) {
510     AuthorizationSet set(AuthorizationSetBuilder()
511                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
512                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
513                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
514                              .Authorization(TAG_USER_ID, 7)
515                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
516                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
517                              .Authorization(TAG_AUTH_TIMEOUT, 300));
518 
519     keymaster_purpose_t val;
520     EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 0, &val));
521     EXPECT_EQ(KM_PURPOSE_SIGN, val);
522     EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 1, &val));
523     EXPECT_EQ(KM_PURPOSE_VERIFY, val);
524 
525     // Find one that isn't there
526     EXPECT_FALSE(set.GetTagValue(TAG_PURPOSE, 2, &val));
527 }
528 
TEST(GetValue,GetDate)529 TEST(GetValue, GetDate) {
530     AuthorizationSet set(AuthorizationSetBuilder()
531                              .Authorization(TAG_ACTIVE_DATETIME, 10)
532                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
533                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
534                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
535                              .Authorization(TAG_USER_ID, 7)
536                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
537                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
538                              .Authorization(TAG_AUTH_TIMEOUT, 300));
539 
540     uint64_t val;
541     EXPECT_TRUE(set.GetTagValue(TAG_ACTIVE_DATETIME, &val));
542     EXPECT_EQ(10U, val);
543 
544     // Find one that isn't there
545     EXPECT_FALSE(set.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &val));
546 }
547 
TEST(GetValue,GetBlob)548 TEST(GetValue, GetBlob) {
549     AuthorizationSet set(AuthorizationSetBuilder()
550                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
551                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
552                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
553                              .Authorization(TAG_USER_ID, 7)
554                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
555                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
556                              .Authorization(TAG_AUTH_TIMEOUT, 300));
557 
558     keymaster_blob_t val;
559     EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
560     EXPECT_EQ(6U, val.data_length);
561     EXPECT_EQ(0, memcmp(val.data, "my_app", 6));
562 
563     // Find one that isn't there
564     EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
565 }
566 
TEST(Deduplication,NoDuplicates)567 TEST(Deduplication, NoDuplicates) {
568     AuthorizationSet set(AuthorizationSetBuilder()
569                              .Authorization(TAG_ACTIVE_DATETIME, 10)
570                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
571                              .Authorization(TAG_USER_ID, 7)
572                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
573     AuthorizationSet copy(set);
574 
575     EXPECT_EQ(copy, set);
576     set.Deduplicate();
577     EXPECT_EQ(copy.size(), set.size());
578 
579     // Sets no longer compare equal, because of ordering (ugh, maybe it should be
580     // AuthorizationList, not AuthorizationSet).
581     EXPECT_NE(copy, set);
582 }
583 
TEST(Deduplication,NoDuplicatesHasInvalid)584 TEST(Deduplication, NoDuplicatesHasInvalid) {
585     AuthorizationSet set(AuthorizationSetBuilder()
586                              .Authorization(TAG_ACTIVE_DATETIME, 10)
587                              .Authorization(TAG_INVALID)
588                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
589                              .Authorization(TAG_USER_ID, 7)
590                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
591     AuthorizationSet copy(set);
592 
593     EXPECT_EQ(copy, set);
594     set.Deduplicate();
595 
596     // Deduplicate should have removed the invalid.
597     EXPECT_EQ(copy.size() - 1, set.size());
598     EXPECT_NE(copy, set);
599 }
600 
TEST(Deduplication,DuplicateEnum)601 TEST(Deduplication, DuplicateEnum) {
602     AuthorizationSet set(AuthorizationSetBuilder()
603                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
604                              .Authorization(TAG_ACTIVE_DATETIME, 10)
605                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
606                              .Authorization(TAG_USER_ID, 7)
607                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
608                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
609     AuthorizationSet copy(set);
610 
611     EXPECT_EQ(copy, set);
612     set.Deduplicate();
613     EXPECT_EQ(copy.size() - 2, set.size());
614     EXPECT_NE(copy, set);
615 }
616 
TEST(Deduplication,DuplicateBlob)617 TEST(Deduplication, DuplicateBlob) {
618     AuthorizationSet set(AuthorizationSetBuilder()
619                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
620                              .Authorization(TAG_ACTIVE_DATETIME, 10)
621                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
622                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
623                              .Authorization(TAG_USER_ID, 7)
624                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
625                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
626                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
627                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
628     AuthorizationSet copy(set);
629 
630     EXPECT_EQ(copy, set);
631     set.Deduplicate();
632     EXPECT_EQ(copy.size() - 3, set.size());
633     EXPECT_NE(copy, set);
634 
635     // The real test here is that valgrind reports no leak.
636 }
637 
TEST(Union,Disjoint)638 TEST(Union, Disjoint) {
639     AuthorizationSet set1(AuthorizationSetBuilder()
640                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
641                              .Authorization(TAG_ACTIVE_DATETIME, 10)
642                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
643 
644     AuthorizationSet set2(AuthorizationSetBuilder()
645                              .Authorization(TAG_USER_ID, 7)
646                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
647                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
648 
649     AuthorizationSet expected(AuthorizationSetBuilder()
650                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
651                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
652                              .Authorization(TAG_USER_ID, 7)
653                              .Authorization(TAG_ACTIVE_DATETIME, 10)
654                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
655                              .Authorization(TAG_APPLICATION_DATA, "foo", 3));
656 
657     set1.Union(set2);
658     EXPECT_EQ(expected, set1);
659 }
660 
TEST(Union,Overlap)661 TEST(Union, Overlap) {
662     AuthorizationSet set1(AuthorizationSetBuilder()
663                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
664                              .Authorization(TAG_ACTIVE_DATETIME, 10)
665                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
666 
667     AuthorizationSet set2(AuthorizationSetBuilder()
668                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
669                              .Authorization(TAG_ACTIVE_DATETIME, 10)
670                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
671 
672     AuthorizationSet expected(AuthorizationSetBuilder()
673                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
674                              .Authorization(TAG_ACTIVE_DATETIME, 10)
675                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
676 
677     set1.Union(set2);
678     EXPECT_EQ(expected, set1);
679 }
680 
TEST(Union,Empty)681 TEST(Union, Empty) {
682     AuthorizationSet set1(AuthorizationSetBuilder()
683                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
684                              .Authorization(TAG_ACTIVE_DATETIME, 10)
685                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
686 
687     AuthorizationSet set2;
688 
689     AuthorizationSet expected(AuthorizationSetBuilder()
690                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
691                              .Authorization(TAG_ACTIVE_DATETIME, 10)
692                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
693 
694     set1.Union(set2);
695     EXPECT_EQ(expected, set1);
696 }
697 
TEST(Difference,Disjoint)698 TEST(Difference, Disjoint) {
699     AuthorizationSet set1(AuthorizationSetBuilder()
700                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
701                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
702                              .Authorization(TAG_ACTIVE_DATETIME, 10));
703 
704     AuthorizationSet set2(AuthorizationSetBuilder()
705                              .Authorization(TAG_USER_ID, 7)
706                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
707                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
708 
709     // Elements are the same as set1, but happen to be in a different order
710     AuthorizationSet expected(AuthorizationSetBuilder()
711                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
712                              .Authorization(TAG_ACTIVE_DATETIME, 10)
713                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
714 
715     set1.Difference(set2);
716     EXPECT_EQ(expected, set1);
717 }
718 
TEST(Difference,Overlap)719 TEST(Difference, Overlap) {
720     AuthorizationSet set1(AuthorizationSetBuilder()
721                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
722                              .Authorization(TAG_ACTIVE_DATETIME, 10)
723                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
724 
725     AuthorizationSet set2(AuthorizationSetBuilder()
726                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
727                              .Authorization(TAG_ACTIVE_DATETIME, 10)
728                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
729 
730     AuthorizationSet empty;
731     set1.Difference(set2);
732     EXPECT_EQ(empty, set1);
733     EXPECT_EQ(0U, set1.size());
734 }
735 
TEST(Difference,NullSet)736 TEST(Difference, NullSet) {
737     AuthorizationSet set1(AuthorizationSetBuilder()
738                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
739                              .Authorization(TAG_ACTIVE_DATETIME, 10)
740                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
741 
742     AuthorizationSet set2;
743 
744     AuthorizationSet expected(AuthorizationSetBuilder()
745                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
746                              .Authorization(TAG_ACTIVE_DATETIME, 10)
747                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
748 
749     set1.Difference(set2);
750     EXPECT_EQ(expected, set1);
751 }
752 
753 }  // namespace test
754 }  // namespace keymaster
755