1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <gtest/gtest.h>
18
19 #include <keymaster/authorization_set.h>
20 #include <keymaster/android_keymaster_utils.h>
21
22 #include "android_keymaster_test_utils.h"
23
24 namespace keymaster {
25
26 namespace test {
27
TEST(Construction,ListProvided)28 TEST(Construction, ListProvided) {
29 keymaster_key_param_t params[] = {
30 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
31 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
32 Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
33 Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
34 Authorization(TAG_AUTH_TIMEOUT, 300),
35 };
36 AuthorizationSet set(params, array_length(params));
37 EXPECT_EQ(8U, set.size());
38 }
39
TEST(Construction,Copy)40 TEST(Construction, Copy) {
41 keymaster_key_param_t params[] = {
42 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
43 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
44 Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
45 Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
46 Authorization(TAG_AUTH_TIMEOUT, 300),
47 };
48 AuthorizationSet set(params, array_length(params));
49 AuthorizationSet set2(set);
50 EXPECT_EQ(set, set2);
51 }
52
TEST(Construction,NullProvided)53 TEST(Construction, NullProvided) {
54 keymaster_key_param_t params[] = {
55 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
56 };
57
58 AuthorizationSet set1(params, 0);
59 EXPECT_EQ(0U, set1.size());
60 EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());
61
62 AuthorizationSet set2(reinterpret_cast<keymaster_key_param_t*>(NULL), array_length(params));
63 EXPECT_EQ(0U, set2.size());
64 EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
65 }
66
TEST(Lookup,NonRepeated)67 TEST(Lookup, NonRepeated) {
68 AuthorizationSet set(AuthorizationSetBuilder()
69 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
70 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
71 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
72 .Authorization(TAG_USER_ID, 7)
73 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
74 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
75 .Authorization(TAG_KEY_SIZE, 256)
76 .Authorization(TAG_AUTH_TIMEOUT, 300));
77
78 EXPECT_EQ(8U, set.size());
79
80 int pos = set.find(TAG_ALGORITHM);
81 ASSERT_NE(-1, pos);
82 EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
83 EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);
84
85 pos = set.find(TAG_MAC_LENGTH);
86 EXPECT_EQ(-1, pos);
87
88 uint32_t int_val = 0;
89 EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
90 EXPECT_EQ(7U, int_val);
91
92 keymaster_blob_t blob_val;
93 EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
94 EXPECT_EQ(6U, blob_val.data_length);
95 EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
96 }
97
TEST(Lookup,Repeated)98 TEST(Lookup, Repeated) {
99 AuthorizationSet set(AuthorizationSetBuilder()
100 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
101 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
102 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
103 .Authorization(TAG_USER_ID, 7)
104 .Authorization(TAG_USER_SECURE_ID, 47727)
105 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
106 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
107 .Authorization(TAG_KEY_SIZE, 256)
108 .Authorization(TAG_AUTH_TIMEOUT, 300));
109 EXPECT_EQ(9U, set.size());
110
111 int pos = set.find(TAG_PURPOSE);
112 ASSERT_FALSE(pos == -1);
113 EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
114 EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);
115
116 pos = set.find(TAG_PURPOSE, pos);
117 EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
118 EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);
119
120 EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));
121
122 pos = set.find(TAG_USER_SECURE_ID, pos);
123 EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
124 EXPECT_EQ(47727U, set[pos].long_integer);
125 }
126
TEST(Lookup,Indexed)127 TEST(Lookup, Indexed) {
128 AuthorizationSet set(AuthorizationSetBuilder()
129 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
130 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
131 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
132 .Authorization(TAG_USER_ID, 7)
133 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
134 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
135 .Authorization(TAG_KEY_SIZE, 256)
136 .Authorization(TAG_AUTH_TIMEOUT, 300));
137 EXPECT_EQ(8U, set.size());
138
139 EXPECT_EQ(KM_TAG_PURPOSE, set[0].tag);
140 EXPECT_EQ(KM_PURPOSE_SIGN, set[0].enumerated);
141
142 // Lookup beyond end doesn't work, just returns zeros, but doens't blow up either (verify by
143 // running under valgrind).
144 EXPECT_EQ(KM_TAG_INVALID, set[10].tag);
145 }
146
TEST(Serialization,RoundTrip)147 TEST(Serialization, RoundTrip) {
148 AuthorizationSet set(AuthorizationSetBuilder()
149 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
150 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
151 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
152 .Authorization(TAG_USER_ID, 7)
153 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
154 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
155 .Authorization(TAG_KEY_SIZE, 256)
156 .Authorization(TAG_USER_SECURE_ID, 47727)
157 .Authorization(TAG_AUTH_TIMEOUT, 300)
158 .Authorization(TAG_ALL_USERS)
159 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
160 .Authorization(TAG_ACTIVE_DATETIME, 10));
161
162 size_t size = set.SerializedSize();
163 EXPECT_TRUE(size > 0);
164
165 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
166 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
167 AuthorizationSet deserialized(buf.get(), size);
168
169 EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
170 EXPECT_EQ(set, deserialized);
171
172 int pos = deserialized.find(TAG_APPLICATION_ID);
173 ASSERT_NE(-1, pos);
174 EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
175 EXPECT_EQ(6U, deserialized[pos].blob.data_length);
176 EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
177 }
178
TEST(Deserialization,Deserialize)179 TEST(Deserialization, Deserialize) {
180 AuthorizationSet set(AuthorizationSetBuilder()
181 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
182 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
183 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
184 .Authorization(TAG_USER_ID, 7)
185 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
186 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
187 .Authorization(TAG_KEY_SIZE, 256)
188 .Authorization(TAG_AUTH_TIMEOUT, 300));
189
190 size_t size = set.SerializedSize();
191 EXPECT_TRUE(size > 0);
192
193 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
194 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
195 AuthorizationSet deserialized;
196 const uint8_t* p = buf.get();
197 EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
198 EXPECT_EQ(p, buf.get() + size);
199
200 EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
201
202 EXPECT_EQ(set.size(), deserialized.size());
203 for (size_t i = 0; i < set.size(); ++i) {
204 EXPECT_EQ(set[i].tag, deserialized[i].tag);
205 }
206
207 int pos = deserialized.find(TAG_APPLICATION_ID);
208 ASSERT_NE(-1, pos);
209 EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
210 EXPECT_EQ(6U, deserialized[pos].blob.data_length);
211 EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
212 }
213
TEST(Deserialization,TooShortBuffer)214 TEST(Deserialization, TooShortBuffer) {
215 uint8_t buf[] = {0, 0, 0};
216 AuthorizationSet deserialized(buf, array_length(buf));
217 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
218
219 const uint8_t* p = buf;
220 EXPECT_FALSE(deserialized.Deserialize(&p, p + array_length(buf)));
221 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
222 }
223
TEST(Deserialization,InvalidLengthField)224 TEST(Deserialization, InvalidLengthField) {
225 AuthorizationSet set(AuthorizationSetBuilder()
226 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
227 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
228 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
229 .Authorization(TAG_USER_ID, 7)
230 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
231 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
232 .Authorization(TAG_KEY_SIZE, 256)
233 .Authorization(TAG_AUTH_TIMEOUT, 300));
234
235 size_t size = set.SerializedSize();
236 EXPECT_TRUE(size > 0);
237
238 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
239 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
240 *reinterpret_cast<uint32_t*>(buf.get()) = 9;
241
242 AuthorizationSet deserialized(buf.get(), size);
243 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
244
245 const uint8_t* p = buf.get();
246 EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
247 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
248 }
249
TEST(Clear,ClearRecoversFromError)250 TEST(Clear, ClearRecoversFromError) {
251 uint8_t buf[] = {0, 0, 0};
252 AuthorizationSet deserialized(buf, array_length(buf));
253 ASSERT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
254
255 deserialized.Clear();
256 ASSERT_EQ(AuthorizationSet::OK, deserialized.is_valid());
257 }
258
read_uint32(const uint8_t * buf)259 static uint32_t read_uint32(const uint8_t* buf) {
260 uint32_t val;
261 memcpy(&val, buf, sizeof(val));
262 return val;
263 }
264
add_to_uint32(uint8_t * buf,int delta)265 static void add_to_uint32(uint8_t* buf, int delta) {
266 uint32_t val;
267 memcpy(&val, buf, sizeof(val));
268 val += delta;
269 memcpy(buf, &val, sizeof(val));
270 }
271
TEST(Deserialization,MalformedIndirectData)272 TEST(Deserialization, MalformedIndirectData) {
273 AuthorizationSet set(AuthorizationSetBuilder()
274 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
275 .Authorization(TAG_APPLICATION_DATA, "foo", 3));
276 size_t size = set.SerializedSize();
277
278 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
279 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
280
281 // This sucks. This test, as written, requires intimate knowledge of the serialized layout of
282 // this particular set, which means it's brittle. But it's important to test that we handle
283 // broken serialized data and I can't think of a better way to write this.
284 //
285 // The contents of buf are:
286 //
287 // Bytes: Content:
288 // 0-3 Length of string data, which is 9.
289 // 4-9 "my_app"
290 // 10-12 "foo"
291 // 13-16 Number of elements, which is 2.
292 // 17-20 Length of elements, which is 24.
293 // 21-24 First tag, TAG_APPLICATION_ID
294 // 25-28 Length of string "my_app", 6
295 // 29-32 Offset of string "my_app", 0
296 // 33-36 Second tag, TAG_APPLICATION_DATA
297 // 37-40 Length of string "foo", 3
298 // 41-44 Offset of string "foo", 6
299
300 // Check that stuff is where we think.
301 EXPECT_EQ('m', buf[4]);
302 EXPECT_EQ('f', buf[10]);
303 // Length of "my_app"
304 EXPECT_EQ(6U, read_uint32(buf.get() + 25));
305 // Offset of "my_app"
306 EXPECT_EQ(0U, read_uint32(buf.get() + 29));
307 // Length of "foo"
308 EXPECT_EQ(3U, read_uint32(buf.get() + 37));
309 // Offset of "foo"
310 EXPECT_EQ(6U, read_uint32(buf.get() + 41));
311
312 // Check that deserialization works.
313 AuthorizationSet deserialized1(buf.get(), size);
314 EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
315
316 const uint8_t* p = buf.get();
317 EXPECT_TRUE(deserialized1.Deserialize(&p, p + size));
318 EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
319
320 //
321 // Now mess them up in various ways:
322 //
323
324 // Move "foo" offset so offset + length goes off the end
325 add_to_uint32(buf.get() + 41, 1);
326 AuthorizationSet deserialized2(buf.get(), size);
327 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized2.is_valid());
328 add_to_uint32(buf.get() + 41, -1);
329
330 // Shorten the "my_app" length to make a gap between the blobs.
331 add_to_uint32(buf.get() + 25, -1);
332 AuthorizationSet deserialized3(buf.get(), size);
333 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized3.is_valid());
334 add_to_uint32(buf.get() + 25, 1);
335
336 // Extend the "my_app" length to make them overlap, and decrease the "foo" length to keep the
337 // total length the same. We don't detect this but should.
338 // TODO(swillden): Detect overlaps and holes that leave total size correct.
339 add_to_uint32(buf.get() + 25, 1);
340 add_to_uint32(buf.get() + 37, -1);
341 AuthorizationSet deserialized4(buf.get(), size);
342 EXPECT_EQ(AuthorizationSet::OK, deserialized4.is_valid());
343 }
344
TEST(Growable,SuccessfulRoundTrip)345 TEST(Growable, SuccessfulRoundTrip) {
346 AuthorizationSet growable;
347 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
348 EXPECT_EQ(1U, growable.size());
349
350 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)));
351 EXPECT_EQ(2U, growable.size());
352
353 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
354 EXPECT_EQ(3U, growable.size());
355
356 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "data", 4)));
357 EXPECT_EQ(4U, growable.size());
358
359 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "some more data", 14)));
360 EXPECT_EQ(5U, growable.size());
361
362 size_t serialize_size = growable.SerializedSize();
363 UniquePtr<uint8_t[]> serialized(new uint8_t[serialize_size]);
364 EXPECT_EQ(serialized.get() + serialize_size,
365 growable.Serialize(serialized.get(), serialized.get() + serialize_size));
366
367 AuthorizationSet deserialized(serialized.get(), serialize_size);
368 EXPECT_EQ(growable, deserialized);
369 }
370
TEST(Growable,InsufficientElemBuf)371 TEST(Growable, InsufficientElemBuf) {
372 AuthorizationSet growable;
373 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
374
375 // First insertion fits.
376 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
377 EXPECT_EQ(1U, growable.size());
378 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
379
380 // Second does too.
381 EXPECT_TRUE(growable.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
382 EXPECT_EQ(2U, growable.size());
383 }
384
TEST(Growable,InsufficientIndirectBuf)385 TEST(Growable, InsufficientIndirectBuf) {
386 AuthorizationSet growable;
387 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
388
389 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
390 EXPECT_EQ(1U, growable.size());
391 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
392
393 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
394 EXPECT_EQ(2U, growable.size());
395 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
396
397 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
398 EXPECT_EQ(3U, growable.size());
399 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
400
401 // Can still add another entry without indirect data. Now it's full.
402 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
403 EXPECT_EQ(4U, growable.size());
404 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
405 }
406
TEST(Growable,PushBackSets)407 TEST(Growable, PushBackSets) {
408 AuthorizationSetBuilder builder;
409 builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
410 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
411 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
412 .Authorization(TAG_USER_ID, 7)
413 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
414 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
415 .Authorization(TAG_KEY_SIZE, 256)
416 .Authorization(TAG_AUTH_TIMEOUT, 300);
417
418 AuthorizationSet set1(builder.build());
419 AuthorizationSet set2(builder.build());
420
421 AuthorizationSet combined;
422 EXPECT_TRUE(combined.push_back(set1));
423 EXPECT_TRUE(combined.push_back(set2));
424 EXPECT_EQ(set1.size() + set2.size(), combined.size());
425 EXPECT_EQ(12U, combined.indirect_size());
426 }
427
TEST(GetValue,GetInt)428 TEST(GetValue, GetInt) {
429 AuthorizationSet set(AuthorizationSetBuilder()
430 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
431 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
432 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
433 .Authorization(TAG_USER_ID, 7)
434 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
435 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
436 .Authorization(TAG_AUTH_TIMEOUT, 300));
437
438 uint32_t val;
439 EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &val));
440 EXPECT_EQ(7U, val);
441
442 // Find one that isn't there
443 EXPECT_FALSE(set.GetTagValue(TAG_KEY_SIZE, &val));
444 }
445
TEST(GetValue,GetLong)446 TEST(GetValue, GetLong) {
447 AuthorizationSet set1(AuthorizationSetBuilder()
448 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
449 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
450 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
451 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
452
453 AuthorizationSet set2(AuthorizationSetBuilder()
454 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
455 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
456 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
457
458 uint64_t val;
459 EXPECT_TRUE(set1.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
460 EXPECT_EQ(3U, val);
461
462 // Find one that isn't there
463 EXPECT_FALSE(set2.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
464 }
465
TEST(GetValue,GetLongRep)466 TEST(GetValue, GetLongRep) {
467 AuthorizationSet set1(AuthorizationSetBuilder()
468 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
469 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
470 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
471 .Authorization(TAG_USER_SECURE_ID, 8338)
472 .Authorization(TAG_USER_SECURE_ID, 4334)
473 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
474
475 AuthorizationSet set2(AuthorizationSetBuilder()
476 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
477 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
478 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
479
480 uint64_t val;
481 EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 0, &val));
482 EXPECT_EQ(8338U, val);
483 EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 1, &val));
484 EXPECT_EQ(4334U, val);
485
486 // Find one that isn't there
487 EXPECT_FALSE(set2.GetTagValue(TAG_USER_SECURE_ID, &val));
488 }
489
TEST(GetValue,GetEnum)490 TEST(GetValue, GetEnum) {
491 AuthorizationSet set(AuthorizationSetBuilder()
492 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
493 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
494 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
495 .Authorization(TAG_USER_ID, 7)
496 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
497 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
498 .Authorization(TAG_AUTH_TIMEOUT, 300));
499
500 keymaster_algorithm_t val;
501 EXPECT_TRUE(set.GetTagValue(TAG_ALGORITHM, &val));
502 EXPECT_EQ(KM_ALGORITHM_RSA, val);
503
504 // Find one that isn't there
505 keymaster_padding_t val2;
506 EXPECT_FALSE(set.GetTagValue(TAG_PADDING, &val2));
507 }
508
TEST(GetValue,GetEnumRep)509 TEST(GetValue, GetEnumRep) {
510 AuthorizationSet set(AuthorizationSetBuilder()
511 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
512 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
513 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
514 .Authorization(TAG_USER_ID, 7)
515 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
516 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
517 .Authorization(TAG_AUTH_TIMEOUT, 300));
518
519 keymaster_purpose_t val;
520 EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 0, &val));
521 EXPECT_EQ(KM_PURPOSE_SIGN, val);
522 EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 1, &val));
523 EXPECT_EQ(KM_PURPOSE_VERIFY, val);
524
525 // Find one that isn't there
526 EXPECT_FALSE(set.GetTagValue(TAG_PURPOSE, 2, &val));
527 }
528
TEST(GetValue,GetDate)529 TEST(GetValue, GetDate) {
530 AuthorizationSet set(AuthorizationSetBuilder()
531 .Authorization(TAG_ACTIVE_DATETIME, 10)
532 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
533 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
534 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
535 .Authorization(TAG_USER_ID, 7)
536 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
537 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
538 .Authorization(TAG_AUTH_TIMEOUT, 300));
539
540 uint64_t val;
541 EXPECT_TRUE(set.GetTagValue(TAG_ACTIVE_DATETIME, &val));
542 EXPECT_EQ(10U, val);
543
544 // Find one that isn't there
545 EXPECT_FALSE(set.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &val));
546 }
547
TEST(GetValue,GetBlob)548 TEST(GetValue, GetBlob) {
549 AuthorizationSet set(AuthorizationSetBuilder()
550 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
551 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
552 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
553 .Authorization(TAG_USER_ID, 7)
554 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
555 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
556 .Authorization(TAG_AUTH_TIMEOUT, 300));
557
558 keymaster_blob_t val;
559 EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
560 EXPECT_EQ(6U, val.data_length);
561 EXPECT_EQ(0, memcmp(val.data, "my_app", 6));
562
563 // Find one that isn't there
564 EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
565 }
566
TEST(Deduplication,NoDuplicates)567 TEST(Deduplication, NoDuplicates) {
568 AuthorizationSet set(AuthorizationSetBuilder()
569 .Authorization(TAG_ACTIVE_DATETIME, 10)
570 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
571 .Authorization(TAG_USER_ID, 7)
572 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
573 AuthorizationSet copy(set);
574
575 EXPECT_EQ(copy, set);
576 set.Deduplicate();
577 EXPECT_EQ(copy.size(), set.size());
578
579 // Sets no longer compare equal, because of ordering (ugh, maybe it should be
580 // AuthorizationList, not AuthorizationSet).
581 EXPECT_NE(copy, set);
582 }
583
TEST(Deduplication,NoDuplicatesHasInvalid)584 TEST(Deduplication, NoDuplicatesHasInvalid) {
585 AuthorizationSet set(AuthorizationSetBuilder()
586 .Authorization(TAG_ACTIVE_DATETIME, 10)
587 .Authorization(TAG_INVALID)
588 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
589 .Authorization(TAG_USER_ID, 7)
590 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
591 AuthorizationSet copy(set);
592
593 EXPECT_EQ(copy, set);
594 set.Deduplicate();
595
596 // Deduplicate should have removed the invalid.
597 EXPECT_EQ(copy.size() - 1, set.size());
598 EXPECT_NE(copy, set);
599 }
600
TEST(Deduplication,DuplicateEnum)601 TEST(Deduplication, DuplicateEnum) {
602 AuthorizationSet set(AuthorizationSetBuilder()
603 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
604 .Authorization(TAG_ACTIVE_DATETIME, 10)
605 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
606 .Authorization(TAG_USER_ID, 7)
607 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
608 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
609 AuthorizationSet copy(set);
610
611 EXPECT_EQ(copy, set);
612 set.Deduplicate();
613 EXPECT_EQ(copy.size() - 2, set.size());
614 EXPECT_NE(copy, set);
615 }
616
TEST(Deduplication,DuplicateBlob)617 TEST(Deduplication, DuplicateBlob) {
618 AuthorizationSet set(AuthorizationSetBuilder()
619 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
620 .Authorization(TAG_ACTIVE_DATETIME, 10)
621 .Authorization(TAG_APPLICATION_DATA, "data", 4)
622 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
623 .Authorization(TAG_USER_ID, 7)
624 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
625 .Authorization(TAG_APPLICATION_DATA, "data", 4)
626 .Authorization(TAG_APPLICATION_DATA, "foo", 3)
627 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
628 AuthorizationSet copy(set);
629
630 EXPECT_EQ(copy, set);
631 set.Deduplicate();
632 EXPECT_EQ(copy.size() - 3, set.size());
633 EXPECT_NE(copy, set);
634
635 // The real test here is that valgrind reports no leak.
636 }
637
TEST(Union,Disjoint)638 TEST(Union, Disjoint) {
639 AuthorizationSet set1(AuthorizationSetBuilder()
640 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
641 .Authorization(TAG_ACTIVE_DATETIME, 10)
642 .Authorization(TAG_APPLICATION_DATA, "data", 4));
643
644 AuthorizationSet set2(AuthorizationSetBuilder()
645 .Authorization(TAG_USER_ID, 7)
646 .Authorization(TAG_APPLICATION_DATA, "foo", 3)
647 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
648
649 AuthorizationSet expected(AuthorizationSetBuilder()
650 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
651 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
652 .Authorization(TAG_USER_ID, 7)
653 .Authorization(TAG_ACTIVE_DATETIME, 10)
654 .Authorization(TAG_APPLICATION_DATA, "data", 4)
655 .Authorization(TAG_APPLICATION_DATA, "foo", 3));
656
657 set1.Union(set2);
658 EXPECT_EQ(expected, set1);
659 }
660
TEST(Union,Overlap)661 TEST(Union, Overlap) {
662 AuthorizationSet set1(AuthorizationSetBuilder()
663 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
664 .Authorization(TAG_ACTIVE_DATETIME, 10)
665 .Authorization(TAG_APPLICATION_DATA, "data", 4));
666
667 AuthorizationSet set2(AuthorizationSetBuilder()
668 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
669 .Authorization(TAG_ACTIVE_DATETIME, 10)
670 .Authorization(TAG_APPLICATION_DATA, "data", 4));
671
672 AuthorizationSet expected(AuthorizationSetBuilder()
673 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
674 .Authorization(TAG_ACTIVE_DATETIME, 10)
675 .Authorization(TAG_APPLICATION_DATA, "data", 4));
676
677 set1.Union(set2);
678 EXPECT_EQ(expected, set1);
679 }
680
TEST(Union,Empty)681 TEST(Union, Empty) {
682 AuthorizationSet set1(AuthorizationSetBuilder()
683 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
684 .Authorization(TAG_ACTIVE_DATETIME, 10)
685 .Authorization(TAG_APPLICATION_DATA, "data", 4));
686
687 AuthorizationSet set2;
688
689 AuthorizationSet expected(AuthorizationSetBuilder()
690 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
691 .Authorization(TAG_ACTIVE_DATETIME, 10)
692 .Authorization(TAG_APPLICATION_DATA, "data", 4));
693
694 set1.Union(set2);
695 EXPECT_EQ(expected, set1);
696 }
697
TEST(Difference,Disjoint)698 TEST(Difference, Disjoint) {
699 AuthorizationSet set1(AuthorizationSetBuilder()
700 .Authorization(TAG_APPLICATION_DATA, "data", 4)
701 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
702 .Authorization(TAG_ACTIVE_DATETIME, 10));
703
704 AuthorizationSet set2(AuthorizationSetBuilder()
705 .Authorization(TAG_USER_ID, 7)
706 .Authorization(TAG_APPLICATION_DATA, "foo", 3)
707 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
708
709 // Elements are the same as set1, but happen to be in a different order
710 AuthorizationSet expected(AuthorizationSetBuilder()
711 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
712 .Authorization(TAG_ACTIVE_DATETIME, 10)
713 .Authorization(TAG_APPLICATION_DATA, "data", 4));
714
715 set1.Difference(set2);
716 EXPECT_EQ(expected, set1);
717 }
718
TEST(Difference,Overlap)719 TEST(Difference, Overlap) {
720 AuthorizationSet set1(AuthorizationSetBuilder()
721 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
722 .Authorization(TAG_ACTIVE_DATETIME, 10)
723 .Authorization(TAG_APPLICATION_DATA, "data", 4));
724
725 AuthorizationSet set2(AuthorizationSetBuilder()
726 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
727 .Authorization(TAG_ACTIVE_DATETIME, 10)
728 .Authorization(TAG_APPLICATION_DATA, "data", 4));
729
730 AuthorizationSet empty;
731 set1.Difference(set2);
732 EXPECT_EQ(empty, set1);
733 EXPECT_EQ(0U, set1.size());
734 }
735
TEST(Difference,NullSet)736 TEST(Difference, NullSet) {
737 AuthorizationSet set1(AuthorizationSetBuilder()
738 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
739 .Authorization(TAG_ACTIVE_DATETIME, 10)
740 .Authorization(TAG_APPLICATION_DATA, "data", 4));
741
742 AuthorizationSet set2;
743
744 AuthorizationSet expected(AuthorizationSetBuilder()
745 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
746 .Authorization(TAG_ACTIVE_DATETIME, 10)
747 .Authorization(TAG_APPLICATION_DATA, "data", 4));
748
749 set1.Difference(set2);
750 EXPECT_EQ(expected, set1);
751 }
752
753 } // namespace test
754 } // namespace keymaster
755