1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <gtest/gtest.h>
18
19 #include <keymaster/android_keymaster_utils.h>
20 #include <keymaster/authorization_set.h>
21
22 #include "android_keymaster_test_utils.h"
23
24 namespace keymaster {
25
26 namespace test {
27
TEST(Construction,ListProvided)28 TEST(Construction, ListProvided) {
29 keymaster_key_param_t params[] = {
30 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
31 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
32 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
33 Authorization(TAG_USER_ID, 7),
34 Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
35 Authorization(TAG_APPLICATION_ID, "my_app", 6),
36 Authorization(TAG_KEY_SIZE, 256),
37 Authorization(TAG_AUTH_TIMEOUT, 300),
38 };
39 AuthorizationSet set(params, array_length(params));
40 EXPECT_EQ(8U, set.size());
41 }
42
TEST(Construction,Copy)43 TEST(Construction, Copy) {
44 keymaster_key_param_t params[] = {
45 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
46 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
47 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
48 Authorization(TAG_USER_ID, 7),
49 Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
50 Authorization(TAG_APPLICATION_ID, "my_app", 6),
51 Authorization(TAG_KEY_SIZE, 256),
52 Authorization(TAG_AUTH_TIMEOUT, 300),
53 };
54 AuthorizationSet set(params, array_length(params));
55 AuthorizationSet set2(set);
56 EXPECT_EQ(set, set2);
57 }
58
TEST(Construction,NullProvided)59 TEST(Construction, NullProvided) {
60 keymaster_key_param_t params[] = {
61 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
62 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
63 };
64
65 AuthorizationSet set1(params, 0);
66 EXPECT_EQ(0U, set1.size());
67 EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());
68
69 AuthorizationSet set2(reinterpret_cast<keymaster_key_param_t*>(NULL), array_length(params));
70 EXPECT_EQ(0U, set2.size());
71 EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
72 }
73
TEST(Lookup,NonRepeated)74 TEST(Lookup, NonRepeated) {
75 AuthorizationSet set(AuthorizationSetBuilder()
76 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
77 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
78 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
79 .Authorization(TAG_USER_ID, 7)
80 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
81 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
82 .Authorization(TAG_KEY_SIZE, 256)
83 .Authorization(TAG_AUTH_TIMEOUT, 300));
84
85 EXPECT_EQ(8U, set.size());
86
87 int pos = set.find(TAG_ALGORITHM);
88 ASSERT_NE(-1, pos);
89 EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
90 EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);
91
92 pos = set.find(TAG_MAC_LENGTH);
93 EXPECT_EQ(-1, pos);
94
95 uint32_t int_val = 0;
96 EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
97 EXPECT_EQ(7U, int_val);
98
99 keymaster_blob_t blob_val;
100 EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
101 EXPECT_EQ(6U, blob_val.data_length);
102 EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
103 }
104
TEST(Lookup,Repeated)105 TEST(Lookup, Repeated) {
106 AuthorizationSet set(AuthorizationSetBuilder()
107 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
108 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
109 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
110 .Authorization(TAG_USER_ID, 7)
111 .Authorization(TAG_USER_SECURE_ID, 47727)
112 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
113 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
114 .Authorization(TAG_KEY_SIZE, 256)
115 .Authorization(TAG_AUTH_TIMEOUT, 300));
116 EXPECT_EQ(9U, set.size());
117
118 int pos = set.find(TAG_PURPOSE);
119 ASSERT_FALSE(pos == -1);
120 EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
121 EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);
122
123 pos = set.find(TAG_PURPOSE, pos);
124 EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
125 EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);
126
127 EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));
128
129 pos = set.find(TAG_USER_SECURE_ID, pos);
130 EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
131 EXPECT_EQ(47727U, set[pos].long_integer);
132 }
133
TEST(Lookup,Indexed)134 TEST(Lookup, Indexed) {
135 AuthorizationSet set(AuthorizationSetBuilder()
136 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
137 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
138 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
139 .Authorization(TAG_USER_ID, 7)
140 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
141 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
142 .Authorization(TAG_KEY_SIZE, 256)
143 .Authorization(TAG_AUTH_TIMEOUT, 300));
144 EXPECT_EQ(8U, set.size());
145
146 EXPECT_EQ(KM_TAG_PURPOSE, set[0].tag);
147 EXPECT_EQ(KM_PURPOSE_SIGN, set[0].enumerated);
148
149 // Lookup beyond end doesn't work, just returns zeros, but doens't blow up either (verify by
150 // running under valgrind).
151 EXPECT_EQ(KM_TAG_INVALID, set[10].tag);
152 }
153
TEST(Serialization,RoundTrip)154 TEST(Serialization, RoundTrip) {
155 AuthorizationSet set(AuthorizationSetBuilder()
156 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
157 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
158 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
159 .Authorization(TAG_USER_ID, 7)
160 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
161 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
162 .Authorization(TAG_KEY_SIZE, 256)
163 .Authorization(TAG_USER_SECURE_ID, 47727)
164 .Authorization(TAG_AUTH_TIMEOUT, 300)
165 .Authorization(TAG_ALL_USERS)
166 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
167 .Authorization(TAG_ACTIVE_DATETIME, 10));
168
169 size_t size = set.SerializedSize();
170 EXPECT_TRUE(size > 0);
171
172 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
173 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
174 AuthorizationSet deserialized(buf.get(), size);
175
176 EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
177 EXPECT_EQ(set, deserialized);
178
179 int pos = deserialized.find(TAG_APPLICATION_ID);
180 ASSERT_NE(-1, pos);
181 EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
182 EXPECT_EQ(6U, deserialized[pos].blob.data_length);
183 EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
184 }
185
TEST(Deserialization,Deserialize)186 TEST(Deserialization, Deserialize) {
187 AuthorizationSet set(AuthorizationSetBuilder()
188 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
189 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
190 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
191 .Authorization(TAG_USER_ID, 7)
192 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
193 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
194 .Authorization(TAG_KEY_SIZE, 256)
195 .Authorization(TAG_AUTH_TIMEOUT, 300));
196
197 size_t size = set.SerializedSize();
198 EXPECT_TRUE(size > 0);
199
200 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
201 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
202 AuthorizationSet deserialized;
203 const uint8_t* p = buf.get();
204 EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
205 EXPECT_EQ(p, buf.get() + size);
206
207 EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
208
209 EXPECT_EQ(set.size(), deserialized.size());
210 for (size_t i = 0; i < set.size(); ++i) {
211 EXPECT_EQ(set[i].tag, deserialized[i].tag);
212 }
213
214 int pos = deserialized.find(TAG_APPLICATION_ID);
215 ASSERT_NE(-1, pos);
216 EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
217 EXPECT_EQ(6U, deserialized[pos].blob.data_length);
218 EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
219 }
220
TEST(Deserialization,TooShortBuffer)221 TEST(Deserialization, TooShortBuffer) {
222 uint8_t buf[] = {0, 0, 0};
223 AuthorizationSet deserialized(buf, array_length(buf));
224 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
225
226 const uint8_t* p = buf;
227 EXPECT_FALSE(deserialized.Deserialize(&p, p + array_length(buf)));
228 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
229 }
230
TEST(Deserialization,InvalidLengthField)231 TEST(Deserialization, InvalidLengthField) {
232 AuthorizationSet set(AuthorizationSetBuilder()
233 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
234 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
235 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
236 .Authorization(TAG_USER_ID, 7)
237 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
238 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
239 .Authorization(TAG_KEY_SIZE, 256)
240 .Authorization(TAG_AUTH_TIMEOUT, 300));
241
242 size_t size = set.SerializedSize();
243 EXPECT_TRUE(size > 0);
244
245 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
246 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
247 *reinterpret_cast<uint32_t*>(buf.get()) = 9;
248
249 AuthorizationSet deserialized(buf.get(), size);
250 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
251
252 const uint8_t* p = buf.get();
253 EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
254 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
255 }
256
TEST(Clear,ClearRecoversFromError)257 TEST(Clear, ClearRecoversFromError) {
258 uint8_t buf[] = {0, 0, 0};
259 AuthorizationSet deserialized(buf, array_length(buf));
260 ASSERT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
261
262 deserialized.Clear();
263 ASSERT_EQ(AuthorizationSet::OK, deserialized.is_valid());
264 }
265
read_uint32(const uint8_t * buf)266 static uint32_t read_uint32(const uint8_t* buf) {
267 uint32_t val;
268 memcpy(&val, buf, sizeof(val));
269 return val;
270 }
271
add_to_uint32(uint8_t * buf,int delta)272 static void add_to_uint32(uint8_t* buf, int delta) {
273 uint32_t val;
274 memcpy(&val, buf, sizeof(val));
275 val += delta;
276 memcpy(buf, &val, sizeof(val));
277 }
278
TEST(Deserialization,MalformedIndirectData)279 TEST(Deserialization, MalformedIndirectData) {
280 AuthorizationSet set(AuthorizationSetBuilder()
281 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
282 .Authorization(TAG_APPLICATION_DATA, "foo", 3));
283 size_t size = set.SerializedSize();
284
285 UniquePtr<uint8_t[]> buf(new uint8_t[size]);
286 EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
287
288 // This sucks. This test, as written, requires intimate knowledge of the serialized layout of
289 // this particular set, which means it's brittle. But it's important to test that we handle
290 // broken serialized data and I can't think of a better way to write this.
291 //
292 // The contents of buf are:
293 //
294 // Bytes: Content:
295 // 0-3 Length of string data, which is 9.
296 // 4-9 "my_app"
297 // 10-12 "foo"
298 // 13-16 Number of elements, which is 2.
299 // 17-20 Length of elements, which is 24.
300 // 21-24 First tag, TAG_APPLICATION_ID
301 // 25-28 Length of string "my_app", 6
302 // 29-32 Offset of string "my_app", 0
303 // 33-36 Second tag, TAG_APPLICATION_DATA
304 // 37-40 Length of string "foo", 3
305 // 41-44 Offset of string "foo", 6
306
307 // Check that stuff is where we think.
308 EXPECT_EQ('m', buf[4]);
309 EXPECT_EQ('f', buf[10]);
310 // Length of "my_app"
311 EXPECT_EQ(6U, read_uint32(buf.get() + 25));
312 // Offset of "my_app"
313 EXPECT_EQ(0U, read_uint32(buf.get() + 29));
314 // Length of "foo"
315 EXPECT_EQ(3U, read_uint32(buf.get() + 37));
316 // Offset of "foo"
317 EXPECT_EQ(6U, read_uint32(buf.get() + 41));
318
319 // Check that deserialization works.
320 AuthorizationSet deserialized1(buf.get(), size);
321 EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
322
323 const uint8_t* p = buf.get();
324 EXPECT_TRUE(deserialized1.Deserialize(&p, p + size));
325 EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
326
327 //
328 // Now mess them up in various ways:
329 //
330
331 // Move "foo" offset so offset + length goes off the end
332 add_to_uint32(buf.get() + 41, 1);
333 AuthorizationSet deserialized2(buf.get(), size);
334 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized2.is_valid());
335 add_to_uint32(buf.get() + 41, -1);
336
337 // Shorten the "my_app" length to make a gap between the blobs.
338 add_to_uint32(buf.get() + 25, -1);
339 AuthorizationSet deserialized3(buf.get(), size);
340 EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized3.is_valid());
341 add_to_uint32(buf.get() + 25, 1);
342
343 // Extend the "my_app" length to make them overlap, and decrease the "foo" length to keep the
344 // total length the same. We don't detect this but should.
345 // TODO(swillden): Detect overlaps and holes that leave total size correct.
346 add_to_uint32(buf.get() + 25, 1);
347 add_to_uint32(buf.get() + 37, -1);
348 AuthorizationSet deserialized4(buf.get(), size);
349 EXPECT_EQ(AuthorizationSet::OK, deserialized4.is_valid());
350 }
351
TEST(Growable,SuccessfulRoundTrip)352 TEST(Growable, SuccessfulRoundTrip) {
353 AuthorizationSet growable;
354 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
355 EXPECT_EQ(1U, growable.size());
356
357 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)));
358 EXPECT_EQ(2U, growable.size());
359
360 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
361 EXPECT_EQ(3U, growable.size());
362
363 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "data", 4)));
364 EXPECT_EQ(4U, growable.size());
365
366 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "some more data", 14)));
367 EXPECT_EQ(5U, growable.size());
368
369 size_t serialize_size = growable.SerializedSize();
370 UniquePtr<uint8_t[]> serialized(new uint8_t[serialize_size]);
371 EXPECT_EQ(serialized.get() + serialize_size,
372 growable.Serialize(serialized.get(), serialized.get() + serialize_size));
373
374 AuthorizationSet deserialized(serialized.get(), serialize_size);
375 EXPECT_EQ(growable, deserialized);
376 }
377
TEST(Growable,InsufficientElemBuf)378 TEST(Growable, InsufficientElemBuf) {
379 AuthorizationSet growable;
380 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
381
382 // First insertion fits.
383 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
384 EXPECT_EQ(1U, growable.size());
385 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
386
387 // Second does too.
388 EXPECT_TRUE(growable.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
389 EXPECT_EQ(2U, growable.size());
390 }
391
TEST(Growable,InsufficientIndirectBuf)392 TEST(Growable, InsufficientIndirectBuf) {
393 AuthorizationSet growable;
394 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
395
396 EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
397 EXPECT_EQ(1U, growable.size());
398 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
399
400 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
401 EXPECT_EQ(2U, growable.size());
402 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
403
404 EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
405 EXPECT_EQ(3U, growable.size());
406 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
407
408 // Can still add another entry without indirect data. Now it's full.
409 EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
410 EXPECT_EQ(4U, growable.size());
411 EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
412 }
413
TEST(Growable,PushBackSets)414 TEST(Growable, PushBackSets) {
415 AuthorizationSetBuilder builder;
416 builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
417 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
418 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
419 .Authorization(TAG_USER_ID, 7)
420 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
421 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
422 .Authorization(TAG_KEY_SIZE, 256)
423 .Authorization(TAG_AUTH_TIMEOUT, 300);
424
425 AuthorizationSet set1(builder.build());
426 AuthorizationSet set2(builder.build());
427
428 AuthorizationSet combined;
429 EXPECT_TRUE(combined.push_back(set1));
430 EXPECT_TRUE(combined.push_back(set2));
431 EXPECT_EQ(set1.size() + set2.size(), combined.size());
432 EXPECT_EQ(12U, combined.indirect_size());
433 }
434
TEST(GetValue,GetInt)435 TEST(GetValue, GetInt) {
436 AuthorizationSet set(AuthorizationSetBuilder()
437 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
438 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
439 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
440 .Authorization(TAG_USER_ID, 7)
441 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
442 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
443 .Authorization(TAG_AUTH_TIMEOUT, 300));
444
445 uint32_t val;
446 EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &val));
447 EXPECT_EQ(7U, val);
448
449 // Find one that isn't there
450 EXPECT_FALSE(set.GetTagValue(TAG_KEY_SIZE, &val));
451 }
452
TEST(GetValue,GetLong)453 TEST(GetValue, GetLong) {
454 AuthorizationSet set1(AuthorizationSetBuilder()
455 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
456 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
457 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
458 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
459
460 AuthorizationSet set2(AuthorizationSetBuilder()
461 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
462 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
463 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
464
465 uint64_t val;
466 EXPECT_TRUE(set1.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
467 EXPECT_EQ(3U, val);
468
469 // Find one that isn't there
470 EXPECT_FALSE(set2.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
471 }
472
TEST(GetValue,GetLongRep)473 TEST(GetValue, GetLongRep) {
474 AuthorizationSet set1(AuthorizationSetBuilder()
475 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
476 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
477 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
478 .Authorization(TAG_USER_SECURE_ID, 8338)
479 .Authorization(TAG_USER_SECURE_ID, 4334)
480 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
481
482 AuthorizationSet set2(AuthorizationSetBuilder()
483 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
484 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
485 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
486
487 uint64_t val;
488 EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 0, &val));
489 EXPECT_EQ(8338U, val);
490 EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 1, &val));
491 EXPECT_EQ(4334U, val);
492
493 // Find one that isn't there
494 EXPECT_FALSE(set2.GetTagValue(TAG_USER_SECURE_ID, &val));
495 }
496
TEST(GetValue,GetEnum)497 TEST(GetValue, GetEnum) {
498 AuthorizationSet set(AuthorizationSetBuilder()
499 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
500 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
501 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
502 .Authorization(TAG_USER_ID, 7)
503 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
504 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
505 .Authorization(TAG_AUTH_TIMEOUT, 300));
506
507 keymaster_algorithm_t val;
508 EXPECT_TRUE(set.GetTagValue(TAG_ALGORITHM, &val));
509 EXPECT_EQ(KM_ALGORITHM_RSA, val);
510
511 // Find one that isn't there
512 keymaster_padding_t val2;
513 EXPECT_FALSE(set.GetTagValue(TAG_PADDING, &val2));
514 }
515
TEST(GetValue,GetEnumRep)516 TEST(GetValue, GetEnumRep) {
517 AuthorizationSet set(AuthorizationSetBuilder()
518 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
519 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
520 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
521 .Authorization(TAG_USER_ID, 7)
522 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
523 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
524 .Authorization(TAG_AUTH_TIMEOUT, 300));
525
526 keymaster_purpose_t val;
527 EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 0, &val));
528 EXPECT_EQ(KM_PURPOSE_SIGN, val);
529 EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 1, &val));
530 EXPECT_EQ(KM_PURPOSE_VERIFY, val);
531
532 // Find one that isn't there
533 EXPECT_FALSE(set.GetTagValue(TAG_PURPOSE, 2, &val));
534 }
535
TEST(GetValue,GetDate)536 TEST(GetValue, GetDate) {
537 AuthorizationSet set(AuthorizationSetBuilder()
538 .Authorization(TAG_ACTIVE_DATETIME, 10)
539 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
540 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
541 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
542 .Authorization(TAG_USER_ID, 7)
543 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
544 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
545 .Authorization(TAG_AUTH_TIMEOUT, 300));
546
547 uint64_t val;
548 EXPECT_TRUE(set.GetTagValue(TAG_ACTIVE_DATETIME, &val));
549 EXPECT_EQ(10U, val);
550
551 // Find one that isn't there
552 EXPECT_FALSE(set.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &val));
553 }
554
TEST(GetValue,GetBlob)555 TEST(GetValue, GetBlob) {
556 AuthorizationSet set(AuthorizationSetBuilder()
557 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
558 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
559 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
560 .Authorization(TAG_USER_ID, 7)
561 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
562 .Authorization(TAG_APPLICATION_ID, "my_app", 6)
563 .Authorization(TAG_AUTH_TIMEOUT, 300));
564
565 keymaster_blob_t val;
566 EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
567 EXPECT_EQ(6U, val.data_length);
568 EXPECT_EQ(0, memcmp(val.data, "my_app", 6));
569
570 // Find one that isn't there
571 EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
572 }
573
TEST(Deduplication,NoDuplicates)574 TEST(Deduplication, NoDuplicates) {
575 AuthorizationSet set(AuthorizationSetBuilder()
576 .Authorization(TAG_ACTIVE_DATETIME, 10)
577 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
578 .Authorization(TAG_USER_ID, 7)
579 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
580 AuthorizationSet copy(set);
581
582 EXPECT_EQ(copy, set);
583 set.Deduplicate();
584 EXPECT_EQ(copy.size(), set.size());
585
586 // Sets no longer compare equal, because of ordering (ugh, maybe it should be
587 // AuthorizationList, not AuthorizationSet).
588 EXPECT_NE(copy, set);
589 }
590
TEST(Deduplication,NoDuplicatesHasInvalid)591 TEST(Deduplication, NoDuplicatesHasInvalid) {
592 AuthorizationSet set(AuthorizationSetBuilder()
593 .Authorization(TAG_ACTIVE_DATETIME, 10)
594 .Authorization(TAG_INVALID)
595 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
596 .Authorization(TAG_USER_ID, 7)
597 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
598 AuthorizationSet copy(set);
599
600 EXPECT_EQ(copy, set);
601 set.Deduplicate();
602
603 // Deduplicate should have removed the invalid.
604 EXPECT_EQ(copy.size() - 1, set.size());
605 EXPECT_NE(copy, set);
606 }
607
TEST(Deduplication,DuplicateEnum)608 TEST(Deduplication, DuplicateEnum) {
609 AuthorizationSet set(AuthorizationSetBuilder()
610 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
611 .Authorization(TAG_ACTIVE_DATETIME, 10)
612 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
613 .Authorization(TAG_USER_ID, 7)
614 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
615 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
616 AuthorizationSet copy(set);
617
618 EXPECT_EQ(copy, set);
619 set.Deduplicate();
620 EXPECT_EQ(copy.size() - 2, set.size());
621 EXPECT_NE(copy, set);
622 }
623
TEST(Deduplication,DuplicateBlob)624 TEST(Deduplication, DuplicateBlob) {
625 AuthorizationSet set(AuthorizationSetBuilder()
626 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
627 .Authorization(TAG_ACTIVE_DATETIME, 10)
628 .Authorization(TAG_APPLICATION_DATA, "data", 4)
629 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
630 .Authorization(TAG_USER_ID, 7)
631 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
632 .Authorization(TAG_APPLICATION_DATA, "data", 4)
633 .Authorization(TAG_APPLICATION_DATA, "foo", 3)
634 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
635 AuthorizationSet copy(set);
636
637 EXPECT_EQ(copy, set);
638 set.Deduplicate();
639 EXPECT_EQ(copy.size() - 3, set.size());
640 EXPECT_NE(copy, set);
641
642 // The real test here is that valgrind reports no leak.
643 }
644
TEST(Difference,Disjoint)645 TEST(Difference, Disjoint) {
646 AuthorizationSet set1(AuthorizationSetBuilder()
647 .Authorization(TAG_APPLICATION_DATA, "data", 4)
648 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
649 .Authorization(TAG_ACTIVE_DATETIME, 10));
650
651 AuthorizationSet set2(AuthorizationSetBuilder()
652 .Authorization(TAG_USER_ID, 7)
653 .Authorization(TAG_APPLICATION_DATA, "foo", 3)
654 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
655
656 // Elements are the same as set1, but happen to be in a different order
657 AuthorizationSet expected(AuthorizationSetBuilder()
658 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
659 .Authorization(TAG_ACTIVE_DATETIME, 10)
660 .Authorization(TAG_APPLICATION_DATA, "data", 4));
661
662 set1.Difference(set2);
663 EXPECT_EQ(expected, set1);
664 }
665
TEST(Difference,Overlap)666 TEST(Difference, Overlap) {
667 AuthorizationSet set1(AuthorizationSetBuilder()
668 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
669 .Authorization(TAG_ACTIVE_DATETIME, 10)
670 .Authorization(TAG_APPLICATION_DATA, "data", 4));
671
672 AuthorizationSet set2(AuthorizationSetBuilder()
673 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
674 .Authorization(TAG_ACTIVE_DATETIME, 10)
675 .Authorization(TAG_APPLICATION_DATA, "data", 4));
676
677 AuthorizationSet empty;
678 set1.Difference(set2);
679 EXPECT_EQ(empty, set1);
680 EXPECT_EQ(0U, set1.size());
681 }
682
TEST(Difference,NullSet)683 TEST(Difference, NullSet) {
684 AuthorizationSet set1(AuthorizationSetBuilder()
685 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
686 .Authorization(TAG_ACTIVE_DATETIME, 10)
687 .Authorization(TAG_APPLICATION_DATA, "data", 4));
688
689 AuthorizationSet set2;
690
691 AuthorizationSet expected(AuthorizationSetBuilder()
692 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
693 .Authorization(TAG_ACTIVE_DATETIME, 10)
694 .Authorization(TAG_APPLICATION_DATA, "data", 4));
695
696 set1.Difference(set2);
697 EXPECT_EQ(expected, set1);
698 }
699
700 } // namespace test
701 } // namespace keymaster
702