1 // 2 // Copyright (C) 2015 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef TRUNKS_TRUNKS_CLIENT_TEST_H_ 18 #define TRUNKS_TRUNKS_CLIENT_TEST_H_ 19 20 #include <string> 21 22 #include <base/memory/scoped_ptr.h> 23 24 #include "trunks/scoped_key_handle.h" 25 #include "trunks/tpm_generated.h" 26 #include "trunks/trunks_factory.h" 27 28 namespace trunks { 29 30 // This class is used to perform integration tests on the TPM. Each public 31 // method defines a different test to perform. 32 // NOTE: All these tests require that the TPM be owned, and SRKs exist. 33 // Example usage: 34 // TrunksClientTest test; 35 // CHECK(test.RNGTest()); 36 // CHECK(test.SimplePolicyTest()); 37 class TrunksClientTest { 38 public: 39 TrunksClientTest(); 40 // Takes ownership of factory. 41 explicit TrunksClientTest(scoped_ptr<TrunksFactory> factory); 42 virtual ~TrunksClientTest(); 43 44 // This test verifies that the Random Number Generator on the TPM is working 45 // correctly. 46 bool RNGTest(); 47 48 // This test verifies that we can create an unrestricted RSA signing key and 49 // use it to sign arbitrary data. 50 bool SignTest(); 51 52 // This test verfifies that we can create an unrestricted RSA decryption key 53 // and use it to encrypt and decrypt arbitrary data. 54 bool DecryptTest(); 55 56 // This test verifies that we can import a RSA key into the TPM and use it 57 // to encrypt and decrypt some data. 58 bool ImportTest(); 59 60 // This test verifies that we can change a key's authorization data and 61 // still use it to encrypt/decrypt data. 62 bool AuthChangeTest(); 63 64 // This test verifies that we can create a key and then confirm that it 65 // was created by the TPM. 66 bool VerifyKeyCreationTest(); 67 68 // This test verifies that we can seal a secret to the TPM and access 69 // it later. 70 bool SealedDataTest(); 71 72 // This test performs a simple PCR extension and then reads the value in the 73 // PCR to verify if it is correct. 74 // NOTE: PCR banks need to be configured for this test to succeed. Normally 75 // this is done by the platform firmware. 76 bool PCRTest(); 77 78 // This test sets up a PolicySession with the PolicyAuthValue assertion. 79 // This policy is then used to create a key and use it to sign/verify and 80 // encrypt/decrypt. 81 bool PolicyAuthValueTest(); 82 83 // This test sets up a PolicySession that is based on the current PCR value 84 // and a CommandCode for signing. The key created this way is restricted to 85 // be only used for signing, and only if the PCR remains unchanged. The key 86 // is then used to sign arbitrary data, and the signature verified. 87 bool PolicyAndTest(); 88 89 // This test performs a complex assertion using PolicyOR. 90 // We create an unrestricted key, and restricts it to signing 91 // and decryption using Policy Sessions. 92 bool PolicyOrTest(); 93 94 // This test verfies that we can create, write, read, lock and delete 95 // NV spaces in the TPM. 96 // NOTE: This test needs the |owner_password| to work. 97 bool NvramTest(const std::string& owner_password); 98 99 // This test uses many key handles simultaneously. 100 bool ManyKeysTest(); 101 102 // This test uses many sessions simultaneously. 103 bool ManySessionsTest(); 104 105 private: 106 // This method verifies that plaintext == decrypt(encrypt(plaintext)) using 107 // a given key. 108 // TODO(usanghi): Remove |session| argument once we can support multiple 109 // sessions. 110 bool PerformRSAEncrpytAndDecrpyt(TPM_HANDLE key_handle, 111 const std::string& key_authorization, 112 HmacSession* session); 113 114 // Generates an RSA key pair in software. The |modulus| and |prime_factor| 115 // must not be NULL and will be populated with values that can be imported 116 // into the TPM. The |public_key| may be NULL, but if it is not, will be 117 // populated with a value that can be used with VerifyRSASignature. 118 void GenerateRSAKeyPair(std::string* modulus, 119 std::string* prime_factor, 120 std::string* public_key); 121 122 // Verifies an RSA-SSA-SHA256 |signature| over the given |data|. The 123 // |public_key| is as produced by GenerateRSAKeyPair(). Returns true on 124 // success. 125 bool VerifyRSASignature(const std::string& public_key, 126 const std::string& data, 127 const std::string& signature); 128 129 // Loads an arbitrary RSA signing key and provides the |key_handle| and the 130 // |public_key|. Returns true on success. 131 bool LoadSigningKey(ScopedKeyHandle* key_handle, std::string* public_key); 132 133 // Signs arbitrary data with |key_handle| authorized by |delegate| and 134 // verifies the signature with |public_key|. Returns true on success. 135 bool SignAndVerify(const ScopedKeyHandle& key_handle, 136 const std::string& public_key, 137 AuthorizationDelegate* delegate); 138 139 // Factory for instantiation of Tpm classes 140 scoped_ptr<TrunksFactory> factory_; 141 142 DISALLOW_COPY_AND_ASSIGN(TrunksClientTest); 143 }; 144 145 } // namespace trunks 146 147 #endif // TRUNKS_TRUNKS_CLIENT_TEST_H_ 148