1 /*
2 * Copyright 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fstream>
18
19 #include <gtest/gtest.h>
20
21 #include <keymaster/keymaster_context.h>
22
23 #include "android_keymaster_test_utils.h"
24 #include <keymaster/attestation_record.h>
25
26 namespace keymaster {
27 namespace test {
28
29 class TestContext : public AttestationRecordContext {
30 public:
GetSecurityLevel() const31 keymaster_security_level_t GetSecurityLevel() const override {
32 return KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
33 }
GenerateUniqueId(uint64_t,const keymaster_blob_t & application_id,bool,Buffer * unique_id) const34 keymaster_error_t GenerateUniqueId(uint64_t /* creation_date_time */,
35 const keymaster_blob_t& application_id,
36 bool /* reset_since_rotation */,
37 Buffer* unique_id) const override {
38 // Use the application ID directly as the unique ID.
39 unique_id->Reinitialize(application_id.data, application_id.data_length);
40 return KM_ERROR_OK;
41 }
GetVerifiedBootParams(keymaster_blob_t * verified_boot_key,keymaster_verified_boot_t * verified_boot_state,bool * device_locked) const42 keymaster_error_t GetVerifiedBootParams(keymaster_blob_t* verified_boot_key,
43 keymaster_verified_boot_t* verified_boot_state,
44 bool* device_locked) const override {
45 verified_boot_key->data = vboot_key_;
46 verified_boot_key->data_length = sizeof(vboot_key_);
47 *verified_boot_state = KM_VERIFIED_BOOT_VERIFIED;
48 *device_locked = true;
49 return KM_ERROR_OK;
50 }
51
VerifyRootOfTrust(const keymaster_blob_t & verified_boot_key,keymaster_verified_boot_t verified_boot_state,bool device_locked)52 void VerifyRootOfTrust(const keymaster_blob_t& verified_boot_key,
53 keymaster_verified_boot_t verified_boot_state, bool device_locked) {
54 EXPECT_EQ(sizeof(vboot_key_), verified_boot_key.data_length);
55 if (sizeof(vboot_key_) == verified_boot_key.data_length) {
56 EXPECT_EQ(0, memcmp(verified_boot_key.data, vboot_key_, sizeof(vboot_key_)));
57 }
58 EXPECT_TRUE(device_locked);
59 EXPECT_EQ(KM_VERIFIED_BOOT_VERIFIED, verified_boot_state);
60 }
61
62 private:
63 uint8_t vboot_key_[32]{"test_vboot_key"};
64 };
65
TEST(AttestTest,Simple)66 TEST(AttestTest, Simple) {
67 TestContext context;
68 AuthorizationSet hw_set(AuthorizationSetBuilder()
69 .RsaSigningKey(512, 3)
70 .Digest(KM_DIGEST_SHA_2_256)
71 .Digest(KM_DIGEST_SHA_2_384)
72 .Authorization(TAG_OS_VERSION, 60000)
73 .Authorization(TAG_OS_PATCHLEVEL, 201512)
74 .Authorization(TAG_INCLUDE_UNIQUE_ID));
75 AuthorizationSet sw_set(AuthorizationSetBuilder()
76 .Authorization(TAG_ACTIVE_DATETIME, 10)
77 .Authorization(TAG_CREATION_DATETIME, 10)
78 .Authorization(TAG_APPLICATION_ID, "fake_app_id", 11));
79
80 UniquePtr<uint8_t[]> asn1;
81 size_t asn1_len = 0;
82 AuthorizationSet attest_params(
83 AuthorizationSetBuilder()
84 .Authorization(TAG_ATTESTATION_CHALLENGE, "fake_challenge", 14)
85 .Authorization(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18));
86 ASSERT_EQ(KM_ERROR_OK,
87 build_attestation_record(attest_params, sw_set, hw_set, context, &asn1, &asn1_len));
88 EXPECT_GT(asn1_len, 0U);
89
90 std::ofstream output("attest.der",
91 std::ofstream::out | std::ofstream::binary | std::ofstream::trunc);
92 if (output)
93 output.write(reinterpret_cast<const char*>(asn1.get()), asn1_len);
94 output.close();
95
96 AuthorizationSet parsed_hw_set;
97 AuthorizationSet parsed_sw_set;
98 uint32_t attestation_version;
99 uint32_t keymaster_version;
100 keymaster_security_level_t attestation_security_level;
101 keymaster_security_level_t keymaster_security_level;
102 keymaster_blob_t attestation_challenge = {};
103 keymaster_blob_t unique_id = {};
104 EXPECT_EQ(KM_ERROR_OK,
105 parse_attestation_record(asn1.get(), asn1_len, &attestation_version,
106 &attestation_security_level, &keymaster_version,
107 &keymaster_security_level, &attestation_challenge,
108 &parsed_sw_set, &parsed_hw_set, &unique_id));
109
110 // Check that the challenge is consistent across build and parse.
111 EXPECT_EQ("fake_challenge",
112 std::string(reinterpret_cast<const char*>(attestation_challenge.data), 14));
113 delete[] attestation_challenge.data;
114
115 // Check that the unique id was populated as expected.
116 EXPECT_EQ("fake_app_id", std::string(reinterpret_cast<const char*>(unique_id.data), 11));
117 delete[] unique_id.data;
118
119 // The attestation ID is expected to appear in parsed_sw_set.
120 sw_set.push_back(TAG_ATTESTATION_APPLICATION_ID, "fake_attest_app_id", 18);
121
122 // The TAG_INCLUDE_UNIQUE_ID tag is not expected to appear in parsed_hw_set.
123 hw_set.erase(hw_set.find(TAG_INCLUDE_UNIQUE_ID));
124
125 // Check that the list of tags is consistent across build and parse.
126 hw_set.Sort();
127 sw_set.Sort();
128 parsed_hw_set.Sort();
129 parsed_sw_set.Sort();
130 EXPECT_EQ(hw_set, parsed_hw_set);
131 EXPECT_EQ(sw_set, parsed_sw_set);
132
133 // Check the root of trust values.
134 keymaster_blob_t verified_boot_key;
135 keymaster_verified_boot_t verified_boot_state;
136 bool device_locked;
137 EXPECT_EQ(KM_ERROR_OK, parse_root_of_trust(asn1.get(), asn1_len, &verified_boot_key,
138 &verified_boot_state, &device_locked));
139 context.VerifyRootOfTrust(verified_boot_key, verified_boot_state, device_locked);
140 delete[] verified_boot_key.data;
141 }
142
143 } // namespace test
144 } // namespace keymaster
145