1# Use of this source code is governed by a BSD-style license that can be
2# found in the LICENSE file.
3
4import hashlib
5import logging
6import re
7
8from autotest_lib.client.common_lib import error
9from autotest_lib.client.common_lib.cros import g2f_utils
10from autotest_lib.client.common_lib.cros import tpm_utils
11from autotest_lib.server import test
12
13
14class firmware_Cr50U2fPowerwash(test.test):
15    """
16    A test that runs sanity checks for U2F register and authenticate functions,
17    and checks that key handles are invalidated after TPM clear.
18    """
19    version = 1
20
21    def parse_g2ftool_output(self, stdout):
22      return dict((k, v)
23                  for k,v in (line.split('=')
24                              for line in stdout.strip().split('\n')))
25
26    def run_once(self, host=None):
27        self.client = host
28
29        # Start by clearing TPM to make sure the device is in a known state.
30        tpm_utils.ClearTPMOwnerRequest(self.client, wait_for_ready=True)
31
32        # U2fd does will not start normally if the device has not gone
33        # through OOBE. Force it to startup.
34        cr50_dev = g2f_utils.StartU2fd(self.client)
35
36        # Register to create a new key handle.
37        g2f_reg = g2f_utils.G2fRegister(
38            self.client,
39            cr50_dev,
40            hashlib.sha256('test_challenge').hexdigest(),
41            hashlib.sha256('test_application').hexdigest())
42
43        # Sanity check that we managed to register.
44        if not g2f_reg.exit_status == 0:
45          raise error.TestError('Register failed.')
46
47        # Extract newly created key handle.
48        key_handle = self.parse_g2ftool_output(g2f_reg.stdout)['key_handle']
49
50        # Sanity check that we can authenticate with the new key handle.
51        g2f_auth = g2f_utils.G2fAuth(
52            self.client,
53            cr50_dev,
54            hashlib.sha256('test_challenge').hexdigest(),
55            hashlib.sha256('test_application').hexdigest(),
56            key_handle)
57
58        if not g2f_auth.exit_status == 0:
59          raise error.TestError('Authenticate failed.')
60
61        # Clear TPM. We should no longer be able to authenticate with the
62        # key handle after this.
63        tpm_utils.ClearTPMOwnerRequest(self.client, wait_for_ready=True)
64
65        # U2fd does will not start normally if the device has not gone
66        # through OOBE. Force it to startup.
67        cr50_dev = g2f_utils.StartU2fd(self.client)
68
69        # Check the key handle is no longer valid.
70        g2f_auth_clear = g2f_utils.G2fAuth(
71            self.client,
72            cr50_dev,
73            hashlib.sha256('test_challenge').hexdigest(),
74            hashlib.sha256('test_application').hexdigest(),
75            key_handle)
76
77        if g2f_auth_clear.exit_status == 0:
78          raise error.TestError('Authenticate succeeded; should have failed')
79