1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <gtest/gtest.h>
18 
19 #include <keymaster/authorization_set.h>
20 #include <keymaster/android_keymaster_utils.h>
21 
22 #include "android_keymaster_test_utils.h"
23 
24 namespace keymaster {
25 
26 namespace test {
27 
TEST(Construction,ListProvided)28 TEST(Construction, ListProvided) {
29     keymaster_key_param_t params[] = {
30         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
31         Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
32         Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
33         Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
34         Authorization(TAG_AUTH_TIMEOUT, 300),
35     };
36     AuthorizationSet set(params, array_length(params));
37     EXPECT_EQ(8U, set.size());
38 }
39 
TEST(Construction,Copy)40 TEST(Construction, Copy) {
41     keymaster_key_param_t params[] = {
42         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
43         Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
44         Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
45         Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
46         Authorization(TAG_AUTH_TIMEOUT, 300),
47     };
48     AuthorizationSet set(params, array_length(params));
49     AuthorizationSet set2(set);
50     EXPECT_EQ(set, set2);
51 }
52 
TEST(Construction,NullProvided)53 TEST(Construction, NullProvided) {
54     keymaster_key_param_t params[] = {
55         Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
56     };
57 
58     AuthorizationSet set1(params, 0);
59     EXPECT_EQ(0U, set1.size());
60     EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());
61 
62     AuthorizationSet set2(reinterpret_cast<keymaster_key_param_t*>(NULL), array_length(params));
63     EXPECT_EQ(0U, set2.size());
64     EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
65 }
66 
TEST(Lookup,NonRepeated)67 TEST(Lookup, NonRepeated) {
68     AuthorizationSet set(AuthorizationSetBuilder()
69                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
70                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
71                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
72                              .Authorization(TAG_USER_ID, 7)
73                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
74                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
75                              .Authorization(TAG_KEY_SIZE, 256)
76                              .Authorization(TAG_AUTH_TIMEOUT, 300));
77 
78     EXPECT_EQ(8U, set.size());
79 
80     int pos = set.find(TAG_ALGORITHM);
81     ASSERT_NE(-1, pos);
82     EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
83     EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);
84 
85     pos = set.find(TAG_MAC_LENGTH);
86     EXPECT_EQ(-1, pos);
87 
88     uint32_t int_val = 0;
89     EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
90     EXPECT_EQ(7U, int_val);
91 
92     keymaster_blob_t blob_val;
93     EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
94     EXPECT_EQ(6U, blob_val.data_length);
95     EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
96 }
97 
TEST(Lookup,Repeated)98 TEST(Lookup, Repeated) {
99     AuthorizationSet set(AuthorizationSetBuilder()
100                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
101                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
102                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
103                              .Authorization(TAG_USER_ID, 7)
104                              .Authorization(TAG_USER_SECURE_ID, 47727)
105                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
106                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
107                              .Authorization(TAG_KEY_SIZE, 256)
108                              .Authorization(TAG_AUTH_TIMEOUT, 300));
109     EXPECT_EQ(9U, set.size());
110 
111     int pos = set.find(TAG_PURPOSE);
112     ASSERT_FALSE(pos == -1);
113     EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
114     EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);
115 
116     pos = set.find(TAG_PURPOSE, pos);
117     EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
118     EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);
119 
120     EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));
121 
122     pos = set.find(TAG_USER_SECURE_ID, pos);
123     EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
124     EXPECT_EQ(47727U, set[pos].long_integer);
125 }
126 
TEST(Lookup,Indexed)127 TEST(Lookup, Indexed) {
128     AuthorizationSet set(AuthorizationSetBuilder()
129                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
130                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
131                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
132                              .Authorization(TAG_USER_ID, 7)
133                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
134                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
135                              .Authorization(TAG_KEY_SIZE, 256)
136                              .Authorization(TAG_AUTH_TIMEOUT, 300));
137     EXPECT_EQ(8U, set.size());
138 
139     EXPECT_EQ(KM_TAG_PURPOSE, set[0].tag);
140     EXPECT_EQ(KM_PURPOSE_SIGN, set[0].enumerated);
141 
142     // Lookup beyond end doesn't work, just returns zeros, but doens't blow up either (verify by
143     // running under valgrind).
144     EXPECT_EQ(KM_TAG_INVALID, set[10].tag);
145 }
146 
TEST(Serialization,RoundTrip)147 TEST(Serialization, RoundTrip) {
148     AuthorizationSet set(AuthorizationSetBuilder()
149                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
150                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
151                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
152                              .Authorization(TAG_USER_ID, 7)
153                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
154                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
155                              .Authorization(TAG_KEY_SIZE, 256)
156                              .Authorization(TAG_USER_SECURE_ID, 47727)
157                              .Authorization(TAG_AUTH_TIMEOUT, 300)
158                              .Authorization(TAG_ALL_USERS)
159                              .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
160                              .Authorization(TAG_ACTIVE_DATETIME, 10));
161 
162     size_t size = set.SerializedSize();
163     EXPECT_TRUE(size > 0);
164 
165     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
166     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
167     AuthorizationSet deserialized(buf.get(), size);
168 
169     EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
170     EXPECT_EQ(set, deserialized);
171 
172     int pos = deserialized.find(TAG_APPLICATION_ID);
173     ASSERT_NE(-1, pos);
174     EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
175     EXPECT_EQ(6U, deserialized[pos].blob.data_length);
176     EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
177 }
178 
TEST(Deserialization,Deserialize)179 TEST(Deserialization, Deserialize) {
180     AuthorizationSet set(AuthorizationSetBuilder()
181                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
182                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
183                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
184                              .Authorization(TAG_USER_ID, 7)
185                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
186                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
187                              .Authorization(TAG_KEY_SIZE, 256)
188                              .Authorization(TAG_AUTH_TIMEOUT, 300));
189 
190     size_t size = set.SerializedSize();
191     EXPECT_TRUE(size > 0);
192 
193     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
194     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
195     AuthorizationSet deserialized;
196     const uint8_t* p = buf.get();
197     EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
198     EXPECT_EQ(p, buf.get() + size);
199 
200     EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
201 
202     EXPECT_EQ(set.size(), deserialized.size());
203     for (size_t i = 0; i < set.size(); ++i) {
204         EXPECT_EQ(set[i].tag, deserialized[i].tag);
205     }
206 
207     int pos = deserialized.find(TAG_APPLICATION_ID);
208     ASSERT_NE(-1, pos);
209     EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
210     EXPECT_EQ(6U, deserialized[pos].blob.data_length);
211     EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
212 }
213 
TEST(Deserialization,TooShortBuffer)214 TEST(Deserialization, TooShortBuffer) {
215     uint8_t buf[] = {0, 0, 0};
216     AuthorizationSet deserialized(buf, array_length(buf));
217     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
218 
219     const uint8_t* p = buf;
220     EXPECT_FALSE(deserialized.Deserialize(&p, p + array_length(buf)));
221     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
222 }
223 
TEST(Deserialization,InvalidLengthField)224 TEST(Deserialization, InvalidLengthField) {
225     AuthorizationSet set(AuthorizationSetBuilder()
226                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
227                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
228                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
229                              .Authorization(TAG_USER_ID, 7)
230                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
231                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
232                              .Authorization(TAG_KEY_SIZE, 256)
233                              .Authorization(TAG_AUTH_TIMEOUT, 300));
234 
235     size_t size = set.SerializedSize();
236     EXPECT_TRUE(size > 0);
237 
238     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
239     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
240     *reinterpret_cast<uint32_t*>(buf.get()) = 9;
241 
242     AuthorizationSet deserialized(buf.get(), size);
243     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
244 
245     const uint8_t* p = buf.get();
246     EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
247     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
248 }
249 
read_uint32(const uint8_t * buf)250 static uint32_t read_uint32(const uint8_t* buf) {
251     uint32_t val;
252     memcpy(&val, buf, sizeof(val));
253     return val;
254 }
255 
add_to_uint32(uint8_t * buf,int delta)256 static void add_to_uint32(uint8_t* buf, int delta) {
257     uint32_t val;
258     memcpy(&val, buf, sizeof(val));
259     val += delta;
260     memcpy(buf, &val, sizeof(val));
261 }
262 
TEST(Deserialization,MalformedIndirectData)263 TEST(Deserialization, MalformedIndirectData) {
264     AuthorizationSet set(AuthorizationSetBuilder()
265                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
266                              .Authorization(TAG_APPLICATION_DATA, "foo", 3));
267     size_t size = set.SerializedSize();
268 
269     UniquePtr<uint8_t[]> buf(new uint8_t[size]);
270     EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
271 
272     // This sucks.  This test, as written, requires intimate knowledge of the serialized layout of
273     // this particular set, which means it's brittle.  But it's important to test that we handle
274     // broken serialized data and I can't think of a better way to write this.
275     //
276     // The contents of buf are:
277     //
278     // Bytes:   Content:
279     // 0-3      Length of string data, which is 9.
280     // 4-9      "my_app"
281     // 10-12    "foo"
282     // 13-16    Number of elements, which is 2.
283     // 17-20    Length of elements, which is 24.
284     // 21-24    First tag, TAG_APPLICATION_ID
285     // 25-28    Length of string "my_app", 6
286     // 29-32    Offset of string "my_app", 0
287     // 33-36    Second tag, TAG_APPLICATION_DATA
288     // 37-40    Length of string "foo", 3
289     // 41-44    Offset of string "foo", 6
290 
291     // Check that stuff is where we think.
292     EXPECT_EQ('m', buf[4]);
293     EXPECT_EQ('f', buf[10]);
294     // Length of "my_app"
295     EXPECT_EQ(6U, read_uint32(buf.get() + 25));
296     // Offset of "my_app"
297     EXPECT_EQ(0U, read_uint32(buf.get() + 29));
298     // Length of "foo"
299     EXPECT_EQ(3U, read_uint32(buf.get() + 37));
300     // Offset of "foo"
301     EXPECT_EQ(6U, read_uint32(buf.get() + 41));
302 
303     // Check that deserialization works.
304     AuthorizationSet deserialized1(buf.get(), size);
305     EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
306 
307     const uint8_t* p = buf.get();
308     EXPECT_TRUE(deserialized1.Deserialize(&p, p + size));
309     EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
310 
311     //
312     // Now mess them up in various ways:
313     //
314 
315     // Move "foo" offset so offset + length goes off the end
316     add_to_uint32(buf.get() + 41, 1);
317     AuthorizationSet deserialized2(buf.get(), size);
318     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized2.is_valid());
319     add_to_uint32(buf.get() + 41, -1);
320 
321     // Shorten the "my_app" length to make a gap between the blobs.
322     add_to_uint32(buf.get() + 25, -1);
323     AuthorizationSet deserialized3(buf.get(), size);
324     EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized3.is_valid());
325     add_to_uint32(buf.get() + 25, 1);
326 
327     // Extend the "my_app" length to make them overlap, and decrease the "foo" length to keep the
328     // total length the same.  We don't detect this but should.
329     // TODO(swillden): Detect overlaps and holes that leave total size correct.
330     add_to_uint32(buf.get() + 25, 1);
331     add_to_uint32(buf.get() + 37, -1);
332     AuthorizationSet deserialized4(buf.get(), size);
333     EXPECT_EQ(AuthorizationSet::OK, deserialized4.is_valid());
334 }
335 
TEST(Growable,SuccessfulRoundTrip)336 TEST(Growable, SuccessfulRoundTrip) {
337     AuthorizationSet growable;
338     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
339     EXPECT_EQ(1U, growable.size());
340 
341     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)));
342     EXPECT_EQ(2U, growable.size());
343 
344     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
345     EXPECT_EQ(3U, growable.size());
346 
347     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "data", 4)));
348     EXPECT_EQ(4U, growable.size());
349 
350     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "some more data", 14)));
351     EXPECT_EQ(5U, growable.size());
352 
353     size_t serialize_size = growable.SerializedSize();
354     UniquePtr<uint8_t[]> serialized(new uint8_t[serialize_size]);
355     EXPECT_EQ(serialized.get() + serialize_size,
356               growable.Serialize(serialized.get(), serialized.get() + serialize_size));
357 
358     AuthorizationSet deserialized(serialized.get(), serialize_size);
359     EXPECT_EQ(growable, deserialized);
360 }
361 
TEST(Growable,InsufficientElemBuf)362 TEST(Growable, InsufficientElemBuf) {
363     AuthorizationSet growable;
364     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
365 
366     // First insertion fits.
367     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
368     EXPECT_EQ(1U, growable.size());
369     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
370 
371     // Second does too.
372     EXPECT_TRUE(growable.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
373     EXPECT_EQ(2U, growable.size());
374 }
375 
TEST(Growable,InsufficientIndirectBuf)376 TEST(Growable, InsufficientIndirectBuf) {
377     AuthorizationSet growable;
378     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
379 
380     EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
381     EXPECT_EQ(1U, growable.size());
382     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
383 
384     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
385     EXPECT_EQ(2U, growable.size());
386     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
387 
388     EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
389     EXPECT_EQ(3U, growable.size());
390     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
391 
392     // Can still add another entry without indirect data.  Now it's full.
393     EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
394     EXPECT_EQ(4U, growable.size());
395     EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
396 }
397 
TEST(Growable,PushBackSets)398 TEST(Growable, PushBackSets) {
399     AuthorizationSetBuilder builder;
400     builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
401         .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
402         .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
403         .Authorization(TAG_USER_ID, 7)
404         .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
405         .Authorization(TAG_APPLICATION_ID, "my_app", 6)
406         .Authorization(TAG_KEY_SIZE, 256)
407         .Authorization(TAG_AUTH_TIMEOUT, 300);
408 
409     AuthorizationSet set1(builder.build());
410     AuthorizationSet set2(builder.build());
411 
412     AuthorizationSet combined;
413     EXPECT_TRUE(combined.push_back(set1));
414     EXPECT_TRUE(combined.push_back(set2));
415     EXPECT_EQ(set1.size() + set2.size(), combined.size());
416     EXPECT_EQ(12U, combined.indirect_size());
417 }
418 
TEST(GetValue,GetInt)419 TEST(GetValue, GetInt) {
420     AuthorizationSet set(AuthorizationSetBuilder()
421                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
422                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
423                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
424                              .Authorization(TAG_USER_ID, 7)
425                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
426                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
427                              .Authorization(TAG_AUTH_TIMEOUT, 300));
428 
429     uint32_t val;
430     EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &val));
431     EXPECT_EQ(7U, val);
432 
433     // Find one that isn't there
434     EXPECT_FALSE(set.GetTagValue(TAG_KEY_SIZE, &val));
435 }
436 
TEST(GetValue,GetLong)437 TEST(GetValue, GetLong) {
438     AuthorizationSet set1(AuthorizationSetBuilder()
439                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
440                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
441                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
442                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
443 
444     AuthorizationSet set2(AuthorizationSetBuilder()
445                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
446                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
447                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
448 
449     uint64_t val;
450     EXPECT_TRUE(set1.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
451     EXPECT_EQ(3U, val);
452 
453     // Find one that isn't there
454     EXPECT_FALSE(set2.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
455 }
456 
TEST(GetValue,GetLongRep)457 TEST(GetValue, GetLongRep) {
458     AuthorizationSet set1(AuthorizationSetBuilder()
459                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
460                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
461                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
462                               .Authorization(TAG_USER_SECURE_ID, 8338)
463                               .Authorization(TAG_USER_SECURE_ID, 4334)
464                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
465 
466     AuthorizationSet set2(AuthorizationSetBuilder()
467                               .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
468                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
469                               .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
470 
471     uint64_t val;
472     EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 0, &val));
473     EXPECT_EQ(8338U, val);
474     EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 1, &val));
475     EXPECT_EQ(4334U, val);
476 
477     // Find one that isn't there
478     EXPECT_FALSE(set2.GetTagValue(TAG_USER_SECURE_ID, &val));
479 }
480 
TEST(GetValue,GetEnum)481 TEST(GetValue, GetEnum) {
482     AuthorizationSet set(AuthorizationSetBuilder()
483                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
484                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
485                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
486                              .Authorization(TAG_USER_ID, 7)
487                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
488                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
489                              .Authorization(TAG_AUTH_TIMEOUT, 300));
490 
491     keymaster_algorithm_t val;
492     EXPECT_TRUE(set.GetTagValue(TAG_ALGORITHM, &val));
493     EXPECT_EQ(KM_ALGORITHM_RSA, val);
494 
495     // Find one that isn't there
496     keymaster_padding_t val2;
497     EXPECT_FALSE(set.GetTagValue(TAG_PADDING, &val2));
498 }
499 
TEST(GetValue,GetEnumRep)500 TEST(GetValue, GetEnumRep) {
501     AuthorizationSet set(AuthorizationSetBuilder()
502                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
503                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
504                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
505                              .Authorization(TAG_USER_ID, 7)
506                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
507                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
508                              .Authorization(TAG_AUTH_TIMEOUT, 300));
509 
510     keymaster_purpose_t val;
511     EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 0, &val));
512     EXPECT_EQ(KM_PURPOSE_SIGN, val);
513     EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 1, &val));
514     EXPECT_EQ(KM_PURPOSE_VERIFY, val);
515 
516     // Find one that isn't there
517     EXPECT_FALSE(set.GetTagValue(TAG_PURPOSE, 2, &val));
518 }
519 
TEST(GetValue,GetDate)520 TEST(GetValue, GetDate) {
521     AuthorizationSet set(AuthorizationSetBuilder()
522                              .Authorization(TAG_ACTIVE_DATETIME, 10)
523                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
524                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
525                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
526                              .Authorization(TAG_USER_ID, 7)
527                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
528                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
529                              .Authorization(TAG_AUTH_TIMEOUT, 300));
530 
531     uint64_t val;
532     EXPECT_TRUE(set.GetTagValue(TAG_ACTIVE_DATETIME, &val));
533     EXPECT_EQ(10U, val);
534 
535     // Find one that isn't there
536     EXPECT_FALSE(set.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &val));
537 }
538 
TEST(GetValue,GetBlob)539 TEST(GetValue, GetBlob) {
540     AuthorizationSet set(AuthorizationSetBuilder()
541                              .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
542                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
543                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
544                              .Authorization(TAG_USER_ID, 7)
545                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
546                              .Authorization(TAG_APPLICATION_ID, "my_app", 6)
547                              .Authorization(TAG_AUTH_TIMEOUT, 300));
548 
549     keymaster_blob_t val;
550     EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
551     EXPECT_EQ(6U, val.data_length);
552     EXPECT_EQ(0, memcmp(val.data, "my_app", 6));
553 
554     // Find one that isn't there
555     EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
556 }
557 
TEST(Deduplication,NoDuplicates)558 TEST(Deduplication, NoDuplicates) {
559     AuthorizationSet set(AuthorizationSetBuilder()
560                              .Authorization(TAG_ACTIVE_DATETIME, 10)
561                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
562                              .Authorization(TAG_USER_ID, 7)
563                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
564     AuthorizationSet copy(set);
565 
566     EXPECT_EQ(copy, set);
567     set.Deduplicate();
568     EXPECT_EQ(copy.size(), set.size());
569 
570     // Sets no longer compare equal, because of ordering (ugh, maybe it should be
571     // AuthorizationList, not AuthorizationSet).
572     EXPECT_NE(copy, set);
573 }
574 
TEST(Deduplication,NoDuplicatesHasInvalid)575 TEST(Deduplication, NoDuplicatesHasInvalid) {
576     AuthorizationSet set(AuthorizationSetBuilder()
577                              .Authorization(TAG_ACTIVE_DATETIME, 10)
578                              .Authorization(TAG_INVALID)
579                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
580                              .Authorization(TAG_USER_ID, 7)
581                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
582     AuthorizationSet copy(set);
583 
584     EXPECT_EQ(copy, set);
585     set.Deduplicate();
586 
587     // Deduplicate should have removed the invalid.
588     EXPECT_EQ(copy.size() - 1, set.size());
589     EXPECT_NE(copy, set);
590 }
591 
TEST(Deduplication,DuplicateEnum)592 TEST(Deduplication, DuplicateEnum) {
593     AuthorizationSet set(AuthorizationSetBuilder()
594                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
595                              .Authorization(TAG_ACTIVE_DATETIME, 10)
596                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
597                              .Authorization(TAG_USER_ID, 7)
598                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
599                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
600     AuthorizationSet copy(set);
601 
602     EXPECT_EQ(copy, set);
603     set.Deduplicate();
604     EXPECT_EQ(copy.size() - 2, set.size());
605     EXPECT_NE(copy, set);
606 }
607 
TEST(Deduplication,DuplicateBlob)608 TEST(Deduplication, DuplicateBlob) {
609     AuthorizationSet set(AuthorizationSetBuilder()
610                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
611                              .Authorization(TAG_ACTIVE_DATETIME, 10)
612                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
613                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
614                              .Authorization(TAG_USER_ID, 7)
615                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
616                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
617                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
618                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
619     AuthorizationSet copy(set);
620 
621     EXPECT_EQ(copy, set);
622     set.Deduplicate();
623     EXPECT_EQ(copy.size() - 3, set.size());
624     EXPECT_NE(copy, set);
625 
626     // The real test here is that valgrind reports no leak.
627 }
628 
TEST(Union,Disjoint)629 TEST(Union, Disjoint) {
630     AuthorizationSet set1(AuthorizationSetBuilder()
631                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
632                              .Authorization(TAG_ACTIVE_DATETIME, 10)
633                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
634 
635     AuthorizationSet set2(AuthorizationSetBuilder()
636                              .Authorization(TAG_USER_ID, 7)
637                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
638                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
639 
640     AuthorizationSet expected(AuthorizationSetBuilder()
641                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
642                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
643                              .Authorization(TAG_USER_ID, 7)
644                              .Authorization(TAG_ACTIVE_DATETIME, 10)
645                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
646                              .Authorization(TAG_APPLICATION_DATA, "foo", 3));
647 
648     set1.Union(set2);
649     EXPECT_EQ(expected, set1);
650 }
651 
TEST(Union,Overlap)652 TEST(Union, Overlap) {
653     AuthorizationSet set1(AuthorizationSetBuilder()
654                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
655                              .Authorization(TAG_ACTIVE_DATETIME, 10)
656                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
657 
658     AuthorizationSet set2(AuthorizationSetBuilder()
659                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
660                              .Authorization(TAG_ACTIVE_DATETIME, 10)
661                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
662 
663     AuthorizationSet expected(AuthorizationSetBuilder()
664                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
665                              .Authorization(TAG_ACTIVE_DATETIME, 10)
666                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
667 
668     set1.Union(set2);
669     EXPECT_EQ(expected, set1);
670 }
671 
TEST(Union,Empty)672 TEST(Union, Empty) {
673     AuthorizationSet set1(AuthorizationSetBuilder()
674                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
675                              .Authorization(TAG_ACTIVE_DATETIME, 10)
676                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
677 
678     AuthorizationSet set2;
679 
680     AuthorizationSet expected(AuthorizationSetBuilder()
681                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
682                              .Authorization(TAG_ACTIVE_DATETIME, 10)
683                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
684 
685     set1.Union(set2);
686     EXPECT_EQ(expected, set1);
687 }
688 
TEST(Difference,Disjoint)689 TEST(Difference, Disjoint) {
690     AuthorizationSet set1(AuthorizationSetBuilder()
691                              .Authorization(TAG_APPLICATION_DATA, "data", 4)
692                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
693                              .Authorization(TAG_ACTIVE_DATETIME, 10));
694 
695     AuthorizationSet set2(AuthorizationSetBuilder()
696                              .Authorization(TAG_USER_ID, 7)
697                              .Authorization(TAG_APPLICATION_DATA, "foo", 3)
698                              .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
699 
700     // Elements are the same as set1, but happen to be in a different order
701     AuthorizationSet expected(AuthorizationSetBuilder()
702                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
703                              .Authorization(TAG_ACTIVE_DATETIME, 10)
704                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
705 
706     set1.Difference(set2);
707     EXPECT_EQ(expected, set1);
708 }
709 
TEST(Difference,Overlap)710 TEST(Difference, Overlap) {
711     AuthorizationSet set1(AuthorizationSetBuilder()
712                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
713                              .Authorization(TAG_ACTIVE_DATETIME, 10)
714                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
715 
716     AuthorizationSet set2(AuthorizationSetBuilder()
717                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
718                              .Authorization(TAG_ACTIVE_DATETIME, 10)
719                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
720 
721     AuthorizationSet empty;
722     set1.Difference(set2);
723     EXPECT_EQ(empty, set1);
724     EXPECT_EQ(0U, set1.size());
725 }
726 
TEST(Difference,NullSet)727 TEST(Difference, NullSet) {
728     AuthorizationSet set1(AuthorizationSetBuilder()
729                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
730                              .Authorization(TAG_ACTIVE_DATETIME, 10)
731                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
732 
733     AuthorizationSet set2;
734 
735     AuthorizationSet expected(AuthorizationSetBuilder()
736                              .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
737                              .Authorization(TAG_ACTIVE_DATETIME, 10)
738                              .Authorization(TAG_APPLICATION_DATA, "data", 4));
739 
740     set1.Difference(set2);
741     EXPECT_EQ(expected, set1);
742 }
743 
744 }  // namespace test
745 }  // namespace keymaster
746