Home | History | Annotate | Download | only in tests 
      1 /*
      2  * Copyright 2015 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #include <arpa/inet.h>
     18 #include <iostream>
     19 
     20 #include <gtest/gtest.h>
     21 #include <UniquePtr.h>
     22 
     23 #include <hardware/hw_auth_token.h>
     24 
     25 #include "../SoftGateKeeper.h"
     26 
     27 using ::gatekeeper::SizedBuffer;
     28 using ::testing::Test;
     29 using ::gatekeeper::EnrollRequest;
     30 using ::gatekeeper::EnrollResponse;
     31 using ::gatekeeper::VerifyRequest;
     32 using ::gatekeeper::VerifyResponse;
     33 using ::gatekeeper::SoftGateKeeper;
     34 using ::gatekeeper::secure_id_t;
     35 
     36 static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
     37     SizedBuffer password;
     38 
     39     password.buffer.reset(new uint8_t[16]);
     40     password.length = 16;
     41     memset(password.buffer.get(), 0, 16);
     42     EnrollRequest request(0, NULL, &password, NULL);
     43 
     44     gatekeeper.Enroll(request, response);
     45 }
     46 
     47 TEST(GateKeeperTest, EnrollSuccess) {
     48     SoftGateKeeper gatekeeper;
     49     EnrollResponse response;
     50     do_enroll(gatekeeper, &response);
     51     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     52 }
     53 
     54 TEST(GateKeeperTest, EnrollBogusData) {
     55     SoftGateKeeper gatekeeper;
     56     SizedBuffer password;
     57     EnrollResponse response;
     58 
     59     EnrollRequest request(0, NULL, &password, NULL);
     60 
     61     gatekeeper.Enroll(request, &response);
     62 
     63     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
     64 }
     65 
     66 TEST(GateKeeperTest, VerifySuccess) {
     67     SoftGateKeeper gatekeeper;
     68     SizedBuffer provided_password;
     69     EnrollResponse enroll_response;
     70 
     71     provided_password.buffer.reset(new uint8_t[16]);
     72     provided_password.length = 16;
     73     memset(provided_password.buffer.get(), 0, 16);
     74 
     75     do_enroll(gatekeeper, &enroll_response);
     76     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
     77     VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle,
     78             &provided_password);
     79     VerifyResponse response;
     80 
     81     gatekeeper.Verify(request, &response);
     82 
     83     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     84 
     85     hw_auth_token_t *auth_token =
     86         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
     87 
     88     ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
     89     ASSERT_EQ((uint64_t) 1, auth_token->challenge);
     90     ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
     91     ASSERT_NE((uint64_t) 0, auth_token->user_id);
     92     ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
     93 }
     94 
     95 TEST(GateKeeperTest, TrustedReEnroll) {
     96     SoftGateKeeper gatekeeper;
     97     SizedBuffer provided_password;
     98     EnrollResponse enroll_response;
     99     SizedBuffer password_handle;
    100 
    101     // do_enroll enrolls an all 0 password
    102     provided_password.buffer.reset(new uint8_t[16]);
    103     provided_password.length = 16;
    104     memset(provided_password.buffer.get(), 0, 16);
    105     do_enroll(gatekeeper, &enroll_response);
    106     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    107 
    108     // keep a copy of the handle
    109     password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]);
    110     password_handle.length = enroll_response.enrolled_password_handle.length;
    111     memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(),
    112             password_handle.length);
    113 
    114     // verify first password
    115     VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
    116             &provided_password);
    117     VerifyResponse response;
    118     gatekeeper.Verify(request, &response);
    119     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    120     hw_auth_token_t *auth_token =
    121         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
    122 
    123     secure_id_t secure_id = auth_token->user_id;
    124 
    125     // enroll new password
    126     provided_password.buffer.reset(new uint8_t[16]);
    127     provided_password.length = 16;
    128     memset(provided_password.buffer.get(), 0, 16);
    129     SizedBuffer password;
    130     password.buffer.reset(new uint8_t[16]);
    131     memset(password.buffer.get(), 1, 16);
    132     password.length = 16;
    133     EnrollRequest enroll_request(0, &password_handle, &password, &provided_password);
    134     gatekeeper.Enroll(enroll_request, &enroll_response);
    135     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    136 
    137     // verify new password
    138     password.buffer.reset(new uint8_t[16]);
    139     memset(password.buffer.get(), 1, 16);
    140     password.length = 16;
    141     VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
    142             &password);
    143     gatekeeper.Verify(new_request, &response);
    144     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    145     ASSERT_EQ(secure_id,
    146         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
    147 }
    148 
    149 
    150 TEST(GateKeeperTest, UntrustedReEnroll) {
    151     SoftGateKeeper gatekeeper;
    152     SizedBuffer provided_password;
    153     EnrollResponse enroll_response;
    154 
    155     // do_enroll enrolls an all 0 password
    156     provided_password.buffer.reset(new uint8_t[16]);
    157     provided_password.length = 16;
    158     memset(provided_password.buffer.get(), 0, 16);
    159     do_enroll(gatekeeper, &enroll_response);
    160     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    161 
    162     // verify first password
    163     VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
    164             &provided_password);
    165     VerifyResponse response;
    166     gatekeeper.Verify(request, &response);
    167     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    168     hw_auth_token_t *auth_token =
    169         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
    170 
    171     secure_id_t secure_id = auth_token->user_id;
    172 
    173     // enroll new password
    174     SizedBuffer password;
    175     password.buffer.reset(new uint8_t[16]);
    176     memset(password.buffer.get(), 1, 16);
    177     password.length = 16;
    178     EnrollRequest enroll_request(0, NULL, &password, NULL);
    179     gatekeeper.Enroll(enroll_request, &enroll_response);
    180     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    181 
    182     // verify new password
    183     password.buffer.reset(new uint8_t[16]);
    184     memset(password.buffer.get(), 1, 16);
    185     password.length = 16;
    186     VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
    187             &password);
    188     gatekeeper.Verify(new_request, &response);
    189     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    190     ASSERT_NE(secure_id,
    191         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
    192 }
    193 
    194 
    195 TEST(GateKeeperTest, VerifyBogusData) {
    196     SoftGateKeeper gatekeeper;
    197     SizedBuffer provided_password;
    198     SizedBuffer password_handle;
    199     VerifyResponse response;
    200 
    201     VerifyRequest request(0, 0, &provided_password, &password_handle);
    202 
    203     gatekeeper.Verify(request, &response);
    204 
    205     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
    206 }
    207