      1 /*
      2  * Copyright (C) 2014 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
#include <stdint.h>
#include <string.h>

#include <gtest/gtest.h>

#include <keymaster/android_keymaster_utils.h>
#include <keymaster/authorization_set.h>

#include "android_keymaster_test_utils.h"
     23 
     24 namespace keymaster {
     25 
     26 namespace test {
     27 
// Constructing from a caller-supplied element array keeps every element, including the
// repeated TAG_PURPOSE entries: size() is the raw element count, not the number of distinct
// tags.
TEST(Construction, ListProvided) {
    keymaster_key_param_t elems[] = {
        Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
        Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
        Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
        Authorization(TAG_USER_ID, 7),
        Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
        Authorization(TAG_APPLICATION_ID, "my_app", 6),
        Authorization(TAG_KEY_SIZE, 256),
        Authorization(TAG_AUTH_TIMEOUT, 300),
    };
    AuthorizationSet from_array(elems, array_length(elems));
    EXPECT_EQ(8U, from_array.size());
}
     39 
// The copy constructor must yield a set that compares equal to its source, including the
// blob-valued TAG_APPLICATION_ID element whose bytes are held in indirect storage.
TEST(Construction, Copy) {
    keymaster_key_param_t elems[] = {
        Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
        Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
        Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
        Authorization(TAG_USER_ID, 7),
        Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
        Authorization(TAG_APPLICATION_ID, "my_app", 6),
        Authorization(TAG_KEY_SIZE, 256),
        Authorization(TAG_AUTH_TIMEOUT, 300),
    };
    AuthorizationSet source(elems, array_length(elems));
    AuthorizationSet duplicate(source);
    EXPECT_EQ(source, duplicate);
}
     52 
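// Degenerate constructor inputs.  A zero count must yield an empty, valid set regardless of
// the pointer, and a null element pointer must likewise yield an empty, valid set even when a
// non-zero count is passed alongside it.
TEST(Construction, NullProvided) {
    keymaster_key_param_t params[] = {
        Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
    };

    AuthorizationSet set1(params, 0);
    EXPECT_EQ(0U, set1.size());
    EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());

    // static_cast performs the null pointer conversion.  reinterpret_cast from an integral null
    // pointer constant is an integer-to-pointer conversion and is not guaranteed to produce a
    // null pointer value.
    AuthorizationSet set2(static_cast<keymaster_key_param_t*>(NULL), array_length(params));
    EXPECT_EQ(0U, set2.size());
    EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
}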
     66 
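// find() and GetTagValue() for tags that occur once.  The blob lookup is gated with ASSERTs:
// if GetTagValue() fails, blob_val is never written and the memcmp() would otherwise read
// through an indeterminate pointer instead of producing a clean test failure.
TEST(Lookup, NonRepeated) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_KEY_SIZE, 256)
                             .Authorization(TAG_AUTH_TIMEOUT, 300));

    EXPECT_EQ(8U, set.size());

    // Present tag: find() yields its index and the element carries the expected value.
    int pos = set.find(TAG_ALGORITHM);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
    EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);

    // Absent tag: find() must report -1 rather than some unrelated element.
    pos = set.find(TAG_MAC_LENGTH);
    EXPECT_EQ(-1, pos);

    uint32_t int_val = 0;
    EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
    EXPECT_EQ(7U, int_val);

    keymaster_blob_t blob_val = {};
    ASSERT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
    ASSERT_EQ(6U, blob_val.data_length);  // memcmp() below reads exactly this many bytes
    EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
}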
     97 
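// find() on a repeatable tag: the two-argument form resumes the search after a given index.
// Every result is checked against -1 before it is used as an index, so a lookup miss is
// reported as a test failure rather than silently indexing with -1.
TEST(Lookup, Repeated) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_SECURE_ID, 47727)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_KEY_SIZE, 256)
                             .Authorization(TAG_AUTH_TIMEOUT, 300));
    EXPECT_EQ(9U, set.size());

    // First occurrence of the repeated tag.
    int pos = set.find(TAG_PURPOSE);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
    EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);

    // Resuming after the first hit yields the second occurrence.
    pos = set.find(TAG_PURPOSE, pos);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
    EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);

    // There is no third occurrence.
    EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));

    // A different tag located past the current position is still found.
    pos = set.find(TAG_USER_SECURE_ID, pos);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
    EXPECT_EQ(47727U, set[pos].long_integer);
}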
    126 
// Positional access via operator[].  Index 0 is the first element that was added, and an
// out-of-range index must be tolerated rather than read past the element storage.
TEST(Lookup, Indexed) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_KEY_SIZE, 256)
        .Authorization(TAG_AUTH_TIMEOUT, 300);
    AuthorizationSet auths(builder.build());
    EXPECT_EQ(8U, auths.size());

    EXPECT_EQ(KM_TAG_PURPOSE, auths[0].tag);
    EXPECT_EQ(KM_PURPOSE_SIGN, auths[0].enumerated);

    // Indexing beyond the end is expected to return an all-zero element (tag KM_TAG_INVALID)
    // rather than crash or read out of bounds.  The memory-safety half of that claim is only
    // observable under valgrind (or a similar checker), so run this test under one.
    EXPECT_EQ(KM_TAG_INVALID, auths[10].tag);
}
    146 
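// Serialize -> deserialize round trip over a set that mixes several value kinds, including a
// value-less tag (TAG_ALL_USERS) and a blob.  The reconstructed set must compare equal to the
// original and its blob must point at a correct copy of the indirect data.
TEST(Serialization, RoundTrip) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_KEY_SIZE, 256)
                             .Authorization(TAG_USER_SECURE_ID, 47727)
                             .Authorization(TAG_AUTH_TIMEOUT, 300)
                             .Authorization(TAG_ALL_USERS)
                             .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
                             .Authorization(TAG_ACTIVE_DATETIME, 10));

    size_t size = set.SerializedSize();
    ASSERT_GT(size, 0U);  // a zero-length buffer would make everything below meaningless

    UniquePtr<uint8_t[]> buf(new uint8_t[size]);
    // Serialize() returns the write cursor; it must land exactly at the end of the buffer.
    EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
    AuthorizationSet deserialized(buf.get(), size);

    EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
    EXPECT_EQ(set, deserialized);

    int pos = deserialized.find(TAG_APPLICATION_ID);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
    // ASSERT rather than EXPECT: memcmp() reads 6 bytes and must not run against a shorter blob.
    ASSERT_EQ(6U, deserialized[pos].blob.data_length);
    EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
}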
    178 
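// Deserialize() into an existing set (as opposed to the deserializing constructor).  The read
// cursor must be advanced by exactly the serialized size, and the result must match the
// original both tag-by-tag and as a whole.
TEST(Deserialization, Deserialize) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_KEY_SIZE, 256)
                             .Authorization(TAG_AUTH_TIMEOUT, 300));

    size_t size = set.SerializedSize();
    ASSERT_GT(size, 0U);

    UniquePtr<uint8_t[]> buf(new uint8_t[size]);
    EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
    AuthorizationSet deserialized;
    const uint8_t* p = buf.get();
    EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
    EXPECT_EQ(p, buf.get() + size);

    EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());

    // The per-element loop pinpoints which tag went wrong; the whole-set comparison is the
    // same check RoundTrip performs and also covers the element values.
    ASSERT_EQ(set.size(), deserialized.size());
    for (size_t i = 0; i < set.size(); ++i) {
        EXPECT_EQ(set[i].tag, deserialized[i].tag);
    }
    EXPECT_EQ(set, deserialized);

    int pos = deserialized.find(TAG_APPLICATION_ID);
    ASSERT_NE(-1, pos);
    EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
    // ASSERT rather than EXPECT: memcmp() reads 6 bytes and must not run against a shorter blob.
    ASSERT_EQ(6U, deserialized[pos].blob.data_length);
    EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
}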
    213 
// Three bytes cannot even hold the leading 32-bit length field.  Both the deserializing
// constructor and Deserialize() must reject the input and leave the set flagged
// MALFORMED_DATA.
TEST(Deserialization, TooShortBuffer) {
    uint8_t too_short[] = {0, 0, 0};
    const size_t len = array_length(too_short);

    AuthorizationSet parsed(too_short, len);
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, parsed.is_valid());

    const uint8_t* cursor = too_short;
    EXPECT_FALSE(parsed.Deserialize(&cursor, cursor + len));
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, parsed.is_valid());
}
    223 
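// Corrupt the leading 32-bit length field (the indirect-data length, per the layout documented
// in MalformedIndirectData) so that it claims more indirect bytes than were written.  Both the
// deserializing constructor and Deserialize() must flag MALFORMED_DATA instead of trusting it.
TEST(Deserialization, InvalidLengthField) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_KEY_SIZE, 256)
                             .Authorization(TAG_AUTH_TIMEOUT, 300));

    size_t size = set.SerializedSize();
    ASSERT_GT(size, sizeof(uint32_t));  // must have room for the field overwritten below

    UniquePtr<uint8_t[]> buf(new uint8_t[size]);
    EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));

    // Write the bogus length with memcpy() rather than through a reinterpret_cast'd uint32_t*:
    // the buffer is a uint8_t array and a typed store through it violates strict aliasing.
    // The only blob in this set ("my_app") is 6 bytes, so 9 overstates the indirect data.
    const uint32_t bogus_length = 9;
    memcpy(buf.get(), &bogus_length, sizeof(bogus_length));

    AuthorizationSet deserialized(buf.get(), size);
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());

    const uint8_t* p = buf.get();
    EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
}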
    249 
// Reads the host-endian uint32_t stored at `buf`.  memcpy() is used instead of a typed load so
// the read is valid for any alignment and does not violate strict aliasing on the byte buffer.
static uint32_t read_uint32(const uint8_t* buf) {
    uint32_t value = 0;
    memcpy(&value, buf, sizeof(uint32_t));
    return value;
}
    255 
// Adds `delta` (which may be negative) in place to the host-endian uint32_t stored at `buf`.
// The arithmetic is performed in uint32_t, so the result wraps modulo 2^32; the explicit cast
// makes that conversion of a negative delta visible.
static void add_to_uint32(uint8_t* buf, int delta) {
    uint32_t value = 0;
    memcpy(&value, buf, sizeof(value));
    value = value + static_cast<uint32_t>(delta);
    memcpy(buf, &value, sizeof(value));
}
    262 
// Feed the deserializer a serialized set whose indirect-data (blob) bookkeeping has been
// hand-corrupted.  The test hard-codes the byte layout of one specific set, which makes it
// brittle against serialization-format changes, but there is no other way to craft byte-level
// malformed input, and rejecting such input is what matters here.
TEST(Deserialization, MalformedIndirectData) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_APPLICATION_DATA, "foo", 3));
    size_t size = set.SerializedSize();

    UniquePtr<uint8_t[]> buf(new uint8_t[size]);
    EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));

    // Expected layout of buf (all integers 32-bit, host-endian):
    //
    // Bytes:   Content:
    // 0-3      Length of the indirect (string) data: 9.
    // 4-9      "my_app"
    // 10-12    "foo"
    // 13-16    Number of elements: 2.
    // 17-20    Byte length of the element array: 24.
    // 21-24    First tag, TAG_APPLICATION_ID
    // 25-28    Length of "my_app": 6
    // 29-32    Offset of "my_app" within the indirect data: 0
    // 33-36    Second tag, TAG_APPLICATION_DATA
    // 37-40    Length of "foo": 3
    // 41-44    Offset of "foo" within the indirect data: 6
    const size_t kMyAppData = 4;
    const size_t kFooData = 10;
    const size_t kMyAppLength = 25;
    const size_t kMyAppOffset = 29;
    const size_t kFooLength = 37;
    const size_t kFooOffset = 41;

    // Sanity-check the assumed layout before corrupting it, so that a format change shows up
    // as a clear failure here rather than as a meaningless result below.
    EXPECT_EQ('m', buf[kMyAppData]);
    EXPECT_EQ('f', buf[kFooData]);
    EXPECT_EQ(6U, read_uint32(buf.get() + kMyAppLength));
    EXPECT_EQ(0U, read_uint32(buf.get() + kMyAppOffset));
    EXPECT_EQ(3U, read_uint32(buf.get() + kFooLength));
    EXPECT_EQ(6U, read_uint32(buf.get() + kFooOffset));

    // Untouched data must deserialize cleanly, via the constructor and via Deserialize().
    AuthorizationSet clean(buf.get(), size);
    EXPECT_EQ(AuthorizationSet::OK, clean.is_valid());

    const uint8_t* cursor = buf.get();
    EXPECT_TRUE(clean.Deserialize(&cursor, cursor + size));
    EXPECT_EQ(AuthorizationSet::OK, clean.is_valid());

    // Each corruption below is applied, checked, and then undone so the cases stay independent.

    // Case 1: bump "foo"'s offset so offset + length runs one byte past the indirect data.
    add_to_uint32(buf.get() + kFooOffset, 1);
    AuthorizationSet overrun(buf.get(), size);
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, overrun.is_valid());
    add_to_uint32(buf.get() + kFooOffset, -1);

    // Case 2: shrink "my_app"'s length, leaving an unreferenced gap between the two blobs.
    add_to_uint32(buf.get() + kMyAppLength, -1);
    AuthorizationSet gap(buf.get(), size);
    EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, gap.is_valid());
    add_to_uint32(buf.get() + kMyAppLength, 1);

    // Case 3: grow "my_app" by one and shrink "foo" by one.  The blobs now overlap, but the
    // summed lengths still match the indirect-data length and the deserializer currently
    // accepts this.  The assertion pins today's lenient behaviour so a change is noticed; it
    // should become MALFORMED_DATA once overlaps are detected.
    // TODO(swillden): Detect overlaps and holes that leave total size correct.
    add_to_uint32(buf.get() + kMyAppLength, 1);
    add_to_uint32(buf.get() + kFooLength, -1);
    AuthorizationSet overlap(buf.get(), size);
    EXPECT_EQ(AuthorizationSet::OK, overlap.is_valid());
}
    335 
// A set built incrementally with push_back() must grow one element at a time and survive a
// serialize/deserialize round trip, including the indirect data of its two blob elements.
TEST(Growable, SuccessfulRoundTrip) {
    AuthorizationSet growable;

    keymaster_key_param_t additions[] = {
        Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
        Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
        Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
        Authorization(TAG_APPLICATION_ID, "data", 4),
        Authorization(TAG_APPLICATION_DATA, "some more data", 14),
    };
    for (size_t i = 0; i < array_length(additions); ++i) {
        EXPECT_TRUE(growable.push_back(additions[i]));
        EXPECT_EQ(i + 1, growable.size());
    }

    size_t nbytes = growable.SerializedSize();
    UniquePtr<uint8_t[]> bytes(new uint8_t[nbytes]);
    EXPECT_EQ(bytes.get() + nbytes, growable.Serialize(bytes.get(), bytes.get() + nbytes));

    AuthorizationSet restored(bytes.get(), nbytes);
    EXPECT_EQ(growable, restored);
}
    361 
// Two consecutive push_back() calls of value-only elements.  Despite the name, only the success
// path is checked: each push must succeed, bump size() by one, and leave the set valid.
TEST(Growable, InsufficientElemBuf) {
    AuthorizationSet auths;
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    EXPECT_TRUE(auths.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
    EXPECT_EQ(1U, auths.size());
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    EXPECT_TRUE(auths.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
    EXPECT_EQ(2U, auths.size());
}
    375 
// Interleave value-only and blob elements via push_back().  Despite the name, only the success
// path is checked: every push succeeds, size() grows by one each time, and the set stays valid
// whether or not the new element carries indirect data.
TEST(Growable, InsufficientIndirectBuf) {
    AuthorizationSet auths;
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    EXPECT_TRUE(auths.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
    EXPECT_EQ(1U, auths.size());
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    // Blob of 10 bytes.
    EXPECT_TRUE(auths.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
    EXPECT_EQ(2U, auths.size());
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    // Blob of 1 byte.
    EXPECT_TRUE(auths.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
    EXPECT_EQ(3U, auths.size());
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());

    // A further value-only element after the blobs.
    EXPECT_TRUE(auths.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
    EXPECT_EQ(4U, auths.size());
    EXPECT_EQ(AuthorizationSet::OK, auths.is_valid());
}
    397 
// push_back() of whole sets appends every element of each.  The two sets are built from the
// same builder, so the combined set holds "my_app" twice: 2 * 6 = 12 bytes of indirect data.
TEST(Growable, PushBackSets) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_KEY_SIZE, 256)
        .Authorization(TAG_AUTH_TIMEOUT, 300);

    AuthorizationSet first(builder.build());
    AuthorizationSet second(builder.build());

    AuthorizationSet combined;
    EXPECT_TRUE(combined.push_back(first));
    EXPECT_TRUE(combined.push_back(second));
    EXPECT_EQ(first.size() + second.size(), combined.size());
    EXPECT_EQ(12U, combined.indirect_size());
}
    418 
// GetTagValue() for a uint32 tag: returns true and the stored value when the tag is present,
// false when it is absent.
TEST(GetValue, GetInt) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_AUTH_TIMEOUT, 300);
    AuthorizationSet auths(builder.build());

    uint32_t user_id = 0;
    EXPECT_TRUE(auths.GetTagValue(TAG_USER_ID, &user_id));
    EXPECT_EQ(7U, user_id);

    // TAG_KEY_SIZE was deliberately left out of the set.
    EXPECT_FALSE(auths.GetTagValue(TAG_KEY_SIZE, &user_id));
}
    436 
// GetTagValue() for a uint64 tag, checked against one set that carries the tag and one that
// does not.
TEST(GetValue, GetLong) {
    AuthorizationSet with_exponent(AuthorizationSetBuilder()
                                       .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                                       .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                       .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                                       .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));

    AuthorizationSet without_exponent(AuthorizationSetBuilder()
                                          .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                                          .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                          .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));

    uint64_t exponent = 0;
    EXPECT_TRUE(with_exponent.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &exponent));
    EXPECT_EQ(3U, exponent);

    EXPECT_FALSE(without_exponent.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &exponent));
}
    456 
// GetTagValue() for a repeatable uint64 tag: the indexed overload returns the n-th occurrence
// in insertion order, and lookup on a set without the tag reports absence.
TEST(GetValue, GetLongRep) {
    AuthorizationSet with_sids(AuthorizationSetBuilder()
                                   .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                                   .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                   .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                                   .Authorization(TAG_USER_SECURE_ID, 8338)
                                   .Authorization(TAG_USER_SECURE_ID, 4334)
                                   .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));

    AuthorizationSet without_sids(AuthorizationSetBuilder()
                                      .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                                      .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                      .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));

    uint64_t sid = 0;
    EXPECT_TRUE(with_sids.GetTagValue(TAG_USER_SECURE_ID, 0, &sid));
    EXPECT_EQ(8338U, sid);
    EXPECT_TRUE(with_sids.GetTagValue(TAG_USER_SECURE_ID, 1, &sid));
    EXPECT_EQ(4334U, sid);

    EXPECT_FALSE(without_sids.GetTagValue(TAG_USER_SECURE_ID, &sid));
}
    480 
// GetTagValue() for enum-valued tags: present (TAG_ALGORITHM) versus absent (TAG_PADDING).
TEST(GetValue, GetEnum) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_AUTH_TIMEOUT, 300);
    AuthorizationSet auths(builder.build());

    keymaster_algorithm_t algorithm;
    EXPECT_TRUE(auths.GetTagValue(TAG_ALGORITHM, &algorithm));
    EXPECT_EQ(KM_ALGORITHM_RSA, algorithm);

    // No padding tag was added, so the lookup must fail.
    keymaster_padding_t padding;
    EXPECT_FALSE(auths.GetTagValue(TAG_PADDING, &padding));
}
    499 
// GetTagValue() for a repeatable enum tag: indices 0 and 1 return the two purposes in insertion
// order, and index 2 (past the last occurrence) reports absence.
TEST(GetValue, GetEnumRep) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_AUTH_TIMEOUT, 300);
    AuthorizationSet auths(builder.build());

    keymaster_purpose_t purpose;
    EXPECT_TRUE(auths.GetTagValue(TAG_PURPOSE, 0, &purpose));
    EXPECT_EQ(KM_PURPOSE_SIGN, purpose);
    EXPECT_TRUE(auths.GetTagValue(TAG_PURPOSE, 1, &purpose));
    EXPECT_EQ(KM_PURPOSE_VERIFY, purpose);

    EXPECT_FALSE(auths.GetTagValue(TAG_PURPOSE, 2, &purpose));
}
    519 
// GetTagValue() for date-valued tags: TAG_ACTIVE_DATETIME is present (and is the first element
// in the set), TAG_USAGE_EXPIRE_DATETIME is absent.
TEST(GetValue, GetDate) {
    AuthorizationSetBuilder builder;
    builder.Authorization(TAG_ACTIVE_DATETIME, 10)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
        .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
        .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
        .Authorization(TAG_USER_ID, 7)
        .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
        .Authorization(TAG_APPLICATION_ID, "my_app", 6)
        .Authorization(TAG_AUTH_TIMEOUT, 300);
    AuthorizationSet auths(builder.build());

    uint64_t when = 0;
    EXPECT_TRUE(auths.GetTagValue(TAG_ACTIVE_DATETIME, &when));
    EXPECT_EQ(10U, when);

    EXPECT_FALSE(auths.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &when));
}
    538 
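// GetTagValue() for blob-valued tags.  The lookup is gated with ASSERTs: if it fails, `val`
// is never written and memcmp() would otherwise dereference an indeterminate pointer, turning a
// test failure into undefined behaviour.
TEST(GetValue, GetBlob) {
    AuthorizationSet set(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                             .Authorization(TAG_APPLICATION_ID, "my_app", 6)
                             .Authorization(TAG_AUTH_TIMEOUT, 300));

    keymaster_blob_t val = {};
    ASSERT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
    ASSERT_EQ(6U, val.data_length);  // memcmp() below reads exactly this many bytes
    EXPECT_EQ(0, memcmp(val.data, "my_app", 6));

    // TAG_APPLICATION_DATA was never added, so the lookup must report absence.
    EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
}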
    557 
// Deduplicate() on a set with no repeated elements must not drop anything.  It does change the
// element order, so the result no longer compares equal to a pristine copy; only the sizes are
// expected to match.
TEST(Deduplication, NoDuplicates) {
    AuthorizationSet auths(AuthorizationSetBuilder()
                               .Authorization(TAG_ACTIVE_DATETIME, 10)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_USER_ID, 7)
                               .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
    AuthorizationSet pristine(auths);
    EXPECT_EQ(pristine, auths);

    auths.Deduplicate();
    EXPECT_EQ(pristine.size(), auths.size());

    // operator== is order-sensitive, so the reordered set compares unequal (arguably this type
    // behaves like an ordered list rather than a set).
    EXPECT_NE(pristine, auths);
}
    574 
// Deduplicate() also strips TAG_INVALID placeholder elements: with one such element and no
// other repeats, exactly one element disappears.
TEST(Deduplication, NoDuplicatesHasInvalid) {
    AuthorizationSet auths(AuthorizationSetBuilder()
                               .Authorization(TAG_ACTIVE_DATETIME, 10)
                               .Authorization(TAG_INVALID)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_USER_ID, 7)
                               .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
    AuthorizationSet pristine(auths);
    EXPECT_EQ(pristine, auths);

    auths.Deduplicate();

    // The single TAG_INVALID element is the only thing removed.
    EXPECT_EQ(pristine.size() - 1, auths.size());
    EXPECT_NE(pristine, auths);
}
    591 
// Three identical TAG_PURPOSE/KM_PURPOSE_VERIFY elements collapse to one, so Deduplicate()
// removes exactly two elements.
TEST(Deduplication, DuplicateEnum) {
    AuthorizationSet auths(AuthorizationSetBuilder()
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_ACTIVE_DATETIME, 10)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_USER_ID, 7)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
    AuthorizationSet pristine(auths);
    EXPECT_EQ(pristine, auths);

    auths.Deduplicate();
    EXPECT_EQ(pristine.size() - 2, auths.size());
    EXPECT_NE(pristine, auths);
}
    607 
// Duplicates among blob elements are detected by content: two identical "data" blobs collapse
// to one (the distinct "foo" blob stays), and the three VERIFY purposes collapse to one, for
// three removals in total.
TEST(Deduplication, DuplicateBlob) {
    AuthorizationSet auths(AuthorizationSetBuilder()
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_ACTIVE_DATETIME, 10)
                               .Authorization(TAG_APPLICATION_DATA, "data", 4)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_USER_ID, 7)
                               .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                               .Authorization(TAG_APPLICATION_DATA, "data", 4)
                               .Authorization(TAG_APPLICATION_DATA, "foo", 3)
                               .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
    AuthorizationSet pristine(auths);
    EXPECT_EQ(pristine, auths);

    auths.Deduplicate();
    EXPECT_EQ(pristine.size() - 3, auths.size());
    EXPECT_NE(pristine, auths);

    // The more important check is not visible here: dropping the duplicate blob must not leak
    // its indirect data, which only valgrind (or a similar checker) will report.
}
    628 
// Union() of two sets with no common elements contains all six.  `expected` lists them in the
// order Union() leaves them in, which is not the insertion order of either input.
TEST(Union, Disjoint) {
    AuthorizationSet lhs(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ACTIVE_DATETIME, 10)
                             .Authorization(TAG_APPLICATION_DATA, "data", 4));

    AuthorizationSet rhs(AuthorizationSetBuilder()
                             .Authorization(TAG_USER_ID, 7)
                             .Authorization(TAG_APPLICATION_DATA, "foo", 3)
                             .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));

    AuthorizationSet expected(AuthorizationSetBuilder()
                                  .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
                                  .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                  .Authorization(TAG_USER_ID, 7)
                                  .Authorization(TAG_ACTIVE_DATETIME, 10)
                                  .Authorization(TAG_APPLICATION_DATA, "data", 4)
                                  .Authorization(TAG_APPLICATION_DATA, "foo", 3));

    lhs.Union(rhs);
    EXPECT_EQ(expected, lhs);
}
    651 
TEST(Union, Overlap) {
    // Both operands hold exactly the same three entries.
    AuthorizationSet lhs(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ACTIVE_DATETIME, 10)
                             .Authorization(TAG_APPLICATION_DATA, "data", 4));

    AuthorizationSet rhs(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ACTIVE_DATETIME, 10)
                             .Authorization(TAG_APPLICATION_DATA, "data", 4));

    // Union of identical sets keeps a single copy of each entry, not two.
    const AuthorizationSet merged(AuthorizationSetBuilder()
                                      .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                      .Authorization(TAG_ACTIVE_DATETIME, 10)
                                      .Authorization(TAG_APPLICATION_DATA, "data", 4));

    lhs.Union(rhs);
    EXPECT_EQ(merged, lhs);
}
    671 
TEST(Union, Empty) {
    AuthorizationSet lhs(AuthorizationSetBuilder()
                             .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                             .Authorization(TAG_ACTIVE_DATETIME, 10)
                             .Authorization(TAG_APPLICATION_DATA, "data", 4));

    // Default-constructed set: the identity element for Union.
    AuthorizationSet nothing;

    // Merging in an empty set must leave lhs exactly as it was.
    const AuthorizationSet unchanged(AuthorizationSetBuilder()
                                         .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                         .Authorization(TAG_ACTIVE_DATETIME, 10)
                                         .Authorization(TAG_APPLICATION_DATA, "data", 4));

    lhs.Union(nothing);
    EXPECT_EQ(unchanged, lhs);
}
    688 
TEST(Difference, Disjoint) {
    // Minuend: note the blob entry is listed first here.
    AuthorizationSet minuend(AuthorizationSetBuilder()
                                 .Authorization(TAG_APPLICATION_DATA, "data", 4)
                                 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                 .Authorization(TAG_ACTIVE_DATETIME, 10));

    // Subtrahend: shares no entry with the minuend, so nothing is removed.
    AuthorizationSet subtrahend(AuthorizationSetBuilder()
                                    .Authorization(TAG_USER_ID, 7)
                                    .Authorization(TAG_APPLICATION_DATA, "foo", 3)
                                    .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));

    // Same entries as the minuend, deliberately in a different order, so the
    // comparison must not depend on insertion order.
    const AuthorizationSet unchanged(AuthorizationSetBuilder()
                                         .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                         .Authorization(TAG_ACTIVE_DATETIME, 10)
                                         .Authorization(TAG_APPLICATION_DATA, "data", 4));

    minuend.Difference(subtrahend);
    EXPECT_EQ(unchanged, minuend);
}
    709 
TEST(Difference, Overlap) {
    // Subtracting a set from an identical one must remove every entry.
    AuthorizationSet minuend(AuthorizationSetBuilder()
                                 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                 .Authorization(TAG_ACTIVE_DATETIME, 10)
                                 .Authorization(TAG_APPLICATION_DATA, "data", 4));

    AuthorizationSet subtrahend(AuthorizationSetBuilder()
                                    .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                    .Authorization(TAG_ACTIVE_DATETIME, 10)
                                    .Authorization(TAG_APPLICATION_DATA, "data", 4));

    minuend.Difference(subtrahend);

    // Check emptiness both by comparison with a default-constructed set and by
    // size, in case the two notions ever diverge.
    const AuthorizationSet nothing;
    EXPECT_EQ(nothing, minuend);
    EXPECT_EQ(0U, minuend.size());
}
    726 
TEST(Difference, NullSet) {
    AuthorizationSet minuend(AuthorizationSetBuilder()
                                 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                 .Authorization(TAG_ACTIVE_DATETIME, 10)
                                 .Authorization(TAG_APPLICATION_DATA, "data", 4));

    // Default-constructed subtrahend: subtracting nothing is a no-op.
    AuthorizationSet nothing;

    const AuthorizationSet unchanged(AuthorizationSetBuilder()
                                         .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
                                         .Authorization(TAG_ACTIVE_DATETIME, 10)
                                         .Authorization(TAG_APPLICATION_DATA, "data", 4));

    minuend.Difference(nothing);
    EXPECT_EQ(unchanged, minuend);
}
    743 
    744 }  // namespace test
    745 }  // namespace keymaster
    746