Home | History | Annotate | Download | only in tests 
      1 /*
      2  * Copyright 2015 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #include <arpa/inet.h>
     18 #include <iostream>
     19 
     20 #include <gtest/gtest.h>
     21 #include <hardware/hw_auth_token.h>
     22 
     23 #include "../SoftGateKeeper.h"
     24 
     25 using ::gatekeeper::SizedBuffer;
     26 using ::testing::Test;
     27 using ::gatekeeper::EnrollRequest;
     28 using ::gatekeeper::EnrollResponse;
     29 using ::gatekeeper::VerifyRequest;
     30 using ::gatekeeper::VerifyResponse;
     31 using ::gatekeeper::SoftGateKeeper;
     32 using ::gatekeeper::secure_id_t;
     33 
     34 static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
     35     SizedBuffer password;
     36 
     37     password.buffer.reset(new uint8_t[16]);
     38     password.length = 16;
     39     memset(password.buffer.get(), 0, 16);
     40     EnrollRequest request(0, NULL, &password, NULL);
     41 
     42     gatekeeper.Enroll(request, response);
     43 }
     44 
     45 TEST(GateKeeperTest, EnrollSuccess) {
     46     SoftGateKeeper gatekeeper;
     47     EnrollResponse response;
     48     do_enroll(gatekeeper, &response);
     49     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     50 }
     51 
     52 TEST(GateKeeperTest, EnrollBogusData) {
     53     SoftGateKeeper gatekeeper;
     54     SizedBuffer password;
     55     EnrollResponse response;
     56 
     57     EnrollRequest request(0, NULL, &password, NULL);
     58 
     59     gatekeeper.Enroll(request, &response);
     60 
     61     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
     62 }
     63 
     64 TEST(GateKeeperTest, VerifySuccess) {
     65     SoftGateKeeper gatekeeper;
     66     SizedBuffer provided_password;
     67     EnrollResponse enroll_response;
     68 
     69     provided_password.buffer.reset(new uint8_t[16]);
     70     provided_password.length = 16;
     71     memset(provided_password.buffer.get(), 0, 16);
     72 
     73     do_enroll(gatekeeper, &enroll_response);
     74     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
     75     VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle,
     76             &provided_password);
     77     VerifyResponse response;
     78 
     79     gatekeeper.Verify(request, &response);
     80 
     81     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
     82 
     83     hw_auth_token_t *auth_token =
     84         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
     85 
     86     ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
     87     ASSERT_EQ((uint64_t) 1, auth_token->challenge);
     88     ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
     89     ASSERT_NE((uint64_t) 0, auth_token->user_id);
     90     ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
     91 }
     92 
     93 TEST(GateKeeperTest, TrustedReEnroll) {
     94     SoftGateKeeper gatekeeper;
     95     SizedBuffer provided_password;
     96     EnrollResponse enroll_response;
     97     SizedBuffer password_handle;
     98 
     99     // do_enroll enrolls an all 0 password
    100     provided_password.buffer.reset(new uint8_t[16]);
    101     provided_password.length = 16;
    102     memset(provided_password.buffer.get(), 0, 16);
    103     do_enroll(gatekeeper, &enroll_response);
    104     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    105 
    106     // keep a copy of the handle
    107     password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]);
    108     password_handle.length = enroll_response.enrolled_password_handle.length;
    109     memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(),
    110             password_handle.length);
    111 
    112     // verify first password
    113     VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
    114             &provided_password);
    115     VerifyResponse response;
    116     gatekeeper.Verify(request, &response);
    117     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    118     hw_auth_token_t *auth_token =
    119         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
    120 
    121     secure_id_t secure_id = auth_token->user_id;
    122 
    123     // enroll new password
    124     provided_password.buffer.reset(new uint8_t[16]);
    125     provided_password.length = 16;
    126     memset(provided_password.buffer.get(), 0, 16);
    127     SizedBuffer password;
    128     password.buffer.reset(new uint8_t[16]);
    129     memset(password.buffer.get(), 1, 16);
    130     password.length = 16;
    131     EnrollRequest enroll_request(0, &password_handle, &password, &provided_password);
    132     gatekeeper.Enroll(enroll_request, &enroll_response);
    133     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    134 
    135     // verify new password
    136     password.buffer.reset(new uint8_t[16]);
    137     memset(password.buffer.get(), 1, 16);
    138     password.length = 16;
    139     VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
    140             &password);
    141     gatekeeper.Verify(new_request, &response);
    142     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    143     ASSERT_EQ(secure_id,
    144         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
    145 }
    146 
    147 
    148 TEST(GateKeeperTest, UntrustedReEnroll) {
    149     SoftGateKeeper gatekeeper;
    150     SizedBuffer provided_password;
    151     EnrollResponse enroll_response;
    152 
    153     // do_enroll enrolls an all 0 password
    154     provided_password.buffer.reset(new uint8_t[16]);
    155     provided_password.length = 16;
    156     memset(provided_password.buffer.get(), 0, 16);
    157     do_enroll(gatekeeper, &enroll_response);
    158     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    159 
    160     // verify first password
    161     VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
    162             &provided_password);
    163     VerifyResponse response;
    164     gatekeeper.Verify(request, &response);
    165     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    166     hw_auth_token_t *auth_token =
    167         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
    168 
    169     secure_id_t secure_id = auth_token->user_id;
    170 
    171     // enroll new password
    172     SizedBuffer password;
    173     password.buffer.reset(new uint8_t[16]);
    174     memset(password.buffer.get(), 1, 16);
    175     password.length = 16;
    176     EnrollRequest enroll_request(0, NULL, &password, NULL);
    177     gatekeeper.Enroll(enroll_request, &enroll_response);
    178     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    179 
    180     // verify new password
    181     password.buffer.reset(new uint8_t[16]);
    182     memset(password.buffer.get(), 1, 16);
    183     password.length = 16;
    184     VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
    185             &password);
    186     gatekeeper.Verify(new_request, &response);
    187     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    188     ASSERT_NE(secure_id,
    189         reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
    190 }
    191 
    192 
    193 TEST(GateKeeperTest, VerifyBogusData) {
    194     SoftGateKeeper gatekeeper;
    195     SizedBuffer provided_password;
    196     SizedBuffer password_handle;
    197     VerifyResponse response;
    198 
    199     VerifyRequest request(0, 0, &provided_password, &password_handle);
    200 
    201     gatekeeper.Verify(request, &response);
    202 
    203     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
    204 }
    205