xref: /aosp_15_r20/hardware/interfaces/identity/aidl/vts/DeleteCredentialTests.cpp (revision 4d7e907c777eeecc4c5bd7cf640a754fac206ff7) 
1  /*
2   * Copyright (C) 2020 The Android Open Source Project
3   *
4   * Licensed under the Apache License, Version 2.0 (the "License");
5   * you may not use this file except in compliance with the License.
6   * You may obtain a copy of the License at
7   *
8   *      http://www.apache.org/licenses/LICENSE-2.0
9   *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  #define LOG_TAG "DeleteCredentialTests"
18  
19  #include <aidl/Gtest.h>
20  #include <aidl/Vintf.h>
21  #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22  #include <aidl/android/hardware/keymaster/VerificationToken.h>
23  #include <android-base/logging.h>
24  #include <android/hardware/identity/IIdentityCredentialStore.h>
25  #include <android/hardware/identity/support/IdentityCredentialSupport.h>
26  #include <binder/IServiceManager.h>
27  #include <binder/ProcessState.h>
28  #include <cppbor.h>
29  #include <cppbor_parse.h>
30  #include <gtest/gtest.h>
31  #include <future>
32  #include <map>
33  #include <utility>
34  
35  #include "Util.h"
36  
37  namespace android::hardware::identity {
38  
39  using std::endl;
40  using std::make_pair;
41  using std::map;
42  using std::optional;
43  using std::pair;
44  using std::string;
45  using std::tie;
46  using std::vector;
47  
48  using ::android::sp;
49  using ::android::String16;
50  using ::android::binder::Status;
51  
52  using ::android::hardware::keymaster::HardwareAuthToken;
53  using ::android::hardware::keymaster::VerificationToken;
54  
55  class DeleteCredentialTests : public testing::TestWithParam<string> {
56    public:
SetUp()57      virtual void SetUp() override {
58          credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
59                  String16(GetParam().c_str()));
60          ASSERT_NE(credentialStore_, nullptr);
61          halApiVersion_ = credentialStore_->getInterfaceVersion();
62      }
63  
64      void provisionData();
65  
66      // Set by provisionData
67      vector<uint8_t> credentialData_;
68      vector<uint8_t> credentialPubKey_;
69  
70      sp<IIdentityCredentialStore> credentialStore_;
71      int halApiVersion_;
72  };
73  
provisionData()74  void DeleteCredentialTests::provisionData() {
75      string docType = "org.iso.18013-5.2019.mdl";
76      bool testCredential = true;
77      sp<IWritableIdentityCredential> wc;
78      ASSERT_TRUE(credentialStore_->createCredential(docType, testCredential, &wc).isOk());
79  
80      vector<uint8_t> attestationApplicationId = {};
81      vector<uint8_t> attestationChallenge = {1};
82      vector<Certificate> certChain;
83      ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
84                                                &certChain)
85                          .isOk());
86  
87      optional<vector<uint8_t>> optCredentialPubKey =
88              support::certificateChainGetTopMostKey(certChain[0].encodedCertificate);
89      ASSERT_TRUE(optCredentialPubKey);
90      credentialPubKey_ = optCredentialPubKey.value();
91  
92      size_t proofOfProvisioningSize = 106;
93      // Not in v1 HAL, may fail
94      wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);
95  
96      ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
97                                           {1} /* numDataElementsPerNamespace */)
98                          .isOk());
99  
100      // Access control profile 0: open access - don't care about the returned SACP
101      SecureAccessControlProfile sacp;
102      ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk());
103  
104      // Single entry - don't care about the returned encrypted data
105      ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Some Data", 1).isOk());
106      vector<uint8_t> encryptedData;
107      ASSERT_TRUE(wc->addEntryValue({9}, &encryptedData).isOk());
108  
109      vector<uint8_t> proofOfProvisioningSignature;
110      Status status = wc->finishAddingEntries(&credentialData_, &proofOfProvisioningSignature);
111      EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();
112  }
113  
TEST_P(DeleteCredentialTests,Delete)114  TEST_P(DeleteCredentialTests, Delete) {
115      provisionData();
116  
117      sp<IIdentityCredential> credential;
118      ASSERT_TRUE(credentialStore_
119                          ->getCredential(
120                                  CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256,
121                                  credentialData_, &credential)
122                          .isOk());
123  
124      vector<uint8_t> proofOfDeletionSignature;
125      ASSERT_TRUE(credential->deleteCredential(&proofOfDeletionSignature).isOk());
126      optional<vector<uint8_t>> proofOfDeletion =
127              support::coseSignGetPayload(proofOfDeletionSignature);
128      ASSERT_TRUE(proofOfDeletion);
129      string cborPretty = cppbor::prettyPrint(proofOfDeletion.value(), 32, {});
130      EXPECT_EQ("['ProofOfDeletion', 'org.iso.18013-5.2019.mdl', true, ]", cborPretty);
131      EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfDeletionSignature, {},  // Additional data
132                                                   credentialPubKey_));
133  }
134  
TEST_P(DeleteCredentialTests,DeleteWithChallenge)135  TEST_P(DeleteCredentialTests, DeleteWithChallenge) {
136      if (halApiVersion_ < 3) {
137          GTEST_SKIP() << "Need HAL API version 3, have " << halApiVersion_;
138      }
139  
140      provisionData();
141  
142      sp<IIdentityCredential> credential;
143      ASSERT_TRUE(credentialStore_
144                          ->getCredential(
145                                  CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256,
146                                  credentialData_, &credential)
147                          .isOk());
148  
149      // Implementations must support at least 32 bytes.
150      string challengeString = "0123456789abcdef0123456789abcdef";
151      vector<uint8_t> challenge(challengeString.begin(), challengeString.end());
152      vector<uint8_t> proofOfDeletionSignature;
153      ASSERT_TRUE(
154              credential->deleteCredentialWithChallenge(challenge, &proofOfDeletionSignature).isOk());
155      optional<vector<uint8_t>> proofOfDeletion =
156              support::coseSignGetPayload(proofOfDeletionSignature);
157      ASSERT_TRUE(proofOfDeletion);
158      string cborPretty = cppbor::prettyPrint(proofOfDeletion.value(), 32, {});
159      EXPECT_EQ(
160              "['ProofOfDeletion', 'org.iso.18013-5.2019.mdl', {"
161              "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
162              "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, "
163              "0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, "
164              "0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66}, true, ]",
165              cborPretty);
166      EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfDeletionSignature, {},  // Additional data
167                                                   credentialPubKey_));
168  }
169  
170  GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(DeleteCredentialTests);
171  INSTANTIATE_TEST_SUITE_P(
172          Identity, DeleteCredentialTests,
173          testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)),
174          android::PrintInstanceNameToString);
175  
176  }  // namespace android::hardware::identity
177