
Commit 035a6f32 authored by David Zeuthen's avatar David Zeuthen

Identity: Add VTS test to check empty and semi-empty requests work properly.

Some IC applications may perform two requests - one to get data
elements and a second empty request. The latter is to e.g. get an
empty DeviceSignedItems and corresponding MAC.

Extend VTS tests to check that the HAL does this correctly both for
the completely empty request and also for a request with an empty
namespace.

Bug: 160966911
Test: atest VtsHalIdentityTargetTest
Merged-In: I3205f2c0ded2ea315857438a3114ddcf8ef557f9
Change-Id: Ib718e6f0f0b287e39ff7dd3db5335cec1bc1804e
parent 32cbc59c
+53 −2
@@ -386,7 +386,7 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {

    vector<RequestNamespace> requestedNamespaces = test_utils::buildRequestNamespaces(testEntries);
    // OK to fail, not available in v1 HAL
    credential->setRequestedNamespaces(requestedNamespaces).isOk();
    credential->setRequestedNamespaces(requestedNamespaces);
    // OK to fail, not available in v1 HAL
    credential->setVerificationToken(verificationToken);
    ASSERT_TRUE(credential
@@ -446,7 +446,6 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
    deviceAuthentication.add(cppbor::Semantic(24, deviceNameSpacesBytes));
    vector<uint8_t> deviceAuthenticationBytes =
            cppbor::Semantic(24, deviceAuthentication.encode()).encode();

    // Derive the key used for MACing.
    optional<vector<uint8_t>> readerEphemeralPrivateKey =
            support::ecKeyPairGetPrivateKey(readerEphemeralKeyPair.value());
@@ -469,6 +468,58 @@ TEST_P(IdentityAidl, createAndRetrieveCredential) {
                              deviceAuthenticationBytes);  // detached content
    ASSERT_TRUE(calculatedMac);
    EXPECT_EQ(mac, calculatedMac);

    // Also perform an additional empty request. This is what mDL applications
    // are envisioned to do - one call to get the data elements, another to get
    // an empty DeviceSignedItems and corresponding MAC.
    //
    credential->setRequestedNamespaces({});  // OK to fail, not available in v1 HAL
    ASSERT_TRUE(credential
                        ->startRetrieval(
                                secureProfiles.value(), authToken, {},         // itemsRequestBytes
                                signingKeyBlob, sessionTranscriptEncoded, {},  // readerSignature,
                                testEntriesEntryCounts)
                        .isOk());
    ASSERT_TRUE(credential->finishRetrieval(&mac, &deviceNameSpacesBytes).isOk());
    cborPretty = support::cborPrettyPrint(deviceNameSpacesBytes, 32, {});
    ASSERT_EQ("{}", cborPretty);
    // Calculate DeviceAuthentication and MAC (MACing key hasn't changed)
    deviceAuthentication = cppbor::Array();
    deviceAuthentication.add("DeviceAuthentication");
    deviceAuthentication.add(sessionTranscript.clone());
    deviceAuthentication.add(docType);
    deviceAuthentication.add(cppbor::Semantic(24, deviceNameSpacesBytes));
    deviceAuthenticationBytes = cppbor::Semantic(24, deviceAuthentication.encode()).encode();
    calculatedMac = support::coseMac0(derivedKey.value(), {},      // payload
                                      deviceAuthenticationBytes);  // detached content
    ASSERT_TRUE(calculatedMac);
    EXPECT_EQ(mac, calculatedMac);

    // Some mDL apps might send a request but with a single empty
    // namespace. Check that too.
    RequestNamespace emptyRequestNS;
    emptyRequestNS.namespaceName = "PersonalData";
    credential->setRequestedNamespaces({emptyRequestNS});  // OK to fail, not available in v1 HAL
    ASSERT_TRUE(credential
                        ->startRetrieval(
                                secureProfiles.value(), authToken, {},         // itemsRequestBytes
                                signingKeyBlob, sessionTranscriptEncoded, {},  // readerSignature,
                                testEntriesEntryCounts)
                        .isOk());
    ASSERT_TRUE(credential->finishRetrieval(&mac, &deviceNameSpacesBytes).isOk());
    cborPretty = support::cborPrettyPrint(deviceNameSpacesBytes, 32, {});
    ASSERT_EQ("{}", cborPretty);
    // Calculate DeviceAuthentication and MAC (MACing key hasn't changed)
    deviceAuthentication = cppbor::Array();
    deviceAuthentication.add("DeviceAuthentication");
    deviceAuthentication.add(sessionTranscript.clone());
    deviceAuthentication.add(docType);
    deviceAuthentication.add(cppbor::Semantic(24, deviceNameSpacesBytes));
    deviceAuthenticationBytes = cppbor::Semantic(24, deviceAuthentication.encode()).encode();
    calculatedMac = support::coseMac0(derivedKey.value(), {},      // payload
                                      deviceAuthenticationBytes);  // detached content
    ASSERT_TRUE(calculatedMac);
    EXPECT_EQ(mac, calculatedMac);
}

INSTANTIATE_TEST_SUITE_P(
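Review bot: The third retrieval (the single empty `PersonalData` namespace) cannot tell a freshly produced MAC from a leftover one, because `mac` and `deviceNameSpacesBytes` are reused as out-parameters and the expected MAC is byte-for-byte the same as in the preceding empty request (same `derivedKey`, same session transcript, same `{}` DeviceNameSpaces). Resetting both before each `startRetrieval`, e.g. `mac.clear(); deviceNameSpacesBytes.clear();` (assuming they are vectors, as the `&mac` use suggests), would make each `EXPECT_EQ(mac, calculatedMac)` show that the HAL produced the MAC on that call. The two added blocks differ only in the argument passed to `setRequestedNamespaces`, so a small local lambda taking the namespace list would remove roughly 25 duplicated lines and keep the two cases from drifting apart. The enclosing `TEST_P` body starts outside this hunk, so the declarations of these variables are not visible here.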