Add attestation certificate parsing and validate for IC vts. am: 57b34793

        "VtsHalIdentityEndToEndTest.cpp",

        "VtsIWritableIdentityCredentialTests.cpp",

        "VtsIdentityTestUtils.cpp",

        "VtsAttestationTests.cpp",

        "VtsAttestationParserSupport.cpp",

    ],

    shared_libs: [

        "android.hardware.keymaster@4.0",

        "libbinder",

        "libcrypto",

        "libkeymaster_portable",

        "libsoft_attestation_cert",

        "libpuresoftkeymasterdevice",

    ],

    static_libs: [

        "libcppbor",

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#define LOG_TAG "VtsHalIdentityTargetTest"

#define LOG_TAG "VtsHalIdentityEndToEndTest"

#include <aidl/Gtest.h>

#include <aidl/Vintf.h>

using ::android::hardware::keymaster::HardwareAuthToken;

using ::android::hardware::keymaster::VerificationToken;

using test_utils::validateAttestationCertificate;

class IdentityAidl : public testing::TestWithParam<std::string> {

  public:

    virtual void SetUp() override {

    // part of the request data.

    vector<uint8_t> readerKey;

    optional<vector<uint8_t>> readerCertificate =

            test_utils::GenerateReaderCertificate("1234", readerKey);

            test_utils::generateReaderCertificate("1234", &readerKey);

    ASSERT_TRUE(readerCertificate);

    // Make the portrait image really big (just shy of 256 KiB) to ensure that

    // the chunking code gets exercised.

    vector<uint8_t> portraitImage;

    test_utils::SetImageData(portraitImage);

    test_utils::setImageData(portraitImage);

    // Access control profiles:

    const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)

    string cborPretty;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "attestationChallenge";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    ASSERT_TRUE(attData.result.isOk())

            << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;

    ASSERT_EQ(binder::Status::EX_NONE, attData.result.exceptionCode());

    ASSERT_EQ(IIdentityCredentialStore::STATUS_OK, attData.result.serviceSpecificErrorCode());

    // TODO: set it to something random and check it's in the cert chain

    ASSERT_GE(attData.attestationCertificate.size(), 2);

    EXPECT_TRUE(validateAttestationCertificate(attData.attestationCertificate,

                                               attData.attestationChallenge,

                                               attData.attestationApplicationId, hwInfo));

    // This is kinda of a hack but we need to give the size of

    // ProofOfProvisioning that we'll expect to receive.

                    .isOk());

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    // Uses TestEntryData* pointer as key and values are the encrypted blobs. This

    map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;

    for (const auto& entry : testEntries) {

        ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                         encryptedBlobs, true));

    }

TEST_P(IdentityCredentialTests, verifyAttestationWithEmptyChallenge) {

    Status result;

    HardwareInformation hwInfo;

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    vector<uint8_t> attestationChallenge;

    vector<Certificate> attestationCertificate;

    EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                               << endl;

    EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));

    EXPECT_TRUE(test_utils::validateAttestationCertificate(

            attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));

}

TEST_P(IdentityCredentialTests, verifyAttestationSuccessWithChallenge) {

    Status result;

    HardwareInformation hwInfo;

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge1NotSoRandomChallenge1NotSoRandomChallenge1";

    vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());

    EXPECT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                               << endl;

    EXPECT_TRUE(test_utils::ValidateAttestationCertificate(attestationCertificate));

    EXPECT_TRUE(test_utils::validateAttestationCertificate(

            attestationCertificate, attestationChallenge, attestationApplicationId, hwInfo));

}

TEST_P(IdentityCredentialTests, verifyAttestationDoubleCallFails) {

    Status result;

    HardwareInformation hwInfo;

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge1";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    ASSERT_TRUE(test_utils::ValidateAttestationCertificate(attData.attestationCertificate));

    ASSERT_TRUE(test_utils::validateAttestationCertificate(

            attData.attestationCertificate, attData.attestationChallenge,

            attData.attestationApplicationId, hwInfo));

    string challenge2 = "NotSoRandomChallenge2";

    test_utils::AttestationData attData2(writableCredential, challenge2, {});

TEST_P(IdentityCredentialTests, verifyStartPersonalization) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    // First call should go through

    const vector<int32_t> entryCounts = {2, 4};

TEST_P(IdentityCredentialTests, verifyStartPersonalizationMin) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    // Verify minimal number of profile count and entry count

    const vector<int32_t> entryCounts = {1, 1};

TEST_P(IdentityCredentialTests, verifyStartPersonalizationZero) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    const vector<int32_t> entryCounts = {0};

    writableCredential->startPersonalization(0, entryCounts);

TEST_P(IdentityCredentialTests, verifyStartPersonalizationOne) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    // Verify minimal number of profile count and entry count

    const vector<int32_t> entryCounts = {1};

TEST_P(IdentityCredentialTests, verifyStartPersonalizationLarge) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    // Verify set a large number of profile count and entry count is ok

    const vector<int32_t> entryCounts = {3000};

TEST_P(IdentityCredentialTests, verifyProfileNumberMismatchShouldFail) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    // Enter mismatched entry and profile numbers

    const vector<int32_t> entryCounts = {5, 6};

    ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                               << endl;

    optional<vector<uint8_t>> readerCertificate = test_utils::GenerateReaderCertificate("12345");

    optional<vector<uint8_t>> readerCertificate = test_utils::generateReaderCertificate("12345");

    ASSERT_TRUE(readerCertificate);

    const vector<test_utils::TestProfile> testProfiles = {// Profile 0 (reader authentication)

                                                          {4, {}, false, 0}};

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    vector<uint8_t> credentialData;

            writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);

    // finishAddingEntries should fail because the number of addAccessControlProfile mismatched with

    // startPersonalization, and begintest_utils::AddEntry was not called.

    // startPersonalization, and begintest_utils::addEntry was not called.

    EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                                << endl;

    EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());

TEST_P(IdentityCredentialTests, verifyDuplicateProfileId) {

    Status result;

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    const vector<int32_t> entryCounts = {3, 6};

    writableCredential->startPersonalization(3, entryCounts);

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge1";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    EXPECT_TRUE(attData.result.isOk())

            << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;

    optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");

    optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");

    ASSERT_TRUE(readerCertificate1);

    const vector<int32_t> entryCounts = {1u};

    const vector<test_utils::TestProfile> testProfiles = {{1, readerCertificate1.value(), true, 1}};

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    const vector<test_utils::TestEntryData> testEntries1 = {

    map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;

    for (const auto& entry : testEntries1) {

        ASSERT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        ASSERT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                         encryptedBlobs, true));

    }

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    EXPECT_TRUE(attData.result.isOk())

            << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;

    optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");

    optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");

    ASSERT_TRUE(readerCertificate1);

    optional<vector<uint8_t>> readerCertificate2 = test_utils::GenerateReaderCertificate("1256");

    optional<vector<uint8_t>> readerCertificate2 = test_utils::generateReaderCertificate("1256");

    ASSERT_TRUE(readerCertificate2);

    const vector<test_utils::TestProfile> testProfiles = {

                               << endl;

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    vector<uint8_t> portraitImage1;

    test_utils::SetImageData(portraitImage1);

    test_utils::setImageData(portraitImage1);

    vector<uint8_t> portraitImage2;

    test_utils::SetImageData(portraitImage2);

    test_utils::setImageData(portraitImage2);

    const vector<test_utils::TestEntryData> testEntries1 = {

            {"Name Space 1", "Last name", string("Turing"), vector<int32_t>{1, 2}},

    map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;

    for (const auto& entry : testEntries1) {

        EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                         encryptedBlobs, true));

    }

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    ASSERT_TRUE(attData.result.isOk())

            << attData.result.exceptionCode() << "; " << attData.result.exceptionMessage() << endl;

    optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");

    optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");

    ASSERT_TRUE(readerCertificate1);

    optional<vector<uint8_t>> readerCertificate2 =

            test_utils::GenerateReaderCertificate("123456987987987987987987");

            test_utils::generateReaderCertificate("123456987987987987987987");

    ASSERT_TRUE(readerCertificate2);

    const vector<int32_t> entryCounts = {2u, 2u};

                                                          {2, {}, false, 0}};

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    const vector<test_utils::TestEntryData> testEntries1 = {

    map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;

    for (const auto& entry : testEntries1) {

        EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                         encryptedBlobs, true));

    }

    ASSERT_TRUE(credentialStore_->getHardwareInformation(&hwInfo).isOk());

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    string challenge = "NotSoRandomChallenge";

    test_utils::AttestationData attData(writableCredential, challenge, {});

    ASSERT_TRUE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                               << endl;

    optional<vector<uint8_t>> readerCertificate1 = test_utils::GenerateReaderCertificate("123456");

    optional<vector<uint8_t>> readerCertificate1 = test_utils::generateReaderCertificate("123456");

    ASSERT_TRUE(readerCertificate1);

    optional<vector<uint8_t>> readerCertificate2 =

            test_utils::GenerateReaderCertificate("123456987987987987987987");

            test_utils::generateReaderCertificate("123456987987987987987987");

    ASSERT_TRUE(readerCertificate2);

    const vector<test_utils::TestProfile> testProfiles = {{0, readerCertificate1.value(), false, 0},

                                                          {2, {}, false, 0}};

    optional<vector<SecureAccessControlProfile>> secureProfiles =

            test_utils::AddAccessControlProfiles(writableCredential, testProfiles);

            test_utils::addAccessControlProfiles(writableCredential, testProfiles);

    ASSERT_TRUE(secureProfiles);

    const vector<test_utils::TestEntryData> testEntries1 = {

    map<const test_utils::TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;

    for (const auto& entry : testEntries1) {

        EXPECT_TRUE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        EXPECT_TRUE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                         encryptedBlobs, true));

    }

    const test_utils::TestEntryData testEntry2 = {"Image", "Portrait image", string("asdfs"),

                                                  vector<int32_t>{0, 1}};

    EXPECT_TRUE(test_utils::AddEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,

    EXPECT_TRUE(test_utils::addEntry(writableCredential, testEntry2, hwInfo.dataChunkSize,

                                     encryptedBlobs, true));

    // We expect this to fail because the namespace is out of order, all "Name Space"

    };

    for (const auto& entry : testEntries3) {

        EXPECT_FALSE(test_utils::AddEntry(writableCredential, entry, hwInfo.dataChunkSize,

        EXPECT_FALSE(test_utils::addEntry(writableCredential, entry, hwInfo.dataChunkSize,

                                          encryptedBlobs, false));

    }

    result =

            writableCredential->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);

    // should fail because test_utils::AddEntry should have failed earlier.

    // should fail because test_utils::addEntry should have failed earlier.

    EXPECT_FALSE(result.isOk()) << result.exceptionCode() << "; " << result.exceptionMessage()

                                << endl;

    EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());

TEST_P(IdentityCredentialTests, verifyAccessControlProfileIdOutOfRange) {

    sp<IWritableIdentityCredential> writableCredential;

    ASSERT_TRUE(test_utils::SetupWritableCredential(writableCredential, credentialStore_));

    ASSERT_TRUE(test_utils::setupWritableCredential(writableCredential, credentialStore_));

    const vector<int32_t> entryCounts = {1};

    Status result = writableCredential->startPersonalization(1, entryCounts);

    uint64_t timeoutMillis;

};

bool SetupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,

bool setupWritableCredential(sp<IWritableIdentityCredential>& writableCredential,

                             sp<IIdentityCredentialStore>& credentialStore);

optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal);

optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal);

optional<vector<uint8_t>> GenerateReaderCertificate(string serialDecimal,

                                                    vector<uint8_t>& readerPrivateKey);

optional<vector<uint8_t>> generateReaderCertificate(string serialDecimal,

                                                    vector<uint8_t>* outReaderPrivateKey);

optional<vector<SecureAccessControlProfile>> AddAccessControlProfiles(

optional<vector<SecureAccessControlProfile>> addAccessControlProfiles(

        sp<IWritableIdentityCredential>& writableCredential,

        const vector<TestProfile>& testProfiles);

bool AddEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,

bool addEntry(sp<IWritableIdentityCredential>& writableCredential, const TestEntryData& entry,

              int dataChunkSize, map<const TestEntryData*, vector<vector<uint8_t>>>& encryptedBlobs,

              bool expectSuccess);

bool ValidateAttestationCertificate(vector<Certificate>& inputCertificates);

void setImageData(vector<uint8_t>& image);

void SetImageData(vector<uint8_t>& image);

bool validateAttestationCertificate(const vector<Certificate>& inputCertificates,

                                    const vector<uint8_t>& expectedChallenge,

                                    const vector<uint8_t>& expectedAppId,

                                    const HardwareInformation& hwInfo);

vector<RequestNamespace> buildRequestNamespaces(const vector<TestEntryData> entries);