path: root/unit_test/authorization_set_test.cpp (plain)
blob: f3f4412b92796e106e5203d45757b7c33165e660

1	/*
2	* Copyright (C) 2014 The Android Open Source Project
3	*
4	* Licensed under the Apache License, Version 2.0 (the "License");
5	* you may not use this file except in compliance with the License.
6	* You may obtain a copy of the License at
7	*
8	* http://www.apache.org/licenses/LICENSE-2.0
9	*
10	* Unless required by applicable law or agreed to in writing, software
11	* distributed under the License is distributed on an "AS IS" BASIS,
12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	* See the License for the specific language governing permissions and
14	* limitations under the License.
15	*/
16
17	#include <gtest/gtest.h>
18
19	#include <keymaster/authorization_set.h>
20	#include <keymaster/android_keymaster_utils.h>
21
22	#include "android_keymaster_test_utils.h"
23
24	namespace keymaster {
25
26	namespace test {
27
28	TEST(Construction, ListProvided) {
29	keymaster_key_param_t params[] = {
30	Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
31	Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
32	Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
33	Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
34	Authorization(TAG_AUTH_TIMEOUT, 300),
35	};
36	AuthorizationSet set(params, array_length(params));
37	EXPECT_EQ(8U, set.size());
38	}
39
40	TEST(Construction, Copy) {
41	keymaster_key_param_t params[] = {
42	Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
43	Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_USER_ID, 7),
44	Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD),
45	Authorization(TAG_APPLICATION_ID, "my_app", 6), Authorization(TAG_KEY_SIZE, 256),
46	Authorization(TAG_AUTH_TIMEOUT, 300),
47	};
48	AuthorizationSet set(params, array_length(params));
49	AuthorizationSet set2(set);
50	EXPECT_EQ(set, set2);
51	}
52
53	TEST(Construction, NullProvided) {
54	keymaster_key_param_t params[] = {
55	Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
56	};
57
58	AuthorizationSet set1(params, 0);
59	EXPECT_EQ(0U, set1.size());
60	EXPECT_EQ(AuthorizationSet::OK, set1.is_valid());
61
62	AuthorizationSet set2(reinterpret_cast<keymaster_key_param_t*>(NULL), array_length(params));
63	EXPECT_EQ(0U, set2.size());
64	EXPECT_EQ(AuthorizationSet::OK, set2.is_valid());
65	}
66
67	TEST(Lookup, NonRepeated) {
68	AuthorizationSet set(AuthorizationSetBuilder()
69	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
70	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
71	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
72	.Authorization(TAG_USER_ID, 7)
73	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
74	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
75	.Authorization(TAG_KEY_SIZE, 256)
76	.Authorization(TAG_AUTH_TIMEOUT, 300));
77
78	EXPECT_EQ(8U, set.size());
79
80	int pos = set.find(TAG_ALGORITHM);
81	ASSERT_NE(-1, pos);
82	EXPECT_EQ(KM_TAG_ALGORITHM, set[pos].tag);
83	EXPECT_EQ(KM_ALGORITHM_RSA, set[pos].enumerated);
84
85	pos = set.find(TAG_MAC_LENGTH);
86	EXPECT_EQ(-1, pos);
87
88	uint32_t int_val = 0;
89	EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &int_val));
90	EXPECT_EQ(7U, int_val);
91
92	keymaster_blob_t blob_val;
93	EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &blob_val));
94	EXPECT_EQ(6U, blob_val.data_length);
95	EXPECT_EQ(0, memcmp(blob_val.data, "my_app", 6));
96	}
97
98	TEST(Lookup, Repeated) {
99	AuthorizationSet set(AuthorizationSetBuilder()
100	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
101	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
102	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
103	.Authorization(TAG_USER_ID, 7)
104	.Authorization(TAG_USER_SECURE_ID, 47727)
105	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
106	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
107	.Authorization(TAG_KEY_SIZE, 256)
108	.Authorization(TAG_AUTH_TIMEOUT, 300));
109	EXPECT_EQ(9U, set.size());
110
111	int pos = set.find(TAG_PURPOSE);
112	ASSERT_FALSE(pos == -1);
113	EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
114	EXPECT_EQ(KM_PURPOSE_SIGN, set[pos].enumerated);
115
116	pos = set.find(TAG_PURPOSE, pos);
117	EXPECT_EQ(KM_TAG_PURPOSE, set[pos].tag);
118	EXPECT_EQ(KM_PURPOSE_VERIFY, set[pos].enumerated);
119
120	EXPECT_EQ(-1, set.find(TAG_PURPOSE, pos));
121
122	pos = set.find(TAG_USER_SECURE_ID, pos);
123	EXPECT_EQ(KM_TAG_USER_SECURE_ID, set[pos].tag);
124	EXPECT_EQ(47727U, set[pos].long_integer);
125	}
126
127	TEST(Lookup, Indexed) {
128	AuthorizationSet set(AuthorizationSetBuilder()
129	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
130	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
131	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
132	.Authorization(TAG_USER_ID, 7)
133	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
134	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
135	.Authorization(TAG_KEY_SIZE, 256)
136	.Authorization(TAG_AUTH_TIMEOUT, 300));
137	EXPECT_EQ(8U, set.size());
138
139	EXPECT_EQ(KM_TAG_PURPOSE, set[0].tag);
140	EXPECT_EQ(KM_PURPOSE_SIGN, set[0].enumerated);
141
142	// Lookup beyond end doesn't work, just returns zeros, but doens't blow up either (verify by
143	// running under valgrind).
144	EXPECT_EQ(KM_TAG_INVALID, set[10].tag);
145	}
146
147	TEST(Serialization, RoundTrip) {
148	AuthorizationSet set(AuthorizationSetBuilder()
149	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
150	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
151	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
152	.Authorization(TAG_USER_ID, 7)
153	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
154	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
155	.Authorization(TAG_KEY_SIZE, 256)
156	.Authorization(TAG_USER_SECURE_ID, 47727)
157	.Authorization(TAG_AUTH_TIMEOUT, 300)
158	.Authorization(TAG_ALL_USERS)
159	.Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
160	.Authorization(TAG_ACTIVE_DATETIME, 10));
161
162	size_t size = set.SerializedSize();
163	EXPECT_TRUE(size > 0);
164
165	UniquePtr<uint8_t[]> buf(new uint8_t[size]);
166	EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
167	AuthorizationSet deserialized(buf.get(), size);
168
169	EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
170	EXPECT_EQ(set, deserialized);
171
172	int pos = deserialized.find(TAG_APPLICATION_ID);
173	ASSERT_NE(-1, pos);
174	EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
175	EXPECT_EQ(6U, deserialized[pos].blob.data_length);
176	EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
177	}
178
179	TEST(Deserialization, Deserialize) {
180	AuthorizationSet set(AuthorizationSetBuilder()
181	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
182	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
183	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
184	.Authorization(TAG_USER_ID, 7)
185	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
186	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
187	.Authorization(TAG_KEY_SIZE, 256)
188	.Authorization(TAG_AUTH_TIMEOUT, 300));
189
190	size_t size = set.SerializedSize();
191	EXPECT_TRUE(size > 0);
192
193	UniquePtr<uint8_t[]> buf(new uint8_t[size]);
194	EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
195	AuthorizationSet deserialized;
196	const uint8_t* p = buf.get();
197	EXPECT_TRUE(deserialized.Deserialize(&p, p + size));
198	EXPECT_EQ(p, buf.get() + size);
199
200	EXPECT_EQ(AuthorizationSet::OK, deserialized.is_valid());
201
202	EXPECT_EQ(set.size(), deserialized.size());
203	for (size_t i = 0; i < set.size(); ++i) {
204	EXPECT_EQ(set[i].tag, deserialized[i].tag);
205	}
206
207	int pos = deserialized.find(TAG_APPLICATION_ID);
208	ASSERT_NE(-1, pos);
209	EXPECT_EQ(KM_TAG_APPLICATION_ID, deserialized[pos].tag);
210	EXPECT_EQ(6U, deserialized[pos].blob.data_length);
211	EXPECT_EQ(0, memcmp(deserialized[pos].blob.data, "my_app", 6));
212	}
213
214	TEST(Deserialization, TooShortBuffer) {
215	uint8_t buf[] = {0, 0, 0};
216	AuthorizationSet deserialized(buf, array_length(buf));
217	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
218
219	const uint8_t* p = buf;
220	EXPECT_FALSE(deserialized.Deserialize(&p, p + array_length(buf)));
221	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
222	}
223
224	TEST(Deserialization, InvalidLengthField) {
225	AuthorizationSet set(AuthorizationSetBuilder()
226	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
227	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
228	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
229	.Authorization(TAG_USER_ID, 7)
230	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
231	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
232	.Authorization(TAG_KEY_SIZE, 256)
233	.Authorization(TAG_AUTH_TIMEOUT, 300));
234
235	size_t size = set.SerializedSize();
236	EXPECT_TRUE(size > 0);
237
238	UniquePtr<uint8_t[]> buf(new uint8_t[size]);
239	EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
240	*reinterpret_cast<uint32_t*>(buf.get()) = 9;
241
242	AuthorizationSet deserialized(buf.get(), size);
243	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
244
245	const uint8_t* p = buf.get();
246	EXPECT_FALSE(deserialized.Deserialize(&p, p + size));
247	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized.is_valid());
248	}
249
250	static uint32_t read_uint32(const uint8_t* buf) {
251	uint32_t val;
252	memcpy(&val, buf, sizeof(val));
253	return val;
254	}
255
256	static void add_to_uint32(uint8_t* buf, int delta) {
257	uint32_t val;
258	memcpy(&val, buf, sizeof(val));
259	val += delta;
260	memcpy(buf, &val, sizeof(val));
261	}
262
263	TEST(Deserialization, MalformedIndirectData) {
264	AuthorizationSet set(AuthorizationSetBuilder()
265	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
266	.Authorization(TAG_APPLICATION_DATA, "foo", 3));
267	size_t size = set.SerializedSize();
268
269	UniquePtr<uint8_t[]> buf(new uint8_t[size]);
270	EXPECT_EQ(buf.get() + size, set.Serialize(buf.get(), buf.get() + size));
271
272	// This sucks. This test, as written, requires intimate knowledge of the serialized layout of
273	// this particular set, which means it's brittle. But it's important to test that we handle
274	// broken serialized data and I can't think of a better way to write this.
275	//
276	// The contents of buf are:
277	//
278	// Bytes: Content:
279	// 0-3 Length of string data, which is 9.
280	// 4-9 "my_app"
281	// 10-12 "foo"
282	// 13-16 Number of elements, which is 2.
283	// 17-20 Length of elements, which is 24.
284	// 21-24 First tag, TAG_APPLICATION_ID
285	// 25-28 Length of string "my_app", 6
286	// 29-32 Offset of string "my_app", 0
287	// 33-36 Second tag, TAG_APPLICATION_DATA
288	// 37-40 Length of string "foo", 3
289	// 41-44 Offset of string "foo", 6
290
291	// Check that stuff is where we think.
292	EXPECT_EQ('m', buf[4]);
293	EXPECT_EQ('f', buf[10]);
294	// Length of "my_app"
295	EXPECT_EQ(6U, read_uint32(buf.get() + 25));
296	// Offset of "my_app"
297	EXPECT_EQ(0U, read_uint32(buf.get() + 29));
298	// Length of "foo"
299	EXPECT_EQ(3U, read_uint32(buf.get() + 37));
300	// Offset of "foo"
301	EXPECT_EQ(6U, read_uint32(buf.get() + 41));
302
303	// Check that deserialization works.
304	AuthorizationSet deserialized1(buf.get(), size);
305	EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
306
307	const uint8_t* p = buf.get();
308	EXPECT_TRUE(deserialized1.Deserialize(&p, p + size));
309	EXPECT_EQ(AuthorizationSet::OK, deserialized1.is_valid());
310
311	//
312	// Now mess them up in various ways:
313	//
314
315	// Move "foo" offset so offset + length goes off the end
316	add_to_uint32(buf.get() + 41, 1);
317	AuthorizationSet deserialized2(buf.get(), size);
318	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized2.is_valid());
319	add_to_uint32(buf.get() + 41, -1);
320
321	// Shorten the "my_app" length to make a gap between the blobs.
322	add_to_uint32(buf.get() + 25, -1);
323	AuthorizationSet deserialized3(buf.get(), size);
324	EXPECT_EQ(AuthorizationSet::MALFORMED_DATA, deserialized3.is_valid());
325	add_to_uint32(buf.get() + 25, 1);
326
327	// Extend the "my_app" length to make them overlap, and decrease the "foo" length to keep the
328	// total length the same. We don't detect this but should.
329	// TODO(swillden): Detect overlaps and holes that leave total size correct.
330	add_to_uint32(buf.get() + 25, 1);
331	add_to_uint32(buf.get() + 37, -1);
332	AuthorizationSet deserialized4(buf.get(), size);
333	EXPECT_EQ(AuthorizationSet::OK, deserialized4.is_valid());
334	}
335
336	TEST(Growable, SuccessfulRoundTrip) {
337	AuthorizationSet growable;
338	EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
339	EXPECT_EQ(1U, growable.size());
340
341	EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)));
342	EXPECT_EQ(2U, growable.size());
343
344	EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
345	EXPECT_EQ(3U, growable.size());
346
347	EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "data", 4)));
348	EXPECT_EQ(4U, growable.size());
349
350	EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "some more data", 14)));
351	EXPECT_EQ(5U, growable.size());
352
353	size_t serialize_size = growable.SerializedSize();
354	UniquePtr<uint8_t[]> serialized(new uint8_t[serialize_size]);
355	EXPECT_EQ(serialized.get() + serialize_size,
356	growable.Serialize(serialized.get(), serialized.get() + serialize_size));
357
358	AuthorizationSet deserialized(serialized.get(), serialize_size);
359	EXPECT_EQ(growable, deserialized);
360	}
361
362	TEST(Growable, InsufficientElemBuf) {
363	AuthorizationSet growable;
364	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
365
366	// First insertion fits.
367	EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
368	EXPECT_EQ(1U, growable.size());
369	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
370
371	// Second does too.
372	EXPECT_TRUE(growable.push_back(Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)));
373	EXPECT_EQ(2U, growable.size());
374	}
375
376	TEST(Growable, InsufficientIndirectBuf) {
377	AuthorizationSet growable;
378	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
379
380	EXPECT_TRUE(growable.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)));
381	EXPECT_EQ(1U, growable.size());
382	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
383
384	EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_ID, "1234567890", 10)));
385	EXPECT_EQ(2U, growable.size());
386	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
387
388	EXPECT_TRUE(growable.push_back(Authorization(TAG_APPLICATION_DATA, "1", 1)));
389	EXPECT_EQ(3U, growable.size());
390	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
391
392	// Can still add another entry without indirect data. Now it's full.
393	EXPECT_TRUE(growable.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)));
394	EXPECT_EQ(4U, growable.size());
395	EXPECT_EQ(AuthorizationSet::OK, growable.is_valid());
396	}
397
398	TEST(Growable, PushBackSets) {
399	AuthorizationSetBuilder builder;
400	builder.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
401	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
402	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
403	.Authorization(TAG_USER_ID, 7)
404	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
405	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
406	.Authorization(TAG_KEY_SIZE, 256)
407	.Authorization(TAG_AUTH_TIMEOUT, 300);
408
409	AuthorizationSet set1(builder.build());
410	AuthorizationSet set2(builder.build());
411
412	AuthorizationSet combined;
413	EXPECT_TRUE(combined.push_back(set1));
414	EXPECT_TRUE(combined.push_back(set2));
415	EXPECT_EQ(set1.size() + set2.size(), combined.size());
416	EXPECT_EQ(12U, combined.indirect_size());
417	}
418
419	TEST(GetValue, GetInt) {
420	AuthorizationSet set(AuthorizationSetBuilder()
421	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
422	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
423	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
424	.Authorization(TAG_USER_ID, 7)
425	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
426	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
427	.Authorization(TAG_AUTH_TIMEOUT, 300));
428
429	uint32_t val;
430	EXPECT_TRUE(set.GetTagValue(TAG_USER_ID, &val));
431	EXPECT_EQ(7U, val);
432
433	// Find one that isn't there
434	EXPECT_FALSE(set.GetTagValue(TAG_KEY_SIZE, &val));
435	}
436
437	TEST(GetValue, GetLong) {
438	AuthorizationSet set1(AuthorizationSetBuilder()
439	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
440	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
441	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
442	.Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
443
444	AuthorizationSet set2(AuthorizationSetBuilder()
445	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
446	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
447	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
448
449	uint64_t val;
450	EXPECT_TRUE(set1.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
451	EXPECT_EQ(3U, val);
452
453	// Find one that isn't there
454	EXPECT_FALSE(set2.GetTagValue(TAG_RSA_PUBLIC_EXPONENT, &val));
455	}
456
457	TEST(GetValue, GetLongRep) {
458	AuthorizationSet set1(AuthorizationSetBuilder()
459	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
460	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
461	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
462	.Authorization(TAG_USER_SECURE_ID, 8338)
463	.Authorization(TAG_USER_SECURE_ID, 4334)
464	.Authorization(TAG_RSA_PUBLIC_EXPONENT, 3));
465
466	AuthorizationSet set2(AuthorizationSetBuilder()
467	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
468	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
469	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA));
470
471	uint64_t val;
472	EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 0, &val));
473	EXPECT_EQ(8338U, val);
474	EXPECT_TRUE(set1.GetTagValue(TAG_USER_SECURE_ID, 1, &val));
475	EXPECT_EQ(4334U, val);
476
477	// Find one that isn't there
478	EXPECT_FALSE(set2.GetTagValue(TAG_USER_SECURE_ID, &val));
479	}
480
481	TEST(GetValue, GetEnum) {
482	AuthorizationSet set(AuthorizationSetBuilder()
483	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
484	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
485	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
486	.Authorization(TAG_USER_ID, 7)
487	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
488	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
489	.Authorization(TAG_AUTH_TIMEOUT, 300));
490
491	keymaster_algorithm_t val;
492	EXPECT_TRUE(set.GetTagValue(TAG_ALGORITHM, &val));
493	EXPECT_EQ(KM_ALGORITHM_RSA, val);
494
495	// Find one that isn't there
496	keymaster_padding_t val2;
497	EXPECT_FALSE(set.GetTagValue(TAG_PADDING, &val2));
498	}
499
500	TEST(GetValue, GetEnumRep) {
501	AuthorizationSet set(AuthorizationSetBuilder()
502	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
503	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
504	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
505	.Authorization(TAG_USER_ID, 7)
506	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
507	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
508	.Authorization(TAG_AUTH_TIMEOUT, 300));
509
510	keymaster_purpose_t val;
511	EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 0, &val));
512	EXPECT_EQ(KM_PURPOSE_SIGN, val);
513	EXPECT_TRUE(set.GetTagValue(TAG_PURPOSE, 1, &val));
514	EXPECT_EQ(KM_PURPOSE_VERIFY, val);
515
516	// Find one that isn't there
517	EXPECT_FALSE(set.GetTagValue(TAG_PURPOSE, 2, &val));
518	}
519
520	TEST(GetValue, GetDate) {
521	AuthorizationSet set(AuthorizationSetBuilder()
522	.Authorization(TAG_ACTIVE_DATETIME, 10)
523	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
524	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
525	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
526	.Authorization(TAG_USER_ID, 7)
527	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
528	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
529	.Authorization(TAG_AUTH_TIMEOUT, 300));
530
531	uint64_t val;
532	EXPECT_TRUE(set.GetTagValue(TAG_ACTIVE_DATETIME, &val));
533	EXPECT_EQ(10U, val);
534
535	// Find one that isn't there
536	EXPECT_FALSE(set.GetTagValue(TAG_USAGE_EXPIRE_DATETIME, &val));
537	}
538
539	TEST(GetValue, GetBlob) {
540	AuthorizationSet set(AuthorizationSetBuilder()
541	.Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
542	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
543	.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
544	.Authorization(TAG_USER_ID, 7)
545	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
546	.Authorization(TAG_APPLICATION_ID, "my_app", 6)
547	.Authorization(TAG_AUTH_TIMEOUT, 300));
548
549	keymaster_blob_t val;
550	EXPECT_TRUE(set.GetTagValue(TAG_APPLICATION_ID, &val));
551	EXPECT_EQ(6U, val.data_length);
552	EXPECT_EQ(0, memcmp(val.data, "my_app", 6));
553
554	// Find one that isn't there
555	EXPECT_FALSE(set.GetTagValue(TAG_APPLICATION_DATA, &val));
556	}
557
558	TEST(Deduplication, NoDuplicates) {
559	AuthorizationSet set(AuthorizationSetBuilder()
560	.Authorization(TAG_ACTIVE_DATETIME, 10)
561	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
562	.Authorization(TAG_USER_ID, 7)
563	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
564	AuthorizationSet copy(set);
565
566	EXPECT_EQ(copy, set);
567	set.Deduplicate();
568	EXPECT_EQ(copy.size(), set.size());
569
570	// Sets no longer compare equal, because of ordering (ugh, maybe it should be
571	// AuthorizationList, not AuthorizationSet).
572	EXPECT_NE(copy, set);
573	}
574
575	TEST(Deduplication, NoDuplicatesHasInvalid) {
576	AuthorizationSet set(AuthorizationSetBuilder()
577	.Authorization(TAG_ACTIVE_DATETIME, 10)
578	.Authorization(TAG_INVALID)
579	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
580	.Authorization(TAG_USER_ID, 7)
581	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
582	AuthorizationSet copy(set);
583
584	EXPECT_EQ(copy, set);
585	set.Deduplicate();
586
587	// Deduplicate should have removed the invalid.
588	EXPECT_EQ(copy.size() - 1, set.size());
589	EXPECT_NE(copy, set);
590	}
591
592	TEST(Deduplication, DuplicateEnum) {
593	AuthorizationSet set(AuthorizationSetBuilder()
594	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
595	.Authorization(TAG_ACTIVE_DATETIME, 10)
596	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
597	.Authorization(TAG_USER_ID, 7)
598	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
599	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
600	AuthorizationSet copy(set);
601
602	EXPECT_EQ(copy, set);
603	set.Deduplicate();
604	EXPECT_EQ(copy.size() - 2, set.size());
605	EXPECT_NE(copy, set);
606	}
607
608	TEST(Deduplication, DuplicateBlob) {
609	AuthorizationSet set(AuthorizationSetBuilder()
610	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
611	.Authorization(TAG_ACTIVE_DATETIME, 10)
612	.Authorization(TAG_APPLICATION_DATA, "data", 4)
613	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
614	.Authorization(TAG_USER_ID, 7)
615	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
616	.Authorization(TAG_APPLICATION_DATA, "data", 4)
617	.Authorization(TAG_APPLICATION_DATA, "foo", 3)
618	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
619	AuthorizationSet copy(set);
620
621	EXPECT_EQ(copy, set);
622	set.Deduplicate();
623	EXPECT_EQ(copy.size() - 3, set.size());
624	EXPECT_NE(copy, set);
625
626	// The real test here is that valgrind reports no leak.
627	}
628
629	TEST(Union, Disjoint) {
630	AuthorizationSet set1(AuthorizationSetBuilder()
631	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
632	.Authorization(TAG_ACTIVE_DATETIME, 10)
633	.Authorization(TAG_APPLICATION_DATA, "data", 4));
634
635	AuthorizationSet set2(AuthorizationSetBuilder()
636	.Authorization(TAG_USER_ID, 7)
637	.Authorization(TAG_APPLICATION_DATA, "foo", 3)
638	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
639
640	AuthorizationSet expected(AuthorizationSetBuilder()
641	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
642	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
643	.Authorization(TAG_USER_ID, 7)
644	.Authorization(TAG_ACTIVE_DATETIME, 10)
645	.Authorization(TAG_APPLICATION_DATA, "data", 4)
646	.Authorization(TAG_APPLICATION_DATA, "foo", 3));
647
648	set1.Union(set2);
649	EXPECT_EQ(expected, set1);
650	}
651
652	TEST(Union, Overlap) {
653	AuthorizationSet set1(AuthorizationSetBuilder()
654	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
655	.Authorization(TAG_ACTIVE_DATETIME, 10)
656	.Authorization(TAG_APPLICATION_DATA, "data", 4));
657
658	AuthorizationSet set2(AuthorizationSetBuilder()
659	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
660	.Authorization(TAG_ACTIVE_DATETIME, 10)
661	.Authorization(TAG_APPLICATION_DATA, "data", 4));
662
663	AuthorizationSet expected(AuthorizationSetBuilder()
664	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
665	.Authorization(TAG_ACTIVE_DATETIME, 10)
666	.Authorization(TAG_APPLICATION_DATA, "data", 4));
667
668	set1.Union(set2);
669	EXPECT_EQ(expected, set1);
670	}
671
672	TEST(Union, Empty) {
673	AuthorizationSet set1(AuthorizationSetBuilder()
674	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
675	.Authorization(TAG_ACTIVE_DATETIME, 10)
676	.Authorization(TAG_APPLICATION_DATA, "data", 4));
677
678	AuthorizationSet set2;
679
680	AuthorizationSet expected(AuthorizationSetBuilder()
681	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
682	.Authorization(TAG_ACTIVE_DATETIME, 10)
683	.Authorization(TAG_APPLICATION_DATA, "data", 4));
684
685	set1.Union(set2);
686	EXPECT_EQ(expected, set1);
687	}
688
689	TEST(Difference, Disjoint) {
690	AuthorizationSet set1(AuthorizationSetBuilder()
691	.Authorization(TAG_APPLICATION_DATA, "data", 4)
692	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
693	.Authorization(TAG_ACTIVE_DATETIME, 10));
694
695	AuthorizationSet set2(AuthorizationSetBuilder()
696	.Authorization(TAG_USER_ID, 7)
697	.Authorization(TAG_APPLICATION_DATA, "foo", 3)
698	.Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
699
700	// Elements are the same as set1, but happen to be in a different order
701	AuthorizationSet expected(AuthorizationSetBuilder()
702	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
703	.Authorization(TAG_ACTIVE_DATETIME, 10)
704	.Authorization(TAG_APPLICATION_DATA, "data", 4));
705
706	set1.Difference(set2);
707	EXPECT_EQ(expected, set1);
708	}
709
710	TEST(Difference, Overlap) {
711	AuthorizationSet set1(AuthorizationSetBuilder()
712	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
713	.Authorization(TAG_ACTIVE_DATETIME, 10)
714	.Authorization(TAG_APPLICATION_DATA, "data", 4));
715
716	AuthorizationSet set2(AuthorizationSetBuilder()
717	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
718	.Authorization(TAG_ACTIVE_DATETIME, 10)
719	.Authorization(TAG_APPLICATION_DATA, "data", 4));
720
721	AuthorizationSet empty;
722	set1.Difference(set2);
723	EXPECT_EQ(empty, set1);
724	EXPECT_EQ(0U, set1.size());
725	}
726
727	TEST(Difference, NullSet) {
728	AuthorizationSet set1(AuthorizationSetBuilder()
729	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
730	.Authorization(TAG_ACTIVE_DATETIME, 10)
731	.Authorization(TAG_APPLICATION_DATA, "data", 4));
732
733	AuthorizationSet set2;
734
735	AuthorizationSet expected(AuthorizationSetBuilder()
736	.Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
737	.Authorization(TAG_ACTIVE_DATETIME, 10)
738	.Authorization(TAG_APPLICATION_DATA, "data", 4));
739
740	set1.Difference(set2);
741	EXPECT_EQ(expected, set1);
742	}
743
744	} // namespace test
745	} // namespace keymaster
746