gatekeeperd/tests/gatekeeper_test.cpp

/*
 * Copyright 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <arpa/inet.h>
#include <iostream>

#include <gtest/gtest.h>
#include <hardware/hw_auth_token.h>

#include "../SoftGateKeeper.h"

using ::gatekeeper::SizedBuffer;
using ::testing::Test;
using ::gatekeeper::EnrollRequest;
using ::gatekeeper::EnrollResponse;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
using ::gatekeeper::SoftGateKeeper;
using ::gatekeeper::secure_id_t;

static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
    SizedBuffer password;

    password.buffer.reset(new uint8_t[16]);
    password.length = 16;
    memset(password.buffer.get(), 0, 16);
    EnrollRequest request(0, NULL, &password, NULL);

    gatekeeper.Enroll(request, response);
}

TEST(GateKeeperTest, EnrollSuccess) {
    SoftGateKeeper gatekeeper;
    EnrollResponse response;
    do_enroll(gatekeeper, &response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
}

TEST(GateKeeperTest, EnrollBogusData) {
    SoftGateKeeper gatekeeper;
    SizedBuffer password;
    EnrollResponse response;

    EnrollRequest request(0, NULL, &password, NULL);

    gatekeeper.Enroll(request, &response);

    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
}

TEST(GateKeeperTest, VerifySuccess) {
    SoftGateKeeper gatekeeper;
    SizedBuffer provided_password;
    EnrollResponse enroll_response;

    provided_password.buffer.reset(new uint8_t[16]);
    provided_password.length = 16;
    memset(provided_password.buffer.get(), 0, 16);

    do_enroll(gatekeeper, &enroll_response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
    VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle,
            &provided_password);
    VerifyResponse response;

    gatekeeper.Verify(request, &response);

    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);

    hw_auth_token_t *auth_token =
        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());

    ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
    ASSERT_EQ((uint64_t) 1, auth_token->challenge);
    ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
    ASSERT_NE((uint64_t) 0, auth_token->user_id);
    ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
}

TEST(GateKeeperTest, TrustedReEnroll) {
    SoftGateKeeper gatekeeper;
    SizedBuffer provided_password;
    EnrollResponse enroll_response;
    SizedBuffer password_handle;

    // do_enroll enrolls an all 0 password
    provided_password.buffer.reset(new uint8_t[16]);
    provided_password.length = 16;
    memset(provided_password.buffer.get(), 0, 16);
    do_enroll(gatekeeper, &enroll_response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);

    // keep a copy of the handle
    password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]);
    password_handle.length = enroll_response.enrolled_password_handle.length;
    memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(),
            password_handle.length);

    // verify first password
    VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
            &provided_password);
    VerifyResponse response;
    gatekeeper.Verify(request, &response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    hw_auth_token_t *auth_token =
        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());

    secure_id_t secure_id = auth_token->user_id;

    // enroll new password
    provided_password.buffer.reset(new uint8_t[16]);
    provided_password.length = 16;
    memset(provided_password.buffer.get(), 0, 16);
    SizedBuffer password;
    password.buffer.reset(new uint8_t[16]);
    memset(password.buffer.get(), 1, 16);
    password.length = 16;
    EnrollRequest enroll_request(0, &password_handle, &password, &provided_password);
    gatekeeper.Enroll(enroll_request, &enroll_response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);

    // verify new password
    password.buffer.reset(new uint8_t[16]);
    memset(password.buffer.get(), 1, 16);
    password.length = 16;
    VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
            &password);
    gatekeeper.Verify(new_request, &response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    ASSERT_EQ(secure_id,
        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
}


TEST(GateKeeperTest, UntrustedReEnroll) {
    SoftGateKeeper gatekeeper;
    SizedBuffer provided_password;
    EnrollResponse enroll_response;

    // do_enroll enrolls an all 0 password
    provided_password.buffer.reset(new uint8_t[16]);
    provided_password.length = 16;
    memset(provided_password.buffer.get(), 0, 16);
    do_enroll(gatekeeper, &enroll_response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);

    // verify first password
    VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
            &provided_password);
    VerifyResponse response;
    gatekeeper.Verify(request, &response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    hw_auth_token_t *auth_token =
        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());

    secure_id_t secure_id = auth_token->user_id;

    // enroll new password
    SizedBuffer password;
    password.buffer.reset(new uint8_t[16]);
    memset(password.buffer.get(), 1, 16);
    password.length = 16;
    EnrollRequest enroll_request(0, NULL, &password, NULL);
    gatekeeper.Enroll(enroll_request, &enroll_response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);

    // verify new password
    password.buffer.reset(new uint8_t[16]);
    memset(password.buffer.get(), 1, 16);
    password.length = 16;
    VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
            &password);
    gatekeeper.Verify(new_request, &response);
    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
    ASSERT_NE(secure_id,
        reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
}


TEST(GateKeeperTest, VerifyBogusData) {
    SoftGateKeeper gatekeeper;
    SizedBuffer provided_password;
    SizedBuffer password_handle;
    VerifyResponse response;

    VerifyRequest request(0, 0, &provided_password, &password_handle);

    gatekeeper.Verify(request, &response);

    ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
}