1// 2// Copyright (C) 2015 The Android Open Source Project 3// 4// Licensed under the Apache License, Version 2.0 (the "License"); 5// you may not use this file except in compliance with the License. 6// You may obtain a copy of the License at 7// 8// http://www.apache.org/licenses/LICENSE-2.0 9// 10// Unless required by applicable law or agreed to in writing, software 11// distributed under the License is distributed on an "AS IS" BASIS, 12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13// See the License for the specific language governing permissions and 14// limitations under the License. 15// 16 17#include "attestation/server/pkcs11_key_store.h" 18 19#include <map> 20#include <string> 21#include <vector> 22 23#include <base/logging.h> 24#include <base/strings/string_number_conversions.h> 25#include <chaps/attributes.h> 26#include <chaps/chaps_proxy_mock.h> 27#include <chaps/token_manager_client_mock.h> 28#include <brillo/cryptohome.h> 29#include <brillo/map_utils.h> 30#include <gmock/gmock.h> 31#include <gtest/gtest.h> 32 33using ::testing::_; 34using ::testing::DoAll; 35using ::testing::Invoke; 36using ::testing::NiceMock; 37using ::testing::Return; 38using ::testing::SetArgumentPointee; 39 40namespace { 41 42const uint64_t kSession = 7; // Arbitrary non-zero value. 43const char kDefaultUser[] = "test_user"; 44 45const char kValidPublicKeyHex[] = 46 "3082010A0282010100" 47 "961037BC12D2A298BEBF06B2D5F8C9B64B832A2237F8CF27D5F96407A6041A4D" 48 "AD383CB5F88E625F412E8ACD5E9D69DF0F4FA81FCE7955829A38366CBBA5A2B1" 49 "CE3B48C14B59E9F094B51F0A39155874C8DE18A0C299EBF7A88114F806BE4F25" 50 "3C29A509B10E4B19E31675AFE3B2DA77077D94F43D8CE61C205781ED04D183B4" 51 "C349F61B1956C64B5398A3A98FAFF17D1B3D9120C832763EDFC8F4137F6EFBEF" 52 "46D8F6DE03BD00E49DEF987C10BDD5B6F8758B6A855C23C982DDA14D8F0F2B74" 53 "E6DEFA7EEE5A6FC717EB0FF103CB8049F693A2C8A5039EF1F5C025DC44BD8435" 54 "E8D8375DADE00E0C0F5C196E04B8483CC98B1D5B03DCD7E0048B2AB343FFC11F" 55 "0203" 56 "010001"; 57 58const char kValidCertificateHex[] = 59 "3082040f308202f7a003020102020900bd0f8fd6bf496b67300d06092a864886" 60 "f70d01010b050030819d310b3009060355040613025553311330110603550408" 61 "0c0a43616c69666f726e69613116301406035504070c0d4d6f756e7461696e20" 62 "5669657731133011060355040a0c0a4368726f6d69756d4f533111300f060355" 63 "040b0c08556e6974546573743117301506035504030c0e506b637331314b6579" 64 "53746f72653120301e06092a864886f70d010901161174657374406368726f6d" 65 "69756d2e6f7267301e170d3135303231383137303132345a170d313731313133" 66 "3137303132345a30819d310b3009060355040613025553311330110603550408" 67 "0c0a43616c69666f726e69613116301406035504070c0d4d6f756e7461696e20" 68 "5669657731133011060355040a0c0a4368726f6d69756d4f533111300f060355" 69 "040b0c08556e6974546573743117301506035504030c0e506b637331314b6579" 70 "53746f72653120301e06092a864886f70d010901161174657374406368726f6d" 71 "69756d2e6f726730820122300d06092a864886f70d01010105000382010f0030" 72 "82010a0282010100a8fb9e12b1e5298b9a24fabc3901d00c32057392c763836e" 73 "0b55cff8e67d39b9b9853920fd615688b3e13c03a10cb5668187819172d1d269" 74 "70f0ff8d4371ac581f6970a0e43a1d0d61a94741a771fe86aee45ab0ca059b1f" 75 "c067f7416f08544cc4d08ec884b6d4327bb3ec0dc0789639375bd159df0efd87" 76 "1cf4d605778c7a68c96b94cf0a6c29f9a23bc027e8250084eb2dfca817b20f57" 77 "a6fe09513f884389db7b90788aea70c6e1638f24e39553ac0f859e585965c425" 78 "9ed7b9680fde3e059f254d8c9494f6ab425ede80d63366dfcb7cc311f5bc6fb0" 79 "1c27d81f4c5112d04b7614c37ba19c014916816372c773e4e44564fac34565ad" 80 "ebf38fe56c1413170203010001a350304e301d0603551d0e04160414fe13c7db" 81 "459bd2881e9113198e1f072e16cea144301f0603551d23041830168014fe13c7" 82 "db459bd2881e9113198e1f072e16cea144300c0603551d13040530030101ff30" 83 "0d06092a864886f70d01010b05000382010100a163d636ac64bd6f67eca53708" 84 "5f92abc993a40fd0c0222a56b262c29f88057a3edf9abac024756ad85d7453d8" 85 "4782e0be65d176aecfb0fbfc88ca567d17124fa190cb5ce832264360dd6daee1" 86 "e121428de28dda0b8ba117a1be3cf438efd060a3b5fc812e7eba70cec12cb609" 87 "738fc7d0912546c42b5aaadb142adce2167c7f30cd9e0049687d384334335aff" 88 "72aebd1745a0aac4be816365969347f064f36f7fdec69f970f28b87061650470" 89 "c63be8475bb23d0485985fb77c7cdd9d9fe008211a9ddd0fe68efb0b47cf629c" 90 "941d31e3c2f88e670e7e4ef1129febad000e6a16222779fbfe34641e5243ca38" 91 "74e2ad06f9585a00bec014744d3175ecc4808d"; 92 93std::string HexDecode(const std::string hex) { 94 std::vector<uint8_t> output; 95 CHECK(base::HexStringToBytes(hex, &output)); 96 return std::string(reinterpret_cast<char*>(output.data()), output.size()); 97} 98 99class ScopedFakeSalt { 100 public: 101 ScopedFakeSalt() : salt_(128, 0) { 102 brillo::cryptohome::home::SetSystemSalt(&salt_); 103 } 104 ~ScopedFakeSalt() { brillo::cryptohome::home::SetSystemSalt(nullptr); } 105 106 private: 107 std::string salt_; 108}; 109 110class ScopedDisableVerboseLogging { 111 public: 112 ScopedDisableVerboseLogging() 113 : original_severity_(logging::GetMinLogLevel()) { 114 logging::SetMinLogLevel(logging::LOG_INFO); 115 } 116 ~ScopedDisableVerboseLogging() { 117 logging::SetMinLogLevel(original_severity_); 118 } 119 120 private: 121 logging::LogSeverity original_severity_; 122}; 123 124} // namespace 125 126namespace attestation { 127 128typedef chaps::ChapsProxyMock Pkcs11Mock; 129 130// Implements a fake PKCS #11 object store. Labeled data blobs can be stored 131// and later retrieved. The mocked interface is ChapsInterface so these 132// tests must be linked with the Chaps PKCS #11 library. The mock class itself 133// is part of the Chaps package; it is reused here to avoid duplication (see 134// chaps_proxy_mock.h). 135class KeyStoreTest : public testing::Test { 136 public: 137 KeyStoreTest() 138 : pkcs11_(false), // Do not pre-initialize the mock PKCS #11 library. 139 // This just controls whether the first call to 140 // C_Initialize returns 'already initialized'. 141 next_handle_(1) {} 142 ~KeyStoreTest() override = default; 143 144 void SetUp() override { 145 std::vector<uint64_t> slot_list = {0, 1}; 146 ON_CALL(pkcs11_, GetSlotList(_, _, _)) 147 .WillByDefault(DoAll(SetArgumentPointee<2>(slot_list), Return(0))); 148 ON_CALL(pkcs11_, OpenSession(_, _, _, _)) 149 .WillByDefault(DoAll(SetArgumentPointee<3>(kSession), Return(0))); 150 ON_CALL(pkcs11_, CloseSession(_, _)).WillByDefault(Return(0)); 151 ON_CALL(pkcs11_, CreateObject(_, _, _, _)) 152 .WillByDefault(Invoke(this, &KeyStoreTest::CreateObject)); 153 ON_CALL(pkcs11_, DestroyObject(_, _, _)) 154 .WillByDefault(Invoke(this, &KeyStoreTest::DestroyObject)); 155 ON_CALL(pkcs11_, GetAttributeValue(_, _, _, _, _)) 156 .WillByDefault(Invoke(this, &KeyStoreTest::GetAttributeValue)); 157 ON_CALL(pkcs11_, SetAttributeValue(_, _, _, _)) 158 .WillByDefault(Invoke(this, &KeyStoreTest::SetAttributeValue)); 159 ON_CALL(pkcs11_, FindObjectsInit(_, _, _)) 160 .WillByDefault(Invoke(this, &KeyStoreTest::FindObjectsInit)); 161 ON_CALL(pkcs11_, FindObjects(_, _, _, _)) 162 .WillByDefault(Invoke(this, &KeyStoreTest::FindObjects)); 163 ON_CALL(pkcs11_, FindObjectsFinal(_, _)).WillByDefault(Return(0)); 164 base::FilePath system_path("/var/lib/chaps"); 165 ON_CALL(token_manager_, GetTokenPath(_, 0, _)) 166 .WillByDefault(DoAll(SetArgumentPointee<2>(system_path), Return(true))); 167 base::FilePath user_path( 168 brillo::cryptohome::home::GetDaemonPath(kDefaultUser, "chaps")); 169 ON_CALL(token_manager_, GetTokenPath(_, 1, _)) 170 .WillByDefault(DoAll(SetArgumentPointee<2>(user_path), Return(true))); 171 } 172 173 // Stores a new labeled object, only CKA_LABEL and CKA_VALUE are relevant. 174 virtual uint32_t CreateObject(const brillo::SecureBlob& isolate, 175 uint64_t session_id, 176 const std::vector<uint8_t>& attributes, 177 uint64_t* new_object_handle) { 178 *new_object_handle = next_handle_++; 179 std::string label = GetValue(attributes, CKA_LABEL); 180 handles_[*new_object_handle] = label; 181 values_[label] = GetValue(attributes, CKA_VALUE); 182 labels_[label] = *new_object_handle; 183 return CKR_OK; 184 } 185 186 // Deletes a labeled object. 187 virtual uint32_t DestroyObject(const brillo::SecureBlob& isolate, 188 uint64_t session_id, 189 uint64_t object_handle) { 190 std::string label = handles_[object_handle]; 191 handles_.erase(object_handle); 192 values_.erase(label); 193 labels_.erase(label); 194 return CKR_OK; 195 } 196 197 // Supports reading CKA_VALUE. 198 virtual uint32_t GetAttributeValue(const brillo::SecureBlob& isolate, 199 uint64_t session_id, 200 uint64_t object_handle, 201 const std::vector<uint8_t>& attributes_in, 202 std::vector<uint8_t>* attributes_out) { 203 std::string label = handles_[object_handle]; 204 std::string value = values_[label]; 205 chaps::Attributes parsed; 206 parsed.Parse(attributes_in); 207 if (parsed.num_attributes() == 1 && 208 parsed.attributes()[0].type == CKA_LABEL) 209 value = label; 210 if (parsed.num_attributes() != 1 || 211 (parsed.attributes()[0].type != CKA_VALUE && 212 parsed.attributes()[0].type != CKA_LABEL) || 213 (parsed.attributes()[0].pValue && 214 parsed.attributes()[0].ulValueLen != value.size())) 215 return CKR_GENERAL_ERROR; 216 parsed.attributes()[0].ulValueLen = value.size(); 217 if (parsed.attributes()[0].pValue) 218 memcpy(parsed.attributes()[0].pValue, value.data(), value.size()); 219 parsed.Serialize(attributes_out); 220 return CKR_OK; 221 } 222 223 // Supports writing CKA_VALUE. 224 virtual uint32_t SetAttributeValue(const brillo::SecureBlob& isolate, 225 uint64_t session_id, 226 uint64_t object_handle, 227 const std::vector<uint8_t>& attributes) { 228 values_[handles_[object_handle]] = GetValue(attributes, CKA_VALUE); 229 return CKR_OK; 230 } 231 232 // Finds stored objects by CKA_LABEL or CKA_VALUE. If no CKA_LABEL or 233 // CKA_VALUE, find all objects. 234 virtual uint32_t FindObjectsInit(const brillo::SecureBlob& isolate, 235 uint64_t session_id, 236 const std::vector<uint8_t>& attributes) { 237 std::string label = GetValue(attributes, CKA_LABEL); 238 std::string value = GetValue(attributes, CKA_VALUE); 239 found_objects_.clear(); 240 if (label.empty() && value.empty()) { 241 // Find all objects. 242 found_objects_ = brillo::GetMapKeysAsVector(handles_); 243 } else if (!label.empty() && labels_.count(label) > 0) { 244 // Find only the object with |label|. 245 found_objects_.push_back(labels_[label]); 246 } else { 247 // Find all objects with |value|. 248 for (const auto& item : values_) { 249 if (item.second == value && labels_.count(item.first) > 0) { 250 found_objects_.push_back(labels_[item.first]); 251 } 252 } 253 } 254 return CKR_OK; 255 } 256 257 // Reports a 'found' object based on find_status_. 258 virtual uint32_t FindObjects(const brillo::SecureBlob& isolate, 259 uint64_t session_id, 260 uint64_t max_object_count, 261 std::vector<uint64_t>* object_list) { 262 while (!found_objects_.empty() && object_list->size() < max_object_count) { 263 object_list->push_back(found_objects_.back()); 264 found_objects_.pop_back(); 265 } 266 return CKR_OK; 267 } 268 269 protected: 270 NiceMock<Pkcs11Mock> pkcs11_; 271 NiceMock<chaps::TokenManagerClientMock> token_manager_; 272 273 private: 274 // A helper to pull the value for a given attribute out of a serialized 275 // template. 276 std::string GetValue(const std::vector<uint8_t>& attributes, 277 CK_ATTRIBUTE_TYPE type) { 278 chaps::Attributes parsed; 279 parsed.Parse(attributes); 280 CK_ATTRIBUTE_PTR array = parsed.attributes(); 281 for (CK_ULONG i = 0; i < parsed.num_attributes(); ++i) { 282 if (array[i].type == type) { 283 if (!array[i].pValue) 284 return ""; 285 return std::string(reinterpret_cast<char*>(array[i].pValue), 286 array[i].ulValueLen); 287 } 288 } 289 return ""; 290 } 291 292 std::map<std::string, std::string> values_; // The fake store: label->value 293 std::map<uint64_t, std::string> handles_; // The fake store: handle->label 294 std::map<std::string, uint64_t> labels_; // The fake store: label->handle 295 std::vector<uint64_t> found_objects_; // The most recent search results 296 uint64_t next_handle_; // Tracks handle assignment 297 ScopedFakeSalt fake_system_salt_; 298 // We want to avoid all the Chaps verbose logging. 299 ScopedDisableVerboseLogging no_verbose_logging; 300 301 DISALLOW_COPY_AND_ASSIGN(KeyStoreTest); 302}; 303 304// This test assumes that chaps in not available on the system running the test. 305// The purpose of this test is to exercise the C_Initialize failure code path. 306// Without a mock, the Chaps library will attempt to connect to the Chaps daemon 307// unsuccessfully, resulting in a C_Initialize failure. 308TEST(KeyStoreTest_NoMock, Pkcs11NotAvailable) { 309 chaps::TokenManagerClient token_manager; 310 Pkcs11KeyStore key_store(&token_manager); 311 std::string blob; 312 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 313 EXPECT_FALSE(key_store.Write(kDefaultUser, "test", blob)); 314 EXPECT_FALSE(key_store.Read("", "test", &blob)); 315 EXPECT_FALSE(key_store.Write("", "test", blob)); 316} 317 318// Exercises the key store when PKCS #11 returns success. This exercises all 319// non-error-handling code paths. 320TEST_F(KeyStoreTest, Pkcs11Success) { 321 Pkcs11KeyStore key_store(&token_manager_); 322 std::string blob; 323 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 324 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 325 EXPECT_TRUE(key_store.Read(kDefaultUser, "test", &blob)); 326 EXPECT_EQ("test_data", blob); 327 // Try with a different key name. 328 EXPECT_FALSE(key_store.Read(kDefaultUser, "test2", &blob)); 329 EXPECT_TRUE(key_store.Write(kDefaultUser, "test2", "test_data2")); 330 EXPECT_TRUE(key_store.Read(kDefaultUser, "test2", &blob)); 331 EXPECT_EQ("test_data2", blob); 332 // Read the original key again. 333 EXPECT_TRUE(key_store.Read(kDefaultUser, "test", &blob)); 334 EXPECT_EQ("test_data", blob); 335 // Replace key data. 336 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data3")); 337 EXPECT_TRUE(key_store.Read(kDefaultUser, "test", &blob)); 338 EXPECT_EQ("test_data3", blob); 339 // Delete key data. 340 EXPECT_TRUE(key_store.Delete(kDefaultUser, "test2")); 341 EXPECT_FALSE(key_store.Read(kDefaultUser, "test2", &blob)); 342 EXPECT_TRUE(key_store.Read(kDefaultUser, "test", &blob)); 343} 344 345TEST_F(KeyStoreTest, Pkcs11Success_NoUser) { 346 Pkcs11KeyStore key_store(&token_manager_); 347 std::string blob; 348 EXPECT_FALSE(key_store.Read("", "test", &blob)); 349 EXPECT_TRUE(key_store.Write("", "test", "test_data")); 350 EXPECT_TRUE(key_store.Read("", "test", &blob)); 351 EXPECT_EQ("test_data", blob); 352 // Try with a different key name. 353 EXPECT_FALSE(key_store.Read("", "test2", &blob)); 354 EXPECT_TRUE(key_store.Write("", "test2", "test_data2")); 355 EXPECT_TRUE(key_store.Read("", "test2", &blob)); 356 EXPECT_EQ("test_data2", blob); 357 // Read the original key again. 358 EXPECT_TRUE(key_store.Read("", "test", &blob)); 359 EXPECT_EQ("test_data", blob); 360 // Replace key data. 361 EXPECT_TRUE(key_store.Write("", "test", "test_data3")); 362 EXPECT_TRUE(key_store.Read("", "test", &blob)); 363 EXPECT_EQ("test_data3", blob); 364 // Delete key data. 365 EXPECT_TRUE(key_store.Delete("", "test2")); 366 EXPECT_FALSE(key_store.Read("", "test2", &blob)); 367 EXPECT_TRUE(key_store.Read("", "test", &blob)); 368} 369 370// Tests the key store when PKCS #11 has no token for the given user. 371TEST_F(KeyStoreTest, TokenNotAvailable) { 372 EXPECT_CALL(token_manager_, GetTokenPath(_, _, _)) 373 .WillRepeatedly(Return(false)); 374 Pkcs11KeyStore key_store(&token_manager_); 375 std::string blob; 376 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 377 EXPECT_FALSE(key_store.Write(kDefaultUser, "test", blob)); 378 EXPECT_FALSE(key_store.Read("", "test", &blob)); 379 EXPECT_FALSE(key_store.Write("", "test", blob)); 380} 381 382// Tests the key store when PKCS #11 fails to open a session. 383TEST_F(KeyStoreTest, NoSession) { 384 EXPECT_CALL(pkcs11_, OpenSession(_, _, _, _)) 385 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 386 Pkcs11KeyStore key_store(&token_manager_); 387 std::string blob; 388 EXPECT_FALSE(key_store.Write(kDefaultUser, "test", "test_data")); 389 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 390} 391 392// Tests the key store when PKCS #11 fails to create an object. 393TEST_F(KeyStoreTest, CreateObjectFail) { 394 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 395 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 396 Pkcs11KeyStore key_store(&token_manager_); 397 std::string blob; 398 EXPECT_FALSE(key_store.Write(kDefaultUser, "test", "test_data")); 399 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 400} 401 402// Tests the key store when PKCS #11 fails to read attribute values. 403TEST_F(KeyStoreTest, ReadValueFail) { 404 EXPECT_CALL(pkcs11_, GetAttributeValue(_, _, _, _, _)) 405 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 406 Pkcs11KeyStore key_store(&token_manager_); 407 std::string blob; 408 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 409 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 410} 411 412// Tests the key store when PKCS #11 fails to delete key data. 413TEST_F(KeyStoreTest, DeleteValueFail) { 414 EXPECT_CALL(pkcs11_, DestroyObject(_, _, _)) 415 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 416 Pkcs11KeyStore key_store(&token_manager_); 417 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 418 EXPECT_FALSE(key_store.Write(kDefaultUser, "test", "test_data2")); 419 EXPECT_FALSE(key_store.Delete(kDefaultUser, "test")); 420} 421 422// Tests the key store when PKCS #11 fails to find objects. Tests each part of 423// the multi-part find operation individually. 424TEST_F(KeyStoreTest, FindFail) { 425 EXPECT_CALL(pkcs11_, FindObjectsInit(_, _, _)) 426 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 427 Pkcs11KeyStore key_store(&token_manager_); 428 std::string blob; 429 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 430 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 431 432 EXPECT_CALL(pkcs11_, FindObjectsInit(_, _, _)).WillRepeatedly(Return(CKR_OK)); 433 EXPECT_CALL(pkcs11_, FindObjects(_, _, _, _)) 434 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 435 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 436 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 437 438 EXPECT_CALL(pkcs11_, FindObjects(_, _, _, _)).WillRepeatedly(Return(CKR_OK)); 439 EXPECT_CALL(pkcs11_, FindObjectsFinal(_, _)) 440 .WillRepeatedly(Return(CKR_GENERAL_ERROR)); 441 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 442 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 443} 444 445// Tests the key store when PKCS #11 successfully finds zero objects. 446TEST_F(KeyStoreTest, FindNoObjects) { 447 std::vector<uint64_t> empty; 448 EXPECT_CALL(pkcs11_, FindObjects(_, _, _, _)) 449 .WillRepeatedly(DoAll(SetArgumentPointee<3>(empty), Return(CKR_OK))); 450 Pkcs11KeyStore key_store(&token_manager_); 451 std::string blob; 452 EXPECT_TRUE(key_store.Write(kDefaultUser, "test", "test_data")); 453 EXPECT_FALSE(key_store.Read(kDefaultUser, "test", &blob)); 454} 455 456TEST_F(KeyStoreTest, RegisterKeyWithoutCertificate) { 457 Pkcs11KeyStore key_store(&token_manager_); 458 // Try with a malformed public key. 459 EXPECT_FALSE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 460 KEY_USAGE_SIGN, "private_key_blob", 461 "bad_pubkey", "")); 462 // Try with a well-formed public key. 463 std::string public_key_der = HexDecode(kValidPublicKeyHex); 464 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 465 .Times(2) // Public, private (no certificate). 466 .WillRepeatedly(Return(CKR_OK)); 467 EXPECT_TRUE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 468 KEY_USAGE_SIGN, "private_key_blob", 469 public_key_der, "")); 470} 471 472TEST_F(KeyStoreTest, RegisterKeyWithCertificate) { 473 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 474 .Times(3) // Public, private, and certificate. 475 .WillRepeatedly(Return(CKR_OK)); 476 Pkcs11KeyStore key_store(&token_manager_); 477 std::string public_key_der = HexDecode(kValidPublicKeyHex); 478 std::string certificate_der = HexDecode(kValidCertificateHex); 479 EXPECT_TRUE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 480 KEY_USAGE_SIGN, "private_key_blob", 481 public_key_der, certificate_der)); 482 // Also try with the system token. 483 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 484 .Times(3) // Public, private, and certificate. 485 .WillRepeatedly(Return(CKR_OK)); 486 EXPECT_TRUE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 487 KEY_USAGE_SIGN, "private_key_blob", 488 public_key_der, certificate_der)); 489} 490 491TEST_F(KeyStoreTest, RegisterKeyWithBadCertificate) { 492 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 493 .Times(3) // Public, private, and certificate. 494 .WillRepeatedly(Return(CKR_OK)); 495 Pkcs11KeyStore key_store(&token_manager_); 496 std::string public_key_der = HexDecode(kValidPublicKeyHex); 497 EXPECT_TRUE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 498 KEY_USAGE_SIGN, "private_key_blob", 499 public_key_der, "bad_certificate")); 500} 501 502TEST_F(KeyStoreTest, RegisterWithUnsupportedKeyType) { 503 Pkcs11KeyStore key_store(&token_manager_); 504 std::string public_key_der = HexDecode(kValidPublicKeyHex); 505 EXPECT_FALSE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_ECC, 506 KEY_USAGE_SIGN, "private_key_blob", 507 public_key_der, "")); 508} 509 510TEST_F(KeyStoreTest, RegisterDecryptionKey) { 511 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)).WillRepeatedly(Return(CKR_OK)); 512 Pkcs11KeyStore key_store(&token_manager_); 513 std::string public_key_der = HexDecode(kValidPublicKeyHex); 514 EXPECT_TRUE(key_store.Register(kDefaultUser, "test_label", KEY_TYPE_RSA, 515 KEY_USAGE_DECRYPT, "private_key_blob", 516 public_key_der, "")); 517} 518 519TEST_F(KeyStoreTest, RegisterCertificate) { 520 Pkcs11KeyStore key_store(&token_manager_); 521 std::string certificate_der = HexDecode(kValidCertificateHex); 522 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 523 .Times(2); // Once for valid, once for invalid. 524 // Try with a valid certificate (hit multiple times to check dup logic). 525 EXPECT_TRUE(key_store.RegisterCertificate(kDefaultUser, certificate_der)); 526 EXPECT_TRUE(key_store.RegisterCertificate(kDefaultUser, certificate_der)); 527 EXPECT_TRUE(key_store.RegisterCertificate(kDefaultUser, certificate_der)); 528 // Try with an invalid certificate. 529 EXPECT_TRUE(key_store.RegisterCertificate(kDefaultUser, "bad_certificate")); 530} 531 532TEST_F(KeyStoreTest, RegisterCertificateError) { 533 Pkcs11KeyStore key_store(&token_manager_); 534 std::string certificate_der = HexDecode(kValidCertificateHex); 535 // Handle an error from PKCS #11. 536 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)) 537 .WillOnce(Return(CKR_GENERAL_ERROR)); 538 EXPECT_FALSE(key_store.RegisterCertificate(kDefaultUser, certificate_der)); 539} 540 541TEST_F(KeyStoreTest, RegisterCertificateSystemToken) { 542 Pkcs11KeyStore key_store(&token_manager_); 543 std::string certificate_der = HexDecode(kValidCertificateHex); 544 // Try with the system token. 545 EXPECT_CALL(pkcs11_, CreateObject(_, _, _, _)).WillOnce(Return(CKR_OK)); 546 EXPECT_TRUE(key_store.RegisterCertificate(kDefaultUser, certificate_der)); 547} 548 549// Tests that the DeleteByPrefix() method removes the correct objects and only 550// the correct objects. 551TEST_F(KeyStoreTest, DeleteByPrefix) { 552 Pkcs11KeyStore key_store(&token_manager_); 553 554 // Test with no keys. 555 ASSERT_TRUE(key_store.DeleteByPrefix(kDefaultUser, "prefix")); 556 557 // Test with a single matching key. 558 ASSERT_TRUE(key_store.Write(kDefaultUser, "prefix_test", "test")); 559 ASSERT_TRUE(key_store.DeleteByPrefix(kDefaultUser, "prefix")); 560 std::string blob; 561 EXPECT_FALSE(key_store.Read(kDefaultUser, "prefix_test", &blob)); 562 563 // Test with a single non-matching key. 564 ASSERT_TRUE(key_store.Write(kDefaultUser, "_prefix_", "test")); 565 ASSERT_TRUE(key_store.DeleteByPrefix(kDefaultUser, "prefix")); 566 EXPECT_TRUE(key_store.Read(kDefaultUser, "_prefix_", &blob)); 567 568 // Test with an empty prefix. 569 ASSERT_TRUE(key_store.DeleteByPrefix(kDefaultUser, "")); 570 EXPECT_FALSE(key_store.Read(kDefaultUser, "_prefix_", &blob)); 571 572 // Test with multiple matching and non-matching keys. 573 const int kNumKeys = 110; // Pkcs11KeyStore max is 100 for FindObjects. 574 key_store.Write(kDefaultUser, "other1", "test"); 575 for (int i = 0; i < kNumKeys; ++i) { 576 std::string key_name = std::string("prefix") + base::IntToString(i); 577 key_store.Write(kDefaultUser, key_name, std::string(key_name)); 578 } 579 ASSERT_TRUE(key_store.Write(kDefaultUser, "other2", "test")); 580 ASSERT_TRUE(key_store.DeleteByPrefix(kDefaultUser, "prefix")); 581 EXPECT_TRUE(key_store.Read(kDefaultUser, "other1", &blob)); 582 EXPECT_TRUE(key_store.Read(kDefaultUser, "other2", &blob)); 583 for (int i = 0; i < kNumKeys; ++i) { 584 std::string key_name = std::string("prefix") + base::IntToString(i); 585 EXPECT_FALSE(key_store.Read(kDefaultUser, key_name, &blob)); 586 } 587} 588 589} // namespace attestation 590