trunks_client_test.h revision 30c921db09d27768acc1ea0d8b6a9c8e814f931a 
1//
2// Copyright (C) 2015 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17#ifndef TRUNKS_TRUNKS_CLIENT_TEST_H_
18#define TRUNKS_TRUNKS_CLIENT_TEST_H_
19
20#include <memory>
21#include <string>
22
23#include "trunks/scoped_key_handle.h"
24#include "trunks/tpm_generated.h"
25#include "trunks/trunks_factory.h"
26
27namespace trunks {
28
29// This class is used to perform integration tests on the TPM. Each public
30// method defines a different test to perform.
31// NOTE: All these tests require that the TPM be owned, and SRKs exist.
32// Example usage:
33// TrunksClientTest test;
34// CHECK(test.RNGTest());
35// CHECK(test.SimplePolicyTest());
36class TrunksClientTest {
37 public:
38  TrunksClientTest();
39  // Takes ownership of factory.
40  explicit TrunksClientTest(std::unique_ptr<TrunksFactory> factory);
41  virtual ~TrunksClientTest();
42
43  // This test verifies that the Random Number Generator on the TPM is working
44  // correctly.
45  bool RNGTest();
46
47  // This test verifies that we can create an unrestricted RSA signing key and
48  // use it to sign arbitrary data.
49  bool SignTest();
50
51  // This test verfifies that we can create an unrestricted RSA decryption key
52  // and use it to encrypt and decrypt arbitrary data.
53  bool DecryptTest();
54
55  // This test verifies that we can import a RSA key into the TPM and use it
56  // to encrypt and decrypt some data.
57  bool ImportTest();
58
59  // This test verifies that we can change a key's authorization data and
60  // still use it to encrypt/decrypt data.
61  bool AuthChangeTest();
62
63  // This test verifies that we can create a key and then confirm that it
64  // was created by the TPM.
65  bool VerifyKeyCreationTest();
66
67  // This test verifies that we can seal a secret to the TPM and access
68  // it later.
69  bool SealedDataTest();
70
71  // This test performs a simple PCR extension and then reads the value in the
72  // PCR to verify if it is correct.
73  // NOTE: PCR banks need to be configured for this test to succeed. Normally
74  // this is done by the platform firmware.
75  bool PCRTest();
76
77  // This test sets up a PolicySession with the PolicyAuthValue assertion.
78  // This policy is then used to create a key and use it to sign/verify and
79  // encrypt/decrypt.
80  bool PolicyAuthValueTest();
81
82  // This test sets up a PolicySession that is based on the current PCR value
83  // and a CommandCode for signing. The key created this way is restricted to
84  // be only used for signing, and only if the PCR remains unchanged. The key
85  // is then used to sign arbitrary data, and the signature verified.
86  bool PolicyAndTest();
87
88  // This test performs a complex assertion using PolicyOR.
89  // We create an unrestricted key, and restricts it to signing
90  // and decryption using Policy Sessions.
91  bool PolicyOrTest();
92
93  // This test verfies that we can create, write, read, lock and delete
94  // NV spaces in the TPM.
95  // NOTE: This test needs the |owner_password| to work.
96  bool NvramTest(const std::string& owner_password);
97
98  // This test uses many key handles simultaneously.
99  bool ManyKeysTest();
100
101  // This test uses many sessions simultaneously.
102  bool ManySessionsTest();
103
104 private:
105  // This method verifies that plaintext == decrypt(encrypt(plaintext)) using
106  // a given key.
107  // TODO(usanghi): Remove |session| argument once we can support multiple
108  // sessions.
109  bool PerformRSAEncrpytAndDecrpyt(TPM_HANDLE key_handle,
110                                   const std::string& key_authorization,
111                                   HmacSession* session);
112
113  // Generates an RSA key pair in software. The |modulus| and |prime_factor|
114  // must not be NULL and will be populated with values that can be imported
115  // into the TPM. The |public_key| may be NULL, but if it is not, will be
116  // populated with a value that can be used with VerifyRSASignature.
117  void GenerateRSAKeyPair(std::string* modulus,
118                          std::string* prime_factor,
119                          std::string* public_key);
120
121  // Verifies an RSA-SSA-SHA256 |signature| over the given |data|. The
122  // |public_key| is as produced by GenerateRSAKeyPair(). Returns true on
123  // success.
124  bool VerifyRSASignature(const std::string& public_key,
125                          const std::string& data,
126                          const std::string& signature);
127
128  // Loads an arbitrary RSA signing key and provides the |key_handle| and the
129  // |public_key|. Returns true on success.
130  bool LoadSigningKey(ScopedKeyHandle* key_handle, std::string* public_key);
131
132  // Signs arbitrary data with |key_handle| authorized by |delegate| and
133  // verifies the signature with |public_key|. Returns true on success.
134  bool SignAndVerify(const ScopedKeyHandle& key_handle,
135                     const std::string& public_key,
136                     AuthorizationDelegate* delegate);
137
138  // Factory for instantiation of Tpm classes
139  std::unique_ptr<TrunksFactory> factory_;
140
141  DISALLOW_COPY_AND_ASSIGN(TrunksClientTest);
142};
143
144}  // namespace trunks
145
146#endif  // TRUNKS_TRUNKS_CLIENT_TEST_H_
147