trunks_client_test.h revision 30c921db09d27768acc1ea0d8b6a9c8e814f931a
1// 2// Copyright (C) 2015 The Android Open Source Project 3// 4// Licensed under the Apache License, Version 2.0 (the "License"); 5// you may not use this file except in compliance with the License. 6// You may obtain a copy of the License at 7// 8// http://www.apache.org/licenses/LICENSE-2.0 9// 10// Unless required by applicable law or agreed to in writing, software 11// distributed under the License is distributed on an "AS IS" BASIS, 12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13// See the License for the specific language governing permissions and 14// limitations under the License. 15// 16 17#ifndef TRUNKS_TRUNKS_CLIENT_TEST_H_ 18#define TRUNKS_TRUNKS_CLIENT_TEST_H_ 19 20#include <memory> 21#include <string> 22 23#include "trunks/scoped_key_handle.h" 24#include "trunks/tpm_generated.h" 25#include "trunks/trunks_factory.h" 26 27namespace trunks { 28 29// This class is used to perform integration tests on the TPM. Each public 30// method defines a different test to perform. 31// NOTE: All these tests require that the TPM be owned, and SRKs exist. 32// Example usage: 33// TrunksClientTest test; 34// CHECK(test.RNGTest()); 35// CHECK(test.SimplePolicyTest()); 36class TrunksClientTest { 37 public: 38 TrunksClientTest(); 39 // Takes ownership of factory. 40 explicit TrunksClientTest(std::unique_ptr<TrunksFactory> factory); 41 virtual ~TrunksClientTest(); 42 43 // This test verifies that the Random Number Generator on the TPM is working 44 // correctly. 45 bool RNGTest(); 46 47 // This test verifies that we can create an unrestricted RSA signing key and 48 // use it to sign arbitrary data. 49 bool SignTest(); 50 51 // This test verfifies that we can create an unrestricted RSA decryption key 52 // and use it to encrypt and decrypt arbitrary data. 53 bool DecryptTest(); 54 55 // This test verifies that we can import a RSA key into the TPM and use it 56 // to encrypt and decrypt some data. 57 bool ImportTest(); 58 59 // This test verifies that we can change a key's authorization data and 60 // still use it to encrypt/decrypt data. 61 bool AuthChangeTest(); 62 63 // This test verifies that we can create a key and then confirm that it 64 // was created by the TPM. 65 bool VerifyKeyCreationTest(); 66 67 // This test verifies that we can seal a secret to the TPM and access 68 // it later. 69 bool SealedDataTest(); 70 71 // This test performs a simple PCR extension and then reads the value in the 72 // PCR to verify if it is correct. 73 // NOTE: PCR banks need to be configured for this test to succeed. Normally 74 // this is done by the platform firmware. 75 bool PCRTest(); 76 77 // This test sets up a PolicySession with the PolicyAuthValue assertion. 78 // This policy is then used to create a key and use it to sign/verify and 79 // encrypt/decrypt. 80 bool PolicyAuthValueTest(); 81 82 // This test sets up a PolicySession that is based on the current PCR value 83 // and a CommandCode for signing. The key created this way is restricted to 84 // be only used for signing, and only if the PCR remains unchanged. The key 85 // is then used to sign arbitrary data, and the signature verified. 86 bool PolicyAndTest(); 87 88 // This test performs a complex assertion using PolicyOR. 89 // We create an unrestricted key, and restricts it to signing 90 // and decryption using Policy Sessions. 91 bool PolicyOrTest(); 92 93 // This test verfies that we can create, write, read, lock and delete 94 // NV spaces in the TPM. 95 // NOTE: This test needs the |owner_password| to work. 96 bool NvramTest(const std::string& owner_password); 97 98 // This test uses many key handles simultaneously. 99 bool ManyKeysTest(); 100 101 // This test uses many sessions simultaneously. 102 bool ManySessionsTest(); 103 104 private: 105 // This method verifies that plaintext == decrypt(encrypt(plaintext)) using 106 // a given key. 107 // TODO(usanghi): Remove |session| argument once we can support multiple 108 // sessions. 109 bool PerformRSAEncrpytAndDecrpyt(TPM_HANDLE key_handle, 110 const std::string& key_authorization, 111 HmacSession* session); 112 113 // Generates an RSA key pair in software. The |modulus| and |prime_factor| 114 // must not be NULL and will be populated with values that can be imported 115 // into the TPM. The |public_key| may be NULL, but if it is not, will be 116 // populated with a value that can be used with VerifyRSASignature. 117 void GenerateRSAKeyPair(std::string* modulus, 118 std::string* prime_factor, 119 std::string* public_key); 120 121 // Verifies an RSA-SSA-SHA256 |signature| over the given |data|. The 122 // |public_key| is as produced by GenerateRSAKeyPair(). Returns true on 123 // success. 124 bool VerifyRSASignature(const std::string& public_key, 125 const std::string& data, 126 const std::string& signature); 127 128 // Loads an arbitrary RSA signing key and provides the |key_handle| and the 129 // |public_key|. Returns true on success. 130 bool LoadSigningKey(ScopedKeyHandle* key_handle, std::string* public_key); 131 132 // Signs arbitrary data with |key_handle| authorized by |delegate| and 133 // verifies the signature with |public_key|. Returns true on success. 134 bool SignAndVerify(const ScopedKeyHandle& key_handle, 135 const std::string& public_key, 136 AuthorizationDelegate* delegate); 137 138 // Factory for instantiation of Tpm classes 139 std::unique_ptr<TrunksFactory> factory_; 140 141 DISALLOW_COPY_AND_ASSIGN(TrunksClientTest); 142}; 143 144} // namespace trunks 145 146#endif // TRUNKS_TRUNKS_CLIENT_TEST_H_ 147