Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Robert Berry | 9e1bd36 | 2018-01-17 23:28:45 +0000 | [diff] [blame] | 19 | import static android.security.keystore.KeychainProtectionParams.TYPE_LOCKSCREEN; |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 20 | |
Robert Berry | 9e1bd36 | 2018-01-17 23:28:45 +0000 | [diff] [blame] | 21 | import static android.security.keystore.KeychainProtectionParams.TYPE_PASSWORD; |
| 22 | import static android.security.keystore.KeychainProtectionParams.TYPE_PATTERN; |
| 23 | import static android.security.keystore.KeychainProtectionParams.TYPE_PIN; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 24 | |
| 25 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
| 26 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; |
| 27 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 28 | import static com.google.common.truth.Truth.assertThat; |
| 29 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 30 | import static org.junit.Assert.assertArrayEquals; |
| 31 | import static org.junit.Assert.assertEquals; |
| 32 | import static org.junit.Assert.assertFalse; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 33 | import static org.junit.Assert.assertNull; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 34 | import static org.junit.Assert.assertTrue; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 35 | import static org.mockito.Mockito.never; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 36 | import static org.mockito.Mockito.verify; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 37 | import static org.mockito.Mockito.when; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 38 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 39 | import android.content.Context; |
| 40 | import android.security.keystore.AndroidKeyStoreSecretKey; |
| 41 | import android.security.keystore.KeyGenParameterSpec; |
| 42 | import android.security.keystore.KeyProperties; |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 43 | import android.security.keystore.KeyDerivationParams; |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 44 | import android.security.keystore.KeychainSnapshot; |
| 45 | import android.security.keystore.WrappedApplicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 46 | import android.support.test.InstrumentationRegistry; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 47 | import android.support.test.filters.SmallTest; |
| 48 | import android.support.test.runner.AndroidJUnit4; |
| 49 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 50 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 51 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 52 | |
| 53 | import org.junit.After; |
| 54 | import org.junit.Before; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 55 | import org.junit.Test; |
| 56 | import org.junit.runner.RunWith; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 57 | import org.mockito.Mock; |
| 58 | import org.mockito.MockitoAnnotations; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 59 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 60 | import java.io.File; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 61 | import java.nio.charset.StandardCharsets; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 62 | import java.security.KeyPair; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 63 | import java.util.Arrays; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 64 | import java.util.List; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 65 | import java.util.Random; |
| 66 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 67 | import javax.crypto.KeyGenerator; |
| 68 | import javax.crypto.SecretKey; |
| 69 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 70 | @SmallTest |
| 71 | @RunWith(AndroidJUnit4.class) |
| 72 | public class KeySyncTaskTest { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 73 | private static final String KEY_ALGORITHM = "AES"; |
| 74 | private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore"; |
| 75 | private static final String WRAPPING_KEY_ALIAS = "KeySyncTaskTest/WrappingKey"; |
| 76 | private static final String DATABASE_FILE_NAME = "recoverablekeystore.db"; |
| 77 | private static final int TEST_USER_ID = 1000; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 78 | private static final int TEST_RECOVERY_AGENT_UID = 10009; |
| 79 | private static final int TEST_RECOVERY_AGENT_UID2 = 10010; |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 80 | private static final byte[] TEST_VAULT_HANDLE = |
| 81 | new byte[]{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 14, 15, 16, 17}; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 82 | private static final String TEST_APP_KEY_ALIAS = "rcleaver"; |
| 83 | private static final int TEST_GENERATION_ID = 2; |
| 84 | private static final int TEST_CREDENTIAL_TYPE = CREDENTIAL_TYPE_PASSWORD; |
| 85 | private static final String TEST_CREDENTIAL = "password1234"; |
| 86 | private static final byte[] THM_ENCRYPTED_RECOVERY_KEY_HEADER = |
| 87 | "V1 THM_encrypted_recovery_key".getBytes(StandardCharsets.UTF_8); |
| 88 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 89 | @Mock private PlatformKeyManager mPlatformKeyManager; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 90 | @Mock private RecoverySnapshotListenersStorage mSnapshotListenersStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 91 | |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 92 | private RecoverySnapshotStorage mRecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 93 | private RecoverableKeyStoreDb mRecoverableKeyStoreDb; |
| 94 | private File mDatabaseFile; |
| 95 | private KeyPair mKeyPair; |
| 96 | private AndroidKeyStoreSecretKey mWrappingKey; |
| 97 | private PlatformEncryptionKey mEncryptKey; |
| 98 | |
| 99 | private KeySyncTask mKeySyncTask; |
| 100 | |
| 101 | @Before |
| 102 | public void setUp() throws Exception { |
| 103 | MockitoAnnotations.initMocks(this); |
| 104 | |
| 105 | Context context = InstrumentationRegistry.getTargetContext(); |
| 106 | mDatabaseFile = context.getDatabasePath(DATABASE_FILE_NAME); |
| 107 | mRecoverableKeyStoreDb = RecoverableKeyStoreDb.newInstance(context); |
| 108 | mKeyPair = SecureBox.genKeyPair(); |
| 109 | |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 110 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 111 | new int[] {TYPE_LOCKSCREEN}); |
| 112 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
| 113 | new int[] {TYPE_LOCKSCREEN}); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 114 | mRecoverySnapshotStorage = new RecoverySnapshotStorage(); |
| 115 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 116 | mKeySyncTask = new KeySyncTask( |
| 117 | mRecoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 118 | mRecoverySnapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 119 | mSnapshotListenersStorage, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 120 | TEST_USER_ID, |
| 121 | TEST_CREDENTIAL_TYPE, |
| 122 | TEST_CREDENTIAL, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 123 | /*credentialUpdated=*/ false, |
Robert Berry | aa3f4ca | 2017-12-27 10:53:58 +0000 | [diff] [blame] | 124 | () -> mPlatformKeyManager); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 125 | |
| 126 | mWrappingKey = generateAndroidKeyStoreKey(); |
| 127 | mEncryptKey = new PlatformEncryptionKey(TEST_GENERATION_ID, mWrappingKey); |
Bo Zhu | 3462c83 | 2018-01-04 22:42:36 -0800 | [diff] [blame] | 128 | when(mPlatformKeyManager.getDecryptKey(TEST_USER_ID)).thenReturn( |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 129 | new PlatformDecryptionKey(TEST_GENERATION_ID, mWrappingKey)); |
| 130 | } |
| 131 | |
| 132 | @After |
| 133 | public void tearDown() { |
| 134 | mRecoverableKeyStoreDb.close(); |
| 135 | mDatabaseFile.delete(); |
| 136 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 137 | |
| 138 | @Test |
| 139 | public void isPin_isTrueForNumericString() { |
| 140 | assertTrue(KeySyncTask.isPin("3298432574398654376547")); |
| 141 | } |
| 142 | |
| 143 | @Test |
| 144 | public void isPin_isFalseForStringContainingLetters() { |
| 145 | assertFalse(KeySyncTask.isPin("398i54369548654")); |
| 146 | } |
| 147 | |
| 148 | @Test |
| 149 | public void isPin_isFalseForStringContainingSymbols() { |
| 150 | assertFalse(KeySyncTask.isPin("-3987543643")); |
| 151 | } |
| 152 | |
| 153 | @Test |
| 154 | public void hashCredentials_returnsSameHashForSameCredentialsAndSalt() { |
| 155 | String credentials = "password1234"; |
| 156 | byte[] salt = randomBytes(16); |
| 157 | |
| 158 | assertArrayEquals( |
| 159 | KeySyncTask.hashCredentials(salt, credentials), |
| 160 | KeySyncTask.hashCredentials(salt, credentials)); |
| 161 | } |
| 162 | |
| 163 | @Test |
| 164 | public void hashCredentials_returnsDifferentHashForDifferentCredentials() { |
| 165 | byte[] salt = randomBytes(16); |
| 166 | |
| 167 | assertFalse( |
| 168 | Arrays.equals( |
| 169 | KeySyncTask.hashCredentials(salt, "password1234"), |
| 170 | KeySyncTask.hashCredentials(salt, "password12345"))); |
| 171 | } |
| 172 | |
| 173 | @Test |
| 174 | public void hashCredentials_returnsDifferentHashForDifferentSalt() { |
| 175 | String credentials = "wowmuch"; |
| 176 | |
| 177 | assertFalse( |
| 178 | Arrays.equals( |
| 179 | KeySyncTask.hashCredentials(randomBytes(64), credentials), |
| 180 | KeySyncTask.hashCredentials(randomBytes(64), credentials))); |
| 181 | } |
| 182 | |
| 183 | @Test |
| 184 | public void hashCredentials_returnsDifferentHashEvenIfConcatIsSame() { |
| 185 | assertFalse( |
| 186 | Arrays.equals( |
| 187 | KeySyncTask.hashCredentials(utf8Bytes("123"), "4567"), |
| 188 | KeySyncTask.hashCredentials(utf8Bytes("1234"), "567"))); |
| 189 | } |
| 190 | |
| 191 | @Test |
| 192 | public void getUiFormat_returnsPinIfPin() { |
| 193 | assertEquals(TYPE_PIN, |
| 194 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234")); |
| 195 | } |
| 196 | |
| 197 | @Test |
| 198 | public void getUiFormat_returnsPasswordIfPassword() { |
| 199 | assertEquals(TYPE_PASSWORD, |
| 200 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234a")); |
| 201 | } |
| 202 | |
| 203 | @Test |
| 204 | public void getUiFormat_returnsPatternIfPattern() { |
| 205 | assertEquals(TYPE_PATTERN, |
| 206 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PATTERN, "1234")); |
| 207 | |
| 208 | } |
| 209 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 210 | @Test |
| 211 | public void run_doesNotSendAnythingIfNoKeysToSync() throws Exception { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 212 | mKeySyncTask.run(); |
| 213 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 214 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
| 215 | } |
| 216 | |
| 217 | @Test |
| 218 | public void run_doesNotSendAnythingIfSnapshotIsUpToDate() throws Exception { |
| 219 | mKeySyncTask.run(); |
| 220 | |
| 221 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 222 | } |
| 223 | |
| 224 | @Test |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 225 | public void run_doesNotSendAnythingIfNoRecoveryAgentSet() throws Exception { |
| 226 | SecretKey applicationKey = generateKey(); |
| 227 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 228 | mRecoverableKeyStoreDb.insertKey( |
| 229 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 230 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 231 | TEST_APP_KEY_ALIAS, |
| 232 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 233 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 234 | |
| 235 | mKeySyncTask.run(); |
| 236 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 237 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 238 | } |
| 239 | |
| 240 | @Test |
| 241 | public void run_doesNotSendAnythingIfNoRecoveryAgentPendingIntentRegistered() throws Exception { |
| 242 | SecretKey applicationKey = generateKey(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 243 | mRecoverableKeyStoreDb.setServerParams( |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 244 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 245 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 246 | mRecoverableKeyStoreDb.insertKey( |
| 247 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 248 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 249 | TEST_APP_KEY_ALIAS, |
| 250 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 251 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 252 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 253 | |
| 254 | mKeySyncTask.run(); |
| 255 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 256 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 257 | } |
| 258 | |
| 259 | @Test |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 260 | public void run_doesNotSendAnythingIfNoDeviceIdIsSet() throws Exception { |
| 261 | SecretKey applicationKey = generateKey(); |
| 262 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 263 | mRecoverableKeyStoreDb.insertKey( |
| 264 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 265 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 266 | TEST_APP_KEY_ALIAS, |
| 267 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 268 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 269 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 270 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 271 | |
| 272 | mKeySyncTask.run(); |
| 273 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 274 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 275 | } |
| 276 | |
| 277 | @Test |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 278 | public void run_sendsEncryptedKeysIfAvailableToSync() throws Exception { |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 279 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 280 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 281 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 282 | SecretKey applicationKey = |
| 283 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 284 | mKeySyncTask.run(); |
| 285 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 286 | KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 287 | KeyDerivationParams KeyDerivationParams = |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 288 | keychainSnapshot.getKeychainProtectionParams().get(0).getKeyDerivationParams(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 289 | assertThat(KeyDerivationParams.getAlgorithm()).isEqualTo( |
| 290 | KeyDerivationParams.ALGORITHM_SHA256); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 291 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 292 | byte[] lockScreenHash = KeySyncTask.hashCredentials( |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 293 | KeyDerivationParams.getSalt(), |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 294 | TEST_CREDENTIAL); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 295 | Long counterId = mRecoverableKeyStoreDb.getCounterId(TEST_USER_ID, TEST_RECOVERY_AGENT_UID); |
| 296 | assertThat(counterId).isNotNull(); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 297 | byte[] recoveryKey = decryptThmEncryptedKey( |
| 298 | lockScreenHash, |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 299 | keychainSnapshot.getEncryptedRecoveryKeyBlob(), |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 300 | /*vaultParams=*/ KeySyncUtils.packVaultParams( |
| 301 | mKeyPair.getPublic(), |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 302 | counterId, |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 303 | /*maxAttempts=*/ 10, |
| 304 | TEST_VAULT_HANDLE)); |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 305 | List<WrappedApplicationKey> applicationKeys = keychainSnapshot.getWrappedApplicationKeys(); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 306 | assertThat(applicationKeys).hasSize(1); |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 307 | WrappedApplicationKey keyData = applicationKeys.get(0); |
Dmitry Dementyev | 07c76555 | 2018-01-08 17:31:59 -0800 | [diff] [blame] | 308 | assertEquals(TEST_APP_KEY_ALIAS, keyData.getAlias()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 309 | assertThat(keyData.getAlias()).isEqualTo(keyData.getAlias()); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 310 | byte[] appKey = KeySyncUtils.decryptApplicationKey( |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 311 | recoveryKey, keyData.getEncryptedKeyMaterial()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 312 | assertThat(appKey).isEqualTo(applicationKey.getEncoded()); |
| 313 | } |
| 314 | |
| 315 | @Test |
| 316 | public void run_setsCorrectSnapshotVersion() throws Exception { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 317 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 318 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 319 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 320 | SecretKey applicationKey = |
| 321 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 322 | |
| 323 | mKeySyncTask.run(); |
| 324 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 325 | KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 326 | assertThat(keychainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 327 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, true); |
| 328 | |
| 329 | mKeySyncTask.run(); |
| 330 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 331 | keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 332 | assertThat(keychainSnapshot.getSnapshotVersion()).isEqualTo(2); // Updated |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 333 | } |
| 334 | |
| 335 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 336 | public void run_setsCorrectTypeForPassword() throws Exception { |
| 337 | mKeySyncTask = new KeySyncTask( |
| 338 | mRecoverableKeyStoreDb, |
| 339 | mRecoverySnapshotStorage, |
| 340 | mSnapshotListenersStorage, |
| 341 | TEST_USER_ID, |
| 342 | CREDENTIAL_TYPE_PASSWORD, |
| 343 | "password", |
| 344 | /*credentialUpdated=*/ false, |
| 345 | () -> mPlatformKeyManager); |
| 346 | |
| 347 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 348 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 349 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 350 | SecretKey applicationKey = |
| 351 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 352 | |
| 353 | mKeySyncTask.run(); |
| 354 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 355 | KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 356 | assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1); |
| 357 | assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()). |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 358 | isEqualTo(TYPE_PASSWORD); |
| 359 | } |
| 360 | |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 361 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 362 | public void run_setsCorrectTypeForPin() throws Exception { |
| 363 | mKeySyncTask = new KeySyncTask( |
| 364 | mRecoverableKeyStoreDb, |
| 365 | mRecoverySnapshotStorage, |
| 366 | mSnapshotListenersStorage, |
| 367 | TEST_USER_ID, |
| 368 | CREDENTIAL_TYPE_PASSWORD, |
| 369 | /*credential=*/ "1234", |
| 370 | /*credentialUpdated=*/ false, |
| 371 | () -> mPlatformKeyManager); |
| 372 | |
| 373 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 374 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 375 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 376 | SecretKey applicationKey = |
| 377 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 378 | |
| 379 | mKeySyncTask.run(); |
| 380 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 381 | KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 382 | assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 383 | // Password with only digits is changed to pin. |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 384 | assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()). |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 385 | isEqualTo(TYPE_PIN); |
| 386 | } |
| 387 | |
| 388 | @Test |
| 389 | public void run_setsCorrectTypeForPattern() throws Exception { |
| 390 | mKeySyncTask = new KeySyncTask( |
| 391 | mRecoverableKeyStoreDb, |
| 392 | mRecoverySnapshotStorage, |
| 393 | mSnapshotListenersStorage, |
| 394 | TEST_USER_ID, |
| 395 | CREDENTIAL_TYPE_PATTERN, |
| 396 | "12345", |
| 397 | /*credentialUpdated=*/ false, |
| 398 | () -> mPlatformKeyManager); |
| 399 | |
| 400 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 401 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 402 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 403 | SecretKey applicationKey = |
| 404 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 405 | |
| 406 | mKeySyncTask.run(); |
| 407 | |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 408 | KeychainSnapshot keychainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 409 | assertThat(keychainSnapshot.getKeychainProtectionParams()).hasSize(1); |
| 410 | assertThat(keychainSnapshot.getKeychainProtectionParams().get(0).getLockScreenUiFormat()). |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 411 | isEqualTo(TYPE_PATTERN); |
| 412 | } |
| 413 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 414 | @Test |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 415 | public void run_sendsEncryptedKeysWithTwoRegisteredAgents() throws Exception { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 416 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 417 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 418 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 419 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 420 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 421 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 422 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 423 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 424 | mKeySyncTask.run(); |
| 425 | |
| 426 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 427 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 428 | } |
| 429 | |
| 430 | @Test |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 431 | public void run_sendsEncryptedKeysOnlyForAgentWhichActiveUserSecretType() throws Exception { |
| 432 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 433 | new int[] {TYPE_LOCKSCREEN, 1000}); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 434 | // Snapshot will not be created during unlock event. |
| 435 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 436 | new int[] {1000}); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 437 | |
| 438 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 439 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 440 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 441 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 442 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 443 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 444 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 445 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 446 | mKeySyncTask.run(); |
| 447 | |
| 448 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 449 | verify(mSnapshotListenersStorage, never()). |
| 450 | recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 451 | } |
| 452 | |
| 453 | @Test |
| 454 | public void run_doesNotSendKeyToNonregisteredAgent() throws Exception { |
| 455 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 456 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 457 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 458 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 459 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 460 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(false); |
| 461 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 462 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 463 | mKeySyncTask.run(); |
| 464 | |
| 465 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 466 | verify(mSnapshotListenersStorage, never()). |
| 467 | recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 468 | } |
| 469 | |
| 470 | private SecretKey addApplicationKey(int userId, int recoveryAgentUid, String alias) |
| 471 | throws Exception{ |
| 472 | SecretKey applicationKey = generateKey(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 473 | mRecoverableKeyStoreDb.setServerParams( |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 474 | userId, recoveryAgentUid, TEST_VAULT_HANDLE); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 475 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, TEST_GENERATION_ID); |
| 476 | |
| 477 | // Newly added key is not synced. |
| 478 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, recoveryAgentUid, true); |
| 479 | |
| 480 | mRecoverableKeyStoreDb.insertKey( |
| 481 | userId, |
| 482 | recoveryAgentUid, |
| 483 | alias, |
| 484 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 485 | return applicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 486 | } |
| 487 | |
| 488 | private byte[] decryptThmEncryptedKey( |
| 489 | byte[] lockScreenHash, byte[] encryptedKey, byte[] vaultParams) throws Exception { |
| 490 | byte[] locallyEncryptedKey = SecureBox.decrypt( |
| 491 | mKeyPair.getPrivate(), |
| 492 | /*sharedSecret=*/ KeySyncUtils.calculateThmKfHash(lockScreenHash), |
| 493 | /*header=*/ KeySyncUtils.concat(THM_ENCRYPTED_RECOVERY_KEY_HEADER, vaultParams), |
| 494 | encryptedKey |
| 495 | ); |
| 496 | return KeySyncUtils.decryptRecoveryKey(lockScreenHash, locallyEncryptedKey); |
| 497 | } |
| 498 | |
| 499 | private SecretKey generateKey() throws Exception { |
| 500 | KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM); |
| 501 | keyGenerator.init(/*keySize=*/ 256); |
| 502 | return keyGenerator.generateKey(); |
| 503 | } |
| 504 | |
| 505 | private AndroidKeyStoreSecretKey generateAndroidKeyStoreKey() throws Exception { |
| 506 | KeyGenerator keyGenerator = KeyGenerator.getInstance( |
| 507 | KEY_ALGORITHM, |
| 508 | ANDROID_KEY_STORE_PROVIDER); |
| 509 | keyGenerator.init(new KeyGenParameterSpec.Builder( |
| 510 | WRAPPING_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) |
| 511 | .setBlockModes(KeyProperties.BLOCK_MODE_GCM) |
| 512 | .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) |
| 513 | .build()); |
| 514 | return (AndroidKeyStoreSecretKey) keyGenerator.generateKey(); |
| 515 | } |
| 516 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 517 | private static byte[] utf8Bytes(String s) { |
| 518 | return s.getBytes(StandardCharsets.UTF_8); |
| 519 | } |
| 520 | |
| 521 | private static byte[] randomBytes(int n) { |
| 522 | byte[] bytes = new byte[n]; |
| 523 | new Random().nextBytes(bytes); |
| 524 | return bytes; |
| 525 | } |
| 526 | } |