Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 19 | import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 20 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 21 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD; |
| 22 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PATTERN; |
| 23 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PIN; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 24 | |
| 25 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
| 26 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; |
| 27 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 28 | import static com.google.common.truth.Truth.assertThat; |
| 29 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 30 | import static org.junit.Assert.assertArrayEquals; |
| 31 | import static org.junit.Assert.assertEquals; |
| 32 | import static org.junit.Assert.assertFalse; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 33 | import static org.junit.Assert.assertNull; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 34 | import static org.junit.Assert.assertTrue; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 35 | import static org.mockito.Mockito.never; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 36 | import static org.mockito.Mockito.verify; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 37 | import static org.mockito.Mockito.when; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 38 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 39 | import android.content.Context; |
| 40 | import android.security.keystore.AndroidKeyStoreSecretKey; |
| 41 | import android.security.keystore.KeyGenParameterSpec; |
| 42 | import android.security.keystore.KeyProperties; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 43 | import android.security.keystore.recovery.KeyDerivationParams; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 44 | import android.security.keystore.recovery.KeyChainSnapshot; |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 45 | import android.security.keystore.recovery.RecoveryController; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 46 | import android.security.keystore.recovery.WrappedApplicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 47 | import android.support.test.InstrumentationRegistry; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 48 | import android.support.test.filters.SmallTest; |
| 49 | import android.support.test.runner.AndroidJUnit4; |
| 50 | |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 51 | import android.util.Log; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 52 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 53 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 54 | |
| 55 | import org.junit.After; |
| 56 | import org.junit.Before; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 57 | import org.junit.Test; |
| 58 | import org.junit.runner.RunWith; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 59 | import org.mockito.Mock; |
| 60 | import org.mockito.MockitoAnnotations; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 61 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 62 | import java.io.File; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 63 | import java.nio.charset.StandardCharsets; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 64 | import java.security.KeyPair; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 65 | import java.util.Arrays; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 66 | import java.util.List; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 67 | import java.util.Random; |
| 68 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 69 | import javax.crypto.KeyGenerator; |
| 70 | import javax.crypto.SecretKey; |
| 71 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 72 | @SmallTest |
| 73 | @RunWith(AndroidJUnit4.class) |
| 74 | public class KeySyncTaskTest { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 75 | private static final String KEY_ALGORITHM = "AES"; |
| 76 | private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore"; |
| 77 | private static final String WRAPPING_KEY_ALIAS = "KeySyncTaskTest/WrappingKey"; |
| 78 | private static final String DATABASE_FILE_NAME = "recoverablekeystore.db"; |
| 79 | private static final int TEST_USER_ID = 1000; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 80 | private static final int TEST_RECOVERY_AGENT_UID = 10009; |
| 81 | private static final int TEST_RECOVERY_AGENT_UID2 = 10010; |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 82 | private static final byte[] TEST_VAULT_HANDLE = |
Bo Zhu | 31ccba1 | 2018-01-18 11:53:57 -0800 | [diff] [blame] | 83 | new byte[]{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17}; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 84 | private static final String TEST_APP_KEY_ALIAS = "rcleaver"; |
| 85 | private static final int TEST_GENERATION_ID = 2; |
| 86 | private static final int TEST_CREDENTIAL_TYPE = CREDENTIAL_TYPE_PASSWORD; |
| 87 | private static final String TEST_CREDENTIAL = "password1234"; |
| 88 | private static final byte[] THM_ENCRYPTED_RECOVERY_KEY_HEADER = |
| 89 | "V1 THM_encrypted_recovery_key".getBytes(StandardCharsets.UTF_8); |
| 90 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 91 | @Mock private PlatformKeyManager mPlatformKeyManager; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 92 | @Mock private RecoverySnapshotListenersStorage mSnapshotListenersStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 93 | |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 94 | private RecoverySnapshotStorage mRecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 95 | private RecoverableKeyStoreDb mRecoverableKeyStoreDb; |
| 96 | private File mDatabaseFile; |
| 97 | private KeyPair mKeyPair; |
| 98 | private AndroidKeyStoreSecretKey mWrappingKey; |
| 99 | private PlatformEncryptionKey mEncryptKey; |
| 100 | |
| 101 | private KeySyncTask mKeySyncTask; |
| 102 | |
| 103 | @Before |
| 104 | public void setUp() throws Exception { |
| 105 | MockitoAnnotations.initMocks(this); |
| 106 | |
| 107 | Context context = InstrumentationRegistry.getTargetContext(); |
| 108 | mDatabaseFile = context.getDatabasePath(DATABASE_FILE_NAME); |
| 109 | mRecoverableKeyStoreDb = RecoverableKeyStoreDb.newInstance(context); |
| 110 | mKeyPair = SecureBox.genKeyPair(); |
| 111 | |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 112 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 113 | new int[] {TYPE_LOCKSCREEN}); |
| 114 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
| 115 | new int[] {TYPE_LOCKSCREEN}); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 116 | mRecoverySnapshotStorage = new RecoverySnapshotStorage(); |
| 117 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 118 | mKeySyncTask = new KeySyncTask( |
| 119 | mRecoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 120 | mRecoverySnapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 121 | mSnapshotListenersStorage, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 122 | TEST_USER_ID, |
| 123 | TEST_CREDENTIAL_TYPE, |
| 124 | TEST_CREDENTIAL, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 125 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 126 | mPlatformKeyManager); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 127 | |
| 128 | mWrappingKey = generateAndroidKeyStoreKey(); |
| 129 | mEncryptKey = new PlatformEncryptionKey(TEST_GENERATION_ID, mWrappingKey); |
Bo Zhu | 3462c83 | 2018-01-04 22:42:36 -0800 | [diff] [blame] | 130 | when(mPlatformKeyManager.getDecryptKey(TEST_USER_ID)).thenReturn( |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 131 | new PlatformDecryptionKey(TEST_GENERATION_ID, mWrappingKey)); |
| 132 | } |
| 133 | |
| 134 | @After |
| 135 | public void tearDown() { |
| 136 | mRecoverableKeyStoreDb.close(); |
| 137 | mDatabaseFile.delete(); |
| 138 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 139 | |
| 140 | @Test |
| 141 | public void isPin_isTrueForNumericString() { |
| 142 | assertTrue(KeySyncTask.isPin("3298432574398654376547")); |
| 143 | } |
| 144 | |
| 145 | @Test |
| 146 | public void isPin_isFalseForStringContainingLetters() { |
| 147 | assertFalse(KeySyncTask.isPin("398i54369548654")); |
| 148 | } |
| 149 | |
| 150 | @Test |
| 151 | public void isPin_isFalseForStringContainingSymbols() { |
| 152 | assertFalse(KeySyncTask.isPin("-3987543643")); |
| 153 | } |
| 154 | |
| 155 | @Test |
| 156 | public void hashCredentials_returnsSameHashForSameCredentialsAndSalt() { |
| 157 | String credentials = "password1234"; |
| 158 | byte[] salt = randomBytes(16); |
| 159 | |
| 160 | assertArrayEquals( |
| 161 | KeySyncTask.hashCredentials(salt, credentials), |
| 162 | KeySyncTask.hashCredentials(salt, credentials)); |
| 163 | } |
| 164 | |
| 165 | @Test |
| 166 | public void hashCredentials_returnsDifferentHashForDifferentCredentials() { |
| 167 | byte[] salt = randomBytes(16); |
| 168 | |
| 169 | assertFalse( |
| 170 | Arrays.equals( |
| 171 | KeySyncTask.hashCredentials(salt, "password1234"), |
| 172 | KeySyncTask.hashCredentials(salt, "password12345"))); |
| 173 | } |
| 174 | |
| 175 | @Test |
| 176 | public void hashCredentials_returnsDifferentHashForDifferentSalt() { |
| 177 | String credentials = "wowmuch"; |
| 178 | |
| 179 | assertFalse( |
| 180 | Arrays.equals( |
| 181 | KeySyncTask.hashCredentials(randomBytes(64), credentials), |
| 182 | KeySyncTask.hashCredentials(randomBytes(64), credentials))); |
| 183 | } |
| 184 | |
| 185 | @Test |
| 186 | public void hashCredentials_returnsDifferentHashEvenIfConcatIsSame() { |
| 187 | assertFalse( |
| 188 | Arrays.equals( |
| 189 | KeySyncTask.hashCredentials(utf8Bytes("123"), "4567"), |
| 190 | KeySyncTask.hashCredentials(utf8Bytes("1234"), "567"))); |
| 191 | } |
| 192 | |
| 193 | @Test |
| 194 | public void getUiFormat_returnsPinIfPin() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 195 | assertEquals(UI_FORMAT_PIN, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 196 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234")); |
| 197 | } |
| 198 | |
| 199 | @Test |
| 200 | public void getUiFormat_returnsPasswordIfPassword() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 201 | assertEquals(UI_FORMAT_PASSWORD, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 202 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234a")); |
| 203 | } |
| 204 | |
| 205 | @Test |
| 206 | public void getUiFormat_returnsPatternIfPattern() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 207 | assertEquals(UI_FORMAT_PATTERN, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 208 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PATTERN, "1234")); |
| 209 | |
| 210 | } |
| 211 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 212 | @Test |
| 213 | public void run_doesNotSendAnythingIfNoKeysToSync() throws Exception { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 214 | mKeySyncTask.run(); |
| 215 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 216 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
| 217 | } |
| 218 | |
| 219 | @Test |
| 220 | public void run_doesNotSendAnythingIfSnapshotIsUpToDate() throws Exception { |
| 221 | mKeySyncTask.run(); |
| 222 | |
| 223 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 224 | } |
| 225 | |
| 226 | @Test |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 227 | public void run_doesNotSendAnythingIfNoRecoveryAgentSet() throws Exception { |
| 228 | SecretKey applicationKey = generateKey(); |
| 229 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 230 | mRecoverableKeyStoreDb.insertKey( |
| 231 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 232 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 233 | TEST_APP_KEY_ALIAS, |
| 234 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 235 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 236 | |
| 237 | mKeySyncTask.run(); |
| 238 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 239 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 240 | } |
| 241 | |
| 242 | @Test |
| 243 | public void run_doesNotSendAnythingIfNoRecoveryAgentPendingIntentRegistered() throws Exception { |
| 244 | SecretKey applicationKey = generateKey(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 245 | mRecoverableKeyStoreDb.setServerParams( |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 246 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 247 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 248 | mRecoverableKeyStoreDb.insertKey( |
| 249 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 250 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 251 | TEST_APP_KEY_ALIAS, |
| 252 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 253 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 254 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 255 | |
| 256 | mKeySyncTask.run(); |
| 257 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 258 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 259 | } |
| 260 | |
| 261 | @Test |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 262 | public void run_doesNotSendAnythingIfNoDeviceIdIsSet() throws Exception { |
| 263 | SecretKey applicationKey = generateKey(); |
| 264 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 265 | mRecoverableKeyStoreDb.insertKey( |
| 266 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 267 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 268 | TEST_APP_KEY_ALIAS, |
| 269 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 270 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 271 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 272 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 273 | |
| 274 | mKeySyncTask.run(); |
| 275 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 276 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 277 | } |
| 278 | |
| 279 | @Test |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 280 | public void run_sendsEncryptedKeysIfAvailableToSync_withRawPublicKey() throws Exception { |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 281 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 282 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 283 | |
| 284 | mRecoverableKeyStoreDb.setServerParams( |
| 285 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 286 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 287 | SecretKey applicationKey = |
| 288 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 289 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 290 | mKeySyncTask.run(); |
| 291 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 292 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 293 | KeyDerivationParams keyDerivationParams = |
| 294 | keyChainSnapshot.getKeyChainProtectionParams().get(0).getKeyDerivationParams(); |
| 295 | assertThat(keyDerivationParams.getAlgorithm()).isEqualTo( |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 296 | KeyDerivationParams.ALGORITHM_SHA256); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 297 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 298 | byte[] lockScreenHash = KeySyncTask.hashCredentials( |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 299 | keyDerivationParams.getSalt(), |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 300 | TEST_CREDENTIAL); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 301 | Long counterId = mRecoverableKeyStoreDb.getCounterId(TEST_USER_ID, TEST_RECOVERY_AGENT_UID); |
Dmitry Dementyev | aea1e39 | 2018-01-18 16:57:01 -0800 | [diff] [blame] | 302 | counterId = 1L; // TODO: use value from the database. |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 303 | assertThat(counterId).isNotNull(); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 304 | byte[] recoveryKey = decryptThmEncryptedKey( |
| 305 | lockScreenHash, |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 306 | keyChainSnapshot.getEncryptedRecoveryKeyBlob(), |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 307 | /*vaultParams=*/ KeySyncUtils.packVaultParams( |
| 308 | mKeyPair.getPublic(), |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 309 | counterId, |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 310 | /*maxAttempts=*/ 10, |
| 311 | TEST_VAULT_HANDLE)); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 312 | List<WrappedApplicationKey> applicationKeys = keyChainSnapshot.getWrappedApplicationKeys(); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 313 | assertThat(applicationKeys).hasSize(1); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 314 | assertThat(keyChainSnapshot.getCounterId()).isEqualTo(counterId); |
| 315 | assertThat(keyChainSnapshot.getMaxAttempts()).isEqualTo(10); |
| 316 | assertThat(keyChainSnapshot.getTrustedHardwarePublicKey()) |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 317 | .isEqualTo(SecureBox.encodePublicKey(mKeyPair.getPublic())); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 318 | assertThat(keyChainSnapshot.getServerParams()).isEqualTo(TEST_VAULT_HANDLE); |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 319 | WrappedApplicationKey keyData = applicationKeys.get(0); |
Dmitry Dementyev | 07c76555 | 2018-01-08 17:31:59 -0800 | [diff] [blame] | 320 | assertEquals(TEST_APP_KEY_ALIAS, keyData.getAlias()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 321 | assertThat(keyData.getAlias()).isEqualTo(keyData.getAlias()); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 322 | byte[] appKey = KeySyncUtils.decryptApplicationKey( |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 323 | recoveryKey, keyData.getEncryptedKeyMaterial()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 324 | assertThat(appKey).isEqualTo(applicationKey.getEncoded()); |
| 325 | } |
| 326 | |
| 327 | @Test |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 328 | public void run_sendsEncryptedKeysIfAvailableToSync_withCertPath() throws Exception { |
| 329 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 330 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TestData.CERT_PATH_1); |
| 331 | mRecoverableKeyStoreDb.setServerParams( |
| 332 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 333 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 334 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 335 | |
| 336 | mKeySyncTask.run(); |
| 337 | |
| 338 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 339 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 340 | List<WrappedApplicationKey> applicationKeys = keyChainSnapshot.getWrappedApplicationKeys(); |
| 341 | assertThat(applicationKeys).hasSize(1); |
| 342 | assertThat(keyChainSnapshot.getTrustedHardwarePublicKey()) |
| 343 | .isEqualTo(SecureBox.encodePublicKey( |
| 344 | TestData.CERT_PATH_1.getCertificates().get(0).getPublicKey())); |
| 345 | } |
| 346 | |
| 347 | @Test |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 348 | public void run_setsCorrectSnapshotVersion() throws Exception { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 349 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 350 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 351 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 352 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 353 | |
| 354 | mKeySyncTask.run(); |
| 355 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 356 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 357 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 358 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, true); |
| 359 | |
| 360 | mKeySyncTask.run(); |
| 361 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 362 | keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 363 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(2); // Updated |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 364 | } |
| 365 | |
| 366 | @Test |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 367 | public void run_recreatesMissingSnapshot() throws Exception { |
| 368 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 369 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 370 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 371 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 372 | |
| 373 | mKeySyncTask.run(); |
| 374 | |
| 375 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 376 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value; |
| 377 | |
| 378 | mRecoverySnapshotStorage.remove(TEST_RECOVERY_AGENT_UID); // corrupt snapshot. |
| 379 | |
| 380 | mKeySyncTask.run(); |
| 381 | |
| 382 | keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 383 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // Same version |
| 384 | } |
| 385 | |
| 386 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 387 | public void run_setsCorrectTypeForPassword() throws Exception { |
| 388 | mKeySyncTask = new KeySyncTask( |
| 389 | mRecoverableKeyStoreDb, |
| 390 | mRecoverySnapshotStorage, |
| 391 | mSnapshotListenersStorage, |
| 392 | TEST_USER_ID, |
| 393 | CREDENTIAL_TYPE_PASSWORD, |
| 394 | "password", |
| 395 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 396 | mPlatformKeyManager); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 397 | |
| 398 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 399 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 400 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 401 | SecretKey applicationKey = |
| 402 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 403 | |
| 404 | mKeySyncTask.run(); |
| 405 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 406 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 407 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 408 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 409 | isEqualTo(UI_FORMAT_PASSWORD); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 410 | } |
| 411 | |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 412 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 413 | public void run_setsCorrectTypeForPin() throws Exception { |
| 414 | mKeySyncTask = new KeySyncTask( |
| 415 | mRecoverableKeyStoreDb, |
| 416 | mRecoverySnapshotStorage, |
| 417 | mSnapshotListenersStorage, |
| 418 | TEST_USER_ID, |
| 419 | CREDENTIAL_TYPE_PASSWORD, |
| 420 | /*credential=*/ "1234", |
| 421 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 422 | mPlatformKeyManager); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 423 | |
| 424 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 425 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 426 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 427 | SecretKey applicationKey = |
| 428 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 429 | |
| 430 | mKeySyncTask.run(); |
| 431 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 432 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 433 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 434 | // Password with only digits is changed to pin. |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 435 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 436 | isEqualTo(UI_FORMAT_PIN); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 437 | } |
| 438 | |
| 439 | @Test |
| 440 | public void run_setsCorrectTypeForPattern() throws Exception { |
| 441 | mKeySyncTask = new KeySyncTask( |
| 442 | mRecoverableKeyStoreDb, |
| 443 | mRecoverySnapshotStorage, |
| 444 | mSnapshotListenersStorage, |
| 445 | TEST_USER_ID, |
| 446 | CREDENTIAL_TYPE_PATTERN, |
| 447 | "12345", |
| 448 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 6e16724 | 2018-01-25 15:29:50 -0800 | [diff] [blame] | 449 | mPlatformKeyManager); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 450 | |
| 451 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 452 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 453 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 454 | SecretKey applicationKey = |
| 455 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 456 | |
| 457 | mKeySyncTask.run(); |
| 458 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 459 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 460 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 461 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 462 | isEqualTo(UI_FORMAT_PATTERN); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 463 | } |
| 464 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 465 | @Test |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 466 | public void run_sendsEncryptedKeysWithTwoRegisteredAgents() throws Exception { |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 467 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 468 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 469 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 470 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 471 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 472 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 473 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 474 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 475 | mKeySyncTask.run(); |
| 476 | |
| 477 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 478 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 479 | } |
| 480 | |
| 481 | @Test |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 482 | public void run_sendsEncryptedKeysOnlyForAgentWhichActiveUserSecretType() throws Exception { |
| 483 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 484 | new int[] {TYPE_LOCKSCREEN, 1000}); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 485 | // Snapshot will not be created during unlock event. |
| 486 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 487 | new int[] {1000}); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 488 | |
| 489 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 490 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 491 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 492 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 493 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 494 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 495 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 496 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 497 | mKeySyncTask.run(); |
| 498 | |
| 499 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 500 | verify(mSnapshotListenersStorage, never()). |
| 501 | recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 502 | } |
| 503 | |
| 504 | @Test |
| 505 | public void run_doesNotSendKeyToNonregisteredAgent() throws Exception { |
| 506 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 507 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, mKeyPair.getPublic()); |
| 508 | mRecoverableKeyStoreDb.setRecoveryServicePublicKey( |
| 509 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, mKeyPair.getPublic()); |
| 510 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 511 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(false); |
| 512 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 513 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 514 | mKeySyncTask.run(); |
| 515 | |
| 516 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 517 | verify(mSnapshotListenersStorage, never()). |
| 518 | recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 519 | } |
| 520 | |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 521 | @Test |
| 522 | public void run_customLockScreen_RecoveryStatusFailure() throws Exception { |
| 523 | mKeySyncTask = new KeySyncTask( |
| 524 | mRecoverableKeyStoreDb, |
| 525 | mRecoverySnapshotStorage, |
| 526 | mSnapshotListenersStorage, |
| 527 | TEST_USER_ID, |
| 528 | /*credentialType=*/ 3, |
| 529 | "12345", |
| 530 | /*credentialUpdated=*/ false, |
| 531 | mPlatformKeyManager); |
| 532 | |
| 533 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 534 | |
| 535 | int status = |
| 536 | mRecoverableKeyStoreDb |
| 537 | .getStatusForAllKeys(TEST_RECOVERY_AGENT_UID) |
| 538 | .get(TEST_APP_KEY_ALIAS); |
| 539 | assertEquals(RecoveryController.RECOVERY_STATUS_SYNC_IN_PROGRESS, status); |
| 540 | |
| 541 | mKeySyncTask.run(); |
| 542 | |
| 543 | status = mRecoverableKeyStoreDb |
| 544 | .getStatusForAllKeys(TEST_RECOVERY_AGENT_UID) |
| 545 | .get(TEST_APP_KEY_ALIAS); |
| 546 | assertEquals(RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE, status); |
| 547 | } |
| 548 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 549 | private SecretKey addApplicationKey(int userId, int recoveryAgentUid, String alias) |
| 550 | throws Exception{ |
| 551 | SecretKey applicationKey = generateKey(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 552 | mRecoverableKeyStoreDb.setServerParams( |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 553 | userId, recoveryAgentUid, TEST_VAULT_HANDLE); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 554 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, TEST_GENERATION_ID); |
| 555 | |
| 556 | // Newly added key is not synced. |
| 557 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, recoveryAgentUid, true); |
| 558 | |
| 559 | mRecoverableKeyStoreDb.insertKey( |
| 560 | userId, |
| 561 | recoveryAgentUid, |
| 562 | alias, |
| 563 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 564 | return applicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 565 | } |
| 566 | |
| 567 | private byte[] decryptThmEncryptedKey( |
| 568 | byte[] lockScreenHash, byte[] encryptedKey, byte[] vaultParams) throws Exception { |
| 569 | byte[] locallyEncryptedKey = SecureBox.decrypt( |
| 570 | mKeyPair.getPrivate(), |
| 571 | /*sharedSecret=*/ KeySyncUtils.calculateThmKfHash(lockScreenHash), |
| 572 | /*header=*/ KeySyncUtils.concat(THM_ENCRYPTED_RECOVERY_KEY_HEADER, vaultParams), |
| 573 | encryptedKey |
| 574 | ); |
| 575 | return KeySyncUtils.decryptRecoveryKey(lockScreenHash, locallyEncryptedKey); |
| 576 | } |
| 577 | |
| 578 | private SecretKey generateKey() throws Exception { |
| 579 | KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM); |
| 580 | keyGenerator.init(/*keySize=*/ 256); |
| 581 | return keyGenerator.generateKey(); |
| 582 | } |
| 583 | |
| 584 | private AndroidKeyStoreSecretKey generateAndroidKeyStoreKey() throws Exception { |
| 585 | KeyGenerator keyGenerator = KeyGenerator.getInstance( |
| 586 | KEY_ALGORITHM, |
| 587 | ANDROID_KEY_STORE_PROVIDER); |
| 588 | keyGenerator.init(new KeyGenParameterSpec.Builder( |
| 589 | WRAPPING_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) |
| 590 | .setBlockModes(KeyProperties.BLOCK_MODE_GCM) |
| 591 | .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) |
| 592 | .build()); |
| 593 | return (AndroidKeyStoreSecretKey) keyGenerator.generateKey(); |
| 594 | } |
| 595 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 596 | private static byte[] utf8Bytes(String s) { |
| 597 | return s.getBytes(StandardCharsets.UTF_8); |
| 598 | } |
| 599 | |
| 600 | private static byte[] randomBytes(int n) { |
| 601 | byte[] bytes = new byte[n]; |
| 602 | new Random().nextBytes(bytes); |
| 603 | return bytes; |
| 604 | } |
| 605 | } |