Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.server.locksettings.recoverablekeystore; |
| 18 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 19 | import static android.security.keystore.recovery.KeyChainProtectionParams.TYPE_LOCKSCREEN; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 20 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PASSWORD; |
| 21 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PATTERN; |
| 22 | import static android.security.keystore.recovery.KeyChainProtectionParams.UI_FORMAT_PIN; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 23 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD; |
| 24 | import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PATTERN; |
| 25 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 26 | import static com.google.common.truth.Truth.assertThat; |
| 27 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 28 | import static org.junit.Assert.assertArrayEquals; |
| 29 | import static org.junit.Assert.assertEquals; |
| 30 | import static org.junit.Assert.assertFalse; |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 31 | import static org.junit.Assert.assertNotNull; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 32 | import static org.junit.Assert.assertNull; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 33 | import static org.junit.Assert.assertTrue; |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 34 | |
| 35 | import static org.mockito.ArgumentMatchers.any; |
| 36 | import static org.mockito.ArgumentMatchers.anyInt; |
| 37 | import static org.mockito.ArgumentMatchers.eq; |
| 38 | import static org.mockito.Mockito.atLeast; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 39 | import static org.mockito.Mockito.never; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 40 | import static org.mockito.Mockito.verify; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 41 | import static org.mockito.Mockito.when; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 42 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 43 | import android.content.Context; |
Robert Berry | 5658837 | 2018-03-29 12:07:17 +0100 | [diff] [blame] | 44 | import android.os.FileUtils; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 45 | import android.security.keystore.AndroidKeyStoreSecretKey; |
| 46 | import android.security.keystore.KeyGenParameterSpec; |
| 47 | import android.security.keystore.KeyProperties; |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 48 | import android.security.keystore.recovery.KeyChainSnapshot; |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 49 | import android.security.keystore.recovery.KeyDerivationParams; |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 50 | import android.security.keystore.recovery.RecoveryController; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 51 | import android.security.keystore.recovery.TrustedRootCertificates; |
Robert Berry | 81ee34b | 2018-01-23 11:59:59 +0000 | [diff] [blame] | 52 | import android.security.keystore.recovery.WrappedApplicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 53 | import android.support.test.InstrumentationRegistry; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 54 | import android.support.test.filters.SmallTest; |
| 55 | import android.support.test.runner.AndroidJUnit4; |
| 56 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 57 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverableKeyStoreDb; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 58 | import com.android.server.locksettings.recoverablekeystore.storage.RecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 59 | |
| 60 | import org.junit.After; |
| 61 | import org.junit.Before; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 62 | import org.junit.Test; |
| 63 | import org.junit.runner.RunWith; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 64 | import org.mockito.Mock; |
| 65 | import org.mockito.MockitoAnnotations; |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 66 | import org.mockito.Spy; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 67 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 68 | import java.io.File; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 69 | import java.nio.charset.StandardCharsets; |
| 70 | import java.util.Arrays; |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 71 | import java.util.List; |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 72 | import java.util.Random; |
| 73 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 74 | import javax.crypto.KeyGenerator; |
| 75 | import javax.crypto.SecretKey; |
| 76 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 77 | @SmallTest |
| 78 | @RunWith(AndroidJUnit4.class) |
| 79 | public class KeySyncTaskTest { |
Robert Berry | 5658837 | 2018-03-29 12:07:17 +0100 | [diff] [blame] | 80 | |
| 81 | private static final String SNAPSHOT_TOP_LEVEL_DIRECTORY = "recoverablekeystore"; |
| 82 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 83 | private static final String KEY_ALGORITHM = "AES"; |
| 84 | private static final String ANDROID_KEY_STORE_PROVIDER = "AndroidKeyStore"; |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 85 | private static final String TEST_ROOT_CERT_ALIAS = "trusted_root"; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 86 | private static final String WRAPPING_KEY_ALIAS = "KeySyncTaskTest/WrappingKey"; |
| 87 | private static final String DATABASE_FILE_NAME = "recoverablekeystore.db"; |
| 88 | private static final int TEST_USER_ID = 1000; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 89 | private static final int TEST_RECOVERY_AGENT_UID = 10009; |
| 90 | private static final int TEST_RECOVERY_AGENT_UID2 = 10010; |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 91 | private static final byte[] TEST_VAULT_HANDLE = |
Bo Zhu | 31ccba1 | 2018-01-18 11:53:57 -0800 | [diff] [blame] | 92 | new byte[]{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17}; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 93 | private static final String TEST_APP_KEY_ALIAS = "rcleaver"; |
| 94 | private static final int TEST_GENERATION_ID = 2; |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 95 | private static final int TEST_CREDENTIAL_TYPE = CREDENTIAL_TYPE_PATTERN; |
| 96 | private static final String TEST_CREDENTIAL = "pas123"; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 97 | private static final byte[] THM_ENCRYPTED_RECOVERY_KEY_HEADER = |
| 98 | "V1 THM_encrypted_recovery_key".getBytes(StandardCharsets.UTF_8); |
| 99 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 100 | @Mock private PlatformKeyManager mPlatformKeyManager; |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 101 | @Mock private RecoverySnapshotListenersStorage mSnapshotListenersStorage; |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 102 | @Spy private TestOnlyInsecureCertificateHelper mTestOnlyInsecureCertificateHelper; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 103 | @Spy private MockScrypt mMockScrypt; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 104 | |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 105 | private RecoverySnapshotStorage mRecoverySnapshotStorage; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 106 | private RecoverableKeyStoreDb mRecoverableKeyStoreDb; |
| 107 | private File mDatabaseFile; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 108 | private AndroidKeyStoreSecretKey mWrappingKey; |
| 109 | private PlatformEncryptionKey mEncryptKey; |
| 110 | |
| 111 | private KeySyncTask mKeySyncTask; |
| 112 | |
| 113 | @Before |
| 114 | public void setUp() throws Exception { |
| 115 | MockitoAnnotations.initMocks(this); |
| 116 | |
| 117 | Context context = InstrumentationRegistry.getTargetContext(); |
| 118 | mDatabaseFile = context.getDatabasePath(DATABASE_FILE_NAME); |
| 119 | mRecoverableKeyStoreDb = RecoverableKeyStoreDb.newInstance(context); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 120 | |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 121 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 122 | new int[] {TYPE_LOCKSCREEN}); |
| 123 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
| 124 | new int[] {TYPE_LOCKSCREEN}); |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 125 | |
| 126 | mRecoverableKeyStoreDb.setActiveRootOfTrust(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 127 | TEST_ROOT_CERT_ALIAS); |
| 128 | mRecoverableKeyStoreDb.setActiveRootOfTrust(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
| 129 | TEST_ROOT_CERT_ALIAS); |
Robert Berry | 5658837 | 2018-03-29 12:07:17 +0100 | [diff] [blame] | 130 | mRecoverySnapshotStorage = new RecoverySnapshotStorage(context.getFilesDir()); |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 131 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 132 | mKeySyncTask = new KeySyncTask( |
| 133 | mRecoverableKeyStoreDb, |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 134 | mRecoverySnapshotStorage, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 135 | mSnapshotListenersStorage, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 136 | TEST_USER_ID, |
| 137 | TEST_CREDENTIAL_TYPE, |
| 138 | TEST_CREDENTIAL, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 139 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 140 | mPlatformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 141 | mTestOnlyInsecureCertificateHelper, |
| 142 | mMockScrypt); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 143 | |
| 144 | mWrappingKey = generateAndroidKeyStoreKey(); |
| 145 | mEncryptKey = new PlatformEncryptionKey(TEST_GENERATION_ID, mWrappingKey); |
Bo Zhu | 3462c83 | 2018-01-04 22:42:36 -0800 | [diff] [blame] | 146 | when(mPlatformKeyManager.getDecryptKey(TEST_USER_ID)).thenReturn( |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 147 | new PlatformDecryptionKey(TEST_GENERATION_ID, mWrappingKey)); |
| 148 | } |
| 149 | |
| 150 | @After |
| 151 | public void tearDown() { |
| 152 | mRecoverableKeyStoreDb.close(); |
| 153 | mDatabaseFile.delete(); |
Robert Berry | 5658837 | 2018-03-29 12:07:17 +0100 | [diff] [blame] | 154 | |
| 155 | File file = new File(InstrumentationRegistry.getTargetContext().getFilesDir(), |
| 156 | SNAPSHOT_TOP_LEVEL_DIRECTORY); |
| 157 | FileUtils.deleteContentsAndDir(file); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 158 | } |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 159 | |
| 160 | @Test |
| 161 | public void isPin_isTrueForNumericString() { |
| 162 | assertTrue(KeySyncTask.isPin("3298432574398654376547")); |
| 163 | } |
| 164 | |
| 165 | @Test |
| 166 | public void isPin_isFalseForStringContainingLetters() { |
| 167 | assertFalse(KeySyncTask.isPin("398i54369548654")); |
| 168 | } |
| 169 | |
| 170 | @Test |
| 171 | public void isPin_isFalseForStringContainingSymbols() { |
| 172 | assertFalse(KeySyncTask.isPin("-3987543643")); |
| 173 | } |
| 174 | |
| 175 | @Test |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 176 | public void hashCredentialsBySaltedSha256_returnsSameHashForSameCredentialsAndSalt() { |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 177 | String credentials = "password1234"; |
| 178 | byte[] salt = randomBytes(16); |
| 179 | |
| 180 | assertArrayEquals( |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 181 | KeySyncTask.hashCredentialsBySaltedSha256(salt, credentials), |
| 182 | KeySyncTask.hashCredentialsBySaltedSha256(salt, credentials)); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 183 | } |
| 184 | |
| 185 | @Test |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 186 | public void hashCredentialsBySaltedSha256_returnsDifferentHashForDifferentCredentials() { |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 187 | byte[] salt = randomBytes(16); |
| 188 | |
| 189 | assertFalse( |
| 190 | Arrays.equals( |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 191 | KeySyncTask.hashCredentialsBySaltedSha256(salt, "password1234"), |
| 192 | KeySyncTask.hashCredentialsBySaltedSha256(salt, "password12345"))); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 193 | } |
| 194 | |
| 195 | @Test |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 196 | public void hashCredentialsBySaltedSha256_returnsDifferentHashForDifferentSalt() { |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 197 | String credentials = "wowmuch"; |
| 198 | |
| 199 | assertFalse( |
| 200 | Arrays.equals( |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 201 | KeySyncTask.hashCredentialsBySaltedSha256(randomBytes(64), credentials), |
| 202 | KeySyncTask.hashCredentialsBySaltedSha256(randomBytes(64), credentials))); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 203 | } |
| 204 | |
| 205 | @Test |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 206 | public void hashCredentialsBySaltedSha256_returnsDifferentHashEvenIfConcatIsSame() { |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 207 | assertFalse( |
| 208 | Arrays.equals( |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 209 | KeySyncTask.hashCredentialsBySaltedSha256(utf8Bytes("123"), "4567"), |
| 210 | KeySyncTask.hashCredentialsBySaltedSha256(utf8Bytes("1234"), "567"))); |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 211 | } |
| 212 | |
| 213 | @Test |
| 214 | public void getUiFormat_returnsPinIfPin() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 215 | assertEquals(UI_FORMAT_PIN, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 216 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234")); |
| 217 | } |
| 218 | |
| 219 | @Test |
| 220 | public void getUiFormat_returnsPasswordIfPassword() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 221 | assertEquals(UI_FORMAT_PASSWORD, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 222 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PASSWORD, "1234a")); |
| 223 | } |
| 224 | |
| 225 | @Test |
| 226 | public void getUiFormat_returnsPatternIfPattern() { |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 227 | assertEquals(UI_FORMAT_PATTERN, |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 228 | KeySyncTask.getUiFormat(CREDENTIAL_TYPE_PATTERN, "1234")); |
| 229 | |
| 230 | } |
| 231 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 232 | @Test |
| 233 | public void run_doesNotSendAnythingIfNoKeysToSync() throws Exception { |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 234 | mKeySyncTask.run(); |
| 235 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 236 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
| 237 | } |
| 238 | |
| 239 | @Test |
| 240 | public void run_doesNotSendAnythingIfSnapshotIsUpToDate() throws Exception { |
| 241 | mKeySyncTask.run(); |
| 242 | |
| 243 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 244 | } |
| 245 | |
| 246 | @Test |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 247 | public void run_doesNotSendAnythingIfNoRecoveryAgentSet() throws Exception { |
| 248 | SecretKey applicationKey = generateKey(); |
| 249 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 250 | mRecoverableKeyStoreDb.insertKey( |
| 251 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 252 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 253 | TEST_APP_KEY_ALIAS, |
| 254 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 255 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 256 | |
| 257 | mKeySyncTask.run(); |
| 258 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 259 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 260 | } |
| 261 | |
| 262 | @Test |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 263 | public void run_doesNotSendAnythingIfNoDeviceIdIsSet() throws Exception { |
| 264 | SecretKey applicationKey = generateKey(); |
| 265 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 266 | mRecoverableKeyStoreDb.insertKey( |
| 267 | TEST_USER_ID, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 268 | TEST_RECOVERY_AGENT_UID, |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 269 | TEST_APP_KEY_ALIAS, |
| 270 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 271 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 272 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 273 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 274 | |
| 275 | mKeySyncTask.run(); |
| 276 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 277 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 278 | } |
| 279 | |
| 280 | @Test |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 281 | public void run_useScryptToHashPasswordInTestMode() throws Exception { |
| 282 | String password = TrustedRootCertificates.INSECURE_PASSWORD_PREFIX + ""; // The shortest |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 283 | String appKeyAlias = TrustedRootCertificates.INSECURE_KEY_ALIAS_PREFIX + "alias"; |
| 284 | mKeySyncTask = new KeySyncTask( |
| 285 | mRecoverableKeyStoreDb, |
| 286 | mRecoverySnapshotStorage, |
| 287 | mSnapshotListenersStorage, |
| 288 | TEST_USER_ID, |
| 289 | CREDENTIAL_TYPE_PASSWORD, |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 290 | /*credential=*/ password, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 291 | /*credentialUpdated=*/ false, |
| 292 | mPlatformKeyManager, |
| 293 | mTestOnlyInsecureCertificateHelper, |
| 294 | mMockScrypt); |
| 295 | mRecoverableKeyStoreDb.setServerParams( |
| 296 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 297 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 298 | mRecoverableKeyStoreDb.setActiveRootOfTrust(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 299 | TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS); |
| 300 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 301 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 302 | TrustedRootCertificates.TEST_ONLY_INSECURE_CERTIFICATE_ALIAS, |
| 303 | TestData.getInsecureCertPathForEndpoint1()); |
| 304 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, appKeyAlias); |
| 305 | |
| 306 | mKeySyncTask.run(); |
| 307 | |
| 308 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 309 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 310 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 311 | isEqualTo(UI_FORMAT_PASSWORD); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 312 | verify(mMockScrypt).scrypt(eq(password.getBytes()), any(), |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 313 | eq(KeySyncTask.SCRYPT_PARAM_N), eq(KeySyncTask.SCRYPT_PARAM_R), |
| 314 | eq(KeySyncTask.SCRYPT_PARAM_P), eq(KeySyncTask.SCRYPT_PARAM_OUTLEN_BYTES)); |
| 315 | KeyDerivationParams keyDerivationParams = |
| 316 | keyChainSnapshot.getKeyChainProtectionParams().get(0).getKeyDerivationParams(); |
| 317 | assertThat(keyDerivationParams.getAlgorithm()).isEqualTo( |
| 318 | KeyDerivationParams.ALGORITHM_SCRYPT); |
| 319 | assertThat(keyDerivationParams.getMemoryDifficulty()).isEqualTo(KeySyncTask.SCRYPT_PARAM_N); |
| 320 | } |
| 321 | |
| 322 | @Test |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 323 | public void run_useSha256ToHashPatternInProdMode() throws Exception { |
| 324 | String pattern = "123456"; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 325 | mKeySyncTask = new KeySyncTask( |
| 326 | mRecoverableKeyStoreDb, |
| 327 | mRecoverySnapshotStorage, |
| 328 | mSnapshotListenersStorage, |
| 329 | TEST_USER_ID, |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 330 | CREDENTIAL_TYPE_PATTERN, |
| 331 | /*credential=*/ pattern, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 332 | /*credentialUpdated=*/ false, |
| 333 | mPlatformKeyManager, |
| 334 | mTestOnlyInsecureCertificateHelper, |
| 335 | mMockScrypt); |
| 336 | mRecoverableKeyStoreDb.setServerParams( |
| 337 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 338 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 339 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 340 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 341 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 342 | |
| 343 | mKeySyncTask.run(); |
| 344 | |
| 345 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 346 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 347 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 348 | isEqualTo(UI_FORMAT_PATTERN); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 349 | verify(mMockScrypt, never()).scrypt(any(), any(), anyInt(), anyInt(), anyInt(), anyInt()); |
| 350 | KeyDerivationParams keyDerivationParams = |
| 351 | keyChainSnapshot.getKeyChainProtectionParams().get(0).getKeyDerivationParams(); |
| 352 | assertThat(keyDerivationParams.getAlgorithm()).isEqualTo( |
| 353 | KeyDerivationParams.ALGORITHM_SHA256); |
| 354 | } |
| 355 | |
| 356 | @Test |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 357 | public void run_useScryptToHashPasswordInProdMode() throws Exception { |
| 358 | String shortPassword = "abc"; |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 359 | mKeySyncTask = new KeySyncTask( |
| 360 | mRecoverableKeyStoreDb, |
| 361 | mRecoverySnapshotStorage, |
| 362 | mSnapshotListenersStorage, |
| 363 | TEST_USER_ID, |
| 364 | CREDENTIAL_TYPE_PASSWORD, |
| 365 | /*credential=*/ shortPassword, |
| 366 | /*credentialUpdated=*/ false, |
| 367 | mPlatformKeyManager, |
| 368 | mTestOnlyInsecureCertificateHelper, |
| 369 | mMockScrypt); |
| 370 | mRecoverableKeyStoreDb.setServerParams( |
| 371 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 372 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 373 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 374 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 375 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
| 376 | |
| 377 | mKeySyncTask.run(); |
| 378 | |
| 379 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 380 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 381 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 382 | isEqualTo(UI_FORMAT_PASSWORD); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 383 | verify(mMockScrypt).scrypt(eq(shortPassword.getBytes()), any(), |
| 384 | eq(KeySyncTask.SCRYPT_PARAM_N), eq(KeySyncTask.SCRYPT_PARAM_R), |
| 385 | eq(KeySyncTask.SCRYPT_PARAM_P), eq(KeySyncTask.SCRYPT_PARAM_OUTLEN_BYTES)); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 386 | KeyDerivationParams keyDerivationParams = |
| 387 | keyChainSnapshot.getKeyChainProtectionParams().get(0).getKeyDerivationParams(); |
| 388 | assertThat(keyDerivationParams.getAlgorithm()).isEqualTo( |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 389 | KeyDerivationParams.ALGORITHM_SCRYPT); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 390 | } |
| 391 | |
| 392 | @Test |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 393 | public void run_stillCreatesSnapshotIfNoRecoveryAgentPendingIntentRegistered() |
| 394 | throws Exception { |
| 395 | mRecoverableKeyStoreDb.setServerParams( |
| 396 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 397 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 398 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 399 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 400 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 401 | |
| 402 | mKeySyncTask.run(); |
| 403 | |
| 404 | assertNotNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
| 405 | } |
| 406 | |
| 407 | @Test |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 408 | public void run_InTestModeWithWhitelistedCredentials() throws Exception { |
| 409 | mRecoverableKeyStoreDb.setServerParams( |
| 410 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 411 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 412 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 413 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 414 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
| 415 | |
| 416 | // Enter test mode with whitelisted credentials |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 417 | when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(any())).thenReturn(true); |
| 418 | when(mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(anyInt(), any())) |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 419 | .thenReturn(true); |
| 420 | mKeySyncTask.run(); |
| 421 | |
| 422 | verify(mTestOnlyInsecureCertificateHelper) |
| 423 | .getDefaultCertificateAliasIfEmpty(eq(TEST_ROOT_CERT_ALIAS)); |
| 424 | |
| 425 | // run whitelist checks |
| 426 | verify(mTestOnlyInsecureCertificateHelper) |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 427 | .doesCredentialSupportInsecureMode(anyInt(), any()); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 428 | verify(mTestOnlyInsecureCertificateHelper) |
| 429 | .keepOnlyWhitelistedInsecureKeys(any()); |
| 430 | |
| 431 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 432 | assertNotNull(keyChainSnapshot); // created snapshot |
| 433 | List<WrappedApplicationKey> applicationKeys = keyChainSnapshot.getWrappedApplicationKeys(); |
| 434 | assertThat(applicationKeys).hasSize(0); // non whitelisted key is not included |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 435 | verify(mMockScrypt, never()).scrypt(any(), any(), anyInt(), anyInt(), anyInt(), anyInt()); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 436 | } |
| 437 | |
| 438 | @Test |
| 439 | public void run_InTestModeWithNonWhitelistedCredentials() throws Exception { |
| 440 | mRecoverableKeyStoreDb.setServerParams( |
| 441 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 442 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 443 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 444 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 445 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
| 446 | |
| 447 | // Enter test mode with non whitelisted credentials |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 448 | when(mTestOnlyInsecureCertificateHelper.isTestOnlyCertificateAlias(any())).thenReturn(true); |
| 449 | when(mTestOnlyInsecureCertificateHelper.doesCredentialSupportInsecureMode(anyInt(), any())) |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 450 | .thenReturn(false); |
| 451 | mKeySyncTask.run(); |
| 452 | |
| 453 | assertNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); // not created |
| 454 | verify(mTestOnlyInsecureCertificateHelper) |
| 455 | .getDefaultCertificateAliasIfEmpty(eq(TEST_ROOT_CERT_ALIAS)); |
| 456 | verify(mTestOnlyInsecureCertificateHelper) |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 457 | .doesCredentialSupportInsecureMode(anyInt(), any()); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 458 | verify(mMockScrypt, never()).scrypt(any(), any(), anyInt(), anyInt(), anyInt(), anyInt()); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 459 | } |
| 460 | |
| 461 | @Test |
| 462 | public void run_doesNotFilterCredentialsAndAliasesInProd() throws Exception { |
| 463 | mRecoverableKeyStoreDb.setServerParams( |
| 464 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 465 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 466 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 467 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 468 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
| 469 | |
| 470 | mKeySyncTask.run(); |
| 471 | assertNotNull(mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID)); |
| 472 | |
| 473 | verify(mTestOnlyInsecureCertificateHelper) |
| 474 | .getDefaultCertificateAliasIfEmpty(eq(TEST_ROOT_CERT_ALIAS)); |
| 475 | verify(mTestOnlyInsecureCertificateHelper, atLeast(1)) |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 476 | .isTestOnlyCertificateAlias(eq(TEST_ROOT_CERT_ALIAS)); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 477 | |
| 478 | // no whitelists check |
| 479 | verify(mTestOnlyInsecureCertificateHelper, never()) |
Bo Zhu | 0b8c82e | 2018-03-30 11:31:53 -0700 | [diff] [blame] | 480 | .doesCredentialSupportInsecureMode(anyInt(), any()); |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 481 | verify(mTestOnlyInsecureCertificateHelper, never()) |
| 482 | .keepOnlyWhitelistedInsecureKeys(any()); |
| 483 | } |
| 484 | |
| 485 | @Test |
| 486 | public void run_replacesNullActiveRootAliasWithDefaultValue() throws Exception { |
| 487 | mRecoverableKeyStoreDb.setServerParams( |
| 488 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 489 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(TEST_USER_ID, TEST_GENERATION_ID); |
| 490 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 491 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
| 492 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
| 493 | mRecoverableKeyStoreDb.setActiveRootOfTrust(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
| 494 | /*alias=*/ null); |
| 495 | |
| 496 | when(mTestOnlyInsecureCertificateHelper.getDefaultCertificateAliasIfEmpty(null)) |
| 497 | .thenReturn(TEST_ROOT_CERT_ALIAS); // override default. |
| 498 | mKeySyncTask.run(); |
| 499 | |
| 500 | verify(mTestOnlyInsecureCertificateHelper).getDefaultCertificateAliasIfEmpty(null); |
| 501 | } |
| 502 | |
| 503 | @Test |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 504 | public void run_sendsEncryptedKeysIfAvailableToSync_withRawPublicKey() throws Exception { |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 505 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 506 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 507 | |
| 508 | mRecoverableKeyStoreDb.setServerParams( |
| 509 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 510 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 511 | SecretKey applicationKey = |
| 512 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | add1bad | 2018-01-18 16:44:08 -0800 | [diff] [blame] | 513 | |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 514 | mKeySyncTask.run(); |
| 515 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 516 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 517 | KeyDerivationParams keyDerivationParams = |
| 518 | keyChainSnapshot.getKeyChainProtectionParams().get(0).getKeyDerivationParams(); |
| 519 | assertThat(keyDerivationParams.getAlgorithm()).isEqualTo( |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 520 | KeyDerivationParams.ALGORITHM_SHA256); |
Robert Berry | 9104404 | 2017-12-27 12:05:58 +0000 | [diff] [blame] | 521 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 522 | byte[] lockScreenHash = KeySyncTask.hashCredentialsBySaltedSha256( |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 523 | keyDerivationParams.getSalt(), |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 524 | TEST_CREDENTIAL); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 525 | Long counterId = mRecoverableKeyStoreDb.getCounterId(TEST_USER_ID, TEST_RECOVERY_AGENT_UID); |
| 526 | assertThat(counterId).isNotNull(); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 527 | byte[] recoveryKey = decryptThmEncryptedKey( |
| 528 | lockScreenHash, |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 529 | keyChainSnapshot.getEncryptedRecoveryKeyBlob(), |
Robert Berry | 94ea4e4 | 2017-12-28 12:08:30 +0000 | [diff] [blame] | 530 | /*vaultParams=*/ KeySyncUtils.packVaultParams( |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 531 | TestData.CERT_1_PUBLIC_KEY, |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 532 | counterId, |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 533 | /*maxAttempts=*/ 10, |
| 534 | TEST_VAULT_HANDLE)); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 535 | List<WrappedApplicationKey> applicationKeys = keyChainSnapshot.getWrappedApplicationKeys(); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 536 | assertThat(applicationKeys).hasSize(1); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 537 | assertThat(keyChainSnapshot.getCounterId()).isEqualTo(counterId); |
| 538 | assertThat(keyChainSnapshot.getMaxAttempts()).isEqualTo(10); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 539 | assertThat(keyChainSnapshot.getTrustedHardwareCertPath()) |
| 540 | .isEqualTo(TestData.CERT_PATH_1); |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 541 | assertThat(keyChainSnapshot.getServerParams()).isEqualTo(TEST_VAULT_HANDLE); |
Robert Berry | 5f13870 | 2018-01-17 15:18:05 +0000 | [diff] [blame] | 542 | WrappedApplicationKey keyData = applicationKeys.get(0); |
Dmitry Dementyev | 07c76555 | 2018-01-08 17:31:59 -0800 | [diff] [blame] | 543 | assertEquals(TEST_APP_KEY_ALIAS, keyData.getAlias()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 544 | assertThat(keyData.getAlias()).isEqualTo(keyData.getAlias()); |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 545 | byte[] appKey = KeySyncUtils.decryptApplicationKey( |
Robert Berry | bd086f1 | 2017-12-27 13:29:39 +0000 | [diff] [blame] | 546 | recoveryKey, keyData.getEncryptedKeyMaterial()); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 547 | assertThat(appKey).isEqualTo(applicationKey.getEncoded()); |
| 548 | } |
| 549 | |
| 550 | @Test |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 551 | public void run_sendsEncryptedKeysIfAvailableToSync_withCertPath() throws Exception { |
| 552 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 553 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 554 | mRecoverableKeyStoreDb.setServerParams( |
| 555 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_VAULT_HANDLE); |
| 556 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 557 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 558 | |
| 559 | mKeySyncTask.run(); |
| 560 | |
| 561 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 562 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 563 | List<WrappedApplicationKey> applicationKeys = keyChainSnapshot.getWrappedApplicationKeys(); |
| 564 | assertThat(applicationKeys).hasSize(1); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 565 | assertThat(keyChainSnapshot.getTrustedHardwareCertPath()) |
| 566 | .isEqualTo(TestData.CERT_PATH_1); |
Bo Zhu | 14d993d | 2018-02-03 21:38:48 -0800 | [diff] [blame] | 567 | } |
| 568 | |
| 569 | @Test |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 570 | public void run_setsCorrectSnapshotVersion() throws Exception { |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 571 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 572 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 573 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 574 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 575 | |
| 576 | mKeySyncTask.run(); |
| 577 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 578 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 579 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value; |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 580 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, true); |
| 581 | |
| 582 | mKeySyncTask.run(); |
| 583 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 584 | keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 585 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(2); // Updated |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 586 | } |
| 587 | |
| 588 | @Test |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 589 | public void run_recreatesMissingSnapshot() throws Exception { |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 590 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 591 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 907e275 | 2018-01-26 10:54:52 -0800 | [diff] [blame] | 592 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 593 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 594 | |
| 595 | mKeySyncTask.run(); |
| 596 | |
| 597 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 598 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // default value; |
| 599 | |
| 600 | mRecoverySnapshotStorage.remove(TEST_RECOVERY_AGENT_UID); // corrupt snapshot. |
| 601 | |
| 602 | mKeySyncTask.run(); |
| 603 | |
| 604 | keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 605 | assertThat(keyChainSnapshot.getSnapshotVersion()).isEqualTo(1); // Same version |
| 606 | } |
| 607 | |
| 608 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 609 | public void run_setsCorrectTypeForPassword() throws Exception { |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 610 | String password = "password"; |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 611 | mKeySyncTask = new KeySyncTask( |
| 612 | mRecoverableKeyStoreDb, |
| 613 | mRecoverySnapshotStorage, |
| 614 | mSnapshotListenersStorage, |
| 615 | TEST_USER_ID, |
| 616 | CREDENTIAL_TYPE_PASSWORD, |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 617 | password, |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 618 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 619 | mPlatformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 620 | mTestOnlyInsecureCertificateHelper, |
| 621 | mMockScrypt); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 622 | |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 623 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 624 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 625 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 626 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 627 | |
| 628 | mKeySyncTask.run(); |
| 629 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 630 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 631 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 632 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 633 | isEqualTo(UI_FORMAT_PASSWORD); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 634 | verify(mMockScrypt).scrypt(eq(password.getBytes()), any(), |
| 635 | eq(KeySyncTask.SCRYPT_PARAM_N), eq(KeySyncTask.SCRYPT_PARAM_R), |
| 636 | eq(KeySyncTask.SCRYPT_PARAM_P), eq(KeySyncTask.SCRYPT_PARAM_OUTLEN_BYTES)); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 637 | } |
| 638 | |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 639 | @Test |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 640 | public void run_setsCorrectTypeForPin() throws Exception { |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 641 | String pin = "1234"; |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 642 | mKeySyncTask = new KeySyncTask( |
| 643 | mRecoverableKeyStoreDb, |
| 644 | mRecoverySnapshotStorage, |
| 645 | mSnapshotListenersStorage, |
| 646 | TEST_USER_ID, |
| 647 | CREDENTIAL_TYPE_PASSWORD, |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 648 | /*credential=*/ pin, |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 649 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 650 | mPlatformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 651 | mTestOnlyInsecureCertificateHelper, |
| 652 | mMockScrypt); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 653 | |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 654 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 655 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 656 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 657 | SecretKey applicationKey = |
| 658 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 659 | |
| 660 | mKeySyncTask.run(); |
| 661 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 662 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 663 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 664 | // Password with only digits is changed to pin. |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 665 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 666 | isEqualTo(UI_FORMAT_PIN); |
Bo Zhu | c3aefbd | 2018-04-06 09:57:02 -0700 | [diff] [blame] | 667 | verify(mMockScrypt).scrypt(eq(pin.getBytes()), any(), |
| 668 | eq(KeySyncTask.SCRYPT_PARAM_N), eq(KeySyncTask.SCRYPT_PARAM_R), |
| 669 | eq(KeySyncTask.SCRYPT_PARAM_P), eq(KeySyncTask.SCRYPT_PARAM_OUTLEN_BYTES)); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 670 | } |
| 671 | |
| 672 | @Test |
| 673 | public void run_setsCorrectTypeForPattern() throws Exception { |
| 674 | mKeySyncTask = new KeySyncTask( |
| 675 | mRecoverableKeyStoreDb, |
| 676 | mRecoverySnapshotStorage, |
| 677 | mSnapshotListenersStorage, |
| 678 | TEST_USER_ID, |
| 679 | CREDENTIAL_TYPE_PATTERN, |
| 680 | "12345", |
| 681 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 682 | mPlatformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 683 | mTestOnlyInsecureCertificateHelper, |
| 684 | mMockScrypt); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 685 | |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 686 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 687 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 688 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 689 | SecretKey applicationKey = |
| 690 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 691 | |
| 692 | mKeySyncTask.run(); |
| 693 | |
Dmitry Dementyev | 0916e7c | 2018-01-23 13:02:08 -0800 | [diff] [blame] | 694 | KeyChainSnapshot keyChainSnapshot = mRecoverySnapshotStorage.get(TEST_RECOVERY_AGENT_UID); |
| 695 | assertThat(keyChainSnapshot.getKeyChainProtectionParams()).hasSize(1); |
| 696 | assertThat(keyChainSnapshot.getKeyChainProtectionParams().get(0).getLockScreenUiFormat()). |
| 697 | isEqualTo(UI_FORMAT_PATTERN); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 698 | verify(mMockScrypt, never()).scrypt(any(), any(), anyInt(), anyInt(), anyInt(), anyInt()); |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 699 | } |
| 700 | |
Dmitry Dementyev | abd713c | 2018-01-09 15:08:13 -0800 | [diff] [blame] | 701 | @Test |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 702 | public void run_sendsEncryptedKeysWithTwoRegisteredAgents() throws Exception { |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 703 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 704 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 705 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 706 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 707 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
| 708 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 709 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 710 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 711 | mKeySyncTask.run(); |
| 712 | |
| 713 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 714 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 715 | } |
| 716 | |
| 717 | @Test |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 718 | public void run_sendsEncryptedKeysOnlyForAgentWhichActiveUserSecretType() throws Exception { |
| 719 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 720 | new int[] {TYPE_LOCKSCREEN, 1000}); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 721 | // Snapshot will not be created during unlock event. |
| 722 | mRecoverableKeyStoreDb.setRecoverySecretTypes(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, |
Dmitry Dementyev | ed89ea0 | 2018-01-11 13:53:52 -0800 | [diff] [blame] | 723 | new int[] {1000}); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 724 | |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 725 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 726 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 727 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 728 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 729 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 730 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(true); |
| 731 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 732 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 733 | mKeySyncTask.run(); |
| 734 | |
| 735 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
| 736 | verify(mSnapshotListenersStorage, never()). |
| 737 | recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
| 738 | } |
| 739 | |
| 740 | @Test |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 741 | public void run_notifiesNonregisteredAgent() throws Exception { |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 742 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 743 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 744 | mRecoverableKeyStoreDb.setRecoveryServiceCertPath( |
Dmitry Dementyev | f34fc7e | 2018-03-26 17:31:29 -0700 | [diff] [blame] | 745 | TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_ROOT_CERT_ALIAS, TestData.CERT_PATH_1); |
Dmitry Dementyev | 122bfe1 | 2018-01-10 18:56:36 -0800 | [diff] [blame] | 746 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID)).thenReturn(true); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 747 | when(mSnapshotListenersStorage.hasListener(TEST_RECOVERY_AGENT_UID2)).thenReturn(false); |
| 748 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 749 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID2, TEST_APP_KEY_ALIAS); |
| 750 | mKeySyncTask.run(); |
| 751 | |
| 752 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID); |
Robert Berry | 2fd4b59 | 2018-03-15 15:28:05 +0000 | [diff] [blame] | 753 | verify(mSnapshotListenersStorage).recoverySnapshotAvailable(TEST_RECOVERY_AGENT_UID2); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 754 | } |
| 755 | |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 756 | @Test |
| 757 | public void run_customLockScreen_RecoveryStatusFailure() throws Exception { |
| 758 | mKeySyncTask = new KeySyncTask( |
| 759 | mRecoverableKeyStoreDb, |
| 760 | mRecoverySnapshotStorage, |
| 761 | mSnapshotListenersStorage, |
| 762 | TEST_USER_ID, |
| 763 | /*credentialType=*/ 3, |
| 764 | "12345", |
| 765 | /*credentialUpdated=*/ false, |
Dmitry Dementyev | 57ca3da | 2018-03-28 12:36:45 -0700 | [diff] [blame] | 766 | mPlatformKeyManager, |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 767 | mTestOnlyInsecureCertificateHelper, |
| 768 | mMockScrypt); |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 769 | |
| 770 | addApplicationKey(TEST_USER_ID, TEST_RECOVERY_AGENT_UID, TEST_APP_KEY_ALIAS); |
| 771 | |
| 772 | int status = |
| 773 | mRecoverableKeyStoreDb |
| 774 | .getStatusForAllKeys(TEST_RECOVERY_AGENT_UID) |
| 775 | .get(TEST_APP_KEY_ALIAS); |
| 776 | assertEquals(RecoveryController.RECOVERY_STATUS_SYNC_IN_PROGRESS, status); |
| 777 | |
| 778 | mKeySyncTask.run(); |
| 779 | |
| 780 | status = mRecoverableKeyStoreDb |
| 781 | .getStatusForAllKeys(TEST_RECOVERY_AGENT_UID) |
| 782 | .get(TEST_APP_KEY_ALIAS); |
| 783 | assertEquals(RecoveryController.RECOVERY_STATUS_PERMANENT_FAILURE, status); |
Bo Zhu | 7697343 | 2018-04-03 00:37:51 -0700 | [diff] [blame] | 784 | verify(mMockScrypt, never()).scrypt(any(), any(), anyInt(), anyInt(), anyInt(), anyInt()); |
Aseem Kumar | 3326da5 | 2018-03-12 18:05:16 -0700 | [diff] [blame] | 785 | } |
| 786 | |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 787 | private SecretKey addApplicationKey(int userId, int recoveryAgentUid, String alias) |
| 788 | throws Exception{ |
| 789 | SecretKey applicationKey = generateKey(); |
Dmitry Dementyev | 7d8c78a | 2018-01-12 19:14:07 -0800 | [diff] [blame] | 790 | mRecoverableKeyStoreDb.setServerParams( |
Bo Zhu | 4ff2b3f | 2018-01-17 17:34:26 -0800 | [diff] [blame] | 791 | userId, recoveryAgentUid, TEST_VAULT_HANDLE); |
Dmitry Dementyev | 77183ef | 2018-01-05 15:46:00 -0800 | [diff] [blame] | 792 | mRecoverableKeyStoreDb.setPlatformKeyGenerationId(userId, TEST_GENERATION_ID); |
| 793 | |
| 794 | // Newly added key is not synced. |
| 795 | mRecoverableKeyStoreDb.setShouldCreateSnapshot(userId, recoveryAgentUid, true); |
| 796 | |
| 797 | mRecoverableKeyStoreDb.insertKey( |
| 798 | userId, |
| 799 | recoveryAgentUid, |
| 800 | alias, |
| 801 | WrappedKey.fromSecretKey(mEncryptKey, applicationKey)); |
| 802 | return applicationKey; |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 803 | } |
| 804 | |
| 805 | private byte[] decryptThmEncryptedKey( |
| 806 | byte[] lockScreenHash, byte[] encryptedKey, byte[] vaultParams) throws Exception { |
| 807 | byte[] locallyEncryptedKey = SecureBox.decrypt( |
Dmitry Dementyev | 3b67e06 | 2018-03-22 17:55:27 -0700 | [diff] [blame] | 808 | TestData.CERT_1_PRIVATE_KEY, |
Robert Berry | f0a4bea | 2017-12-22 13:17:32 +0000 | [diff] [blame] | 809 | /*sharedSecret=*/ KeySyncUtils.calculateThmKfHash(lockScreenHash), |
| 810 | /*header=*/ KeySyncUtils.concat(THM_ENCRYPTED_RECOVERY_KEY_HEADER, vaultParams), |
| 811 | encryptedKey |
| 812 | ); |
| 813 | return KeySyncUtils.decryptRecoveryKey(lockScreenHash, locallyEncryptedKey); |
| 814 | } |
| 815 | |
| 816 | private SecretKey generateKey() throws Exception { |
| 817 | KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM); |
| 818 | keyGenerator.init(/*keySize=*/ 256); |
| 819 | return keyGenerator.generateKey(); |
| 820 | } |
| 821 | |
| 822 | private AndroidKeyStoreSecretKey generateAndroidKeyStoreKey() throws Exception { |
| 823 | KeyGenerator keyGenerator = KeyGenerator.getInstance( |
| 824 | KEY_ALGORITHM, |
| 825 | ANDROID_KEY_STORE_PROVIDER); |
| 826 | keyGenerator.init(new KeyGenParameterSpec.Builder( |
| 827 | WRAPPING_KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) |
| 828 | .setBlockModes(KeyProperties.BLOCK_MODE_GCM) |
| 829 | .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) |
| 830 | .build()); |
| 831 | return (AndroidKeyStoreSecretKey) keyGenerator.generateKey(); |
| 832 | } |
| 833 | |
Robert Berry | 4a534ec | 2017-12-21 15:44:02 +0000 | [diff] [blame] | 834 | private static byte[] utf8Bytes(String s) { |
| 835 | return s.getBytes(StandardCharsets.UTF_8); |
| 836 | } |
| 837 | |
| 838 | private static byte[] randomBytes(int n) { |
| 839 | byte[] bytes = new byte[n]; |
| 840 | new Random().nextBytes(bytes); |
| 841 | return bytes; |
| 842 | } |
| 843 | } |