Google Git
Sign in
chromium / aosp / platform / system / tpm / 481cd9a33104037da8eae0dd667097f178f6e237 / . / trunks / tpm_utility_test.cc
blob: 43b054a5f73a598c3131e8a3a30305206420e282 [file] [log] [blame]
//
// Copyright (C) 2014 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
#include <base/stl_util.h>
#include <crypto/sha2.h>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <openssl/aes.h>
#include "trunks/error_codes.h"
#include "trunks/hmac_authorization_delegate.h"
#include "trunks/mock_authorization_delegate.h"
#include "trunks/mock_blob_parser.h"
#include "trunks/mock_command_transceiver.h"
#include "trunks/mock_hmac_session.h"
#include "trunks/mock_policy_session.h"
#include "trunks/mock_tpm.h"
#include "trunks/mock_tpm_state.h"
#include "trunks/tpm_constants.h"
#include "trunks/tpm_utility_impl.h"
#include "trunks/trunks_factory_for_test.h"
using testing::_;
using testing::DoAll;
using testing::NiceMock;
using testing::Return;
using testing::SaveArg;
using testing::SetArgPointee;
namespace {
// Cr50 Vendor ID ("CROS").
const uint32_t kVendorIdCr50 = 0x43524f53;
} // namespace
namespace trunks {
// A test fixture for TpmUtility tests.
class TpmUtilityTest : public testing::Test {
public:
TpmUtilityTest() : mock_tpm_(&mock_transceiver_), utility_(factory_) {}
~TpmUtilityTest() override {}
void SetUp() override {
factory_.set_blob_parser(&mock_blob_parser_);
factory_.set_tpm_state(&mock_tpm_state_);
factory_.set_tpm(&mock_tpm_);
factory_.set_hmac_session(&mock_hmac_session_);
factory_.set_trial_session(&mock_trial_session_);
}
TPM_RC ComputeKeyName(const TPMT_PUBLIC& public_area,
std::string* object_name) {
return utility_.ComputeKeyName(public_area, object_name);
}
void SetNVRAMMap(uint32_t index, const TPMS_NV_PUBLIC& public_area) {
utility_.nvram_public_area_map_[index] = public_area;
}
TPM_RC GetNVRAMMap(uint32_t index, TPMS_NV_PUBLIC* public_area) {
auto it = utility_.nvram_public_area_map_.find(index);
if (it == utility_.nvram_public_area_map_.end()) {
return TPM_RC_FAILURE;
}
*public_area = it->second;
return TPM_RC_SUCCESS;
}
TPM_RC SetKnownOwnerPassword(const std::string& owner_password) {
return utility_.SetKnownOwnerPassword(owner_password);
}
TPM_RC CreateStorageRootKeys(const std::string& owner_password) {
return utility_.CreateStorageRootKeys(owner_password);
}
TPM_RC CreateSaltingKey(const std::string& owner_password) {
return utility_.CreateSaltingKey(owner_password);
}
void SetExistingKeyHandleExpectation(TPM_HANDLE handle) {
TPMS_CAPABILITY_DATA capability_data = {};
TPML_HANDLE& handles = capability_data.data.handles;
handles.count = 1;
handles.handle[0] = handle;
EXPECT_CALL(mock_tpm_,
GetCapabilitySync(TPM_CAP_HANDLES, handle, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<4>(capability_data), Return(TPM_RC_SUCCESS)));
}
void PopulatePCRSelection(bool has_sha1_pcrs,
bool make_sha1_bank_empty,
bool has_sha256_pcrs,
TPML_PCR_SELECTION* pcrs) {
memset(pcrs, 0, sizeof(TPML_PCR_SELECTION));
// By convention fill SHA-256 first. This is a bit brittle because order is
// not important but it simplifies comparison to memcmp.
if (has_sha256_pcrs) {
pcrs->pcr_selections[pcrs->count].hash = TPM_ALG_SHA256;
pcrs->pcr_selections[pcrs->count].sizeof_select = PCR_SELECT_MIN;
for (int i = 0; i < PCR_SELECT_MIN; ++i) {
pcrs->pcr_selections[pcrs->count].pcr_select[i] = 0xff;
}
++pcrs->count;
}
if (has_sha1_pcrs) {
pcrs->pcr_selections[pcrs->count].hash = TPM_ALG_SHA1;
if (make_sha1_bank_empty) {
pcrs->pcr_selections[pcrs->count].sizeof_select = PCR_SELECT_MAX;
} else {
pcrs->pcr_selections[pcrs->count].sizeof_select = PCR_SELECT_MIN;
for (int i = 0; i < PCR_SELECT_MIN; ++i) {
pcrs->pcr_selections[pcrs->count].pcr_select[i] = 0xff;
}
}
++pcrs->count;
}
}
void SetExistingPCRSExpectation(bool has_sha1_pcrs, bool has_sha256_pcrs) {
TPMS_CAPABILITY_DATA capability_data = {};
TPML_PCR_SELECTION& pcrs = capability_data.data.assigned_pcr;
PopulatePCRSelection(has_sha1_pcrs, false, has_sha256_pcrs, &pcrs);
EXPECT_CALL(mock_tpm_, GetCapabilitySync(TPM_CAP_PCRS, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<4>(capability_data), Return(TPM_RC_SUCCESS)));
}
void SetCr50(bool is_cr50) {
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
uint32_t vendor_id = is_cr50 ? kVendorIdCr50 : 1;
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(vendor_id), Return(true)));
}
protected:
TrunksFactoryForTest factory_;
NiceMock<MockCommandTransceiver> mock_transceiver_;
NiceMock<MockBlobParser> mock_blob_parser_;
NiceMock<MockTpmState> mock_tpm_state_;
NiceMock<MockTpm> mock_tpm_;
NiceMock<MockAuthorizationDelegate> mock_authorization_delegate_;
NiceMock<MockHmacSession> mock_hmac_session_;
NiceMock<MockPolicySession> mock_trial_session_;
TpmUtilityImpl utility_;
};
TEST_F(TpmUtilityTest, StartupSuccess) {
EXPECT_EQ(TPM_RC_SUCCESS, utility_.Startup());
}
TEST_F(TpmUtilityTest, StartupAlreadyStarted) {
EXPECT_CALL(mock_tpm_, StartupSync(_, _))
.WillRepeatedly(Return(TPM_RC_INITIALIZE));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.Startup());
}
TEST_F(TpmUtilityTest, StartupFailure) {
EXPECT_CALL(mock_tpm_, StartupSync(_, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.Startup());
}
TEST_F(TpmUtilityTest, StartupSelfTestFailure) {
EXPECT_CALL(mock_tpm_, SelfTestSync(_, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.Startup());
}
TEST_F(TpmUtilityTest, ClearSuccess) {
EXPECT_EQ(TPM_RC_SUCCESS, utility_.Clear());
}
TEST_F(TpmUtilityTest, ClearAfterBadInit) {
EXPECT_CALL(mock_tpm_, ClearSync(_, _, _))
.WillOnce(Return(TPM_RC_AUTH_MISSING))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.Clear());
}
TEST_F(TpmUtilityTest, ClearFail) {
EXPECT_CALL(mock_tpm_, ClearSync(_, _, _)).WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.Clear());
}
TEST_F(TpmUtilityTest, ShutdownTest) {
EXPECT_CALL(mock_tpm_, ShutdownSync(TPM_SU_CLEAR, _));
utility_.Shutdown();
}
TEST_F(TpmUtilityTest, InitializeTpmAlreadyInit) {
SetExistingPCRSExpectation(false, true);
EXPECT_EQ(TPM_RC_SUCCESS, utility_.InitializeTpm());
EXPECT_EQ(TPM_RC_SUCCESS, utility_.InitializeTpm());
}
TEST_F(TpmUtilityTest, InitializeTpmSuccess) {
SetExistingPCRSExpectation(false, true);
EXPECT_EQ(TPM_RC_SUCCESS, utility_.InitializeTpm());
}
TEST_F(TpmUtilityTest, InitializeTpmBadAuth) {
SetExistingPCRSExpectation(false, true);
// Reject attempts to set platform auth.
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_PLATFORM, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.InitializeTpm());
}
TEST_F(TpmUtilityTest, InitializeTpmDisablePHFails) {
SetExistingPCRSExpectation(false, true);
// Reject attempts to disable the platform hierarchy.
EXPECT_CALL(mock_tpm_, HierarchyControlSync(_, _, TPM_RH_PLATFORM, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.InitializeTpm());
}
TEST_F(TpmUtilityTest, AllocatePCRFromNone) {
SetExistingPCRSExpectation(false, false);
TPML_PCR_SELECTION new_pcr_allocation;
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(TPM_RH_PLATFORM, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&new_pcr_allocation), SetArgPointee<3>(YES),
Return(TPM_RC_SUCCESS)));
ASSERT_EQ(TPM_RC_SUCCESS, utility_.AllocatePCR(""));
ASSERT_EQ(1u, new_pcr_allocation.count);
TPML_PCR_SELECTION expected_pcr_allocation;
PopulatePCRSelection(false, false, true, &expected_pcr_allocation);
ASSERT_EQ(0, memcmp(&expected_pcr_allocation, &new_pcr_allocation,
sizeof(TPML_PCR_SELECTION)));
}
TEST_F(TpmUtilityTest, AllocatePCRFromSHA1Only) {
SetExistingPCRSExpectation(true, false);
TPML_PCR_SELECTION new_pcr_allocation;
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(TPM_RH_PLATFORM, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&new_pcr_allocation), SetArgPointee<3>(YES),
Return(TPM_RC_SUCCESS)));
ASSERT_EQ(TPM_RC_SUCCESS, utility_.AllocatePCR(""));
ASSERT_EQ(2u, new_pcr_allocation.count);
TPML_PCR_SELECTION expected_pcr_allocation;
PopulatePCRSelection(true, true, true, &expected_pcr_allocation);
ASSERT_EQ(0, memcmp(&expected_pcr_allocation, &new_pcr_allocation,
sizeof(TPML_PCR_SELECTION)));
}
TEST_F(TpmUtilityTest, AllocatePCRFromSHA1AndSHA256) {
SetExistingPCRSExpectation(true, true);
TPML_PCR_SELECTION new_pcr_allocation;
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(TPM_RH_PLATFORM, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&new_pcr_allocation), SetArgPointee<3>(YES),
Return(TPM_RC_SUCCESS)));
ASSERT_EQ(TPM_RC_SUCCESS, utility_.AllocatePCR(""));
ASSERT_EQ(1u, new_pcr_allocation.count);
TPML_PCR_SELECTION expected_pcr_allocation;
PopulatePCRSelection(true, true, false, &expected_pcr_allocation);
ASSERT_EQ(0, memcmp(&expected_pcr_allocation, &new_pcr_allocation,
sizeof(TPML_PCR_SELECTION)));
}
TEST_F(TpmUtilityTest, AllocatePCRFromSHA256Only) {
SetExistingPCRSExpectation(false, true);
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(TPM_RH_PLATFORM, _, _, _, _, _, _, _))
.Times(0);
ASSERT_EQ(TPM_RC_SUCCESS, utility_.AllocatePCR(""));
}
TEST_F(TpmUtilityTest, AllocatePCRCommandFailure) {
SetExistingPCRSExpectation(false, false);
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(_, _, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.AllocatePCR(""));
}
TEST_F(TpmUtilityTest, AllocatePCRTpmFailure) {
SetExistingPCRSExpectation(false, false);
EXPECT_CALL(mock_tpm_, PCR_AllocateSync(_, _, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<3>(NO), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_FAILURE, utility_.AllocatePCR(""));
}
TEST_F(TpmUtilityTest, PrepareForOwnershipSuccess) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_OWNER, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.PrepareForOwnership());
}
TEST_F(TpmUtilityTest, PrepareForOwnershipFailure) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_OWNER, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.PrepareForOwnership());
}
TEST_F(TpmUtilityTest, PrepareForOwnershipAlreadyOwned) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillOnce(Return(true));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(_, _, _, _))
.Times(0);
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.PrepareForOwnership());
}
TEST_F(TpmUtilityTest, TakeOwnershipSuccess) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsEndorsementPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsLockoutPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, TakeOwnershipOwnershipDone) {
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, TakeOwnershipBadSession) {
EXPECT_CALL(mock_hmac_session_, StartUnboundSession(true))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, TakeOwnershipFailure) {
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_OWNER, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, ChangeOwnerPasswordEndorsementDone) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsLockoutPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, ChangeOwnerPasswordLockoutDone) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsEndorsementPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, ChangeOwnerPasswordEndorsementLockoutDone) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, ChangeOwnerPasswordEndorsementFail) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsEndorsementPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(_, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_ENDORSEMENT, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, ChangeOwnerPasswordLockoutFailure) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsEndorsementPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_state_, IsLockoutPasswordSet())
.WillRepeatedly(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(_, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_LOCKOUT, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.TakeOwnership("owner", "endorsement", "lockout"));
}
TEST_F(TpmUtilityTest, StirRandomSuccess) {
std::string entropy_data("large test data", 100);
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.StirRandom(entropy_data, &mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, StirRandomFails) {
std::string entropy_data("test data");
EXPECT_CALL(mock_tpm_, StirRandomSync(_, nullptr))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.StirRandom(entropy_data, nullptr));
}
TEST_F(TpmUtilityTest, GenerateRandomSuccess) {
// This number is larger than the max bytes the GetRandom call can return.
// Therefore we expect software to make multiple calls to fill this many
// bytes.
size_t num_bytes = 72;
std::string random_data;
TPM2B_DIGEST large_random;
large_random.size = 32;
TPM2B_DIGEST small_random;
small_random.size = 8;
EXPECT_CALL(mock_tpm_, GetRandomSync(_, _, &mock_authorization_delegate_))
.Times(2)
.WillRepeatedly(
DoAll(SetArgPointee<1>(large_random), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, GetRandomSync(8, _, &mock_authorization_delegate_))
.WillOnce(DoAll(SetArgPointee<1>(small_random), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.GenerateRandom(num_bytes, &mock_authorization_delegate_,
&random_data));
EXPECT_EQ(num_bytes, random_data.size());
}
TEST_F(TpmUtilityTest, GenerateRandomFails) {
size_t num_bytes = 5;
std::string random_data;
EXPECT_CALL(mock_tpm_, GetRandomSync(_, _, nullptr))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.GenerateRandom(num_bytes, nullptr, &random_data));
}
TEST_F(TpmUtilityTest, ExtendPCRSuccess) {
TPM_HANDLE pcr_handle = HR_PCR + 1;
TPML_DIGEST_VALUES digests;
EXPECT_CALL(mock_tpm_,
PCR_ExtendSync(pcr_handle, _, _, &mock_authorization_delegate_))
.WillOnce(DoAll(SaveArg<2>(&digests), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.ExtendPCR(1, "test digest",
&mock_authorization_delegate_));
EXPECT_EQ(1u, digests.count);
EXPECT_EQ(TPM_ALG_SHA256, digests.digests[0].hash_alg);
std::string hash_string = crypto::SHA256HashString("test digest");
EXPECT_EQ(0, memcmp(hash_string.data(), digests.digests[0].digest.sha256,
crypto::kSHA256Length));
}
TEST_F(TpmUtilityTest, ExtendPCRFail) {
int pcr_index = 0;
TPM_HANDLE pcr_handle = HR_PCR + pcr_index;
EXPECT_CALL(mock_tpm_, PCR_ExtendSync(pcr_handle, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.ExtendPCR(pcr_index, "test digest", nullptr));
}
TEST_F(TpmUtilityTest, ExtendPCRBadParam) {
EXPECT_EQ(TPM_RC_FAILURE, utility_.ExtendPCR(-1, "test digest", nullptr));
}
TEST_F(TpmUtilityTest, ReadPCRSuccess) {
// The |pcr_index| is chosen to match the structure for |pcr_select|.
// If you change |pcr_index|, remember to change |pcr_select|.
int pcr_index = 1;
std::string pcr_value;
TPML_PCR_SELECTION pcr_select;
pcr_select.count = 1;
pcr_select.pcr_selections[0].hash = TPM_ALG_SHA256;
pcr_select.pcr_selections[0].sizeof_select = 1;
pcr_select.pcr_selections[0].pcr_select[0] = 2;
TPML_DIGEST pcr_values;
pcr_values.count = 1;
pcr_values.digests[0].size = 5;
EXPECT_CALL(mock_tpm_, PCR_ReadSync(_, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<2>(pcr_select),
SetArgPointee<3>(pcr_values), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.ReadPCR(pcr_index, &pcr_value));
}
TEST_F(TpmUtilityTest, ReadPCRFail) {
std::string pcr_value;
EXPECT_CALL(mock_tpm_, PCR_ReadSync(_, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.ReadPCR(1, &pcr_value));
}
TEST_F(TpmUtilityTest, ReadPCRBadReturn) {
std::string pcr_value;
EXPECT_EQ(TPM_RC_FAILURE, utility_.ReadPCR(1, &pcr_value));
}
TEST_F(TpmUtilityTest, AsymmetricEncryptSuccess) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_ciphertext("ciphertext");
std::string ciphertext;
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_ciphertext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_EncryptSync(key_handle, _, _, _, _, _,
&mock_authorization_delegate_))
.WillOnce(DoAll(SetArgPointee<5>(out_message), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricEncrypt(key_handle, TPM_ALG_NULL, TPM_ALG_NULL,
plaintext, &mock_authorization_delegate_,
&ciphertext));
EXPECT_EQ(0, ciphertext.compare(output_ciphertext));
}
TEST_F(TpmUtilityTest, AsymmetricEncryptFail) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string ciphertext;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_EncryptSync(key_handle, _, _, _, _, _, nullptr))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.AsymmetricEncrypt(key_handle, TPM_ALG_NULL, TPM_ALG_NULL,
plaintext, nullptr, &ciphertext));
}
TEST_F(TpmUtilityTest, AsymmetricEncryptBadParams) {
TPM_HANDLE key_handle = TPM_RH_FIRST;
std::string plaintext;
std::string ciphertext;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt | kRestricted;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, nullptr))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.AsymmetricEncrypt(key_handle, TPM_ALG_RSAES, TPM_ALG_NULL,
plaintext, nullptr, &ciphertext));
}
TEST_F(TpmUtilityTest, AsymmetricEncryptNullSchemeForward) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_ciphertext("ciphertext");
std::string ciphertext;
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_ciphertext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
TPMT_RSA_DECRYPT scheme;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_EncryptSync(key_handle, _, _, _, _, _, nullptr))
.WillOnce(DoAll(SetArgPointee<5>(out_message), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricEncrypt(key_handle, TPM_ALG_NULL, TPM_ALG_NULL,
plaintext, nullptr, &ciphertext));
EXPECT_EQ(scheme.scheme, TPM_ALG_OAEP);
EXPECT_EQ(scheme.details.oaep.hash_alg, TPM_ALG_SHA256);
}
TEST_F(TpmUtilityTest, AsymmetricEncryptSchemeForward) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_ciphertext("ciphertext");
std::string ciphertext;
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_ciphertext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
TPMT_RSA_DECRYPT scheme;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_EncryptSync(key_handle, _, _, _, _, _, nullptr))
.WillOnce(DoAll(SetArgPointee<5>(out_message), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricEncrypt(key_handle, TPM_ALG_RSAES, TPM_ALG_NULL,
plaintext, nullptr, &ciphertext));
EXPECT_EQ(scheme.scheme, TPM_ALG_RSAES);
}
TEST_F(TpmUtilityTest, AsymmetricDecryptSuccess) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_plaintext("plaintext");
std::string ciphertext;
std::string password("password");
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_plaintext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_DecryptSync(key_handle, _, _, _, _, _,
&mock_authorization_delegate_))
.WillOnce(DoAll(SetArgPointee<5>(out_message), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricDecrypt(
key_handle, TPM_ALG_NULL, TPM_ALG_NULL, ciphertext,
&mock_authorization_delegate_, &plaintext));
EXPECT_EQ(0, plaintext.compare(output_plaintext));
}
TEST_F(TpmUtilityTest, AsymmetricDecryptFail) {
TPM_HANDLE key_handle;
std::string key_name;
std::string plaintext;
std::string ciphertext;
std::string password;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_DecryptSync(key_handle, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.AsymmetricDecrypt(
key_handle, TPM_ALG_NULL, TPM_ALG_NULL, ciphertext,
&mock_authorization_delegate_, &plaintext));
}
TEST_F(TpmUtilityTest, AsymmetricDecryptBadParams) {
TPM_HANDLE key_handle = TPM_RH_FIRST;
std::string plaintext;
std::string ciphertext;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt | kRestricted;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.AsymmetricDecrypt(
key_handle, TPM_ALG_RSAES, TPM_ALG_NULL, ciphertext,
&mock_authorization_delegate_, &plaintext));
}
TEST_F(TpmUtilityTest, AsymmetricDecryptBadSession) {
TPM_HANDLE key_handle = TPM_RH_FIRST;
std::string key_name;
std::string plaintext;
std::string ciphertext;
std::string password;
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.AsymmetricDecrypt(key_handle, TPM_ALG_RSAES, TPM_ALG_NULL,
ciphertext, nullptr, &plaintext));
}
TEST_F(TpmUtilityTest, AsymmetricDecryptNullHashAlgorithmForward) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_plaintext("plaintext");
std::string ciphertext;
std::string password;
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_plaintext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
TPMT_RSA_DECRYPT scheme;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_DecryptSync(key_handle, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<5>(out_message), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricDecrypt(
key_handle, TPM_ALG_OAEP, TPM_ALG_NULL, ciphertext,
&mock_authorization_delegate_, &plaintext));
EXPECT_EQ(scheme.scheme, TPM_ALG_OAEP);
EXPECT_EQ(scheme.details.oaep.hash_alg, TPM_ALG_SHA256);
}
TEST_F(TpmUtilityTest, AsymmetricDecryptSchemeForward) {
TPM_HANDLE key_handle;
std::string plaintext;
std::string output_plaintext("plaintext");
std::string ciphertext;
std::string password;
TPM2B_PUBLIC_KEY_RSA out_message =
Make_TPM2B_PUBLIC_KEY_RSA(output_plaintext);
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
TPMT_RSA_DECRYPT scheme;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, RSA_DecryptSync(key_handle, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<5>(out_message), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.AsymmetricDecrypt(
key_handle, TPM_ALG_RSAES, TPM_ALG_NULL, ciphertext,
&mock_authorization_delegate_, &plaintext));
EXPECT_EQ(scheme.scheme, TPM_ALG_RSAES);
}
TEST_F(TpmUtilityTest, SignSuccess) {
TPM_HANDLE key_handle;
std::string password("password");
std::string digest(32, 'a');
TPMT_SIGNATURE signature_out;
signature_out.signature.rsassa.sig.size = 2;
signature_out.signature.rsassa.sig.buffer[0] = 'h';
signature_out.signature.rsassa.sig.buffer[1] = 'i';
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, SignSync(key_handle, _, _, _, _, _,
&mock_authorization_delegate_))
.WillOnce(DoAll(SetArgPointee<5>(signature_out), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Sign(key_handle, TPM_ALG_RSASSA, TPM_ALG_SHA256, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
EXPECT_EQ(0, signature.compare("hi"));
}
TEST_F(TpmUtilityTest, SignFail) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, SignSync(key_handle, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.Sign(key_handle, TPM_ALG_RSASSA, TPM_ALG_SHA256, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignBadParams1) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign | kRestricted;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_NULL, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignBadAuthorizationSession) {
TPM_HANDLE key_handle = TPM_RH_FIRST;
std::string password;
std::string digest(32, 'a');
std::string signature;
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_NULL, digest,
true /* generate_hash */,
nullptr, &signature));
}
TEST_F(TpmUtilityTest, SignBadParams2) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_NULL, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignBadParams3) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_ECC;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_NULL, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignBadParams4) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_FAILURE)));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_NULL, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignBadParams5) {
TPM_HANDLE key_handle = 0;
std::string password;
std::string digest(32, 'a');
std::string signature;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Sign(key_handle, TPM_ALG_AES, TPM_ALG_NULL, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
}
TEST_F(TpmUtilityTest, SignNullSchemeForward) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
TPMT_SIGNATURE signature_out;
signature_out.signature.rsassa.sig.size = 0;
std::string signature;
TPM2B_PUBLIC public_area;
TPMT_SIG_SCHEME scheme;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, SignSync(key_handle, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<5>(signature_out), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Sign(key_handle, TPM_ALG_NULL, TPM_ALG_SHA256, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
EXPECT_EQ(scheme.scheme, TPM_ALG_RSASSA);
EXPECT_EQ(scheme.details.rsassa.hash_alg, TPM_ALG_SHA256);
}
TEST_F(TpmUtilityTest, SignRSASSAWithNullAlgorithm) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(32, 'a');
TPMT_SIGNATURE signature_out;
signature_out.signature.rsassa.sig.size = 0;
std::string signature;
TPM2B_PUBLIC public_area;
TPMT_SIG_SCHEME scheme;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, SignSync(key_handle, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<5>(signature_out), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Sign(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
false /* generate_hash */,
&mock_authorization_delegate_, &signature));
EXPECT_EQ(scheme.scheme, TPM_ALG_RSASSA);
EXPECT_EQ(scheme.details.rsassa.hash_alg, TPM_ALG_NULL);
}
TEST_F(TpmUtilityTest, SignSchemeForward) {
TPM_HANDLE key_handle;
std::string password;
std::string digest(64, 'a');
TPMT_SIGNATURE signature_out;
signature_out.signature.rsassa.sig.size = 0;
std::string signature;
TPM2B_PUBLIC public_area;
TPMT_SIG_SCHEME scheme;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, SignSync(key_handle, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<5>(signature_out), SaveArg<3>(&scheme),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Sign(key_handle, TPM_ALG_RSAPSS, TPM_ALG_SHA1, digest,
true /* generate_hash */,
&mock_authorization_delegate_, &signature));
EXPECT_EQ(scheme.scheme, TPM_ALG_RSAPSS);
EXPECT_EQ(scheme.details.rsapss.hash_alg, TPM_ALG_SHA1);
}
TEST_F(TpmUtilityTest, VerifySuccess) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, VerifySignatureSync(key_handle, _, _, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyFail) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, VerifySignatureSync(key_handle, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyBadParams1) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign | kRestricted;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyBadParams2) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kDecrypt;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyBadParams3) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_ECC;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyBadParams4) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_FAILURE)));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyBadParams5) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.Verify(key_handle, TPM_ALG_AES, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
}
TEST_F(TpmUtilityTest, VerifyNullSchemeForward) {
TPM_HANDLE key_handle;
std::string digest(32, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
TPMT_SIGNATURE signature_in;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, VerifySignatureSync(key_handle, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<3>(&signature_in), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Verify(key_handle, TPM_ALG_NULL, TPM_ALG_NULL, digest,
true /* generate_hash */, signature, nullptr));
EXPECT_EQ(signature_in.sig_alg, TPM_ALG_RSASSA);
EXPECT_EQ(signature_in.signature.rsassa.hash, TPM_ALG_SHA256);
}
TEST_F(TpmUtilityTest, VerifySchemeForward) {
TPM_HANDLE key_handle;
std::string digest(64, 'a');
std::string signature;
TPM2B_PUBLIC public_area;
TPMT_SIGNATURE signature_in;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.object_attributes = kSign;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, VerifySignatureSync(key_handle, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<3>(&signature_in), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.Verify(key_handle, TPM_ALG_RSAPSS, TPM_ALG_SHA1, digest,
true /* generate_hash */, signature, nullptr));
EXPECT_EQ(signature_in.sig_alg, TPM_ALG_RSAPSS);
EXPECT_EQ(signature_in.signature.rsassa.hash, TPM_ALG_SHA1);
}
TEST_F(TpmUtilityTest, CertifyCreationSuccess) {
TPM_HANDLE key_handle = 42;
std::string creation_blob;
EXPECT_CALL(mock_tpm_, CertifyCreationSyncShort(TPM_RH_NULL, key_handle, _, _,
_, _, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.CertifyCreation(key_handle, creation_blob));
}
TEST_F(TpmUtilityTest, CertifyCreationParserError) {
TPM_HANDLE key_handle = 42;
std::string creation_blob;
EXPECT_CALL(mock_blob_parser_, ParseCreationBlob(creation_blob, _, _, _))
.WillOnce(Return(false));
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.CertifyCreation(key_handle, creation_blob));
}
TEST_F(TpmUtilityTest, CertifyCreationFailure) {
TPM_HANDLE key_handle = 42;
std::string creation_blob;
EXPECT_CALL(mock_tpm_, CertifyCreationSyncShort(TPM_RH_NULL, key_handle, _, _,
_, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.CertifyCreation(key_handle, creation_blob));
}
TEST_F(TpmUtilityTest, ChangeAuthDataSuccess) {
TPM_HANDLE key_handle = 1;
std::string new_password;
std::string key_blob;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(_, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.ChangeKeyAuthorizationData(
key_handle, new_password,
&mock_authorization_delegate_, &key_blob));
}
TEST_F(TpmUtilityTest, ChangeAuthDataKeyNameFail) {
TPM_HANDLE key_handle = 1;
std::string old_password;
std::string new_password;
EXPECT_CALL(mock_tpm_, ReadPublicSync(key_handle, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.ChangeKeyAuthorizationData(
key_handle, new_password,
&mock_authorization_delegate_, nullptr));
}
TEST_F(TpmUtilityTest, ChangeAuthDataFailure) {
TPM_HANDLE key_handle = 1;
std::string new_password;
EXPECT_CALL(mock_tpm_, ObjectChangeAuthSync(key_handle, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.ChangeKeyAuthorizationData(
key_handle, new_password,
&mock_authorization_delegate_, nullptr));
}
TEST_F(TpmUtilityTest, ChangeAuthDataParserFail) {
TPM_HANDLE key_handle = 1;
std::string new_password;
std::string key_blob;
TPM2B_PUBLIC public_area;
public_area.public_area.type = TPM_ALG_RSA;
public_area.public_area.auth_policy.size = 0;
public_area.public_area.unique.rsa.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(_, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_area), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_blob_parser_, SerializeKeyBlob(_, _, &key_blob))
.WillOnce(Return(false));
EXPECT_EQ(
SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.ChangeKeyAuthorizationData(
key_handle, new_password, &mock_authorization_delegate_, &key_blob));
}
TEST_F(TpmUtilityTest, ImportRSAKeySuccess) {
uint32_t public_exponent = 0x10001;
std::string modulus(256, 'a');
std::string prime_factor(128, 'b');
std::string password("password");
std::string key_blob;
TPM2B_DATA encryption_key;
TPM2B_PUBLIC public_data;
TPM2B_PRIVATE private_data;
EXPECT_CALL(mock_tpm_, ImportSync(_, _, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&encryption_key), SaveArg<3>(&public_data),
SaveArg<4>(&private_data), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(
TPM_RC_SUCCESS,
utility_.ImportRSAKey(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
modulus, public_exponent, prime_factor, password,
&mock_authorization_delegate_, &key_blob));
// Validate that the public area was properly constructed.
EXPECT_EQ(public_data.public_area.parameters.rsa_detail.key_bits,
modulus.size() * 8);
EXPECT_EQ(public_data.public_area.parameters.rsa_detail.exponent,
public_exponent);
EXPECT_EQ(public_data.public_area.unique.rsa.size, modulus.size());
EXPECT_EQ(0, memcmp(public_data.public_area.unique.rsa.buffer, modulus.data(),
modulus.size()));
// Validate the private struct construction.
EXPECT_EQ(kAesKeySize, encryption_key.size);
AES_KEY key;
AES_set_encrypt_key(encryption_key.buffer, kAesKeySize * 8, &key);
unsigned char iv[MAX_AES_BLOCK_SIZE_BYTES] = {0};
int iv_in = 0;
std::string unencrypted_private(private_data.size, 0);
AES_cfb128_encrypt(
reinterpret_cast<const unsigned char*>(private_data.buffer),
reinterpret_cast<unsigned char*>(string_as_array(&unencrypted_private)),
private_data.size, &key, iv, &iv_in, AES_DECRYPT);
TPM2B_DIGEST inner_integrity;
EXPECT_EQ(TPM_RC_SUCCESS, Parse_TPM2B_DIGEST(&unencrypted_private,
&inner_integrity, nullptr));
std::string object_name;
EXPECT_EQ(TPM_RC_SUCCESS,
ComputeKeyName(public_data.public_area, &object_name));
std::string integrity_value =
crypto::SHA256HashString(unencrypted_private + object_name);
EXPECT_EQ(integrity_value.size(), inner_integrity.size);
EXPECT_EQ(0, memcmp(inner_integrity.buffer, integrity_value.data(),
inner_integrity.size));
TPM2B_SENSITIVE sensitive_data;
EXPECT_EQ(TPM_RC_SUCCESS, Parse_TPM2B_SENSITIVE(&unencrypted_private,
&sensitive_data, nullptr));
EXPECT_EQ(sensitive_data.sensitive_area.auth_value.size, password.size());
EXPECT_EQ(0, memcmp(sensitive_data.sensitive_area.auth_value.buffer,
password.data(), password.size()));
EXPECT_EQ(sensitive_data.sensitive_area.sensitive.rsa.size,
prime_factor.size());
EXPECT_EQ(0, memcmp(sensitive_data.sensitive_area.sensitive.rsa.buffer,
prime_factor.data(), prime_factor.size()));
}
TEST_F(TpmUtilityTest, ImportRSAKeySuccessWithNoBlob) {
uint32_t public_exponent = 0x10001;
std::string modulus(256, 'a');
std::string prime_factor(128, 'b');
std::string password;
EXPECT_EQ(
TPM_RC_SUCCESS,
utility_.ImportRSAKey(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
modulus, public_exponent, prime_factor, password,
&mock_authorization_delegate_, nullptr));
}
TEST_F(TpmUtilityTest, ImportRSAKeyParentNameFail) {
uint32_t public_exponent = 0x10001;
std::string modulus(256, 'a');
std::string prime_factor(128, 'b');
std::string password;
EXPECT_CALL(mock_tpm_, ReadPublicSync(_, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(
TPM_RC_FAILURE,
utility_.ImportRSAKey(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
modulus, public_exponent, prime_factor, password,
&mock_authorization_delegate_, nullptr));
}
TEST_F(TpmUtilityTest, ImportRSAKeyFail) {
std::string modulus;
std::string prime_factor;
std::string password;
EXPECT_CALL(mock_tpm_, ImportSync(_, _, _, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.ImportRSAKey(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
modulus, 0x10001, prime_factor, password,
&mock_authorization_delegate_, nullptr));
}
TEST_F(TpmUtilityTest, ImportRSAKeyParserFail) {
std::string modulus;
std::string prime_factor;
std::string password;
std::string key_blob;
EXPECT_CALL(mock_blob_parser_, SerializeKeyBlob(_, _, &key_blob))
.WillOnce(Return(false));
EXPECT_EQ(SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.ImportRSAKey(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
modulus, 0x10001, prime_factor, password,
&mock_authorization_delegate_, &key_blob));
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairSuccess) {
TPM2B_PUBLIC public_area;
TPML_PCR_SELECTION creation_pcrs;
EXPECT_CALL(mock_tpm_, CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _,
_, _, &mock_authorization_delegate_))
.WillOnce(DoAll(SaveArg<2>(&public_area), SaveArg<3>(&creation_pcrs),
Return(TPM_RC_SUCCESS)));
std::string key_blob;
std::string creation_blob;
int creation_pcr = 12;
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kDecryptAndSignKey, 2048,
0x10001, "password", "", false, creation_pcr,
&mock_authorization_delegate_, &key_blob, &creation_blob));
EXPECT_EQ(public_area.public_area.object_attributes & kDecrypt, kDecrypt);
EXPECT_EQ(public_area.public_area.object_attributes & kSign, kSign);
EXPECT_EQ(public_area.public_area.object_attributes & kUserWithAuth,
kUserWithAuth);
EXPECT_EQ(public_area.public_area.object_attributes & kAdminWithPolicy, 0u);
EXPECT_EQ(public_area.public_area.parameters.rsa_detail.scheme.scheme,
TPM_ALG_NULL);
EXPECT_EQ(1u, creation_pcrs.count);
EXPECT_EQ(TPM_ALG_SHA256, creation_pcrs.pcr_selections[0].hash);
EXPECT_EQ(PCR_SELECT_MIN, creation_pcrs.pcr_selections[0].sizeof_select);
EXPECT_EQ(1u << (creation_pcr % 8),
creation_pcrs.pcr_selections[0].pcr_select[creation_pcr / 8]);
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairDecryptKeySuccess) {
TPM2B_PUBLIC public_area;
EXPECT_CALL(mock_tpm_, CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _,
_, _, &mock_authorization_delegate_))
.WillOnce(DoAll(SaveArg<2>(&public_area), Return(TPM_RC_SUCCESS)));
std::string key_blob;
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kDecryptKey, 2048, 0x10001,
"password", "", false, kNoCreationPCR,
&mock_authorization_delegate_, &key_blob, nullptr));
EXPECT_EQ(public_area.public_area.object_attributes & kDecrypt, kDecrypt);
EXPECT_EQ(public_area.public_area.object_attributes & kSign, 0u);
EXPECT_EQ(public_area.public_area.parameters.rsa_detail.scheme.scheme,
TPM_ALG_NULL);
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairSignKeySuccess) {
TPM2B_PUBLIC public_area;
TPM2B_SENSITIVE_CREATE sensitive_create;
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(kVendorIdCr50), Return(true)));
EXPECT_CALL(mock_tpm_, CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _,
_, _, &mock_authorization_delegate_))
.WillOnce(DoAll(SaveArg<1>(&sensitive_create), SaveArg<2>(&public_area),
Return(TPM_RC_SUCCESS)));
std::string key_blob;
std::string policy_digest(32, 'a');
std::string key_auth("password");
EXPECT_EQ(
TPM_RC_SUCCESS,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kSignKey, 2048, 0x10001, key_auth,
policy_digest, true /* use_only_policy_authorization */,
kNoCreationPCR, &mock_authorization_delegate_, &key_blob, nullptr));
EXPECT_EQ(public_area.public_area.object_attributes & kDecrypt, 0u);
EXPECT_EQ(public_area.public_area.object_attributes & kSign, kSign);
EXPECT_EQ(public_area.public_area.object_attributes & kUserWithAuth, 0u);
EXPECT_EQ(public_area.public_area.object_attributes & kAdminWithPolicy,
kAdminWithPolicy);
EXPECT_EQ(public_area.public_area.parameters.rsa_detail.scheme.scheme,
TPM_ALG_NULL);
EXPECT_EQ(public_area.public_area.parameters.rsa_detail.key_bits, 2048);
EXPECT_EQ(public_area.public_area.parameters.rsa_detail.exponent, 0x10001u);
EXPECT_EQ(public_area.public_area.auth_policy.size, policy_digest.size());
EXPECT_EQ(0, memcmp(public_area.public_area.auth_policy.buffer,
policy_digest.data(), policy_digest.size()));
EXPECT_EQ(sensitive_create.sensitive.user_auth.size, key_auth.size());
EXPECT_EQ(0, memcmp(sensitive_create.sensitive.user_auth.buffer,
key_auth.data(), key_auth.size()));
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairSignKeySuccessNoPaddingOnlyAlg) {
// Unknown vendor - no padding-only alg support expected for TPM.
uint32_t vendor_id = 0xaabbccdd;
TPM2B_PUBLIC public_area;
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(vendor_id), Return(true)));
EXPECT_CALL(mock_tpm_, CreateSyncShort(_, _, _, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&public_area), Return(TPM_RC_SUCCESS)));
std::string key_blob;
std::string policy_digest(32, 'a');
std::string key_auth("password");
EXPECT_EQ(
TPM_RC_SUCCESS,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kSignKey, 2048, 0x10001, key_auth,
policy_digest, true /* use_only_policy_authorization */,
kNoCreationPCR, &mock_authorization_delegate_, &key_blob, nullptr));
EXPECT_EQ(public_area.public_area.object_attributes & kDecrypt, kDecrypt);
EXPECT_EQ(public_area.public_area.object_attributes & kSign, kSign);
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairBadDelegate) {
std::string key_blob;
EXPECT_EQ(
SAPI_RC_INVALID_SESSIONS,
utility_.CreateRSAKeyPair(TpmUtility::AsymmetricKeyUsage::kDecryptKey,
2048, 0x10001, "password", "", false,
kNoCreationPCR, nullptr, &key_blob, nullptr));
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairFailure) {
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(kVendorIdCr50), Return(true)));
EXPECT_CALL(mock_tpm_, CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _,
_, _, &mock_authorization_delegate_))
.WillOnce(Return(TPM_RC_FAILURE));
std::string key_blob;
EXPECT_EQ(TPM_RC_FAILURE,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kSignKey, 2048, 0x10001,
"password", "", false, kNoCreationPCR,
&mock_authorization_delegate_, &key_blob, nullptr));
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairKeyParserFail) {
std::string key_blob;
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(kVendorIdCr50), Return(true)));
EXPECT_CALL(mock_blob_parser_, SerializeKeyBlob(_, _, &key_blob))
.WillOnce(Return(false));
EXPECT_EQ(SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kSignKey, 2048, 0x10001,
"password", "", false, kNoCreationPCR,
&mock_authorization_delegate_, &key_blob, nullptr));
}
TEST_F(TpmUtilityTest, CreateRSAKeyPairCreationParserFail) {
std::string creation_blob;
std::string key_blob;
EXPECT_CALL(mock_tpm_state_, Initialize())
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_state_, GetTpmProperty(TPM_PT_MANUFACTURER, _))
.WillOnce(DoAll(SetArgPointee<1>(kVendorIdCr50), Return(true)));
EXPECT_CALL(mock_blob_parser_, SerializeCreationBlob(_, _, _, &creation_blob))
.WillOnce(Return(false));
EXPECT_EQ(SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.CreateRSAKeyPair(
TpmUtility::AsymmetricKeyUsage::kSignKey, 2048, 0x10001,
"password", "", false, kNoCreationPCR,
&mock_authorization_delegate_, &key_blob, &creation_blob));
}
TEST_F(TpmUtilityTest, LoadKeySuccess) {
TPM_HANDLE key_handle = TPM_RH_FIRST;
TPM_HANDLE loaded_handle;
EXPECT_CALL(mock_tpm_, LoadSync(kRSAStorageRootKey, _, _, _, _, _,
&mock_authorization_delegate_))
.WillOnce(DoAll(SetArgPointee<4>(key_handle), Return(TPM_RC_SUCCESS)));
std::string key_blob;
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.LoadKey(key_blob, &mock_authorization_delegate_,
&loaded_handle));
EXPECT_EQ(loaded_handle, key_handle);
}
TEST_F(TpmUtilityTest, LoadKeyFailure) {
TPM_HANDLE key_handle;
EXPECT_CALL(mock_tpm_, LoadSync(_, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
std::string key_blob;
EXPECT_EQ(
TPM_RC_FAILURE,
utility_.LoadKey(key_blob, &mock_authorization_delegate_, &key_handle));
}
TEST_F(TpmUtilityTest, LoadKeyBadDelegate) {
TPM_HANDLE key_handle;
std::string key_blob;
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.LoadKey(key_blob, nullptr, &key_handle));
}
TEST_F(TpmUtilityTest, LoadKeyParserFail) {
TPM_HANDLE key_handle;
std::string key_blob;
EXPECT_CALL(mock_blob_parser_, ParseKeyBlob(key_blob, _, _))
.WillOnce(Return(false));
EXPECT_EQ(
SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.LoadKey(key_blob, &mock_authorization_delegate_, &key_handle));
}
TEST_F(TpmUtilityTest, SealedDataSuccess) {
std::string data_to_seal("seal_data");
std::string sealed_data;
TPM2B_SENSITIVE_CREATE sensitive_create;
TPM2B_PUBLIC in_public;
EXPECT_CALL(mock_tpm_,
CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<1>(&sensitive_create), SaveArg<2>(&in_public),
Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.SealData(data_to_seal, "", &mock_authorization_delegate_,
&sealed_data));
EXPECT_EQ(sensitive_create.sensitive.data.size, data_to_seal.size());
EXPECT_EQ(0, memcmp(sensitive_create.sensitive.data.buffer,
data_to_seal.data(), data_to_seal.size()));
EXPECT_EQ(in_public.public_area.type, TPM_ALG_KEYEDHASH);
EXPECT_EQ(in_public.public_area.name_alg, TPM_ALG_SHA256);
}
TEST_F(TpmUtilityTest, SealDataBadDelegate) {
std::string data_to_seal("seal_data");
std::string sealed_data;
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.SealData(data_to_seal, "", nullptr, &sealed_data));
}
TEST_F(TpmUtilityTest, SealDataFailure) {
std::string data_to_seal("seal_data");
std::string sealed_data;
EXPECT_CALL(mock_tpm_,
CreateSyncShort(kRSAStorageRootKey, _, _, _, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.SealData(data_to_seal, "", &mock_authorization_delegate_,
&sealed_data));
}
TEST_F(TpmUtilityTest, SealDataParserFail) {
std::string data_to_seal("seal_data");
std::string sealed_data;
EXPECT_CALL(mock_blob_parser_, SerializeKeyBlob(_, _, &sealed_data))
.WillOnce(Return(false));
EXPECT_EQ(SAPI_RC_BAD_TCTI_STRUCTURE,
utility_.SealData(data_to_seal, "", &mock_authorization_delegate_,
&sealed_data));
}
TEST_F(TpmUtilityTest, UnsealDataSuccess) {
std::string sealed_data;
std::string tpm_unsealed_data("password");
std::string unsealed_data;
TPM_HANDLE object_handle = 42;
TPM2B_PUBLIC public_data;
public_data.public_area.auth_policy.size = 0;
EXPECT_CALL(mock_tpm_, ReadPublicSync(_, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_data), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, ReadPublicSync(object_handle, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<2>(public_data), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, LoadSync(_, _, _, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(object_handle), Return(TPM_RC_SUCCESS)));
TPM2B_SENSITIVE_DATA out_data = Make_TPM2B_SENSITIVE_DATA(tpm_unsealed_data);
EXPECT_CALL(mock_tpm_, UnsealSync(object_handle, _, _, _))
.WillOnce(DoAll(SetArgPointee<2>(out_data), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.UnsealData(sealed_data, &mock_authorization_delegate_,
&unsealed_data));
EXPECT_EQ(unsealed_data, tpm_unsealed_data);
}
TEST_F(TpmUtilityTest, UnsealDataBadDelegate) {
std::string sealed_data;
std::string unsealed_data;
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.UnsealData(sealed_data, nullptr, &unsealed_data));
}
TEST_F(TpmUtilityTest, UnsealDataLoadFail) {
std::string sealed_data;
std::string unsealed_data;
EXPECT_CALL(mock_tpm_, LoadSync(_, _, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.UnsealData(sealed_data, &mock_authorization_delegate_,
&unsealed_data));
}
TEST_F(TpmUtilityTest, UnsealDataBadKeyName) {
std::string sealed_data;
std::string unsealed_data;
EXPECT_CALL(mock_tpm_, ReadPublicSync(_, _, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.UnsealData(sealed_data, &mock_authorization_delegate_,
&unsealed_data));
}
TEST_F(TpmUtilityTest, UnsealObjectFailure) {
std::string sealed_data;
std::string unsealed_data;
EXPECT_CALL(mock_tpm_, UnsealSync(_, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.UnsealData(sealed_data, &mock_authorization_delegate_,
&unsealed_data));
}
TEST_F(TpmUtilityTest, StartSessionSuccess) {
EXPECT_CALL(mock_hmac_session_, StartUnboundSession(true))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.StartSession(&mock_hmac_session_));
}
TEST_F(TpmUtilityTest, StartSessionFailure) {
EXPECT_CALL(mock_hmac_session_, StartUnboundSession(true))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.StartSession(&mock_hmac_session_));
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValueSuccess) {
int index = 5;
std::string pcr_value("pcr_value");
std::string policy_digest;
TPML_PCR_SELECTION pcr_select;
pcr_select.count = 1;
pcr_select.pcr_selections[0].hash = TPM_ALG_SHA256;
pcr_select.pcr_selections[0].sizeof_select = 1;
pcr_select.pcr_selections[0].pcr_select[index / 8] = 1 << (index % 8);
TPML_DIGEST pcr_values;
pcr_values.count = 1;
pcr_values.digests[0] = Make_TPM2B_DIGEST(pcr_value);
EXPECT_CALL(mock_tpm_, PCR_ReadSync(_, _, _, _, _))
.WillOnce(DoAll(SetArgPointee<2>(pcr_select),
SetArgPointee<3>(pcr_values), Return(TPM_RC_SUCCESS)));
std::string tpm_pcr_value;
EXPECT_CALL(mock_trial_session_, PolicyPCR(index, _))
.WillOnce(DoAll(SaveArg<1>(&tpm_pcr_value), Return(TPM_RC_SUCCESS)));
std::string tpm_policy_digest("digest");
EXPECT_CALL(mock_trial_session_, GetDigest(_))
.WillOnce(
DoAll(SetArgPointee<0>(tpm_policy_digest), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.GetPolicyDigestForPcrValue(index, "", &policy_digest));
EXPECT_EQ(policy_digest, tpm_policy_digest);
EXPECT_EQ(pcr_value, tpm_pcr_value);
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValueSuccessWithPcrValue) {
int index = 5;
std::string pcr_value("pcr_value");
std::string policy_digest;
std::string tpm_pcr_value;
EXPECT_CALL(mock_trial_session_, PolicyPCR(index, _))
.WillOnce(DoAll(SaveArg<1>(&tpm_pcr_value), Return(TPM_RC_SUCCESS)));
std::string tpm_policy_digest("digest");
EXPECT_CALL(mock_trial_session_, GetDigest(_))
.WillOnce(
DoAll(SetArgPointee<0>(tpm_policy_digest), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.GetPolicyDigestForPcrValue(
index, pcr_value, &policy_digest));
EXPECT_EQ(policy_digest, tpm_policy_digest);
EXPECT_EQ(pcr_value, tpm_pcr_value);
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValueBadSession) {
int index = 5;
std::string pcr_value("value");
std::string policy_digest;
EXPECT_CALL(mock_trial_session_, StartUnboundSession(false))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetPolicyDigestForPcrValue(
index, pcr_value, &policy_digest));
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValuePcrReadFail) {
int index = 5;
std::string policy_digest;
EXPECT_CALL(mock_tpm_, PCR_ReadSync(_, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.GetPolicyDigestForPcrValue(index, "", &policy_digest));
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValueBadPcr) {
int index = 5;
std::string pcr_value("value");
std::string policy_digest;
EXPECT_CALL(mock_trial_session_, PolicyPCR(index, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetPolicyDigestForPcrValue(
index, pcr_value, &policy_digest));
}
TEST_F(TpmUtilityTest, GetPolicyDigestForPcrValueBadDigest) {
int index = 5;
std::string pcr_value("value");
std::string policy_digest;
EXPECT_CALL(mock_trial_session_, GetDigest(&policy_digest))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetPolicyDigestForPcrValue(
index, pcr_value, &policy_digest));
}
TEST_F(TpmUtilityTest, DefineNVSpaceSuccess) {
uint32_t index = 59;
uint32_t nvram_index = NV_INDEX_FIRST + index;
size_t length = 256;
TPMA_NV attributes = TPMA_NV_WRITEDEFINE;
TPM2B_NV_PUBLIC public_data;
EXPECT_CALL(mock_tpm_, NV_DefineSpaceSync(TPM_RH_OWNER, _, _, _, _))
.WillOnce(DoAll(SaveArg<3>(&public_data), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.DefineNVSpace(index, length, attributes, "", "",
&mock_authorization_delegate_));
EXPECT_EQ(public_data.nv_public.nv_index, nvram_index);
EXPECT_EQ(public_data.nv_public.name_alg, TPM_ALG_SHA256);
EXPECT_EQ(public_data.nv_public.attributes, attributes);
EXPECT_EQ(public_data.nv_public.data_size, length);
}
TEST_F(TpmUtilityTest, DefineNVSpaceBadLength) {
size_t bad_length = 3000;
EXPECT_EQ(SAPI_RC_BAD_SIZE,
utility_.DefineNVSpace(0, bad_length, 0, "", "",
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, DefineNVSpaceBadIndex) {
uint32_t bad_index = 1 << 29;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.DefineNVSpace(bad_index, 2, 0, "", "",
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, DefineNVSpaceBadSession) {
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS,
utility_.DefineNVSpace(0, 2, 0, "", "", nullptr));
}
TEST_F(TpmUtilityTest, DefineNVSpaceFail) {
uint32_t index = 59;
size_t length = 256;
EXPECT_CALL(mock_tpm_, NV_DefineSpaceSync(TPM_RH_OWNER, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.DefineNVSpace(index, length, 0, "", "",
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, DestroyNVSpaceSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_,
NV_UndefineSpaceSync(TPM_RH_OWNER, _, nvram_index, _, _));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.DestroyNVSpace(index, &mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, DestroyNVSpaceBadIndex) {
uint32_t bad_index = 1 << 29;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.DestroyNVSpace(bad_index, &mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, DestroyNVSpaceBadSession) {
EXPECT_EQ(SAPI_RC_INVALID_SESSIONS, utility_.DestroyNVSpace(3, nullptr));
}
TEST_F(TpmUtilityTest, DestroyNVSpaceFailure) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_,
NV_UndefineSpaceSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.DestroyNVSpace(index, &mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, LockNVSpaceWriteSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_WriteLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_, NV_ReadLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.Times(0);
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.LockNVSpace(index, false, true, true,
&mock_authorization_delegate_));
TPMS_NV_PUBLIC public_area;
EXPECT_EQ(TPM_RC_SUCCESS, GetNVRAMMap(index, &public_area));
EXPECT_EQ(TPMA_NV_WRITELOCKED, public_area.attributes & TPMA_NV_WRITELOCKED);
}
TEST_F(TpmUtilityTest, LockNVSpaceReadSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_WriteLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.Times(0);
EXPECT_CALL(mock_tpm_, NV_ReadLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.LockNVSpace(index, true, false, true,
&mock_authorization_delegate_));
TPMS_NV_PUBLIC public_area;
EXPECT_EQ(TPM_RC_SUCCESS, GetNVRAMMap(index, &public_area));
EXPECT_EQ(TPMA_NV_READLOCKED, public_area.attributes & TPMA_NV_READLOCKED);
}
TEST_F(TpmUtilityTest, LockNVSpaceBothSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_WriteLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_, NV_ReadLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.LockNVSpace(index, true, true, true,
&mock_authorization_delegate_));
TPMS_NV_PUBLIC public_area;
EXPECT_EQ(TPM_RC_SUCCESS, GetNVRAMMap(index, &public_area));
EXPECT_EQ(
(TPMA_NV_READLOCKED | TPMA_NV_WRITELOCKED),
public_area.attributes & (TPMA_NV_READLOCKED | TPMA_NV_WRITELOCKED));
}
TEST_F(TpmUtilityTest, LockNVSpaceBothNotOwner) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_WriteLockSync(nvram_index, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_CALL(mock_tpm_, NV_ReadLockSync(nvram_index, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.LockNVSpace(index, true, true, false,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, LockNVSpaceBadIndex) {
uint32_t bad_index = 1 << 24;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.LockNVSpace(bad_index, true, true, true,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, LockNVSpaceFailure) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_WriteLockSync(TPM_RH_OWNER, _, nvram_index, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.LockNVSpace(index, true, true, true,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, WriteNVSpaceSuccess) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_,
NV_WriteSync(TPM_RH_OWNER, _, nvram_index, _, _, offset, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.WriteNVSpace(index, offset, "", true, false,
&mock_authorization_delegate_));
TPMS_NV_PUBLIC public_area;
EXPECT_EQ(TPM_RC_SUCCESS, GetNVRAMMap(index, &public_area));
EXPECT_EQ(public_area.attributes & TPMA_NV_WRITTEN, TPMA_NV_WRITTEN);
}
TEST_F(TpmUtilityTest, WriteNVSpaceNotOwner) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_,
NV_WriteSync(nvram_index, _, nvram_index, _, _, offset, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.WriteNVSpace(index, offset, "", false, false,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ExtendNVSpace) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_, NV_ExtendSync(TPM_RH_OWNER, _, nvram_index, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.WriteNVSpace(index, offset, "", true, true,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, WriteNVSpaceBadSize) {
uint32_t index = 53;
std::string nvram_data(1025, 0);
EXPECT_EQ(SAPI_RC_BAD_SIZE,
utility_.WriteNVSpace(index, 0, nvram_data, true, false,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, WriteNVSpaceBadIndex) {
uint32_t bad_index = 1 << 24;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.WriteNVSpace(bad_index, 0, "", true, false,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, WriteNVSpaceFailure) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nvram_index = NV_INDEX_FIRST + index;
EXPECT_CALL(mock_tpm_,
NV_WriteSync(TPM_RH_OWNER, _, nvram_index, _, _, offset, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.WriteNVSpace(index, offset, "", true, false,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ReadNVSpaceSuccess) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nv_index = NV_INDEX_FIRST + index;
size_t length = 24;
std::string nvram_data;
EXPECT_CALL(mock_tpm_,
NV_ReadSync(nv_index, _, nv_index, _, length, offset, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.ReadNVSpace(index, offset, length, false, &nvram_data,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ReadNVSpaceOwner) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nv_index = NV_INDEX_FIRST + index;
size_t length = 24;
std::string nvram_data;
EXPECT_CALL(mock_tpm_,
NV_ReadSync(TPM_RH_OWNER, _, nv_index, _, length, offset, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.ReadNVSpace(index, offset, length, true, &nvram_data,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ReadNVSpaceBadReadLength) {
size_t length = 1025;
std::string nvram_data;
EXPECT_EQ(SAPI_RC_BAD_SIZE,
utility_.ReadNVSpace(52, 0, length, true, &nvram_data,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ReadNVSpaceBadIndex) {
uint32_t bad_index = 1 << 24;
std::string nvram_data;
EXPECT_EQ(SAPI_RC_BAD_PARAMETER,
utility_.ReadNVSpace(bad_index, 0, 5, true, &nvram_data,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, ReadNVSpaceFailure) {
uint32_t index = 53;
uint32_t offset = 5;
uint32_t nv_index = NV_INDEX_FIRST + index;
size_t length = 24;
std::string nvram_data;
EXPECT_CALL(mock_tpm_,
NV_ReadSync(nv_index, _, nv_index, _, length, offset, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.ReadNVSpace(index, offset, length, false, &nvram_data,
&mock_authorization_delegate_));
}
TEST_F(TpmUtilityTest, GetNVSpaceNameSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
std::string name;
EXPECT_CALL(mock_tpm_, NV_ReadPublicSync(nvram_index, _, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.GetNVSpaceName(index, &name));
}
TEST_F(TpmUtilityTest, GetNVSpaceNameFailure) {
uint32_t index = 53;
std::string name;
EXPECT_CALL(mock_tpm_, NV_ReadPublicSync(_, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetNVSpaceName(index, &name));
}
TEST_F(TpmUtilityTest, GetNVSpacePublicAreaCachedSuccess) {
uint32_t index = 53;
TPMS_NV_PUBLIC public_area;
SetNVRAMMap(index, public_area);
EXPECT_CALL(mock_tpm_, NV_ReadPublicSync(_, _, _, _, _)).Times(0);
EXPECT_EQ(TPM_RC_SUCCESS, utility_.GetNVSpacePublicArea(index, &public_area));
}
TEST_F(TpmUtilityTest, GetNVSpacePublicAreaSuccess) {
uint32_t index = 53;
uint32_t nvram_index = NV_INDEX_FIRST + index;
TPMS_NV_PUBLIC public_area;
EXPECT_CALL(mock_tpm_, NV_ReadPublicSync(nvram_index, _, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.GetNVSpacePublicArea(index, &public_area));
}
TEST_F(TpmUtilityTest, GetNVSpacePublicAreaFailure) {
uint32_t index = 53;
TPMS_NV_PUBLIC public_area;
EXPECT_CALL(mock_tpm_, NV_ReadPublicSync(_, _, _, _, _))
.WillOnce(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetNVSpacePublicArea(index, &public_area));
}
TEST_F(TpmUtilityTest, SetKnownPasswordSuccess) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet()).WillOnce(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_OWNER, _, _, _))
.WillOnce(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, SetKnownOwnerPassword("password"));
}
TEST_F(TpmUtilityTest, SetKnownPasswordOwnershipDone) {
EXPECT_EQ(TPM_RC_SUCCESS, SetKnownOwnerPassword("password"));
}
TEST_F(TpmUtilityTest, SetKnownPasswordFailure) {
EXPECT_CALL(mock_tpm_state_, IsOwnerPasswordSet()).WillOnce(Return(false));
EXPECT_CALL(mock_tpm_, HierarchyChangeAuthSync(TPM_RH_OWNER, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, SetKnownOwnerPassword("password"));
}
TEST_F(TpmUtilityTest, RootKeysSuccess) {
EXPECT_EQ(TPM_RC_SUCCESS, CreateStorageRootKeys("password"));
}
TEST_F(TpmUtilityTest, RootKeysHandleConsistency) {
TPM_HANDLE test_handle = 42;
EXPECT_CALL(mock_tpm_, CreatePrimarySyncShort(_, _, _, _, _, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<3>(test_handle), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, EvictControlSync(_, _, test_handle, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, CreateStorageRootKeys("password"));
}
TEST_F(TpmUtilityTest, RootKeysCreateFailure) {
EXPECT_CALL(mock_tpm_, CreatePrimarySyncShort(_, _, _, _, _, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, CreateStorageRootKeys("password"));
}
TEST_F(TpmUtilityTest, RootKeysPersistFailure) {
EXPECT_CALL(mock_tpm_, EvictControlSync(_, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, CreateStorageRootKeys("password"));
}
TEST_F(TpmUtilityTest, RootKeysAlreadyExist) {
SetExistingKeyHandleExpectation(kRSAStorageRootKey);
SetExistingKeyHandleExpectation(kECCStorageRootKey);
EXPECT_EQ(TPM_RC_SUCCESS, CreateStorageRootKeys("password"));
}
TEST_F(TpmUtilityTest, SaltingKeySuccess) {
TPM2B_PUBLIC public_area;
EXPECT_CALL(mock_tpm_, CreateSyncShort(_, _, _, _, _, _, _, _, _, _))
.WillOnce(DoAll(SaveArg<2>(&public_area), Return(TPM_RC_SUCCESS)));
EXPECT_EQ(TPM_RC_SUCCESS, CreateSaltingKey("password"));
EXPECT_EQ(TPM_ALG_SHA256, public_area.public_area.name_alg);
}
TEST_F(TpmUtilityTest, SaltingKeyConsistency) {
TPM_HANDLE test_handle = 42;
EXPECT_CALL(mock_tpm_, LoadSync(_, _, _, _, _, _, _))
.WillRepeatedly(
DoAll(SetArgPointee<4>(test_handle), Return(TPM_RC_SUCCESS)));
EXPECT_CALL(mock_tpm_, EvictControlSync(_, _, test_handle, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, CreateSaltingKey("password"));
}
TEST_F(TpmUtilityTest, SaltingKeyCreateFailure) {
EXPECT_CALL(mock_tpm_, CreateSyncShort(_, _, _, _, _, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, CreateSaltingKey("password"));
}
TEST_F(TpmUtilityTest, SaltingKeyLoadFailure) {
EXPECT_CALL(mock_tpm_, LoadSync(_, _, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, CreateSaltingKey("password"));
}
TEST_F(TpmUtilityTest, SaltingKeyPersistFailure) {
EXPECT_CALL(mock_tpm_, EvictControlSync(_, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, CreateSaltingKey("password"));
}
TEST_F(TpmUtilityTest, SaltingKeyAlreadyExists) {
SetExistingKeyHandleExpectation(kSaltingKey);
EXPECT_EQ(TPM_RC_SUCCESS, CreateSaltingKey("password"));
}
TEST_F(TpmUtilityTest, SetDictionaryAttackParametersSuccess) {
EXPECT_CALL(mock_tpm_, DictionaryAttackParametersSync(TPM_RH_LOCKOUT, _, 1, 2,
3, nullptr))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.SetDictionaryAttackParameters(1, 2, 3, nullptr));
}
TEST_F(TpmUtilityTest, SetDictionaryAttackParametersFailure) {
EXPECT_CALL(mock_tpm_, DictionaryAttackParametersSync(TPM_RH_LOCKOUT, _, 1, 2,
3, nullptr))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE,
utility_.SetDictionaryAttackParameters(1, 2, 3, nullptr));
}
TEST_F(TpmUtilityTest, ResetDictionaryAttackLockSuccess) {
EXPECT_CALL(mock_tpm_,
DictionaryAttackLockResetSync(TPM_RH_LOCKOUT, _, nullptr))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.ResetDictionaryAttackLock(nullptr));
}
TEST_F(TpmUtilityTest, ResetDictionaryAttackLockFailure) {
EXPECT_CALL(mock_tpm_,
DictionaryAttackLockResetSync(TPM_RH_LOCKOUT, _, nullptr))
.WillRepeatedly(Return(TPM_RC_FAILURE));
EXPECT_EQ(TPM_RC_FAILURE, utility_.ResetDictionaryAttackLock(nullptr));
}
TEST_F(TpmUtilityTest, GetEndorsementKey) {
EXPECT_CALL(mock_tpm_, CreatePrimarySyncShort(TPM_RH_ENDORSEMENT, _, _, _, _,
_, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
TPM_HANDLE key_handle;
EXPECT_EQ(TPM_RC_SUCCESS, utility_.GetEndorsementKey(TPM_ALG_RSA, nullptr,
nullptr, &key_handle));
}
TEST_F(TpmUtilityTest, GetEndorsementKeyFail) {
EXPECT_CALL(mock_tpm_, CreatePrimarySyncShort(TPM_RH_ENDORSEMENT, _, _, _, _,
_, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
TPM_HANDLE key_handle;
EXPECT_EQ(TPM_RC_FAILURE, utility_.GetEndorsementKey(TPM_ALG_RSA, nullptr,
nullptr, &key_handle));
}
TEST_F(TpmUtilityTest, CreateIdentityKey) {
EXPECT_CALL(mock_tpm_, CreateSyncShort(_, _, _, _, _, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_SUCCESS));
std::string key_blob;
EXPECT_EQ(TPM_RC_SUCCESS,
utility_.CreateIdentityKey(TPM_ALG_RSA, nullptr, &key_blob));
}
TEST_F(TpmUtilityTest, CreateIdentityKeyFail) {
EXPECT_CALL(mock_tpm_, CreateSyncShort(_, _, _, _, _, _, _, _, _, _))
.WillRepeatedly(Return(TPM_RC_FAILURE));
std::string key_blob;
EXPECT_EQ(TPM_RC_FAILURE,
utility_.CreateIdentityKey(TPM_ALG_RSA, nullptr, &key_blob));
}
TEST_F(TpmUtilityTest, DeclareTpmFirmwareStableNonCr50) {
SetCr50(false);
EXPECT_CALL(mock_transceiver_, SendCommandAndWait(_))
.Times(0);
EXPECT_EQ(TPM_RC_SUCCESS, utility_.DeclareTpmFirmwareStable());
}
TEST_F(TpmUtilityTest, DeclareTpmFirmwareStableCr50Success) {
// A hand-coded kCr50SubcmdInvalidateInactiveRW command and response.
std::string expected_command(
"\x80\x01" // tag=TPM_ST_NO_SESSIONS
"\x00\x00\x00\x0C" // size=12
"\x20\x00\x00\x00" // code=kCr50VendorCC
"\x00\x14", // subcommand=kCr50SubcmdInvalidateInactiveRW
12);
std::string command_response(
"\x80\x01" // tag=TPM_ST_NO_SESSIONS
"\x00\x00\x00\x0A" // size=10
"\x00\x00\x00\x00", // code=TPM_RC_SUCCESS
10);
SetCr50(true);
EXPECT_CALL(mock_transceiver_, SendCommandAndWait(expected_command))
.WillOnce(Return(command_response));
EXPECT_EQ(TPM_RC_SUCCESS, utility_.DeclareTpmFirmwareStable());
}
TEST_F(TpmUtilityTest, DeclareTpmFirmwareStableCr50Failure) {
// A hand-coded kCr50SubcmdInvalidateInactiveRW command and response.
std::string expected_command(
"\x80\x01" // tag=TPM_ST_NO_SESSIONS
"\x00\x00\x00\x0C" // size=12
"\x20\x00\x00\x00" // code=kCr50VendorCC
"\x00\x14", // subcommand=kCr50SubcmdInvalidateInactiveRW
12);
std::string command_response(
"\x80\x01" // tag=TPM_ST_NO_SESSIONS
"\x00\x00\x00\x0A" // size=10
"\x00\x00\x01\x01", // code=TPM_RC_FAILURE
10);
SetCr50(true);
EXPECT_CALL(mock_transceiver_, SendCommandAndWait(expected_command))
.WillOnce(Return(command_response));
EXPECT_EQ(TPM_RC_FAILURE, utility_.DeclareTpmFirmwareStable());
}
} // namespace trunks