Google Git
Sign in
fuchsia / fuchsia / refs/heads/releases/canary / . / src / connectivity / weave / adaptation / tests / platform_auth_delegate_unittests.cpp
blob: c181408f1bd5ccb49d4854d751f3de6b2508723b [file] [log] [blame]
// Copyright 2020 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// clang-format off
#include "platform_auth_delegate.h"
// clang-format on
#include <lib/fit/defer.h>
#include <lib/sys/cpp/testing/component_context_provider.h>
#include <Weave/Core/WeaveTLV.h>
#include "fake_weave_signer.h"
#include "test_configuration_manager.h"
#include "test_thread_stack_manager.h"
#include "weave_test_fixture.h"
namespace weave::adaptation::testing {
namespace {
using nl::Ble::PacketBuffer;
using nl::Weave::WeaveKeyExport;
using nl::Weave::DeviceLayer::ConfigurationMgr;
using nl::Weave::DeviceLayer::ConfigurationMgrImpl;
using nl::Weave::DeviceLayer::PlatformMgrImpl;
using nl::Weave::DeviceLayer::ThreadStackMgrImpl;
using nl::Weave::DeviceLayer::Internal::BeginSessionContext;
using nl::Weave::DeviceLayer::Internal::PlatformAuthDelegate;
using nl::Weave::DeviceLayer::Internal::ValidationContext;
using nl::Weave::DeviceLayer::Internal::testing::WeaveTestFixture;
using nl::Weave::Profiles::DeviceDescription::WeaveDeviceDescriptor;
using nl::Weave::Profiles::Security::WeaveCertificateData;
using nl::Weave::Profiles::Security::WeaveCertificateSet;
namespace ASN1 = nl::Weave::ASN1;
namespace Profiles = nl::Weave::Profiles;
namespace Security = nl::Weave::Profiles::Security;
namespace TLV = nl::Weave::TLV;
namespace Weave = nl::Weave;
using WeaveKeyId = nl::Weave::WeaveKeyId;
// A dummy account certificate, provided by openweave-core.
constexpr char kTestDeviceCertName[] = "DUMMY-ACCOUNT-ID";
constexpr uint8_t kTestDeviceCert[] = {
0xd5, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x30, 0x01, 0x08, 0x4e, 0x2f, 0x32, 0x4b, 0x41, 0xd7,
0x3a, 0xdb, 0x24, 0x02, 0x04, 0x37, 0x03, 0x2c, 0x81, 0x10, 0x44, 0x55, 0x4d, 0x4d, 0x59, 0x2d,
0x41, 0x43, 0x43, 0x4f, 0x55, 0x4e, 0x54, 0x2d, 0x49, 0x44, 0x18, 0x26, 0x04, 0xcb, 0xa8, 0xfa,
0x1b, 0x26, 0x05, 0x4b, 0x35, 0x4f, 0x42, 0x37, 0x06, 0x2c, 0x81, 0x10, 0x44, 0x55, 0x4d, 0x4d,
0x59, 0x2d, 0x41, 0x43, 0x43, 0x4f, 0x55, 0x4e, 0x54, 0x2d, 0x49, 0x44, 0x18, 0x24, 0x07, 0x02,
0x26, 0x08, 0x25, 0x00, 0x5a, 0x23, 0x30, 0x0a, 0x39, 0x04, 0x2b, 0xd9, 0xdb, 0x5a, 0x62, 0xef,
0xba, 0xb1, 0x53, 0x2a, 0x0f, 0x99, 0x63, 0xb7, 0x8a, 0x30, 0xc5, 0x8a, 0x41, 0x29, 0xa5, 0x19,
0x4e, 0x4b, 0x0b, 0xf3, 0x7e, 0xda, 0xc5, 0xe9, 0xb3, 0x35, 0xf0, 0x75, 0x18, 0x6d, 0x49, 0x5d,
0x86, 0xc4, 0x44, 0x25, 0x07, 0x41, 0xb4, 0xd3, 0xa9, 0xef, 0xee, 0xb4, 0x2a, 0xd6, 0x0a, 0x5d,
0x9d, 0xe0, 0x35, 0x83, 0x29, 0x01, 0x18, 0x35, 0x82, 0x29, 0x01, 0x24, 0x02, 0x05, 0x18, 0x35,
0x84, 0x29, 0x01, 0x36, 0x02, 0x04, 0x02, 0x04, 0x01, 0x18, 0x18, 0x35, 0x81, 0x30, 0x02, 0x08,
0x42, 0x3c, 0x95, 0x5f, 0x46, 0x1e, 0x52, 0xdb, 0x18, 0x35, 0x80, 0x30, 0x02, 0x08, 0x42, 0x3c,
0x95, 0x5f, 0x46, 0x1e, 0x52, 0xdb, 0x18, 0x35, 0x0c, 0x30, 0x01, 0x1d, 0x00, 0x8a, 0x61, 0x86,
0x62, 0x3d, 0x17, 0xb2, 0xd2, 0xcf, 0xd2, 0x6d, 0x39, 0x3d, 0xe4, 0x25, 0x69, 0xe0, 0x91, 0xea,
0x05, 0x6a, 0x75, 0xce, 0xdd, 0x45, 0xeb, 0x83, 0xcf, 0x30, 0x02, 0x1c, 0x74, 0xb4, 0x2b, 0xa4,
0x6d, 0x14, 0x65, 0xb7, 0xb7, 0x71, 0x9a, 0x5a, 0xaf, 0x64, 0xd2, 0x88, 0x60, 0x6e, 0xb3, 0xb1,
0xa0, 0x31, 0xca, 0x92, 0x6f, 0xca, 0xf2, 0x43, 0x18, 0x18};
// The below hash was generated with the following process, using the dummy
// private key provided by openweave-core.
//
// weave convert-key --pem weave-dummy.key weave-dummy.key.pem
// openssl dgst -sha256 -sign weave-dummy.key.pem hash > signed-hash
constexpr uint8_t kTestHash[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456";
constexpr uint8_t kTestSignedHash[] = {
0x30, 0x3d, 0x02, 0x1d, 0x00, 0xdf, 0x70, 0x31, 0xb3, 0xbe, 0x63, 0x80, 0xc9, 0xd0, 0xd8, 0x67,
0x70, 0xf5, 0xa6, 0x50, 0xf1, 0x18, 0xb4, 0x42, 0x1a, 0x5a, 0x72, 0x68, 0xd0, 0x13, 0x0c, 0xd6,
0xda, 0x02, 0x1c, 0x59, 0xba, 0x2d, 0x92, 0xc0, 0x49, 0x94, 0x22, 0xbd, 0xb2, 0x46, 0x8c, 0x78,
0x8c, 0x44, 0x59, 0xd9, 0xbc, 0x13, 0xe6, 0x3a, 0x93, 0x85, 0x5c, 0xe9, 0x04, 0x53, 0xe7};
// Using test-dev-18B4300000000000-key.pem from openweave.
constexpr uint8_t kTestPrivateKey[] = {
0xD5, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x26, 0x01, 0x25, 0x00, 0x5A, 0x23, 0x30, 0x02,
0x1C, 0x31, 0xBD, 0xA7, 0x6B, 0xDD, 0x92, 0x3C, 0xBB, 0x56, 0x80, 0xBA, 0x90, 0xF6, 0xDC,
0x49, 0xC8, 0x0B, 0x89, 0xC6, 0xCF, 0x7A, 0x54, 0x94, 0xB0, 0x8C, 0xED, 0x05, 0x5E, 0x30,
0x03, 0x39, 0x04, 0x15, 0xF7, 0xC7, 0xD3, 0xCF, 0xD4, 0xCE, 0x17, 0x71, 0x7C, 0x15, 0x4E,
0x62, 0xCA, 0xB0, 0x03, 0x0A, 0xE0, 0x7F, 0xA9, 0x86, 0x69, 0xA3, 0x94, 0x41, 0xFA, 0xAB,
0xF2, 0xED, 0x80, 0xDF, 0x69, 0x7C, 0x86, 0x91, 0xDC, 0x1B, 0xE9, 0x67, 0xD2, 0x3C, 0x10,
0x06, 0xD9, 0x6C, 0x03, 0xCC, 0xFE, 0x84, 0xE5, 0x49, 0x88, 0xA1, 0x35, 0x0C, 0xBC, 0x18};
// A dummy service configuration, provided by openweave-core. This is the
// contents of the configuration after base64 decoding.
constexpr uint8_t kTestServiceConfig[] = {
0xd5, 0x00, 0x00, 0x0f, 0x00, 0x01, 0x00, 0x36, 0x01, 0x15, 0x30, 0x01, 0x08, 0x4e, 0x2f, 0x32,
0x4b, 0x41, 0xd7, 0x3a, 0xdb, 0x24, 0x02, 0x04, 0x37, 0x03, 0x2c, 0x81, 0x10, 0x44, 0x55, 0x4d,
0x4d, 0x59, 0x2d, 0x41, 0x43, 0x43, 0x4f, 0x55, 0x4e, 0x54, 0x2d, 0x49, 0x44, 0x18, 0x26, 0x04,
0xcb, 0xa8, 0xfa, 0x1b, 0x26, 0x05, 0x4b, 0x35, 0x4f, 0x42, 0x37, 0x06, 0x2c, 0x81, 0x10, 0x44,
0x55, 0x4d, 0x4d, 0x59, 0x2d, 0x41, 0x43, 0x43, 0x4f, 0x55, 0x4e, 0x54, 0x2d, 0x49, 0x44, 0x18,
0x24, 0x07, 0x02, 0x26, 0x08, 0x25, 0x00, 0x5a, 0x23, 0x30, 0x0a, 0x39, 0x04, 0x2b, 0xd9, 0xdb,
0x5a, 0x62, 0xef, 0xba, 0xb1, 0x53, 0x2a, 0x0f, 0x99, 0x63, 0xb7, 0x8a, 0x30, 0xc5, 0x8a, 0x41,
0x29, 0xa5, 0x19, 0x4e, 0x4b, 0x0b, 0xf3, 0x7e, 0xda, 0xc5, 0xe9, 0xb3, 0x35, 0xf0, 0x75, 0x18,
0x6d, 0x49, 0x5d, 0x86, 0xc4, 0x44, 0x25, 0x07, 0x41, 0xb4, 0xd3, 0xa9, 0xef, 0xee, 0xb4, 0x2a,
0xd6, 0x0a, 0x5d, 0x9d, 0xe0, 0x35, 0x83, 0x29, 0x01, 0x18, 0x35, 0x82, 0x29, 0x01, 0x24, 0x02,
0x05, 0x18, 0x35, 0x84, 0x29, 0x01, 0x36, 0x02, 0x04, 0x02, 0x04, 0x01, 0x18, 0x18, 0x35, 0x81,
0x30, 0x02, 0x08, 0x42, 0x3c, 0x95, 0x5f, 0x46, 0x1e, 0x52, 0xdb, 0x18, 0x35, 0x80, 0x30, 0x02,
0x08, 0x42, 0x3c, 0x95, 0x5f, 0x46, 0x1e, 0x52, 0xdb, 0x18, 0x35, 0x0c, 0x30, 0x01, 0x1d, 0x00,
0x8a, 0x61, 0x86, 0x62, 0x3d, 0x17, 0xb2, 0xd2, 0xcf, 0xd2, 0x6d, 0x39, 0x3d, 0xe4, 0x25, 0x69,
0xe0, 0x91, 0xea, 0x05, 0x6a, 0x75, 0xce, 0xdd, 0x45, 0xeb, 0x83, 0xcf, 0x30, 0x02, 0x1c, 0x74,
0xb4, 0x2b, 0xa4, 0x6d, 0x14, 0x65, 0xb7, 0xb7, 0x71, 0x9a, 0x5a, 0xaf, 0x64, 0xd2, 0x88, 0x60,
0x6e, 0xb3, 0xb1, 0xa0, 0x31, 0xca, 0x92, 0x6f, 0xca, 0xf2, 0x43, 0x18, 0x18, 0x15, 0x30, 0x01,
0x09, 0x00, 0xa8, 0x34, 0x22, 0xe9, 0xd9, 0x75, 0xe4, 0x55, 0x24, 0x02, 0x04, 0x57, 0x03, 0x00,
0x27, 0x13, 0x01, 0x00, 0x00, 0xee, 0xee, 0x30, 0xb4, 0x18, 0x18, 0x26, 0x04, 0x95, 0x23, 0xa9,
0x19, 0x26, 0x05, 0x15, 0xc1, 0xd2, 0x2c, 0x57, 0x06, 0x00, 0x27, 0x13, 0x01, 0x00, 0x00, 0xee,
0xee, 0x30, 0xb4, 0x18, 0x18, 0x24, 0x07, 0x02, 0x24, 0x08, 0x15, 0x30, 0x0a, 0x31, 0x04, 0x78,
0x52, 0xe2, 0x9c, 0x92, 0xba, 0x70, 0x19, 0x58, 0x46, 0x6d, 0xae, 0x18, 0x72, 0x4a, 0xfb, 0x43,
0x0d, 0xf6, 0x07, 0x29, 0x33, 0x0d, 0x61, 0x55, 0xe5, 0x65, 0x46, 0x8e, 0xba, 0x0d, 0xa5, 0x3f,
0xb5, 0x17, 0xc0, 0x47, 0x64, 0x44, 0x02, 0x18, 0x4f, 0xa8, 0x11, 0x24, 0x50, 0xd4, 0x7b, 0x35,
0x83, 0x29, 0x01, 0x29, 0x02, 0x18, 0x35, 0x82, 0x29, 0x01, 0x24, 0x02, 0x60, 0x18, 0x35, 0x81,
0x30, 0x02, 0x08, 0x42, 0x0c, 0xac, 0xf6, 0xb4, 0x64, 0x71, 0xe6, 0x18, 0x35, 0x80, 0x30, 0x02,
0x08, 0x42, 0x0c, 0xac, 0xf6, 0xb4, 0x64, 0x71, 0xe6, 0x18, 0x35, 0x0c, 0x30, 0x01, 0x19, 0x00,
0xbe, 0x0e, 0xda, 0xa1, 0x63, 0x5a, 0x8e, 0xf1, 0x52, 0x17, 0x45, 0x80, 0xbd, 0xdc, 0x94, 0x12,
0xd4, 0xcc, 0x1c, 0x2c, 0x33, 0x4e, 0x29, 0xdc, 0x30, 0x02, 0x19, 0x00, 0x8b, 0xe7, 0xee, 0x2e,
0x11, 0x17, 0x14, 0xae, 0x92, 0xda, 0x2b, 0x3b, 0x6d, 0x2f, 0xd7, 0x5d, 0x9e, 0x5f, 0xcd, 0xb8,
0xba, 0x2f, 0x65, 0x76, 0x18, 0x18, 0x18, 0x35, 0x02, 0x27, 0x01, 0x01, 0x00, 0x00, 0x00, 0x02,
0x30, 0xb4, 0x18, 0x36, 0x02, 0x15, 0x2c, 0x01, 0x22, 0x66, 0x72, 0x6f, 0x6e, 0x74, 0x64, 0x6f,
0x6f, 0x72, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x6e,
0x65, 0x73, 0x74, 0x6c, 0x61, 0x62, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x18, 0x18, 0x18};
} // namespace
class PlatformAuthDelegateTest : public WeaveTestFixture<> {
public:
PlatformAuthDelegateTest() {
context_provider_.service_directory_provider()->AddService(
fake_weave_signer_.GetHandler(dispatcher()));
}
void SetUp() override {
WeaveTestFixture<>::SetUp();
WeaveTestFixture<>::RunFixtureLoop();
PlatformMgrImpl().SetComponentContextForProcess(context_provider_.TakeContext());
ConfigurationMgrImpl().SetDelegate(std::make_unique<TestConfigurationManager>());
ThreadStackMgrImpl().SetDelegate(std::make_unique<TestThreadStackManager>());
// Initialize and set default certificate, service config. Disable the use
// of the signing key except for tests that explicitly want to provide the
// test signing key.
configuration_delegate().InitForTesting();
configuration_delegate().set_use_signing_key(false);
EXPECT_EQ(ConfigurationMgr().StoreManufacturerDeviceCertificate(kTestDeviceCert,
sizeof(kTestDeviceCert)),
WEAVE_NO_ERROR);
EXPECT_EQ(ConfigurationMgr().StoreServiceConfig(kTestServiceConfig, sizeof(kTestServiceConfig)),
WEAVE_NO_ERROR);
}
void TearDown() override {
WeaveTestFixture<>::StopFixtureLoop();
WeaveTestFixture<>::TearDown();
ConfigurationMgrImpl().SetDelegate(nullptr);
ThreadStackMgrImpl().SetDelegate(nullptr);
}
protected:
FakeWeaveSigner& fake_weave_signer() { return fake_weave_signer_; }
PlatformAuthDelegate& platform_auth_delegate() { return platform_auth_delegate_; }
TestConfigurationManager& configuration_delegate() {
return *reinterpret_cast<TestConfigurationManager*>(ConfigurationMgrImpl().GetDelegate());
}
private:
FakeWeaveSigner fake_weave_signer_{kTestSignedHash, sizeof(kTestSignedHash)};
PlatformAuthDelegate platform_auth_delegate_;
sys::testing::ComponentContextProvider context_provider_;
};
TEST_F(PlatformAuthDelegateTest, CASEAuth_EncodeNodePayload) {
BeginSessionContext context;
WeaveDeviceDescriptor descriptor;
uint8_t payload_buf[WeaveDeviceDescriptor::kMaxEncodedTLVLength] = {};
uint16_t payload_len = 0;
// Get descriptor used when encoding node payload.
EXPECT_EQ(ConfigurationMgr().GetDeviceDescriptor(descriptor), WEAVE_NO_ERROR);
// Acquire node payload and decoded contents to device descriptor.
WeaveDeviceDescriptor decoded_descriptor;
EXPECT_EQ(platform_auth_delegate().EncodeNodePayload(context, payload_buf, sizeof(payload_buf),
payload_len),
WEAVE_NO_ERROR);
EXPECT_EQ(WeaveDeviceDescriptor::DecodeTLV(payload_buf, payload_len, decoded_descriptor),
WEAVE_NO_ERROR);
// Compare device descriptor from delegate and configuration manager.
uint8_t descriptor_buf[WeaveDeviceDescriptor::kMaxEncodedTLVLength] = {};
uint32_t descriptor_buf_len = 0;
EXPECT_EQ(WeaveDeviceDescriptor::EncodeTLV(descriptor, descriptor_buf, sizeof(descriptor_buf),
descriptor_buf_len),
WEAVE_NO_ERROR);
uint8_t decoded_descriptor_buf[WeaveDeviceDescriptor::kMaxEncodedTLVLength] = {};
uint32_t decoded_descriptor_buf_len = 0;
EXPECT_EQ(
WeaveDeviceDescriptor::EncodeTLV(decoded_descriptor, decoded_descriptor_buf,
sizeof(decoded_descriptor_buf), decoded_descriptor_buf_len),
WEAVE_NO_ERROR);
EXPECT_EQ(memcmp(descriptor_buf, decoded_descriptor_buf, descriptor_buf_len), 0);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_EncodeNodePayloadEncodingFailure) {
BeginSessionContext context;
WeaveDeviceDescriptor descriptor;
uint8_t payload_buf[WeaveDeviceDescriptor::kMaxEncodedTLVLength] = {};
uint16_t payload_len = 0;
// Get descriptor used when encoding node payload.
EXPECT_EQ(ConfigurationMgr().GetDeviceDescriptor(descriptor), WEAVE_NO_ERROR);
// Acquire node payload and decoded contents to device descriptor, but supply
// insufficient space to encode the descriptor.
uint64_t payload_len_stored = payload_len;
EXPECT_EQ(platform_auth_delegate().EncodeNodePayload(context, payload_buf, 0, payload_len),
WEAVE_ERROR_BUFFER_TOO_SMALL);
EXPECT_EQ(payload_len, payload_len_stored);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_EncodeNodeCertInfo) {
constexpr size_t kMaxCerts = 4;
constexpr size_t kCertDecodeBufferSize = 800;
BeginSessionContext context;
TLVWriter writer;
PacketBuffer* buffer = PacketBuffer::New();
writer.Init(buffer);
EXPECT_EQ(platform_auth_delegate().EncodeNodeCertInfo(context, writer), WEAVE_NO_ERROR);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
TLVReader reader;
reader.Init(buffer, WEAVE_SYSTEM_PACKETBUFFER_SIZE);
// Verify that the structure of the packet buffer contains sane information
// from the manufacturer certificate.
reader.ImplicitProfileId = Profiles::kWeaveProfile_Security;
EXPECT_EQ(reader.Next(TLV::kTLVType_Structure,
TLV::ProfileTag(Profiles::kWeaveProfile_Security,
Security::kTag_WeaveCASECertificateInformation)),
WEAVE_NO_ERROR);
WeaveCertificateSet cert_set;
WeaveCertificateData* cert;
TLV::TLVType type;
EXPECT_EQ(reader.EnterContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.Next(), WEAVE_NO_ERROR);
EXPECT_EQ(reader.GetTag(), TLV::ContextTag(Security::kTag_CASECertificateInfo_EntityCertificate));
// Check that the CommonName of the certificate matches our dummy account id.
auto release_cert_set = fit::defer([&] { cert_set.Release(); });
EXPECT_EQ(cert_set.Init(kMaxCerts, kCertDecodeBufferSize), WEAVE_NO_ERROR);
EXPECT_EQ(cert_set.LoadCert(reader, Security::kDecodeFlag_GenerateTBSHash, cert), WEAVE_NO_ERROR);
EXPECT_EQ(cert->SubjectDN.AttrOID, ASN1::kOID_AttributeType_CommonName);
EXPECT_EQ(strncmp((const char*)cert->SubjectDN.AttrValue.String.Value, kTestDeviceCertName,
cert->SubjectDN.AttrValue.String.Len),
0);
EXPECT_EQ(reader.ExitContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.VerifyEndOfContainer(), WEAVE_NO_ERROR);
PacketBuffer::Free(buffer);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_EncodeNodeCertInfoInvalidCert) {
constexpr uint8_t kTestInvalidCert[] = "invalid-cert-data";
BeginSessionContext context;
TLVWriter writer;
PacketBuffer* buffer = PacketBuffer::New();
writer.Init(buffer);
EXPECT_EQ(ConfigurationMgr().StoreManufacturerDeviceCertificate(kTestInvalidCert,
sizeof(kTestInvalidCert)),
WEAVE_NO_ERROR);
EXPECT_EQ(platform_auth_delegate().EncodeNodeCertInfo(context, writer),
WEAVE_ERROR_INVALID_ARGUMENT);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
// TODO(https://fxbug.dev/42129132): Test when manufacturer certificate does not exist. This
// requires initializing ConfigurationMgr from this test, or removing the lazy
// init from the factory certificate read operation.
PacketBuffer::Free(buffer);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_GenerateNodeSignature) {
BeginSessionContext context;
TLVWriter writer;
PacketBuffer* buffer = PacketBuffer::New();
writer.Init(buffer);
EXPECT_EQ(
platform_auth_delegate().GenerateNodeSignature(
context, kTestHash, sizeof(kTestHash) - 1, writer,
TLV::ProfileTag(Profiles::kWeaveProfile_Security, Security::kTag_WeaveCASESignature)),
WEAVE_NO_ERROR);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
TLVReader reader;
reader.Init(buffer, WEAVE_SYSTEM_PACKETBUFFER_SIZE);
reader.ImplicitProfileId = Profiles::kWeaveProfile_Security;
TLV::TLVType type;
EXPECT_EQ(
reader.Next(TLV::kTLVType_Structure, TLV::ProfileTag(Profiles::kWeaveProfile_Security,
Security::kTag_WeaveCASESignature)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.EnterContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.Next(TLV::kTLVType_ByteString, TLV::ContextTag(Security::kTag_ECDSASignature_r)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.Next(TLV::kTLVType_ByteString, TLV::ContextTag(Security::kTag_ECDSASignature_s)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.ExitContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.VerifyEndOfContainer(), WEAVE_NO_ERROR);
PacketBuffer::Free(buffer);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_GenerateNodeSignatureInvalidSignedHash) {
constexpr uint8_t kInvalidSignedHash[] = "invalid-signed-hash";
PacketBuffer* buffer = PacketBuffer::New();
BeginSessionContext context;
TLVWriter writer;
// Set an invalid signed hash.
fake_weave_signer().set_signed_hash(kInvalidSignedHash, sizeof(kInvalidSignedHash));
writer.Init(buffer);
EXPECT_EQ(
platform_auth_delegate().GenerateNodeSignature(
context, kTestHash, sizeof(kTestHash) - 1, writer,
TLV::ProfileTag(Profiles::kWeaveProfile_Security, Security::kTag_WeaveCASESignature)),
ASN1_ERROR_INVALID_ENCODING);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
// Set an error code when signing.
fake_weave_signer().set_sign_hash_error(fuchsia::weave::ErrorCode::CRYPTO_ERROR);
writer.Init(buffer);
EXPECT_EQ(
platform_auth_delegate().GenerateNodeSignature(
context, kTestHash, sizeof(kTestHash) - 1, writer,
TLV::ProfileTag(Profiles::kWeaveProfile_Security, Security::kTag_WeaveCASESignature)),
WEAVE_NO_ERROR);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
PacketBuffer::Free(buffer);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_BeginValidation) {
BeginSessionContext msg_ctx;
ValidationContext valid_ctx;
WeaveCertificateSet certs;
msg_ctx.SetIsInitiator(true);
EXPECT_EQ(platform_auth_delegate().BeginValidation(msg_ctx, valid_ctx, certs), WEAVE_NO_ERROR);
EXPECT_EQ(certs.CertCount, 2);
EXPECT_EQ(certs.Certs[0].CertType, Weave::kCertType_AccessToken);
EXPECT_EQ(strncmp((const char*)certs.Certs[0].SubjectDN.AttrValue.String.Value,
kTestDeviceCertName, certs.Certs[0].SubjectDN.AttrValue.String.Len),
0);
EXPECT_EQ(certs.Certs[1].CertType, Weave::kCertType_CA);
EXPECT_EQ(valid_ctx.RequiredKeyUsages, Security::kKeyUsageFlag_DigitalSignature);
EXPECT_EQ(valid_ctx.RequiredKeyPurposes, Security::kKeyPurposeFlag_ServerAuth);
platform_auth_delegate().EndValidation(msg_ctx, valid_ctx, certs);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_BeginValidationInvalidServiceConfig) {
constexpr uint8_t kTestInvalidServiceConfig[] = "invalid-service-config";
BeginSessionContext msg_ctx;
ValidationContext valid_ctx;
WeaveCertificateSet certs;
EXPECT_EQ(ConfigurationMgr().StoreServiceConfig(kTestInvalidServiceConfig,
sizeof(kTestInvalidServiceConfig)),
WEAVE_NO_ERROR);
EXPECT_EQ(platform_auth_delegate().BeginValidation(msg_ctx, valid_ctx, certs),
WEAVE_ERROR_WRONG_TLV_TYPE);
ConfigurationMgr().InitiateFactoryReset();
EXPECT_EQ(platform_auth_delegate().BeginValidation(msg_ctx, valid_ctx, certs),
WEAVE_DEVICE_ERROR_CONFIG_NOT_FOUND);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_HandleValidationResult) {
BeginSessionContext msg_ctx;
ValidationContext valid_ctx;
WeaveCertificateSet certs;
WeaveCertificateData signing_cert;
WEAVE_ERROR result;
valid_ctx.SigningCert = &signing_cert;
// Do nothing if validation has already failed.
result = ~WEAVE_NO_ERROR;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, ~WEAVE_NO_ERROR);
// Verify behavior when the signing cert is a device certificate. Expect to
// receive WEAVE_ERROR_WRONG_CERTIFICATE_SUBJECT if the weave ID and peer node
// ID do not match.
result = WEAVE_NO_ERROR;
signing_cert.CertType = Weave::kCertType_Device;
signing_cert.SubjectDN.AttrValue.WeaveId = 1U;
msg_ctx.PeerNodeId = signing_cert.SubjectDN.AttrValue.WeaveId + 1;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_ERROR_WRONG_CERTIFICATE_SUBJECT);
result = WEAVE_NO_ERROR;
msg_ctx.PeerNodeId = signing_cert.SubjectDN.AttrValue.WeaveId;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_NO_ERROR);
// Verify behavior when the signing cert is a service endpoint certificate.
// Expect to receive WEAVE_ERROR_WRONG_CERTIFICATE_SUBJECT if the weave ID and
// peer node ID do not match.
result = WEAVE_NO_ERROR;
signing_cert.CertType = Weave::kCertType_ServiceEndpoint;
signing_cert.SubjectDN.AttrValue.WeaveId = 1U;
msg_ctx.PeerNodeId = signing_cert.SubjectDN.AttrValue.WeaveId + 1;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_ERROR_WRONG_CERTIFICATE_SUBJECT);
result = WEAVE_NO_ERROR;
msg_ctx.PeerNodeId = signing_cert.SubjectDN.AttrValue.WeaveId;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_NO_ERROR);
result = WEAVE_NO_ERROR;
msg_ctx.SetIsInitiator(false);
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_ERROR_CERT_USAGE_NOT_ALLOWED);
// Verify behavior when the signing cert is an access token certificate.
result = WEAVE_NO_ERROR;
signing_cert.CertType = Weave::kCertType_AccessToken;
msg_ctx.SetIsInitiator(false);
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_NO_ERROR);
result = WEAVE_NO_ERROR;
msg_ctx.SetIsInitiator(true);
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_ERROR_CERT_USAGE_NOT_ALLOWED);
// Verify behavior when the signing cert is not a valid type.
result = WEAVE_NO_ERROR;
signing_cert.CertType = Weave::kCertType_General;
EXPECT_EQ(platform_auth_delegate().HandleValidationResult(msg_ctx, valid_ctx, certs, result),
WEAVE_NO_ERROR);
EXPECT_EQ(result, WEAVE_ERROR_CERT_USAGE_NOT_ALLOWED);
}
TEST_F(PlatformAuthDelegateTest, CASEAuth_GenerateNodeSignatureWithPrivateKey) {
BeginSessionContext context;
TLVWriter writer;
// Provide a test signing key for validation.
configuration_delegate().set_signing_key(
std::vector<uint8_t>(kTestPrivateKey, kTestPrivateKey + sizeof(kTestPrivateKey)));
configuration_delegate().set_use_signing_key(true);
PacketBuffer* buffer = PacketBuffer::New();
writer.Init(buffer);
EXPECT_EQ(
platform_auth_delegate().GenerateNodeSignature(
context, kTestHash, sizeof(kTestHash), writer,
TLV::ProfileTag(Profiles::kWeaveProfile_Security, Security::kTag_WeaveCASESignature)),
WEAVE_NO_ERROR);
EXPECT_EQ(writer.Finalize(), WEAVE_NO_ERROR);
TLVReader reader;
reader.Init(buffer, WEAVE_SYSTEM_PACKETBUFFER_SIZE);
reader.ImplicitProfileId = Profiles::kWeaveProfile_Security;
TLV::TLVType type;
EXPECT_EQ(
reader.Next(TLV::kTLVType_Structure, TLV::ProfileTag(Profiles::kWeaveProfile_Security,
Security::kTag_WeaveCASESignature)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.EnterContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.Next(TLV::kTLVType_ByteString, TLV::ContextTag(Security::kTag_ECDSASignature_r)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.Next(TLV::kTLVType_ByteString, TLV::ContextTag(Security::kTag_ECDSASignature_s)),
WEAVE_NO_ERROR);
EXPECT_EQ(reader.ExitContainer(type), WEAVE_NO_ERROR);
EXPECT_EQ(reader.VerifyEndOfContainer(), WEAVE_NO_ERROR);
PacketBuffer::Free(buffer);
}
TEST_F(PlatformAuthDelegateTest, KeyExport_GetNodeCertSet) {
WeaveCertificateSet cert_set;
WeaveKeyExport key_export;
// Check that we can populate the certificates into a set.
EXPECT_EQ(platform_auth_delegate().GetNodeCertSet(&key_export, cert_set), WEAVE_NO_ERROR);
EXPECT_EQ(cert_set.CertCount, 1U);
// Check that the CommonName of the certificate matches our dummy account id.
WeaveCertificateData* cert = cert_set.Certs;
EXPECT_EQ(cert->SubjectDN.AttrOID, ASN1::kOID_AttributeType_CommonName);
EXPECT_EQ(strncmp((const char*)cert->SubjectDN.AttrValue.String.Value, kTestDeviceCertName,
cert->SubjectDN.AttrValue.String.Len),
0);
// Clean up the certificates.
EXPECT_EQ(platform_auth_delegate().ReleaseNodeCertSet(&key_export, cert_set), WEAVE_NO_ERROR);
}
TEST_F(PlatformAuthDelegateTest, KeyExport_GetNodeCertSetInvalidCert) {
constexpr uint8_t kTestInvalidCert[] = "invalid-cert-data";
WeaveCertificateSet cert_set;
WeaveKeyExport key_export;
// Populate some invalid certificate data.
EXPECT_EQ(ConfigurationMgr().StoreManufacturerDeviceCertificate(kTestInvalidCert,
sizeof(kTestInvalidCert)),
WEAVE_NO_ERROR);
// Check that we fail to populate the certificates into a set.
EXPECT_NE(platform_auth_delegate().GetNodeCertSet(&key_export, cert_set), WEAVE_NO_ERROR);
}
TEST_F(PlatformAuthDelegateTest, KeyExport_HandleCertValidationResult) {
constexpr uint8_t kAttrValue[] = "TEST";
WeaveKeyExport key_export;
ValidationContext valid_ctx;
WeaveCertificateSet cert_set;
WeaveCertificateData signing_cert;
WeaveCertificateData valid_signing_cert;
// Construct valid signing certificate.
valid_ctx.SigningCert = &signing_cert;
valid_ctx.SigningCert->CertFlags |= Security::kCertFlag_IsTrusted;
valid_ctx.SigningCert->SubjectDN.AttrOID = ASN1::kOID_AttributeType_CommonName;
valid_ctx.SigningCert->SubjectDN.AttrValue.String.Value = kAttrValue;
valid_ctx.SigningCert->SubjectDN.AttrValue.String.Len = sizeof(kAttrValue);
valid_ctx.SigningCert->IssuerDN = valid_ctx.SigningCert->SubjectDN;
valid_signing_cert = signing_cert;
valid_ctx.SigningCert->IssuerDN.IsEqual(valid_ctx.SigningCert->SubjectDN);
// Approve if self-signed, trusted, matching SubjectDN + IssuerDN, CommonName.
EXPECT_EQ(platform_auth_delegate().HandleCertValidationResult(&key_export, valid_ctx, cert_set,
WeaveKeyId::kClientRootKey),
WEAVE_NO_ERROR);
// Reject if requested key ID is not a client root key.
EXPECT_EQ(platform_auth_delegate().HandleCertValidationResult(&key_export, valid_ctx, cert_set,
WeaveKeyId::kFabricRootKey),
WEAVE_ERROR_UNAUTHORIZED_KEY_EXPORT_RESPONSE);
// Reject if cert flags are not trusted.
valid_ctx.SigningCert->CertFlags &= ~Security::kCertFlag_IsTrusted;
EXPECT_EQ(platform_auth_delegate().HandleCertValidationResult(&key_export, valid_ctx, cert_set,
WeaveKeyId::kClientRootKey),
WEAVE_ERROR_UNAUTHORIZED_KEY_EXPORT_RESPONSE);
*valid_ctx.SigningCert = valid_signing_cert;
// Reject if SubjectDN doesn't have the CommonName attribute.
valid_ctx.SigningCert->SubjectDN.AttrOID = ASN1::kOID_AttributeType_WeaveDeviceId;
EXPECT_EQ(platform_auth_delegate().HandleCertValidationResult(&key_export, valid_ctx, cert_set,
WeaveKeyId::kClientRootKey),
WEAVE_ERROR_UNAUTHORIZED_KEY_EXPORT_RESPONSE);
*valid_ctx.SigningCert = valid_signing_cert;
// Reject if IssuerDN doesn't match SubjectDN.
valid_ctx.SigningCert->IssuerDN.AttrOID = ~valid_ctx.SigningCert->SubjectDN.AttrOID;
EXPECT_EQ(platform_auth_delegate().HandleCertValidationResult(&key_export, valid_ctx, cert_set,
WeaveKeyId::kClientRootKey),
WEAVE_ERROR_UNAUTHORIZED_KEY_EXPORT_RESPONSE);
*valid_ctx.SigningCert = valid_signing_cert;
}
// TODO(https://fxbug.dev/42129133): Add tests for intermediate CA certs.
} // namespace weave::adaptation::testing