widevine-partner/ce_cdm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Source release 19.1.0

Browse Source
This commit is contained in:
Matt Feddersen
2024-03-28 19:21:54 -07:00
parent 28ec8548c6
commit b8bdfccebe
182 changed files with 10645 additions and 2040 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
oemcrypto/util/test/bcc_validator_unittest.cpp Normal file
View File

@@ -0,0 +1,147 @@
// Copyright 2023 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine License
// Agreement.
//
// Reference implementation utilities of OEMCrypto APIs
//
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include "bcc_validator.h"
using ::testing::AllOf;
using ::testing::Ge;
using ::testing::HasSubstr;
using ::testing::Le;
namespace wvoec {
namespace util {
namespace {
// Self-signed phase 1 BCC generated by OPK reference implementation.
const std::vector<uint8_t> kBcc = {
0x82, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04, 0x81, 0x02, 0x20, 0x06, 0x21,
0x58, 0x20, 0x02, 0xab, 0xbe, 0x80, 0x02, 0x41, 0xf1, 0x0b, 0x40, 0xff,
0xd5, 0xf0, 0xd0, 0x26, 0x65, 0x70, 0xdc, 0x5a, 0x97, 0xa6, 0x80, 0xee,
0x15, 0x95, 0xec, 0x26, 0x36, 0x70, 0x77, 0xe5, 0xfb, 0x10, 0x84, 0x43,
0xa1, 0x01, 0x27, 0xa0, 0x58, 0x40, 0xa4, 0x01, 0x60, 0x02, 0x60, 0x3a,
0x00, 0x47, 0x44, 0x57, 0x58, 0x2d, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04,
0x81, 0x02, 0x20, 0x06, 0x21, 0x58, 0x20, 0x02, 0xab, 0xbe, 0x80, 0x02,
0x41, 0xf1, 0x0b, 0x40, 0xff, 0xd5, 0xf0, 0xd0, 0x26, 0x65, 0x70, 0xdc,
0x5a, 0x97, 0xa6, 0x80, 0xee, 0x15, 0x95, 0xec, 0x26, 0x36, 0x70, 0x77,
0xe5, 0xfb, 0x10, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x40,
0x73, 0x02, 0x36, 0xaa, 0x6d, 0x52, 0x50, 0x67, 0x43, 0xc4, 0x0b, 0xf8,
0x3f, 0x35, 0x2a, 0xd8, 0x44, 0x09, 0xf4, 0x1d, 0xca, 0x91, 0x12, 0x27,
0x01, 0xdf, 0x73, 0xb7, 0x9b, 0x31, 0x28, 0x8e, 0xae, 0x9b, 0xc6, 0x7a,
0xdc, 0x07, 0xab, 0x69, 0xd2, 0x85, 0x9a, 0x15, 0x8b, 0xe3, 0x5b, 0xf2,
0x94, 0x95, 0xee, 0x49, 0x74, 0xc5, 0x85, 0x62, 0x3d, 0x46, 0x4c, 0xeb,
0x11, 0x89, 0x68, 0x02};
const std::vector<uint8_t> kBccWrongEntryKey = {
0x82, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04, 0x81, 0x02, 0x20, 0x06, 0x21,
0x58, 0x20, 0x02, 0xab, 0xbe, 0x80, 0x02, 0x41, 0xf1, 0x0b, 0x40, 0xff,
0xd5, 0xf0, 0xd0, 0x26, 0x65, 0x70, 0xdc, 0x5a, 0x97, 0xa6, 0x80, 0xee,
0x15, 0x95, 0xec, 0x26, 0x36, 0x70, 0x77, 0xe5, 0xfb, 0x10, 0x84, 0x43,
0xa1, 0x01, 0x27, 0xa0, 0x58, 0x40, 0xa4, 0x01, 0x60, 0x02, 0x60, 0x3a,
0x00, 0x47, 0x44, 0x57, 0x58, 0x2d, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04,
0x81, 0x02, 0x20, 0x06, 0x21, 0x58, 0x20, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
0xaa, 0xaa, 0xaa, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x40,
0x89, 0x1d, 0xff, 0xb3, 0x3b, 0xe2, 0xdc, 0xc6, 0xbc, 0xbd, 0xc7, 0xcd,
0x3f, 0x9c, 0x43, 0xf6, 0xdd, 0xea, 0x58, 0x53, 0x45, 0x8f, 0x87, 0x17,
0x0a, 0xe4, 0x06, 0xf2, 0xbe, 0x14, 0x69, 0x13, 0x3d, 0x1d, 0xd0, 0x52,
0x8f, 0x56, 0x4b, 0x0f, 0xad, 0x2e, 0xf0, 0xbf, 0xbb, 0xd1, 0x35, 0x9c,
0x5a, 0xe8, 0x67, 0xbe, 0xec, 0xff, 0x9d, 0xfe, 0xac, 0x8d, 0x47, 0x4e,
0x6d, 0xd1, 0xd3, 0x02};
const std::vector<uint8_t> kBccMissingIssuer = {
0x82, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04, 0x81, 0x02, 0x20, 0x06, 0x21,
0x58, 0x20, 0x02, 0xab, 0xbe, 0x80, 0x02, 0x41, 0xf1, 0x0b, 0x40, 0xff,
0xd5, 0xf0, 0xd0, 0x26, 0x65, 0x70, 0xdc, 0x5a, 0x97, 0xa6, 0x80, 0xee,
0x15, 0x95, 0xec, 0x26, 0x36, 0x70, 0x77, 0xe5, 0xfb, 0x10, 0x84, 0x43,
0xa1, 0x01, 0x27, 0xa0, 0x58, 0x3e, 0xa3, 0x02, 0x60, 0x3a, 0x00, 0x47,
0x44, 0x57, 0x58, 0x2d, 0xa5, 0x01, 0x01, 0x03, 0x27, 0x04, 0x81, 0x02,
0x20, 0x06, 0x21, 0x58, 0x20, 0x02, 0xab, 0xbe, 0x80, 0x02, 0x41, 0xf1,
0x0b, 0x40, 0xff, 0xd5, 0xf0, 0xd0, 0x26, 0x65, 0x70, 0xdc, 0x5a, 0x97,
0xa6, 0x80, 0xee, 0x15, 0x95, 0xec, 0x26, 0x36, 0x70, 0x77, 0xe5, 0xfb,
0x10, 0x3a, 0x00, 0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x40, 0xf9, 0x46,
0x36, 0xbd, 0x95, 0x75, 0xc2, 0x3d, 0xf9, 0xa2, 0xbe, 0x60, 0x8e, 0xbf,
0x64, 0x89, 0xdf, 0xb9, 0x9c, 0x3c, 0x17, 0x36, 0x23, 0x9a, 0x68, 0x1a,
0x34, 0x36, 0x51, 0x89, 0x59, 0xf2, 0x54, 0x62, 0xd3, 0x8f, 0xeb, 0x9b,
0x75, 0x3e, 0xe9, 0xfc, 0xe3, 0xc2, 0x8f, 0x84, 0xb1, 0x71, 0xcd, 0x29,
0x12, 0x65, 0xeb, 0xab, 0x28, 0x4b, 0xe2, 0x3e, 0x1b, 0xd8, 0x17, 0xdb,
0x97, 0x0f};
} // namespace
TEST(OEMCryptoBccValidatorTest, BccParseError) {
const std::vector<uint8_t> bcc_bad(kBcc.begin(), kBcc.end() - 1);
BccValidator validator;
CborMessageStatus result = validator.Parse(bcc_bad);
EXPECT_EQ(kCborParseError, result);
result = validator.Validate();
EXPECT_EQ(kCborParseError, result);
EXPECT_EQ("", validator.GetRawMessage());
EXPECT_EQ("", validator.GetFormattedMessage());
}
TEST(OEMCryptoBccValidatorTest, Bcc) {
BccValidator validator;
CborMessageStatus result = validator.Parse(kBcc);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, AllOf(Ge(kCborValidateOk), Le(kCborValidateWarning)));
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("key encoding format: DEVICE_KEY_BYTE_STRING"));
EXPECT_THAT(out, HasSubstr("key algorithm type: EDDSA"));
}
TEST(OEMCryptoBccValidatorTest, BccWrongEntryKey) {
BccValidator validator;
CborMessageStatus result = validator.Parse(kBccWrongEntryKey);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_EQ(result, kCborValidateError);
// Non-fatal validation error should be able to return formatted output.
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("key encoding format: DEVICE_KEY_BYTE_STRING"));
EXPECT_THAT(out, HasSubstr("key algorithm type: EDDSA"));
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateError, msgs[0].first);
}
TEST(OEMCryptoBccValidatorTest, BccParseThreeTimes) {
BccValidator validator;
const std::vector<uint8_t> bcc_bad(kBcc.begin(), kBcc.end() - 2);
CborMessageStatus result = validator.Parse(bcc_bad);
EXPECT_EQ(kCborParseError, result);
result = validator.Validate();
EXPECT_EQ(kCborParseError, result);
result = validator.Parse(kBccWrongEntryKey);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_EQ(result, kCborValidateError);
result = validator.Parse(kBcc);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_EQ(result, kCborValidateOk);
}
TEST(OEMCryptoBccValidatorTest, BccMissingIssuer) {
BccValidator validator;
CborMessageStatus result = validator.Parse(kBccMissingIssuer);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_EQ(result, kCborValidateError);
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("key encoding format: DEVICE_KEY_BYTE_STRING"));
EXPECT_THAT(out, HasSubstr("key algorithm type: EDDSA"));
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateError, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("Missing Issuer"));
}
} // namespace util
} // namespace wvoec

204
oemcrypto/util/test/device_info_validator_unittest.cpp Normal file
View File

@@ -0,0 +1,204 @@
// Copyright 2023 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine License
// Agreement.
//
// Reference implementation utilities of OEMCrypto APIs
//
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include "device_info_validator.h"
using ::testing::AllOf;
using ::testing::Ge;
using ::testing::HasSubstr;
using ::testing::Le;
namespace wvoec {
namespace util {
namespace {
constexpr int kDeviceVersion1 = 1;
constexpr int kDeviceVersion2 = 2;
constexpr int kDeviceVersion3 = 3;
cppbor::Map BuildDeviceInfoMap(int version) {
cppbor::Map device_info =
cppbor::Map()
.add("brand", "brand")
.add("manufacturer", "manufacturer")
.add("product", "product")
.add("model", "model")
.add("vb_state", "green")
.add("bootloader_state", "unlocked")
.add("vbmeta_digest", cppbor::Bstr(std::vector<uint8_t>()))
.add("os_version", "os_version")
.add("system_patch_level", 202312)
.add("boot_patch_level", 20231201)
.add("vendor_patch_level", 20231201)
.add("security_level", "tee");
switch (version) {
case kDeviceVersion1:
device_info.add("board", "board");
device_info.add("version", 1);
device_info.add("att_id_state", "open");
break;
case kDeviceVersion2:
device_info.add("device", "device");
device_info.add("version", 2);
device_info.add("fused", 0);
break;
case kDeviceVersion3:
device_info.add("device", "device");
device_info.add("fused", 0);
break;
}
return device_info;
}
std::vector<uint8_t> BuildDeviceInfo(int version) {
auto map = BuildDeviceInfoMap(version);
return map.canonicalize().encode();
}
} // namespace
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoParseError) {
const std::vector<uint8_t> device_info = BuildDeviceInfo(kDeviceVersion3);
const std::vector<uint8_t> device_info_bad(device_info.begin(),
device_info.end() - 1);
DeviceInfoValidator validator(kDeviceVersion3);
CborMessageStatus result = validator.Parse(device_info_bad);
EXPECT_EQ(kCborParseError, result);
result = validator.Validate();
EXPECT_EQ(kCborParseError, result);
EXPECT_EQ("", validator.GetRawMessage());
EXPECT_EQ("", validator.GetFormattedMessage());
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoNotMap) {
cppbor::Array array = cppbor::Array().add("make").add(123).add("model");
const std::vector<uint8_t> device_info_bad = array.encode();
DeviceInfoValidator validator(kDeviceVersion3);
CborMessageStatus result = validator.Parse(device_info_bad);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateFatal);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateFatal, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("Device info is not a CBOR map"));
}
TEST(OEMCryptoDeviceInfoValidatorTest,
DeviceInfoV3WrongKeyValueTypeAndMissingField) {
const std::vector<uint8_t> device_info_bad =
cppbor::Map()
.add("brand", "brand")
.add("manufacturer", "manufacturer")
.add(123, 456) // Non-Tstr key type
.add("system_patch_level", "not a uint") // Non-uint value type
.canonicalize()
.encode();
DeviceInfoValidator validator(kDeviceVersion3);
CborMessageStatus result = validator.Parse(device_info_bad);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_EQ(kCborValidateError, result);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
const bool unexpected_key_type_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("Unexpected entry key type") != std::string::npos;
});
EXPECT_EQ(true, unexpected_key_type_found);
const bool unexpected_value_type_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("system_patch_level has the wrong type") !=
std::string::npos;
});
EXPECT_EQ(true, unexpected_value_type_found);
const bool missing_model_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("model is missing") != std::string::npos;
});
EXPECT_EQ(true, missing_model_found);
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoV3NonCanonical) {
const cppbor::Map map = BuildDeviceInfoMap(kDeviceVersion3);
const std::vector<uint8_t> device_info = map.encode();
DeviceInfoValidator validator(kDeviceVersion3);
CborMessageStatus result = validator.Parse(device_info);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateError);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateError, msgs[0].first);
EXPECT_THAT(msgs[0].second,
HasSubstr("Device info ordering is non-canonical"));
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoV3) {
const std::vector<uint8_t> device_info = BuildDeviceInfo(kDeviceVersion3);
DeviceInfoValidator validator(kDeviceVersion3);
CborMessageStatus result = validator.Parse(device_info);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, AllOf(Ge(kCborValidateOk), Le(kCborValidateWarning)));
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("manufacturer: manufacturer"));
EXPECT_THAT(out, HasSubstr("model: model"));
EXPECT_THAT(out, HasSubstr("fused: 0"));
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoV2) {
const std::vector<uint8_t> device_info = BuildDeviceInfo(kDeviceVersion2);
DeviceInfoValidator validator(kDeviceVersion2);
CborMessageStatus result = validator.Parse(device_info);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, AllOf(Ge(kCborValidateOk), Le(kCborValidateWarning)));
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("manufacturer: manufacturer"));
EXPECT_THAT(out, HasSubstr("model: model"));
EXPECT_THAT(out, HasSubstr("fused: 0"));
EXPECT_THAT(out, HasSubstr("version: 2"));
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoV1MissingField) {
const std::vector<uint8_t> device_info = cppbor::Map()
.add("brand", "brand")
.add("security_level", "tee")
.add("version", 1)
.canonicalize()
.encode();
DeviceInfoValidator validator(kDeviceVersion1);
CborMessageStatus result = validator.Parse(device_info);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateError);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateError, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("att_id_state is missing"));
}
TEST(OEMCryptoDeviceInfoValidatorTest, DeviceInfoV1) {
DeviceInfoValidator validator(kDeviceVersion1);
const std::vector<uint8_t> device_info = BuildDeviceInfo(kDeviceVersion1);
CborMessageStatus result = validator.Parse(device_info);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, AllOf(Ge(kCborValidateOk), Le(kCborValidateWarning)));
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("board: board"));
EXPECT_THAT(out, HasSubstr("version: 1"));
}
} // namespace util
} // namespace wvoec

294
oemcrypto/util/test/signed_csr_payload_validator_unittest.cpp Normal file
View File

@@ -0,0 +1,294 @@
// Copyright 2023 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine License
// Agreement.
//
// Reference implementation utilities of OEMCrypto APIs
//
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include "signed_csr_payload_validator.h"
using ::testing::AllOf;
using ::testing::Ge;
using ::testing::HasSubstr;
using ::testing::Le;
namespace wvoec {
namespace util {
namespace {
std::vector<uint8_t> GetDefaultProtectedData() {
return cppbor::Map().add(1, /*ES256=*/-7).encode();
}
cppbor::Map GetDefaultDeviceInfoMap() {
return cppbor::Map()
.add("brand", "brand")
.add("manufacturer", "manufacturer")
.add("product", "product")
.add("model", "model")
.add("vb_state", "green")
.add("bootloader_state", "unlocked")
.add("vbmeta_digest", cppbor::Bstr(std::vector<uint8_t>()))
.add("os_version", "os_version")
.add("system_patch_level", 202312)
.add("boot_patch_level", 20231201)
.add("vendor_patch_level", 20231201)
.add("security_level", "tee")
.add("device", "device")
.add("fused", 0);
}
std::vector<uint8_t> GetDefaultCsrPayload() {
// CsrPayload = [ ; CBOR Array defining the payload for CSR.
// version: 3, ; The CsrPayload CDDL Schema version.
// CertificateType: "widevine" ; The type of certificate being requested.
// DeviceInfo, ; Defined in Android DeviceInfo.aidl
// KeysToSign: [] ; Empty list
// ]
return cppbor::Array()
.add(3)
.add("widevine")
.add(GetDefaultDeviceInfoMap())
.add(/*KeysToSign*/ cppbor::Array())
.encode();
}
std::vector<uint8_t> GetDefaultPayloadData() {
// payload: bstr .cbor DataToBeSigned / nil
// DataToBeSigned = [
// challenge: bstr .size (0..64),
// bstr .cbor CsrPayload,
// ]
const std::vector<uint8_t> challenge(64, 0xC0);
return cppbor::Array()
.add(cppbor::Bstr(challenge))
.add(cppbor::Bstr(GetDefaultCsrPayload()))
.encode();
}
std::vector<uint8_t> GetDefaultSignature() {
return std::vector<uint8_t>(64, 0xA0);
}
std::vector<uint8_t> GetDefaultSignedCsrPayload() {
// SignedData<CsrPayload> = [
// protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 /
// AlgorithmES384 },
// unprotected: {},
// payload: bstr .cbor DataToBeSigned / nil,
// signature: bstr
// ]
return cppbor::Array()
.add(cppbor::Bstr(GetDefaultProtectedData()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(GetDefaultPayloadData()))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
}
} // namespace
TEST(OEMCryptoSignedCsrPayloadValidatorTest, SignedCsrPayloadParseError) {
const std::vector<uint8_t> signed_csr_payload = GetDefaultSignedCsrPayload();
const std::vector<uint8_t> signed_csr_payload_bad(
signed_csr_payload.begin(), signed_csr_payload.end() - 1);
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload_bad);
EXPECT_EQ(kCborParseError, result);
result = validator.Validate();
EXPECT_EQ(kCborParseError, result);
EXPECT_EQ("", validator.GetRawMessage());
EXPECT_EQ("", validator.GetFormattedMessage());
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, ProtectedDataNotMap) {
cppbor::Array protected_data_array = cppbor::Array().add(1).add(-7);
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(protected_data_array.encode()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(GetDefaultPayloadData()))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateFatal);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateFatal, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("ProtectedParams must be a CBOR map"));
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, ProtectedDataMapMissingKey) {
cppbor::Map protected_data = cppbor::Map();
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(protected_data.encode()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(GetDefaultPayloadData()))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateFatal);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateFatal, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("ProtectedParams is empty"));
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, ProtectedDataMapKeyWarnings) {
cppbor::Map protected_data =
cppbor::Map().add(1, -7).add("1", -7).add(2, "abc");
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(protected_data.encode()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(GetDefaultPayloadData()))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateWarning);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
const bool unexpected_key_type_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("Unsupported key type") != std::string::npos;
});
EXPECT_EQ(true, unexpected_key_type_found);
const bool unexpected_key_value_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("Unsupported key value") != std::string::npos;
});
EXPECT_EQ(true, unexpected_key_value_found);
const bool unexpected_entry_found =
std::any_of(msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("ProtectedParams expects 1 entry") !=
std::string::npos;
});
EXPECT_EQ(true, unexpected_entry_found);
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, InvalidChallengeAndPayload) {
const std::vector<uint8_t> challenge(65, 0xC0); // bad length
const std::vector<uint8_t> csr_payload =
cppbor::Array()
.add(2) // wrong version
.add("widevine")
.add(GetDefaultDeviceInfoMap())
.add(/*KeysToSign*/ cppbor::Array())
.encode();
const std::vector<uint8_t> payload = cppbor::Array()
.add(cppbor::Bstr(challenge))
.add(cppbor::Bstr(csr_payload))
.encode();
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(GetDefaultProtectedData()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(payload))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateError);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(2u, msgs.size());
const bool challenge_error_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find("Challenge size must be between 0 and 64 bytes") !=
std::string::npos;
});
EXPECT_EQ(true, challenge_error_found);
const bool csr_payload_error_found = std::any_of(
msgs.begin(), msgs.end(),
[](const std::pair<CborMessageStatus, std::string>& p) {
return p.second.find(
"CSR payload version must be must be equal to 3") !=
std::string::npos;
});
EXPECT_EQ(true, csr_payload_error_found);
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, KeysToSignEmptyList) {
const std::vector<uint8_t> challenge(64, 0xC0);
const std::vector<uint8_t> csr_payload =
cppbor::Array()
.add(3)
.add("widevine")
.add(GetDefaultDeviceInfoMap())
.add(/*KeysToSign*/ cppbor::Bstr()) // wrong type, expect list
.encode();
const std::vector<uint8_t> payload = cppbor::Array()
.add(cppbor::Bstr(challenge))
.add(cppbor::Bstr(csr_payload))
.encode();
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(GetDefaultProtectedData()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(payload))
.add(cppbor::Bstr(GetDefaultSignature()))
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateFatal);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateFatal, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("Keys must be a CBOR array"));
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, SignatureMissing) {
std::vector<uint8_t> signed_csr_payload =
cppbor::Array()
.add(cppbor::Bstr(GetDefaultProtectedData()))
.add(/*unprotected*/ cppbor::Map())
.add(cppbor::Bstr(GetDefaultPayloadData()))
.add(cppbor::Bstr(std::vector<uint8_t>())) // empty signature
.encode();
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(signed_csr_payload);
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, kCborValidateError);
const std::vector<std::pair<CborMessageStatus, std::string>> msgs =
validator.GetValidateMessages();
EXPECT_EQ(1u, msgs.size());
EXPECT_EQ(kCborValidateError, msgs[0].first);
EXPECT_THAT(msgs[0].second, HasSubstr("CoseSign1 signature is missing"));
}
TEST(OEMCryptoSignedCsrPayloadValidatorTest, ValidateOk) {
SignedCsrPayloadValidator validator;
CborMessageStatus result = validator.Parse(GetDefaultSignedCsrPayload());
EXPECT_EQ(kCborParseOk, result);
result = validator.Validate();
EXPECT_THAT(result, AllOf(Ge(kCborValidateOk), Le(kCborValidateWarning)));
const std::string out = validator.GetFormattedMessage();
EXPECT_THAT(out, HasSubstr("1: ES256"));
EXPECT_THAT(out, HasSubstr("version: 3"));
EXPECT_THAT(out, HasSubstr("certificate_type: widevine"));
EXPECT_THAT(out, HasSubstr("keys_to_sign: []"));
}
} // namespace util
} // namespace wvoec