Google Git
Sign in
android / platform / test / vts-testcase / security / 7a29595ab56fa58fbb86fcf52efa68723ee45764 / . / avb / gsi_validation_utils.cpp
blob: ec8769f20290921b245b10cbee9fbc033a0889b1 [file] [log] [blame]
/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <android-base/file.h>
#include <android-base/properties.h>
#include <gtest/gtest.h>
#include <openssl/sha.h>
#include "gsi_validation_utils.h"
uint8_t HexDigitToByte(char c) {
if (c >= '0' && c <= '9') {
return c - '0';
}
if (c >= 'a' && c <= 'f') {
return c - 'a' + 10;
}
if (c >= 'A' && c <= 'Z') {
return c - 'A' + 10;
}
return 0xff;
}
bool HexToBytes(const std::string &hex, std::vector<uint8_t> *bytes) {
if (hex.size() % 2 != 0) {
return false;
}
bytes->resize(hex.size() / 2);
for (unsigned i = 0; i < bytes->size(); i++) {
uint8_t hi = HexDigitToByte(hex[i * 2]);
uint8_t lo = HexDigitToByte(hex[i * 2 + 1]);
if (lo > 0xf || hi > 0xf) {
return false;
}
bytes->at(i) = (hi << 4) | lo;
}
return true;
}
const char kNibble2Hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
std::string BytesToHex(const std::vector<uint8_t> &bytes) {
std::string retval;
retval.reserve(bytes.size() * 2 + 1);
for (uint8_t byte : bytes) {
retval.push_back(kNibble2Hex[0x0F & (byte >> 4)]);
retval.push_back(kNibble2Hex[0x0F & byte]);
}
return retval;
}
std::unique_ptr<ShaHasher> CreateShaHasher(const std::string &algorithm) {
if (algorithm == "sha1") {
return std::make_unique<ShaHasherImpl<SHA_CTX>>(
SHA1_Init, SHA1_Update, SHA1_Final, SHA_DIGEST_LENGTH);
}
if (algorithm == "sha256") {
return std::make_unique<ShaHasherImpl<SHA256_CTX>>(
SHA256_Init, SHA256_Update, SHA256_Final, SHA256_DIGEST_LENGTH);
}
if (algorithm == "sha512") {
return std::make_unique<ShaHasherImpl<SHA512_CTX>>(
SHA512_Init, SHA512_Update, SHA512_Final, SHA512_DIGEST_LENGTH);
}
return nullptr;
}
bool ValidatePublicKeyBlob(const std::string &key_blob_to_validate) {
if (key_blob_to_validate.empty()) {
GTEST_LOG_(ERROR) << "Failed to validate an empty key";
return false;
}
const std::string exec_dir = android::base::GetExecutableDirectory();
std::vector<std::string> allowed_key_names = {
"q-gsi.avbpubkey", "r-gsi.avbpubkey", "s-gsi.avbpubkey",
"t-gsi.avbpubkey", "qcar-gsi.avbpubkey",
};
for (const auto &key_name : allowed_key_names) {
const auto key_path = exec_dir + "/" + key_name;
std::string allowed_key_blob;
if (android::base::ReadFileToString(key_path, &allowed_key_blob)) {
if (key_blob_to_validate == allowed_key_blob) {
GTEST_LOG_(INFO) << "Found matching GSI key: " << key_path;
return true;
}
}
}
return false;
}
const uint32_t kCurrentApiLevel = 10000;
static uint32_t ReadApiLevelProps(
const std::vector<std::string> &api_level_props) {
uint32_t api_level = kCurrentApiLevel;
for (const auto &api_level_prop : api_level_props) {
api_level = android::base::GetUintProperty<uint32_t>(api_level_prop,
kCurrentApiLevel);
if (api_level != kCurrentApiLevel) {
break;
}
}
return api_level;
}
uint32_t GetSdkLevel() {
uint32_t sdk_level = ReadApiLevelProps({"ro.build.version.sdk"});
if (sdk_level == kCurrentApiLevel) {
ADD_FAILURE() << "Failed to determine SDK level";
return 0;
}
return sdk_level;
}
uint32_t GetProductFirstApiLevel() {
uint32_t product_api_level =
ReadApiLevelProps({"ro.product.first_api_level", "ro.build.version.sdk"});
if (product_api_level == kCurrentApiLevel) {
ADD_FAILURE() << "Failed to determine product first API level";
return 0;
}
return product_api_level;
}
uint32_t GetVendorApiLevel() {
// "ro.vendor.api_level" is added in Android T.
uint32_t vendor_api_level = ReadApiLevelProps({"ro.vendor.api_level"});
if (vendor_api_level != kCurrentApiLevel) {
return vendor_api_level;
}
// For pre-T devices, determine the board API level by ourselves.
uint32_t product_api_level = GetProductFirstApiLevel();
uint32_t board_api_level =
ReadApiLevelProps({"ro.board.api_level", "ro.board.first_api_level"});
uint32_t api_level = std::min(board_api_level, product_api_level);
if (api_level == kCurrentApiLevel) {
ADD_FAILURE() << "Failed to determine vendor API level";
return 0;
}
return api_level;
}
std::optional<uint32_t> GetBoardApiLevel() {
uint32_t board_api_level =
ReadApiLevelProps({"ro.board.api_level", "ro.board.first_api_level"});
if (board_api_level == kCurrentApiLevel) {
return std::nullopt;
}
return board_api_level;
}
bool IsReleasedAndroidVersion() {
return android::base::GetProperty("ro.build.version.codename", "") == "REL";
}