Skip to content
This repository has been archived by the owner on Oct 29, 2024. It is now read-only.

Commit

Permalink
duress password test: check that Weaver is wiped as part of duress wipe
Browse files Browse the repository at this point in the history
  • Loading branch information
muhomorr committed Jun 3, 2024
1 parent c7cf366 commit 4d50580
Showing 1 changed file with 19 additions and 9 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@
import org.junit.Test;
import org.junit.runner.RunWith;

import java.util.Arrays;
import java.util.List;

import static com.google.common.truth.Truth.assertThat;
import static java.util.concurrent.TimeUnit.MINUTES;

Expand Down Expand Up @@ -43,7 +46,11 @@ private void testDuressCredential(boolean isPin) throws DeviceNotAvailableExcept

// check that credential verifies before duress wipe
CommandResult vcr = verifyCredential(dev, userId, credential);
assertThat(vcr.getStdout()).isEqualTo("Lock credential verified successfully\n");
List<String> lines = lines(vcr.getStdout());
assertThat(lines.get(0)).isEqualTo("Lock credential verified successfully");
// check that Weaver slot value is non-zero
assertThat(lines.get(1)).matches("WeaverRead\\[slot=., responseStatus=0, valueType=NON_ZERO, valueLength=16, ex=null]");
assertThat(lines).hasSize(2);
assertThat(vcr.getExitCode()).isEqualTo(0);
}

Expand Down Expand Up @@ -88,14 +95,12 @@ private void testDuressCredential(boolean isPin) throws DeviceNotAvailableExcept
assertThat(checkNonCeStorageEncryptionKeys(dev)).hasLength(0);

for (int userId : userIds) {
// check that user credentials no longer verify due to now-missing underlying keys,
// which are used for CE storage
CommandResult r = verifyCredential(dev, userId, makeUserCredential(userId));
String stderr = r.getStderr();
assertThat(stderr).contains("\njava.lang.IllegalStateException: Failed to decrypt blob");
assertThat(stderr).contains("\nCaused by: java.security.InvalidKeyException: Keystore operation failed");
assertThat(stderr).contains("\nCaused by: android.security.KeyStoreException: Invalid key blob (internal Keystore code: -33");
assertThat(stderr).contains(": Error::Km(r#INVALID_KEY_BLOB)) (public error code: 10 internal Keystore code: -33)");
List<String> stdout = lines(r.getStdout());
// check that Weaver slot is now zeroed
assertThat(stdout.get(0)).matches("WeaverRead\\[slot=., responseStatus=0, valueType=ZERO, valueLength=16, ex=null]");
assertThat(stdout).hasSize(1);
// credential verification should now fail
assertThat(r.getExitCode()).isEqualTo(255);
}
}
Expand All @@ -115,7 +120,8 @@ private static String[] checkNonCeStorageEncryptionKeys(ITestDevice dev)

private static CommandResult verifyCredential(ITestDevice dev, int userId, String credential)
throws DeviceNotAvailableException {
return dev.executeShellV2Command("cmd lock_settings verify --old " + credential + " --user " + userId);
return dev.executeShellV2Command("cmd lock_settings verify --old " + credential
+ " --user " + userId + " --capture-weaver-ops");
}

private static void inputKeyEvent(ITestDevice dev, String ev) throws DeviceNotAvailableException {
Expand All @@ -125,4 +131,8 @@ private static void inputKeyEvent(ITestDevice dev, String ev) throws DeviceNotAv
private static String makeUserCredential(int userId) {
return Integer.toString(userId).repeat(5);
}

private static List<String> lines(String s) {
return Arrays.asList(s.split("\n"));
}
}

0 comments on commit 4d50580

Please sign in to comment.