sdcp-device: Use a key DB for testing

If FP_DEVICE_EMULATION is set, then switch to using predictable EC
ephemeral key and random numbers. This should allow recording and
replaying real device interactions using umockdev.

.gitlab-ci.yml

@@ -63,7 +63,7 @@ test:
     variables:
       - $CI_PIPELINE_SOURCE == "schedule"
   script:
-    - meson --werror -Ddrivers=all -Db_coverage=true . _build
+    - meson --werror -Ddrivers=all -Db_coverage=true -Dsdcp_virt_binary=/usr/local/bin/sdcp_virt_device . _build
     - ninja -C _build
     - meson test -C _build --print-errorlogs --no-stdsplit --timeout-multiplier 3
     - ninja -C _build coverage
@@ -83,7 +83,7 @@ test_valgrind:
     variables:
       - $CI_PIPELINE_SOURCE == "schedule"
   script:
-    - meson -Ddrivers=all . _build
+    - meson -Ddrivers=all -Dsdcp_virt_binary=/usr/local/bin/sdcp_virt_device . _build
     - ninja -C _build
     - meson test -C _build --print-errorlogs --no-stdsplit --setup=valgrind
   artifacts:
@@ -167,8 +167,20 @@ container_fedora_build:
       vala
       libpcap-devel
       libudev-devel
+      mbedtls-devel
     FDO_DISTRIBUTION_EXEC: |
       git clone https://github.com/martinpitt/umockdev.git && \
         cd umockdev && \
         meson _build --prefix=/usr && \
         ninja -C _build && ninja -C _build install
+      cd /tmp
+      mkdir -p /usr/local/bin
+      git clone https://github.com/benzea/SecureDeviceConnectionProtocol.git
+      # Don't bother with cmake
+      gcc -l mbedcrypto -I SecureDeviceConnectionProtocol/src/include \
+        SecureDeviceConnectionProtocol/src/test/virt_device.c \
+        SecureDeviceConnectionProtocol/src/client/client.c \
+        SecureDeviceConnectionProtocol/src/test/helpers.c \
+        SecureDeviceConnectionProtocol/src/test/testkeys.c \
+        -o /usr/local/bin/sdcp_virt_device
+      rm -rf SecureDeviceConnectionProtocol

NEWS

@@ -1,6 +1,16 @@
 This file lists notable changes in each release. For the full history of all
 changes, see ChangeLog.
 
+2021-11-02: v1.94.3 release
+
+Highlights:
+ * Ensure idle mainloop before completing enumeration (fprintd#119)
+ * It is now possible to extend already enrolled prints
+ * elanspi: Fix timeout error with some hardware (#438)
+ * elanspi: Fix cancellation issues
+ * goodixmoc: Return matching device print; fixes duplicate checking (#444)
+ * goodixmoc: Support clearing the storage (usually unused)
+
 2021-11-02: v1.94.2 release
 
 Highlights:

README.md

@@ -1,9 +1,10 @@
-libfprint
+# libfprint
-=========
 
 libfprint is part of the fprint project:
 https://fprint.freedesktop.org/
 
+## History
+
 libfprint was originally developed as part of an academic project at the
 University of Manchester with the aim of hiding differences between different
 consumer fingerprint scanners and providing a single uniform API to application
@@ -15,6 +16,8 @@ from this one, although I try to keep them as similar as possible (I'm not
 hiding anything in the academic branch, it's just the open source release
 contains some commits excluded from the academic project).
 
+## License
+
 THE UNIVERSITY OF MANCHESTER DOES NOT ENDORSE THIS THIS SOFTWARE RELEASE AND
 IS IN NO WAY RESPONSIBLE FOR THE CODE CONTAINED WITHIN, OR ANY DAMAGES CAUSED
 BY USING OR DISTRIBUTING THE SOFTWARE. Development does not happen on

TODO

@@ -1,30 +0,0 @@
-LIBRARY
-=======
-test suite against NFIQ compliance set
-make library optionally asynchronous and maybe thread-safe
-nbis cleanups
-API function to determine if img device supports uncond. capture
-race-free way of saying "save this print but don't overwrite"
-
-NEW DRIVERS
-===========
-Sunplus 895 driver
-AES3400/3500 driver
-ID Mouse driver
-Support for 2nd generation MS devices
-Support for 2nd generation UPEK devices
-
-IMAGING
-=======
-ignore first frame or two with aes2501
-aes2501: increase threshold "sum" for end-of-image detection
-aes2501 gain calibration
-aes4000 gain calibration
-aes4000 resampling
-PPMM parameter to get_minutiae seems to have no effect
-nbis minutiae should be stored in endian-independent format
-
-PORTABILITY
-===========
-OpenBSD can't do -Wshadow or visibility
-OpenBSD: add compat codes for ENOTSUP ENODATA and EPROTO

data/autosuspend.hwdb

@@ -181,7 +181,6 @@ usb:v06CBp00DF*
 usb:v06CBp00F9*
 usb:v06CBp00FC*
 usb:v06CBp00C2*
-usb:v06CBp00C9*
 usb:v06CBp0100*
 usb:v06CBp00F0*
 usb:v06CBp0103*
@@ -268,15 +267,19 @@ usb:v06CBp008A*
 usb:v06CBp009A*
 usb:v06CBp009B*
 usb:v06CBp00A2*
+usb:v06CBp00A8*
 usb:v06CBp00B7*
 usb:v06CBp00BB*
 usb:v06CBp00BE*
 usb:v06CBp00C4*
 usb:v06CBp00CB*
+usb:v06CBp00C9*
 usb:v06CBp00D8*
 usb:v06CBp00DA*
+usb:v06CBp00DC*
 usb:v06CBp00E7*
 usb:v06CBp00E9*
+usb:v06CBp00FD*
 usb:v0A5Cp5801*
 usb:v0A5Cp5805*
 usb:v0A5Cp5834*
@@ -288,6 +291,7 @@ usb:v0A5Cp5844*
 usb:v0A5Cp5845*
 usb:v0BDAp5812*
 usb:v10A5p0007*
+usb:v10A5p9200*
 usb:v1188p9545*
 usb:v138Ap0007*
 usb:v138Ap003A*
@@ -305,6 +309,7 @@ usb:v1491p0088*
 usb:v16D1p1027*
 usb:v1C7Ap0300*
 usb:v1C7Ap0575*
+usb:v1C7Ap0576*
 usb:v27C6p5042*
 usb:v27C6p5110*
 usb:v27C6p5117*
@@ -324,7 +329,9 @@ usb:v27C6p55A2*
 usb:v27C6p55A4*
 usb:v27C6p55B4*
 usb:v27C6p5740*
+usb:v27C6p5E0A*
 usb:v2808p9338*
+usb:v298Dp2020*
 usb:v298Dp2033*
 usb:v3538p0930*
  ID_AUTOSUSPEND=1

doc/libfprint-2-sections.txt

@@ -100,6 +100,12 @@ FP_TYPE_IMAGE_DEVICE
 FpImageDevice
 </SECTION>
 
+<SECTION>
+<FILE>fp-sdcp-device</FILE>
+FP_TYPE_SDCP_DEVICE
+FpSdcpDevice
+</SECTION>
+
 <SECTION>
 <FILE>fp-print</FILE>
 FP_TYPE_PRINT
@@ -215,6 +221,26 @@ fpi_image_device_retry_scan
 fpi_image_device_set_bz3_threshold
 </SECTION>
 
+<SECTION>
+<FILE>fpi-sdcp-device</FILE>
+<TITLE>Internal FpSdcpDevice</TITLE>
+FpiSdcpClaim
+FpSdcpDeviceClass
+fpi_sdcp_claim_copy
+fpi_sdcp_claim_free
+fpi_sdcp_claim_get_type
+fpi_sdcp_claim_new
+fpi_sdcp_device_connect_complete
+fpi_sdcp_device_get_connect_data
+fpi_sdcp_device_get_reconnect_data
+fpi_sdcp_device_reconnect_complete
+fpi_sdcp_device_enroll_commit_complete
+fpi_sdcp_device_enroll_ready
+fpi_sdcp_device_enroll_set_nonce
+fpi_sdcp_device_identify_retry
+fpi_sdcp_device_identify_complete
+</SECTION>
+
 <SECTION>
 <FILE>fpi-log</FILE>
 fp_dbg

doc/libfprint-docs.xml

@@ -28,6 +28,7 @@
     <xi:include href="xml/fp-context.xml"/>
     <xi:include href="xml/fp-device.xml"/>
     <xi:include href="xml/fp-image-device.xml"/>
+    <xi:include href="xml/fp-sdcp-device.xml"/>
     <xi:include href="xml/fp-print.xml"/>
     <xi:include href="xml/fp-image.xml"/>
   </part>
@@ -38,6 +39,7 @@
       <title>Device methods for drivers</title>
       <xi:include href="xml/fpi-device.xml"/>
       <xi:include href="xml/fpi-image-device.xml"/>
+      <xi:include href="xml/fpi-sdcp-device.xml"/>
     </chapter>
 
     <chapter id="driver-helpers">

examples/identify.c

@@ -143,6 +143,7 @@ on_identify_cb (FpDevice *dev, FpPrint *match, FpPrint *print,
   if (match)
     {
       g_autoptr(FpPrint) matched_print = g_object_ref (match);
+      const GDate *date;
       char date_str[128] = {};
 
       identify_data->ret_value = EXIT_SUCCESS;
@@ -155,7 +156,8 @@ on_identify_cb (FpDevice *dev, FpPrint *match, FpPrint *print,
             matched_print = g_steal_pointer (&stored_print);
         }
 
-      if (fp_print_get_enroll_date (matched_print))
+      date = fp_print_get_enroll_date (matched_print);
+      if (date && g_date_valid (date))
         g_date_strftime (date_str, G_N_ELEMENTS (date_str), "%Y-%m-%d\0",
                          fp_print_get_enroll_date (matched_print));
       else

examples/manage-prints.c

@@ -161,7 +161,7 @@ on_list_completed (FpDevice     *dev,
                    finger_to_string (fp_print_get_finger (print)),
                    fp_print_get_username (print));
 
-          if (date)
+          if (date && g_date_valid (date))
             {
               g_date_strftime (buf, G_N_ELEMENTS (buf), "%Y-%m-%d\0", date);
               g_print (", enrolled on %s", buf);

examples/verify.c

@@ -130,12 +130,14 @@ on_match_cb (FpDevice *dev, FpPrint *match, FpPrint *print,
 
   if (match)
     {
-      char date_str[128];
+      const GDate *date = fp_print_get_enroll_date (match);
+      char date_str[128] = "<unknown>";
 
       verify_data->ret_value = EXIT_SUCCESS;
 
-      g_date_strftime (date_str, G_N_ELEMENTS (date_str), "%Y-%m-%d\0",
+      if (date && g_date_valid (date))
-                       fp_print_get_enroll_date (match));
+        g_date_strftime (date_str, G_N_ELEMENTS (date_str), "%Y-%m-%d\0",
+                         fp_print_get_enroll_date (match));
       g_debug ("Match report: device %s matched finger %s successifully "
                "with print %s, enrolled on date %s by user %s",
                fp_device_get_name (dev),

libfprint/drivers/elan.h

@@ -31,10 +31,9 @@
 #define ELAN_0907 (1 << 0)
 #define ELAN_0C03 (1 << 1)
 #define ELAN_0C42 (1 << 2)
-#define ELAN_0C3D (1 << 3)
 
 /* devices which don't require frame rotation before assembling */
-#define ELAN_NOT_ROTATED (ELAN_0C03 | ELAN_0C3D)
+#define ELAN_NOT_ROTATED ELAN_0C03
 
 /* min FW version that supports calibration */
 #define ELAN_MIN_CALIBRATION_FW 0x0138
@@ -214,7 +213,7 @@ static const FpIdEntry elan_id_table[] = {
   {.vid = ELAN_VEND_ID,  .pid = 0x0c31, .driver_data = ELAN_ALL_DEV},
   {.vid = ELAN_VEND_ID,  .pid = 0x0c32, .driver_data = ELAN_ALL_DEV},
   {.vid = ELAN_VEND_ID,  .pid = 0x0c33, .driver_data = ELAN_ALL_DEV},
-  {.vid = ELAN_VEND_ID,  .pid = 0x0c3d, .driver_data = ELAN_0C3D},
+  {.vid = ELAN_VEND_ID,  .pid = 0x0c3d, .driver_data = ELAN_ALL_DEV},
   {.vid = ELAN_VEND_ID,  .pid = 0x0c42, .driver_data = ELAN_0C42},
   {.vid = ELAN_VEND_ID,  .pid = 0x0c4d, .driver_data = ELAN_ALL_DEV},
   {.vid = ELAN_VEND_ID,  .pid = 0x0c4f, .driver_data = ELAN_ALL_DEV},

libfprint/drivers/goodixmoc/goodix.c

@@ -159,7 +159,7 @@ fp_cmd_receive_cb (FpiUsbTransfer *transfer,
     {
       fpi_ssm_mark_failed (transfer->ssm,
                            fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,
-                                                     "Corrupted message received"));
+                                                     "Corrupted message header received"));
       return;
     }
 
@@ -420,12 +420,9 @@ fp_verify_cb (FpiDeviceGoodixMoc  *self,
               gxfp_cmd_response_t *resp,
               GError              *error)
 {
-  g_autoptr(GPtrArray) templates = NULL;
   FpDevice *device = FP_DEVICE (self);
-  FpPrint *match = NULL;
+  FpPrint *new_scan = NULL;
-  FpPrint *print = NULL;
+  FpPrint *matching = NULL;
-  gint cnt = 0;
-  gboolean find = false;
 
   if (error)
     {
@@ -434,46 +431,34 @@ fp_verify_cb (FpiDeviceGoodixMoc  *self,
     }
   if (resp->verify.match)
     {
-      match = fp_print_from_template (self, &resp->verify.template);
+      new_scan = fp_print_from_template (self, &resp->verify.template);
 
       if (fpi_device_get_current_action (device) == FPI_DEVICE_ACTION_VERIFY)
         {
-          templates = g_ptr_array_sized_new (1);
+          fpi_device_get_verify_data (device, &matching);
-          fpi_device_get_verify_data (device, &print);
+          if (!fp_print_equal (matching, new_scan))
-          g_ptr_array_add (templates, print);
+            matching = NULL;
         }
       else
         {
+          GPtrArray *templates = NULL;
           fpi_device_get_identify_data (device, &templates);
-          g_ptr_array_ref (templates);
-        }
-      for (cnt = 0; cnt < templates->len; cnt++)
-        {
-          print = g_ptr_array_index (templates, cnt);
 
-          if (fp_print_equal (print, match))
+          for (gint i = 0; i < templates->len; i++)
             {
-              find = true;
+              if (fp_print_equal (g_ptr_array_index (templates, i), new_scan))
-              break;
+                {
+                  matching = g_ptr_array_index (templates, i);
+                  break;
+                }
             }
-
-        }
-      if (find)
-        {
-          if (fpi_device_get_current_action (device) == FPI_DEVICE_ACTION_VERIFY)
-            fpi_device_verify_report (device, FPI_MATCH_SUCCESS, match, error);
-          else
-            fpi_device_identify_report (device, print, match, error);
         }
     }
 
-  if (!find)
+  if (fpi_device_get_current_action (device) == FPI_DEVICE_ACTION_VERIFY)
-    {
+    fpi_device_verify_report (device, matching ? FPI_MATCH_SUCCESS : FPI_MATCH_FAIL, new_scan, error);
-      if (fpi_device_get_current_action (device) == FPI_DEVICE_ACTION_VERIFY)
+  else
-        fpi_device_verify_report (device, FPI_MATCH_FAIL, NULL, error);
+    fpi_device_identify_report (device, matching, new_scan, error);
-      else
-        fpi_device_identify_report (device, NULL, NULL, error);
-    }
 
   fpi_ssm_next_state (self->task_ssm);
 
@@ -764,9 +749,14 @@ fp_enroll_check_duplicate_cb (FpiDeviceGoodixMoc  *self,
     }
   if (resp->check_duplicate_resp.duplicate)
     {
+      g_autoptr(FpPrint) print = NULL;
+
+      print = g_object_ref_sink (fp_print_from_template (self, &resp->check_duplicate_resp.template));
+
       fpi_ssm_mark_failed (self->task_ssm,
                            fpi_device_error_new_msg (FP_DEVICE_ERROR_DATA_DUPLICATE,
-                                                     "Finger has already enrolled"));
+                                                     "Finger was already enrolled as '%s'",
+                                                     fp_print_get_description (print)));
       return;
     }
 
@@ -1170,6 +1160,32 @@ fp_template_delete_cb (FpiDeviceGoodixMoc  *self,
   fp_info ("Successfully deleted enrolled user");
   fpi_device_delete_complete (device, NULL);
 }
+
+static void
+fp_template_delete_all_cb (FpiDeviceGoodixMoc  *self,
+                           gxfp_cmd_response_t *resp,
+                           GError              *error)
+{
+  FpDevice *device = FP_DEVICE (self);
+
+  if (error)
+    {
+      fpi_device_clear_storage_complete (device, error);
+      return;
+    }
+  if ((resp->result >= GX_FAILED) && (resp->result != GX_ERROR_FINGER_ID_NOEXIST))
+    {
+      fpi_device_clear_storage_complete (FP_DEVICE (self),
+                                         fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
+                                                                   "Failed clear storage, result: 0x%x",
+                                                                   resp->result));
+      return;
+    }
+
+  fp_info ("Successfully cleared storage");
+  fpi_device_clear_storage_complete (device, NULL);
+}
+
 /******************************************************************************
  *
  *  fp_template_list Function
@@ -1493,6 +1509,19 @@ gx_fp_template_delete (FpDevice *device)
 
 }
 
+static void
+gx_fp_template_delete_all (FpDevice *device)
+{
+  FpiDeviceGoodixMoc *self = FPI_DEVICE_GOODIXMOC (device);
+
+  goodix_sensor_cmd (self, MOC_CMD0_DELETETEMPLATE, MOC_CMD1_DELETE_ALL,
+                     false,
+                     NULL,
+                     0,
+                     fp_template_delete_all_cb);
+
+}
+
 static void
 fpi_device_goodixmoc_init (FpiDeviceGoodixMoc *self)
 {
@@ -1536,6 +1565,7 @@ fpi_device_goodixmoc_class_init (FpiDeviceGoodixMocClass *klass)
   dev_class->probe  = gx_fp_probe;
   dev_class->enroll = gx_fp_enroll;
   dev_class->delete = gx_fp_template_delete;
+  dev_class->clear_storage = gx_fp_template_delete_all;
   dev_class->list   = gx_fp_template_list;
   dev_class->verify   = gx_fp_verify_identify;
   dev_class->identify = gx_fp_verify_identify;

libfprint/drivers/goodixmoc/goodix_proto.c

@@ -259,12 +259,9 @@ gx_proto_parse_fingerid (
 
   if (buffer[Offset++] != 67)
     return -1;
-  fid_buffer_size--;
 
   template->type = buffer[Offset++];
-  fid_buffer_size--;
   template->finger_index = buffer[Offset++];
-  fid_buffer_size--;
   Offset++;
   memcpy (template->accountid, &buffer[Offset], sizeof (template->accountid));
   Offset += sizeof (template->accountid);
@@ -273,6 +270,8 @@ gx_proto_parse_fingerid (
   template->payload.size = buffer[Offset++];
   if (template->payload.size > sizeof (template->payload.data))
     return -1;
+  if (template->payload.size + Offset > fid_buffer_size)
+    return -1;
   memset (template->payload.data, 0, template->payload.size);
   memcpy (template->payload.data, &buffer[Offset], template->payload.size);
 
@@ -365,9 +364,12 @@ gx_proto_parse_body (uint16_t cmd, uint8_t *buffer, uint16_t buffer_len, pgxfp_c
           if (buffer_len < 3)
             return -1;
           uint16_t tid_size = GUINT16_FROM_LE (*(uint16_t *) (buffer + 1));
-          if ((buffer_len < tid_size + 3) || (buffer_len > sizeof (template_format_t)) + 3)
+          offset += 3;
+
+          if (buffer_len < tid_size + offset)
+            return -1;
+          if (gx_proto_parse_fingerid (buffer + offset, tid_size, &presp->check_duplicate_resp.template) != 0)
             return -1;
-          memcpy (&presp->check_duplicate_resp.template, buffer + 3, tid_size);
         }
       break;
 
@@ -380,9 +382,12 @@ gx_proto_parse_body (uint16_t cmd, uint8_t *buffer, uint16_t buffer_len, pgxfp_c
       fingerlist = buffer + 2;
       for(uint8_t num = 0; num < presp->finger_list_resp.finger_num; num++)
         {
-          uint16_t fingerid_length = GUINT16_FROM_LE (*(uint16_t *) (fingerlist + offset));
+          uint16_t fingerid_length;
+          if (buffer_len < offset + 2)
+            return -1;
+          fingerid_length = GUINT16_FROM_LE (*(uint16_t *) (fingerlist + offset));
           offset += 2;
-          if (buffer_len < fingerid_length + offset + 2)
+          if (buffer_len < fingerid_length + offset)
             return -1;
           if (gx_proto_parse_fingerid (fingerlist + offset,
                                        fingerid_length,
@@ -405,7 +410,7 @@ gx_proto_parse_body (uint16_t cmd, uint8_t *buffer, uint16_t buffer_len, pgxfp_c
         presp->verify.match = (buffer[0] == 0) ? true : false;
         if (presp->verify.match)
           {
-            if (buffer_len < sizeof (template_format_t) + 10)
+            if (buffer_len < 10)
               return -1;
             offset += 1;
             presp->verify.rejectdetail = GUINT16_FROM_LE (*(uint16_t *) (buffer + offset));
@@ -416,6 +421,8 @@ gx_proto_parse_body (uint16_t cmd, uint8_t *buffer, uint16_t buffer_len, pgxfp_c
             offset += 1;
             fingerid_size = GUINT16_FROM_LE (*(uint16_t *) (buffer + offset));
             offset += 2;
+            if (buffer_len < fingerid_size + offset)
+              return -1;
             if (gx_proto_parse_fingerid (buffer + offset, fingerid_size, &presp->verify.template) != 0)
               {
                 presp->result = GX_FAILED;

libfprint/drivers/synaptics/synaptics.c

@@ -36,7 +36,6 @@ static const FpIdEntry id_table[] = {
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x00F9,  },
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x00FC,  },
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x00C2,  },
-  { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x00C9,  },
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x0100,  },
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x00F0,  },
   { .vid = SYNAPTICS_VENDOR_ID,  .pid = 0x0103,  },

libfprint/drivers/virtual-sdcp.c

@@ -0,0 +1,676 @@
+/*
+ * Virtual driver for SDCP device debugging
+ *
+ * Copyright (C) 2020 Benjamin Berg <bberg@redhat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/*
+ * This is a virtual test driver to test the basic SDCP functionality.
+ * It uses the test binaries from Microsoft, which were extended to allow
+ * a simple chat with the device.
+ * The environment variable contains the to be executed binary including
+ * arguments. This binary should be compiled from the code in
+ *   https://github.com/Microsoft/SecureDeviceConnectionProtocol
+ * or, until it is merged upstream
+ *   https://github.com/benzea/SecureDeviceConnectionProtocol
+ *
+ * Note that using this as an external executable has the advantage that we
+ * do not need to link against mbedtls or any other crypto library.
+ */
+
+#define FP_COMPONENT "virtual_sdcp"
+
+#include "fpi-log.h"
+#include "fpi-ssm.h"
+
+#include "../fpi-sdcp-device.h"
+
+#include <glib/gstdio.h>
+#include <gio/gio.h>
+
+struct _FpDeviceVirtualSdcp
+{
+  FpSdcpDevice   parent;
+
+  GSubprocess   *proc;
+  GOutputStream *proc_stdin;
+  GInputStream  *proc_stdout;
+
+  /* Only valid while a read/write is pending */
+  GByteArray *msg_out;
+  GByteArray *msg_in;
+
+  GByteArray *connect_msg;
+};
+
+G_DECLARE_FINAL_TYPE (FpDeviceVirtualSdcp, fpi_device_virtual_sdcp, FPI, DEVICE_VIRTUAL_SDCP, FpSdcpDevice)
+G_DEFINE_TYPE (FpDeviceVirtualSdcp, fpi_device_virtual_sdcp, FP_TYPE_SDCP_DEVICE)
+
+guint8 ca_1[] = {
+  0x30, 0x82, 0x03, 0xFD, 0x30, 0x82, 0x03, 0x82, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x13, 0x33,
+  0x00, 0x00, 0x00, 0x07, 0xE8, 0x9D, 0x61, 0x62, 0x4D, 0x46, 0x0F, 0x95, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x07, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x81,
+  0x84, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13,
+  0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67,
+  0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65,
+  0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15,
+  0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72,
+  0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x2E, 0x30, 0x2C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25,
+  0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x53, 0x65,
+  0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x50, 0x43, 0x41,
+  0x20, 0x32, 0x30, 0x31, 0x38, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x31, 0x33, 0x31, 0x31,
+  0x39, 0x35, 0x34, 0x35, 0x33, 0x5A, 0x17, 0x0D, 0x32, 0x38, 0x30, 0x31, 0x33, 0x31, 0x32, 0x30,
+  0x30, 0x34, 0x35, 0x33, 0x5A, 0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57,
+  0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+  0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06,
+  0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20,
+  0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x27, 0x30, 0x25, 0x06,
+  0x03, 0x55, 0x04, 0x03, 0x13, 0x1E, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x48, 0x65,
+  0x6C, 0x6C, 0x6F, 0x20, 0x31, 0x39, 0x42, 0x39, 0x32, 0x39, 0x36, 0x35, 0x20, 0x43, 0x41, 0x20,
+  0x32, 0x30, 0x31, 0x38, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02,
+  0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xBE,
+  0x4B, 0x90, 0x6E, 0x24, 0xFC, 0xA1, 0x53, 0xC8, 0xA7, 0x3C, 0x70, 0xE8, 0x97, 0xCD, 0x1B, 0x31,
+  0xE4, 0x95, 0x91, 0x7A, 0x58, 0xA2, 0x86, 0xA8, 0x70, 0xF6, 0x09, 0x30, 0x77, 0x99, 0x3D, 0x10,
+  0xDF, 0xF7, 0x95, 0x0F, 0x68, 0x83, 0xE6, 0xA4, 0x11, 0x7C, 0xDA, 0x82, 0xE7, 0x0B, 0x8B, 0xF2,
+  0x9D, 0x6B, 0x5B, 0xF5, 0x3E, 0x77, 0xB4, 0xC1, 0x0E, 0x49, 0x00, 0x83, 0xBA, 0x94, 0xF8, 0xA3,
+  0x82, 0x01, 0xD7, 0x30, 0x82, 0x01, 0xD3, 0x30, 0x10, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01,
+  0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
+  0x04, 0x16, 0x04, 0x14, 0x13, 0x93, 0xC8, 0xCD, 0xF2, 0x23, 0x9A, 0x2D, 0xC6, 0x9B, 0x2A, 0xEB,
+  0x9A, 0xAB, 0x99, 0x0B, 0x56, 0x04, 0x5E, 0x7C, 0x30, 0x65, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x04,
+  0x5E, 0x30, 0x5C, 0x30, 0x06, 0x06, 0x04, 0x55, 0x1D, 0x20, 0x00, 0x30, 0x52, 0x06, 0x0C, 0x2B,
+  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x83, 0x7D, 0x01, 0x01, 0x30, 0x42, 0x30, 0x40, 0x06,
+  0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x34, 0x68, 0x74, 0x74, 0x70, 0x3A,
+  0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E,
+  0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F, 0x44, 0x6F, 0x63, 0x73, 0x2F,
+  0x52, 0x65, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x6F, 0x72, 0x79, 0x2E, 0x68, 0x74, 0x6D, 0x00, 0x30,
+  0x19, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0C, 0x1E, 0x0A,
+  0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x1D,
+  0x0F, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01,
+  0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04,
+  0x18, 0x30, 0x16, 0x80, 0x14, 0xDA, 0xCA, 0x4B, 0xD0, 0x4C, 0x56, 0x03, 0x27, 0x5F, 0x97, 0xEB,
+  0x75, 0xA3, 0x02, 0xC3, 0xBF, 0x45, 0x9C, 0xF8, 0xB1, 0x30, 0x68, 0x06, 0x03, 0x55, 0x1D, 0x1F,
+  0x04, 0x61, 0x30, 0x5F, 0x30, 0x5D, 0xA0, 0x5B, 0xA0, 0x59, 0x86, 0x57, 0x68, 0x74, 0x74, 0x70,
+  0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74,
+  0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F, 0x63, 0x72, 0x6C, 0x2F,
+  0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x25, 0x32, 0x30, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x25,
+  0x32, 0x30, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63,
+  0x65, 0x73, 0x25, 0x32, 0x30, 0x50, 0x43, 0x41, 0x25, 0x32, 0x30, 0x32, 0x30, 0x31, 0x38, 0x2E,
+  0x63, 0x72, 0x6C, 0x30, 0x75, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04,
+  0x69, 0x30, 0x67, 0x30, 0x65, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86,
+  0x59, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72,
+  0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73,
+  0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2F, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x25, 0x32,
+  0x30, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x25, 0x32, 0x30, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x25,
+  0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x50, 0x43, 0x41, 0x25,
+  0x32, 0x30, 0x32, 0x30, 0x31, 0x38, 0x2E, 0x63, 0x72, 0x74, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86,
+  0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0x87, 0xB6,
+  0x82, 0xF3, 0xDA, 0xBE, 0xB1, 0x7B, 0x98, 0x7D, 0x3D, 0x0A, 0x90, 0xA8, 0xF5, 0xBF, 0x15, 0xC3,
+  0xEE, 0x8A, 0x4E, 0xC0, 0x7B, 0x10, 0x1D, 0xA9, 0xE3, 0x0B, 0xEC, 0x2C, 0x53, 0x4E, 0xA7, 0xBD,
+  0xF1, 0x6C, 0xAD, 0x18, 0x55, 0xBA, 0x25, 0x73, 0x55, 0xB7, 0x5B, 0x12, 0x24, 0xF4, 0x02, 0x31,
+  0x00, 0xAF, 0x02, 0x9C, 0x4B, 0x92, 0xD0, 0x72, 0xA5, 0x80, 0xCA, 0x69, 0x2B, 0x38, 0x50, 0x64,
+  0xD8, 0x58, 0x9E, 0xEA, 0xD6, 0x35, 0xCF, 0x68, 0x98, 0x92, 0x81, 0x09, 0x61, 0xC2, 0xBD, 0xB1,
+  0x4C, 0x7F, 0xAE, 0x55, 0x7B, 0xFC, 0x22, 0xDD, 0xD6, 0xB7, 0x7C, 0xB5, 0xA8, 0x18, 0x5D, 0x33,
+  0x04
+};
+guint8 ca_2[] = {
+  0x30, 0x82, 0x04, 0x56, 0x30, 0x82, 0x03, 0xDC, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x13, 0x33,
+  0x00, 0x00, 0x00, 0x03, 0x6C, 0xCF, 0xED, 0xE2, 0x44, 0x70, 0x19, 0xBF, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x03, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03, 0x30, 0x81,
+  0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13,
+  0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67,
+  0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65,
+  0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15,
+  0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72,
+  0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x3E, 0x30, 0x3C, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x35,
+  0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x45, 0x43, 0x43, 0x20, 0x44, 0x65,
+  0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
+  0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79,
+  0x20, 0x32, 0x30, 0x31, 0x37, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x38, 0x30, 0x31, 0x32, 0x35, 0x31,
+  0x39, 0x34, 0x39, 0x33, 0x38, 0x5A, 0x17, 0x0D, 0x33, 0x33, 0x30, 0x31, 0x32, 0x35, 0x31, 0x39,
+  0x35, 0x39, 0x33, 0x38, 0x5A, 0x30, 0x81, 0x84, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+  0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0A,
+  0x57, 0x61, 0x73, 0x68, 0x69, 0x6E, 0x67, 0x74, 0x6F, 0x6E, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+  0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6D, 0x6F, 0x6E, 0x64, 0x31, 0x1E, 0x30, 0x1C,
+  0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x15, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74,
+  0x20, 0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x2E, 0x30, 0x2C,
+  0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x48,
+  0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69,
+  0x63, 0x65, 0x73, 0x20, 0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x38, 0x30, 0x76, 0x30, 0x10,
+  0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22,
+  0x03, 0x62, 0x00, 0x04, 0x1D, 0xDD, 0x08, 0x02, 0x03, 0x25, 0x75, 0x20, 0xE2, 0x71, 0x8B, 0xAD,
+  0x28, 0x09, 0x82, 0xE9, 0x06, 0xEE, 0x83, 0xC5, 0x3A, 0x6C, 0x4B, 0x71, 0x92, 0x50, 0x4E, 0x20,
+  0xE9, 0x72, 0xB4, 0xFC, 0x53, 0x2A, 0xEF, 0x5D, 0xCC, 0x9A, 0xB4, 0xCD, 0x76, 0xB8, 0x94, 0x97,
+  0x44, 0xB2, 0x71, 0x0E, 0xC9, 0xB1, 0x16, 0x03, 0xA1, 0x65, 0x2B, 0xB9, 0xE8, 0x5D, 0x5F, 0xF2,
+  0x30, 0x2E, 0xDD, 0xB1, 0x2B, 0x20, 0xFC, 0xBE, 0x00, 0x88, 0xEA, 0x1F, 0xA7, 0x7F, 0x99, 0x84,
+  0x98, 0x7C, 0x71, 0x3E, 0x4D, 0x34, 0x83, 0x69, 0x9B, 0x08, 0xCB, 0x78, 0xB2, 0x4B, 0xBD, 0xD7,
+  0x3E, 0xBE, 0x67, 0xA0, 0xA3, 0x82, 0x01, 0xFC, 0x30, 0x82, 0x01, 0xF8, 0x30, 0x10, 0x06, 0x09,
+  0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1D,
+  0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xDA, 0xCA, 0x4B, 0xD0, 0x4C, 0x56, 0x03,
+  0x27, 0x5F, 0x97, 0xEB, 0x75, 0xA3, 0x02, 0xC3, 0xBF, 0x45, 0x9C, 0xF8, 0xB1, 0x30, 0x65, 0x06,
+  0x03, 0x55, 0x1D, 0x20, 0x04, 0x5E, 0x30, 0x5C, 0x30, 0x06, 0x06, 0x04, 0x55, 0x1D, 0x20, 0x00,
+  0x30, 0x52, 0x06, 0x0C, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x4C, 0x83, 0x7D, 0x01, 0x01,
+  0x30, 0x42, 0x30, 0x40, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x34,
+  0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F,
+  0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F,
+  0x44, 0x6F, 0x63, 0x73, 0x2F, 0x52, 0x65, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x6F, 0x72, 0x79, 0x2E,
+  0x68, 0x74, 0x6D, 0x00, 0x30, 0x19, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
+  0x02, 0x04, 0x0C, 0x1E, 0x0A, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30,
+  0x0B, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0F, 0x06, 0x03,
+  0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1F, 0x06,
+  0x03, 0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x14, 0xDA, 0x5B, 0xF1, 0x0E, 0x66,
+  0x47, 0xD1, 0x5D, 0x13, 0x5F, 0x5B, 0x7A, 0xEB, 0xEB, 0x5F, 0x01, 0x08, 0xB5, 0x49, 0x30, 0x7A,
+  0x06, 0x03, 0x55, 0x1D, 0x1F, 0x04, 0x73, 0x30, 0x71, 0x30, 0x6F, 0xA0, 0x6D, 0xA0, 0x6B, 0x86,
+  0x69, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72,
+  0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73,
+  0x2F, 0x63, 0x72, 0x6C, 0x2F, 0x4D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x25, 0x32,
+  0x30, 0x45, 0x43, 0x43, 0x25, 0x32, 0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32,
+  0x30, 0x52, 0x6F, 0x6F, 0x74, 0x25, 0x32, 0x30, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
+  0x61, 0x74, 0x65, 0x25, 0x32, 0x30, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x25,
+  0x32, 0x30, 0x32, 0x30, 0x31, 0x37, 0x2E, 0x63, 0x72, 0x6C, 0x30, 0x81, 0x87, 0x06, 0x08, 0x2B,
+  0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x7B, 0x30, 0x79, 0x30, 0x77, 0x06, 0x08, 0x2B,
+  0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x6B, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F,
+  0x77, 0x77, 0x77, 0x2E, 0x6D, 0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x2E, 0x63, 0x6F,
+  0x6D, 0x2F, 0x70, 0x6B, 0x69, 0x6F, 0x70, 0x73, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2F, 0x4D,
+  0x69, 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x25, 0x32, 0x30, 0x45, 0x43, 0x43, 0x25, 0x32,
+  0x30, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x25, 0x32, 0x30, 0x52, 0x6F, 0x6F, 0x74, 0x25,
+  0x32, 0x30, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x25, 0x32, 0x30,
+  0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x25, 0x32, 0x30, 0x32, 0x30, 0x31, 0x37,
+  0x2E, 0x63, 0x72, 0x74, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03,
+  0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x30, 0x56, 0x2A, 0xAD, 0x72, 0x4C, 0xB9, 0x8C, 0xB3, 0x23,
+  0x80, 0xF5, 0x5F, 0xF8, 0x21, 0x94, 0x66, 0x0F, 0x76, 0x77, 0xE2, 0x7B, 0x03, 0xDD, 0x30, 0x5E,
+  0xCB, 0x90, 0xCA, 0x78, 0xE6, 0x0B, 0x2D, 0x12, 0xE5, 0xF7, 0x67, 0x31, 0x58, 0x71, 0xE6, 0xF3,
+  0x64, 0xC1, 0x04, 0xB3, 0x8B, 0xE9, 0xE2, 0x02, 0x31, 0x00, 0xB9, 0x20, 0x61, 0xB9, 0xD0, 0x5E,
+  0x3A, 0xA4, 0xA2, 0x8A, 0xFE, 0x1D, 0xFC, 0x27, 0x61, 0x0B, 0x98, 0x16, 0x8C, 0x02, 0x9C, 0x20,
+  0x7F, 0xEE, 0xF3, 0xCB, 0x1F, 0x0A, 0x37, 0x62, 0xB1, 0x8E, 0xCE, 0xD9, 0x9A, 0x9E, 0xAC, 0xE6,
+  0x1A, 0xD4, 0xB8, 0xF1, 0xA8, 0x2B, 0xB1, 0xB4, 0x40, 0x9B
+};
+
+
+static void
+msg_written_cb (GObject      *source_object,
+                GAsyncResult *res,
+                gpointer      user_data)
+{
+  GError *error = NULL;
+  GOutputStream *stream = G_OUTPUT_STREAM (source_object);
+  FpiSsm *ssm = user_data;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (fpi_ssm_get_device (ssm));
+
+  g_clear_pointer (&self->msg_out, g_byte_array_unref);
+  g_assert (self->msg_out == NULL);
+
+  if (!g_output_stream_write_all_finish (stream, res, NULL, &error))
+    {
+      fpi_ssm_mark_failed (ssm, error);
+      return;
+    }
+
+  fpi_ssm_next_state (ssm);
+}
+
+static void
+msg_received_cb (GObject      *source_object,
+                 GAsyncResult *res,
+                 gpointer      user_data)
+{
+  GError *error = NULL;
+  GInputStream *stream = G_INPUT_STREAM (source_object);
+  FpiSsm *ssm = user_data;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (fpi_ssm_get_device (ssm));
+  gsize read;
+
+  g_assert (self->msg_out == NULL);
+
+  if (!g_input_stream_read_all_finish (stream, res, &read, &error) ||
+      read != self->msg_in->len)
+    {
+      g_clear_pointer (&self->msg_in, g_byte_array_unref);
+
+      if (!error)
+        error = fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,
+                                          "Received EOF while reading from test binary.");
+
+      fpi_ssm_mark_failed (ssm, error);
+      return;
+    }
+
+  fpi_ssm_next_state (ssm);
+}
+
+enum {
+  SEND_MESSAGE,
+  RECV_MESSAGE,
+  SEND_RECV_STATES
+};
+
+static void
+send_recv_ssm (FpiSsm *ssm, FpDevice *dev)
+{
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+
+  switch (fpi_ssm_get_cur_state (ssm))
+    {
+    case SEND_MESSAGE:
+      g_output_stream_write_all_async (self->proc_stdin,
+                                       self->msg_out->data,
+                                       self->msg_out->len,
+                                       G_PRIORITY_DEFAULT,
+                                       fpi_device_get_cancellable (FP_DEVICE (dev)),
+                                       msg_written_cb,
+                                       ssm);
+      break;
+
+    case RECV_MESSAGE:
+      g_input_stream_read_all_async (self->proc_stdout,
+                                     self->msg_in->data,
+                                     self->msg_in->len,
+                                     G_PRIORITY_DEFAULT,
+                                     fpi_device_get_cancellable (FP_DEVICE (dev)),
+                                     msg_received_cb,
+                                     ssm);
+      break;
+    }
+}
+
+static void
+connect_2_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  g_autoptr(GBytes) recv_data = NULL;
+  g_autoptr(GBytes) r_d = NULL;
+  g_autoptr(FpiSdcpClaim) claim = NULL;
+  g_autoptr(GBytes) mac = NULL;
+  g_autoptr(GBytes) ca_1_bytes = NULL, ca_2_bytes = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  guint16 cert_size;
+
+  if (error)
+    {
+      fpi_sdcp_device_connect_complete (FP_SDCP_DEVICE (dev), NULL, NULL, NULL, error);
+      g_clear_pointer (&self->connect_msg, g_byte_array_unref);
+      return;
+    }
+
+  memcpy (&cert_size, self->connect_msg->data + 32, 2);
+  g_byte_array_append (self->connect_msg, self->msg_in->data, self->msg_in->len);
+  g_clear_pointer (&self->msg_in, g_byte_array_unref);
+  /* Double check that the size is correct. */
+  g_assert (self->connect_msg->len == 32 + (2 + cert_size + 65 + 65 + 32 + 64 + 64) + 32);
+  recv_data = g_byte_array_free_to_bytes (g_steal_pointer (&self->connect_msg));
+
+  claim = fpi_sdcp_claim_new ();
+  r_d = g_bytes_new_from_bytes (recv_data, 0, 32);
+  claim->cert_m = g_bytes_new_from_bytes (recv_data, 34, cert_size);
+  claim->pk_d = g_bytes_new_from_bytes (recv_data, 34 + cert_size, 65);
+  claim->pk_f = g_bytes_new_from_bytes (recv_data, 34 + cert_size + 65, 65);
+  claim->h_f = g_bytes_new_from_bytes (recv_data, 34 + cert_size + 65 + 65, 32);
+  claim->s_m = g_bytes_new_from_bytes (recv_data, 34 + cert_size + 65 + 65 + 32, 64);
+  claim->s_d = g_bytes_new_from_bytes (recv_data, 34 + cert_size + 65 + 65 + 32 + 64, 64);
+  mac = g_bytes_new_from_bytes (recv_data, 34 + cert_size + 65 + 65 + 32 + 64 + 64, 32);
+
+  ca_1_bytes = g_bytes_new_static (ca_1, G_N_ELEMENTS (ca_1));
+  ca_2_bytes = g_bytes_new_static (ca_2, G_N_ELEMENTS (ca_2));
+
+  fpi_sdcp_device_set_intermediat_cas (FP_SDCP_DEVICE (dev),
+                                       ca_1_bytes,
+                                       ca_2_bytes);
+
+  fpi_sdcp_device_connect_complete (FP_SDCP_DEVICE (dev), r_d, claim, mac, NULL);
+}
+
+static void
+connect_1_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  guint16 cert_size;
+
+  if (error)
+    {
+      fpi_sdcp_device_connect_complete (FP_SDCP_DEVICE (dev), NULL, NULL, NULL, error);
+      return;
+    }
+
+  g_clear_pointer (&self->connect_msg, g_byte_array_unref);
+  self->connect_msg = g_steal_pointer (&self->msg_in);
+
+  memcpy (&cert_size, self->connect_msg->data + 32, 2);
+
+  /* Nothing to send and the rest to receive. */
+  self->msg_out = g_byte_array_new ();
+  self->msg_in = g_byte_array_new ();
+  g_byte_array_set_size (self->msg_in, 32 + (2 + cert_size + 65 + 65 + 32 + 64 + 64) + 32 - self->connect_msg->len);
+
+  /* New SSM */
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "connect 2");
+  fpi_ssm_start (ssm, connect_2_cb);
+}
+
+static void
+connect (FpSdcpDevice *dev)
+{
+  g_autoptr(GBytes) r_h = NULL;
+  g_autoptr(GBytes) pk_h = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  FpiSsm *ssm;
+
+  G_DEBUG_HERE ();
+
+  g_assert (self->proc);
+  g_assert (self->connect_msg == NULL);
+
+  fpi_sdcp_device_get_connect_data (dev, &r_h, &pk_h);
+
+  self->msg_out = g_byte_array_new ();
+  g_byte_array_append (self->msg_out, (const guint8 *) "C", 1);
+  g_byte_array_append (self->msg_out,
+                       g_bytes_get_data (r_h, NULL),
+                       g_bytes_get_size (r_h));
+  g_byte_array_append (self->msg_out,
+                       g_bytes_get_data (pk_h, NULL),
+                       g_bytes_get_size (pk_h));
+
+  self->msg_in = g_byte_array_new ();
+  g_byte_array_set_size (self->msg_in, 34);
+
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "connect");
+  fpi_ssm_start (ssm, connect_1_cb);
+}
+
+static void
+reconnect_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  g_autoptr(GBytes) mac = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+
+  if (error)
+    {
+      fpi_sdcp_device_reconnect_complete (FP_SDCP_DEVICE (dev), mac, error);
+      return;
+    }
+
+  mac = g_byte_array_free_to_bytes (g_steal_pointer (&self->msg_in));
+
+  fpi_sdcp_device_reconnect_complete (FP_SDCP_DEVICE (dev), mac, NULL);
+}
+
+static void
+reconnect (FpSdcpDevice *dev)
+{
+  g_autoptr(GBytes) r_h = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  FpiSsm *ssm;
+
+  G_DEBUG_HERE ();
+
+  g_assert (self->proc);
+
+  fpi_sdcp_device_get_reconnect_data (dev, &r_h);
+
+  self->msg_out = g_byte_array_new ();
+  g_byte_array_append (self->msg_out, (const guint8 *) "R", 1);
+  g_byte_array_append (self->msg_out,
+                       g_bytes_get_data (r_h, NULL),
+                       g_bytes_get_size (r_h));
+
+  self->msg_in = g_byte_array_new ();
+  g_byte_array_set_size (self->msg_in, 32);
+
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "connect 2");
+  fpi_ssm_start (ssm, reconnect_cb);
+}
+
+static void
+enroll_begin_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  g_autoptr(GBytes) nonce = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+
+  if (error)
+    {
+      fpi_sdcp_device_enroll_ready (FP_SDCP_DEVICE (dev), error);
+      return;
+    }
+
+  nonce = g_byte_array_free_to_bytes (g_steal_pointer (&self->msg_in));
+
+  fpi_sdcp_device_enroll_set_nonce (FP_SDCP_DEVICE (dev), nonce);
+
+  /* Claim that we completed one enroll step. */
+  fpi_device_enroll_progress (dev, 1, NULL, NULL);
+
+  /* And signal that we are ready to commit. */
+  fpi_sdcp_device_enroll_ready (FP_SDCP_DEVICE (dev), NULL);
+}
+
+static void
+enroll_begin (FpSdcpDevice *dev)
+{
+  g_autoptr(GBytes) r_h = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  FpiSsm *ssm;
+
+  G_DEBUG_HERE ();
+
+  g_assert (self->proc);
+
+  fpi_sdcp_device_get_reconnect_data (dev, &r_h);
+
+  self->msg_out = g_byte_array_new ();
+  g_byte_array_append (self->msg_out, (const guint8 *) "E", 1);
+
+  /* Expect 32 byte nonce */
+  self->msg_in = g_byte_array_new ();
+  g_byte_array_set_size (self->msg_in, 32);
+
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "enroll_begin");
+  fpi_ssm_start (ssm, enroll_begin_cb);
+}
+
+static void
+enroll_commit_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+
+  g_clear_pointer (&self->msg_in, g_byte_array_unref);
+
+  if (error)
+    {
+      fpi_sdcp_device_enroll_ready (FP_SDCP_DEVICE (dev), error);
+      return;
+    }
+
+  /* Signal that we have committed. We don't expect a response
+   * from the virtual device (even though that is kind of broken).
+   */
+  fpi_sdcp_device_enroll_commit_complete (FP_SDCP_DEVICE (dev), NULL);
+}
+
+static void
+enroll_commit (FpSdcpDevice *dev, GBytes *id_in)
+{
+  g_autoptr(GBytes) r_h = NULL;
+  g_autoptr(GBytes) id = id_in;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  FpiSsm *ssm;
+
+  G_DEBUG_HERE ();
+
+  g_assert (self->proc);
+
+  fpi_sdcp_device_get_reconnect_data (dev, &r_h);
+
+  self->msg_out = g_byte_array_new ();
+  self->msg_in = g_byte_array_new ();
+  if (id)
+    {
+      g_byte_array_append (self->msg_out, (const guint8 *) "F", 1);
+      g_byte_array_append (self->msg_out,
+                           g_bytes_get_data (id, NULL),
+                           g_bytes_get_size (id));
+
+      /* NOTE: No response from device, assume commit works. */
+    }
+  else
+    {
+      /* Cancel enroll (does not receive a reply) */
+      g_byte_array_append (self->msg_out, (const guint8 *) "G", 1);
+
+      /* NOTE: No response from device, assume cancellation works. */
+    }
+
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "enroll_commit");
+  fpi_ssm_start (ssm, enroll_commit_cb);
+}
+
+static void
+identify_cb (FpiSsm *ssm, FpDevice *dev, GError *error)
+{
+  g_autoptr(GBytes) reply = NULL;
+  g_autoptr(GBytes) id = NULL;
+  g_autoptr(GBytes) mac = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+
+  if (error)
+    {
+      fpi_sdcp_device_identify_complete (FP_SDCP_DEVICE (dev), NULL, NULL, error);
+      return;
+    }
+
+  reply = g_byte_array_free_to_bytes (g_steal_pointer (&self->msg_in));
+  id = g_bytes_new_from_bytes (reply, 0, 32);
+  mac = g_bytes_new_from_bytes (reply, 32, 32);
+
+  fpi_sdcp_device_identify_complete (FP_SDCP_DEVICE (self), id, mac, NULL);
+}
+
+static void
+identify (FpSdcpDevice *dev)
+{
+  g_autoptr(GBytes) nonce = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  FpiSsm *ssm;
+
+  G_DEBUG_HERE ();
+
+  g_assert (self->proc);
+
+  fpi_sdcp_device_get_identify_data (dev, &nonce);
+
+  self->msg_out = g_byte_array_new ();
+  g_byte_array_append (self->msg_out, (const guint8 *) "I", 1);
+  g_byte_array_append (self->msg_out, g_bytes_get_data (nonce, NULL), g_bytes_get_size (nonce));
+
+  /* Expect 64 byte nonce */
+  self->msg_in = g_byte_array_new ();
+  g_byte_array_set_size (self->msg_in, 64);
+
+  ssm = fpi_ssm_new_full (FP_DEVICE (dev), send_recv_ssm, SEND_RECV_STATES, SEND_RECV_STATES, "identify");
+  fpi_ssm_start (ssm, identify_cb);
+}
+
+static void
+probe (FpDevice *dev)
+{
+  g_auto(GStrv) argv = NULL;
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (dev);
+  GError *error = NULL;
+  const char *env;
+
+  /* We launch the test binary alread at probe time and quit only when
+   * the object is finalized. This allows testing reconnect properly.
+   *
+   * Also, we'll fail probe if something goes wrong executing it.
+   */
+  env = fpi_device_get_virtual_env (FP_DEVICE (self));
+
+  if (!g_shell_parse_argv (env, NULL, &argv, &error))
+    goto out;
+
+  self->proc = g_subprocess_newv ((const char * const *) argv,
+                                  G_SUBPROCESS_FLAGS_STDIN_PIPE | G_SUBPROCESS_FLAGS_STDOUT_PIPE,
+                                  &error);
+  if (!self->proc)
+    goto out;
+
+  self->proc_stdin = g_object_ref (g_subprocess_get_stdin_pipe (self->proc));
+  self->proc_stdout = g_object_ref (g_subprocess_get_stdout_pipe (self->proc));
+
+
+out:
+  fpi_device_probe_complete (dev, "virtual-sdcp", NULL, error);
+}
+
+static void
+dev_close (FpDevice *dev)
+{
+  /* No-op, needs to be defined. */
+  fpi_device_close_complete (dev, NULL);
+}
+
+static void
+fpi_device_virtual_sdcp_init (FpDeviceVirtualSdcp *self)
+{
+}
+
+static void
+fpi_device_virtual_sdcp_finalize (GObject *obj)
+{
+  FpDeviceVirtualSdcp *self = FPI_DEVICE_VIRTUAL_SDCP (obj);
+
+  /* Just kill the subprocess, no need to be graceful here. */
+  if (self->proc)
+    g_subprocess_force_exit (self->proc);
+
+  g_clear_object (&self->proc);
+  g_clear_object (&self->proc_stdin);
+  g_clear_object (&self->proc_stdout);
+
+  G_OBJECT_CLASS (fpi_device_virtual_sdcp_parent_class)->finalize (obj);
+}
+
+static const FpIdEntry driver_ids[] = {
+  { .virtual_envvar = "FP_VIRTUAL_SDCP" },
+  { .virtual_envvar = NULL }
+};
+
+static void
+fpi_device_virtual_sdcp_class_init (FpDeviceVirtualSdcpClass *klass)
+{
+  GObjectClass *obj_class = G_OBJECT_CLASS (klass);
+  FpDeviceClass *dev_class = FP_DEVICE_CLASS (klass);
+  FpSdcpDeviceClass *sdcp_class = FP_SDCP_DEVICE_CLASS (klass);
+
+  obj_class->finalize = fpi_device_virtual_sdcp_finalize;
+
+  dev_class->id = FP_COMPONENT;
+  dev_class->full_name = "Virtual SDCP device talking to MS test code";
+  dev_class->type = FP_DEVICE_TYPE_VIRTUAL;
+  dev_class->id_table = driver_ids;
+  dev_class->nr_enroll_stages = 1;
+
+  /* The SDCP base class may need to override this in the long run */
+  dev_class->probe = probe;
+  dev_class->close = dev_close;
+
+  sdcp_class->connect = connect;
+  sdcp_class->reconnect = reconnect;
+
+  sdcp_class->enroll_begin = enroll_begin;
+  sdcp_class->enroll_commit = enroll_commit;
+
+  sdcp_class->identify = identify;
+}

libfprint/fp-device.h

@@ -140,6 +140,7 @@ typedef enum {
  * @FP_DEVICE_ERROR_DATA_DUPLICATE: Enrolling template duplicates storaged templates
  * @FP_DEVICE_ERROR_REMOVED: The device has been removed.
  * @FP_DEVICE_ERROR_TOO_HOT: The device might be getting too hot
+ * @FP_DEVICE_ERROR_UNTRUSTED: Device cannot be trusted
  *
  * Error codes for device operations. More specific errors from other domains
  * such as #G_IO_ERROR or #G_USB_DEVICE_ERROR may also be reported.
@@ -158,6 +159,7 @@ typedef enum {
   /* Leave some room to add more DATA related errors */
   FP_DEVICE_ERROR_REMOVED = 0x100,
   FP_DEVICE_ERROR_TOO_HOT,
+  FP_DEVICE_ERROR_UNTRUSTED,
 } FpDeviceError;
 
 GQuark fp_device_retry_quark (void);

libfprint/fp-print.c

@@ -605,7 +605,7 @@ fp_print_equal (FpPrint *self, FpPrint *other)
   if (g_strcmp0 (self->device_id, other->device_id))
     return FALSE;
 
-  if (self->type == FPI_PRINT_RAW)
+  if (self->type == FPI_PRINT_RAW || self->type == FPI_PRINT_SDCP)
     {
       return g_variant_equal (self->data, other->data);
     }
@@ -870,7 +870,7 @@ fp_print_deserialize (const guchar *data,
           g_ptr_array_add (result->prints, g_steal_pointer (&xyt));
         }
     }
-  else if (type == FPI_PRINT_RAW)
+  else if (type == FPI_PRINT_RAW || type == FPI_PRINT_SDCP)
     {
       g_autoptr(GVariant) fp_data = g_variant_get_child_value (print_data, 0);
 

libfprint/fp-sdcp-device-private.h

@@ -0,0 +1,58 @@
+/*
+ * FpSdcpDevice - A base class for SDCP enabled devices
+ * Copyright (C) 2020 Benjamin Berg <bberg@redhat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#pragma once
+
+#include "fpi-sdcp-device.h"
+
+#include <nss.h>
+#include <keyhi.h>
+#include <keythi.h>
+#include <pk11pub.h>
+
+typedef struct
+{
+  GError *enroll_pre_commit_error;
+
+  /* XXX: Do we want a separate SDCP session object?
+   */
+
+  GPtrArray *intermediate_cas;
+
+  /* Host random for the connection */
+  guint8            host_random[32];
+
+  NSSInitContext   *nss_init_context;
+  PK11SlotInfo     *slot;
+  SECKEYPrivateKey *host_key_private;
+  SECKEYPublicKey  *host_key_public;
+
+  /* Master secret is required for reconnects.
+   * TODO: We probably want to serialize this to disk so it can survive
+   *       fprintd idle shutdown. */
+  PK11SymKey *master_secret;
+  PK11SymKey *mac_secret;
+
+} FpSdcpDevicePrivate;
+
+void fpi_sdcp_device_connect (FpSdcpDevice *self);
+void fpi_sdcp_device_reconnect (FpSdcpDevice *self);
+
+void fpi_sdcp_device_enroll (FpSdcpDevice *self);
+void fpi_sdcp_device_identify (FpSdcpDevice *self);

libfprint/fp-sdcp-device.c

@@ -0,0 +1,141 @@
+/*
+ * FpSdcpDevice - A base class for SDCP enabled devices
+ * Copyright (C) 2020 Benjamin Berg <bberg@redhat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#define FP_COMPONENT "sdcp_device"
+#include "fpi-log.h"
+
+#include "fp-sdcp-device-private.h"
+
+/**
+ * SECTION: fp-sdcp-device
+ * @title: FpSdcpDevice
+ * @short_description: SDCP device subclass
+ *
+ * This is a base class for devices implementing the SDCP security protocol.
+ */
+
+G_DEFINE_ABSTRACT_TYPE_WITH_PRIVATE (FpSdcpDevice, fp_sdcp_device, FP_TYPE_DEVICE)
+
+#if 0
+/* XXX: We'll very likely want/need some properties on this class. */
+enum {
+  PROP_0,
+  N_PROPS
+};
+
+static GParamSpec *properties[N_PROPS];
+#endif
+
+/*******************************************************/
+
+/* Callbacks/vfuncs */
+static void
+fp_sdcp_device_open (FpDevice *device)
+{
+  FpSdcpDevice *self = FP_SDCP_DEVICE (device);
+  FpSdcpDevicePrivate *priv = fp_sdcp_device_get_instance_private (self);
+
+  /* Try a reconnect if we still have the mac secret. */
+  if (priv->mac_secret)
+    fpi_sdcp_device_reconnect (self);
+  else
+    fpi_sdcp_device_connect (self);
+}
+
+static void
+fp_sdcp_device_enroll (FpDevice *device)
+{
+  FpSdcpDevice *self = FP_SDCP_DEVICE (device);
+
+  fpi_sdcp_device_enroll (self);
+}
+
+static void
+fp_sdcp_device_identify (FpDevice *device)
+{
+  FpSdcpDevice *self = FP_SDCP_DEVICE (device);
+
+  fpi_sdcp_device_identify (self);
+}
+
+/*********************************************************/
+
+static void
+fp_sdcp_device_finalize (GObject *object)
+{
+  FpSdcpDevice *self = (FpSdcpDevice *) object;
+  FpSdcpDevicePrivate *priv = fp_sdcp_device_get_instance_private (self);
+
+  g_clear_pointer (&priv->intermediate_cas, g_ptr_array_unref);
+  g_clear_pointer (&priv->slot, PK11_FreeSlot);
+  g_clear_pointer (&priv->host_key_private, SECKEY_DestroyPrivateKey);
+  g_clear_pointer (&priv->host_key_public, SECKEY_DestroyPublicKey);
+  g_clear_pointer (&priv->master_secret, PK11_FreeSymKey);
+  g_clear_pointer (&priv->mac_secret, PK11_FreeSymKey);
+  g_clear_pointer (&priv->nss_init_context, NSS_ShutdownContext);
+
+  G_OBJECT_CLASS (fp_sdcp_device_parent_class)->finalize (object);
+}
+
+static void
+fp_sdcp_device_get_property (GObject    *object,
+                             guint       prop_id,
+                             GValue     *value,
+                             GParamSpec *pspec)
+{
+  switch (prop_id)
+    {
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+    }
+}
+
+static void
+fp_sdcp_device_constructed (GObject *obj)
+{
+  G_OBJECT_CLASS (fp_sdcp_device_parent_class)->constructed (obj);
+}
+
+static void
+fp_sdcp_device_class_init (FpSdcpDeviceClass *klass)
+{
+  GObjectClass *object_class = G_OBJECT_CLASS (klass);
+  FpDeviceClass *fp_device_class = FP_DEVICE_CLASS (klass);
+
+  object_class->finalize = fp_sdcp_device_finalize;
+  object_class->get_property = fp_sdcp_device_get_property;
+  object_class->constructed = fp_sdcp_device_constructed;
+
+  fp_device_class->open = fp_sdcp_device_open;
+  fp_device_class->enroll = fp_sdcp_device_enroll;
+  fp_device_class->verify = fp_sdcp_device_identify;
+  fp_device_class->identify = fp_sdcp_device_identify;
+
+#if 0
+  g_object_class_install_properties (object_class, N_PROPS, properties);
+#endif
+}
+
+static void
+fp_sdcp_device_init (FpSdcpDevice *self)
+{
+  FpSdcpDevicePrivate *priv = fp_sdcp_device_get_instance_private (self);
+
+  priv->intermediate_cas = g_ptr_array_new_with_free_func ((GDestroyNotify) g_bytes_unref);
+}

libfprint/fp-sdcp-device.h

@@ -0,0 +1,29 @@
+/*
+ * FpSdcpDevice - A base class for SDCP enabled devices
+ * Copyright (C) 2020 Benjamin Berg <bberg@redhat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#pragma once
+
+#include <fp-device.h>
+
+G_BEGIN_DECLS
+
+#define FP_TYPE_SDCP_DEVICE (fp_sdcp_device_get_type ())
+G_DECLARE_DERIVABLE_TYPE (FpSdcpDevice, fp_sdcp_device, FP, SDCP_DEVICE, FpDevice)
+
+G_END_DECLS

libfprint/fpi-device.c

@@ -185,6 +185,9 @@ fpi_device_error_new (FpDeviceError error)
 
     case FP_DEVICE_ERROR_TOO_HOT:
       msg = "Device disabled to prevent overheating.";
+
+    case FP_DEVICE_ERROR_UNTRUSTED:
+      msg = "Could not verify integrity of the device, it cannot be trusted!";
       break;
 
     default:

libfprint/fpi-print.h

@@ -11,11 +11,13 @@ G_BEGIN_DECLS
  * @FPI_PRINT_UNDEFINED: Undefined type, this happens prior to enrollment
  * @FPI_PRINT_RAW: A raw print where the data is directly compared
  * @FPI_PRINT_NBIS: NBIS minutiae comparison
+ * @FPI_PRINT_SDCP: Print from an SDCP conforming device
  */
 typedef enum {
   FPI_PRINT_UNDEFINED = 0,
   FPI_PRINT_RAW,
   FPI_PRINT_NBIS,
+  FPI_PRINT_SDCP,
 } FpiPrintType;
 
 /**

libfprint/fpi-sdcp-device.h

@@ -0,0 +1,142 @@
+/*
+ * FpSdcpDevice - A base class for SDCP enabled devices
+ * Copyright (C) 2020 Benjamin Berg <bberg@redhat.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#pragma once
+
+#include <glib-2.0/glib.h>
+#include "fpi-device.h"
+#include "fp-sdcp-device.h"
+
+/**
+ * FpiSdcpClaim:
+ * @cert_m: The per-model ECDSA certificate (x509 ASN.1 DER encoded)
+ * @pk_d: The device public key (65 bytes)
+ * @pk_f: The firmware public key (65 bytes)
+ * @h_f: The firmware hash
+ * @s_m: Signature over @pk_d using the per-model private key (64 bytes)
+ * @s_d: Signature over h_f and pk_f using the device private key (64 bytes)
+ *
+ * Structure to hold the claim as produced by the device during a secure
+ * connect. See the SDCP specification for more details.
+ *
+ * Note all of these may simply be memory views into a larger #GBytes created
+ * using g_bytes_new_from_bytes().
+ */
+struct _FpiSdcpClaim
+{
+  /*< public >*/
+  GBytes *cert_m;
+  GBytes *pk_d;
+  GBytes *pk_f;
+  GBytes *h_f;
+  GBytes *s_m;
+  GBytes *s_d;
+};
+typedef struct _FpiSdcpClaim FpiSdcpClaim;
+
+GType          fpi_sdcp_claim_get_type (void) G_GNUC_CONST;
+FpiSdcpClaim  *fpi_sdcp_claim_new (void);
+FpiSdcpClaim  *fpi_sdcp_claim_copy (FpiSdcpClaim *other);
+void           fpi_sdcp_claim_free (FpiSdcpClaim *claim);
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (FpiSdcpClaim, fpi_sdcp_claim_free)
+
+
+/**
+ * FpSdcpDeviceClass:
+ * @connect: Establish SDCP connection. Similar to open in #FpDeviceClass
+ *   but called connect to mirror the SDCP specification.
+ * @reconnect: Perform a faster reconnect. Drivers do not need to provide this
+ *   function. If reconnect fails, then a normal connect will be tried.
+ * @enroll_begin: Start the enrollment procedure. In the absence of an error,
+ *   the driver must call fpi_sdcp_device_enroll_set_nonce() at any point. It
+ *   also must report enrollment progress using fpi_device_enroll_progress().
+ *   It should also store available metadata about the print in device memory.
+ *   The operation is completed with fpi_sdcp_device_enroll_ready().
+ * @enroll_commit: Complete the enrollment procedure. This commits the newly
+ *   enrolled print to the device memory. Will only be called if enroll_begin
+ *   succeeded. The passed id may be %NULL, in that case the driver must
+ *   abort the enrollment process. id is owned by the base class and remains
+ *   valid throughout the operation.
+ * @identify: Start identification process. On completion, the driver must call
+ *   fpi_sdcp_device_identify_complete(). To request the user to retry the
+ *   fpi_sdcp_device_identify_retry() function is used.
+ *
+ *
+ * These are the main entry points for drivers implementing SDCP.
+ *
+ * Drivers *must* eventually call the corresponding function to finish the
+ * operation.
+ *
+ * XXX: Is the use of fpi_device_action_error() acceptable?
+ *
+ * Drivers *must* also handle cancellation properly for any long running
+ * operation (i.e. any operation that requires capturing). It is entirely fine
+ * to ignore cancellation requests for short operations (e.g. open/close).
+ *
+ * This API is solely intended for drivers. It is purely internal and neither
+ * API nor ABI stable.
+ */
+struct _FpSdcpDeviceClass
+{
+  FpDeviceClass parent_class;
+
+  void          (*connect)       (FpSdcpDevice *dev);
+  void          (*reconnect)     (FpSdcpDevice *dev);
+  void          (*close)         (FpSdcpDevice *dev);
+  void          (*enroll_begin)  (FpSdcpDevice *dev);
+  void          (*enroll_commit) (FpSdcpDevice *dev,
+                                  GBytes       *id);
+  void          (*identify)      (FpSdcpDevice *dev);
+};
+
+void fpi_sdcp_device_set_intermediat_cas (FpSdcpDevice *self,
+                                          GBytes       *ca_1,
+                                          GBytes       *ca_2);
+
+void fpi_sdcp_device_get_connect_data (FpSdcpDevice *self,
+                                       GBytes      **r_h,
+                                       GBytes      **pk_h);
+void fpi_sdcp_device_connect_complete (FpSdcpDevice *self,
+                                       GBytes       *r_d,
+                                       FpiSdcpClaim *claim,
+                                       GBytes       *mac,
+                                       GError       *error);
+
+void fpi_sdcp_device_get_reconnect_data (FpSdcpDevice *self,
+                                         GBytes      **r_h);
+void fpi_sdcp_device_reconnect_complete (FpSdcpDevice *self,
+                                         GBytes       *mac,
+                                         GError       *error);
+
+void fpi_sdcp_device_enroll_set_nonce (FpSdcpDevice *self,
+                                       GBytes       *nonce);
+void fpi_sdcp_device_enroll_ready (FpSdcpDevice *self,
+                                   GError       *error);
+void fpi_sdcp_device_enroll_commit_complete (FpSdcpDevice *self,
+                                             GError       *error);
+
+void fpi_sdcp_device_get_identify_data (FpSdcpDevice *self,
+                                        GBytes      **nonce);
+void fpi_sdcp_device_identify_retry (FpSdcpDevice *self,
+                                     GError       *error);
+void fpi_sdcp_device_identify_complete (FpSdcpDevice *self,
+                                        GBytes       *id,
+                                        GBytes       *mac,
+                                        GError       *error);

libfprint/fprint-list-udev-hwdb.c

@@ -42,15 +42,19 @@ static const FpIdEntry whitelist_id_table[] = {
   { .vid = 0x06cb, .pid = 0x009a },
   { .vid = 0x06cb, .pid = 0x009b },
   { .vid = 0x06cb, .pid = 0x00a2 },
+  { .vid = 0x06cb, .pid = 0x00a8 },
   { .vid = 0x06cb, .pid = 0x00b7 },
   { .vid = 0x06cb, .pid = 0x00bb },
   { .vid = 0x06cb, .pid = 0x00be },
   { .vid = 0x06cb, .pid = 0x00c4 },
   { .vid = 0x06cb, .pid = 0x00cb },
+  { .vid = 0x06cb, .pid = 0x00c9 },
   { .vid = 0x06cb, .pid = 0x00d8 },
   { .vid = 0x06cb, .pid = 0x00da },
+  { .vid = 0x06cb, .pid = 0x00dc },
   { .vid = 0x06cb, .pid = 0x00e7 },
   { .vid = 0x06cb, .pid = 0x00e9 },
+  { .vid = 0x06cb, .pid = 0x00fd },
   { .vid = 0x0a5c, .pid = 0x5801 },
   { .vid = 0x0a5c, .pid = 0x5805 },
   { .vid = 0x0a5c, .pid = 0x5834 },
@@ -62,6 +66,7 @@ static const FpIdEntry whitelist_id_table[] = {
   { .vid = 0x0a5c, .pid = 0x5845 },
   { .vid = 0x0bda, .pid = 0x5812 },
   { .vid = 0x10a5, .pid = 0x0007 },
+  { .vid = 0x10a5, .pid = 0x9200 },
   { .vid = 0x1188, .pid = 0x9545 },
   { .vid = 0x138a, .pid = 0x0007 },
   { .vid = 0x138a, .pid = 0x003a },
@@ -79,6 +84,7 @@ static const FpIdEntry whitelist_id_table[] = {
   { .vid = 0x16d1, .pid = 0x1027 },
   { .vid = 0x1c7a, .pid = 0x0300 },
   { .vid = 0x1c7a, .pid = 0x0575 },
+  { .vid = 0x1c7a, .pid = 0x0576 },
   { .vid = 0x27c6, .pid = 0x5042 },
   { .vid = 0x27c6, .pid = 0x5110 },
   { .vid = 0x27c6, .pid = 0x5117 },
@@ -98,7 +104,9 @@ static const FpIdEntry whitelist_id_table[] = {
   { .vid = 0x27c6, .pid = 0x55a4 },
   { .vid = 0x27c6, .pid = 0x55b4 },
   { .vid = 0x27c6, .pid = 0x5740 },
+  { .vid = 0x27c6, .pid = 0x5e0a },
   { .vid = 0x2808, .pid = 0x9338 },
+  { .vid = 0x298d, .pid = 0x2020 },
   { .vid = 0x298d, .pid = 0x2033 },
   { .vid = 0x3538, .pid = 0x0930 },
   { .vid = 0 },

libfprint/meson.build

@@ -135,6 +135,8 @@ driver_sources = {
         [ 'drivers/virtual-device.c' ],
     'virtual_device_storage' :
         [ 'drivers/virtual-device-storage.c' ],
+    'virtual_sdcp' :
+        [ 'drivers/virtual-sdcp.c' ],
     'synaptics' :
         [ 'drivers/synaptics/synaptics.c', 'drivers/synaptics/bmkt_message.c' ],
     'goodixmoc' :
@@ -142,6 +144,8 @@ driver_sources = {
 }
 
 helper_sources = {
+    'sdcp' :
+        [ 'fp-sdcp-device.c', 'fpi-sdcp-device.c' ],
     'aeslib' :
         [ 'drivers/aeslib.c' ],
     'aesx660' :

meson.build

@@ -1,5 +1,5 @@
 project('libfprint', [ 'c', 'cpp' ],
-    version: '1.94.2',
+    version: '1.94.3',
     license: 'LGPLv2.1+',
     default_options: [
         'buildtype=debugoptimized',
@@ -96,8 +96,8 @@ virtual_drivers = [
     'virtual_image',
     'virtual_device',
     'virtual_device_storage',
+    'virtual_sdcp',
 ]
-
 default_drivers = [
     'upektc_img',
     'vfs5011',
@@ -159,6 +159,7 @@ driver_helper_mapping = {
     'virtual_image'          : [ 'virtual' ],
     'virtual_device'         : [ 'virtual' ],
     'virtual_device_storage' : [ 'virtual' ],
+    'virtual_sdcp'           : [ 'sdcp' ],
 }
 
 driver_helpers = []
@@ -217,6 +218,13 @@ foreach i : driver_helpers
             error('nss is required for @0@ and possibly others'.format(driver))
         endif
 
+        optional_deps += nss_dep
+    elif i == 'sdcp'
+        nss_dep = dependency('nss', version: '>=3.55', required: false)
+        if not nss_dep.found()
+            error('nss >=3.55 is required for SDCP support (@0@ and possibly others)'.format(driver))
+        endif
+
         optional_deps += nss_dep
     elif i == 'udev'
         install_udev_rules = true

meson_options.txt

@@ -30,3 +30,8 @@ option('doc',
        description: 'Whether to build the API documentation',
        type: 'boolean',
        value: true)
+
+option('sdcp_virt_binary',
+       description: 'Path to virtual SDCP test binary, please refer to CI for more details.',
+       type: 'string',
+       value: '')

tests/goodixmoc/custom.py

@@ -21,7 +21,7 @@ assert d.has_feature(FPrint.DeviceFeature.DUPLICATES_CHECK)
 assert d.has_feature(FPrint.DeviceFeature.STORAGE)
 assert d.has_feature(FPrint.DeviceFeature.STORAGE_LIST)
 assert d.has_feature(FPrint.DeviceFeature.STORAGE_DELETE)
-assert not d.has_feature(FPrint.DeviceFeature.STORAGE_CLEAR)
+assert d.has_feature(FPrint.DeviceFeature.STORAGE_CLEAR)
 
 d.open_sync()
 

tests/meson.build

@@ -12,6 +12,9 @@ envs.prepend('LD_LIBRARY_PATH', join_paths(meson.build_root(), 'libfprint'))
 # random numbers rather than proper ones)
 envs.set('FP_DEVICE_EMULATION', '1')
 
+# Path to SDCP virtual device binary, only used for virtual-sdcp test
+envs.set('SDCP_VIRT_BINARY', get_option('sdcp_virt_binary'))
+
 # Set a colon-separated list of native drivers we enable in tests
 envs.set('FP_DRIVERS_WHITELIST', ':'.join([
     'virtual_image',
@@ -88,6 +91,7 @@ if get_option('introspection')
                     suite: ut_suite,
                     depends: libfprint_typelib,
                     env: envs,
+                    workdir: meson.current_source_dir(),
                 )
             endforeach
         else
@@ -98,6 +102,46 @@ if get_option('introspection')
         endif
     endforeach
 
+    if 'virtual_sdcp' in drivers and get_option('sdcp_virt_binary') != ''
+        python3 = find_program('python3')
+        unittest_inspector = find_program('unittest_inspector.py')
+        base_args = files('virtual-sdcp.py')
+        suite = []
+
+        r = run_command(unittest_inspector, files('virtual-sdcp.py'))
+        unit_tests = r.stdout().strip().split('\n')
+
+        if r.returncode() == 0 and unit_tests.length() > 0
+            suite += 'virtual-sdcp'
+        else
+            unit_tests = ['virtual-sdcp']
+        endif
+
+        sdcp_envs = envs
+        sdcp_envs.set('FP_DEVICE_EMULATION', '0')
+        foreach ut: unit_tests
+            ut_suite = suite
+            ut_args = base_args
+            if unit_tests.length() > 1
+                ut_args += ut
+                ut_suite += ut.split('.')[0]
+            endif
+            test(ut,
+                python3,
+                args: ut_args,
+                suite: ut_suite,
+                depends: libfprint_typelib,
+                env: sdcp_envs,
+                workdir: meson.current_source_dir(),
+            )
+        endforeach
+    else
+        test('virtual-sdcp',
+            find_program('sh'),
+            args: ['-c', 'exit 77']
+        )
+    endif
+
     foreach driver_test: drivers_tests
         driver_name = driver_test.split('-')[0]
         driver_envs = envs
@@ -109,6 +153,7 @@ if get_option('introspection')
                 find_program('umockdev-test.py'),
                 args: join_paths(meson.current_source_dir(), driver_test),
                 env: driver_envs,
+                workdir: meson.current_source_dir(),
                 suite: ['drivers'],
                 timeout: 15,
                 depends: libfprint_typelib,

tests/virtual-sdcp.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+
+import sys
+try:
+    import gi
+    import os
+
+    from gi.repository import GLib, Gio
+
+    import unittest
+    import subprocess
+    import shutil
+    import tempfile
+except Exception as e:
+    print("Missing dependencies: %s" % str(e))
+    sys.exit(77)
+
+FPrint = None
+
+# Re-run the test with the passed wrapper if set
+wrapper = os.getenv('LIBFPRINT_TEST_WRAPPER')
+if wrapper:
+    wrap_cmd = wrapper.split(' ') + [sys.executable, os.path.abspath(__file__)] + \
+        sys.argv[1:]
+    os.unsetenv('LIBFPRINT_TEST_WRAPPER')
+    sys.exit(subprocess.check_call(wrap_cmd))
+
+# Only permit loading virtual_sdcp driver for tests in this file
+os.environ['FP_DRIVERS_WHITELIST'] = 'virtual_sdcp'
+
+if hasattr(os.environ, 'MESON_SOURCE_ROOT'):
+    root = os.environ['MESON_SOURCE_ROOT']
+else:
+    root = os.path.join(os.path.dirname(__file__), '..')
+
+ctx = GLib.main_context_default()
+
+class VirtualSDCP(unittest.TestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        os.environ['FP_VIRTUAL_SDCP'] = os.environ['SDCP_VIRT_BINARY']
+
+        cls.ctx = FPrint.Context()
+
+        cls.dev = None
+        for dev in cls.ctx.get_devices():
+            cls.dev = dev
+            break
+
+        assert cls.dev is not None, "You need to compile with virtual_sdcp for testing"
+
+    @classmethod
+    def tearDownClass(cls):
+        del cls.dev
+        del cls.ctx
+
+    def setUp(self):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def enroll(self, progress_cb=None):
+        # Enroll another print
+        template = FPrint.Print.new(self.dev)
+        template.props.finger = FPrint.Finger.LEFT_THUMB
+        template.props.username = "testuser"
+        template.props.description = "test print"
+        datetime = GLib.DateTime.new_now_local()
+        date = GLib.Date()
+        date.set_dmy(*datetime.get_ymd()[::-1])
+        template.props.enroll_date = date
+        return self.dev.enroll_sync(template, None, progress_cb, None)
+
+    def test_connect(self):
+        self.dev.open_sync()
+        self.dev.close_sync()
+
+    def test_reconnect(self):
+        # Ensure device was opened once before, this may be a reconnect if
+        # it is the same process as another test.
+        self.dev.open_sync()
+        self.dev.close_sync()
+
+        # Check that a reconnect happens on next open. To know about this, we
+        # need to parse check log messages for that.
+        success = [False]
+        def log_func(domain, level, msg):
+            print("log: '%s', '%s', '%s'" % (str(domain), str(level), msg))
+            if msg == 'Reconnect succeeded':
+                success[0] = True
+
+            # Call default handler
+            GLib.log_default_handler(domain, level, msg)
+
+        handler_id = GLib.log_set_handler('libfprint-sdcp_device', GLib.LogLevelFlags.LEVEL_DEBUG, log_func)
+        self.dev.open_sync()
+        self.dev.close_sync()
+        GLib.log_remove_handler('libfprint-sdcp_device', handler_id)
+        assert success[0]
+
+    def test_enroll(self):
+        self.dev.open_sync()
+
+        # Must return a print
+        assert isinstance(self.enroll(), FPrint.Print)
+
+        self.dev.close_sync()
+
+
+    def test_verify(self):
+        self.dev.open_sync()
+
+        # Enroll a new print (will be the last), check that it verifies
+        p = self.enroll()
+        match, dev_print = self.dev.verify_sync(p)
+        assert match
+
+        # The returned "device" print is identical
+        assert p.equal(dev_print)
+
+        # We can do the same with it
+        match, dev_print2 = self.dev.verify_sync(dev_print)
+        assert match
+
+        # Now, enroll a new print, causing the old one to not match anymore
+        # (the device always claims to see the last enrolled print).
+        self.enroll()
+        match, dev_print = self.dev.verify_sync(p)
+        assert match is False
+
+        self.dev.close_sync()
+
+if __name__ == '__main__':
+    try:
+        gi.require_version('FPrint', '2.0')
+        from gi.repository import FPrint
+    except Exception as e:
+        print("Missing dependencies: %s" % str(e))
+        sys.exit(77)
+
+    # avoid writing to stderr
+    unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))