summaryrefslogtreecommitdiff
path: root/unit_test/android_keymaster_test.cpp (plain)
blob: d11b5be3fb8b2d4252dc82714e17a4c4b54e95e3
1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <fstream>
18#include <string>
19#include <vector>
20
21#include <openssl/evp.h>
22#include <openssl/x509.h>
23
24#include <hardware/keymaster0.h>
25#include <keymaster/key_factory.h>
26#include <keymaster/soft_keymaster_context.h>
27#include <keymaster/soft_keymaster_device.h>
28#include <keymaster/softkeymaster.h>
29
30#include "android_keymaster_test_utils.h"
31#include "attestation_record.h"
32#include "keymaster0_engine.h"
33#include "openssl_utils.h"
34
35#define CHECK_FAIL 1
36#define SUPPORT_TEST 1
37#define RSA_TEST 1
38#define EC_TEST 1
39#define AES_TEST 1
40#define HMAC_TEST 1
41#define MAX_TEST 1
42#define ENTROPY_TEST 1
43#define ATTESTATIONTEST 1
44#define KEYUPGRADETEST 0
45using std::ifstream;
46using std::istreambuf_iterator;
47using std::ofstream;
48using std::string;
49using std::unique_ptr;
50using std::vector;
51
52extern "C" {
53int __android_log_print(int prio, const char* tag, const char* fmt);
54int __android_log_print(int prio, const char* tag, const char* fmt) {
55 (void)prio, (void)tag, (void)fmt;
56 return 0;
57}
58} // extern "C"
59
60namespace keymaster {
61namespace test {
62
63const uint32_t kOsVersion = 060000;
64const uint32_t kOsPatchLevel = 201603;
65
66StdoutLogger logger;
67
68template <typename T> vector<T> make_vector(const T* array, size_t len) {
69 return vector<T>(array, array + len);
70}
71
72/**
73 * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't
74 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited
75 * keys will only work once).
76 */
77class TestKeymasterEnforcement : public KeymasterEnforcement {
78 public:
79 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {}
80
81 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; }
82 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; }
83 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */,
84 uint32_t /* timeout */) const {
85 return false;
86 }
87 virtual uint32_t get_current_time() const { return 0; }
88 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; }
89};
90
91/**
92 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement.
93 */
94class TestKeymasterContext : public SoftKeymasterContext {
95 public:
96 TestKeymasterContext() {}
97 explicit TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {}
98
99 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; }
100
101 private:
102 TestKeymasterEnforcement test_policy_;
103};
104
105/**
106 * Test instance creator that builds a pure software keymaster2 implementation.
107 */
108class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator {
109 public:
110 keymaster2_device_t* CreateDevice() const override {
111 std::cerr << "Creating software-only device" << std::endl;
112 context_ = new TestKeymasterContext;
113 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
114 AuthorizationSet version_info(AuthorizationSetBuilder()
115 .Authorization(TAG_OS_VERSION, kOsVersion)
116 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
117 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
118 return device->keymaster2_device();
119 }
120
121 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
122 int keymaster0_calls() const override { return 0; }
123 bool is_keymaster1_hw() const override { return false; }
124 KeymasterContext* keymaster_context() const override { return context_; }
125
126 private:
127 mutable TestKeymasterContext* context_;
128};
129
130/**
131 * Test instance creator that builds a keymaster2 implementations.
132 */
133class AmlKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator {
134 public:
135 keymaster2_device_t* CreateDevice() const override {
136 const hw_module_t* mod;
137 keymaster2_device_t* device = NULL;
138
139 int rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
140 if (rc) {
141 std::cerr << "Could not find any keystore module!" << std::endl;
142 } else {
143 assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0);
144 rc = keymaster2_open(mod, &device);
145 if (rc) {
146 std::cerr << "Error "<< rc << "opening keystore keymaster2 device" << std::endl;
147 return NULL;
148 }
149 }
150
151 std::cerr << "Creating Amlogic keymaster2 device" << std::endl;
152 // context_ = new TestKeymasterContext;
153 // SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
154 AuthorizationSet version_info(AuthorizationSetBuilder()
155 .Authorization(TAG_OS_VERSION, kOsVersion)
156 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
157 device->configure(device, &version_info);
158 _device = device;
159 return device;
160 }
161
162 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
163 int keymaster0_calls() const override { return 0; }
164 bool is_keymaster1_hw() const override { return false; }
165 KeymasterContext* keymaster_context() const override { return (KeymasterContext*) _device; }
166
167 private:
168 static keymaster2_device_t* _device;
169 //mutable TestKeymasterContext* context_;
170};
171
172keymaster2_device_t* AmlKeymasterTestInstanceCreator::_device;
173/**
174 * Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0
175 * instance, with or without EC support.
176 */
177class Keymaster0AdapterTestInstanceCreator : public Keymaster2TestInstanceCreator {
178 public:
179 explicit Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {}
180
181 keymaster2_device_t* CreateDevice() const {
182 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_
183 << ")." << std::endl;
184 hw_device_t* softkeymaster_device;
185 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER,
186 &softkeymaster_device));
187 // Make the software device pretend to be hardware
188 keymaster0_device_t* keymaster0_device =
189 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device);
190 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY;
191
192 if (!support_ec_) {
193 // Make the software device pretend not to support EC
194 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC;
195 }
196
197 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device);
198
199 context_ = new TestKeymasterContext;
200 SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(context_);
201 keymaster->SetHardwareDevice(counting_keymaster0_device_);
202 AuthorizationSet version_info(AuthorizationSetBuilder()
203 .Authorization(TAG_OS_VERSION, kOsVersion)
204 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
205 keymaster->keymaster2_device()->configure(keymaster->keymaster2_device(), &version_info);
206 return keymaster->keymaster2_device();
207 }
208
209 bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override {
210 switch (algorithm) {
211 case KM_ALGORITHM_RSA:
212 return true;
213 case KM_ALGORITHM_EC:
214 return support_ec_;
215 default:
216 return false;
217 }
218 }
219 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); }
220 bool is_keymaster1_hw() const override { return false; }
221 KeymasterContext* keymaster_context() const override { return context_; }
222
223 private:
224 mutable TestKeymasterContext* context_;
225 mutable Keymaster0CountingWrapper* counting_keymaster0_device_;
226 bool support_ec_;
227};
228
229/**
230 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
231 * instance, with minimal digest support.
232 */
233class Sha256OnlyKeymaster2TestInstanceCreator : public Keymaster2TestInstanceCreator {
234 keymaster2_device_t* CreateDevice() const {
235 std::cerr << "Creating keymaster1-backed device that supports only SHA256";
236
237 // fake_device doesn't leak because device (below) takes ownership of it.
238 keymaster1_device_t* fake_device = make_device_sha256_only(
239 (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device());
240
241 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
242 context_ = new TestKeymasterContext;
243 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
244 device->SetHardwareDevice(fake_device);
245
246 AuthorizationSet version_info(AuthorizationSetBuilder()
247 .Authorization(TAG_OS_VERSION, kOsVersion)
248 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
249 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
250 return device->keymaster2_device();
251 }
252
253 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
254 int keymaster0_calls() const override { return 0; }
255 int minimal_digest_set() const override { return true; }
256 bool is_keymaster1_hw() const override { return true; }
257 KeymasterContext* keymaster_context() const override { return context_; }
258
259 private:
260 mutable TestKeymasterContext* context_;
261};
262
263static auto test_params = testing::Values(
264#if 0
265 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator),
266 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
267 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)),
268 InstanceCreatorPtr(new Sha256OnlyKeymaster2TestInstanceCreator)
269#endif
270 InstanceCreatorPtr(new AmlKeymasterTestInstanceCreator)
271 );
272
273class NewKeyGeneration : public Keymaster2Test {
274 protected:
275 void CheckBaseParams() {
276 AuthorizationSet auths = sw_enforced();
277 auths.Union(hw_enforced());
278 EXPECT_GT(auths.SerializedSize(), 12U);
279
280 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN));
281 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY));
282 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7));
283 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
284 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300));
285
286 // Verify that App ID, App data and ROT are NOT included.
287 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST));
288 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID));
289 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA));
290
291 // Just for giggles, check that some unexpected tags/values are NOT present.
292 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
293 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT));
294 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301));
295
296 // Now check that unspecified, defaulted tags are correct.
297 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME));
298 if (GetParam()->is_keymaster1_hw()) {
299 // If the underlying (faked) HW is KM1, it will not have version info.
300 EXPECT_FALSE(auths.Contains(TAG_OS_VERSION));
301 EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL));
302 } else {
303 // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by
304 // SoftKeymasterDevice, version information will be present and up to date.
305 EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion));
306 EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel));
307 }
308 }
309};
310INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params);
311#if RSA_TEST
312TEST_P(NewKeyGeneration, Rsa) {
313 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
314 .RsaSigningKey(256, 3)
315 .Digest(KM_DIGEST_NONE)
316 .Padding(KM_PAD_NONE)));
317 CheckBaseParams();
318
319 // Check specified tags are all present, and in the right set.
320 AuthorizationSet crypto_params;
321 AuthorizationSet non_crypto_params;
322#if 0
323 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
324 EXPECT_NE(0U, hw_enforced().size());
325 EXPECT_NE(0U, sw_enforced().size());
326 crypto_params.push_back(hw_enforced());
327 non_crypto_params.push_back(sw_enforced());
328 } else {
329 EXPECT_EQ(0U, hw_enforced().size());
330 EXPECT_NE(0U, sw_enforced().size());
331 crypto_params.push_back(sw_enforced());
332 }
333#else
334 EXPECT_NE(0U, hw_enforced().size());
335 EXPECT_NE(0U, sw_enforced().size());
336 crypto_params.push_back(hw_enforced());
337 non_crypto_params.push_back(sw_enforced());
338#endif
339
340 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
341 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
342 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256));
343 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256));
344 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
345 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
346
347 EXPECT_EQ(KM_ERROR_OK, DeleteKey());
348
349 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
350 EXPECT_EQ(2, GetParam()->keymaster0_calls());
351}
352#endif
353#if RSA_TEST
354TEST_P(NewKeyGeneration, RsaDefaultSize) {
355 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
356 GenerateKey(AuthorizationSetBuilder()
357 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
358 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
359 .SigningKey()));
360
361 EXPECT_EQ(0, GetParam()->keymaster0_calls());
362}
363#endif
364#if EC_TEST
365TEST_P(NewKeyGeneration, Ecdsa) {
366 ASSERT_EQ(KM_ERROR_OK,
367 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
368 CheckBaseParams();
369
370 // Check specified tags are all present, and in the right set.
371 AuthorizationSet crypto_params;
372 AuthorizationSet non_crypto_params;
373#if 0
374 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
375 EXPECT_NE(0U, hw_enforced().size());
376 EXPECT_NE(0U, sw_enforced().size());
377 crypto_params.push_back(hw_enforced());
378 non_crypto_params.push_back(sw_enforced());
379 } else {
380 EXPECT_EQ(0U, hw_enforced().size());
381 EXPECT_NE(0U, sw_enforced().size());
382 crypto_params.push_back(sw_enforced());
383 }
384#else
385 EXPECT_NE(0U, hw_enforced().size());
386 EXPECT_NE(0U, sw_enforced().size());
387 crypto_params.push_back(hw_enforced());
388 non_crypto_params.push_back(sw_enforced());
389#endif
390
391 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
392 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
393 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224));
394 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224));
395
396 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
397 EXPECT_EQ(1, GetParam()->keymaster0_calls());
398}
399#endif
400#if EC_TEST
401TEST_P(NewKeyGeneration, EcdsaDefaultSize) {
402 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
403 GenerateKey(AuthorizationSetBuilder()
404 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
405 .SigningKey()
406 .Digest(KM_DIGEST_NONE)));
407
408 EXPECT_EQ(0, GetParam()->keymaster0_calls());
409}
410
411TEST_P(NewKeyGeneration, EcdsaInvalidSize) {
412 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
413 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
414 EXPECT_EQ(0, GetParam()->keymaster0_calls());
415}
416#endif
417
418#if EC_TEST
419TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) {
420 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT,
421 GenerateKey(AuthorizationSetBuilder()
422 .EcdsaSigningKey(224)
423 .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256)
424 .Digest(KM_DIGEST_NONE)));
425}
426#endif
427
428#if EC_TEST
429TEST_P(NewKeyGeneration, EcdsaAllValidSizes) {
430 size_t valid_sizes[] = {224, 256, 384, 521};
431 for (size_t size : valid_sizes) {
432 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(
433 KM_DIGEST_NONE)))
434 << "Failed to generate size: " << size;
435 }
436
437 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
438 EXPECT_EQ(4, GetParam()->keymaster0_calls());
439}
440#endif
441#if HMAC_TEST
442TEST_P(NewKeyGeneration, HmacSha256) {
443 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
444 .HmacKey(128)
445 .Digest(KM_DIGEST_SHA_2_256)
446 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
447
448 EXPECT_EQ(0, GetParam()->keymaster0_calls());
449}
450
451TEST_P(NewKeyGeneration, HmacMultipleDigests) {
452 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
453 GenerateKey(AuthorizationSetBuilder()
454 .HmacKey(128)
455 .Digest(KM_DIGEST_SHA1)
456 .Digest(KM_DIGEST_SHA_2_256)
457 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
458
459 EXPECT_EQ(0, GetParam()->keymaster0_calls());
460}
461
462TEST_P(NewKeyGeneration, HmacDigestNone) {
463 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
464 GenerateKey(AuthorizationSetBuilder()
465 .HmacKey(128)
466 .Digest(KM_DIGEST_NONE)
467 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
468
469 EXPECT_EQ(0, GetParam()->keymaster0_calls());
470}
471
472TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) {
473 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
474 GenerateKey(AuthorizationSetBuilder()
475 .HmacKey(128)
476 .Digest(KM_DIGEST_SHA_2_256)
477 .Authorization(TAG_MIN_MAC_LENGTH, 48)));
478
479 EXPECT_EQ(0, GetParam()->keymaster0_calls());
480}
481
482TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) {
483 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
484 GenerateKey(AuthorizationSetBuilder()
485 .HmacKey(128)
486 .Digest(KM_DIGEST_SHA_2_256)
487 .Authorization(TAG_MIN_MAC_LENGTH, 130)));
488
489 EXPECT_EQ(0, GetParam()->keymaster0_calls());
490}
491
492TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) {
493 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
494 GenerateKey(AuthorizationSetBuilder()
495 .HmacKey(128)
496 .Digest(KM_DIGEST_SHA_2_256)
497 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
498
499 EXPECT_EQ(0, GetParam()->keymaster0_calls());
500}
501#endif
502typedef Keymaster2Test GetKeyCharacteristics;
503INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params);
504
505#if RSA_TEST
506TEST_P(GetKeyCharacteristics, SimpleRsa) {
507 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
508 .RsaSigningKey(256, 3)
509 .Digest(KM_DIGEST_NONE)
510 .Padding(KM_PAD_NONE)));
511 AuthorizationSet original(sw_enforced());
512
513 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics());
514 EXPECT_EQ(original, sw_enforced());
515
516 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
517 EXPECT_EQ(1, GetParam()->keymaster0_calls());
518}
519#endif
520typedef Keymaster2Test SigningOperationsTest;
521INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params);
522#if RSA_TEST
523TEST_P(SigningOperationsTest, RsaSuccess) {
524 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
525 .RsaSigningKey(256, 3)
526 .Digest(KM_DIGEST_NONE)
527 .Padding(KM_PAD_NONE)));
528 string message = "12345678901234567890123456789012";
529 string signature;
530 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
531
532 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
533 EXPECT_EQ(3, GetParam()->keymaster0_calls());
534}
535#endif
536#if RSA_TEST
537TEST_P(SigningOperationsTest, RsaPssSha256Success) {
538 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
539 .RsaSigningKey(768, 3)
540 .Digest(KM_DIGEST_SHA_2_256)
541 .Padding(KM_PAD_RSA_PSS)));
542 // Use large message, which won't work without digesting.
543 string message(1024, 'a');
544 string signature;
545 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
546
547 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
548 EXPECT_EQ(3, GetParam()->keymaster0_calls());
549}
550
551TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
552 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
553 .RsaSigningKey(512, 3)
554 .Digest(KM_DIGEST_NONE)
555 .Padding(KM_PAD_NONE)));
556 string message = "12345678901234567890123456789012";
557 string signature;
558
559 AuthorizationSet begin_params(client_params());
560 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
561 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
562 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
563
564 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
565 EXPECT_EQ(2, GetParam()->keymaster0_calls());
566}
567
568TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
569 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
570 .RsaSigningKey(512, 3)
571 .Digest(KM_DIGEST_SHA_2_256)
572 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
573 string message(1024, 'a');
574 string signature;
575 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
576
577 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
578 EXPECT_EQ(3, GetParam()->keymaster0_calls());
579}
580#endif
581#if RSA_TEST
582TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
583 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
584 .RsaSigningKey(512, 3)
585 .Digest(KM_DIGEST_NONE)
586 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
587 string message(53, 'a');
588 string signature;
589 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN);
590
591 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
592 EXPECT_EQ(3, GetParam()->keymaster0_calls());
593}
594#endif
595#if RSA_TEST
596TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) {
597 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
598 .RsaSigningKey(512, 3)
599 .Digest(KM_DIGEST_NONE)
600 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
601 string message(54, 'a');
602
603 AuthorizationSet begin_params(client_params());
604 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
605 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
606 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
607 string result;
608 size_t input_consumed;
609 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
610 string signature;
611 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature));
612
613 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
614 EXPECT_EQ(2, GetParam()->keymaster0_calls());
615}
616#endif
617#if CHECK_FAIL
618TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) {
619 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so
620 // verify that nine bytes larger than hash won't work.
621 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
622 .RsaSigningKey(256 + 9 * 8, 3)
623 .Digest(KM_DIGEST_SHA_2_256)
624 .Padding(KM_PAD_RSA_PSS)));
625 string message(1024, 'a');
626 string signature;
627
628 AuthorizationSet begin_params(client_params());
629 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
630 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
631 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
632}
633#endif
634#if CHECK_FAIL
635TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) {
636 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
637 .RsaSigningKey(256, 3)
638 .Digest(KM_DIGEST_NONE)
639 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
640 string message(64 * 1024, 'a');
641 string signature;
642 AuthorizationSet begin_params(client_params());
643 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
644 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
645 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
646 string result;
647 size_t input_consumed;
648 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
649
650 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
651 EXPECT_EQ(2, GetParam()->keymaster0_calls());
652}
653#endif
654#if CHECK_FAIL
655TEST_P(SigningOperationsTest, RsaAbort) {
656 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
657 .RsaSigningKey(256, 3)
658 .Digest(KM_DIGEST_NONE)
659 .Padding(KM_PAD_NONE)));
660 AuthorizationSet begin_params(client_params());
661 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
662 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
663 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
664 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
665 // Another abort should fail
666 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation());
667
668 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
669 EXPECT_EQ(2, GetParam()->keymaster0_calls());
670}
671#endif
672#if RSA_TEST
673TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
674 GenerateKey(AuthorizationSetBuilder()
675 .RsaSigningKey(256, 3)
676 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */)
677 .Padding(KM_PAD_PKCS7));
678 AuthorizationSet begin_params(client_params());
679 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
680 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
681
682 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
683 EXPECT_EQ(2, GetParam()->keymaster0_calls());
684}
685
686TEST_P(SigningOperationsTest, RsaNoDigest) {
687 // PSS requires a digest.
688 GenerateKey(AuthorizationSetBuilder()
689 .RsaSigningKey(256, 3)
690 .Digest(KM_DIGEST_NONE)
691 .Padding(KM_PAD_RSA_PSS));
692 AuthorizationSet begin_params(client_params());
693 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
694 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
695 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
696
697 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
698 EXPECT_EQ(2, GetParam()->keymaster0_calls());
699}
700
701TEST_P(SigningOperationsTest, RsaNoPadding) {
702 // Padding must be specified
703 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest(
704 KM_DIGEST_NONE)));
705 AuthorizationSet begin_params(client_params());
706 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
707 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
708
709 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
710 EXPECT_EQ(2, GetParam()->keymaster0_calls());
711}
712
713TEST_P(SigningOperationsTest, RsaTooShortMessage) {
714 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
715 .RsaSigningKey(256, 3)
716 .Digest(KM_DIGEST_NONE)
717 .Padding(KM_PAD_NONE)));
718 string message = "1234567890123456789012345678901";
719 string signature;
720 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
721
722 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
723 EXPECT_EQ(3, GetParam()->keymaster0_calls());
724}
725
726TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
727 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
728 .RsaEncryptionKey(256, 3)
729 .Digest(KM_DIGEST_NONE)
730 .Padding(KM_PAD_NONE)));
731 AuthorizationSet begin_params(client_params());
732 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
733 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
734 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
735
736 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
737 EXPECT_EQ(2, GetParam()->keymaster0_calls());
738}
739
740TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
741 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
742 .RsaSigningKey(256, 3)
743 .Digest(KM_DIGEST_NONE)
744 .Padding(KM_PAD_NONE)));
745 string message(256 / 8, static_cast<char>(0xff));
746 string signature;
747 AuthorizationSet begin_params(client_params());
748 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
749 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
750 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
751 string result;
752 size_t input_consumed;
753 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
754 ASSERT_EQ(message.size(), input_consumed);
755 string output;
756 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output));
757
758 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
759 EXPECT_EQ(3, GetParam()->keymaster0_calls());
760}
761#endif
762#if EC_TEST
763TEST_P(SigningOperationsTest, EcdsaSuccess) {
764 ASSERT_EQ(KM_ERROR_OK,
765 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
766 string message(224 / 8, 'a');
767 string signature;
768 SignMessage(message, &signature, KM_DIGEST_NONE);
769
770 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
771 EXPECT_EQ(3, GetParam()->keymaster0_calls());
772}
773#endif
774#if EC_TEST
775TEST_P(SigningOperationsTest, EcdsaSha256Success) {
776 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
777 KM_DIGEST_SHA_2_256)));
778 string message(1024, 'a');
779 string signature;
780 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
781
782 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
783 EXPECT_EQ(3, GetParam()->keymaster0_calls());
784}
785
786TEST_P(SigningOperationsTest, EcdsaSha384Success) {
787 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
788 KM_DIGEST_SHA_2_384)));
789 string message(1024, 'a');
790 string signature;
791 SignMessage(message, &signature, KM_DIGEST_SHA_2_384);
792
793 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
794 EXPECT_EQ(3, GetParam()->keymaster0_calls());
795}
796
797TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) {
798 ASSERT_EQ(KM_ERROR_OK,
799 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
800 string message(64 * 1024, 'a');
801 string signature;
802 AuthorizationSet begin_params(client_params());
803 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
804 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
805 string result;
806 size_t input_consumed;
807 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
808
809 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
810 EXPECT_EQ(2, GetParam()->keymaster0_calls());
811}
812
813TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
814 vector<int> key_sizes = {224, 256, 384, 521};
815 vector<keymaster_digest_t> digests = {
816 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
817 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
818 };
819
820 for (int key_size : key_sizes) {
821 for (keymaster_digest_t digest : digests) {
822 ASSERT_EQ(
823 KM_ERROR_OK,
824 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest)));
825
826 string message(1024, 'a');
827 string signature;
828 if (digest == KM_DIGEST_NONE)
829 message.resize(key_size / 8);
830 SignMessage(message, &signature, digest);
831 }
832 }
833
834 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
835 EXPECT_EQ(digests.size() * key_sizes.size() * 3,
836 static_cast<size_t>(GetParam()->keymaster0_calls()));
837}
838#endif
839#if AES_TEST
840TEST_P(SigningOperationsTest, AesEcbSign) {
841 ASSERT_EQ(KM_ERROR_OK,
842 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization(
843 TAG_BLOCK_MODE, KM_MODE_ECB)));
844 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN));
845 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY));
846
847 EXPECT_EQ(0, GetParam()->keymaster0_calls());
848}
849#endif
850#if HMAC_TEST
851TEST_P(SigningOperationsTest, HmacSha1Success) {
852 if (GetParam()->minimal_digest_set())
853 // Can't emulate other digests for HMAC.
854 return;
855
856 GenerateKey(AuthorizationSetBuilder()
857 .HmacKey(128)
858 .Digest(KM_DIGEST_SHA1)
859 .Authorization(TAG_MIN_MAC_LENGTH, 160));
860 string message = "12345678901234567890123456789012";
861 string signature;
862 MacMessage(message, &signature, 160);
863 ASSERT_EQ(20U, signature.size());
864
865 EXPECT_EQ(0, GetParam()->keymaster0_calls());
866}
867#endif
868#if HMAC_TEST
869TEST_P(SigningOperationsTest, HmacSha224Success) {
870 if (GetParam()->minimal_digest_set())
871 // Can't emulate other digests for HMAC.
872 return;
873
874 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
875 .HmacKey(128)
876 .Digest(KM_DIGEST_SHA_2_224)
877 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
878 string message = "12345678901234567890123456789012";
879 string signature;
880 MacMessage(message, &signature, 224);
881 ASSERT_EQ(28U, signature.size());
882
883 EXPECT_EQ(0, GetParam()->keymaster0_calls());
884}
885
886TEST_P(SigningOperationsTest, HmacSha256Success) {
887 if (GetParam()->minimal_digest_set())
888 // Can't emulate other digests for HMAC.
889 return;
890
891 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
892 .HmacKey(128)
893 .Digest(KM_DIGEST_SHA_2_256)
894 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
895 string message = "12345678901234567890123456789012";
896 string signature;
897 MacMessage(message, &signature, 256);
898 ASSERT_EQ(32U, signature.size());
899
900 EXPECT_EQ(0, GetParam()->keymaster0_calls());
901}
902
903TEST_P(SigningOperationsTest, HmacSha384Success) {
904 if (GetParam()->minimal_digest_set())
905 // Can't emulate other digests for HMAC.
906 return;
907
908 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
909 .HmacKey(128)
910 .Digest(KM_DIGEST_SHA_2_384)
911 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
912
913 string message = "12345678901234567890123456789012";
914 string signature;
915 MacMessage(message, &signature, 384);
916 ASSERT_EQ(48U, signature.size());
917
918 EXPECT_EQ(0, GetParam()->keymaster0_calls());
919}
920
921TEST_P(SigningOperationsTest, HmacSha512Success) {
922 if (GetParam()->minimal_digest_set())
923 // Can't emulate other digests for HMAC.
924 return;
925
926 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
927 .HmacKey(128)
928 .Digest(KM_DIGEST_SHA_2_512)
929 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
930 string message = "12345678901234567890123456789012";
931 string signature;
932 MacMessage(message, &signature, 512);
933 ASSERT_EQ(64U, signature.size());
934
935 EXPECT_EQ(0, GetParam()->keymaster0_calls());
936}
937
938TEST_P(SigningOperationsTest, HmacLengthInKey) {
939 // TODO(swillden): unified API should generate an error on key generation.
940 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
941 .HmacKey(128)
942 .Digest(KM_DIGEST_SHA_2_256)
943 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
944 string message = "12345678901234567890123456789012";
945 string signature;
946 MacMessage(message, &signature, 160);
947 ASSERT_EQ(20U, signature.size());
948
949 EXPECT_EQ(0, GetParam()->keymaster0_calls());
950}
951
952TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) {
953 uint8_t key_data[] = {
954 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
955 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
956 };
957 string message = "Hi There";
958 uint8_t sha_224_expected[] = {
959 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d,
960 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22,
961 };
962 uint8_t sha_256_expected[] = {
963 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf,
964 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83,
965 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7,
966 };
967 uint8_t sha_384_expected[] = {
968 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4,
969 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
970 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9,
971 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6,
972 };
973 uint8_t sha_512_expected[] = {
974 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a,
975 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0,
976 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7,
977 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e,
978 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54,
979 };
980
981 string key = make_string(key_data);
982
983 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
984 if (!GetParam()->minimal_digest_set()) {
985 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
986 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
987 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
988 }
989
990 EXPECT_EQ(0, GetParam()->keymaster0_calls());
991}
992
993TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) {
994 string key = "Jefe";
995 string message = "what do ya want for nothing?";
996 uint8_t sha_224_expected[] = {
997 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e,
998 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44,
999 };
1000 uint8_t sha_256_expected[] = {
1001 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24,
1002 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27,
1003 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43,
1004 };
1005 uint8_t sha_384_expected[] = {
1006 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2,
1007 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
1008 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca,
1009 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49,
1010 };
1011 uint8_t sha_512_expected[] = {
1012 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b,
1013 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27,
1014 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99,
1015 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3,
1016 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37,
1017 };
1018
1019 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1020 if (!GetParam()->minimal_digest_set()) {
1021 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1022 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1023 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1024 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1025 }
1026
1027 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1028}
1029
1030TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
1031 string key(20, 0xaa);
1032 string message(50, 0xdd);
1033 uint8_t sha_224_expected[] = {
1034 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
1035 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
1036 };
1037 uint8_t sha_256_expected[] = {
1038 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
1039 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
1040 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
1041 };
1042 uint8_t sha_384_expected[] = {
1043 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
1044 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1045 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
1046 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
1047 };
1048 uint8_t sha_512_expected[] = {
1049 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
1050 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
1051 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
1052 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
1053 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
1054 };
1055
1056 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1057 if (!GetParam()->minimal_digest_set()) {
1058 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1059 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1060 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1061 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1062 }
1063
1064 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1065}
1066
1067TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) {
1068 uint8_t key_data[25] = {
1069 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
1070 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
1071 };
1072 string key = make_string(key_data);
1073 string message(50, 0xcd);
1074 uint8_t sha_224_expected[] = {
1075 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82,
1076 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a,
1077 };
1078 uint8_t sha_256_expected[] = {
1079 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81,
1080 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78,
1081 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b,
1082 };
1083 uint8_t sha_384_expected[] = {
1084 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62,
1085 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
1086 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23,
1087 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb,
1088 };
1089 uint8_t sha_512_expected[] = {
1090 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6,
1091 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f,
1092 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e,
1093 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41,
1094 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd,
1095 };
1096
1097 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1098 if (!GetParam()->minimal_digest_set()) {
1099 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1100 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1101 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1102 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1103 }
1104
1105 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1106}
1107
1108TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1109 string key(20, 0x0c);
1110 string message = "Test With Truncation";
1111
1112 uint8_t sha_224_expected[] = {
1113 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1114 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1115 };
1116 uint8_t sha_256_expected[] = {
1117 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1118 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1119 };
1120 uint8_t sha_384_expected[] = {
1121 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1122 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1123 };
1124 uint8_t sha_512_expected[] = {
1125 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1126 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1127 };
1128
1129 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1130 if (!GetParam()->minimal_digest_set()) {
1131 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1132 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1133 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1134 }
1135
1136 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1137}
1138#endif
1139
1140#if HMAC_TEST
1141TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
1142 string key(131, 0xaa);
1143 string message = "Test Using Larger Than Block-Size Key - Hash Key First";
1144
1145 uint8_t sha_224_expected[] = {
1146 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
1147 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
1148 };
1149 uint8_t sha_256_expected[] = {
1150 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
1151 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
1152 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
1153 };
1154 uint8_t sha_384_expected[] = {
1155 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
1156 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1157 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
1158 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
1159 };
1160 uint8_t sha_512_expected[] = {
1161 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
1162 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
1163 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
1164 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
1165 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
1166 };
1167
1168 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1169 if (!GetParam()->minimal_digest_set()) {
1170 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1171 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1172 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1173 }
1174
1175 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1176}
1177#endif
1178
1179#if HMAC_TEST
1180TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
1181 string key(131, 0xaa);
1182 string message = "This is a test using a larger than block-size key and a larger than "
1183 "block-size data. The key needs to be hashed before being used by the HMAC "
1184 "algorithm.";
1185
1186 uint8_t sha_224_expected[] = {
1187 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
1188 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
1189 };
1190 uint8_t sha_256_expected[] = {
1191 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
1192 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
1193 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
1194 };
1195 uint8_t sha_384_expected[] = {
1196 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
1197 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1198 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
1199 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
1200 };
1201 uint8_t sha_512_expected[] = {
1202 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
1203 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
1204 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
1205 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
1206 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
1207 };
1208
1209 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1210 if (!GetParam()->minimal_digest_set()) {
1211 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1212 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1213 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1214 }
1215
1216 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1217}
1218
1219TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1220 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1221 .HmacKey(128)
1222 .Digest(KM_DIGEST_SHA_2_256)
1223 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1224 AuthorizationSet begin_params(client_params());
1225 begin_params.push_back(TAG_MAC_LENGTH, 264);
1226 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1227 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
1228 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1229
1230 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1231}
1232
1233TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1234 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1235 .HmacKey(128)
1236 .Digest(KM_DIGEST_SHA_2_256)
1237 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1238 AuthorizationSet begin_params(client_params());
1239 begin_params.push_back(TAG_MAC_LENGTH, 120);
1240 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1241 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
1242 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1243
1244 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1245}
1246#endif
1247// TODO(swillden): Add more verification failure tests.
1248
1249typedef Keymaster2Test VerificationOperationsTest;
1250INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params);
1251#if RSA_TEST
1252TEST_P(VerificationOperationsTest, RsaSuccess) {
1253 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1254 .RsaSigningKey(256, 3)
1255 .Digest(KM_DIGEST_NONE)
1256 .Padding(KM_PAD_NONE)));
1257 string message = "12345678901234567890123456789012";
1258 string signature;
1259 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1260 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1261
1262 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1263 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1264}
1265
1266TEST_P(VerificationOperationsTest, RsaPssSha256Success) {
1267 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1268 .RsaSigningKey(768, 3)
1269 .Digest(KM_DIGEST_SHA_2_256)
1270 .Padding(KM_PAD_RSA_PSS)));
1271 // Use large message, which won't work without digesting.
1272 string message(1024, 'a');
1273 string signature;
1274 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1275 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1276
1277 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1278 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1279}
1280
1281TEST_P(VerificationOperationsTest, RsaPssSha224Success) {
1282 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1283 .RsaSigningKey(512, 3)
1284 .Digest(KM_DIGEST_SHA_2_224)
1285 .Padding(KM_PAD_RSA_PSS)));
1286 // Use large message, which won't work without digesting.
1287 string message(1024, 'a');
1288 string signature;
1289 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1290 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1291
1292 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1293 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1294
1295 // Verify with OpenSSL.
1296 string pubkey;
1297 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1298
1299 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1300 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1301 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1302 ASSERT_TRUE(pkey.get());
1303
1304 EVP_MD_CTX digest_ctx;
1305 EVP_MD_CTX_init(&digest_ctx);
1306 EVP_PKEY_CTX* pkey_ctx;
1307 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1308 pkey.get()));
1309 EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
1310 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1311 EXPECT_EQ(1,
1312 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1313 signature.size()));
1314 EVP_MD_CTX_cleanup(&digest_ctx);
1315}
1316
1317TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) {
1318 GenerateKey(AuthorizationSetBuilder()
1319 .RsaSigningKey(768, 3)
1320 .Digest(KM_DIGEST_SHA_2_256)
1321 .Padding(KM_PAD_RSA_PSS));
1322 string message(1024, 'a');
1323 string signature;
1324 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1325 ++signature[signature.size() / 2];
1326
1327 AuthorizationSet begin_params(client_params());
1328 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1329 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1330 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1331
1332 string result;
1333 size_t input_consumed;
1334 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1335 EXPECT_EQ(message.size(), input_consumed);
1336 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1337
1338 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1339 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1340}
1341
1342TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) {
1343 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1344 .RsaSigningKey(768, 3)
1345 .Digest(KM_DIGEST_SHA_2_256)
1346 .Padding(KM_PAD_RSA_PSS)));
1347 // Use large message, which won't work without digesting.
1348 string message(1024, 'a');
1349 string signature;
1350 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1351 ++message[message.size() / 2];
1352
1353 AuthorizationSet begin_params(client_params());
1354 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1355 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1356 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1357
1358 string result;
1359 size_t input_consumed;
1360 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1361 EXPECT_EQ(message.size(), input_consumed);
1362 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1363
1364 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1365 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1366}
1367
1368TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) {
1369 GenerateKey(AuthorizationSetBuilder()
1370 .RsaSigningKey(512, 3)
1371 .Digest(KM_DIGEST_SHA_2_256)
1372 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1373 string message(1024, 'a');
1374 string signature;
1375 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1376 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1377
1378 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1379 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1380}
1381
1382TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) {
1383 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1384 .RsaSigningKey(512, 3)
1385 .Digest(KM_DIGEST_SHA_2_224)
1386 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1387 // Use large message, which won't work without digesting.
1388 string message(1024, 'a');
1389 string signature;
1390 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1391 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1392
1393 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1394 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1395
1396 // Verify with OpenSSL.
1397 string pubkey;
1398 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1399
1400 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1401 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1402 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1403 ASSERT_TRUE(pkey.get());
1404
1405 EVP_MD_CTX digest_ctx;
1406 EVP_MD_CTX_init(&digest_ctx);
1407 EVP_PKEY_CTX* pkey_ctx;
1408 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1409 pkey.get()));
1410 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1411 EXPECT_EQ(1,
1412 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1413 signature.size()));
1414 EVP_MD_CTX_cleanup(&digest_ctx);
1415}
1416
1417TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) {
1418 GenerateKey(AuthorizationSetBuilder()
1419 .RsaSigningKey(512, 3)
1420 .Digest(KM_DIGEST_SHA_2_256)
1421 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1422 string message(1024, 'a');
1423 string signature;
1424 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1425 ++signature[signature.size() / 2];
1426
1427 AuthorizationSet begin_params(client_params());
1428 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1429 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1430 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1431
1432 string result;
1433 size_t input_consumed;
1434 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1435 EXPECT_EQ(message.size(), input_consumed);
1436 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1437
1438 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1439 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1440}
1441
1442TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) {
1443 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1444 .RsaSigningKey(512, 3)
1445 .Digest(KM_DIGEST_SHA_2_256)
1446 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1447 // Use large message, which won't work without digesting.
1448 string message(1024, 'a');
1449 string signature;
1450 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1451 ++message[message.size() / 2];
1452
1453 AuthorizationSet begin_params(client_params());
1454 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1455 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1456 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1457
1458 string result;
1459 size_t input_consumed;
1460 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1461 EXPECT_EQ(message.size(), input_consumed);
1462 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1463
1464 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1465 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1466}
1467#endif
1468#if CHECK_FAIL
1469TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) {
1470 vector<keymaster_digest_t> digests = {
1471 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
1472 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1473 };
1474
1475 vector<keymaster_padding_t> padding_modes{
1476 KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS,
1477 };
1478
1479 int trial_count = 0;
1480 for (keymaster_padding_t padding_mode : padding_modes) {
1481 for (keymaster_digest_t digest : digests) {
1482 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE)
1483 // Digesting requires padding
1484 continue;
1485
1486 // Compute key & message size that will work.
1487 size_t key_bits = 0;
1488 size_t message_len = 1000;
1489
1490 if (digest == KM_DIGEST_NONE) {
1491 key_bits = 256;
1492 switch (padding_mode) {
1493 case KM_PAD_NONE:
1494 // Match key size.
1495 message_len = key_bits / 8;
1496 break;
1497 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1498 message_len = key_bits / 8 - 11;
1499 break;
1500 case KM_PAD_RSA_PSS:
1501 // PSS requires a digest.
1502 continue;
1503 default:
1504 FAIL() << "Missing padding";
1505 break;
1506 }
1507 } else {
1508 size_t digest_bits;
1509 switch (digest) {
1510 case KM_DIGEST_MD5:
1511 digest_bits = 128;
1512 break;
1513 case KM_DIGEST_SHA1:
1514 digest_bits = 160;
1515 break;
1516 case KM_DIGEST_SHA_2_224:
1517 digest_bits = 224;
1518 break;
1519 case KM_DIGEST_SHA_2_256:
1520 digest_bits = 256;
1521 break;
1522 case KM_DIGEST_SHA_2_384:
1523 digest_bits = 384;
1524 break;
1525 case KM_DIGEST_SHA_2_512:
1526 digest_bits = 512;
1527 break;
1528 default:
1529 FAIL() << "Missing digest";
1530 }
1531
1532 switch (padding_mode) {
1533 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1534 key_bits = digest_bits + 8 * (11 + 19);
1535 break;
1536 case KM_PAD_RSA_PSS:
1537 key_bits = digest_bits * 2 + 2 * 8;
1538 break;
1539 default:
1540 FAIL() << "Missing padding";
1541 break;
1542 }
1543 }
1544
1545 // round up to 128 bits because new boringssl supports only 128 bit mulitples
1546 key_bits += 127;
1547 key_bits &= ~127;
1548 GenerateKey(AuthorizationSetBuilder()
1549 .RsaSigningKey(key_bits, 3)
1550 .Digest(digest)
1551 .Padding(padding_mode));
1552 string message(message_len, 'a');
1553 string signature;
1554 SignMessage(message, &signature, digest, padding_mode);
1555 VerifyMessage(message, signature, digest, padding_mode);
1556 ++trial_count;
1557 }
1558 }
1559
1560 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1561 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls());
1562}
1563#endif
1564#if EC_TEST
1565TEST_P(VerificationOperationsTest, EcdsaSuccess) {
1566 ASSERT_EQ(KM_ERROR_OK,
1567 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1568 string message = "12345678901234567890123456789012";
1569 string signature;
1570 SignMessage(message, &signature, KM_DIGEST_NONE);
1571 VerifyMessage(message, signature, KM_DIGEST_NONE);
1572
1573 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1574 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1575}
1576
1577TEST_P(VerificationOperationsTest, EcdsaTooShort) {
1578 ASSERT_EQ(KM_ERROR_OK,
1579 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1580 string message = "12345678901234567890";
1581 string signature;
1582 SignMessage(message, &signature, KM_DIGEST_NONE);
1583 VerifyMessage(message, signature, KM_DIGEST_NONE);
1584
1585 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1586 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1587}
1588
1589TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) {
1590 ASSERT_EQ(KM_ERROR_OK,
1591 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE)));
1592
1593 string message(66, 'a');
1594 string signature;
1595 SignMessage(message, &signature, KM_DIGEST_NONE);
1596 VerifyMessage(message, signature, KM_DIGEST_NONE);
1597
1598 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh.
1599 message[65] ^= 7;
1600 VerifyMessage(message, signature, KM_DIGEST_NONE);
1601
1602 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1603 EXPECT_EQ(5, GetParam()->keymaster0_calls());
1604}
1605
1606TEST_P(VerificationOperationsTest, EcdsaSha256Success) {
1607 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1608 .EcdsaSigningKey(256)
1609 .Digest(KM_DIGEST_SHA_2_256)
1610 .Digest(KM_DIGEST_NONE)));
1611 string message = "12345678901234567890123456789012";
1612 string signature;
1613 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
1614 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
1615
1616 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1617 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1618
1619 // Just for giggles, try verifying with the wrong digest.
1620 AuthorizationSet begin_params(client_params());
1621 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1622 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1623
1624 string result;
1625 size_t input_consumed;
1626 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1627 EXPECT_EQ(message.size(), input_consumed);
1628 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1629}
1630
1631TEST_P(VerificationOperationsTest, EcdsaSha224Success) {
1632 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
1633 KM_DIGEST_SHA_2_224)));
1634
1635 string message = "12345678901234567890123456789012";
1636 string signature;
1637 SignMessage(message, &signature, KM_DIGEST_SHA_2_224);
1638 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224);
1639
1640 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1641 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1642
1643 // Just for giggles, try verifying with the wrong digest.
1644 AuthorizationSet begin_params(client_params());
1645 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1646 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1647
1648 string result;
1649 size_t input_consumed;
1650 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1651 EXPECT_EQ(message.size(), input_consumed);
1652 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1653}
1654
1655TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) {
1656 keymaster_digest_t digests[] = {
1657 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
1658 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1659 };
1660 size_t key_sizes[] = {224, 256, 384, 521};
1661
1662 string message = "1234567890";
1663 string signature;
1664
1665 for (auto key_size : key_sizes) {
1666 AuthorizationSetBuilder builder;
1667 builder.EcdsaSigningKey(key_size);
1668 for (auto digest : digests)
1669 builder.Digest(digest);
1670 ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder));
1671
1672 for (auto digest : digests) {
1673 SignMessage(message, &signature, digest);
1674 VerifyMessage(message, signature, digest);
1675 }
1676 }
1677
1678 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1679 EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))),
1680 GetParam()->keymaster0_calls());
1681}
1682#endif
1683#if HMAC_TEST
1684TEST_P(VerificationOperationsTest, HmacSha1Success) {
1685 if (GetParam()->minimal_digest_set())
1686 // Can't emulate missing digests for HMAC.
1687 return;
1688
1689 GenerateKey(AuthorizationSetBuilder()
1690 .HmacKey(128)
1691 .Digest(KM_DIGEST_SHA1)
1692 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1693 string message = "123456789012345678901234567890123456789012345678";
1694 string signature;
1695 MacMessage(message, &signature, 160);
1696 VerifyMac(message, signature);
1697
1698 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1699}
1700
1701TEST_P(VerificationOperationsTest, HmacSha224Success) {
1702 if (GetParam()->minimal_digest_set())
1703 // Can't emulate missing digests for HMAC.
1704 return;
1705
1706 GenerateKey(AuthorizationSetBuilder()
1707 .HmacKey(128)
1708 .Digest(KM_DIGEST_SHA_2_224)
1709 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1710 string message = "123456789012345678901234567890123456789012345678";
1711 string signature;
1712 MacMessage(message, &signature, 224);
1713 VerifyMac(message, signature);
1714
1715 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1716}
1717
1718TEST_P(VerificationOperationsTest, HmacSha256Success) {
1719 GenerateKey(AuthorizationSetBuilder()
1720 .HmacKey(128)
1721 .Digest(KM_DIGEST_SHA_2_256)
1722 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1723 string message = "123456789012345678901234567890123456789012345678";
1724 string signature;
1725 MacMessage(message, &signature, 256);
1726 VerifyMac(message, signature);
1727
1728 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1729}
1730
1731TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) {
1732 GenerateKey(AuthorizationSetBuilder()
1733 .HmacKey(128)
1734 .Digest(KM_DIGEST_SHA_2_256)
1735 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1736 string message = "123456789012345678901234567890123456789012345678";
1737 string signature;
1738 MacMessage(message, &signature, 256);
1739
1740 // Shorten to 128 bits, should still work.
1741 signature.resize(128 / 8);
1742 VerifyMac(message, signature);
1743
1744 // Drop one more byte.
1745 signature.resize(signature.length() - 1);
1746
1747 AuthorizationSet begin_params(client_params());
1748 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1749 string result;
1750 size_t input_consumed;
1751 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1752 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result));
1753
1754 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1755}
1756
1757TEST_P(VerificationOperationsTest, HmacSha384Success) {
1758 if (GetParam()->minimal_digest_set())
1759 // Can't emulate missing digests for HMAC.
1760 return;
1761
1762 GenerateKey(AuthorizationSetBuilder()
1763 .HmacKey(128)
1764 .Digest(KM_DIGEST_SHA_2_384)
1765 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1766 string message = "123456789012345678901234567890123456789012345678";
1767 string signature;
1768 MacMessage(message, &signature, 384);
1769 VerifyMac(message, signature);
1770
1771 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1772}
1773
1774TEST_P(VerificationOperationsTest, HmacSha512Success) {
1775 if (GetParam()->minimal_digest_set())
1776 // Can't emulate missing digests for HMAC.
1777 return;
1778
1779 GenerateKey(AuthorizationSetBuilder()
1780 .HmacKey(128)
1781 .Digest(KM_DIGEST_SHA_2_512)
1782 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1783 string message = "123456789012345678901234567890123456789012345678";
1784 string signature;
1785 MacMessage(message, &signature, 512);
1786 VerifyMac(message, signature);
1787
1788 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1789}
1790#endif
1791typedef Keymaster2Test ExportKeyTest;
1792INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params);
1793#if RSA_TEST
1794TEST_P(ExportKeyTest, RsaSuccess) {
1795 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1796 .RsaSigningKey(256, 3)
1797 .Digest(KM_DIGEST_NONE)
1798 .Padding(KM_PAD_NONE)));
1799 string export_data;
1800 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1801 EXPECT_GT(export_data.length(), 0U);
1802
1803 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1804
1805 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1806 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1807}
1808#endif
1809#if EC_TEST
1810TEST_P(ExportKeyTest, EcdsaSuccess) {
1811 ASSERT_EQ(KM_ERROR_OK,
1812 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
1813 string export_data;
1814 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1815 EXPECT_GT(export_data.length(), 0U);
1816
1817 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1818
1819 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1820 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1821}
1822#endif
1823#if RSA_TEST
1824TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
1825 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1826 .RsaSigningKey(256, 3)
1827 .Digest(KM_DIGEST_NONE)
1828 .Padding(KM_PAD_NONE)));
1829 string export_data;
1830 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1831
1832 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1833 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1834}
1835
1836TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
1837 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1838 .RsaSigningKey(256, 3)
1839 .Digest(KM_DIGEST_NONE)
1840 .Padding(KM_PAD_NONE)));
1841 corrupt_key_blob();
1842 string export_data;
1843 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1844
1845 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1846 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1847}
1848#endif
1849#if AES_TEST
1850TEST_P(ExportKeyTest, AesKeyExportFails) {
1851 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128)));
1852 string export_data;
1853
1854 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1855 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1856 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data));
1857
1858 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1859}
1860#endif
1861static string read_file(const string& file_name) {
1862 ifstream file_stream(file_name, std::ios::binary);
1863 istreambuf_iterator<char> file_begin(file_stream);
1864 istreambuf_iterator<char> file_end;
1865 return string(file_begin, file_end);
1866}
1867
1868typedef Keymaster2Test ImportKeyTest;
1869INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params);
1870#if RSA_TEST
1871TEST_P(ImportKeyTest, RsaSuccess) {
1872 string pk8_key = read_file("rsa_privkey_pk8.der");
1873 ASSERT_EQ(633U, pk8_key.size());
1874
1875 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1876 .RsaSigningKey(1024, 65537)
1877 .Digest(KM_DIGEST_NONE)
1878 .Padding(KM_PAD_NONE),
1879 KM_KEY_FORMAT_PKCS8, pk8_key));
1880
1881 // Check values derived from the key.
1882 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
1883 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 1024));
1884 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 65537U));
1885
1886 // And values provided by AndroidKeymaster
1887 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1888 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1889
1890 string message(1024 / 8, 'a');
1891 string signature;
1892 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1893 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1894
1895 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1896 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1897}
1898#endif
1899#if RSA_TEST
1900TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1901 string pk8_key = read_file("rsa_privkey_pk8.der");
1902 ASSERT_EQ(633U, pk8_key.size());
1903 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1904 ImportKey(AuthorizationSetBuilder()
1905 .RsaSigningKey(2048 /* Doesn't match key */, 3)
1906 .Digest(KM_DIGEST_NONE)
1907 .Padding(KM_PAD_NONE),
1908 KM_KEY_FORMAT_PKCS8, pk8_key));
1909
1910 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1911}
1912
1913TEST_P(ImportKeyTest, RsaPublicExponenMismatch) {
1914 string pk8_key = read_file("rsa_privkey_pk8.der");
1915 ASSERT_EQ(633U, pk8_key.size());
1916 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1917 ImportKey(AuthorizationSetBuilder()
1918 .RsaSigningKey(256, 3 /* Doesnt' match key */)
1919 .Digest(KM_DIGEST_NONE)
1920 .Padding(KM_PAD_NONE),
1921 KM_KEY_FORMAT_PKCS8, pk8_key));
1922
1923 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1924}
1925#endif
1926#if EC_TEST
1927TEST_P(ImportKeyTest, EcdsaSuccess) {
1928 string pk8_key = read_file("ec_privkey_pk8.der");
1929 ASSERT_EQ(138U, pk8_key.size());
1930
1931 ASSERT_EQ(KM_ERROR_OK,
1932 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1933 KM_KEY_FORMAT_PKCS8, pk8_key));
1934
1935 // Check values derived from the key.
1936 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC));
1937 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 256));
1938
1939 // And values provided by AndroidKeymaster
1940 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1941 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1942
1943 string message(32, 'a');
1944 string signature;
1945 SignMessage(message, &signature, KM_DIGEST_NONE);
1946 VerifyMessage(message, signature, KM_DIGEST_NONE);
1947
1948 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1949 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1950}
1951
1952TEST_P(ImportKeyTest, EcdsaSizeSpecified) {
1953 string pk8_key = read_file("ec_privkey_pk8.der");
1954 ASSERT_EQ(138U, pk8_key.size());
1955
1956 ASSERT_EQ(KM_ERROR_OK,
1957 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1958 KM_KEY_FORMAT_PKCS8, pk8_key));
1959
1960 // Check values derived from the key.
1961 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC));
1962 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 256));
1963
1964 // And values provided by AndroidKeymaster
1965 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1966 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1967
1968 string message(32, 'a');
1969 string signature;
1970 SignMessage(message, &signature, KM_DIGEST_NONE);
1971 VerifyMessage(message, signature, KM_DIGEST_NONE);
1972
1973 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1974 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1975}
1976
1977TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1978 string pk8_key = read_file("ec_privkey_pk8.der");
1979 ASSERT_EQ(138U, pk8_key.size());
1980 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1981 ImportKey(AuthorizationSetBuilder()
1982 .EcdsaSigningKey(224 /* Doesn't match key */)
1983 .Digest(KM_DIGEST_NONE),
1984 KM_KEY_FORMAT_PKCS8, pk8_key));
1985
1986 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1987}
1988#endif
1989#if AES_TEST
1990TEST_P(ImportKeyTest, AesKeySuccess) {
1991 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1992 string key(key_data, sizeof(key_data));
1993 ASSERT_EQ(KM_ERROR_OK,
1994 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization(
1995 TAG_PADDING, KM_PAD_PKCS7),
1996 KM_KEY_FORMAT_RAW, key));
1997
1998 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1999 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
2000
2001 string message = "Hello World!";
2002 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2003 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
2004 EXPECT_EQ(message, plaintext);
2005
2006 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2007}
2008#endif
2009#if HMAC_TEST
2010TEST_P(ImportKeyTest, HmacSha256KeySuccess) {
2011 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
2012 string key(key_data, sizeof(key_data));
2013 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2014 .HmacKey(sizeof(key_data) * 8)
2015 .Digest(KM_DIGEST_SHA_2_256)
2016 .Authorization(TAG_MIN_MAC_LENGTH, 256),
2017 KM_KEY_FORMAT_RAW, key));
2018
2019 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
2020 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
2021
2022 string message = "Hello World!";
2023 string signature;
2024 MacMessage(message, &signature, 256);
2025 VerifyMac(message, signature);
2026
2027 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2028}
2029#endif
2030typedef Keymaster2Test EncryptionOperationsTest;
2031INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params);
2032#if RSA_TEST
2033TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
2034 ASSERT_EQ(KM_ERROR_OK,
2035 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2036
2037 string message = "12345678901234567890123456789012";
2038 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE);
2039 EXPECT_EQ(256U / 8, ciphertext1.size());
2040
2041 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE);
2042 EXPECT_EQ(256U / 8, ciphertext2.size());
2043
2044 // Unpadded RSA is deterministic
2045 EXPECT_EQ(ciphertext1, ciphertext2);
2046
2047 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2048 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2049}
2050
2051TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) {
2052 ASSERT_EQ(KM_ERROR_OK,
2053 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2054
2055 string message = "1";
2056
2057 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
2058 EXPECT_EQ(256U / 8, ciphertext.size());
2059
2060 string expected_plaintext = string(256 / 8 - 1, 0) + message;
2061 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE);
2062
2063 EXPECT_EQ(expected_plaintext, plaintext);
2064
2065 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2066 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2067}
2068
2069TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
2070 ASSERT_EQ(KM_ERROR_OK,
2071 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2072
2073 string message = "123456789012345678901234567890123";
2074
2075 AuthorizationSet begin_params(client_params());
2076 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2077 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2078
2079 string result;
2080 size_t input_consumed;
2081 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
2082
2083 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2084 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2085}
2086
2087TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) {
2088 ASSERT_EQ(KM_ERROR_OK,
2089 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2090
2091 string exported;
2092 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported));
2093
2094 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data());
2095 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
2096 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
2097 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get()));
2098
2099 size_t modulus_len = BN_num_bytes(rsa->n);
2100 ASSERT_EQ(256U / 8, modulus_len);
2101 unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
2102 BN_bn2bin(rsa->n, modulus_buf.get());
2103
2104 // The modulus is too big to encrypt.
2105 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2106
2107 AuthorizationSet begin_params(client_params());
2108 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2109 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2110
2111 string result;
2112 size_t input_consumed;
2113 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2114 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result));
2115
2116 // One smaller than the modulus is okay.
2117 BN_sub(rsa->n, rsa->n, BN_value_one());
2118 modulus_len = BN_num_bytes(rsa->n);
2119 ASSERT_EQ(256U / 8, modulus_len);
2120 BN_bn2bin(rsa->n, modulus_buf.get());
2121 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2122 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2123 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2124 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
2125
2126 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2127 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2128}
2129#endif
2130#if RSA_TEST
2131TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2132 size_t key_size = 768;
2133 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2134 .RsaEncryptionKey(key_size, 3)
2135 .Padding(KM_PAD_RSA_OAEP)
2136 .Digest(KM_DIGEST_SHA_2_256)));
2137
2138 string message = "Hello";
2139 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2140 EXPECT_EQ(key_size / 8, ciphertext1.size());
2141
2142 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2143 EXPECT_EQ(key_size / 8, ciphertext2.size());
2144
2145 // OAEP randomizes padding so every result should be different.
2146 EXPECT_NE(ciphertext1, ciphertext2);
2147
2148 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2149 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2150}
2151#endif
2152#if RSA_TEST
2153TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) {
2154 size_t key_size = 768;
2155 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2156 .RsaEncryptionKey(key_size, 3)
2157 .Padding(KM_PAD_RSA_OAEP)
2158 .Digest(KM_DIGEST_SHA_2_224)));
2159
2160 string message = "Hello";
2161 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2162 EXPECT_EQ(key_size / 8, ciphertext1.size());
2163
2164 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2165 EXPECT_EQ(key_size / 8, ciphertext2.size());
2166
2167 // OAEP randomizes padding so every result should be different.
2168 EXPECT_NE(ciphertext1, ciphertext2);
2169
2170 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2171 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2172}
2173
2174TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) {
2175 size_t key_size = 768;
2176 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2177 .RsaEncryptionKey(key_size, 3)
2178 .Padding(KM_PAD_RSA_OAEP)
2179 .Digest(KM_DIGEST_SHA_2_256)));
2180 string message = "Hello World!";
2181 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2182 EXPECT_EQ(key_size / 8, ciphertext.size());
2183
2184 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2185 EXPECT_EQ(message, plaintext);
2186
2187 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2188 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2189}
2190
2191TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) {
2192 size_t key_size = 768;
2193 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2194 .RsaEncryptionKey(key_size, 3)
2195 .Padding(KM_PAD_RSA_OAEP)
2196 .Digest(KM_DIGEST_SHA_2_224)));
2197 string message = "Hello World!";
2198 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2199 EXPECT_EQ(key_size / 8, ciphertext.size());
2200
2201 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2202 EXPECT_EQ(message, plaintext);
2203
2204 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2205 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2206}
2207
2208TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2209 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2210 .RsaEncryptionKey(512, 3)
2211 .Padding(KM_PAD_RSA_OAEP)
2212 .Digest(KM_DIGEST_NONE)));
2213 string message = "Hello World!";
2214
2215 AuthorizationSet begin_params(client_params());
2216 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2217 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
2218 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2219
2220 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2221 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2222}
2223
2224TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) {
2225 if (GetParam()->minimal_digest_set())
2226 // We don't have two supported digests, so we can't try authorizing one and using another.
2227 return;
2228
2229 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2230 .RsaEncryptionKey(512, 3)
2231 .Padding(KM_PAD_RSA_OAEP)
2232 .Digest(KM_DIGEST_SHA_2_256)));
2233 string message = "Hello World!";
2234 // Works because encryption is a public key operation.
2235 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP);
2236
2237 AuthorizationSet begin_params(client_params());
2238 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2239 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2240 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2241
2242 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2243 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2244}
2245
2246TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2247 if (GetParam()->minimal_digest_set())
2248 // We don't have two supported digests, so we can't try encrypting with one and decrypting
2249 // with another.
2250 return;
2251
2252 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2253 .RsaEncryptionKey(768, 3)
2254 .Padding(KM_PAD_RSA_OAEP)
2255 .Digest(KM_DIGEST_SHA_2_256)
2256 .Digest(KM_DIGEST_SHA_2_384)));
2257 string message = "Hello World!";
2258 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2259
2260 string result;
2261 size_t input_consumed;
2262 AuthorizationSet begin_params(client_params());
2263 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2264 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
2265 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2266 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2267 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2268 EXPECT_EQ(0U, result.size());
2269
2270 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2271 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2272}
2273
2274TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2275 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2276 .RsaEncryptionKey(512, 3)
2277 .Padding(KM_PAD_RSA_OAEP)
2278 .Digest(KM_DIGEST_SHA1)));
2279 string message = "12345678901234567890123";
2280 string result;
2281 size_t input_consumed;
2282
2283 AuthorizationSet begin_params(client_params());
2284 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2285 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2286 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2287 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2288 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2289 EXPECT_EQ(0U, result.size());
2290
2291 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2292 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2293}
2294
2295TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) {
2296 size_t key_size = 768;
2297 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2298 .RsaEncryptionKey(768, 3)
2299 .Padding(KM_PAD_RSA_OAEP)
2300 .Digest(KM_DIGEST_SHA_2_256)));
2301 string message = "Hello World!";
2302 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2303 EXPECT_EQ(key_size / 8, ciphertext.size());
2304
2305 // Corrupt the ciphertext
2306 ciphertext[key_size / 8 / 2]++;
2307
2308 string result;
2309 size_t input_consumed;
2310 AuthorizationSet begin_params(client_params());
2311 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2312 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
2313 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2314 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2315 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2316 EXPECT_EQ(0U, result.size());
2317
2318 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2319 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2320}
2321#endif
2322#if RSA_TEST
2323TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2324 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2325 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2326 string message = "Hello World!";
2327 string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2328 EXPECT_EQ(512U / 8, ciphertext1.size());
2329
2330 string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2331 EXPECT_EQ(512U / 8, ciphertext2.size());
2332
2333 // PKCS1 v1.5 randomizes padding so every result should be different.
2334 EXPECT_NE(ciphertext1, ciphertext2);
2335
2336 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2337 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2338}
2339
2340TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) {
2341 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2342 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2343 string message = "Hello World!";
2344 string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2345 EXPECT_EQ(512U / 8, ciphertext.size());
2346
2347 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2348 EXPECT_EQ(message, plaintext);
2349
2350 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2351 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2352}
2353#endif
2354#if CHECK_FAIL
2355TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) {
2356 size_t key_size = 2048;
2357 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2358 .RsaEncryptionKey(key_size, 3)
2359 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT)
2360 .Padding(KM_PAD_RSA_OAEP)
2361 .Digest(KM_DIGEST_NONE)
2362 .Digest(KM_DIGEST_MD5)
2363 .Digest(KM_DIGEST_SHA1)
2364 .Digest(KM_DIGEST_SHA_2_224)
2365 .Digest(KM_DIGEST_SHA_2_256)
2366 .Digest(KM_DIGEST_SHA_2_384)
2367 .Digest(KM_DIGEST_SHA_2_512)));
2368
2369 string message = "Hello World!";
2370
2371 keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
2372 keymaster_digest_t digests[] = {
2373 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
2374 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
2375 };
2376
2377 for (auto padding : padding_modes)
2378 for (auto digest : digests) {
2379 if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE)
2380 // OAEP requires a digest.
2381 continue;
2382
2383 string ciphertext = EncryptMessage(message, digest, padding);
2384 EXPECT_EQ(key_size / 8, ciphertext.size());
2385
2386 string plaintext = DecryptMessage(ciphertext, digest, padding);
2387 EXPECT_EQ(message, plaintext);
2388 }
2389
2390 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2391 EXPECT_EQ(40, GetParam()->keymaster0_calls());
2392}
2393#endif
2394#if RSA_TEST
2395TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2396 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2397 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2398 string message = "123456789012345678901234567890123456789012345678901234";
2399 string result;
2400 size_t input_consumed;
2401
2402 AuthorizationSet begin_params(client_params());
2403 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2404 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2405 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2406 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2407 EXPECT_EQ(0U, result.size());
2408
2409 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2410 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2411}
2412
2413TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) {
2414 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2415 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2416 string message = "Hello World!";
2417 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2418 EXPECT_EQ(512U / 8, ciphertext.size());
2419
2420 // Corrupt the ciphertext
2421 ciphertext[512 / 8 / 2]++;
2422
2423 string result;
2424 size_t input_consumed;
2425 AuthorizationSet begin_params(client_params());
2426 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2427 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2428 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2429 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2430 EXPECT_EQ(0U, result.size());
2431
2432 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2433 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2434}
2435
2436TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) {
2437 ASSERT_EQ(KM_ERROR_OK,
2438 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE)));
2439
2440 AuthorizationSet begin_params(client_params());
2441 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2442 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2443
2444 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2445 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2446}
2447#endif
2448#if EC_TEST
2449TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2450 ASSERT_EQ(KM_ERROR_OK,
2451 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
2452 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2453 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2454
2455 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
2456 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2457}
2458#endif
2459#if HMAC_TEST
2460TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2461 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2462 .HmacKey(128)
2463 .Digest(KM_DIGEST_SHA_2_256)
2464 .Padding(KM_PAD_NONE)
2465 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2466 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2467 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2468
2469 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2470}
2471#endif
2472#if AES_TEST
2473TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2474 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2475 .AesEncryptionKey(128)
2476 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2477 .Padding(KM_PAD_NONE)));
2478 // Two-block message.
2479 string message = "12345678901234567890123456789012";
2480 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
2481 EXPECT_EQ(message.size(), ciphertext1.size());
2482
2483 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE);
2484 EXPECT_EQ(message.size(), ciphertext2.size());
2485
2486 // ECB is deterministic.
2487 EXPECT_EQ(ciphertext1, ciphertext2);
2488
2489 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE);
2490 EXPECT_EQ(message, plaintext);
2491
2492 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2493}
2494
2495TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) {
2496 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2497 .AesEncryptionKey(128)
2498 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2499 .Padding(KM_PAD_NONE)));
2500 // Two-block message.
2501 string message = "12345678901234567890123456789012";
2502 AuthorizationSet begin_params(client_params());
2503 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2504 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2505 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2506
2507 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2508}
2509
2510TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2511 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2512 .AesEncryptionKey(128)
2513 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2514 .Padding(KM_PAD_NONE)));
2515 // Message is slightly shorter than two blocks.
2516 string message = "1234567890123456789012345678901";
2517
2518 AuthorizationSet begin_params(client_params());
2519 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2520 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2521 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2522 string ciphertext;
2523 size_t input_consumed;
2524 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed));
2525 EXPECT_EQ(message.size(), input_consumed);
2526 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext));
2527
2528 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2529}
2530#endif
2531#if AES_TEST
2532TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2533 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2534 .AesEncryptionKey(128)
2535 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2536 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2537
2538 // Try various message lengths; all should work.
2539 for (size_t i = 0; i < 32; ++i) {
2540 string message(i, 'a');
2541 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2542 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2543 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
2544 EXPECT_EQ(message, plaintext);
2545 }
2546
2547 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2548}
2549#endif
2550#if AES_TEST
2551TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) {
2552 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2553 .AesEncryptionKey(128)
2554 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2555 .Authorization(TAG_PADDING, KM_PAD_NONE)));
2556
2557 // Try various message lengths; all should fail.
2558 for (size_t i = 0; i < 32; ++i) {
2559 AuthorizationSet begin_params(client_params());
2560 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2561 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2562 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
2563 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2564 }
2565
2566 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2567}
2568#endif
2569
2570#if AES_TEST
2571TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2572 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2573 .AesEncryptionKey(128)
2574 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2575 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2576
2577 string message = "a";
2578 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2579 EXPECT_EQ(16U, ciphertext.size());
2580 EXPECT_NE(ciphertext, message);
2581 ++ciphertext[ciphertext.size() / 2];
2582
2583 AuthorizationSet begin_params(client_params());
2584 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2585 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2586 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2587 string plaintext;
2588 size_t input_consumed;
2589 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
2590 EXPECT_EQ(ciphertext.size(), input_consumed);
2591 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
2592
2593 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2594}
2595#endif
2596
2597#if AES_TEST
2598TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2599 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2600 .AesEncryptionKey(128)
2601 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2602 .Padding(KM_PAD_NONE)));
2603 string message = "123";
2604 string iv1;
2605 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1);
2606 EXPECT_EQ(message.size(), ciphertext1.size());
2607 EXPECT_EQ(16U, iv1.size());
2608
2609 string iv2;
2610 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2);
2611 EXPECT_EQ(message.size(), ciphertext2.size());
2612 EXPECT_EQ(16U, iv2.size());
2613
2614 // IVs should be random, so ciphertexts should differ.
2615 EXPECT_NE(iv1, iv2);
2616 EXPECT_NE(ciphertext1, ciphertext2);
2617
2618 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1);
2619 EXPECT_EQ(message, plaintext);
2620
2621 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2622}
2623
2624TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
2625 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2626 .AesEncryptionKey(128)
2627 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2628 .Padding(KM_PAD_NONE)));
2629
2630 int increment = 15;
2631 string message(239, 'a');
2632 AuthorizationSet input_params(client_params());
2633 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2634 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2635 AuthorizationSet output_params;
2636 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2637
2638 string ciphertext;
2639 size_t input_consumed;
2640 for (size_t i = 0; i < message.size(); i += increment)
2641 EXPECT_EQ(KM_ERROR_OK,
2642 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2643 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2644 EXPECT_EQ(message.size(), ciphertext.size());
2645
2646 // Move TAG_NONCE into input_params
2647 input_params.Reinitialize(output_params);
2648 input_params.push_back(client_params());
2649 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2650 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2651 output_params.Clear();
2652
2653 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2654 string plaintext;
2655 for (size_t i = 0; i < ciphertext.size(); i += increment)
2656 EXPECT_EQ(KM_ERROR_OK,
2657 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2658 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2659 EXPECT_EQ(ciphertext.size(), plaintext.size());
2660 EXPECT_EQ(message, plaintext);
2661
2662 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2663}
2664
2665struct AesCtrSp80038aTestVector {
2666 const char* key;
2667 const char* nonce;
2668 const char* plaintext;
2669 const char* ciphertext;
2670};
2671
2672// These test vectors are taken from
2673// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2674static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2675 // AES-128
2676 {
2677 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2678 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2679 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2680 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2681 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2682 },
2683 // AES-192
2684 {
2685 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2686 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2687 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2688 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2689 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2690 },
2691 // AES-256
2692 {
2693 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2694 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2695 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2696 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2697 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2698 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2699 },
2700};
2701
2702TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2703 for (size_t i = 0; i < 3; i++) {
2704 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2705 const string key = hex2str(test.key);
2706 const string nonce = hex2str(test.nonce);
2707 const string plaintext = hex2str(test.plaintext);
2708 const string ciphertext = hex2str(test.ciphertext);
2709 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2710 }
2711
2712 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2713}
2714
2715TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) {
2716 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2717 .AesEncryptionKey(128)
2718 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2719 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2720 AuthorizationSet begin_params(client_params());
2721 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2722 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2723 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2724
2725 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2726}
2727
2728TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2729 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2730 .AesEncryptionKey(128)
2731 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2732 .Authorization(TAG_CALLER_NONCE)
2733 .Padding(KM_PAD_NONE)));
2734
2735 AuthorizationSet input_params(client_params());
2736 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2737 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2738 input_params.push_back(TAG_NONCE, "123", 3);
2739 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params));
2740
2741 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2742}
2743
2744TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
2745 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2746 .AesEncryptionKey(128)
2747 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2748 .Padding(KM_PAD_NONE)));
2749 // Two-block message.
2750 string message = "12345678901234567890123456789012";
2751 string iv1;
2752 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2753 EXPECT_EQ(message.size(), ciphertext1.size());
2754
2755 string iv2;
2756 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2);
2757 EXPECT_EQ(message.size(), ciphertext2.size());
2758
2759 // IVs should be random, so ciphertexts should differ.
2760 EXPECT_NE(iv1, iv2);
2761 EXPECT_NE(ciphertext1, ciphertext2);
2762
2763 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2764 EXPECT_EQ(message, plaintext);
2765
2766 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2767}
2768
2769TEST_P(EncryptionOperationsTest, AesCallerNonce) {
2770 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2771 .AesEncryptionKey(128)
2772 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2773 .Authorization(TAG_CALLER_NONCE)
2774 .Padding(KM_PAD_NONE)));
2775 string message = "12345678901234567890123456789012";
2776 string iv1;
2777 // Don't specify nonce, should get a random one.
2778 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2779 EXPECT_EQ(message.size(), ciphertext1.size());
2780 EXPECT_EQ(16U, iv1.size());
2781
2782 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2783 EXPECT_EQ(message, plaintext);
2784
2785 // Now specify a nonce, should also work.
2786 AuthorizationSet input_params(client_params());
2787 AuthorizationSet update_params;
2788 AuthorizationSet output_params;
2789 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2790 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2791 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2792 string ciphertext2 =
2793 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params);
2794
2795 // Decrypt with correct nonce.
2796 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2797 &output_params);
2798 EXPECT_EQ(message, plaintext);
2799
2800 // Now try with wrong nonce.
2801 input_params.Reinitialize(client_params());
2802 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2803 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2804 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16);
2805 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2806 &output_params);
2807 EXPECT_NE(message, plaintext);
2808
2809 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2810}
2811
2812TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
2813 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2814 .AesEncryptionKey(128)
2815 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2816 .Padding(KM_PAD_NONE)));
2817
2818 string message = "12345678901234567890123456789012";
2819 string iv1;
2820 // Don't specify nonce, should get a random one.
2821 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2822 EXPECT_EQ(message.size(), ciphertext1.size());
2823 EXPECT_EQ(16U, iv1.size());
2824
2825 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2826 EXPECT_EQ(message, plaintext);
2827
2828 // Now specify a nonce, should fail.
2829 AuthorizationSet input_params(client_params());
2830 AuthorizationSet update_params;
2831 AuthorizationSet output_params;
2832 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2833 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2834 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2835
2836 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
2837 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2838
2839 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2840}
2841
2842TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) {
2843 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2844 .AesEncryptionKey(128)
2845 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2846 .Padding(KM_PAD_NONE)));
2847
2848 int increment = 15;
2849 string message(240, 'a');
2850 AuthorizationSet input_params(client_params());
2851 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2852 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2853 AuthorizationSet output_params;
2854 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2855
2856 string ciphertext;
2857 size_t input_consumed;
2858 for (size_t i = 0; i < message.size(); i += increment)
2859 EXPECT_EQ(KM_ERROR_OK,
2860 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2861 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2862 EXPECT_EQ(message.size(), ciphertext.size());
2863
2864 // Move TAG_NONCE into input_params
2865 input_params.Reinitialize(output_params);
2866 input_params.push_back(client_params());
2867 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2868 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2869 output_params.Clear();
2870
2871 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2872 string plaintext;
2873 for (size_t i = 0; i < ciphertext.size(); i += increment)
2874 EXPECT_EQ(KM_ERROR_OK,
2875 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2876 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2877 EXPECT_EQ(ciphertext.size(), plaintext.size());
2878 EXPECT_EQ(message, plaintext);
2879
2880 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2881}
2882#endif
2883
2884#if AES_TEST
2885TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) {
2886 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2887 .AesEncryptionKey(128)
2888 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2889 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2890
2891 // Try various message lengths; all should work.
2892 for (size_t i = 0; i < 32; ++i) {
2893 string message(i, 'a');
2894 string iv;
2895 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
2896 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2897 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv);
2898 EXPECT_EQ(message, plaintext);
2899 }
2900
2901 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2902}
2903#endif
2904#if AES_TEST
2905TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2906 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2907 .AesEncryptionKey(128)
2908 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2909 .Authorization(TAG_PADDING, KM_PAD_NONE)
2910 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2911 string aad = "foobar";
2912 string message = "123456789012345678901234567890123456";
2913 AuthorizationSet begin_params(client_params());
2914 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2915 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2916 begin_params.push_back(TAG_MAC_LENGTH, 128);
2917
2918 AuthorizationSet update_params;
2919 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2920
2921 // Encrypt
2922 AuthorizationSet begin_out_params;
2923 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2924 string ciphertext;
2925 size_t input_consumed;
2926 AuthorizationSet update_out_params;
2927 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2928 &input_consumed));
2929 EXPECT_EQ(message.size(), input_consumed);
2930 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2931
2932 // Grab nonce
2933 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2934 begin_params.push_back(begin_out_params);
2935
2936 // Decrypt.
2937 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2938 string plaintext;
2939 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2940 &plaintext, &input_consumed));
2941 EXPECT_EQ(ciphertext.size(), input_consumed);
2942 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2943
2944 EXPECT_EQ(message, plaintext);
2945 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2946}
2947
2948TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
2949 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2950 .AesEncryptionKey(128)
2951 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2952 .Authorization(TAG_PADDING, KM_PAD_NONE)
2953 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2954 string aad = "foobar";
2955 string message = "123456789012345678901234567890123456";
2956 AuthorizationSet begin_params(client_params());
2957 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2958 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2959 begin_params.push_back(TAG_MAC_LENGTH, 96);
2960
2961 AuthorizationSet update_params;
2962 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2963
2964 AuthorizationSet begin_out_params;
2965 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
2966 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2967
2968 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2969}
2970
2971TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
2972 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2973 .AesEncryptionKey(128)
2974 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2975 .Authorization(TAG_PADDING, KM_PAD_NONE)
2976 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2977 string aad = "foobar";
2978 string message = "123456789012345678901234567890123456";
2979 AuthorizationSet begin_params(client_params());
2980 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2981 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2982 begin_params.push_back(TAG_MAC_LENGTH, 128);
2983
2984 AuthorizationSet update_params;
2985 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2986
2987 // Encrypt
2988 AuthorizationSet begin_out_params;
2989 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2990 string ciphertext;
2991 size_t input_consumed;
2992 AuthorizationSet update_out_params;
2993 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2994 &input_consumed));
2995 EXPECT_EQ(message.size(), input_consumed);
2996 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2997
2998 // Grab nonce
2999 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3000 begin_params.Reinitialize(client_params());
3001 begin_params.push_back(begin_out_params);
3002 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3003 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3004 begin_params.push_back(TAG_MAC_LENGTH, 96);
3005
3006 // Decrypt.
3007 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3008
3009 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3010}
3011
3012TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
3013 uint8_t nonce[] = {
3014 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
3015 };
3016 uint8_t ciphertext[] = {
3017 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
3018 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
3019 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
3020 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
3021 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
3022 };
3023 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext));
3024
3025 AuthorizationSet begin_params(client_params());
3026 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3027 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3028 begin_params.push_back(TAG_MAC_LENGTH, 128);
3029 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce));
3030
3031 string plaintext;
3032 size_t input_consumed;
3033
3034 // Import correct key and decrypt
3035 uint8_t good_key[] = {
3036 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
3037 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
3038 };
3039 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key));
3040 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
3041 .AesEncryptionKey(128)
3042 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3043 .Authorization(TAG_PADDING, KM_PAD_NONE)
3044 .Authorization(TAG_CALLER_NONCE)
3045 .Authorization(TAG_MIN_MAC_LENGTH, 128),
3046 KM_KEY_FORMAT_RAW, good_key_str));
3047 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3048 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
3049 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3050
3051 // Import bad key and decrypt
3052 uint8_t bad_key[] = {
3053 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
3054 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
3055 };
3056 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key));
3057 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
3058 .AesEncryptionKey(128)
3059 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3060 .Authorization(TAG_PADDING, KM_PAD_NONE)
3061 .Authorization(TAG_MIN_MAC_LENGTH, 128),
3062 KM_KEY_FORMAT_RAW, bad_key_str));
3063 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3064 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
3065 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3066
3067 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3068}
3069
3070TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
3071 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3072 .AesEncryptionKey(128)
3073 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3074 .Authorization(TAG_PADDING, KM_PAD_NONE)
3075 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3076 string aad = "123456789012345678";
3077 string empty_message;
3078 AuthorizationSet begin_params(client_params());
3079 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3080 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3081 begin_params.push_back(TAG_MAC_LENGTH, 128);
3082
3083 AuthorizationSet update_params;
3084 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3085
3086 // Encrypt
3087 AuthorizationSet begin_out_params;
3088 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3089 string ciphertext;
3090 size_t input_consumed;
3091 AuthorizationSet update_out_params;
3092 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params,
3093 &ciphertext, &input_consumed));
3094 EXPECT_EQ(0U, input_consumed);
3095 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3096
3097 // Grab nonce
3098 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3099 begin_params.push_back(begin_out_params);
3100
3101 // Decrypt.
3102 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3103 string plaintext;
3104 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3105 &plaintext, &input_consumed));
3106 EXPECT_EQ(ciphertext.size(), input_consumed);
3107 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3108
3109 EXPECT_EQ(empty_message, plaintext);
3110 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3111}
3112#endif
3113#if AES_TEST
3114TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
3115 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3116 .AesEncryptionKey(128)
3117 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3118 .Authorization(TAG_PADDING, KM_PAD_NONE)
3119 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3120 AuthorizationSet begin_params(client_params());
3121 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3122 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3123 begin_params.push_back(TAG_MAC_LENGTH, 128);
3124
3125 AuthorizationSet update_params;
3126 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1);
3127
3128 // Encrypt
3129 AuthorizationSet begin_out_params;
3130 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3131 string ciphertext;
3132 size_t input_consumed;
3133 AuthorizationSet update_out_params;
3134
3135 // Send AAD, incrementally
3136 for (int i = 0; i < 1000; ++i) {
3137 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext,
3138 &input_consumed));
3139 EXPECT_EQ(0U, input_consumed);
3140 EXPECT_EQ(0U, ciphertext.size());
3141 }
3142
3143 // Now send data, incrementally, no data.
3144 AuthorizationSet empty_params;
3145 for (int i = 0; i < 1000; ++i) {
3146 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext,
3147 &input_consumed));
3148 EXPECT_EQ(1U, input_consumed);
3149 }
3150 EXPECT_EQ(1000U, ciphertext.size());
3151
3152 // And finish.
3153 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3154 EXPECT_EQ(1016U, ciphertext.size());
3155
3156 // Grab nonce
3157 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3158 begin_params.push_back(begin_out_params);
3159
3160 // Decrypt.
3161 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3162 string plaintext;
3163
3164 // Send AAD, incrementally, no data
3165 for (int i = 0; i < 1000; ++i) {
3166 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext,
3167 &input_consumed));
3168 EXPECT_EQ(0U, input_consumed);
3169 EXPECT_EQ(0U, plaintext.size());
3170 }
3171
3172 // Now send data, incrementally.
3173 for (size_t i = 0; i < ciphertext.length(); ++i) {
3174 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1),
3175 &update_out_params, &plaintext, &input_consumed));
3176 EXPECT_EQ(1U, input_consumed);
3177 }
3178 EXPECT_EQ(1000U, plaintext.size());
3179 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3180
3181 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3182}
3183
3184TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3185 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3186 .AesEncryptionKey(128)
3187 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3188 .Authorization(TAG_PADDING, KM_PAD_NONE)
3189 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3190 string message = "123456789012345678901234567890123456";
3191 AuthorizationSet begin_params(client_params());
3192 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3193 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3194 begin_params.push_back(TAG_MAC_LENGTH, 128);
3195 AuthorizationSet begin_out_params;
3196
3197 AuthorizationSet update_params;
3198 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3);
3199
3200 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3201
3202 // No data, AAD only.
3203 string ciphertext;
3204 size_t input_consumed;
3205 AuthorizationSet update_out_params;
3206 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params,
3207 &ciphertext, &input_consumed));
3208 EXPECT_EQ(0U, input_consumed);
3209
3210 // AAD and data.
3211 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3212 &input_consumed));
3213 EXPECT_EQ(message.size(), input_consumed);
3214 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3215
3216 // Grab nonce.
3217 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3218 begin_params.push_back(begin_out_params);
3219
3220 // Decrypt
3221 update_params.Clear();
3222 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6);
3223
3224 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3225 string plaintext;
3226 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3227 &plaintext, &input_consumed));
3228 EXPECT_EQ(ciphertext.size(), input_consumed);
3229 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3230
3231 EXPECT_EQ(message, plaintext);
3232 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3233}
3234
3235TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3236 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3237 .AesEncryptionKey(128)
3238 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3239 .Authorization(TAG_PADDING, KM_PAD_NONE)
3240 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3241 string message = "12345678901234567890123456789012";
3242 AuthorizationSet begin_params(client_params());
3243 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3244 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3245 begin_params.push_back(TAG_MAC_LENGTH, 128);
3246
3247 AuthorizationSet update_params;
3248 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3249
3250 AuthorizationSet finish_params;
3251 AuthorizationSet finish_out_params;
3252
3253 // Encrypt
3254 AuthorizationSet begin_out_params;
3255 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3256 AuthorizationSet update_out_params;
3257 string ciphertext;
3258 size_t input_consumed;
3259 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3260 &input_consumed));
3261 EXPECT_EQ(message.size(), input_consumed);
3262 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3263
3264 // Grab nonce
3265 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3266 begin_params.push_back(begin_out_params);
3267
3268 update_params.Clear();
3269 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6);
3270
3271 // Decrypt.
3272 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3273 string plaintext;
3274 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3275 &plaintext, &input_consumed));
3276 EXPECT_EQ(ciphertext.size(), input_consumed);
3277 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3278
3279 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3280}
3281
3282TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3283 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3284 .AesEncryptionKey(128)
3285 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3286 .Authorization(TAG_PADDING, KM_PAD_NONE)
3287 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3288 string message = "12345678901234567890123456789012";
3289 AuthorizationSet begin_params(client_params());
3290 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3291 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3292 begin_params.push_back(TAG_MAC_LENGTH, 128);
3293
3294 AuthorizationSet update_params;
3295 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3296
3297 // Encrypt
3298 AuthorizationSet begin_out_params;
3299 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3300 AuthorizationSet update_out_params;
3301 string ciphertext;
3302 size_t input_consumed;
3303 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3304 &input_consumed));
3305 EXPECT_EQ(message.size(), input_consumed);
3306 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3307
3308 begin_params.push_back(TAG_NONCE, "123456789012", 12);
3309
3310 // Decrypt
3311 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3312 string plaintext;
3313 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3314 &plaintext, &input_consumed));
3315 EXPECT_EQ(ciphertext.size(), input_consumed);
3316 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3317
3318 // With wrong nonce, should have gotten garbage plaintext.
3319 EXPECT_NE(message, plaintext);
3320 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3321}
3322#endif
3323#if AES_TEST
3324TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3325 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3326 .AesEncryptionKey(128)
3327 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3328 .Authorization(TAG_PADDING, KM_PAD_NONE)
3329 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3330 string aad = "foobar";
3331 string message = "123456789012345678901234567890123456";
3332 AuthorizationSet begin_params(client_params());
3333 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3334 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3335 begin_params.push_back(TAG_MAC_LENGTH, 128);
3336 AuthorizationSet begin_out_params;
3337
3338 AuthorizationSet update_params;
3339 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3340
3341 // Encrypt
3342 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3343 AuthorizationSet update_out_params;
3344 string ciphertext;
3345 size_t input_consumed;
3346 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3347 &input_consumed));
3348 EXPECT_EQ(message.size(), input_consumed);
3349 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3350
3351 // Corrupt tag
3352 (*ciphertext.rbegin())++;
3353
3354 // Grab nonce.
3355 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3356 begin_params.push_back(begin_out_params);
3357
3358 // Decrypt.
3359 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3360 string plaintext;
3361 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3362 &plaintext, &input_consumed));
3363 EXPECT_EQ(ciphertext.size(), input_consumed);
3364 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3365
3366 EXPECT_EQ(message, plaintext);
3367 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3368}
3369#endif
3370typedef Keymaster2Test MaxOperationsTest;
3371INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params);
3372#if MAX_TEST
3373TEST_P(MaxOperationsTest, TestLimit) {
3374 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3375 .AesEncryptionKey(128)
3376 .EcbMode()
3377 .Authorization(TAG_PADDING, KM_PAD_NONE)
3378 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3379
3380 string message = "1234567890123456";
3381 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3382 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3383 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3384
3385 // Fourth time should fail.
3386 AuthorizationSet begin_params(client_params());
3387 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3388 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3389 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3390
3391 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3392}
3393
3394TEST_P(MaxOperationsTest, TestAbort) {
3395 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3396 .AesEncryptionKey(128)
3397 .EcbMode()
3398 .Authorization(TAG_PADDING, KM_PAD_NONE)
3399 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3400
3401 string message = "1234567890123456";
3402 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3403 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3404 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3405
3406 // Fourth time should fail.
3407 AuthorizationSet begin_params(client_params());
3408 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3409 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3410 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3411
3412 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3413}
3414#endif
3415typedef Keymaster2Test AddEntropyTest;
3416INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params);
3417#if ENTROPY_TEST
3418TEST_P(AddEntropyTest, AddEntropy) {
3419 // There's no obvious way to test that entropy is actually added, but we can test that the API
3420 // doesn't blow up or return an error.
3421 EXPECT_EQ(KM_ERROR_OK,
3422 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3));
3423
3424 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3425}
3426#endif
3427typedef Keymaster2Test Keymaster0AdapterTest;
3428#if 0
3429INSTANTIATE_TEST_CASE_P(
3430 AndroidKeymasterTest, Keymaster0AdapterTest,
3431 ::testing::Values(
3432 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
3433 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))));
3434#endif
3435TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) {
3436 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted
3437 // key data.
3438 string km1_sw = read_file("km1_sw_rsa_512.blob");
3439 EXPECT_EQ(486U, km1_sw.length());
3440
3441 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3442 memcpy(key_data, km1_sw.data(), km1_sw.length());
3443 set_key_blob(key_data, km1_sw.length());
3444
3445 string message(64, 'a');
3446 string signature;
3447 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3448
3449 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3450}
3451
3452TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) {
3453 // Load and use an old-style Keymaster1 software key blob, without the version byte. These
3454 // blobs contain OCB-encrypted key data.
3455 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob");
3456 EXPECT_EQ(477U, km1_sw.length());
3457
3458 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3459 memcpy(key_data, km1_sw.data(), km1_sw.length());
3460 set_key_blob(key_data, km1_sw.length());
3461
3462 string message(64, 'a');
3463 string signature;
3464 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3465
3466 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3467}
3468
3469TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) {
3470 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted
3471 // key data.
3472 string km1_sw = read_file("km1_sw_ecdsa_256.blob");
3473 EXPECT_EQ(270U, km1_sw.length());
3474
3475 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3476 memcpy(key_data, km1_sw.data(), km1_sw.length());
3477 set_key_blob(key_data, km1_sw.length());
3478
3479 string message(32, static_cast<char>(0xFF));
3480 string signature;
3481 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3482
3483 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3484}
3485
3486struct Malloc_Delete {
3487 void operator()(void* p) { free(p); }
3488};
3489
3490TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) {
3491 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3492 string km0_sw = read_file("km0_sw_rsa_512.blob");
3493 EXPECT_EQ(333U, km0_sw.length());
3494
3495 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3496 memcpy(key_data, km0_sw.data(), km0_sw.length());
3497 set_key_blob(key_data, km0_sw.length());
3498
3499 string message(64, 'a');
3500 string signature;
3501 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3502
3503 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3504}
3505
3506TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) {
3507 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3508 string km0_sw = read_file("km0_sw_rsa_512.blob");
3509 EXPECT_EQ(333U, km0_sw.length());
3510
3511 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3512 memcpy(key_data, km0_sw.data(), km0_sw.length());
3513 set_key_blob(key_data, km0_sw.length());
3514
3515 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3516 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3517 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3518 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3519 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3520 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3521 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3522 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3523 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3524 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3525
3526 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3527}
3528
3529TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) {
3530 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3531 string km0_sw = read_file("km0_sw_rsa_512.blob");
3532 EXPECT_EQ(333U, km0_sw.length());
3533
3534 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3535 // be recognized as a software key. Do the same here to pretend this is a hardware key.
3536 EXPECT_EQ('P', km0_sw[0]);
3537 km0_sw[0] = 'Q';
3538
3539 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3540 memcpy(key_data, km0_sw.data(), km0_sw.length());
3541 set_key_blob(key_data, km0_sw.length());
3542
3543 string message(64, 'a');
3544 string signature;
3545 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3546 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
3547
3548 EXPECT_EQ(5, GetParam()->keymaster0_calls());
3549}
3550
3551TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) {
3552 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3553 string km0_sw = read_file("km0_sw_rsa_512.blob");
3554 EXPECT_EQ(333U, km0_sw.length());
3555
3556 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3557 // be recognized as a software key. Do the same here to pretend this is a hardware key.
3558 EXPECT_EQ('P', km0_sw[0]);
3559 km0_sw[0] = 'Q';
3560
3561 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3562 memcpy(key_data, km0_sw.data(), km0_sw.length());
3563 set_key_blob(key_data, km0_sw.length());
3564
3565 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3566 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3567 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512));
3568 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3569 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3570 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5));
3571 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1));
3572 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224));
3573 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256));
3574 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384));
3575 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512));
3576 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE));
3577 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT));
3578 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN));
3579 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP));
3580 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS));
3581 EXPECT_EQ(15U, hw_enforced().size());
3582
3583 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3584 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3585 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3586 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3587
3588 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3589 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3590 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3591 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3592 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3593
3594 EXPECT_EQ(1, GetParam()->keymaster0_calls());
3595}
3596
3597typedef Keymaster2Test AttestationTest;
3598INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params);
3599
3600#if ATTESTATIONTEST
3601static X509* parse_cert_blob(const keymaster_blob_t& blob) {
3602 const uint8_t* p = blob.data;
3603 return d2i_X509(nullptr, &p, blob.data_length);
3604}
3605
3606static bool verify_chain(const keymaster_cert_chain_t& chain) {
3607 for (size_t i = 0; i < chain.entry_count - 1; ++i) {
3608 keymaster_blob_t& key_cert_blob = chain.entries[i];
3609 keymaster_blob_t& signing_cert_blob = chain.entries[i + 1];
3610
3611 X509_Ptr key_cert(parse_cert_blob(key_cert_blob));
3612 X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob));
3613 EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
3614 if (!key_cert.get() || !signing_cert.get())
3615 return false;
3616
3617 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
3618 EXPECT_TRUE(!!signing_pubkey.get());
3619 if (!signing_pubkey.get())
3620 return false;
3621
3622 EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
3623 << "Verification of certificate " << i << " failed";
3624 }
3625
3626 return true;
3627}
3628
3629// Extract attestation record from cert. Returned object is still part of cert; don't free it
3630// separately.
3631static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
3632 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
3633 EXPECT_TRUE(!!oid.get());
3634 if (!oid.get())
3635 return nullptr;
3636
3637 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
3638 EXPECT_NE(-1, location);
3639 if (location == -1)
3640 return nullptr;
3641
3642 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
3643 EXPECT_TRUE(!!attest_rec_ext);
3644 if (!attest_rec_ext)
3645 return nullptr;
3646
3647 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
3648 EXPECT_TRUE(!!attest_rec);
3649 return attest_rec;
3650}
3651
3652static bool verify_attestation_record(const string& challenge,
3653 AuthorizationSet expected_sw_enforced,
3654 AuthorizationSet expected_tee_enforced,
3655 uint32_t expected_keymaster_version,
3656 keymaster_security_level_t expected_keymaster_security_level,
3657 const keymaster_blob_t& attestation_cert) {
3658
3659 X509_Ptr cert(parse_cert_blob(attestation_cert));
3660 EXPECT_TRUE(!!cert.get());
3661 if (!cert.get())
3662 return false;
3663
3664 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
3665 EXPECT_TRUE(!!attest_rec);
3666 if (!attest_rec)
3667 return false;
3668
3669 AuthorizationSet att_sw_enforced;
3670 AuthorizationSet att_tee_enforced;
3671 uint32_t att_attestation_version;
3672 uint32_t att_keymaster_version;
3673 keymaster_security_level_t att_attestation_security_level;
3674 keymaster_security_level_t att_keymaster_security_level;
3675 keymaster_blob_t att_challenge = {};
3676 keymaster_blob_t att_unique_id = {};
3677
3678 EXPECT_EQ(KM_ERROR_OK, parse_attestation_record(
3679 attest_rec->data, attest_rec->length, &att_attestation_version,
3680 &att_attestation_security_level, &att_keymaster_version,
3681 &att_keymaster_security_level, &att_challenge, &att_sw_enforced,
3682 &att_tee_enforced, &att_unique_id));
3683
3684 EXPECT_EQ(1U, att_attestation_version);
3685 EXPECT_EQ(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, att_attestation_security_level);
3686 EXPECT_EQ(expected_keymaster_version, att_keymaster_version);
3687 EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level);
3688
3689 EXPECT_EQ(challenge.length(), att_challenge.data_length);
3690 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length()));
3691
3692 // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in
3693 // attestations, since they're meaningless off-device.
3694 uint32_t user_id;
3695 if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id))
3696 att_sw_enforced.push_back(TAG_USER_ID, user_id);
3697 if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id))
3698 att_tee_enforced.push_back(TAG_USER_ID, user_id);
3699
3700 // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included
3701 // in the attestation.
3702 if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3703 att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3704 if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3705 att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3706
3707 att_sw_enforced.Sort();
3708 expected_sw_enforced.Sort();
3709 EXPECT_EQ(expected_sw_enforced, att_sw_enforced);
3710
3711 att_tee_enforced.Sort();
3712 expected_tee_enforced.Sort();
3713 EXPECT_EQ(expected_tee_enforced, att_tee_enforced);
3714
3715 return true;
3716}
3717#endif
3718#if ATTESTATIONTEST
3719TEST_P(AttestationTest, RsaAttestation) {
3720 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3721 .RsaSigningKey(256, 3)
3722 .Digest(KM_DIGEST_NONE)
3723 .Padding(KM_PAD_NONE)
3724 .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3725
3726 keymaster_cert_chain_t cert_chain;
3727 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3728 EXPECT_EQ(3U, cert_chain.entry_count);
3729 EXPECT_TRUE(verify_chain(cert_chain));
3730
3731 uint32_t expected_keymaster_version;
3732 keymaster_security_level_t expected_keymaster_security_level;
3733 expected_keymaster_version = 2;
3734 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3735
3736 EXPECT_TRUE(verify_attestation_record(
3737 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3738 expected_keymaster_security_level, cert_chain.entries[0]));
3739
3740 keymaster_free_cert_chain(&cert_chain);
3741}
3742#endif
3743#if ATTESTATIONTEST
3744TEST_P(AttestationTest, EcAttestation) {
3745 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3746 KM_DIGEST_SHA_2_256)));
3747
3748 uint32_t expected_keymaster_version;
3749 keymaster_security_level_t expected_keymaster_security_level;
3750 expected_keymaster_version = 2;
3751 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3752
3753 keymaster_cert_chain_t cert_chain;
3754 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3755 EXPECT_EQ(3U, cert_chain.entry_count);
3756 EXPECT_TRUE(verify_chain(cert_chain));
3757 EXPECT_TRUE(verify_attestation_record(
3758 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3759 expected_keymaster_security_level, cert_chain.entries[0]));
3760
3761 keymaster_free_cert_chain(&cert_chain);
3762}
3763#endif
3764typedef Keymaster2Test KeyUpgradeTest;
3765INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params);
3766#if KEYUPGRADETEST
3767TEST_P(KeyUpgradeTest, AesVersionUpgrade) {
3768 // A workaround for testing TEE based keymaster 2 from normal world
3769 keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context();
3770 AuthorizationSet version_info(AuthorizationSetBuilder()
3771 .Authorization(TAG_OS_VERSION, 1)
3772 .Authorization(TAG_OS_PATCHLEVEL, 1));
3773 device->configure(device, &version_info);
3774
3775 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3776 .AesEncryptionKey(128)
3777 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3778 .Padding(KM_PAD_NONE)));
3779
3780 // Key should operate fine.
3781 string message = "1234567890123456";
3782 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3783 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3784
3785 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3786 AuthorizationSet version_info_1_2(AuthorizationSetBuilder()
3787 .Authorization(TAG_OS_VERSION, 1)
3788 .Authorization(TAG_OS_PATCHLEVEL, 2));
3789 device->configure(device, &version_info_1_2);
3790 AuthorizationSet begin_params(client_params());
3791 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3792 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3793 if (GetParam()->is_keymaster1_hw()) {
3794 // Keymaster1 hardware can't support version binding. The key will work regardless
3795 // of system version. Just abort the remainder of the test.
3796 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3797 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3798 return;
3799 }
3800 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3801
3802 // Getting characteristics should also fail
3803 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3804
3805 // Upgrade key.
3806 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3807
3808 // Key should work again
3809 ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3810 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3811
3812 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3813 AuthorizationSet version_info_1_1(AuthorizationSetBuilder()
3814 .Authorization(TAG_OS_VERSION, 1)
3815 .Authorization(TAG_OS_PATCHLEVEL, 1));
3816 device->configure(device, &version_info_1_1);
3817
3818 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3819 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3820
3821 // Upgrade should fail
3822 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3823
3824 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3825}
3826#endif
3827#if 0//KEYUPGRADETEST
3828//this test is no longer valid because boring ssl rejects rsa keys less than 256 bits
3829TEST_P(KeyUpgradeTest, RsaVersionUpgrade) {
3830 keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context();
3831 AuthorizationSet version_info(AuthorizationSetBuilder()
3832 .Authorization(TAG_OS_VERSION, 1)
3833 .Authorization(TAG_OS_PATCHLEVEL, 1));
3834 device->configure(device, &version_info);
3835
3836 ASSERT_EQ(KM_ERROR_OK,
3837 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(128, 3).Padding(KM_PAD_NONE)));
3838
3839 // Key should operate fine.
3840 string message = "1234567890123456";
3841 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
3842 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3843
3844 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3845 AuthorizationSet version_info_1_2(AuthorizationSetBuilder()
3846 .Authorization(TAG_OS_VERSION, 1)
3847 .Authorization(TAG_OS_PATCHLEVEL, 2));
3848 device->configure(device, &version_info_1_2);
3849 AuthorizationSet begin_params(client_params());
3850 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3851 if (GetParam()->is_keymaster1_hw()) {
3852 // Keymaster1 hardware can't support version binding. The key will work regardless
3853 // of system version. Just abort the remainder of the test.
3854 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3855 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3856 return;
3857 }
3858 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3859
3860 // Getting characteristics should also fail
3861 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3862
3863 // Upgrade key.
3864 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3865
3866 // Key should work again
3867 ciphertext = EncryptMessage(message, KM_PAD_NONE);
3868 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3869
3870 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3871 AuthorizationSet version_info_1_1(AuthorizationSetBuilder()
3872 .Authorization(TAG_OS_VERSION, 1)
3873 .Authorization(TAG_OS_PATCHLEVEL, 1));
3874 device->configure(device, &version_info_1_1);
3875
3876 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3877 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3878
3879 // Upgrade should fail
3880 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3881
3882 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
3883 EXPECT_EQ(7, GetParam()->keymaster0_calls());
3884}
3885#endif
3886#if KEYUPGRADETEST
3887TEST_P(KeyUpgradeTest, EcVersionUpgrade) {
3888 keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context();
3889 AuthorizationSet version_info(AuthorizationSetBuilder()
3890 .Authorization(TAG_OS_VERSION, 1)
3891 .Authorization(TAG_OS_PATCHLEVEL, 1));
3892 device->configure(device, &version_info);
3893
3894 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3895 KM_DIGEST_SHA_2_256)));
3896
3897 // Key should operate fine.
3898 string message = "1234567890123456";
3899 string signature;
3900 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3901 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3902
3903 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3904 AuthorizationSet version_info_1_2(AuthorizationSetBuilder()
3905 .Authorization(TAG_OS_VERSION, 1)
3906 .Authorization(TAG_OS_PATCHLEVEL, 2));
3907 device->configure(device, &version_info_1_2);
3908
3909 AuthorizationSet begin_params(client_params());
3910 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
3911 if (GetParam()->is_keymaster1_hw()) {
3912 // Keymaster1 hardware can't support version binding. The key will work regardless
3913 // of system version. Just abort the remainder of the test.
3914 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3915 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3916 return;
3917 }
3918 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3919
3920 // Getting characteristics should also fail
3921 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3922
3923 // Upgrade key.
3924 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3925
3926 // Key should work again
3927 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3928 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3929
3930 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3931 AuthorizationSet version_info_1_1(AuthorizationSetBuilder()
3932 .Authorization(TAG_OS_VERSION, 1)
3933 .Authorization(TAG_OS_PATCHLEVEL, 1));
3934 device->configure(device, &version_info_1_1);
3935
3936 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3937 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3938
3939 // Upgrade should fail
3940 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3941
3942 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
3943 EXPECT_EQ(7, GetParam()->keymaster0_calls());
3944}
3945#endif
3946#if 0
3947TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) {
3948 // Make a good fake device, and wrap it.
3949 SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext));
3950
3951 // Wrap it and check it.
3952 SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext));
3953 good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device());
3954 EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood());
3955
3956 // Close and clean up wrapper and wrapped
3957 good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device());
3958
3959 // Make a "bad" (doesn't support all digests) device;
3960 keymaster1_device_t* sha256_only_fake = make_device_sha256_only(
3961 (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device());
3962
3963 // Wrap it and check it.
3964 SoftKeymasterDevice* sha256_only_fake_wrapper(
3965 (new SoftKeymasterDevice(new TestKeymasterContext)));
3966 sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake);
3967 EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood());
3968
3969 // Close and clean up wrapper and wrapped
3970 sha256_only_fake_wrapper->keymaster_device()->common.close(
3971 sha256_only_fake_wrapper->hw_device());
3972}
3973#endif
3974
3975} // namespace test
3976} // namespace keymaster
3977
generated by cgit at 2024-05-19 07:30:38 (GMT)