blob: d11b5be3fb8b2d4252dc82714e17a4c4b54e95e3
1 | /* |
2 | * Copyright (C) 2014 The Android Open Source Project |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. |
6 | * You may obtain a copy of the License at |
7 | * |
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
9 | * |
10 | * Unless required by applicable law or agreed to in writing, software |
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | * See the License for the specific language governing permissions and |
14 | * limitations under the License. |
15 | */ |
16 | |
17 | #include <fstream> |
18 | #include <string> |
19 | #include <vector> |
20 | |
21 | #include <openssl/evp.h> |
22 | #include <openssl/x509.h> |
23 | |
24 | #include <hardware/keymaster0.h> |
25 | #include <keymaster/key_factory.h> |
26 | #include <keymaster/soft_keymaster_context.h> |
27 | #include <keymaster/soft_keymaster_device.h> |
28 | #include <keymaster/softkeymaster.h> |
29 | |
30 | #include "android_keymaster_test_utils.h" |
31 | #include "attestation_record.h" |
32 | #include "keymaster0_engine.h" |
33 | #include "openssl_utils.h" |
34 | |
35 | #define CHECK_FAIL 1 |
36 | #define SUPPORT_TEST 1 |
37 | #define RSA_TEST 1 |
38 | #define EC_TEST 1 |
39 | #define AES_TEST 1 |
40 | #define HMAC_TEST 1 |
41 | #define MAX_TEST 1 |
42 | #define ENTROPY_TEST 1 |
43 | #define ATTESTATIONTEST 1 |
44 | #define KEYUPGRADETEST 0 |
45 | using std::ifstream; |
46 | using std::istreambuf_iterator; |
47 | using std::ofstream; |
48 | using std::string; |
49 | using std::unique_ptr; |
50 | using std::vector; |
51 | |
52 | extern "C" { |
53 | int __android_log_print(int prio, const char* tag, const char* fmt); |
54 | int __android_log_print(int prio, const char* tag, const char* fmt) { |
55 | (void)prio, (void)tag, (void)fmt; |
56 | return 0; |
57 | } |
58 | } // extern "C" |
59 | |
60 | namespace keymaster { |
61 | namespace test { |
62 | |
63 | const uint32_t kOsVersion = 060000; |
64 | const uint32_t kOsPatchLevel = 201603; |
65 | |
66 | StdoutLogger logger; |
67 | |
68 | template <typename T> vector<T> make_vector(const T* array, size_t len) { |
69 | return vector<T>(array, array + len); |
70 | } |
71 | |
72 | /** |
73 | * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't |
74 | * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited |
75 | * keys will only work once). |
76 | */ |
77 | class TestKeymasterEnforcement : public KeymasterEnforcement { |
78 | public: |
79 | TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {} |
80 | |
81 | virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } |
82 | virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } |
83 | virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, |
84 | uint32_t /* timeout */) const { |
85 | return false; |
86 | } |
87 | virtual uint32_t get_current_time() const { return 0; } |
88 | virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } |
89 | }; |
90 | |
91 | /** |
92 | * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement. |
93 | */ |
94 | class TestKeymasterContext : public SoftKeymasterContext { |
95 | public: |
96 | TestKeymasterContext() {} |
97 | explicit TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {} |
98 | |
99 | KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } |
100 | |
101 | private: |
102 | TestKeymasterEnforcement test_policy_; |
103 | }; |
104 | |
105 | /** |
106 | * Test instance creator that builds a pure software keymaster2 implementation. |
107 | */ |
108 | class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator { |
109 | public: |
110 | keymaster2_device_t* CreateDevice() const override { |
111 | std::cerr << "Creating software-only device" << std::endl; |
112 | context_ = new TestKeymasterContext; |
113 | SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); |
114 | AuthorizationSet version_info(AuthorizationSetBuilder() |
115 | .Authorization(TAG_OS_VERSION, kOsVersion) |
116 | .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); |
117 | device->keymaster2_device()->configure(device->keymaster2_device(), &version_info); |
118 | return device->keymaster2_device(); |
119 | } |
120 | |
121 | bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } |
122 | int keymaster0_calls() const override { return 0; } |
123 | bool is_keymaster1_hw() const override { return false; } |
124 | KeymasterContext* keymaster_context() const override { return context_; } |
125 | |
126 | private: |
127 | mutable TestKeymasterContext* context_; |
128 | }; |
129 | |
130 | /** |
131 | * Test instance creator that builds a keymaster2 implementations. |
132 | */ |
133 | class AmlKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator { |
134 | public: |
135 | keymaster2_device_t* CreateDevice() const override { |
136 | const hw_module_t* mod; |
137 | keymaster2_device_t* device = NULL; |
138 | |
139 | int rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); |
140 | if (rc) { |
141 | std::cerr << "Could not find any keystore module!" << std::endl; |
142 | } else { |
143 | assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0); |
144 | rc = keymaster2_open(mod, &device); |
145 | if (rc) { |
146 | std::cerr << "Error "<< rc << "opening keystore keymaster2 device" << std::endl; |
147 | return NULL; |
148 | } |
149 | } |
150 | |
151 | std::cerr << "Creating Amlogic keymaster2 device" << std::endl; |
152 | // context_ = new TestKeymasterContext; |
153 | // SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); |
154 | AuthorizationSet version_info(AuthorizationSetBuilder() |
155 | .Authorization(TAG_OS_VERSION, kOsVersion) |
156 | .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); |
157 | device->configure(device, &version_info); |
158 | _device = device; |
159 | return device; |
160 | } |
161 | |
162 | bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } |
163 | int keymaster0_calls() const override { return 0; } |
164 | bool is_keymaster1_hw() const override { return false; } |
165 | KeymasterContext* keymaster_context() const override { return (KeymasterContext*) _device; } |
166 | |
167 | private: |
168 | static keymaster2_device_t* _device; |
169 | //mutable TestKeymasterContext* context_; |
170 | }; |
171 | |
172 | keymaster2_device_t* AmlKeymasterTestInstanceCreator::_device; |
173 | /** |
174 | * Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0 |
175 | * instance, with or without EC support. |
176 | */ |
177 | class Keymaster0AdapterTestInstanceCreator : public Keymaster2TestInstanceCreator { |
178 | public: |
179 | explicit Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} |
180 | |
181 | keymaster2_device_t* CreateDevice() const { |
182 | std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ |
183 | << ")." << std::endl; |
184 | hw_device_t* softkeymaster_device; |
185 | EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, |
186 | &softkeymaster_device)); |
187 | // Make the software device pretend to be hardware |
188 | keymaster0_device_t* keymaster0_device = |
189 | reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); |
190 | keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; |
191 | |
192 | if (!support_ec_) { |
193 | // Make the software device pretend not to support EC |
194 | keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; |
195 | } |
196 | |
197 | counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); |
198 | |
199 | context_ = new TestKeymasterContext; |
200 | SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(context_); |
201 | keymaster->SetHardwareDevice(counting_keymaster0_device_); |
202 | AuthorizationSet version_info(AuthorizationSetBuilder() |
203 | .Authorization(TAG_OS_VERSION, kOsVersion) |
204 | .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); |
205 | keymaster->keymaster2_device()->configure(keymaster->keymaster2_device(), &version_info); |
206 | return keymaster->keymaster2_device(); |
207 | } |
208 | |
209 | bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override { |
210 | switch (algorithm) { |
211 | case KM_ALGORITHM_RSA: |
212 | return true; |
213 | case KM_ALGORITHM_EC: |
214 | return support_ec_; |
215 | default: |
216 | return false; |
217 | } |
218 | } |
219 | int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } |
220 | bool is_keymaster1_hw() const override { return false; } |
221 | KeymasterContext* keymaster_context() const override { return context_; } |
222 | |
223 | private: |
224 | mutable TestKeymasterContext* context_; |
225 | mutable Keymaster0CountingWrapper* counting_keymaster0_device_; |
226 | bool support_ec_; |
227 | }; |
228 | |
229 | /** |
230 | * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1 |
231 | * instance, with minimal digest support. |
232 | */ |
233 | class Sha256OnlyKeymaster2TestInstanceCreator : public Keymaster2TestInstanceCreator { |
234 | keymaster2_device_t* CreateDevice() const { |
235 | std::cerr << "Creating keymaster1-backed device that supports only SHA256"; |
236 | |
237 | // fake_device doesn't leak because device (below) takes ownership of it. |
238 | keymaster1_device_t* fake_device = make_device_sha256_only( |
239 | (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device()); |
240 | |
241 | // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close(). |
242 | context_ = new TestKeymasterContext; |
243 | SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); |
244 | device->SetHardwareDevice(fake_device); |
245 | |
246 | AuthorizationSet version_info(AuthorizationSetBuilder() |
247 | .Authorization(TAG_OS_VERSION, kOsVersion) |
248 | .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); |
249 | device->keymaster2_device()->configure(device->keymaster2_device(), &version_info); |
250 | return device->keymaster2_device(); |
251 | } |
252 | |
253 | bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } |
254 | int keymaster0_calls() const override { return 0; } |
255 | int minimal_digest_set() const override { return true; } |
256 | bool is_keymaster1_hw() const override { return true; } |
257 | KeymasterContext* keymaster_context() const override { return context_; } |
258 | |
259 | private: |
260 | mutable TestKeymasterContext* context_; |
261 | }; |
262 | |
263 | static auto test_params = testing::Values( |
264 | #if 0 |
265 | InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), |
266 | InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), |
267 | InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)), |
268 | InstanceCreatorPtr(new Sha256OnlyKeymaster2TestInstanceCreator) |
269 | #endif |
270 | InstanceCreatorPtr(new AmlKeymasterTestInstanceCreator) |
271 | ); |
272 | |
273 | class NewKeyGeneration : public Keymaster2Test { |
274 | protected: |
275 | void CheckBaseParams() { |
276 | AuthorizationSet auths = sw_enforced(); |
277 | auths.Union(hw_enforced()); |
278 | EXPECT_GT(auths.SerializedSize(), 12U); |
279 | |
280 | EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); |
281 | EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); |
282 | EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); |
283 | EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); |
284 | EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); |
285 | |
286 | // Verify that App ID, App data and ROT are NOT included. |
287 | EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); |
288 | EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); |
289 | EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); |
290 | |
291 | // Just for giggles, check that some unexpected tags/values are NOT present. |
292 | EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); |
293 | EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); |
294 | EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); |
295 | |
296 | // Now check that unspecified, defaulted tags are correct. |
297 | EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); |
298 | if (GetParam()->is_keymaster1_hw()) { |
299 | // If the underlying (faked) HW is KM1, it will not have version info. |
300 | EXPECT_FALSE(auths.Contains(TAG_OS_VERSION)); |
301 | EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL)); |
302 | } else { |
303 | // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by |
304 | // SoftKeymasterDevice, version information will be present and up to date. |
305 | EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion)); |
306 | EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel)); |
307 | } |
308 | } |
309 | }; |
310 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); |
311 | #if RSA_TEST |
312 | TEST_P(NewKeyGeneration, Rsa) { |
313 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
314 | .RsaSigningKey(256, 3) |
315 | .Digest(KM_DIGEST_NONE) |
316 | .Padding(KM_PAD_NONE))); |
317 | CheckBaseParams(); |
318 | |
319 | // Check specified tags are all present, and in the right set. |
320 | AuthorizationSet crypto_params; |
321 | AuthorizationSet non_crypto_params; |
322 | #if 0 |
323 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) { |
324 | EXPECT_NE(0U, hw_enforced().size()); |
325 | EXPECT_NE(0U, sw_enforced().size()); |
326 | crypto_params.push_back(hw_enforced()); |
327 | non_crypto_params.push_back(sw_enforced()); |
328 | } else { |
329 | EXPECT_EQ(0U, hw_enforced().size()); |
330 | EXPECT_NE(0U, sw_enforced().size()); |
331 | crypto_params.push_back(sw_enforced()); |
332 | } |
333 | #else |
334 | EXPECT_NE(0U, hw_enforced().size()); |
335 | EXPECT_NE(0U, sw_enforced().size()); |
336 | crypto_params.push_back(hw_enforced()); |
337 | non_crypto_params.push_back(sw_enforced()); |
338 | #endif |
339 | |
340 | EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
341 | EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
342 | EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); |
343 | EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); |
344 | EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); |
345 | EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); |
346 | |
347 | EXPECT_EQ(KM_ERROR_OK, DeleteKey()); |
348 | |
349 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
350 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
351 | } |
352 | #endif |
353 | #if RSA_TEST |
354 | TEST_P(NewKeyGeneration, RsaDefaultSize) { |
355 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, |
356 | GenerateKey(AuthorizationSetBuilder() |
357 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
358 | .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) |
359 | .SigningKey())); |
360 | |
361 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
362 | } |
363 | #endif |
364 | #if EC_TEST |
365 | TEST_P(NewKeyGeneration, Ecdsa) { |
366 | ASSERT_EQ(KM_ERROR_OK, |
367 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); |
368 | CheckBaseParams(); |
369 | |
370 | // Check specified tags are all present, and in the right set. |
371 | AuthorizationSet crypto_params; |
372 | AuthorizationSet non_crypto_params; |
373 | #if 0 |
374 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) { |
375 | EXPECT_NE(0U, hw_enforced().size()); |
376 | EXPECT_NE(0U, sw_enforced().size()); |
377 | crypto_params.push_back(hw_enforced()); |
378 | non_crypto_params.push_back(sw_enforced()); |
379 | } else { |
380 | EXPECT_EQ(0U, hw_enforced().size()); |
381 | EXPECT_NE(0U, sw_enforced().size()); |
382 | crypto_params.push_back(sw_enforced()); |
383 | } |
384 | #else |
385 | EXPECT_NE(0U, hw_enforced().size()); |
386 | EXPECT_NE(0U, sw_enforced().size()); |
387 | crypto_params.push_back(hw_enforced()); |
388 | non_crypto_params.push_back(sw_enforced()); |
389 | #endif |
390 | |
391 | EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); |
392 | EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); |
393 | EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); |
394 | EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); |
395 | |
396 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
397 | EXPECT_EQ(1, GetParam()->keymaster0_calls()); |
398 | } |
399 | #endif |
400 | #if EC_TEST |
401 | TEST_P(NewKeyGeneration, EcdsaDefaultSize) { |
402 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, |
403 | GenerateKey(AuthorizationSetBuilder() |
404 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) |
405 | .SigningKey() |
406 | .Digest(KM_DIGEST_NONE))); |
407 | |
408 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
409 | } |
410 | |
411 | TEST_P(NewKeyGeneration, EcdsaInvalidSize) { |
412 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, |
413 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); |
414 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
415 | } |
416 | #endif |
417 | |
418 | #if EC_TEST |
419 | TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) { |
420 | ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, |
421 | GenerateKey(AuthorizationSetBuilder() |
422 | .EcdsaSigningKey(224) |
423 | .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256) |
424 | .Digest(KM_DIGEST_NONE))); |
425 | } |
426 | #endif |
427 | |
428 | #if EC_TEST |
429 | TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { |
430 | size_t valid_sizes[] = {224, 256, 384, 521}; |
431 | for (size_t size : valid_sizes) { |
432 | EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( |
433 | KM_DIGEST_NONE))) |
434 | << "Failed to generate size: " << size; |
435 | } |
436 | |
437 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
438 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
439 | } |
440 | #endif |
441 | #if HMAC_TEST |
442 | TEST_P(NewKeyGeneration, HmacSha256) { |
443 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
444 | .HmacKey(128) |
445 | .Digest(KM_DIGEST_SHA_2_256) |
446 | .Authorization(TAG_MIN_MAC_LENGTH, 256))); |
447 | |
448 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
449 | } |
450 | |
451 | TEST_P(NewKeyGeneration, HmacMultipleDigests) { |
452 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, |
453 | GenerateKey(AuthorizationSetBuilder() |
454 | .HmacKey(128) |
455 | .Digest(KM_DIGEST_SHA1) |
456 | .Digest(KM_DIGEST_SHA_2_256) |
457 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
458 | |
459 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
460 | } |
461 | |
462 | TEST_P(NewKeyGeneration, HmacDigestNone) { |
463 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, |
464 | GenerateKey(AuthorizationSetBuilder() |
465 | .HmacKey(128) |
466 | .Digest(KM_DIGEST_NONE) |
467 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
468 | |
469 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
470 | } |
471 | |
472 | TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) { |
473 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, |
474 | GenerateKey(AuthorizationSetBuilder() |
475 | .HmacKey(128) |
476 | .Digest(KM_DIGEST_SHA_2_256) |
477 | .Authorization(TAG_MIN_MAC_LENGTH, 48))); |
478 | |
479 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
480 | } |
481 | |
482 | TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) { |
483 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, |
484 | GenerateKey(AuthorizationSetBuilder() |
485 | .HmacKey(128) |
486 | .Digest(KM_DIGEST_SHA_2_256) |
487 | .Authorization(TAG_MIN_MAC_LENGTH, 130))); |
488 | |
489 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
490 | } |
491 | |
492 | TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) { |
493 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, |
494 | GenerateKey(AuthorizationSetBuilder() |
495 | .HmacKey(128) |
496 | .Digest(KM_DIGEST_SHA_2_256) |
497 | .Authorization(TAG_MIN_MAC_LENGTH, 384))); |
498 | |
499 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
500 | } |
501 | #endif |
502 | typedef Keymaster2Test GetKeyCharacteristics; |
503 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); |
504 | |
505 | #if RSA_TEST |
506 | TEST_P(GetKeyCharacteristics, SimpleRsa) { |
507 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
508 | .RsaSigningKey(256, 3) |
509 | .Digest(KM_DIGEST_NONE) |
510 | .Padding(KM_PAD_NONE))); |
511 | AuthorizationSet original(sw_enforced()); |
512 | |
513 | ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); |
514 | EXPECT_EQ(original, sw_enforced()); |
515 | |
516 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
517 | EXPECT_EQ(1, GetParam()->keymaster0_calls()); |
518 | } |
519 | #endif |
520 | typedef Keymaster2Test SigningOperationsTest; |
521 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); |
522 | #if RSA_TEST |
523 | TEST_P(SigningOperationsTest, RsaSuccess) { |
524 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
525 | .RsaSigningKey(256, 3) |
526 | .Digest(KM_DIGEST_NONE) |
527 | .Padding(KM_PAD_NONE))); |
528 | string message = "12345678901234567890123456789012"; |
529 | string signature; |
530 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
531 | |
532 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
533 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
534 | } |
535 | #endif |
536 | #if RSA_TEST |
537 | TEST_P(SigningOperationsTest, RsaPssSha256Success) { |
538 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
539 | .RsaSigningKey(768, 3) |
540 | .Digest(KM_DIGEST_SHA_2_256) |
541 | .Padding(KM_PAD_RSA_PSS))); |
542 | // Use large message, which won't work without digesting. |
543 | string message(1024, 'a'); |
544 | string signature; |
545 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); |
546 | |
547 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
548 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
549 | } |
550 | |
551 | TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { |
552 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
553 | .RsaSigningKey(512, 3) |
554 | .Digest(KM_DIGEST_NONE) |
555 | .Padding(KM_PAD_NONE))); |
556 | string message = "12345678901234567890123456789012"; |
557 | string signature; |
558 | |
559 | AuthorizationSet begin_params(client_params()); |
560 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
561 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); |
562 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
563 | |
564 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
565 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
566 | } |
567 | |
568 | TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { |
569 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
570 | .RsaSigningKey(512, 3) |
571 | .Digest(KM_DIGEST_SHA_2_256) |
572 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
573 | string message(1024, 'a'); |
574 | string signature; |
575 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); |
576 | |
577 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
578 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
579 | } |
580 | #endif |
581 | #if RSA_TEST |
582 | TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { |
583 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
584 | .RsaSigningKey(512, 3) |
585 | .Digest(KM_DIGEST_NONE) |
586 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
587 | string message(53, 'a'); |
588 | string signature; |
589 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); |
590 | |
591 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
592 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
593 | } |
594 | #endif |
595 | #if RSA_TEST |
596 | TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { |
597 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
598 | .RsaSigningKey(512, 3) |
599 | .Digest(KM_DIGEST_NONE) |
600 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
601 | string message(54, 'a'); |
602 | |
603 | AuthorizationSet begin_params(client_params()); |
604 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
605 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); |
606 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
607 | string result; |
608 | size_t input_consumed; |
609 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
610 | string signature; |
611 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); |
612 | |
613 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
614 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
615 | } |
616 | #endif |
617 | #if CHECK_FAIL |
618 | TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { |
619 | // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so |
620 | // verify that nine bytes larger than hash won't work. |
621 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
622 | .RsaSigningKey(256 + 9 * 8, 3) |
623 | .Digest(KM_DIGEST_SHA_2_256) |
624 | .Padding(KM_PAD_RSA_PSS))); |
625 | string message(1024, 'a'); |
626 | string signature; |
627 | |
628 | AuthorizationSet begin_params(client_params()); |
629 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
630 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); |
631 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
632 | } |
633 | #endif |
634 | #if CHECK_FAIL |
635 | TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { |
636 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
637 | .RsaSigningKey(256, 3) |
638 | .Digest(KM_DIGEST_NONE) |
639 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
640 | string message(64 * 1024, 'a'); |
641 | string signature; |
642 | AuthorizationSet begin_params(client_params()); |
643 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
644 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); |
645 | ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
646 | string result; |
647 | size_t input_consumed; |
648 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); |
649 | |
650 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
651 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
652 | } |
653 | #endif |
654 | #if CHECK_FAIL |
655 | TEST_P(SigningOperationsTest, RsaAbort) { |
656 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
657 | .RsaSigningKey(256, 3) |
658 | .Digest(KM_DIGEST_NONE) |
659 | .Padding(KM_PAD_NONE))); |
660 | AuthorizationSet begin_params(client_params()); |
661 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
662 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
663 | ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
664 | EXPECT_EQ(KM_ERROR_OK, AbortOperation()); |
665 | // Another abort should fail |
666 | EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); |
667 | |
668 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
669 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
670 | } |
671 | #endif |
672 | #if RSA_TEST |
673 | TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { |
674 | GenerateKey(AuthorizationSetBuilder() |
675 | .RsaSigningKey(256, 3) |
676 | .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) |
677 | .Padding(KM_PAD_PKCS7)); |
678 | AuthorizationSet begin_params(client_params()); |
679 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
680 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
681 | |
682 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
683 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
684 | } |
685 | |
686 | TEST_P(SigningOperationsTest, RsaNoDigest) { |
687 | // PSS requires a digest. |
688 | GenerateKey(AuthorizationSetBuilder() |
689 | .RsaSigningKey(256, 3) |
690 | .Digest(KM_DIGEST_NONE) |
691 | .Padding(KM_PAD_RSA_PSS)); |
692 | AuthorizationSet begin_params(client_params()); |
693 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
694 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); |
695 | ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
696 | |
697 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
698 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
699 | } |
700 | |
701 | TEST_P(SigningOperationsTest, RsaNoPadding) { |
702 | // Padding must be specified |
703 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( |
704 | KM_DIGEST_NONE))); |
705 | AuthorizationSet begin_params(client_params()); |
706 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
707 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
708 | |
709 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
710 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
711 | } |
712 | |
713 | TEST_P(SigningOperationsTest, RsaTooShortMessage) { |
714 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
715 | .RsaSigningKey(256, 3) |
716 | .Digest(KM_DIGEST_NONE) |
717 | .Padding(KM_PAD_NONE))); |
718 | string message = "1234567890123456789012345678901"; |
719 | string signature; |
720 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
721 | |
722 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
723 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
724 | } |
725 | |
726 | TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { |
727 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
728 | .RsaEncryptionKey(256, 3) |
729 | .Digest(KM_DIGEST_NONE) |
730 | .Padding(KM_PAD_NONE))); |
731 | AuthorizationSet begin_params(client_params()); |
732 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
733 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
734 | ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
735 | |
736 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
737 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
738 | } |
739 | |
740 | TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) { |
741 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
742 | .RsaSigningKey(256, 3) |
743 | .Digest(KM_DIGEST_NONE) |
744 | .Padding(KM_PAD_NONE))); |
745 | string message(256 / 8, static_cast<char>(0xff)); |
746 | string signature; |
747 | AuthorizationSet begin_params(client_params()); |
748 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
749 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
750 | ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
751 | string result; |
752 | size_t input_consumed; |
753 | ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
754 | ASSERT_EQ(message.size(), input_consumed); |
755 | string output; |
756 | ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output)); |
757 | |
758 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
759 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
760 | } |
761 | #endif |
762 | #if EC_TEST |
763 | TEST_P(SigningOperationsTest, EcdsaSuccess) { |
764 | ASSERT_EQ(KM_ERROR_OK, |
765 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); |
766 | string message(224 / 8, 'a'); |
767 | string signature; |
768 | SignMessage(message, &signature, KM_DIGEST_NONE); |
769 | |
770 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
771 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
772 | } |
773 | #endif |
774 | #if EC_TEST |
775 | TEST_P(SigningOperationsTest, EcdsaSha256Success) { |
776 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( |
777 | KM_DIGEST_SHA_2_256))); |
778 | string message(1024, 'a'); |
779 | string signature; |
780 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256); |
781 | |
782 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
783 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
784 | } |
785 | |
786 | TEST_P(SigningOperationsTest, EcdsaSha384Success) { |
787 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( |
788 | KM_DIGEST_SHA_2_384))); |
789 | string message(1024, 'a'); |
790 | string signature; |
791 | SignMessage(message, &signature, KM_DIGEST_SHA_2_384); |
792 | |
793 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
794 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
795 | } |
796 | |
797 | TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { |
798 | ASSERT_EQ(KM_ERROR_OK, |
799 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); |
800 | string message(64 * 1024, 'a'); |
801 | string signature; |
802 | AuthorizationSet begin_params(client_params()); |
803 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
804 | ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
805 | string result; |
806 | size_t input_consumed; |
807 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
808 | |
809 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
810 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
811 | } |
812 | |
813 | TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) { |
814 | vector<int> key_sizes = {224, 256, 384, 521}; |
815 | vector<keymaster_digest_t> digests = { |
816 | KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, |
817 | KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, |
818 | }; |
819 | |
820 | for (int key_size : key_sizes) { |
821 | for (keymaster_digest_t digest : digests) { |
822 | ASSERT_EQ( |
823 | KM_ERROR_OK, |
824 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); |
825 | |
826 | string message(1024, 'a'); |
827 | string signature; |
828 | if (digest == KM_DIGEST_NONE) |
829 | message.resize(key_size / 8); |
830 | SignMessage(message, &signature, digest); |
831 | } |
832 | } |
833 | |
834 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
835 | EXPECT_EQ(digests.size() * key_sizes.size() * 3, |
836 | static_cast<size_t>(GetParam()->keymaster0_calls())); |
837 | } |
838 | #endif |
839 | #if AES_TEST |
840 | TEST_P(SigningOperationsTest, AesEcbSign) { |
841 | ASSERT_EQ(KM_ERROR_OK, |
842 | GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( |
843 | TAG_BLOCK_MODE, KM_MODE_ECB))); |
844 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); |
845 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); |
846 | |
847 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
848 | } |
849 | #endif |
850 | #if HMAC_TEST |
851 | TEST_P(SigningOperationsTest, HmacSha1Success) { |
852 | if (GetParam()->minimal_digest_set()) |
853 | // Can't emulate other digests for HMAC. |
854 | return; |
855 | |
856 | GenerateKey(AuthorizationSetBuilder() |
857 | .HmacKey(128) |
858 | .Digest(KM_DIGEST_SHA1) |
859 | .Authorization(TAG_MIN_MAC_LENGTH, 160)); |
860 | string message = "12345678901234567890123456789012"; |
861 | string signature; |
862 | MacMessage(message, &signature, 160); |
863 | ASSERT_EQ(20U, signature.size()); |
864 | |
865 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
866 | } |
867 | #endif |
868 | #if HMAC_TEST |
869 | TEST_P(SigningOperationsTest, HmacSha224Success) { |
870 | if (GetParam()->minimal_digest_set()) |
871 | // Can't emulate other digests for HMAC. |
872 | return; |
873 | |
874 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
875 | .HmacKey(128) |
876 | .Digest(KM_DIGEST_SHA_2_224) |
877 | .Authorization(TAG_MIN_MAC_LENGTH, 160))); |
878 | string message = "12345678901234567890123456789012"; |
879 | string signature; |
880 | MacMessage(message, &signature, 224); |
881 | ASSERT_EQ(28U, signature.size()); |
882 | |
883 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
884 | } |
885 | |
886 | TEST_P(SigningOperationsTest, HmacSha256Success) { |
887 | if (GetParam()->minimal_digest_set()) |
888 | // Can't emulate other digests for HMAC. |
889 | return; |
890 | |
891 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
892 | .HmacKey(128) |
893 | .Digest(KM_DIGEST_SHA_2_256) |
894 | .Authorization(TAG_MIN_MAC_LENGTH, 256))); |
895 | string message = "12345678901234567890123456789012"; |
896 | string signature; |
897 | MacMessage(message, &signature, 256); |
898 | ASSERT_EQ(32U, signature.size()); |
899 | |
900 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
901 | } |
902 | |
903 | TEST_P(SigningOperationsTest, HmacSha384Success) { |
904 | if (GetParam()->minimal_digest_set()) |
905 | // Can't emulate other digests for HMAC. |
906 | return; |
907 | |
908 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
909 | .HmacKey(128) |
910 | .Digest(KM_DIGEST_SHA_2_384) |
911 | .Authorization(TAG_MIN_MAC_LENGTH, 384))); |
912 | |
913 | string message = "12345678901234567890123456789012"; |
914 | string signature; |
915 | MacMessage(message, &signature, 384); |
916 | ASSERT_EQ(48U, signature.size()); |
917 | |
918 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
919 | } |
920 | |
921 | TEST_P(SigningOperationsTest, HmacSha512Success) { |
922 | if (GetParam()->minimal_digest_set()) |
923 | // Can't emulate other digests for HMAC. |
924 | return; |
925 | |
926 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
927 | .HmacKey(128) |
928 | .Digest(KM_DIGEST_SHA_2_512) |
929 | .Authorization(TAG_MIN_MAC_LENGTH, 384))); |
930 | string message = "12345678901234567890123456789012"; |
931 | string signature; |
932 | MacMessage(message, &signature, 512); |
933 | ASSERT_EQ(64U, signature.size()); |
934 | |
935 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
936 | } |
937 | |
938 | TEST_P(SigningOperationsTest, HmacLengthInKey) { |
939 | // TODO(swillden): unified API should generate an error on key generation. |
940 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
941 | .HmacKey(128) |
942 | .Digest(KM_DIGEST_SHA_2_256) |
943 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
944 | string message = "12345678901234567890123456789012"; |
945 | string signature; |
946 | MacMessage(message, &signature, 160); |
947 | ASSERT_EQ(20U, signature.size()); |
948 | |
949 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
950 | } |
951 | |
952 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { |
953 | uint8_t key_data[] = { |
954 | 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, |
955 | 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, |
956 | }; |
957 | string message = "Hi There"; |
958 | uint8_t sha_224_expected[] = { |
959 | 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, |
960 | 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, |
961 | }; |
962 | uint8_t sha_256_expected[] = { |
963 | 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, |
964 | 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, |
965 | 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, |
966 | }; |
967 | uint8_t sha_384_expected[] = { |
968 | 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, |
969 | 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, |
970 | 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, |
971 | 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, |
972 | }; |
973 | uint8_t sha_512_expected[] = { |
974 | 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, |
975 | 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, |
976 | 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, |
977 | 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, |
978 | 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, |
979 | }; |
980 | |
981 | string key = make_string(key_data); |
982 | |
983 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
984 | if (!GetParam()->minimal_digest_set()) { |
985 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
986 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
987 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
988 | } |
989 | |
990 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
991 | } |
992 | |
993 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { |
994 | string key = "Jefe"; |
995 | string message = "what do ya want for nothing?"; |
996 | uint8_t sha_224_expected[] = { |
997 | 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, |
998 | 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, |
999 | }; |
1000 | uint8_t sha_256_expected[] = { |
1001 | 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, |
1002 | 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, |
1003 | 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, |
1004 | }; |
1005 | uint8_t sha_384_expected[] = { |
1006 | 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, |
1007 | 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, |
1008 | 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, |
1009 | 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, |
1010 | }; |
1011 | uint8_t sha_512_expected[] = { |
1012 | 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, |
1013 | 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, |
1014 | 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, |
1015 | 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, |
1016 | 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, |
1017 | }; |
1018 | |
1019 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1020 | if (!GetParam()->minimal_digest_set()) { |
1021 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1022 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1023 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1024 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1025 | } |
1026 | |
1027 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1028 | } |
1029 | |
1030 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { |
1031 | string key(20, 0xaa); |
1032 | string message(50, 0xdd); |
1033 | uint8_t sha_224_expected[] = { |
1034 | 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, |
1035 | 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, |
1036 | }; |
1037 | uint8_t sha_256_expected[] = { |
1038 | 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, |
1039 | 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, |
1040 | 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, |
1041 | }; |
1042 | uint8_t sha_384_expected[] = { |
1043 | 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, |
1044 | 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, |
1045 | 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, |
1046 | 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, |
1047 | }; |
1048 | uint8_t sha_512_expected[] = { |
1049 | 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, |
1050 | 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, |
1051 | 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, |
1052 | 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, |
1053 | 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, |
1054 | }; |
1055 | |
1056 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1057 | if (!GetParam()->minimal_digest_set()) { |
1058 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1059 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1060 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1061 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1062 | } |
1063 | |
1064 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1065 | } |
1066 | |
1067 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { |
1068 | uint8_t key_data[25] = { |
1069 | 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, |
1070 | 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, |
1071 | }; |
1072 | string key = make_string(key_data); |
1073 | string message(50, 0xcd); |
1074 | uint8_t sha_224_expected[] = { |
1075 | 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, |
1076 | 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, |
1077 | }; |
1078 | uint8_t sha_256_expected[] = { |
1079 | 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, |
1080 | 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, |
1081 | 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, |
1082 | }; |
1083 | uint8_t sha_384_expected[] = { |
1084 | 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, |
1085 | 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, |
1086 | 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, |
1087 | 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, |
1088 | }; |
1089 | uint8_t sha_512_expected[] = { |
1090 | 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, |
1091 | 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, |
1092 | 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, |
1093 | 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, |
1094 | 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, |
1095 | }; |
1096 | |
1097 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1098 | if (!GetParam()->minimal_digest_set()) { |
1099 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1100 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1101 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1102 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1103 | } |
1104 | |
1105 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1106 | } |
1107 | |
1108 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { |
1109 | string key(20, 0x0c); |
1110 | string message = "Test With Truncation"; |
1111 | |
1112 | uint8_t sha_224_expected[] = { |
1113 | 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, |
1114 | 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, |
1115 | }; |
1116 | uint8_t sha_256_expected[] = { |
1117 | 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, |
1118 | 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, |
1119 | }; |
1120 | uint8_t sha_384_expected[] = { |
1121 | 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, |
1122 | 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, |
1123 | }; |
1124 | uint8_t sha_512_expected[] = { |
1125 | 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, |
1126 | 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, |
1127 | }; |
1128 | |
1129 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1130 | if (!GetParam()->minimal_digest_set()) { |
1131 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1132 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1133 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1134 | } |
1135 | |
1136 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1137 | } |
1138 | #endif |
1139 | |
1140 | #if HMAC_TEST |
1141 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { |
1142 | string key(131, 0xaa); |
1143 | string message = "Test Using Larger Than Block-Size Key - Hash Key First"; |
1144 | |
1145 | uint8_t sha_224_expected[] = { |
1146 | 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, |
1147 | 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, |
1148 | }; |
1149 | uint8_t sha_256_expected[] = { |
1150 | 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, |
1151 | 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, |
1152 | 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, |
1153 | }; |
1154 | uint8_t sha_384_expected[] = { |
1155 | 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, |
1156 | 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, |
1157 | 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, |
1158 | 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, |
1159 | }; |
1160 | uint8_t sha_512_expected[] = { |
1161 | 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, |
1162 | 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, |
1163 | 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, |
1164 | 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, |
1165 | 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, |
1166 | }; |
1167 | |
1168 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1169 | if (!GetParam()->minimal_digest_set()) { |
1170 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1171 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1172 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1173 | } |
1174 | |
1175 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1176 | } |
1177 | #endif |
1178 | |
1179 | #if HMAC_TEST |
1180 | TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { |
1181 | string key(131, 0xaa); |
1182 | string message = "This is a test using a larger than block-size key and a larger than " |
1183 | "block-size data. The key needs to be hashed before being used by the HMAC " |
1184 | "algorithm."; |
1185 | |
1186 | uint8_t sha_224_expected[] = { |
1187 | 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, |
1188 | 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, |
1189 | }; |
1190 | uint8_t sha_256_expected[] = { |
1191 | 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, |
1192 | 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, |
1193 | 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, |
1194 | }; |
1195 | uint8_t sha_384_expected[] = { |
1196 | 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, |
1197 | 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, |
1198 | 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, |
1199 | 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, |
1200 | }; |
1201 | uint8_t sha_512_expected[] = { |
1202 | 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, |
1203 | 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, |
1204 | 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, |
1205 | 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, |
1206 | 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, |
1207 | }; |
1208 | |
1209 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); |
1210 | if (!GetParam()->minimal_digest_set()) { |
1211 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); |
1212 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); |
1213 | CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); |
1214 | } |
1215 | |
1216 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1217 | } |
1218 | |
1219 | TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { |
1220 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1221 | .HmacKey(128) |
1222 | .Digest(KM_DIGEST_SHA_2_256) |
1223 | .Authorization(TAG_MIN_MAC_LENGTH, 256))); |
1224 | AuthorizationSet begin_params(client_params()); |
1225 | begin_params.push_back(TAG_MAC_LENGTH, 264); |
1226 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1227 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, |
1228 | BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); |
1229 | |
1230 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1231 | } |
1232 | |
1233 | TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) { |
1234 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1235 | .HmacKey(128) |
1236 | .Digest(KM_DIGEST_SHA_2_256) |
1237 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
1238 | AuthorizationSet begin_params(client_params()); |
1239 | begin_params.push_back(TAG_MAC_LENGTH, 120); |
1240 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1241 | ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH, |
1242 | BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); |
1243 | |
1244 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1245 | } |
1246 | #endif |
1247 | // TODO(swillden): Add more verification failure tests. |
1248 | |
1249 | typedef Keymaster2Test VerificationOperationsTest; |
1250 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); |
1251 | #if RSA_TEST |
1252 | TEST_P(VerificationOperationsTest, RsaSuccess) { |
1253 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1254 | .RsaSigningKey(256, 3) |
1255 | .Digest(KM_DIGEST_NONE) |
1256 | .Padding(KM_PAD_NONE))); |
1257 | string message = "12345678901234567890123456789012"; |
1258 | string signature; |
1259 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
1260 | VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); |
1261 | |
1262 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1263 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1264 | } |
1265 | |
1266 | TEST_P(VerificationOperationsTest, RsaPssSha256Success) { |
1267 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1268 | .RsaSigningKey(768, 3) |
1269 | .Digest(KM_DIGEST_SHA_2_256) |
1270 | .Padding(KM_PAD_RSA_PSS))); |
1271 | // Use large message, which won't work without digesting. |
1272 | string message(1024, 'a'); |
1273 | string signature; |
1274 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); |
1275 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); |
1276 | |
1277 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1278 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1279 | } |
1280 | |
1281 | TEST_P(VerificationOperationsTest, RsaPssSha224Success) { |
1282 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1283 | .RsaSigningKey(512, 3) |
1284 | .Digest(KM_DIGEST_SHA_2_224) |
1285 | .Padding(KM_PAD_RSA_PSS))); |
1286 | // Use large message, which won't work without digesting. |
1287 | string message(1024, 'a'); |
1288 | string signature; |
1289 | SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); |
1290 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); |
1291 | |
1292 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1293 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1294 | |
1295 | // Verify with OpenSSL. |
1296 | string pubkey; |
1297 | EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); |
1298 | |
1299 | const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); |
1300 | unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( |
1301 | d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); |
1302 | ASSERT_TRUE(pkey.get()); |
1303 | |
1304 | EVP_MD_CTX digest_ctx; |
1305 | EVP_MD_CTX_init(&digest_ctx); |
1306 | EVP_PKEY_CTX* pkey_ctx; |
1307 | EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, |
1308 | pkey.get())); |
1309 | EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)); |
1310 | EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); |
1311 | EXPECT_EQ(1, |
1312 | EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), |
1313 | signature.size())); |
1314 | EVP_MD_CTX_cleanup(&digest_ctx); |
1315 | } |
1316 | |
1317 | TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { |
1318 | GenerateKey(AuthorizationSetBuilder() |
1319 | .RsaSigningKey(768, 3) |
1320 | .Digest(KM_DIGEST_SHA_2_256) |
1321 | .Padding(KM_PAD_RSA_PSS)); |
1322 | string message(1024, 'a'); |
1323 | string signature; |
1324 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); |
1325 | ++signature[signature.size() / 2]; |
1326 | |
1327 | AuthorizationSet begin_params(client_params()); |
1328 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1329 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); |
1330 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1331 | |
1332 | string result; |
1333 | size_t input_consumed; |
1334 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1335 | EXPECT_EQ(message.size(), input_consumed); |
1336 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1337 | |
1338 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1339 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1340 | } |
1341 | |
1342 | TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { |
1343 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1344 | .RsaSigningKey(768, 3) |
1345 | .Digest(KM_DIGEST_SHA_2_256) |
1346 | .Padding(KM_PAD_RSA_PSS))); |
1347 | // Use large message, which won't work without digesting. |
1348 | string message(1024, 'a'); |
1349 | string signature; |
1350 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); |
1351 | ++message[message.size() / 2]; |
1352 | |
1353 | AuthorizationSet begin_params(client_params()); |
1354 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1355 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); |
1356 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1357 | |
1358 | string result; |
1359 | size_t input_consumed; |
1360 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1361 | EXPECT_EQ(message.size(), input_consumed); |
1362 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1363 | |
1364 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1365 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1366 | } |
1367 | |
1368 | TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { |
1369 | GenerateKey(AuthorizationSetBuilder() |
1370 | .RsaSigningKey(512, 3) |
1371 | .Digest(KM_DIGEST_SHA_2_256) |
1372 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); |
1373 | string message(1024, 'a'); |
1374 | string signature; |
1375 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1376 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1377 | |
1378 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1379 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1380 | } |
1381 | |
1382 | TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) { |
1383 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1384 | .RsaSigningKey(512, 3) |
1385 | .Digest(KM_DIGEST_SHA_2_224) |
1386 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
1387 | // Use large message, which won't work without digesting. |
1388 | string message(1024, 'a'); |
1389 | string signature; |
1390 | SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1391 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1392 | |
1393 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1394 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1395 | |
1396 | // Verify with OpenSSL. |
1397 | string pubkey; |
1398 | EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); |
1399 | |
1400 | const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); |
1401 | unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( |
1402 | d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); |
1403 | ASSERT_TRUE(pkey.get()); |
1404 | |
1405 | EVP_MD_CTX digest_ctx; |
1406 | EVP_MD_CTX_init(&digest_ctx); |
1407 | EVP_PKEY_CTX* pkey_ctx; |
1408 | EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, |
1409 | pkey.get())); |
1410 | EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); |
1411 | EXPECT_EQ(1, |
1412 | EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), |
1413 | signature.size())); |
1414 | EVP_MD_CTX_cleanup(&digest_ctx); |
1415 | } |
1416 | |
1417 | TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { |
1418 | GenerateKey(AuthorizationSetBuilder() |
1419 | .RsaSigningKey(512, 3) |
1420 | .Digest(KM_DIGEST_SHA_2_256) |
1421 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); |
1422 | string message(1024, 'a'); |
1423 | string signature; |
1424 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1425 | ++signature[signature.size() / 2]; |
1426 | |
1427 | AuthorizationSet begin_params(client_params()); |
1428 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1429 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1430 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1431 | |
1432 | string result; |
1433 | size_t input_consumed; |
1434 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1435 | EXPECT_EQ(message.size(), input_consumed); |
1436 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1437 | |
1438 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1439 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1440 | } |
1441 | |
1442 | TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { |
1443 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1444 | .RsaSigningKey(512, 3) |
1445 | .Digest(KM_DIGEST_SHA_2_256) |
1446 | .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); |
1447 | // Use large message, which won't work without digesting. |
1448 | string message(1024, 'a'); |
1449 | string signature; |
1450 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1451 | ++message[message.size() / 2]; |
1452 | |
1453 | AuthorizationSet begin_params(client_params()); |
1454 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
1455 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); |
1456 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1457 | |
1458 | string result; |
1459 | size_t input_consumed; |
1460 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1461 | EXPECT_EQ(message.size(), input_consumed); |
1462 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1463 | |
1464 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1465 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1466 | } |
1467 | #endif |
1468 | #if CHECK_FAIL |
1469 | TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { |
1470 | vector<keymaster_digest_t> digests = { |
1471 | KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, |
1472 | KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, |
1473 | }; |
1474 | |
1475 | vector<keymaster_padding_t> padding_modes{ |
1476 | KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS, |
1477 | }; |
1478 | |
1479 | int trial_count = 0; |
1480 | for (keymaster_padding_t padding_mode : padding_modes) { |
1481 | for (keymaster_digest_t digest : digests) { |
1482 | if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) |
1483 | // Digesting requires padding |
1484 | continue; |
1485 | |
1486 | // Compute key & message size that will work. |
1487 | size_t key_bits = 0; |
1488 | size_t message_len = 1000; |
1489 | |
1490 | if (digest == KM_DIGEST_NONE) { |
1491 | key_bits = 256; |
1492 | switch (padding_mode) { |
1493 | case KM_PAD_NONE: |
1494 | // Match key size. |
1495 | message_len = key_bits / 8; |
1496 | break; |
1497 | case KM_PAD_RSA_PKCS1_1_5_SIGN: |
1498 | message_len = key_bits / 8 - 11; |
1499 | break; |
1500 | case KM_PAD_RSA_PSS: |
1501 | // PSS requires a digest. |
1502 | continue; |
1503 | default: |
1504 | FAIL() << "Missing padding"; |
1505 | break; |
1506 | } |
1507 | } else { |
1508 | size_t digest_bits; |
1509 | switch (digest) { |
1510 | case KM_DIGEST_MD5: |
1511 | digest_bits = 128; |
1512 | break; |
1513 | case KM_DIGEST_SHA1: |
1514 | digest_bits = 160; |
1515 | break; |
1516 | case KM_DIGEST_SHA_2_224: |
1517 | digest_bits = 224; |
1518 | break; |
1519 | case KM_DIGEST_SHA_2_256: |
1520 | digest_bits = 256; |
1521 | break; |
1522 | case KM_DIGEST_SHA_2_384: |
1523 | digest_bits = 384; |
1524 | break; |
1525 | case KM_DIGEST_SHA_2_512: |
1526 | digest_bits = 512; |
1527 | break; |
1528 | default: |
1529 | FAIL() << "Missing digest"; |
1530 | } |
1531 | |
1532 | switch (padding_mode) { |
1533 | case KM_PAD_RSA_PKCS1_1_5_SIGN: |
1534 | key_bits = digest_bits + 8 * (11 + 19); |
1535 | break; |
1536 | case KM_PAD_RSA_PSS: |
1537 | key_bits = digest_bits * 2 + 2 * 8; |
1538 | break; |
1539 | default: |
1540 | FAIL() << "Missing padding"; |
1541 | break; |
1542 | } |
1543 | } |
1544 | |
1545 | // round up to 128 bits because new boringssl supports only 128 bit mulitples |
1546 | key_bits += 127; |
1547 | key_bits &= ~127; |
1548 | GenerateKey(AuthorizationSetBuilder() |
1549 | .RsaSigningKey(key_bits, 3) |
1550 | .Digest(digest) |
1551 | .Padding(padding_mode)); |
1552 | string message(message_len, 'a'); |
1553 | string signature; |
1554 | SignMessage(message, &signature, digest, padding_mode); |
1555 | VerifyMessage(message, signature, digest, padding_mode); |
1556 | ++trial_count; |
1557 | } |
1558 | } |
1559 | |
1560 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1561 | EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); |
1562 | } |
1563 | #endif |
1564 | #if EC_TEST |
1565 | TEST_P(VerificationOperationsTest, EcdsaSuccess) { |
1566 | ASSERT_EQ(KM_ERROR_OK, |
1567 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); |
1568 | string message = "12345678901234567890123456789012"; |
1569 | string signature; |
1570 | SignMessage(message, &signature, KM_DIGEST_NONE); |
1571 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1572 | |
1573 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1574 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1575 | } |
1576 | |
1577 | TEST_P(VerificationOperationsTest, EcdsaTooShort) { |
1578 | ASSERT_EQ(KM_ERROR_OK, |
1579 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); |
1580 | string message = "12345678901234567890"; |
1581 | string signature; |
1582 | SignMessage(message, &signature, KM_DIGEST_NONE); |
1583 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1584 | |
1585 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1586 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1587 | } |
1588 | |
1589 | TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { |
1590 | ASSERT_EQ(KM_ERROR_OK, |
1591 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); |
1592 | |
1593 | string message(66, 'a'); |
1594 | string signature; |
1595 | SignMessage(message, &signature, KM_DIGEST_NONE); |
1596 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1597 | |
1598 | // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. |
1599 | message[65] ^= 7; |
1600 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1601 | |
1602 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1603 | EXPECT_EQ(5, GetParam()->keymaster0_calls()); |
1604 | } |
1605 | |
1606 | TEST_P(VerificationOperationsTest, EcdsaSha256Success) { |
1607 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1608 | .EcdsaSigningKey(256) |
1609 | .Digest(KM_DIGEST_SHA_2_256) |
1610 | .Digest(KM_DIGEST_NONE))); |
1611 | string message = "12345678901234567890123456789012"; |
1612 | string signature; |
1613 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256); |
1614 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); |
1615 | |
1616 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1617 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1618 | |
1619 | // Just for giggles, try verifying with the wrong digest. |
1620 | AuthorizationSet begin_params(client_params()); |
1621 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
1622 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1623 | |
1624 | string result; |
1625 | size_t input_consumed; |
1626 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1627 | EXPECT_EQ(message.size(), input_consumed); |
1628 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1629 | } |
1630 | |
1631 | TEST_P(VerificationOperationsTest, EcdsaSha224Success) { |
1632 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( |
1633 | KM_DIGEST_SHA_2_224))); |
1634 | |
1635 | string message = "12345678901234567890123456789012"; |
1636 | string signature; |
1637 | SignMessage(message, &signature, KM_DIGEST_SHA_2_224); |
1638 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); |
1639 | |
1640 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1641 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1642 | |
1643 | // Just for giggles, try verifying with the wrong digest. |
1644 | AuthorizationSet begin_params(client_params()); |
1645 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
1646 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1647 | |
1648 | string result; |
1649 | size_t input_consumed; |
1650 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1651 | EXPECT_EQ(message.size(), input_consumed); |
1652 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); |
1653 | } |
1654 | |
1655 | TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) { |
1656 | keymaster_digest_t digests[] = { |
1657 | KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, |
1658 | KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, |
1659 | }; |
1660 | size_t key_sizes[] = {224, 256, 384, 521}; |
1661 | |
1662 | string message = "1234567890"; |
1663 | string signature; |
1664 | |
1665 | for (auto key_size : key_sizes) { |
1666 | AuthorizationSetBuilder builder; |
1667 | builder.EcdsaSigningKey(key_size); |
1668 | for (auto digest : digests) |
1669 | builder.Digest(digest); |
1670 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder)); |
1671 | |
1672 | for (auto digest : digests) { |
1673 | SignMessage(message, &signature, digest); |
1674 | VerifyMessage(message, signature, digest); |
1675 | } |
1676 | } |
1677 | |
1678 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1679 | EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))), |
1680 | GetParam()->keymaster0_calls()); |
1681 | } |
1682 | #endif |
1683 | #if HMAC_TEST |
1684 | TEST_P(VerificationOperationsTest, HmacSha1Success) { |
1685 | if (GetParam()->minimal_digest_set()) |
1686 | // Can't emulate missing digests for HMAC. |
1687 | return; |
1688 | |
1689 | GenerateKey(AuthorizationSetBuilder() |
1690 | .HmacKey(128) |
1691 | .Digest(KM_DIGEST_SHA1) |
1692 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1693 | string message = "123456789012345678901234567890123456789012345678"; |
1694 | string signature; |
1695 | MacMessage(message, &signature, 160); |
1696 | VerifyMac(message, signature); |
1697 | |
1698 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1699 | } |
1700 | |
1701 | TEST_P(VerificationOperationsTest, HmacSha224Success) { |
1702 | if (GetParam()->minimal_digest_set()) |
1703 | // Can't emulate missing digests for HMAC. |
1704 | return; |
1705 | |
1706 | GenerateKey(AuthorizationSetBuilder() |
1707 | .HmacKey(128) |
1708 | .Digest(KM_DIGEST_SHA_2_224) |
1709 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1710 | string message = "123456789012345678901234567890123456789012345678"; |
1711 | string signature; |
1712 | MacMessage(message, &signature, 224); |
1713 | VerifyMac(message, signature); |
1714 | |
1715 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1716 | } |
1717 | |
1718 | TEST_P(VerificationOperationsTest, HmacSha256Success) { |
1719 | GenerateKey(AuthorizationSetBuilder() |
1720 | .HmacKey(128) |
1721 | .Digest(KM_DIGEST_SHA_2_256) |
1722 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1723 | string message = "123456789012345678901234567890123456789012345678"; |
1724 | string signature; |
1725 | MacMessage(message, &signature, 256); |
1726 | VerifyMac(message, signature); |
1727 | |
1728 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1729 | } |
1730 | |
1731 | TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) { |
1732 | GenerateKey(AuthorizationSetBuilder() |
1733 | .HmacKey(128) |
1734 | .Digest(KM_DIGEST_SHA_2_256) |
1735 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1736 | string message = "123456789012345678901234567890123456789012345678"; |
1737 | string signature; |
1738 | MacMessage(message, &signature, 256); |
1739 | |
1740 | // Shorten to 128 bits, should still work. |
1741 | signature.resize(128 / 8); |
1742 | VerifyMac(message, signature); |
1743 | |
1744 | // Drop one more byte. |
1745 | signature.resize(signature.length() - 1); |
1746 | |
1747 | AuthorizationSet begin_params(client_params()); |
1748 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); |
1749 | string result; |
1750 | size_t input_consumed; |
1751 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
1752 | EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result)); |
1753 | |
1754 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1755 | } |
1756 | |
1757 | TEST_P(VerificationOperationsTest, HmacSha384Success) { |
1758 | if (GetParam()->minimal_digest_set()) |
1759 | // Can't emulate missing digests for HMAC. |
1760 | return; |
1761 | |
1762 | GenerateKey(AuthorizationSetBuilder() |
1763 | .HmacKey(128) |
1764 | .Digest(KM_DIGEST_SHA_2_384) |
1765 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1766 | string message = "123456789012345678901234567890123456789012345678"; |
1767 | string signature; |
1768 | MacMessage(message, &signature, 384); |
1769 | VerifyMac(message, signature); |
1770 | |
1771 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1772 | } |
1773 | |
1774 | TEST_P(VerificationOperationsTest, HmacSha512Success) { |
1775 | if (GetParam()->minimal_digest_set()) |
1776 | // Can't emulate missing digests for HMAC. |
1777 | return; |
1778 | |
1779 | GenerateKey(AuthorizationSetBuilder() |
1780 | .HmacKey(128) |
1781 | .Digest(KM_DIGEST_SHA_2_512) |
1782 | .Authorization(TAG_MIN_MAC_LENGTH, 128)); |
1783 | string message = "123456789012345678901234567890123456789012345678"; |
1784 | string signature; |
1785 | MacMessage(message, &signature, 512); |
1786 | VerifyMac(message, signature); |
1787 | |
1788 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1789 | } |
1790 | #endif |
1791 | typedef Keymaster2Test ExportKeyTest; |
1792 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); |
1793 | #if RSA_TEST |
1794 | TEST_P(ExportKeyTest, RsaSuccess) { |
1795 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1796 | .RsaSigningKey(256, 3) |
1797 | .Digest(KM_DIGEST_NONE) |
1798 | .Padding(KM_PAD_NONE))); |
1799 | string export_data; |
1800 | ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); |
1801 | EXPECT_GT(export_data.length(), 0U); |
1802 | |
1803 | // TODO(swillden): Verify that the exported key is actually usable to verify signatures. |
1804 | |
1805 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1806 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
1807 | } |
1808 | #endif |
1809 | #if EC_TEST |
1810 | TEST_P(ExportKeyTest, EcdsaSuccess) { |
1811 | ASSERT_EQ(KM_ERROR_OK, |
1812 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); |
1813 | string export_data; |
1814 | ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); |
1815 | EXPECT_GT(export_data.length(), 0U); |
1816 | |
1817 | // TODO(swillden): Verify that the exported key is actually usable to verify signatures. |
1818 | |
1819 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1820 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
1821 | } |
1822 | #endif |
1823 | #if RSA_TEST |
1824 | TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { |
1825 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1826 | .RsaSigningKey(256, 3) |
1827 | .Digest(KM_DIGEST_NONE) |
1828 | .Padding(KM_PAD_NONE))); |
1829 | string export_data; |
1830 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); |
1831 | |
1832 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1833 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
1834 | } |
1835 | |
1836 | TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { |
1837 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
1838 | .RsaSigningKey(256, 3) |
1839 | .Digest(KM_DIGEST_NONE) |
1840 | .Padding(KM_PAD_NONE))); |
1841 | corrupt_key_blob(); |
1842 | string export_data; |
1843 | ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); |
1844 | |
1845 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1846 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
1847 | } |
1848 | #endif |
1849 | #if AES_TEST |
1850 | TEST_P(ExportKeyTest, AesKeyExportFails) { |
1851 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); |
1852 | string export_data; |
1853 | |
1854 | EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); |
1855 | EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); |
1856 | EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); |
1857 | |
1858 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1859 | } |
1860 | #endif |
1861 | static string read_file(const string& file_name) { |
1862 | ifstream file_stream(file_name, std::ios::binary); |
1863 | istreambuf_iterator<char> file_begin(file_stream); |
1864 | istreambuf_iterator<char> file_end; |
1865 | return string(file_begin, file_end); |
1866 | } |
1867 | |
1868 | typedef Keymaster2Test ImportKeyTest; |
1869 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); |
1870 | #if RSA_TEST |
1871 | TEST_P(ImportKeyTest, RsaSuccess) { |
1872 | string pk8_key = read_file("rsa_privkey_pk8.der"); |
1873 | ASSERT_EQ(633U, pk8_key.size()); |
1874 | |
1875 | ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() |
1876 | .RsaSigningKey(1024, 65537) |
1877 | .Digest(KM_DIGEST_NONE) |
1878 | .Padding(KM_PAD_NONE), |
1879 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1880 | |
1881 | // Check values derived from the key. |
1882 | EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
1883 | EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 1024)); |
1884 | EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 65537U)); |
1885 | |
1886 | // And values provided by AndroidKeymaster |
1887 | EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); |
1888 | EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); |
1889 | |
1890 | string message(1024 / 8, 'a'); |
1891 | string signature; |
1892 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
1893 | VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); |
1894 | |
1895 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
1896 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1897 | } |
1898 | #endif |
1899 | #if RSA_TEST |
1900 | TEST_P(ImportKeyTest, RsaKeySizeMismatch) { |
1901 | string pk8_key = read_file("rsa_privkey_pk8.der"); |
1902 | ASSERT_EQ(633U, pk8_key.size()); |
1903 | ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, |
1904 | ImportKey(AuthorizationSetBuilder() |
1905 | .RsaSigningKey(2048 /* Doesn't match key */, 3) |
1906 | .Digest(KM_DIGEST_NONE) |
1907 | .Padding(KM_PAD_NONE), |
1908 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1909 | |
1910 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1911 | } |
1912 | |
1913 | TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { |
1914 | string pk8_key = read_file("rsa_privkey_pk8.der"); |
1915 | ASSERT_EQ(633U, pk8_key.size()); |
1916 | ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, |
1917 | ImportKey(AuthorizationSetBuilder() |
1918 | .RsaSigningKey(256, 3 /* Doesnt' match key */) |
1919 | .Digest(KM_DIGEST_NONE) |
1920 | .Padding(KM_PAD_NONE), |
1921 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1922 | |
1923 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1924 | } |
1925 | #endif |
1926 | #if EC_TEST |
1927 | TEST_P(ImportKeyTest, EcdsaSuccess) { |
1928 | string pk8_key = read_file("ec_privkey_pk8.der"); |
1929 | ASSERT_EQ(138U, pk8_key.size()); |
1930 | |
1931 | ASSERT_EQ(KM_ERROR_OK, |
1932 | ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), |
1933 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1934 | |
1935 | // Check values derived from the key. |
1936 | EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC)); |
1937 | EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 256)); |
1938 | |
1939 | // And values provided by AndroidKeymaster |
1940 | EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); |
1941 | EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); |
1942 | |
1943 | string message(32, 'a'); |
1944 | string signature; |
1945 | SignMessage(message, &signature, KM_DIGEST_NONE); |
1946 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1947 | |
1948 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1949 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1950 | } |
1951 | |
1952 | TEST_P(ImportKeyTest, EcdsaSizeSpecified) { |
1953 | string pk8_key = read_file("ec_privkey_pk8.der"); |
1954 | ASSERT_EQ(138U, pk8_key.size()); |
1955 | |
1956 | ASSERT_EQ(KM_ERROR_OK, |
1957 | ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), |
1958 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1959 | |
1960 | // Check values derived from the key. |
1961 | EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC)); |
1962 | EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 256)); |
1963 | |
1964 | // And values provided by AndroidKeymaster |
1965 | EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); |
1966 | EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); |
1967 | |
1968 | string message(32, 'a'); |
1969 | string signature; |
1970 | SignMessage(message, &signature, KM_DIGEST_NONE); |
1971 | VerifyMessage(message, signature, KM_DIGEST_NONE); |
1972 | |
1973 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
1974 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
1975 | } |
1976 | |
1977 | TEST_P(ImportKeyTest, EcdsaSizeMismatch) { |
1978 | string pk8_key = read_file("ec_privkey_pk8.der"); |
1979 | ASSERT_EQ(138U, pk8_key.size()); |
1980 | ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, |
1981 | ImportKey(AuthorizationSetBuilder() |
1982 | .EcdsaSigningKey(224 /* Doesn't match key */) |
1983 | .Digest(KM_DIGEST_NONE), |
1984 | KM_KEY_FORMAT_PKCS8, pk8_key)); |
1985 | |
1986 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
1987 | } |
1988 | #endif |
1989 | #if AES_TEST |
1990 | TEST_P(ImportKeyTest, AesKeySuccess) { |
1991 | char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; |
1992 | string key(key_data, sizeof(key_data)); |
1993 | ASSERT_EQ(KM_ERROR_OK, |
1994 | ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( |
1995 | TAG_PADDING, KM_PAD_PKCS7), |
1996 | KM_KEY_FORMAT_RAW, key)); |
1997 | |
1998 | EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); |
1999 | EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); |
2000 | |
2001 | string message = "Hello World!"; |
2002 | string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); |
2003 | string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); |
2004 | EXPECT_EQ(message, plaintext); |
2005 | |
2006 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2007 | } |
2008 | #endif |
2009 | #if HMAC_TEST |
2010 | TEST_P(ImportKeyTest, HmacSha256KeySuccess) { |
2011 | char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; |
2012 | string key(key_data, sizeof(key_data)); |
2013 | ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() |
2014 | .HmacKey(sizeof(key_data) * 8) |
2015 | .Digest(KM_DIGEST_SHA_2_256) |
2016 | .Authorization(TAG_MIN_MAC_LENGTH, 256), |
2017 | KM_KEY_FORMAT_RAW, key)); |
2018 | |
2019 | EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); |
2020 | EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); |
2021 | |
2022 | string message = "Hello World!"; |
2023 | string signature; |
2024 | MacMessage(message, &signature, 256); |
2025 | VerifyMac(message, signature); |
2026 | |
2027 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2028 | } |
2029 | #endif |
2030 | typedef Keymaster2Test EncryptionOperationsTest; |
2031 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); |
2032 | #if RSA_TEST |
2033 | TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { |
2034 | ASSERT_EQ(KM_ERROR_OK, |
2035 | GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); |
2036 | |
2037 | string message = "12345678901234567890123456789012"; |
2038 | string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); |
2039 | EXPECT_EQ(256U / 8, ciphertext1.size()); |
2040 | |
2041 | string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); |
2042 | EXPECT_EQ(256U / 8, ciphertext2.size()); |
2043 | |
2044 | // Unpadded RSA is deterministic |
2045 | EXPECT_EQ(ciphertext1, ciphertext2); |
2046 | |
2047 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2048 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2049 | } |
2050 | |
2051 | TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { |
2052 | ASSERT_EQ(KM_ERROR_OK, |
2053 | GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); |
2054 | |
2055 | string message = "1"; |
2056 | |
2057 | string ciphertext = EncryptMessage(message, KM_PAD_NONE); |
2058 | EXPECT_EQ(256U / 8, ciphertext.size()); |
2059 | |
2060 | string expected_plaintext = string(256 / 8 - 1, 0) + message; |
2061 | string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE); |
2062 | |
2063 | EXPECT_EQ(expected_plaintext, plaintext); |
2064 | |
2065 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2066 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2067 | } |
2068 | |
2069 | TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { |
2070 | ASSERT_EQ(KM_ERROR_OK, |
2071 | GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); |
2072 | |
2073 | string message = "123456789012345678901234567890123"; |
2074 | |
2075 | AuthorizationSet begin_params(client_params()); |
2076 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2077 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2078 | |
2079 | string result; |
2080 | size_t input_consumed; |
2081 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); |
2082 | |
2083 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2084 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
2085 | } |
2086 | |
2087 | TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) { |
2088 | ASSERT_EQ(KM_ERROR_OK, |
2089 | GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); |
2090 | |
2091 | string exported; |
2092 | ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported)); |
2093 | |
2094 | const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data()); |
2095 | unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( |
2096 | d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size())); |
2097 | unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get())); |
2098 | |
2099 | size_t modulus_len = BN_num_bytes(rsa->n); |
2100 | ASSERT_EQ(256U / 8, modulus_len); |
2101 | unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]); |
2102 | BN_bn2bin(rsa->n, modulus_buf.get()); |
2103 | |
2104 | // The modulus is too big to encrypt. |
2105 | string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); |
2106 | |
2107 | AuthorizationSet begin_params(client_params()); |
2108 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2109 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2110 | |
2111 | string result; |
2112 | size_t input_consumed; |
2113 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
2114 | EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); |
2115 | |
2116 | // One smaller than the modulus is okay. |
2117 | BN_sub(rsa->n, rsa->n, BN_value_one()); |
2118 | modulus_len = BN_num_bytes(rsa->n); |
2119 | ASSERT_EQ(256U / 8, modulus_len); |
2120 | BN_bn2bin(rsa->n, modulus_buf.get()); |
2121 | message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); |
2122 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2123 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
2124 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result)); |
2125 | |
2126 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2127 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2128 | } |
2129 | #endif |
2130 | #if RSA_TEST |
2131 | TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { |
2132 | size_t key_size = 768; |
2133 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2134 | .RsaEncryptionKey(key_size, 3) |
2135 | .Padding(KM_PAD_RSA_OAEP) |
2136 | .Digest(KM_DIGEST_SHA_2_256))); |
2137 | |
2138 | string message = "Hello"; |
2139 | string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2140 | EXPECT_EQ(key_size / 8, ciphertext1.size()); |
2141 | |
2142 | string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2143 | EXPECT_EQ(key_size / 8, ciphertext2.size()); |
2144 | |
2145 | // OAEP randomizes padding so every result should be different. |
2146 | EXPECT_NE(ciphertext1, ciphertext2); |
2147 | |
2148 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2149 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2150 | } |
2151 | #endif |
2152 | #if RSA_TEST |
2153 | TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) { |
2154 | size_t key_size = 768; |
2155 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2156 | .RsaEncryptionKey(key_size, 3) |
2157 | .Padding(KM_PAD_RSA_OAEP) |
2158 | .Digest(KM_DIGEST_SHA_2_224))); |
2159 | |
2160 | string message = "Hello"; |
2161 | string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); |
2162 | EXPECT_EQ(key_size / 8, ciphertext1.size()); |
2163 | |
2164 | string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); |
2165 | EXPECT_EQ(key_size / 8, ciphertext2.size()); |
2166 | |
2167 | // OAEP randomizes padding so every result should be different. |
2168 | EXPECT_NE(ciphertext1, ciphertext2); |
2169 | |
2170 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2171 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2172 | } |
2173 | |
2174 | TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { |
2175 | size_t key_size = 768; |
2176 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2177 | .RsaEncryptionKey(key_size, 3) |
2178 | .Padding(KM_PAD_RSA_OAEP) |
2179 | .Digest(KM_DIGEST_SHA_2_256))); |
2180 | string message = "Hello World!"; |
2181 | string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2182 | EXPECT_EQ(key_size / 8, ciphertext.size()); |
2183 | |
2184 | string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2185 | EXPECT_EQ(message, plaintext); |
2186 | |
2187 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2188 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2189 | } |
2190 | |
2191 | TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) { |
2192 | size_t key_size = 768; |
2193 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2194 | .RsaEncryptionKey(key_size, 3) |
2195 | .Padding(KM_PAD_RSA_OAEP) |
2196 | .Digest(KM_DIGEST_SHA_2_224))); |
2197 | string message = "Hello World!"; |
2198 | string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); |
2199 | EXPECT_EQ(key_size / 8, ciphertext.size()); |
2200 | |
2201 | string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); |
2202 | EXPECT_EQ(message, plaintext); |
2203 | |
2204 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2205 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2206 | } |
2207 | |
2208 | TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { |
2209 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2210 | .RsaEncryptionKey(512, 3) |
2211 | .Padding(KM_PAD_RSA_OAEP) |
2212 | .Digest(KM_DIGEST_NONE))); |
2213 | string message = "Hello World!"; |
2214 | |
2215 | AuthorizationSet begin_params(client_params()); |
2216 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); |
2217 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); |
2218 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2219 | |
2220 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2221 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
2222 | } |
2223 | |
2224 | TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) { |
2225 | if (GetParam()->minimal_digest_set()) |
2226 | // We don't have two supported digests, so we can't try authorizing one and using another. |
2227 | return; |
2228 | |
2229 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2230 | .RsaEncryptionKey(512, 3) |
2231 | .Padding(KM_PAD_RSA_OAEP) |
2232 | .Digest(KM_DIGEST_SHA_2_256))); |
2233 | string message = "Hello World!"; |
2234 | // Works because encryption is a public key operation. |
2235 | EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP); |
2236 | |
2237 | AuthorizationSet begin_params(client_params()); |
2238 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); |
2239 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); |
2240 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2241 | |
2242 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2243 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2244 | } |
2245 | |
2246 | TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { |
2247 | if (GetParam()->minimal_digest_set()) |
2248 | // We don't have two supported digests, so we can't try encrypting with one and decrypting |
2249 | // with another. |
2250 | return; |
2251 | |
2252 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2253 | .RsaEncryptionKey(768, 3) |
2254 | .Padding(KM_PAD_RSA_OAEP) |
2255 | .Digest(KM_DIGEST_SHA_2_256) |
2256 | .Digest(KM_DIGEST_SHA_2_384))); |
2257 | string message = "Hello World!"; |
2258 | string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2259 | |
2260 | string result; |
2261 | size_t input_consumed; |
2262 | AuthorizationSet begin_params(client_params()); |
2263 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); |
2264 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384); |
2265 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2266 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); |
2267 | EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); |
2268 | EXPECT_EQ(0U, result.size()); |
2269 | |
2270 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2271 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2272 | } |
2273 | |
2274 | TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { |
2275 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2276 | .RsaEncryptionKey(512, 3) |
2277 | .Padding(KM_PAD_RSA_OAEP) |
2278 | .Digest(KM_DIGEST_SHA1))); |
2279 | string message = "12345678901234567890123"; |
2280 | string result; |
2281 | size_t input_consumed; |
2282 | |
2283 | AuthorizationSet begin_params(client_params()); |
2284 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); |
2285 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); |
2286 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2287 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
2288 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); |
2289 | EXPECT_EQ(0U, result.size()); |
2290 | |
2291 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2292 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
2293 | } |
2294 | |
2295 | TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { |
2296 | size_t key_size = 768; |
2297 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2298 | .RsaEncryptionKey(768, 3) |
2299 | .Padding(KM_PAD_RSA_OAEP) |
2300 | .Digest(KM_DIGEST_SHA_2_256))); |
2301 | string message = "Hello World!"; |
2302 | string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); |
2303 | EXPECT_EQ(key_size / 8, ciphertext.size()); |
2304 | |
2305 | // Corrupt the ciphertext |
2306 | ciphertext[key_size / 8 / 2]++; |
2307 | |
2308 | string result; |
2309 | size_t input_consumed; |
2310 | AuthorizationSet begin_params(client_params()); |
2311 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); |
2312 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
2313 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2314 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); |
2315 | EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); |
2316 | EXPECT_EQ(0U, result.size()); |
2317 | |
2318 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2319 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2320 | } |
2321 | #endif |
2322 | #if RSA_TEST |
2323 | TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { |
2324 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( |
2325 | KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); |
2326 | string message = "Hello World!"; |
2327 | string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2328 | EXPECT_EQ(512U / 8, ciphertext1.size()); |
2329 | |
2330 | string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2331 | EXPECT_EQ(512U / 8, ciphertext2.size()); |
2332 | |
2333 | // PKCS1 v1.5 randomizes padding so every result should be different. |
2334 | EXPECT_NE(ciphertext1, ciphertext2); |
2335 | |
2336 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2337 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2338 | } |
2339 | |
2340 | TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { |
2341 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( |
2342 | KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); |
2343 | string message = "Hello World!"; |
2344 | string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2345 | EXPECT_EQ(512U / 8, ciphertext.size()); |
2346 | |
2347 | string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2348 | EXPECT_EQ(message, plaintext); |
2349 | |
2350 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2351 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2352 | } |
2353 | #endif |
2354 | #if CHECK_FAIL |
2355 | TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) { |
2356 | size_t key_size = 2048; |
2357 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2358 | .RsaEncryptionKey(key_size, 3) |
2359 | .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) |
2360 | .Padding(KM_PAD_RSA_OAEP) |
2361 | .Digest(KM_DIGEST_NONE) |
2362 | .Digest(KM_DIGEST_MD5) |
2363 | .Digest(KM_DIGEST_SHA1) |
2364 | .Digest(KM_DIGEST_SHA_2_224) |
2365 | .Digest(KM_DIGEST_SHA_2_256) |
2366 | .Digest(KM_DIGEST_SHA_2_384) |
2367 | .Digest(KM_DIGEST_SHA_2_512))); |
2368 | |
2369 | string message = "Hello World!"; |
2370 | |
2371 | keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; |
2372 | keymaster_digest_t digests[] = { |
2373 | KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, |
2374 | KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, |
2375 | }; |
2376 | |
2377 | for (auto padding : padding_modes) |
2378 | for (auto digest : digests) { |
2379 | if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE) |
2380 | // OAEP requires a digest. |
2381 | continue; |
2382 | |
2383 | string ciphertext = EncryptMessage(message, digest, padding); |
2384 | EXPECT_EQ(key_size / 8, ciphertext.size()); |
2385 | |
2386 | string plaintext = DecryptMessage(ciphertext, digest, padding); |
2387 | EXPECT_EQ(message, plaintext); |
2388 | } |
2389 | |
2390 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2391 | EXPECT_EQ(40, GetParam()->keymaster0_calls()); |
2392 | } |
2393 | #endif |
2394 | #if RSA_TEST |
2395 | TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { |
2396 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( |
2397 | KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); |
2398 | string message = "123456789012345678901234567890123456789012345678901234"; |
2399 | string result; |
2400 | size_t input_consumed; |
2401 | |
2402 | AuthorizationSet begin_params(client_params()); |
2403 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2404 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2405 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); |
2406 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); |
2407 | EXPECT_EQ(0U, result.size()); |
2408 | |
2409 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2410 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
2411 | } |
2412 | |
2413 | TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { |
2414 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( |
2415 | KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); |
2416 | string message = "Hello World!"; |
2417 | string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2418 | EXPECT_EQ(512U / 8, ciphertext.size()); |
2419 | |
2420 | // Corrupt the ciphertext |
2421 | ciphertext[512 / 8 / 2]++; |
2422 | |
2423 | string result; |
2424 | size_t input_consumed; |
2425 | AuthorizationSet begin_params(client_params()); |
2426 | begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); |
2427 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2428 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); |
2429 | EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); |
2430 | EXPECT_EQ(0U, result.size()); |
2431 | |
2432 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2433 | EXPECT_EQ(4, GetParam()->keymaster0_calls()); |
2434 | } |
2435 | |
2436 | TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { |
2437 | ASSERT_EQ(KM_ERROR_OK, |
2438 | GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); |
2439 | |
2440 | AuthorizationSet begin_params(client_params()); |
2441 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2442 | ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2443 | |
2444 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
2445 | EXPECT_EQ(2, GetParam()->keymaster0_calls()); |
2446 | } |
2447 | #endif |
2448 | #if EC_TEST |
2449 | TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { |
2450 | ASSERT_EQ(KM_ERROR_OK, |
2451 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); |
2452 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); |
2453 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); |
2454 | |
2455 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
2456 | EXPECT_EQ(3, GetParam()->keymaster0_calls()); |
2457 | } |
2458 | #endif |
2459 | #if HMAC_TEST |
2460 | TEST_P(EncryptionOperationsTest, HmacEncrypt) { |
2461 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2462 | .HmacKey(128) |
2463 | .Digest(KM_DIGEST_SHA_2_256) |
2464 | .Padding(KM_PAD_NONE) |
2465 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
2466 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); |
2467 | ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); |
2468 | |
2469 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2470 | } |
2471 | #endif |
2472 | #if AES_TEST |
2473 | TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { |
2474 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2475 | .AesEncryptionKey(128) |
2476 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
2477 | .Padding(KM_PAD_NONE))); |
2478 | // Two-block message. |
2479 | string message = "12345678901234567890123456789012"; |
2480 | string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
2481 | EXPECT_EQ(message.size(), ciphertext1.size()); |
2482 | |
2483 | string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); |
2484 | EXPECT_EQ(message.size(), ciphertext2.size()); |
2485 | |
2486 | // ECB is deterministic. |
2487 | EXPECT_EQ(ciphertext1, ciphertext2); |
2488 | |
2489 | string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); |
2490 | EXPECT_EQ(message, plaintext); |
2491 | |
2492 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2493 | } |
2494 | |
2495 | TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { |
2496 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2497 | .AesEncryptionKey(128) |
2498 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2499 | .Padding(KM_PAD_NONE))); |
2500 | // Two-block message. |
2501 | string message = "12345678901234567890123456789012"; |
2502 | AuthorizationSet begin_params(client_params()); |
2503 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
2504 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2505 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2506 | |
2507 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2508 | } |
2509 | |
2510 | TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { |
2511 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2512 | .AesEncryptionKey(128) |
2513 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
2514 | .Padding(KM_PAD_NONE))); |
2515 | // Message is slightly shorter than two blocks. |
2516 | string message = "1234567890123456789012345678901"; |
2517 | |
2518 | AuthorizationSet begin_params(client_params()); |
2519 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
2520 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2521 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2522 | string ciphertext; |
2523 | size_t input_consumed; |
2524 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); |
2525 | EXPECT_EQ(message.size(), input_consumed); |
2526 | EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); |
2527 | |
2528 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2529 | } |
2530 | #endif |
2531 | #if AES_TEST |
2532 | TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { |
2533 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2534 | .AesEncryptionKey(128) |
2535 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
2536 | .Authorization(TAG_PADDING, KM_PAD_PKCS7))); |
2537 | |
2538 | // Try various message lengths; all should work. |
2539 | for (size_t i = 0; i < 32; ++i) { |
2540 | string message(i, 'a'); |
2541 | string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); |
2542 | EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); |
2543 | string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); |
2544 | EXPECT_EQ(message, plaintext); |
2545 | } |
2546 | |
2547 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2548 | } |
2549 | #endif |
2550 | #if AES_TEST |
2551 | TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { |
2552 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2553 | .AesEncryptionKey(128) |
2554 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
2555 | .Authorization(TAG_PADDING, KM_PAD_NONE))); |
2556 | |
2557 | // Try various message lengths; all should fail. |
2558 | for (size_t i = 0; i < 32; ++i) { |
2559 | AuthorizationSet begin_params(client_params()); |
2560 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
2561 | begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); |
2562 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, |
2563 | BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2564 | } |
2565 | |
2566 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2567 | } |
2568 | #endif |
2569 | |
2570 | #if AES_TEST |
2571 | TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { |
2572 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2573 | .AesEncryptionKey(128) |
2574 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
2575 | .Authorization(TAG_PADDING, KM_PAD_PKCS7))); |
2576 | |
2577 | string message = "a"; |
2578 | string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); |
2579 | EXPECT_EQ(16U, ciphertext.size()); |
2580 | EXPECT_NE(ciphertext, message); |
2581 | ++ciphertext[ciphertext.size() / 2]; |
2582 | |
2583 | AuthorizationSet begin_params(client_params()); |
2584 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
2585 | begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); |
2586 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2587 | string plaintext; |
2588 | size_t input_consumed; |
2589 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); |
2590 | EXPECT_EQ(ciphertext.size(), input_consumed); |
2591 | EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); |
2592 | |
2593 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2594 | } |
2595 | #endif |
2596 | |
2597 | #if AES_TEST |
2598 | TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { |
2599 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2600 | .AesEncryptionKey(128) |
2601 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) |
2602 | .Padding(KM_PAD_NONE))); |
2603 | string message = "123"; |
2604 | string iv1; |
2605 | string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); |
2606 | EXPECT_EQ(message.size(), ciphertext1.size()); |
2607 | EXPECT_EQ(16U, iv1.size()); |
2608 | |
2609 | string iv2; |
2610 | string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); |
2611 | EXPECT_EQ(message.size(), ciphertext2.size()); |
2612 | EXPECT_EQ(16U, iv2.size()); |
2613 | |
2614 | // IVs should be random, so ciphertexts should differ. |
2615 | EXPECT_NE(iv1, iv2); |
2616 | EXPECT_NE(ciphertext1, ciphertext2); |
2617 | |
2618 | string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); |
2619 | EXPECT_EQ(message, plaintext); |
2620 | |
2621 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2622 | } |
2623 | |
2624 | TEST_P(EncryptionOperationsTest, AesCtrIncremental) { |
2625 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2626 | .AesEncryptionKey(128) |
2627 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) |
2628 | .Padding(KM_PAD_NONE))); |
2629 | |
2630 | int increment = 15; |
2631 | string message(239, 'a'); |
2632 | AuthorizationSet input_params(client_params()); |
2633 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); |
2634 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2635 | AuthorizationSet output_params; |
2636 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); |
2637 | |
2638 | string ciphertext; |
2639 | size_t input_consumed; |
2640 | for (size_t i = 0; i < message.size(); i += increment) |
2641 | EXPECT_EQ(KM_ERROR_OK, |
2642 | UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); |
2643 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
2644 | EXPECT_EQ(message.size(), ciphertext.size()); |
2645 | |
2646 | // Move TAG_NONCE into input_params |
2647 | input_params.Reinitialize(output_params); |
2648 | input_params.push_back(client_params()); |
2649 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); |
2650 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2651 | output_params.Clear(); |
2652 | |
2653 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); |
2654 | string plaintext; |
2655 | for (size_t i = 0; i < ciphertext.size(); i += increment) |
2656 | EXPECT_EQ(KM_ERROR_OK, |
2657 | UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); |
2658 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
2659 | EXPECT_EQ(ciphertext.size(), plaintext.size()); |
2660 | EXPECT_EQ(message, plaintext); |
2661 | |
2662 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2663 | } |
2664 | |
2665 | struct AesCtrSp80038aTestVector { |
2666 | const char* key; |
2667 | const char* nonce; |
2668 | const char* plaintext; |
2669 | const char* ciphertext; |
2670 | }; |
2671 | |
2672 | // These test vectors are taken from |
2673 | // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. |
2674 | static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { |
2675 | // AES-128 |
2676 | { |
2677 | "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
2678 | "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" |
2679 | "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", |
2680 | "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" |
2681 | "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", |
2682 | }, |
2683 | // AES-192 |
2684 | { |
2685 | "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
2686 | "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" |
2687 | "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", |
2688 | "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" |
2689 | "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", |
2690 | }, |
2691 | // AES-256 |
2692 | { |
2693 | "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", |
2694 | "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", |
2695 | "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" |
2696 | "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", |
2697 | "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" |
2698 | "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", |
2699 | }, |
2700 | }; |
2701 | |
2702 | TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { |
2703 | for (size_t i = 0; i < 3; i++) { |
2704 | const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); |
2705 | const string key = hex2str(test.key); |
2706 | const string nonce = hex2str(test.nonce); |
2707 | const string plaintext = hex2str(test.plaintext); |
2708 | const string ciphertext = hex2str(test.ciphertext); |
2709 | CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); |
2710 | } |
2711 | |
2712 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2713 | } |
2714 | |
2715 | TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { |
2716 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2717 | .AesEncryptionKey(128) |
2718 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) |
2719 | .Authorization(TAG_PADDING, KM_PAD_PKCS7))); |
2720 | AuthorizationSet begin_params(client_params()); |
2721 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); |
2722 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2723 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
2724 | |
2725 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2726 | } |
2727 | |
2728 | TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { |
2729 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2730 | .AesEncryptionKey(128) |
2731 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) |
2732 | .Authorization(TAG_CALLER_NONCE) |
2733 | .Padding(KM_PAD_NONE))); |
2734 | |
2735 | AuthorizationSet input_params(client_params()); |
2736 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); |
2737 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2738 | input_params.push_back(TAG_NONCE, "123", 3); |
2739 | EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); |
2740 | |
2741 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2742 | } |
2743 | |
2744 | TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { |
2745 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2746 | .AesEncryptionKey(128) |
2747 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2748 | .Padding(KM_PAD_NONE))); |
2749 | // Two-block message. |
2750 | string message = "12345678901234567890123456789012"; |
2751 | string iv1; |
2752 | string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); |
2753 | EXPECT_EQ(message.size(), ciphertext1.size()); |
2754 | |
2755 | string iv2; |
2756 | string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); |
2757 | EXPECT_EQ(message.size(), ciphertext2.size()); |
2758 | |
2759 | // IVs should be random, so ciphertexts should differ. |
2760 | EXPECT_NE(iv1, iv2); |
2761 | EXPECT_NE(ciphertext1, ciphertext2); |
2762 | |
2763 | string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); |
2764 | EXPECT_EQ(message, plaintext); |
2765 | |
2766 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2767 | } |
2768 | |
2769 | TEST_P(EncryptionOperationsTest, AesCallerNonce) { |
2770 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2771 | .AesEncryptionKey(128) |
2772 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2773 | .Authorization(TAG_CALLER_NONCE) |
2774 | .Padding(KM_PAD_NONE))); |
2775 | string message = "12345678901234567890123456789012"; |
2776 | string iv1; |
2777 | // Don't specify nonce, should get a random one. |
2778 | string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); |
2779 | EXPECT_EQ(message.size(), ciphertext1.size()); |
2780 | EXPECT_EQ(16U, iv1.size()); |
2781 | |
2782 | string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); |
2783 | EXPECT_EQ(message, plaintext); |
2784 | |
2785 | // Now specify a nonce, should also work. |
2786 | AuthorizationSet input_params(client_params()); |
2787 | AuthorizationSet update_params; |
2788 | AuthorizationSet output_params; |
2789 | input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); |
2790 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); |
2791 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2792 | string ciphertext2 = |
2793 | ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); |
2794 | |
2795 | // Decrypt with correct nonce. |
2796 | plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, |
2797 | &output_params); |
2798 | EXPECT_EQ(message, plaintext); |
2799 | |
2800 | // Now try with wrong nonce. |
2801 | input_params.Reinitialize(client_params()); |
2802 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); |
2803 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2804 | input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); |
2805 | plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, |
2806 | &output_params); |
2807 | EXPECT_NE(message, plaintext); |
2808 | |
2809 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2810 | } |
2811 | |
2812 | TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { |
2813 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2814 | .AesEncryptionKey(128) |
2815 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2816 | .Padding(KM_PAD_NONE))); |
2817 | |
2818 | string message = "12345678901234567890123456789012"; |
2819 | string iv1; |
2820 | // Don't specify nonce, should get a random one. |
2821 | string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); |
2822 | EXPECT_EQ(message.size(), ciphertext1.size()); |
2823 | EXPECT_EQ(16U, iv1.size()); |
2824 | |
2825 | string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); |
2826 | EXPECT_EQ(message, plaintext); |
2827 | |
2828 | // Now specify a nonce, should fail. |
2829 | AuthorizationSet input_params(client_params()); |
2830 | AuthorizationSet update_params; |
2831 | AuthorizationSet output_params; |
2832 | input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); |
2833 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); |
2834 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2835 | |
2836 | EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, |
2837 | BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); |
2838 | |
2839 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2840 | } |
2841 | |
2842 | TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { |
2843 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2844 | .AesEncryptionKey(128) |
2845 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2846 | .Padding(KM_PAD_NONE))); |
2847 | |
2848 | int increment = 15; |
2849 | string message(240, 'a'); |
2850 | AuthorizationSet input_params(client_params()); |
2851 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); |
2852 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2853 | AuthorizationSet output_params; |
2854 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); |
2855 | |
2856 | string ciphertext; |
2857 | size_t input_consumed; |
2858 | for (size_t i = 0; i < message.size(); i += increment) |
2859 | EXPECT_EQ(KM_ERROR_OK, |
2860 | UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); |
2861 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
2862 | EXPECT_EQ(message.size(), ciphertext.size()); |
2863 | |
2864 | // Move TAG_NONCE into input_params |
2865 | input_params.Reinitialize(output_params); |
2866 | input_params.push_back(client_params()); |
2867 | input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); |
2868 | input_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2869 | output_params.Clear(); |
2870 | |
2871 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); |
2872 | string plaintext; |
2873 | for (size_t i = 0; i < ciphertext.size(); i += increment) |
2874 | EXPECT_EQ(KM_ERROR_OK, |
2875 | UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); |
2876 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
2877 | EXPECT_EQ(ciphertext.size(), plaintext.size()); |
2878 | EXPECT_EQ(message, plaintext); |
2879 | |
2880 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2881 | } |
2882 | #endif |
2883 | |
2884 | #if AES_TEST |
2885 | TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { |
2886 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2887 | .AesEncryptionKey(128) |
2888 | .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) |
2889 | .Authorization(TAG_PADDING, KM_PAD_PKCS7))); |
2890 | |
2891 | // Try various message lengths; all should work. |
2892 | for (size_t i = 0; i < 32; ++i) { |
2893 | string message(i, 'a'); |
2894 | string iv; |
2895 | string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); |
2896 | EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); |
2897 | string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); |
2898 | EXPECT_EQ(message, plaintext); |
2899 | } |
2900 | |
2901 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2902 | } |
2903 | #endif |
2904 | #if AES_TEST |
2905 | TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { |
2906 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2907 | .AesEncryptionKey(128) |
2908 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
2909 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
2910 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
2911 | string aad = "foobar"; |
2912 | string message = "123456789012345678901234567890123456"; |
2913 | AuthorizationSet begin_params(client_params()); |
2914 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
2915 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2916 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
2917 | |
2918 | AuthorizationSet update_params; |
2919 | update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); |
2920 | |
2921 | // Encrypt |
2922 | AuthorizationSet begin_out_params; |
2923 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
2924 | string ciphertext; |
2925 | size_t input_consumed; |
2926 | AuthorizationSet update_out_params; |
2927 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
2928 | &input_consumed)); |
2929 | EXPECT_EQ(message.size(), input_consumed); |
2930 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
2931 | |
2932 | // Grab nonce |
2933 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
2934 | begin_params.push_back(begin_out_params); |
2935 | |
2936 | // Decrypt. |
2937 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
2938 | string plaintext; |
2939 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
2940 | &plaintext, &input_consumed)); |
2941 | EXPECT_EQ(ciphertext.size(), input_consumed); |
2942 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
2943 | |
2944 | EXPECT_EQ(message, plaintext); |
2945 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2946 | } |
2947 | |
2948 | TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) { |
2949 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2950 | .AesEncryptionKey(128) |
2951 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
2952 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
2953 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
2954 | string aad = "foobar"; |
2955 | string message = "123456789012345678901234567890123456"; |
2956 | AuthorizationSet begin_params(client_params()); |
2957 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
2958 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2959 | begin_params.push_back(TAG_MAC_LENGTH, 96); |
2960 | |
2961 | AuthorizationSet update_params; |
2962 | update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); |
2963 | |
2964 | AuthorizationSet begin_out_params; |
2965 | EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, |
2966 | BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
2967 | |
2968 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
2969 | } |
2970 | |
2971 | TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { |
2972 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
2973 | .AesEncryptionKey(128) |
2974 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
2975 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
2976 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
2977 | string aad = "foobar"; |
2978 | string message = "123456789012345678901234567890123456"; |
2979 | AuthorizationSet begin_params(client_params()); |
2980 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
2981 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
2982 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
2983 | |
2984 | AuthorizationSet update_params; |
2985 | update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); |
2986 | |
2987 | // Encrypt |
2988 | AuthorizationSet begin_out_params; |
2989 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
2990 | string ciphertext; |
2991 | size_t input_consumed; |
2992 | AuthorizationSet update_out_params; |
2993 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
2994 | &input_consumed)); |
2995 | EXPECT_EQ(message.size(), input_consumed); |
2996 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
2997 | |
2998 | // Grab nonce |
2999 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3000 | begin_params.Reinitialize(client_params()); |
3001 | begin_params.push_back(begin_out_params); |
3002 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3003 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3004 | begin_params.push_back(TAG_MAC_LENGTH, 96); |
3005 | |
3006 | // Decrypt. |
3007 | EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3008 | |
3009 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3010 | } |
3011 | |
3012 | TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { |
3013 | uint8_t nonce[] = { |
3014 | 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, |
3015 | }; |
3016 | uint8_t ciphertext[] = { |
3017 | 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, |
3018 | 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, |
3019 | 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, |
3020 | 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, |
3021 | 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, |
3022 | }; |
3023 | string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); |
3024 | |
3025 | AuthorizationSet begin_params(client_params()); |
3026 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3027 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3028 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3029 | begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); |
3030 | |
3031 | string plaintext; |
3032 | size_t input_consumed; |
3033 | |
3034 | // Import correct key and decrypt |
3035 | uint8_t good_key[] = { |
3036 | 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, |
3037 | 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, |
3038 | }; |
3039 | string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); |
3040 | ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() |
3041 | .AesEncryptionKey(128) |
3042 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3043 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3044 | .Authorization(TAG_CALLER_NONCE) |
3045 | .Authorization(TAG_MIN_MAC_LENGTH, 128), |
3046 | KM_KEY_FORMAT_RAW, good_key_str)); |
3047 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3048 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); |
3049 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
3050 | |
3051 | // Import bad key and decrypt |
3052 | uint8_t bad_key[] = { |
3053 | 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, |
3054 | 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, |
3055 | }; |
3056 | string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); |
3057 | ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() |
3058 | .AesEncryptionKey(128) |
3059 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3060 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3061 | .Authorization(TAG_MIN_MAC_LENGTH, 128), |
3062 | KM_KEY_FORMAT_RAW, bad_key_str)); |
3063 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3064 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); |
3065 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); |
3066 | |
3067 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3068 | } |
3069 | |
3070 | TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { |
3071 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3072 | .AesEncryptionKey(128) |
3073 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3074 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3075 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3076 | string aad = "123456789012345678"; |
3077 | string empty_message; |
3078 | AuthorizationSet begin_params(client_params()); |
3079 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3080 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3081 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3082 | |
3083 | AuthorizationSet update_params; |
3084 | update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); |
3085 | |
3086 | // Encrypt |
3087 | AuthorizationSet begin_out_params; |
3088 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3089 | string ciphertext; |
3090 | size_t input_consumed; |
3091 | AuthorizationSet update_out_params; |
3092 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, |
3093 | &ciphertext, &input_consumed)); |
3094 | EXPECT_EQ(0U, input_consumed); |
3095 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3096 | |
3097 | // Grab nonce |
3098 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3099 | begin_params.push_back(begin_out_params); |
3100 | |
3101 | // Decrypt. |
3102 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3103 | string plaintext; |
3104 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
3105 | &plaintext, &input_consumed)); |
3106 | EXPECT_EQ(ciphertext.size(), input_consumed); |
3107 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
3108 | |
3109 | EXPECT_EQ(empty_message, plaintext); |
3110 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3111 | } |
3112 | #endif |
3113 | #if AES_TEST |
3114 | TEST_P(EncryptionOperationsTest, AesGcmIncremental) { |
3115 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3116 | .AesEncryptionKey(128) |
3117 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3118 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3119 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3120 | AuthorizationSet begin_params(client_params()); |
3121 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3122 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3123 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3124 | |
3125 | AuthorizationSet update_params; |
3126 | update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); |
3127 | |
3128 | // Encrypt |
3129 | AuthorizationSet begin_out_params; |
3130 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3131 | string ciphertext; |
3132 | size_t input_consumed; |
3133 | AuthorizationSet update_out_params; |
3134 | |
3135 | // Send AAD, incrementally |
3136 | for (int i = 0; i < 1000; ++i) { |
3137 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, |
3138 | &input_consumed)); |
3139 | EXPECT_EQ(0U, input_consumed); |
3140 | EXPECT_EQ(0U, ciphertext.size()); |
3141 | } |
3142 | |
3143 | // Now send data, incrementally, no data. |
3144 | AuthorizationSet empty_params; |
3145 | for (int i = 0; i < 1000; ++i) { |
3146 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, |
3147 | &input_consumed)); |
3148 | EXPECT_EQ(1U, input_consumed); |
3149 | } |
3150 | EXPECT_EQ(1000U, ciphertext.size()); |
3151 | |
3152 | // And finish. |
3153 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3154 | EXPECT_EQ(1016U, ciphertext.size()); |
3155 | |
3156 | // Grab nonce |
3157 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3158 | begin_params.push_back(begin_out_params); |
3159 | |
3160 | // Decrypt. |
3161 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3162 | string plaintext; |
3163 | |
3164 | // Send AAD, incrementally, no data |
3165 | for (int i = 0; i < 1000; ++i) { |
3166 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, |
3167 | &input_consumed)); |
3168 | EXPECT_EQ(0U, input_consumed); |
3169 | EXPECT_EQ(0U, plaintext.size()); |
3170 | } |
3171 | |
3172 | // Now send data, incrementally. |
3173 | for (size_t i = 0; i < ciphertext.length(); ++i) { |
3174 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), |
3175 | &update_out_params, &plaintext, &input_consumed)); |
3176 | EXPECT_EQ(1U, input_consumed); |
3177 | } |
3178 | EXPECT_EQ(1000U, plaintext.size()); |
3179 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
3180 | |
3181 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3182 | } |
3183 | |
3184 | TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { |
3185 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3186 | .AesEncryptionKey(128) |
3187 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3188 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3189 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3190 | string message = "123456789012345678901234567890123456"; |
3191 | AuthorizationSet begin_params(client_params()); |
3192 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3193 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3194 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3195 | AuthorizationSet begin_out_params; |
3196 | |
3197 | AuthorizationSet update_params; |
3198 | update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); |
3199 | |
3200 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3201 | |
3202 | // No data, AAD only. |
3203 | string ciphertext; |
3204 | size_t input_consumed; |
3205 | AuthorizationSet update_out_params; |
3206 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, |
3207 | &ciphertext, &input_consumed)); |
3208 | EXPECT_EQ(0U, input_consumed); |
3209 | |
3210 | // AAD and data. |
3211 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
3212 | &input_consumed)); |
3213 | EXPECT_EQ(message.size(), input_consumed); |
3214 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3215 | |
3216 | // Grab nonce. |
3217 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3218 | begin_params.push_back(begin_out_params); |
3219 | |
3220 | // Decrypt |
3221 | update_params.Clear(); |
3222 | update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); |
3223 | |
3224 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); |
3225 | string plaintext; |
3226 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
3227 | &plaintext, &input_consumed)); |
3228 | EXPECT_EQ(ciphertext.size(), input_consumed); |
3229 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); |
3230 | |
3231 | EXPECT_EQ(message, plaintext); |
3232 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3233 | } |
3234 | |
3235 | TEST_P(EncryptionOperationsTest, AesGcmBadAad) { |
3236 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3237 | .AesEncryptionKey(128) |
3238 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3239 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3240 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3241 | string message = "12345678901234567890123456789012"; |
3242 | AuthorizationSet begin_params(client_params()); |
3243 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3244 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3245 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3246 | |
3247 | AuthorizationSet update_params; |
3248 | update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); |
3249 | |
3250 | AuthorizationSet finish_params; |
3251 | AuthorizationSet finish_out_params; |
3252 | |
3253 | // Encrypt |
3254 | AuthorizationSet begin_out_params; |
3255 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3256 | AuthorizationSet update_out_params; |
3257 | string ciphertext; |
3258 | size_t input_consumed; |
3259 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
3260 | &input_consumed)); |
3261 | EXPECT_EQ(message.size(), input_consumed); |
3262 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3263 | |
3264 | // Grab nonce |
3265 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3266 | begin_params.push_back(begin_out_params); |
3267 | |
3268 | update_params.Clear(); |
3269 | update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); |
3270 | |
3271 | // Decrypt. |
3272 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); |
3273 | string plaintext; |
3274 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
3275 | &plaintext, &input_consumed)); |
3276 | EXPECT_EQ(ciphertext.size(), input_consumed); |
3277 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); |
3278 | |
3279 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3280 | } |
3281 | |
3282 | TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { |
3283 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3284 | .AesEncryptionKey(128) |
3285 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3286 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3287 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3288 | string message = "12345678901234567890123456789012"; |
3289 | AuthorizationSet begin_params(client_params()); |
3290 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3291 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3292 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3293 | |
3294 | AuthorizationSet update_params; |
3295 | update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); |
3296 | |
3297 | // Encrypt |
3298 | AuthorizationSet begin_out_params; |
3299 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3300 | AuthorizationSet update_out_params; |
3301 | string ciphertext; |
3302 | size_t input_consumed; |
3303 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
3304 | &input_consumed)); |
3305 | EXPECT_EQ(message.size(), input_consumed); |
3306 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3307 | |
3308 | begin_params.push_back(TAG_NONCE, "123456789012", 12); |
3309 | |
3310 | // Decrypt |
3311 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); |
3312 | string plaintext; |
3313 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
3314 | &plaintext, &input_consumed)); |
3315 | EXPECT_EQ(ciphertext.size(), input_consumed); |
3316 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); |
3317 | |
3318 | // With wrong nonce, should have gotten garbage plaintext. |
3319 | EXPECT_NE(message, plaintext); |
3320 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3321 | } |
3322 | #endif |
3323 | #if AES_TEST |
3324 | TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { |
3325 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3326 | .AesEncryptionKey(128) |
3327 | .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) |
3328 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3329 | .Authorization(TAG_MIN_MAC_LENGTH, 128))); |
3330 | string aad = "foobar"; |
3331 | string message = "123456789012345678901234567890123456"; |
3332 | AuthorizationSet begin_params(client_params()); |
3333 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); |
3334 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3335 | begin_params.push_back(TAG_MAC_LENGTH, 128); |
3336 | AuthorizationSet begin_out_params; |
3337 | |
3338 | AuthorizationSet update_params; |
3339 | update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); |
3340 | |
3341 | // Encrypt |
3342 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); |
3343 | AuthorizationSet update_out_params; |
3344 | string ciphertext; |
3345 | size_t input_consumed; |
3346 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, |
3347 | &input_consumed)); |
3348 | EXPECT_EQ(message.size(), input_consumed); |
3349 | EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); |
3350 | |
3351 | // Corrupt tag |
3352 | (*ciphertext.rbegin())++; |
3353 | |
3354 | // Grab nonce. |
3355 | EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); |
3356 | begin_params.push_back(begin_out_params); |
3357 | |
3358 | // Decrypt. |
3359 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); |
3360 | string plaintext; |
3361 | EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, |
3362 | &plaintext, &input_consumed)); |
3363 | EXPECT_EQ(ciphertext.size(), input_consumed); |
3364 | EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); |
3365 | |
3366 | EXPECT_EQ(message, plaintext); |
3367 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3368 | } |
3369 | #endif |
3370 | typedef Keymaster2Test MaxOperationsTest; |
3371 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); |
3372 | #if MAX_TEST |
3373 | TEST_P(MaxOperationsTest, TestLimit) { |
3374 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3375 | .AesEncryptionKey(128) |
3376 | .EcbMode() |
3377 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3378 | .Authorization(TAG_MAX_USES_PER_BOOT, 3))); |
3379 | |
3380 | string message = "1234567890123456"; |
3381 | string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3382 | string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3383 | string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3384 | |
3385 | // Fourth time should fail. |
3386 | AuthorizationSet begin_params(client_params()); |
3387 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
3388 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3389 | EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3390 | |
3391 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3392 | } |
3393 | |
3394 | TEST_P(MaxOperationsTest, TestAbort) { |
3395 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3396 | .AesEncryptionKey(128) |
3397 | .EcbMode() |
3398 | .Authorization(TAG_PADDING, KM_PAD_NONE) |
3399 | .Authorization(TAG_MAX_USES_PER_BOOT, 3))); |
3400 | |
3401 | string message = "1234567890123456"; |
3402 | string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3403 | string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3404 | string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3405 | |
3406 | // Fourth time should fail. |
3407 | AuthorizationSet begin_params(client_params()); |
3408 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
3409 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3410 | EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3411 | |
3412 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3413 | } |
3414 | #endif |
3415 | typedef Keymaster2Test AddEntropyTest; |
3416 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); |
3417 | #if ENTROPY_TEST |
3418 | TEST_P(AddEntropyTest, AddEntropy) { |
3419 | // There's no obvious way to test that entropy is actually added, but we can test that the API |
3420 | // doesn't blow up or return an error. |
3421 | EXPECT_EQ(KM_ERROR_OK, |
3422 | device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); |
3423 | |
3424 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3425 | } |
3426 | #endif |
3427 | typedef Keymaster2Test Keymaster0AdapterTest; |
3428 | #if 0 |
3429 | INSTANTIATE_TEST_CASE_P( |
3430 | AndroidKeymasterTest, Keymaster0AdapterTest, |
3431 | ::testing::Values( |
3432 | InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), |
3433 | InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); |
3434 | #endif |
3435 | TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { |
3436 | // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted |
3437 | // key data. |
3438 | string km1_sw = read_file("km1_sw_rsa_512.blob"); |
3439 | EXPECT_EQ(486U, km1_sw.length()); |
3440 | |
3441 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); |
3442 | memcpy(key_data, km1_sw.data(), km1_sw.length()); |
3443 | set_key_blob(key_data, km1_sw.length()); |
3444 | |
3445 | string message(64, 'a'); |
3446 | string signature; |
3447 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3448 | |
3449 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3450 | } |
3451 | |
3452 | TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) { |
3453 | // Load and use an old-style Keymaster1 software key blob, without the version byte. These |
3454 | // blobs contain OCB-encrypted key data. |
3455 | string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob"); |
3456 | EXPECT_EQ(477U, km1_sw.length()); |
3457 | |
3458 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); |
3459 | memcpy(key_data, km1_sw.data(), km1_sw.length()); |
3460 | set_key_blob(key_data, km1_sw.length()); |
3461 | |
3462 | string message(64, 'a'); |
3463 | string signature; |
3464 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3465 | |
3466 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3467 | } |
3468 | |
3469 | TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { |
3470 | // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted |
3471 | // key data. |
3472 | string km1_sw = read_file("km1_sw_ecdsa_256.blob"); |
3473 | EXPECT_EQ(270U, km1_sw.length()); |
3474 | |
3475 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); |
3476 | memcpy(key_data, km1_sw.data(), km1_sw.length()); |
3477 | set_key_blob(key_data, km1_sw.length()); |
3478 | |
3479 | string message(32, static_cast<char>(0xFF)); |
3480 | string signature; |
3481 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3482 | |
3483 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3484 | } |
3485 | |
3486 | struct Malloc_Delete { |
3487 | void operator()(void* p) { free(p); } |
3488 | }; |
3489 | |
3490 | TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { |
3491 | // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. |
3492 | string km0_sw = read_file("km0_sw_rsa_512.blob"); |
3493 | EXPECT_EQ(333U, km0_sw.length()); |
3494 | |
3495 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); |
3496 | memcpy(key_data, km0_sw.data(), km0_sw.length()); |
3497 | set_key_blob(key_data, km0_sw.length()); |
3498 | |
3499 | string message(64, 'a'); |
3500 | string signature; |
3501 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3502 | |
3503 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3504 | } |
3505 | |
3506 | TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { |
3507 | // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. |
3508 | string km0_sw = read_file("km0_sw_rsa_512.blob"); |
3509 | EXPECT_EQ(333U, km0_sw.length()); |
3510 | |
3511 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); |
3512 | memcpy(key_data, km0_sw.data(), km0_sw.length()); |
3513 | set_key_blob(key_data, km0_sw.length()); |
3514 | |
3515 | EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); |
3516 | EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
3517 | EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); |
3518 | EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); |
3519 | EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); |
3520 | EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); |
3521 | EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); |
3522 | EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); |
3523 | EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); |
3524 | EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); |
3525 | |
3526 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3527 | } |
3528 | |
3529 | TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { |
3530 | // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. |
3531 | string km0_sw = read_file("km0_sw_rsa_512.blob"); |
3532 | EXPECT_EQ(333U, km0_sw.length()); |
3533 | |
3534 | // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not |
3535 | // be recognized as a software key. Do the same here to pretend this is a hardware key. |
3536 | EXPECT_EQ('P', km0_sw[0]); |
3537 | km0_sw[0] = 'Q'; |
3538 | |
3539 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); |
3540 | memcpy(key_data, km0_sw.data(), km0_sw.length()); |
3541 | set_key_blob(key_data, km0_sw.length()); |
3542 | |
3543 | string message(64, 'a'); |
3544 | string signature; |
3545 | SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3546 | VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); |
3547 | |
3548 | EXPECT_EQ(5, GetParam()->keymaster0_calls()); |
3549 | } |
3550 | |
3551 | TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { |
3552 | // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. |
3553 | string km0_sw = read_file("km0_sw_rsa_512.blob"); |
3554 | EXPECT_EQ(333U, km0_sw.length()); |
3555 | |
3556 | // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not |
3557 | // be recognized as a software key. Do the same here to pretend this is a hardware key. |
3558 | EXPECT_EQ('P', km0_sw[0]); |
3559 | km0_sw[0] = 'Q'; |
3560 | |
3561 | uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); |
3562 | memcpy(key_data, km0_sw.data(), km0_sw.length()); |
3563 | set_key_blob(key_data, km0_sw.length()); |
3564 | |
3565 | EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); |
3566 | EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
3567 | EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); |
3568 | EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); |
3569 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); |
3570 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5)); |
3571 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1)); |
3572 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224)); |
3573 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256)); |
3574 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384)); |
3575 | EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512)); |
3576 | EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); |
3577 | EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT)); |
3578 | EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN)); |
3579 | EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP)); |
3580 | EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS)); |
3581 | EXPECT_EQ(15U, hw_enforced().size()); |
3582 | |
3583 | EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); |
3584 | EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); |
3585 | EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); |
3586 | EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); |
3587 | |
3588 | EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); |
3589 | EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); |
3590 | EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); |
3591 | EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); |
3592 | EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); |
3593 | |
3594 | EXPECT_EQ(1, GetParam()->keymaster0_calls()); |
3595 | } |
3596 | |
3597 | typedef Keymaster2Test AttestationTest; |
3598 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params); |
3599 | |
3600 | #if ATTESTATIONTEST |
3601 | static X509* parse_cert_blob(const keymaster_blob_t& blob) { |
3602 | const uint8_t* p = blob.data; |
3603 | return d2i_X509(nullptr, &p, blob.data_length); |
3604 | } |
3605 | |
3606 | static bool verify_chain(const keymaster_cert_chain_t& chain) { |
3607 | for (size_t i = 0; i < chain.entry_count - 1; ++i) { |
3608 | keymaster_blob_t& key_cert_blob = chain.entries[i]; |
3609 | keymaster_blob_t& signing_cert_blob = chain.entries[i + 1]; |
3610 | |
3611 | X509_Ptr key_cert(parse_cert_blob(key_cert_blob)); |
3612 | X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob)); |
3613 | EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get()); |
3614 | if (!key_cert.get() || !signing_cert.get()) |
3615 | return false; |
3616 | |
3617 | EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get())); |
3618 | EXPECT_TRUE(!!signing_pubkey.get()); |
3619 | if (!signing_pubkey.get()) |
3620 | return false; |
3621 | |
3622 | EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get())) |
3623 | << "Verification of certificate " << i << " failed"; |
3624 | } |
3625 | |
3626 | return true; |
3627 | } |
3628 | |
3629 | // Extract attestation record from cert. Returned object is still part of cert; don't free it |
3630 | // separately. |
3631 | static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) { |
3632 | ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */)); |
3633 | EXPECT_TRUE(!!oid.get()); |
3634 | if (!oid.get()) |
3635 | return nullptr; |
3636 | |
3637 | int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */); |
3638 | EXPECT_NE(-1, location); |
3639 | if (location == -1) |
3640 | return nullptr; |
3641 | |
3642 | X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location); |
3643 | EXPECT_TRUE(!!attest_rec_ext); |
3644 | if (!attest_rec_ext) |
3645 | return nullptr; |
3646 | |
3647 | ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext); |
3648 | EXPECT_TRUE(!!attest_rec); |
3649 | return attest_rec; |
3650 | } |
3651 | |
3652 | static bool verify_attestation_record(const string& challenge, |
3653 | AuthorizationSet expected_sw_enforced, |
3654 | AuthorizationSet expected_tee_enforced, |
3655 | uint32_t expected_keymaster_version, |
3656 | keymaster_security_level_t expected_keymaster_security_level, |
3657 | const keymaster_blob_t& attestation_cert) { |
3658 | |
3659 | X509_Ptr cert(parse_cert_blob(attestation_cert)); |
3660 | EXPECT_TRUE(!!cert.get()); |
3661 | if (!cert.get()) |
3662 | return false; |
3663 | |
3664 | ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); |
3665 | EXPECT_TRUE(!!attest_rec); |
3666 | if (!attest_rec) |
3667 | return false; |
3668 | |
3669 | AuthorizationSet att_sw_enforced; |
3670 | AuthorizationSet att_tee_enforced; |
3671 | uint32_t att_attestation_version; |
3672 | uint32_t att_keymaster_version; |
3673 | keymaster_security_level_t att_attestation_security_level; |
3674 | keymaster_security_level_t att_keymaster_security_level; |
3675 | keymaster_blob_t att_challenge = {}; |
3676 | keymaster_blob_t att_unique_id = {}; |
3677 | |
3678 | EXPECT_EQ(KM_ERROR_OK, parse_attestation_record( |
3679 | attest_rec->data, attest_rec->length, &att_attestation_version, |
3680 | &att_attestation_security_level, &att_keymaster_version, |
3681 | &att_keymaster_security_level, &att_challenge, &att_sw_enforced, |
3682 | &att_tee_enforced, &att_unique_id)); |
3683 | |
3684 | EXPECT_EQ(1U, att_attestation_version); |
3685 | EXPECT_EQ(KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT, att_attestation_security_level); |
3686 | EXPECT_EQ(expected_keymaster_version, att_keymaster_version); |
3687 | EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level); |
3688 | |
3689 | EXPECT_EQ(challenge.length(), att_challenge.data_length); |
3690 | EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length())); |
3691 | |
3692 | // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in |
3693 | // attestations, since they're meaningless off-device. |
3694 | uint32_t user_id; |
3695 | if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id)) |
3696 | att_sw_enforced.push_back(TAG_USER_ID, user_id); |
3697 | if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id)) |
3698 | att_tee_enforced.push_back(TAG_USER_ID, user_id); |
3699 | |
3700 | // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included |
3701 | // in the attestation. |
3702 | if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) |
3703 | att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID); |
3704 | if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) |
3705 | att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID); |
3706 | |
3707 | att_sw_enforced.Sort(); |
3708 | expected_sw_enforced.Sort(); |
3709 | EXPECT_EQ(expected_sw_enforced, att_sw_enforced); |
3710 | |
3711 | att_tee_enforced.Sort(); |
3712 | expected_tee_enforced.Sort(); |
3713 | EXPECT_EQ(expected_tee_enforced, att_tee_enforced); |
3714 | |
3715 | return true; |
3716 | } |
3717 | #endif |
3718 | #if ATTESTATIONTEST |
3719 | TEST_P(AttestationTest, RsaAttestation) { |
3720 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3721 | .RsaSigningKey(256, 3) |
3722 | .Digest(KM_DIGEST_NONE) |
3723 | .Padding(KM_PAD_NONE) |
3724 | .Authorization(TAG_INCLUDE_UNIQUE_ID))); |
3725 | |
3726 | keymaster_cert_chain_t cert_chain; |
3727 | EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain)); |
3728 | EXPECT_EQ(3U, cert_chain.entry_count); |
3729 | EXPECT_TRUE(verify_chain(cert_chain)); |
3730 | |
3731 | uint32_t expected_keymaster_version; |
3732 | keymaster_security_level_t expected_keymaster_security_level; |
3733 | expected_keymaster_version = 2; |
3734 | expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT; |
3735 | |
3736 | EXPECT_TRUE(verify_attestation_record( |
3737 | "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version, |
3738 | expected_keymaster_security_level, cert_chain.entries[0])); |
3739 | |
3740 | keymaster_free_cert_chain(&cert_chain); |
3741 | } |
3742 | #endif |
3743 | #if ATTESTATIONTEST |
3744 | TEST_P(AttestationTest, EcAttestation) { |
3745 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( |
3746 | KM_DIGEST_SHA_2_256))); |
3747 | |
3748 | uint32_t expected_keymaster_version; |
3749 | keymaster_security_level_t expected_keymaster_security_level; |
3750 | expected_keymaster_version = 2; |
3751 | expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT; |
3752 | |
3753 | keymaster_cert_chain_t cert_chain; |
3754 | EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain)); |
3755 | EXPECT_EQ(3U, cert_chain.entry_count); |
3756 | EXPECT_TRUE(verify_chain(cert_chain)); |
3757 | EXPECT_TRUE(verify_attestation_record( |
3758 | "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version, |
3759 | expected_keymaster_security_level, cert_chain.entries[0])); |
3760 | |
3761 | keymaster_free_cert_chain(&cert_chain); |
3762 | } |
3763 | #endif |
3764 | typedef Keymaster2Test KeyUpgradeTest; |
3765 | INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params); |
3766 | #if KEYUPGRADETEST |
3767 | TEST_P(KeyUpgradeTest, AesVersionUpgrade) { |
3768 | // A workaround for testing TEE based keymaster 2 from normal world |
3769 | keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context(); |
3770 | AuthorizationSet version_info(AuthorizationSetBuilder() |
3771 | .Authorization(TAG_OS_VERSION, 1) |
3772 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3773 | device->configure(device, &version_info); |
3774 | |
3775 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() |
3776 | .AesEncryptionKey(128) |
3777 | .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) |
3778 | .Padding(KM_PAD_NONE))); |
3779 | |
3780 | // Key should operate fine. |
3781 | string message = "1234567890123456"; |
3782 | string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3783 | EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE)); |
3784 | |
3785 | // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. |
3786 | AuthorizationSet version_info_1_2(AuthorizationSetBuilder() |
3787 | .Authorization(TAG_OS_VERSION, 1) |
3788 | .Authorization(TAG_OS_PATCHLEVEL, 2)); |
3789 | device->configure(device, &version_info_1_2); |
3790 | AuthorizationSet begin_params(client_params()); |
3791 | begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); |
3792 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3793 | if (GetParam()->is_keymaster1_hw()) { |
3794 | // Keymaster1 hardware can't support version binding. The key will work regardless |
3795 | // of system version. Just abort the remainder of the test. |
3796 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3797 | EXPECT_EQ(KM_ERROR_OK, AbortOperation()); |
3798 | return; |
3799 | } |
3800 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3801 | |
3802 | // Getting characteristics should also fail |
3803 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); |
3804 | |
3805 | // Upgrade key. |
3806 | EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); |
3807 | |
3808 | // Key should work again |
3809 | ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); |
3810 | EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE)); |
3811 | |
3812 | // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. |
3813 | AuthorizationSet version_info_1_1(AuthorizationSetBuilder() |
3814 | .Authorization(TAG_OS_VERSION, 1) |
3815 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3816 | device->configure(device, &version_info_1_1); |
3817 | |
3818 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3819 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); |
3820 | |
3821 | // Upgrade should fail |
3822 | EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); |
3823 | |
3824 | EXPECT_EQ(0, GetParam()->keymaster0_calls()); |
3825 | } |
3826 | #endif |
3827 | #if 0//KEYUPGRADETEST |
3828 | //this test is no longer valid because boring ssl rejects rsa keys less than 256 bits |
3829 | TEST_P(KeyUpgradeTest, RsaVersionUpgrade) { |
3830 | keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context(); |
3831 | AuthorizationSet version_info(AuthorizationSetBuilder() |
3832 | .Authorization(TAG_OS_VERSION, 1) |
3833 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3834 | device->configure(device, &version_info); |
3835 | |
3836 | ASSERT_EQ(KM_ERROR_OK, |
3837 | GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(128, 3).Padding(KM_PAD_NONE))); |
3838 | |
3839 | // Key should operate fine. |
3840 | string message = "1234567890123456"; |
3841 | string ciphertext = EncryptMessage(message, KM_PAD_NONE); |
3842 | EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE)); |
3843 | |
3844 | // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. |
3845 | AuthorizationSet version_info_1_2(AuthorizationSetBuilder() |
3846 | .Authorization(TAG_OS_VERSION, 1) |
3847 | .Authorization(TAG_OS_PATCHLEVEL, 2)); |
3848 | device->configure(device, &version_info_1_2); |
3849 | AuthorizationSet begin_params(client_params()); |
3850 | begin_params.push_back(TAG_PADDING, KM_PAD_NONE); |
3851 | if (GetParam()->is_keymaster1_hw()) { |
3852 | // Keymaster1 hardware can't support version binding. The key will work regardless |
3853 | // of system version. Just abort the remainder of the test. |
3854 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3855 | EXPECT_EQ(KM_ERROR_OK, AbortOperation()); |
3856 | return; |
3857 | } |
3858 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3859 | |
3860 | // Getting characteristics should also fail |
3861 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); |
3862 | |
3863 | // Upgrade key. |
3864 | EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); |
3865 | |
3866 | // Key should work again |
3867 | ciphertext = EncryptMessage(message, KM_PAD_NONE); |
3868 | EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE)); |
3869 | |
3870 | // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. |
3871 | AuthorizationSet version_info_1_1(AuthorizationSetBuilder() |
3872 | .Authorization(TAG_OS_VERSION, 1) |
3873 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3874 | device->configure(device, &version_info_1_1); |
3875 | |
3876 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3877 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); |
3878 | |
3879 | // Upgrade should fail |
3880 | EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); |
3881 | |
3882 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) |
3883 | EXPECT_EQ(7, GetParam()->keymaster0_calls()); |
3884 | } |
3885 | #endif |
3886 | #if KEYUPGRADETEST |
3887 | TEST_P(KeyUpgradeTest, EcVersionUpgrade) { |
3888 | keymaster2_device_t* device = (keymaster2_device_t* )GetParam()->keymaster_context(); |
3889 | AuthorizationSet version_info(AuthorizationSetBuilder() |
3890 | .Authorization(TAG_OS_VERSION, 1) |
3891 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3892 | device->configure(device, &version_info); |
3893 | |
3894 | ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( |
3895 | KM_DIGEST_SHA_2_256))); |
3896 | |
3897 | // Key should operate fine. |
3898 | string message = "1234567890123456"; |
3899 | string signature; |
3900 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256); |
3901 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); |
3902 | |
3903 | // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. |
3904 | AuthorizationSet version_info_1_2(AuthorizationSetBuilder() |
3905 | .Authorization(TAG_OS_VERSION, 1) |
3906 | .Authorization(TAG_OS_PATCHLEVEL, 2)); |
3907 | device->configure(device, &version_info_1_2); |
3908 | |
3909 | AuthorizationSet begin_params(client_params()); |
3910 | begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); |
3911 | if (GetParam()->is_keymaster1_hw()) { |
3912 | // Keymaster1 hardware can't support version binding. The key will work regardless |
3913 | // of system version. Just abort the remainder of the test. |
3914 | EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
3915 | EXPECT_EQ(KM_ERROR_OK, AbortOperation()); |
3916 | return; |
3917 | } |
3918 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); |
3919 | |
3920 | // Getting characteristics should also fail |
3921 | EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); |
3922 | |
3923 | // Upgrade key. |
3924 | EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); |
3925 | |
3926 | // Key should work again |
3927 | SignMessage(message, &signature, KM_DIGEST_SHA_2_256); |
3928 | VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); |
3929 | |
3930 | // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. |
3931 | AuthorizationSet version_info_1_1(AuthorizationSetBuilder() |
3932 | .Authorization(TAG_OS_VERSION, 1) |
3933 | .Authorization(TAG_OS_PATCHLEVEL, 1)); |
3934 | device->configure(device, &version_info_1_1); |
3935 | |
3936 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); |
3937 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); |
3938 | |
3939 | // Upgrade should fail |
3940 | EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); |
3941 | |
3942 | if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) |
3943 | EXPECT_EQ(7, GetParam()->keymaster0_calls()); |
3944 | } |
3945 | #endif |
3946 | #if 0 |
3947 | TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) { |
3948 | // Make a good fake device, and wrap it. |
3949 | SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext)); |
3950 | |
3951 | // Wrap it and check it. |
3952 | SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext)); |
3953 | good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device()); |
3954 | EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood()); |
3955 | |
3956 | // Close and clean up wrapper and wrapped |
3957 | good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device()); |
3958 | |
3959 | // Make a "bad" (doesn't support all digests) device; |
3960 | keymaster1_device_t* sha256_only_fake = make_device_sha256_only( |
3961 | (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device()); |
3962 | |
3963 | // Wrap it and check it. |
3964 | SoftKeymasterDevice* sha256_only_fake_wrapper( |
3965 | (new SoftKeymasterDevice(new TestKeymasterContext))); |
3966 | sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake); |
3967 | EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood()); |
3968 | |
3969 | // Close and clean up wrapper and wrapped |
3970 | sha256_only_fake_wrapper->keymaster_device()->common.close( |
3971 | sha256_only_fake_wrapper->hw_device()); |
3972 | } |
3973 | #endif |
3974 | |
3975 | } // namespace test |
3976 | } // namespace keymaster |
3977 |