summaryrefslogtreecommitdiff
path: root/unit_test/keymaster_enforcement_test.cpp (plain)
blob: 3874744f188d853d66d110213705266eaa120cc9
1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <errno.h>
18#include <stdio.h>
19#include <time.h>
20
21#include <keymaster/android_keymaster.h>
22#include <keymaster/authorization_set.h>
23#include <keymaster/keymaster_enforcement.h>
24
25#include "android_keymaster_test_utils.h"
26
27namespace keymaster {
28namespace test {
29
30class TestKeymasterEnforcement : public KeymasterEnforcement {
31 public:
32 TestKeymasterEnforcement()
33 : KeymasterEnforcement(3, 3), current_time_(10000), report_token_valid_(true) {}
34
35 keymaster_error_t AuthorizeOperation(const keymaster_purpose_t purpose, const km_id_t keyid,
36 const AuthorizationSet& auth_set) {
37 AuthorizationSet empty_set;
38 return KeymasterEnforcement::AuthorizeOperation(
39 purpose, keyid, auth_set, empty_set, 0 /* op_handle */, true /* is_begin_operation */);
40 }
41 using KeymasterEnforcement::AuthorizeOperation;
42
43 uint32_t get_current_time() const override { return current_time_; }
44 bool activation_date_valid(uint64_t activation_date) const override {
45 // Convert java date to time_t, non-portably.
46 time_t activation_time = activation_date / 1000;
47 return difftime(time(NULL), activation_time) >= 0;
48 }
49 bool expiration_date_passed(uint64_t expiration_date) const override {
50 // Convert jave date to time_t, non-portably.
51 time_t expiration_time = expiration_date / 1000;
52 return difftime(time(NULL), expiration_time) > 0;
53 }
54 bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const {
55 return current_time_ > ntoh(token.timestamp) + timeout;
56 }
57 bool ValidateTokenSignature(const hw_auth_token_t&) const override {
58 return report_token_valid_;
59 }
60
61 void tick(unsigned seconds = 1) { current_time_ += seconds; }
62 uint32_t current_time() { return current_time_; }
63 void set_report_token_valid(bool report_token_valid) {
64 report_token_valid_ = report_token_valid;
65 }
66
67 private:
68 uint32_t current_time_;
69 bool report_token_valid_;
70};
71
72class KeymasterBaseTest : public ::testing::Test {
73 protected:
74 KeymasterBaseTest() {
75 past_time = 0;
76
77 time_t t = time(NULL);
78 future_tm = localtime(&t);
79 future_tm->tm_year += 1;
80 future_time = static_cast<uint64_t>(mktime(future_tm)) * 1000;
81 sign_param = Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN);
82 }
83 virtual ~KeymasterBaseTest() {}
84
85 TestKeymasterEnforcement kmen;
86
87 tm past_tm;
88 tm* future_tm;
89 uint64_t past_time;
90 uint64_t future_time;
91 static const km_id_t key_id = 0xa;
92 static const uid_t uid = 0xf;
93 keymaster_key_param_t sign_param;
94};
95
96TEST_F(KeymasterBaseTest, TestValidKeyPeriodNoTags) {
97 keymaster_key_param_t params[] = {
98 sign_param,
99 };
100 AuthorizationSet single_auth_set(params, array_length(params));
101
102 keymaster_error_t kmer = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, single_auth_set);
103 ASSERT_EQ(KM_ERROR_OK, kmer);
104}
105
106TEST_F(KeymasterBaseTest, TestInvalidActiveTime) {
107 keymaster_key_param_t params[] = {
108 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
109 Authorization(TAG_NO_AUTH_REQUIRED), Authorization(TAG_ACTIVE_DATETIME, future_time),
110 };
111
112 AuthorizationSet auth_set(params, array_length(params));
113
114 ASSERT_EQ(KM_ERROR_KEY_NOT_YET_VALID,
115 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
116
117 // Pubkey ops allowed.
118 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
119}
120
121TEST_F(KeymasterBaseTest, TestValidActiveTime) {
122 keymaster_key_param_t params[] = {
123 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ACTIVE_DATETIME, past_time),
124 };
125
126 AuthorizationSet auth_set(params, array_length(params));
127
128 keymaster_error_t kmer_valid_time = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
129 ASSERT_EQ(KM_ERROR_OK, kmer_valid_time);
130}
131
132TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTime) {
133 keymaster_key_param_t params[] = {
134 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
135 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time),
136 };
137
138 AuthorizationSet auth_set(params, array_length(params));
139
140 ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
141
142 // Pubkey ops allowed.
143 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
144}
145
146TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTimeOnUsgae) {
147 keymaster_key_param_t params[] = {
148 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
149 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time),
150 };
151
152 AuthorizationSet auth_set(params, array_length(params));
153
154 keymaster_error_t kmer_invalid_origination =
155 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set);
156 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination);
157}
158
159TEST_F(KeymasterBaseTest, TestValidOriginationExpireTime) {
160 keymaster_key_param_t params[] = {
161 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
162 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, future_time),
163 };
164
165 AuthorizationSet auth_set(params, array_length(params));
166
167 keymaster_error_t kmer_valid_origination =
168 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
169 ASSERT_EQ(KM_ERROR_OK, kmer_valid_origination);
170}
171
172TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTime) {
173 keymaster_key_param_t params[] = {
174 Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES),
175 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
176 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time),
177 };
178
179 AuthorizationSet auth_set(params, array_length(params));
180
181 keymaster_error_t kmer_invalid_origination =
182 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set);
183 ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmer_invalid_origination);
184}
185
186TEST_F(KeymasterBaseTest, TestInvalidPubkeyUsageExpireTime) {
187 keymaster_key_param_t params[] = {
188 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
189 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
190 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time),
191 };
192
193 AuthorizationSet auth_set(params, array_length(params));
194
195 keymaster_error_t kmer_invalid_origination =
196 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set);
197 // Pubkey ops allowed.
198 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination);
199}
200
201TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTimeOnOrigination) {
202 keymaster_key_param_t params[] = {
203 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
204 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time),
205 };
206
207 AuthorizationSet auth_set(params, array_length(params));
208
209 keymaster_error_t kmer_invalid_origination =
210 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
211 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination);
212}
213
214TEST_F(KeymasterBaseTest, TestValidUsageExpireTime) {
215 keymaster_key_param_t params[] = {
216 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
217 Authorization(TAG_USAGE_EXPIRE_DATETIME, future_time),
218 };
219
220 AuthorizationSet auth_set(params, array_length(params));
221
222 keymaster_error_t kmer_valid_usage =
223 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set);
224 ASSERT_EQ(KM_ERROR_OK, kmer_valid_usage);
225}
226
227TEST_F(KeymasterBaseTest, TestValidSingleUseAccesses) {
228 keymaster_key_param_t params[] = {
229 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
230 };
231
232 AuthorizationSet auth_set(params, array_length(params));
233
234 keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
235 keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
236
237 ASSERT_EQ(KM_ERROR_OK, kmer1);
238 ASSERT_EQ(KM_ERROR_OK, kmer2);
239}
240
241TEST_F(KeymasterBaseTest, TestInvalidMaxOps) {
242 keymaster_key_param_t params[] = {
243 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
244 Authorization(TAG_MAX_USES_PER_BOOT, 4),
245 };
246
247 AuthorizationSet auth_set(params, array_length(params));
248
249 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
250 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
251 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
252 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
253 ASSERT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED,
254 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
255 // Pubkey ops allowed.
256 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
257}
258
259TEST_F(KeymasterBaseTest, TestOverFlowMaxOpsTable) {
260 keymaster_key_param_t params[] = {
261 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
262 Authorization(TAG_MAX_USES_PER_BOOT, 2),
263 };
264
265 AuthorizationSet auth_set(params, array_length(params));
266
267 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set));
268
269 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 2 /* key_id */, auth_set));
270
271 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 3 /* key_id */, auth_set));
272
273 // Key 4 should fail, because table is full.
274 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS,
275 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set));
276
277 // Key 1 still works, because it's already in the table and hasn't reached max.
278 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set));
279
280 // Key 1 no longer works, because it's reached max.
281 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED,
282 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set));
283
284 // Key 4 should fail, because table is (still and forever) full.
285 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS,
286 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set));
287
288 // Pubkey ops allowed.
289 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
290 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set));
291}
292
293TEST_F(KeymasterBaseTest, TestInvalidTimeBetweenOps) {
294 keymaster_key_param_t params[] = {
295 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
296 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 10),
297 };
298
299 AuthorizationSet auth_set(params, array_length(params));
300
301 keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
302 keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set);
303 keymaster_error_t kmer3 = kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set);
304
305 ASSERT_EQ(KM_ERROR_OK, kmer1);
306 kmen.tick(2);
307 ASSERT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, kmer2);
308
309 // Allowed because it's a pubkey op.
310 ASSERT_EQ(KM_ERROR_OK, kmer3);
311}
312
313TEST_F(KeymasterBaseTest, TestValidTimeBetweenOps) {
314 keymaster_key_param_t params[] = {
315 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
316 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 2),
317 };
318
319 AuthorizationSet auth_set(params, array_length(params));
320
321 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
322 kmen.tick();
323 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
324 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
325 kmen.tick();
326 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
327}
328
329TEST_F(KeymasterBaseTest, TestOptTimeoutTableOverflow) {
330 keymaster_key_param_t params[] = {
331 Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES),
332 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4),
333 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY),
334 };
335
336 AuthorizationSet auth_set(params, array_length(params));
337
338 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
339
340 kmen.tick();
341
342 // Key 1 fails because it's too soon
343 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
344 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
345
346 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
347
348 kmen.tick();
349
350 // Key 1 fails because it's too soon
351 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
352 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
353 // Key 2 fails because it's too soon
354 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
355 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
356
357 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set));
358
359 kmen.tick();
360
361 // Key 1 fails because it's too soon
362 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
363 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
364 // Key 2 fails because it's too soon
365 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
366 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
367 // Key 3 fails because it's too soon
368 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
369 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set));
370 // Key 4 fails because the table is full
371 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS,
372 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set));
373
374 kmen.tick();
375
376 // Key 4 succeeds because key 1 expired.
377 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set));
378
379 // Key 1 fails because the table is full... and key 1 is no longer in it.
380 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS,
381 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
382 // Key 2 fails because it's too soon
383 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
384 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
385 // Key 3 fails because it's too soon
386 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
387 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set));
388
389 kmen.tick();
390
391 // Key 1 succeeds because key 2 expired
392 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
393 // Key 2 fails because the table is full... and key 2 is no longer in it.
394 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS,
395 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
396 // Key 3 fails because it's too soon
397 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
398 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set));
399 // Key 4 fails because it's too soon
400 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
401 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set));
402
403 kmen.tick(4);
404
405 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
406 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set));
407 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set));
408}
409
410TEST_F(KeymasterBaseTest, TestPubkeyOptTimeoutTableOverflow) {
411 keymaster_key_param_t params[] = {
412 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA),
413 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN),
414 };
415
416 AuthorizationSet auth_set(params, array_length(params));
417
418 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set));
419
420 kmen.tick();
421
422 // Key 1 fails because it's too soon
423 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED,
424 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set));
425 // Too soo, but pubkey ops allowed.
426 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set));
427}
428
429TEST_F(KeymasterBaseTest, TestInvalidPurpose) {
430 keymaster_purpose_t invalidPurpose1 = static_cast<keymaster_purpose_t>(-1);
431 keymaster_purpose_t invalidPurpose2 = static_cast<keymaster_purpose_t>(4);
432
433 AuthorizationSet auth_set(
434 AuthorizationSetBuilder().Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY));
435
436 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE,
437 kmen.AuthorizeOperation(invalidPurpose1, key_id, auth_set));
438 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE,
439 kmen.AuthorizeOperation(invalidPurpose2, key_id, auth_set));
440}
441
442TEST_F(KeymasterBaseTest, TestIncompatiblePurposeSymmetricKey) {
443 AuthorizationSet auth_set(AuthorizationSetBuilder()
444 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES)
445 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
446 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
447
448 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
449 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
450
451 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE,
452 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set));
453 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE,
454 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set));
455}
456
457TEST_F(KeymasterBaseTest, TestIncompatiblePurposeAssymmetricKey) {
458 AuthorizationSet auth_set(AuthorizationSetBuilder()
459 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
460 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)
461 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
462
463 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
464 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
465
466 // This one is allowed because it's a pubkey op.
467 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set));
468 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE,
469 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set));
470}
471
472TEST_F(KeymasterBaseTest, TestInvalidCallerNonce) {
473 AuthorizationSet no_caller_nonce(AuthorizationSetBuilder()
474 .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT)
475 .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT)
476 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES));
477 AuthorizationSet caller_nonce(AuthorizationSetBuilder()
478 .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT)
479 .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT)
480 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_HMAC)
481 .Authorization(TAG_CALLER_NONCE));
482 AuthorizationSet begin_params(AuthorizationSetBuilder().Authorization(TAG_NONCE, "foo", 3));
483
484 EXPECT_EQ(KM_ERROR_OK,
485 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, caller_nonce, begin_params,
486 0 /* challenge */, true /* is_begin_operation */));
487 EXPECT_EQ(KM_ERROR_OK,
488 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, caller_nonce, begin_params,
489 0 /* challenge */, true /* is_begin_operation */));
490 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
491 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, no_caller_nonce, begin_params,
492 0 /* challenge */, true /* is_begin_operation */));
493 EXPECT_EQ(KM_ERROR_OK,
494 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, no_caller_nonce, begin_params,
495 0 /* challenge */, true /* is_begin_operation */));
496}
497
498TEST_F(KeymasterBaseTest, TestBootloaderOnly) {
499 AuthorizationSet auth_set(AuthorizationSetBuilder()
500 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
501 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
502 .Authorization(TAG_BOOTLOADER_ONLY));
503 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
504 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
505
506 // Pubkey ops allowed.
507 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set));
508}
509
510TEST_F(KeymasterBaseTest, TestInvalidTag) {
511 AuthorizationSet auth_set(AuthorizationSetBuilder()
512 .Authorization(TAG_INVALID)
513 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
514
515 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
516 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
517}
518
519TEST_F(KeymasterBaseTest, TestAuthPerOpSuccess) {
520 hw_auth_token_t token;
521 memset(&token, 0, sizeof(token));
522 token.version = HW_AUTH_TOKEN_VERSION;
523 token.challenge = 99;
524 token.user_id = 9;
525 token.authenticator_id = 0;
526 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
527 token.timestamp = 0;
528
529 AuthorizationSet auth_set(AuthorizationSetBuilder()
530 .Authorization(TAG_USER_SECURE_ID, token.user_id)
531 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
532 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
533
534 AuthorizationSet op_params;
535 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
536
537 EXPECT_EQ(KM_ERROR_OK,
538 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
539 false /* is_begin_operation */));
540}
541
542TEST_F(KeymasterBaseTest, TestAuthPerOpInvalidTokenSignature) {
543 hw_auth_token_t token;
544 memset(&token, 0, sizeof(token));
545 token.version = HW_AUTH_TOKEN_VERSION;
546 token.challenge = 99;
547 token.user_id = 9;
548 token.authenticator_id = 0;
549 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
550 token.timestamp = 0;
551
552 AuthorizationSet auth_set(AuthorizationSetBuilder()
553 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
554 .Authorization(TAG_USER_SECURE_ID, token.user_id)
555 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
556 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
557
558 AuthorizationSet op_params;
559 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
560
561 kmen.set_report_token_valid(false);
562 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
563 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
564 false /* is_begin_operation */));
565 // Pubkey ops allowed.
566 EXPECT_EQ(KM_ERROR_OK,
567 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
568 token.challenge, false /* is_begin_operation */));
569}
570
571TEST_F(KeymasterBaseTest, TestAuthPerOpWrongChallenge) {
572 hw_auth_token_t token;
573 memset(&token, 0, sizeof(token));
574 token.version = HW_AUTH_TOKEN_VERSION;
575 token.challenge = 99;
576 token.user_id = 9;
577 token.authenticator_id = 0;
578 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
579 token.timestamp = 0;
580
581 AuthorizationSet auth_set(AuthorizationSetBuilder()
582 .Authorization(TAG_USER_SECURE_ID, token.user_id)
583 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
584 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
585
586 AuthorizationSet op_params;
587 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
588
589 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
590 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
591 token.challenge + 1 /* doesn't match token */,
592 false /* is_begin_operation */));
593}
594
595TEST_F(KeymasterBaseTest, TestAuthPerOpNoAuthType) {
596 hw_auth_token_t token;
597 memset(&token, 0, sizeof(token));
598 token.version = HW_AUTH_TOKEN_VERSION;
599 token.challenge = 99;
600 token.user_id = 9;
601 token.authenticator_id = 0;
602 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
603 token.timestamp = 0;
604
605 AuthorizationSet auth_set(AuthorizationSetBuilder()
606 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
607 .Authorization(TAG_USER_SECURE_ID, token.user_id)
608 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
609
610 AuthorizationSet op_params;
611 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
612
613 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
614 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
615 false /* is_begin_operation */));
616 // Pubkey ops allowed.
617 EXPECT_EQ(KM_ERROR_OK,
618 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
619 token.challenge, false /* is_begin_operation */));
620}
621
622TEST_F(KeymasterBaseTest, TestAuthPerOpWrongAuthType) {
623 hw_auth_token_t token;
624 memset(&token, 0, sizeof(token));
625 token.version = HW_AUTH_TOKEN_VERSION;
626 token.challenge = 99;
627 token.user_id = 9;
628 token.authenticator_id = 0;
629 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
630 token.timestamp = 0;
631
632 AuthorizationSet auth_set(
633 AuthorizationSetBuilder()
634 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
635 .Authorization(TAG_USER_SECURE_ID, token.user_id)
636 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_FINGERPRINT /* doesn't match token */)
637 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
638
639 AuthorizationSet op_params;
640 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
641
642 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
643 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
644 false /* is_begin_operation */));
645 // Pubkey ops allowed.
646 EXPECT_EQ(KM_ERROR_OK,
647 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
648 token.challenge, false /* is_begin_operation */));
649}
650
651TEST_F(KeymasterBaseTest, TestAuthPerOpWrongSid) {
652 hw_auth_token_t token;
653 memset(&token, 0, sizeof(token));
654 token.version = HW_AUTH_TOKEN_VERSION;
655 token.challenge = 99;
656 token.user_id = 9;
657 token.authenticator_id = 0;
658 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
659 token.timestamp = 0;
660
661 AuthorizationSet auth_set(
662 AuthorizationSetBuilder()
663 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
664 .Authorization(TAG_USER_SECURE_ID, token.user_id + 1 /* doesn't match token */)
665 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
666 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
667
668 AuthorizationSet op_params;
669 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
670
671 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
672 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
673 false /* is_begin_operation */));
674 // Pubkey op allowed.
675 EXPECT_EQ(KM_ERROR_OK,
676 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
677 token.challenge, false /* is_begin_operation */));
678}
679
680TEST_F(KeymasterBaseTest, TestAuthPerOpSuccessAlternateSid) {
681 hw_auth_token_t token;
682 memset(&token, 0, sizeof(token));
683 token.version = HW_AUTH_TOKEN_VERSION;
684 token.challenge = 99;
685 token.user_id = 9;
686 token.authenticator_id = 10;
687 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
688 token.timestamp = 0;
689
690 AuthorizationSet auth_set(AuthorizationSetBuilder()
691 .Authorization(TAG_USER_SECURE_ID, token.authenticator_id)
692 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
693 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
694
695 AuthorizationSet op_params;
696 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
697
698 EXPECT_EQ(KM_ERROR_OK,
699 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
700 false /* is_begin_operation */));
701}
702
703TEST_F(KeymasterBaseTest, TestAuthPerOpMissingToken) {
704 hw_auth_token_t token;
705 memset(&token, 0, sizeof(token));
706 token.version = HW_AUTH_TOKEN_VERSION;
707 token.challenge = 99;
708 token.user_id = 9;
709 token.authenticator_id = 0;
710 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
711 token.timestamp = 0;
712
713 AuthorizationSet auth_set(AuthorizationSetBuilder()
714 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
715 .Authorization(TAG_USER_SECURE_ID, token.user_id)
716 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
717 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
718
719 AuthorizationSet op_params;
720
721 // During begin we can skip the auth token
722 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
723 token.challenge, true /* is_begin_operation */));
724 // Afterwards we must have authentication
725 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
726 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
727 false /* is_begin_operation */));
728 // Pubkey ops allowed
729 EXPECT_EQ(KM_ERROR_OK,
730 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
731 token.challenge, false /* is_begin_operation */));
732
733 auth_set.Reinitialize(AuthorizationSetBuilder()
734 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES)
735 .Authorization(TAG_USER_SECURE_ID, token.user_id)
736 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
737 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)
738 .build());
739
740 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
741 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
742 token.challenge, false /* is_begin_operation */));
743}
744
745TEST_F(KeymasterBaseTest, TestAuthAndNoAuth) {
746 AuthorizationSet auth_set(AuthorizationSetBuilder()
747 .Authorization(TAG_USER_SECURE_ID, 1)
748 .Authorization(TAG_NO_AUTH_REQUIRED)
749 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
750
751 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
752 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set));
753}
754
755TEST_F(KeymasterBaseTest, TestTimedAuthSuccess) {
756 hw_auth_token_t token;
757 memset(&token, 0, sizeof(token));
758 token.version = HW_AUTH_TOKEN_VERSION;
759 token.challenge = 99;
760 token.user_id = 9;
761 token.authenticator_id = 0;
762 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
763 token.timestamp = hton(kmen.current_time());
764
765 AuthorizationSet auth_set(AuthorizationSetBuilder()
766 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
767 .Authorization(TAG_USER_SECURE_ID, token.user_id)
768 .Authorization(TAG_AUTH_TIMEOUT, 1)
769 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
770 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
771
772 AuthorizationSet op_params;
773 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
774
775 EXPECT_EQ(KM_ERROR_OK,
776 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
777 0 /* irrelevant */, false /* is_begin_operation */));
778}
779
780TEST_F(KeymasterBaseTest, TestTimedAuthTimedOut) {
781 hw_auth_token_t token;
782 memset(&token, 0, sizeof(token));
783 token.version = HW_AUTH_TOKEN_VERSION;
784 token.challenge = 99;
785 token.user_id = 9;
786 token.authenticator_id = 0;
787 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
788 token.timestamp = hton(static_cast<uint64_t>(kmen.current_time()));
789
790 AuthorizationSet auth_set(AuthorizationSetBuilder()
791 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
792 .Authorization(TAG_USER_SECURE_ID, token.user_id)
793 .Authorization(TAG_AUTH_TIMEOUT, 1)
794 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
795 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
796
797 AuthorizationSet op_params;
798 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token)));
799
800 EXPECT_EQ(KM_ERROR_OK,
801 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
802 0 /* irrelevant */, false /* is_begin_operation */));
803
804 kmen.tick(1);
805
806 // token still good
807 EXPECT_EQ(KM_ERROR_OK,
808 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
809 0 /* irrelevant */, false /* is_begin_operation */));
810
811 kmen.tick(1);
812
813 // token expired, not allowed during begin.
814 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
815 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
816 0 /* irrelevant */, true /* is_begin_operation */));
817
818 // token expired, afterwards it's okay.
819 EXPECT_EQ(KM_ERROR_OK,
820 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params,
821 0 /* irrelevant */, false /* is_begin_operation */));
822
823 // Pubkey ops allowed.
824 EXPECT_EQ(KM_ERROR_OK,
825 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
826 0 /* irrelevant */, true /* is_begin_operation */));
827}
828
829TEST_F(KeymasterBaseTest, TestTimedAuthMissingToken) {
830 hw_auth_token_t token;
831 memset(&token, 0, sizeof(token));
832 token.version = HW_AUTH_TOKEN_VERSION;
833 token.challenge = 99;
834 token.user_id = 9;
835 token.authenticator_id = 0;
836 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
837 token.timestamp = hton(static_cast<uint64_t>(kmen.current_time()));
838
839 AuthorizationSet auth_set(AuthorizationSetBuilder()
840 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
841 .Authorization(TAG_USER_SECURE_ID, token.user_id)
842 .Authorization(TAG_AUTH_TIMEOUT, 1)
843 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY)
844 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN));
845
846 AuthorizationSet op_params;
847
848 // Unlike auth-per-op, must have the auth token during begin.
849 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED,
850 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
851 true /* is_begin_operation */));
852
853 // Later we don't check (though begin would fail, so there wouldn't be a later).
854 EXPECT_EQ(KM_ERROR_OK,
855 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge,
856 false /* is_begin_operation */));
857
858 // Pubkey ops allowed.
859 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params,
860 token.challenge, true /* is_begin_operation */));
861}
862
863TEST_F(KeymasterBaseTest, TestCreateKeyId) {
864 keymaster_key_blob_t blob = {reinterpret_cast<const uint8_t*>("foobar"), 6};
865
866 km_id_t key_id = 0;
867 EXPECT_TRUE(KeymasterEnforcement::CreateKeyId(blob, &key_id));
868 EXPECT_NE(0U, key_id);
869}
870
871}; /* namespace test */
872}; /* namespace keymaster */
873
generated by cgit at 2024-05-18 10:30:46 (GMT)