blob: 3874744f188d853d66d110213705266eaa120cc9
1 | /* |
2 | * Copyright (C) 2014 The Android Open Source Project |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. |
6 | * You may obtain a copy of the License at |
7 | * |
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
9 | * |
10 | * Unless required by applicable law or agreed to in writing, software |
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | * See the License for the specific language governing permissions and |
14 | * limitations under the License. |
15 | */ |
16 | |
17 | #include <errno.h> |
18 | #include <stdio.h> |
19 | #include <time.h> |
20 | |
21 | #include <keymaster/android_keymaster.h> |
22 | #include <keymaster/authorization_set.h> |
23 | #include <keymaster/keymaster_enforcement.h> |
24 | |
25 | #include "android_keymaster_test_utils.h" |
26 | |
27 | namespace keymaster { |
28 | namespace test { |
29 | |
30 | class TestKeymasterEnforcement : public KeymasterEnforcement { |
31 | public: |
32 | TestKeymasterEnforcement() |
33 | : KeymasterEnforcement(3, 3), current_time_(10000), report_token_valid_(true) {} |
34 | |
35 | keymaster_error_t AuthorizeOperation(const keymaster_purpose_t purpose, const km_id_t keyid, |
36 | const AuthorizationSet& auth_set) { |
37 | AuthorizationSet empty_set; |
38 | return KeymasterEnforcement::AuthorizeOperation( |
39 | purpose, keyid, auth_set, empty_set, 0 /* op_handle */, true /* is_begin_operation */); |
40 | } |
41 | using KeymasterEnforcement::AuthorizeOperation; |
42 | |
43 | uint32_t get_current_time() const override { return current_time_; } |
44 | bool activation_date_valid(uint64_t activation_date) const override { |
45 | // Convert java date to time_t, non-portably. |
46 | time_t activation_time = activation_date / 1000; |
47 | return difftime(time(NULL), activation_time) >= 0; |
48 | } |
49 | bool expiration_date_passed(uint64_t expiration_date) const override { |
50 | // Convert jave date to time_t, non-portably. |
51 | time_t expiration_time = expiration_date / 1000; |
52 | return difftime(time(NULL), expiration_time) > 0; |
53 | } |
54 | bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const { |
55 | return current_time_ > ntoh(token.timestamp) + timeout; |
56 | } |
57 | bool ValidateTokenSignature(const hw_auth_token_t&) const override { |
58 | return report_token_valid_; |
59 | } |
60 | |
61 | void tick(unsigned seconds = 1) { current_time_ += seconds; } |
62 | uint32_t current_time() { return current_time_; } |
63 | void set_report_token_valid(bool report_token_valid) { |
64 | report_token_valid_ = report_token_valid; |
65 | } |
66 | |
67 | private: |
68 | uint32_t current_time_; |
69 | bool report_token_valid_; |
70 | }; |
71 | |
72 | class KeymasterBaseTest : public ::testing::Test { |
73 | protected: |
74 | KeymasterBaseTest() { |
75 | past_time = 0; |
76 | |
77 | time_t t = time(NULL); |
78 | future_tm = localtime(&t); |
79 | future_tm->tm_year += 1; |
80 | future_time = static_cast<uint64_t>(mktime(future_tm)) * 1000; |
81 | sign_param = Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN); |
82 | } |
83 | virtual ~KeymasterBaseTest() {} |
84 | |
85 | TestKeymasterEnforcement kmen; |
86 | |
87 | tm past_tm; |
88 | tm* future_tm; |
89 | uint64_t past_time; |
90 | uint64_t future_time; |
91 | static const km_id_t key_id = 0xa; |
92 | static const uid_t uid = 0xf; |
93 | keymaster_key_param_t sign_param; |
94 | }; |
95 | |
96 | TEST_F(KeymasterBaseTest, TestValidKeyPeriodNoTags) { |
97 | keymaster_key_param_t params[] = { |
98 | sign_param, |
99 | }; |
100 | AuthorizationSet single_auth_set(params, array_length(params)); |
101 | |
102 | keymaster_error_t kmer = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, single_auth_set); |
103 | ASSERT_EQ(KM_ERROR_OK, kmer); |
104 | } |
105 | |
106 | TEST_F(KeymasterBaseTest, TestInvalidActiveTime) { |
107 | keymaster_key_param_t params[] = { |
108 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
109 | Authorization(TAG_NO_AUTH_REQUIRED), Authorization(TAG_ACTIVE_DATETIME, future_time), |
110 | }; |
111 | |
112 | AuthorizationSet auth_set(params, array_length(params)); |
113 | |
114 | ASSERT_EQ(KM_ERROR_KEY_NOT_YET_VALID, |
115 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
116 | |
117 | // Pubkey ops allowed. |
118 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
119 | } |
120 | |
121 | TEST_F(KeymasterBaseTest, TestValidActiveTime) { |
122 | keymaster_key_param_t params[] = { |
123 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ACTIVE_DATETIME, past_time), |
124 | }; |
125 | |
126 | AuthorizationSet auth_set(params, array_length(params)); |
127 | |
128 | keymaster_error_t kmer_valid_time = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
129 | ASSERT_EQ(KM_ERROR_OK, kmer_valid_time); |
130 | } |
131 | |
132 | TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTime) { |
133 | keymaster_key_param_t params[] = { |
134 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
135 | Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time), |
136 | }; |
137 | |
138 | AuthorizationSet auth_set(params, array_length(params)); |
139 | |
140 | ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
141 | |
142 | // Pubkey ops allowed. |
143 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
144 | } |
145 | |
146 | TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTimeOnUsgae) { |
147 | keymaster_key_param_t params[] = { |
148 | Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
149 | Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time), |
150 | }; |
151 | |
152 | AuthorizationSet auth_set(params, array_length(params)); |
153 | |
154 | keymaster_error_t kmer_invalid_origination = |
155 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); |
156 | ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); |
157 | } |
158 | |
159 | TEST_F(KeymasterBaseTest, TestValidOriginationExpireTime) { |
160 | keymaster_key_param_t params[] = { |
161 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
162 | Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, future_time), |
163 | }; |
164 | |
165 | AuthorizationSet auth_set(params, array_length(params)); |
166 | |
167 | keymaster_error_t kmer_valid_origination = |
168 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
169 | ASSERT_EQ(KM_ERROR_OK, kmer_valid_origination); |
170 | } |
171 | |
172 | TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTime) { |
173 | keymaster_key_param_t params[] = { |
174 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), |
175 | Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
176 | Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), |
177 | }; |
178 | |
179 | AuthorizationSet auth_set(params, array_length(params)); |
180 | |
181 | keymaster_error_t kmer_invalid_origination = |
182 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); |
183 | ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmer_invalid_origination); |
184 | } |
185 | |
186 | TEST_F(KeymasterBaseTest, TestInvalidPubkeyUsageExpireTime) { |
187 | keymaster_key_param_t params[] = { |
188 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), |
189 | Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
190 | Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), |
191 | }; |
192 | |
193 | AuthorizationSet auth_set(params, array_length(params)); |
194 | |
195 | keymaster_error_t kmer_invalid_origination = |
196 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); |
197 | // Pubkey ops allowed. |
198 | ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); |
199 | } |
200 | |
201 | TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTimeOnOrigination) { |
202 | keymaster_key_param_t params[] = { |
203 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
204 | Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), |
205 | }; |
206 | |
207 | AuthorizationSet auth_set(params, array_length(params)); |
208 | |
209 | keymaster_error_t kmer_invalid_origination = |
210 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
211 | ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); |
212 | } |
213 | |
214 | TEST_F(KeymasterBaseTest, TestValidUsageExpireTime) { |
215 | keymaster_key_param_t params[] = { |
216 | Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
217 | Authorization(TAG_USAGE_EXPIRE_DATETIME, future_time), |
218 | }; |
219 | |
220 | AuthorizationSet auth_set(params, array_length(params)); |
221 | |
222 | keymaster_error_t kmer_valid_usage = |
223 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); |
224 | ASSERT_EQ(KM_ERROR_OK, kmer_valid_usage); |
225 | } |
226 | |
227 | TEST_F(KeymasterBaseTest, TestValidSingleUseAccesses) { |
228 | keymaster_key_param_t params[] = { |
229 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
230 | }; |
231 | |
232 | AuthorizationSet auth_set(params, array_length(params)); |
233 | |
234 | keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
235 | keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
236 | |
237 | ASSERT_EQ(KM_ERROR_OK, kmer1); |
238 | ASSERT_EQ(KM_ERROR_OK, kmer2); |
239 | } |
240 | |
241 | TEST_F(KeymasterBaseTest, TestInvalidMaxOps) { |
242 | keymaster_key_param_t params[] = { |
243 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), |
244 | Authorization(TAG_MAX_USES_PER_BOOT, 4), |
245 | }; |
246 | |
247 | AuthorizationSet auth_set(params, array_length(params)); |
248 | |
249 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
250 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
251 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
252 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
253 | ASSERT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, |
254 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
255 | // Pubkey ops allowed. |
256 | ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
257 | } |
258 | |
259 | TEST_F(KeymasterBaseTest, TestOverFlowMaxOpsTable) { |
260 | keymaster_key_param_t params[] = { |
261 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
262 | Authorization(TAG_MAX_USES_PER_BOOT, 2), |
263 | }; |
264 | |
265 | AuthorizationSet auth_set(params, array_length(params)); |
266 | |
267 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); |
268 | |
269 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 2 /* key_id */, auth_set)); |
270 | |
271 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 3 /* key_id */, auth_set)); |
272 | |
273 | // Key 4 should fail, because table is full. |
274 | EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, |
275 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set)); |
276 | |
277 | // Key 1 still works, because it's already in the table and hasn't reached max. |
278 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); |
279 | |
280 | // Key 1 no longer works, because it's reached max. |
281 | EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, |
282 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); |
283 | |
284 | // Key 4 should fail, because table is (still and forever) full. |
285 | EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, |
286 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set)); |
287 | |
288 | // Pubkey ops allowed. |
289 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
290 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); |
291 | } |
292 | |
293 | TEST_F(KeymasterBaseTest, TestInvalidTimeBetweenOps) { |
294 | keymaster_key_param_t params[] = { |
295 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
296 | Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 10), |
297 | }; |
298 | |
299 | AuthorizationSet auth_set(params, array_length(params)); |
300 | |
301 | keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
302 | keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); |
303 | keymaster_error_t kmer3 = kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); |
304 | |
305 | ASSERT_EQ(KM_ERROR_OK, kmer1); |
306 | kmen.tick(2); |
307 | ASSERT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, kmer2); |
308 | |
309 | // Allowed because it's a pubkey op. |
310 | ASSERT_EQ(KM_ERROR_OK, kmer3); |
311 | } |
312 | |
313 | TEST_F(KeymasterBaseTest, TestValidTimeBetweenOps) { |
314 | keymaster_key_param_t params[] = { |
315 | Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
316 | Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 2), |
317 | }; |
318 | |
319 | AuthorizationSet auth_set(params, array_length(params)); |
320 | |
321 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
322 | kmen.tick(); |
323 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
324 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
325 | kmen.tick(); |
326 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
327 | } |
328 | |
329 | TEST_F(KeymasterBaseTest, TestOptTimeoutTableOverflow) { |
330 | keymaster_key_param_t params[] = { |
331 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), |
332 | Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4), |
333 | Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), |
334 | }; |
335 | |
336 | AuthorizationSet auth_set(params, array_length(params)); |
337 | |
338 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
339 | |
340 | kmen.tick(); |
341 | |
342 | // Key 1 fails because it's too soon |
343 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
344 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
345 | |
346 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
347 | |
348 | kmen.tick(); |
349 | |
350 | // Key 1 fails because it's too soon |
351 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
352 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
353 | // Key 2 fails because it's too soon |
354 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
355 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
356 | |
357 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); |
358 | |
359 | kmen.tick(); |
360 | |
361 | // Key 1 fails because it's too soon |
362 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
363 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
364 | // Key 2 fails because it's too soon |
365 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
366 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
367 | // Key 3 fails because it's too soon |
368 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
369 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); |
370 | // Key 4 fails because the table is full |
371 | EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, |
372 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); |
373 | |
374 | kmen.tick(); |
375 | |
376 | // Key 4 succeeds because key 1 expired. |
377 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); |
378 | |
379 | // Key 1 fails because the table is full... and key 1 is no longer in it. |
380 | EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, |
381 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
382 | // Key 2 fails because it's too soon |
383 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
384 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
385 | // Key 3 fails because it's too soon |
386 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
387 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); |
388 | |
389 | kmen.tick(); |
390 | |
391 | // Key 1 succeeds because key 2 expired |
392 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
393 | // Key 2 fails because the table is full... and key 2 is no longer in it. |
394 | EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, |
395 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
396 | // Key 3 fails because it's too soon |
397 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
398 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); |
399 | // Key 4 fails because it's too soon |
400 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
401 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); |
402 | |
403 | kmen.tick(4); |
404 | |
405 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
406 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); |
407 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); |
408 | } |
409 | |
410 | TEST_F(KeymasterBaseTest, TestPubkeyOptTimeoutTableOverflow) { |
411 | keymaster_key_param_t params[] = { |
412 | Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), |
413 | Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), |
414 | }; |
415 | |
416 | AuthorizationSet auth_set(params, array_length(params)); |
417 | |
418 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); |
419 | |
420 | kmen.tick(); |
421 | |
422 | // Key 1 fails because it's too soon |
423 | EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, |
424 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); |
425 | // Too soo, but pubkey ops allowed. |
426 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); |
427 | } |
428 | |
429 | TEST_F(KeymasterBaseTest, TestInvalidPurpose) { |
430 | keymaster_purpose_t invalidPurpose1 = static_cast<keymaster_purpose_t>(-1); |
431 | keymaster_purpose_t invalidPurpose2 = static_cast<keymaster_purpose_t>(4); |
432 | |
433 | AuthorizationSet auth_set( |
434 | AuthorizationSetBuilder().Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)); |
435 | |
436 | EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, |
437 | kmen.AuthorizeOperation(invalidPurpose1, key_id, auth_set)); |
438 | EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, |
439 | kmen.AuthorizeOperation(invalidPurpose2, key_id, auth_set)); |
440 | } |
441 | |
442 | TEST_F(KeymasterBaseTest, TestIncompatiblePurposeSymmetricKey) { |
443 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
444 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES) |
445 | .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY) |
446 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
447 | |
448 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
449 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
450 | |
451 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, |
452 | kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set)); |
453 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, |
454 | kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set)); |
455 | } |
456 | |
457 | TEST_F(KeymasterBaseTest, TestIncompatiblePurposeAssymmetricKey) { |
458 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
459 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
460 | .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY) |
461 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
462 | |
463 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
464 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
465 | |
466 | // This one is allowed because it's a pubkey op. |
467 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set)); |
468 | EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, |
469 | kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set)); |
470 | } |
471 | |
472 | TEST_F(KeymasterBaseTest, TestInvalidCallerNonce) { |
473 | AuthorizationSet no_caller_nonce(AuthorizationSetBuilder() |
474 | .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT) |
475 | .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT) |
476 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES)); |
477 | AuthorizationSet caller_nonce(AuthorizationSetBuilder() |
478 | .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT) |
479 | .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT) |
480 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_HMAC) |
481 | .Authorization(TAG_CALLER_NONCE)); |
482 | AuthorizationSet begin_params(AuthorizationSetBuilder().Authorization(TAG_NONCE, "foo", 3)); |
483 | |
484 | EXPECT_EQ(KM_ERROR_OK, |
485 | kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, caller_nonce, begin_params, |
486 | 0 /* challenge */, true /* is_begin_operation */)); |
487 | EXPECT_EQ(KM_ERROR_OK, |
488 | kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, caller_nonce, begin_params, |
489 | 0 /* challenge */, true /* is_begin_operation */)); |
490 | EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, |
491 | kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, no_caller_nonce, begin_params, |
492 | 0 /* challenge */, true /* is_begin_operation */)); |
493 | EXPECT_EQ(KM_ERROR_OK, |
494 | kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, no_caller_nonce, begin_params, |
495 | 0 /* challenge */, true /* is_begin_operation */)); |
496 | } |
497 | |
498 | TEST_F(KeymasterBaseTest, TestBootloaderOnly) { |
499 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
500 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN) |
501 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
502 | .Authorization(TAG_BOOTLOADER_ONLY)); |
503 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, |
504 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
505 | |
506 | // Pubkey ops allowed. |
507 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); |
508 | } |
509 | |
510 | TEST_F(KeymasterBaseTest, TestInvalidTag) { |
511 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
512 | .Authorization(TAG_INVALID) |
513 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
514 | |
515 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, |
516 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
517 | } |
518 | |
519 | TEST_F(KeymasterBaseTest, TestAuthPerOpSuccess) { |
520 | hw_auth_token_t token; |
521 | memset(&token, 0, sizeof(token)); |
522 | token.version = HW_AUTH_TOKEN_VERSION; |
523 | token.challenge = 99; |
524 | token.user_id = 9; |
525 | token.authenticator_id = 0; |
526 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
527 | token.timestamp = 0; |
528 | |
529 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
530 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
531 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
532 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
533 | |
534 | AuthorizationSet op_params; |
535 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
536 | |
537 | EXPECT_EQ(KM_ERROR_OK, |
538 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
539 | false /* is_begin_operation */)); |
540 | } |
541 | |
542 | TEST_F(KeymasterBaseTest, TestAuthPerOpInvalidTokenSignature) { |
543 | hw_auth_token_t token; |
544 | memset(&token, 0, sizeof(token)); |
545 | token.version = HW_AUTH_TOKEN_VERSION; |
546 | token.challenge = 99; |
547 | token.user_id = 9; |
548 | token.authenticator_id = 0; |
549 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
550 | token.timestamp = 0; |
551 | |
552 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
553 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) |
554 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
555 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
556 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
557 | |
558 | AuthorizationSet op_params; |
559 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
560 | |
561 | kmen.set_report_token_valid(false); |
562 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
563 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
564 | false /* is_begin_operation */)); |
565 | // Pubkey ops allowed. |
566 | EXPECT_EQ(KM_ERROR_OK, |
567 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
568 | token.challenge, false /* is_begin_operation */)); |
569 | } |
570 | |
571 | TEST_F(KeymasterBaseTest, TestAuthPerOpWrongChallenge) { |
572 | hw_auth_token_t token; |
573 | memset(&token, 0, sizeof(token)); |
574 | token.version = HW_AUTH_TOKEN_VERSION; |
575 | token.challenge = 99; |
576 | token.user_id = 9; |
577 | token.authenticator_id = 0; |
578 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
579 | token.timestamp = 0; |
580 | |
581 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
582 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
583 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
584 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
585 | |
586 | AuthorizationSet op_params; |
587 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
588 | |
589 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
590 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
591 | token.challenge + 1 /* doesn't match token */, |
592 | false /* is_begin_operation */)); |
593 | } |
594 | |
595 | TEST_F(KeymasterBaseTest, TestAuthPerOpNoAuthType) { |
596 | hw_auth_token_t token; |
597 | memset(&token, 0, sizeof(token)); |
598 | token.version = HW_AUTH_TOKEN_VERSION; |
599 | token.challenge = 99; |
600 | token.user_id = 9; |
601 | token.authenticator_id = 0; |
602 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
603 | token.timestamp = 0; |
604 | |
605 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
606 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
607 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
608 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
609 | |
610 | AuthorizationSet op_params; |
611 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
612 | |
613 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
614 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
615 | false /* is_begin_operation */)); |
616 | // Pubkey ops allowed. |
617 | EXPECT_EQ(KM_ERROR_OK, |
618 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
619 | token.challenge, false /* is_begin_operation */)); |
620 | } |
621 | |
622 | TEST_F(KeymasterBaseTest, TestAuthPerOpWrongAuthType) { |
623 | hw_auth_token_t token; |
624 | memset(&token, 0, sizeof(token)); |
625 | token.version = HW_AUTH_TOKEN_VERSION; |
626 | token.challenge = 99; |
627 | token.user_id = 9; |
628 | token.authenticator_id = 0; |
629 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
630 | token.timestamp = 0; |
631 | |
632 | AuthorizationSet auth_set( |
633 | AuthorizationSetBuilder() |
634 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
635 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
636 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_FINGERPRINT /* doesn't match token */) |
637 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
638 | |
639 | AuthorizationSet op_params; |
640 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
641 | |
642 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
643 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
644 | false /* is_begin_operation */)); |
645 | // Pubkey ops allowed. |
646 | EXPECT_EQ(KM_ERROR_OK, |
647 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
648 | token.challenge, false /* is_begin_operation */)); |
649 | } |
650 | |
651 | TEST_F(KeymasterBaseTest, TestAuthPerOpWrongSid) { |
652 | hw_auth_token_t token; |
653 | memset(&token, 0, sizeof(token)); |
654 | token.version = HW_AUTH_TOKEN_VERSION; |
655 | token.challenge = 99; |
656 | token.user_id = 9; |
657 | token.authenticator_id = 0; |
658 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
659 | token.timestamp = 0; |
660 | |
661 | AuthorizationSet auth_set( |
662 | AuthorizationSetBuilder() |
663 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
664 | .Authorization(TAG_USER_SECURE_ID, token.user_id + 1 /* doesn't match token */) |
665 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
666 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
667 | |
668 | AuthorizationSet op_params; |
669 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
670 | |
671 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
672 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
673 | false /* is_begin_operation */)); |
674 | // Pubkey op allowed. |
675 | EXPECT_EQ(KM_ERROR_OK, |
676 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
677 | token.challenge, false /* is_begin_operation */)); |
678 | } |
679 | |
680 | TEST_F(KeymasterBaseTest, TestAuthPerOpSuccessAlternateSid) { |
681 | hw_auth_token_t token; |
682 | memset(&token, 0, sizeof(token)); |
683 | token.version = HW_AUTH_TOKEN_VERSION; |
684 | token.challenge = 99; |
685 | token.user_id = 9; |
686 | token.authenticator_id = 10; |
687 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
688 | token.timestamp = 0; |
689 | |
690 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
691 | .Authorization(TAG_USER_SECURE_ID, token.authenticator_id) |
692 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
693 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
694 | |
695 | AuthorizationSet op_params; |
696 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
697 | |
698 | EXPECT_EQ(KM_ERROR_OK, |
699 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
700 | false /* is_begin_operation */)); |
701 | } |
702 | |
703 | TEST_F(KeymasterBaseTest, TestAuthPerOpMissingToken) { |
704 | hw_auth_token_t token; |
705 | memset(&token, 0, sizeof(token)); |
706 | token.version = HW_AUTH_TOKEN_VERSION; |
707 | token.challenge = 99; |
708 | token.user_id = 9; |
709 | token.authenticator_id = 0; |
710 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
711 | token.timestamp = 0; |
712 | |
713 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
714 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
715 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
716 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
717 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
718 | |
719 | AuthorizationSet op_params; |
720 | |
721 | // During begin we can skip the auth token |
722 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
723 | token.challenge, true /* is_begin_operation */)); |
724 | // Afterwards we must have authentication |
725 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
726 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
727 | false /* is_begin_operation */)); |
728 | // Pubkey ops allowed |
729 | EXPECT_EQ(KM_ERROR_OK, |
730 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
731 | token.challenge, false /* is_begin_operation */)); |
732 | |
733 | auth_set.Reinitialize(AuthorizationSetBuilder() |
734 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES) |
735 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
736 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
737 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN) |
738 | .build()); |
739 | |
740 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
741 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
742 | token.challenge, false /* is_begin_operation */)); |
743 | } |
744 | |
745 | TEST_F(KeymasterBaseTest, TestAuthAndNoAuth) { |
746 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
747 | .Authorization(TAG_USER_SECURE_ID, 1) |
748 | .Authorization(TAG_NO_AUTH_REQUIRED) |
749 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
750 | |
751 | EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, |
752 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); |
753 | } |
754 | |
755 | TEST_F(KeymasterBaseTest, TestTimedAuthSuccess) { |
756 | hw_auth_token_t token; |
757 | memset(&token, 0, sizeof(token)); |
758 | token.version = HW_AUTH_TOKEN_VERSION; |
759 | token.challenge = 99; |
760 | token.user_id = 9; |
761 | token.authenticator_id = 0; |
762 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
763 | token.timestamp = hton(kmen.current_time()); |
764 | |
765 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
766 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
767 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
768 | .Authorization(TAG_AUTH_TIMEOUT, 1) |
769 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
770 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
771 | |
772 | AuthorizationSet op_params; |
773 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
774 | |
775 | EXPECT_EQ(KM_ERROR_OK, |
776 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
777 | 0 /* irrelevant */, false /* is_begin_operation */)); |
778 | } |
779 | |
780 | TEST_F(KeymasterBaseTest, TestTimedAuthTimedOut) { |
781 | hw_auth_token_t token; |
782 | memset(&token, 0, sizeof(token)); |
783 | token.version = HW_AUTH_TOKEN_VERSION; |
784 | token.challenge = 99; |
785 | token.user_id = 9; |
786 | token.authenticator_id = 0; |
787 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
788 | token.timestamp = hton(static_cast<uint64_t>(kmen.current_time())); |
789 | |
790 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
791 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
792 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
793 | .Authorization(TAG_AUTH_TIMEOUT, 1) |
794 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
795 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
796 | |
797 | AuthorizationSet op_params; |
798 | op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); |
799 | |
800 | EXPECT_EQ(KM_ERROR_OK, |
801 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
802 | 0 /* irrelevant */, false /* is_begin_operation */)); |
803 | |
804 | kmen.tick(1); |
805 | |
806 | // token still good |
807 | EXPECT_EQ(KM_ERROR_OK, |
808 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
809 | 0 /* irrelevant */, false /* is_begin_operation */)); |
810 | |
811 | kmen.tick(1); |
812 | |
813 | // token expired, not allowed during begin. |
814 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
815 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
816 | 0 /* irrelevant */, true /* is_begin_operation */)); |
817 | |
818 | // token expired, afterwards it's okay. |
819 | EXPECT_EQ(KM_ERROR_OK, |
820 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, |
821 | 0 /* irrelevant */, false /* is_begin_operation */)); |
822 | |
823 | // Pubkey ops allowed. |
824 | EXPECT_EQ(KM_ERROR_OK, |
825 | kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
826 | 0 /* irrelevant */, true /* is_begin_operation */)); |
827 | } |
828 | |
829 | TEST_F(KeymasterBaseTest, TestTimedAuthMissingToken) { |
830 | hw_auth_token_t token; |
831 | memset(&token, 0, sizeof(token)); |
832 | token.version = HW_AUTH_TOKEN_VERSION; |
833 | token.challenge = 99; |
834 | token.user_id = 9; |
835 | token.authenticator_id = 0; |
836 | token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); |
837 | token.timestamp = hton(static_cast<uint64_t>(kmen.current_time())); |
838 | |
839 | AuthorizationSet auth_set(AuthorizationSetBuilder() |
840 | .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) |
841 | .Authorization(TAG_USER_SECURE_ID, token.user_id) |
842 | .Authorization(TAG_AUTH_TIMEOUT, 1) |
843 | .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) |
844 | .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); |
845 | |
846 | AuthorizationSet op_params; |
847 | |
848 | // Unlike auth-per-op, must have the auth token during begin. |
849 | EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, |
850 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
851 | true /* is_begin_operation */)); |
852 | |
853 | // Later we don't check (though begin would fail, so there wouldn't be a later). |
854 | EXPECT_EQ(KM_ERROR_OK, |
855 | kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, |
856 | false /* is_begin_operation */)); |
857 | |
858 | // Pubkey ops allowed. |
859 | EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, |
860 | token.challenge, true /* is_begin_operation */)); |
861 | } |
862 | |
863 | TEST_F(KeymasterBaseTest, TestCreateKeyId) { |
864 | keymaster_key_blob_t blob = {reinterpret_cast<const uint8_t*>("foobar"), 6}; |
865 | |
866 | km_id_t key_id = 0; |
867 | EXPECT_TRUE(KeymasterEnforcement::CreateKeyId(blob, &key_id)); |
868 | EXPECT_NE(0U, key_id); |
869 | } |
870 | |
871 | }; /* namespace test */ |
872 | }; /* namespace keymaster */ |
873 |