platform/hardware/amlogic/keymaster.git - Unnamed repository; edit this file 'description' to name the repository.

1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16
17 #include "nist_curve_key_exchange.h"
18
19 #include <gtest/gtest.h>
20 #include <openssl/evp.h>
21
22 #include <hardware/keymaster_defs.h>
23 #include <keymaster/android_keymaster_utils.h>
24
25 #include "android_keymaster_test_utils.h"
26
27 using std::string;
28
29 namespace keymaster {
30 namespace test {
31
32 StdoutLogger logger;
33
34 static const keymaster_ec_curve_t kEcCurves[] = {KM_EC_CURVE_P_224, KM_EC_CURVE_P_256,
35                                                  KM_EC_CURVE_P_384, KM_EC_CURVE_P_521};
36
37 /**
38  * SharedKey just tests that the basic key exchange identity holds: that both
39  * parties end up with the same key.
40  */
41 TEST(NistCurveKeyExchange, SharedKey) {
42     for (auto& curve : kEcCurves) {
43         AuthorizationSet kex_description(
44             AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
45         for (size_t j = 0; j < 5; j++) {
46             NistCurveKeyExchange* alice_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
47             NistCurveKeyExchange* bob_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
48
49             ASSERT_TRUE(alice_keyex != nullptr);
50             ASSERT_TRUE(bob_keyex != nullptr);
51
52             Buffer alice_public_value;
53             ASSERT_TRUE(alice_keyex->public_value(&alice_public_value));
54             Buffer bob_public_value;
55             ASSERT_TRUE(bob_keyex->public_value(&bob_public_value));
56
57             Buffer alice_shared, bob_shared;
58             ASSERT_TRUE(alice_keyex->CalculateSharedKey(bob_public_value, &alice_shared));
59             ASSERT_TRUE(bob_keyex->CalculateSharedKey(alice_public_value, &bob_shared));
60             EXPECT_EQ(alice_shared.available_read(), bob_shared.available_read());
61             EXPECT_EQ(0, memcmp(alice_shared.peek_read(), bob_shared.peek_read(),
62                                 alice_shared.available_read()));
63         }
64     }
65 }
66
67 /*
68  * This test tries a key agreement with a false public key (i.e. with
69  * a point not on the curve.)
70  * The expected result of such a protocol should be that the
71  * key agreement fails and returns an error.
72 */
73 static const char* kInvalidPublicKeys[] = {
74     "04"  // uncompressed public key
75     "deadbeef7f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
76     "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
77 };
78
79 TEST(NistCurveKeyExchange, InvalidPublicKey) {
80     for (auto& curve : kEcCurves) {
81         AuthorizationSet kex_description(
82             AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
83         KeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
84         ASSERT_TRUE(key_exchange != nullptr);
85
86         string peer_public_key = hex2str(kInvalidPublicKeys[0]);
87         Buffer computed_shared_secret;
88         ASSERT_FALSE(key_exchange->CalculateSharedKey(
89             reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
90             &computed_shared_secret));
91     }
92 }
93
94 /**
95  * Test that key exchange fails when peer public key is the point at infinity.
96  */
97 TEST(NistCurveKeyExchange, TestInfinity) {
98     for (auto& curve : kEcCurves) {
99         /* Obtain the point at infinity */
100         EC_GROUP* group = ec_get_group(curve);
101         EC_POINT* point_at_infinity = EC_POINT_new(group);
102         EC_POINT_set_to_infinity(group, point_at_infinity);
103         EXPECT_EQ(1, EC_POINT_is_on_curve(group, point_at_infinity, nullptr));
104         size_t field_len_in_bits;
105         ec_get_group_size(group, &field_len_in_bits);
106         size_t field_len = (field_len_in_bits + 7) / 8;
107         size_t public_key_len = (field_len * 2) + 1;
108         uint8_t* public_key = new uint8_t[public_key_len];
109         public_key_len = EC_POINT_point2oct(group, point_at_infinity, POINT_CONVERSION_UNCOMPRESSED,
110                                             public_key, public_key_len, nullptr /* ctx */);
111
112         /* Perform the key exchange */
113         AuthorizationSet kex_description(
114             AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
115         NistCurveKeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
116         ASSERT_TRUE(key_exchange != nullptr);
117         Buffer computed_shared_secret;
118         /* It should fail */
119         ASSERT_FALSE(key_exchange->CalculateSharedKey(reinterpret_cast<const uint8_t*>(public_key),
120                                                       public_key_len, &computed_shared_secret));
121
122         /* Explicitly test that ECDH_compute_key fails when the public key is the point at infinity
123          */
124         UniquePtr<uint8_t[]> result(new uint8_t[field_len]);
125         EXPECT_EQ(-1 /* error */, ECDH_compute_key(result.get(), field_len, point_at_infinity,
126                                                    key_exchange->private_key(), nullptr /* kdf */));
127     }
128 }
129
130 /* Test vectors for P-256, downloaded from NIST. */
131 struct NistCurveTest {
132     const keymaster_ec_curve_t curve;
133     const char* peer_public_key;
134     const char* my_private_key;
135     const char* shared_secret;
136 };
137
138 static const NistCurveTest kNistCurveTests[] = {
139     {
140         KM_EC_CURVE_P_256,
141         "04"  // uncompressed public key
142         "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
143         "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
144         // https://tools.ietf.org/html/rfc5915
145         "30770201010420"  // DER-encodeded EC private key header
146         "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534"  // private key
147         "a00a06082a8648ce3d030107a144034200"  // DER-encoded curve OID,
148         "04"
149         "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230"
150         "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141",
151         "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b",
152     },
153     {
154         KM_EC_CURVE_P_256, "04"
155                            "809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae"
156                            "b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3",
157         // https://tools.ietf.org/html/rfc5915
158         "30770201010420"  // DER-encodeded EC private key header
159         "38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5"  // private key
160         "a00a06082a8648ce3d030107a144034200"  // DER-encoded curve OID,
161         "04"
162         "119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d0"
163         "8f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d",
164         "057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67",
165     },
166     {
167         KM_EC_CURVE_P_256, "04"
168                            "df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed"
169                            "422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4",
170         // https://tools.ietf.org/html/rfc5915
171         "30770201010420"  // DER-encodeded EC private key header
172         "207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d"  // private key
173         "a00a06082a8648ce3d030107a144034200"  // DER-encoded curve OID,
174         "04"
175         "24277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0d"
176         "c4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88",
177         "96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024",
178     },
179 };
180
181 /**
182  * Test that key exchange works with NIST test vectors.
183  */
184 TEST(NistCurveKeyExchange, NistTestVectors) {
185     for (auto& test : kNistCurveTests) {
186         string private_key = hex2str(test.my_private_key);
187         string shared_secret = hex2str(test.shared_secret);
188
189         const uint8_t* private_key_data = reinterpret_cast<const uint8_t*>(private_key.data());
190         UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(
191             d2i_ECPrivateKey(nullptr, &private_key_data, private_key.size()));
192         ASSERT_TRUE(ec_key.get() && EC_KEY_check_key(ec_key.get()));
193
194         keymaster_error_t error;
195         NistCurveKeyExchange* key_exchange = new NistCurveKeyExchange(ec_key.release(), &error);
196         EXPECT_EQ(KM_ERROR_OK, error);
197         ASSERT_TRUE(key_exchange != nullptr);
198
199         Buffer computed_shared_secret;
200         string peer_public_key = hex2str(test.peer_public_key);
201         ASSERT_TRUE(key_exchange->CalculateSharedKey(
202             reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
203             &computed_shared_secret));
204         EXPECT_EQ(shared_secret.size(), computed_shared_secret.available_read());
205         EXPECT_EQ(0, memcmp(shared_secret.data(), computed_shared_secret.peek_read(),
206                             shared_secret.size()));
207
208         for (size_t i = 0; i < peer_public_key.size(); i++) {
209             // randomly flip some bits in the peer public key to make it invalid
210             peer_public_key[i] ^= 0xff;
211             ASSERT_FALSE(key_exchange->CalculateSharedKey(
212                 reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
213                 &computed_shared_secret));
214         }
215     }
216 }
217
218 }  // namespace test
219 }  // namespace keymaster
220
1	/*
2	* Copyright 2015 The Android Open Source Project
3	*
4	* Licensed under the Apache License, Version 2.0 (the "License");
5	* you may not use this file except in compliance with the License.
6	* You may obtain a copy of the License at
7	*
8	* http://www.apache.org/licenses/LICENSE-2.0
9	*
10	* Unless required by applicable law or agreed to in writing, software
11	* distributed under the License is distributed on an "AS IS" BASIS,
12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13	* See the License for the specific language governing permissions and
14	* limitations under the License.
15	*/
16
17	#include "nist_curve_key_exchange.h"
18
19	#include <gtest/gtest.h>
20	#include <openssl/evp.h>
21
22	#include <hardware/keymaster_defs.h>
23	#include <keymaster/android_keymaster_utils.h>
24
25	#include "android_keymaster_test_utils.h"
26
27	using std::string;
28
29	namespace keymaster {
30	namespace test {
31
32	StdoutLogger logger;
33
34	static const keymaster_ec_curve_t kEcCurves[] = {KM_EC_CURVE_P_224, KM_EC_CURVE_P_256,
35	KM_EC_CURVE_P_384, KM_EC_CURVE_P_521};
36
37	/**
38	* SharedKey just tests that the basic key exchange identity holds: that both
39	* parties end up with the same key.
40	*/
41	TEST(NistCurveKeyExchange, SharedKey) {
42	for (auto& curve : kEcCurves) {
43	AuthorizationSet kex_description(
44	AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
45	for (size_t j = 0; j < 5; j++) {
46	NistCurveKeyExchange* alice_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
47	NistCurveKeyExchange* bob_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve);
48
49	ASSERT_TRUE(alice_keyex != nullptr);
50	ASSERT_TRUE(bob_keyex != nullptr);
51
52	Buffer alice_public_value;
53	ASSERT_TRUE(alice_keyex->public_value(&alice_public_value));
54	Buffer bob_public_value;
55	ASSERT_TRUE(bob_keyex->public_value(&bob_public_value));
56
57	Buffer alice_shared, bob_shared;
58	ASSERT_TRUE(alice_keyex->CalculateSharedKey(bob_public_value, &alice_shared));
59	ASSERT_TRUE(bob_keyex->CalculateSharedKey(alice_public_value, &bob_shared));
60	EXPECT_EQ(alice_shared.available_read(), bob_shared.available_read());
61	EXPECT_EQ(0, memcmp(alice_shared.peek_read(), bob_shared.peek_read(),
62	alice_shared.available_read()));
63	}
64	}
65	}
66
67	/*
68	* This test tries a key agreement with a false public key (i.e. with
69	* a point not on the curve.)
70	* The expected result of such a protocol should be that the
71	* key agreement fails and returns an error.
72	*/
73	static const char* kInvalidPublicKeys[] = {
74	"04" // uncompressed public key
75	"deadbeef7f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
76	"db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
77	};
78
79	TEST(NistCurveKeyExchange, InvalidPublicKey) {
80	for (auto& curve : kEcCurves) {
81	AuthorizationSet kex_description(
82	AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
83	KeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
84	ASSERT_TRUE(key_exchange != nullptr);
85
86	string peer_public_key = hex2str(kInvalidPublicKeys[0]);
87	Buffer computed_shared_secret;
88	ASSERT_FALSE(key_exchange->CalculateSharedKey(
89	reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
90	&computed_shared_secret));
91	}
92	}
93
94	/**
95	* Test that key exchange fails when peer public key is the point at infinity.
96	*/
97	TEST(NistCurveKeyExchange, TestInfinity) {
98	for (auto& curve : kEcCurves) {
99	/* Obtain the point at infinity */
100	EC_GROUP* group = ec_get_group(curve);
101	EC_POINT* point_at_infinity = EC_POINT_new(group);
102	EC_POINT_set_to_infinity(group, point_at_infinity);
103	EXPECT_EQ(1, EC_POINT_is_on_curve(group, point_at_infinity, nullptr));
104	size_t field_len_in_bits;
105	ec_get_group_size(group, &field_len_in_bits);
106	size_t field_len = (field_len_in_bits + 7) / 8;
107	size_t public_key_len = (field_len * 2) + 1;
108	uint8_t* public_key = new uint8_t[public_key_len];
109	public_key_len = EC_POINT_point2oct(group, point_at_infinity, POINT_CONVERSION_UNCOMPRESSED,
110	public_key, public_key_len, nullptr /* ctx */);
111
112	/* Perform the key exchange */
113	AuthorizationSet kex_description(
114	AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve));
115	NistCurveKeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve);
116	ASSERT_TRUE(key_exchange != nullptr);
117	Buffer computed_shared_secret;
118	/* It should fail */
119	ASSERT_FALSE(key_exchange->CalculateSharedKey(reinterpret_cast<const uint8_t*>(public_key),
120	public_key_len, &computed_shared_secret));
121
122	/* Explicitly test that ECDH_compute_key fails when the public key is the point at infinity
123	*/
124	UniquePtr<uint8_t[]> result(new uint8_t[field_len]);
125	EXPECT_EQ(-1 /* error */, ECDH_compute_key(result.get(), field_len, point_at_infinity,
126	key_exchange->private_key(), nullptr /* kdf */));
127	}
128	}
129
130	/* Test vectors for P-256, downloaded from NIST. */
131	struct NistCurveTest {
132	const keymaster_ec_curve_t curve;
133	const char* peer_public_key;
134	const char* my_private_key;
135	const char* shared_secret;
136	};
137
138	static const NistCurveTest kNistCurveTests[] = {
139	{
140	KM_EC_CURVE_P_256,
141	"04" // uncompressed public key
142	"700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287"
143	"db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
144	// https://tools.ietf.org/html/rfc5915
145	"30770201010420" // DER-encodeded EC private key header
146	"7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534" // private key
147	"a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
148	"04"
149	"ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230"
150	"28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141",
151	"46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b",
152	},
153	{
154	KM_EC_CURVE_P_256, "04"
155	"809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae"
156	"b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3",
157	// https://tools.ietf.org/html/rfc5915
158	"30770201010420" // DER-encodeded EC private key header
159	"38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5" // private key
160	"a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
161	"04"
162	"119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d0"
163	"8f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d",
164	"057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67",
165	},
166	{
167	KM_EC_CURVE_P_256, "04"
168	"df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed"
169	"422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4",
170	// https://tools.ietf.org/html/rfc5915
171	"30770201010420" // DER-encodeded EC private key header
172	"207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d" // private key
173	"a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID,
174	"04"
175	"24277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0d"
176	"c4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88",
177	"96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024",
178	},
179	};
180
181	/**
182	* Test that key exchange works with NIST test vectors.
183	*/
184	TEST(NistCurveKeyExchange, NistTestVectors) {
185	for (auto& test : kNistCurveTests) {
186	string private_key = hex2str(test.my_private_key);
187	string shared_secret = hex2str(test.shared_secret);
188
189	const uint8_t* private_key_data = reinterpret_cast<const uint8_t*>(private_key.data());
190	UniquePtr<EC_KEY, EC_KEY_Delete> ec_key(
191	d2i_ECPrivateKey(nullptr, &private_key_data, private_key.size()));
192	ASSERT_TRUE(ec_key.get() && EC_KEY_check_key(ec_key.get()));
193
194	keymaster_error_t error;
195	NistCurveKeyExchange* key_exchange = new NistCurveKeyExchange(ec_key.release(), &error);
196	EXPECT_EQ(KM_ERROR_OK, error);
197	ASSERT_TRUE(key_exchange != nullptr);
198
199	Buffer computed_shared_secret;
200	string peer_public_key = hex2str(test.peer_public_key);
201	ASSERT_TRUE(key_exchange->CalculateSharedKey(
202	reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
203	&computed_shared_secret));
204	EXPECT_EQ(shared_secret.size(), computed_shared_secret.available_read());
205	EXPECT_EQ(0, memcmp(shared_secret.data(), computed_shared_secret.peek_read(),
206	shared_secret.size()));
207
208	for (size_t i = 0; i < peer_public_key.size(); i++) {
209	// randomly flip some bits in the peer public key to make it invalid
210	peer_public_key[i] ^= 0xff;
211	ASSERT_FALSE(key_exchange->CalculateSharedKey(
212	reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(),
213	&computed_shared_secret));
214	}
215	}
216	}
217
218	} // namespace test
219	} // namespace keymaster
220