blob: 39ea38ba44572a01501f11c3bece303edc029ca0
1 | /* |
2 | * Copyright 2015 The Android Open Source Project |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
5 | * you may not use this file except in compliance with the License. |
6 | * You may obtain a copy of the License at |
7 | * |
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
9 | * |
10 | * Unless required by applicable law or agreed to in writing, software |
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
13 | * See the License for the specific language governing permissions and |
14 | * limitations under the License. |
15 | */ |
16 | |
17 | #include "nist_curve_key_exchange.h" |
18 | |
19 | #include <gtest/gtest.h> |
20 | #include <openssl/evp.h> |
21 | |
22 | #include <hardware/keymaster_defs.h> |
23 | #include <keymaster/android_keymaster_utils.h> |
24 | |
25 | #include "android_keymaster_test_utils.h" |
26 | |
27 | using std::string; |
28 | |
29 | namespace keymaster { |
30 | namespace test { |
31 | |
32 | StdoutLogger logger; |
33 | |
34 | static const keymaster_ec_curve_t kEcCurves[] = {KM_EC_CURVE_P_224, KM_EC_CURVE_P_256, |
35 | KM_EC_CURVE_P_384, KM_EC_CURVE_P_521}; |
36 | |
37 | /** |
38 | * SharedKey just tests that the basic key exchange identity holds: that both |
39 | * parties end up with the same key. |
40 | */ |
41 | TEST(NistCurveKeyExchange, SharedKey) { |
42 | for (auto& curve : kEcCurves) { |
43 | AuthorizationSet kex_description( |
44 | AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve)); |
45 | for (size_t j = 0; j < 5; j++) { |
46 | NistCurveKeyExchange* alice_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve); |
47 | NistCurveKeyExchange* bob_keyex = NistCurveKeyExchange::GenerateKeyExchange(curve); |
48 | |
49 | ASSERT_TRUE(alice_keyex != nullptr); |
50 | ASSERT_TRUE(bob_keyex != nullptr); |
51 | |
52 | Buffer alice_public_value; |
53 | ASSERT_TRUE(alice_keyex->public_value(&alice_public_value)); |
54 | Buffer bob_public_value; |
55 | ASSERT_TRUE(bob_keyex->public_value(&bob_public_value)); |
56 | |
57 | Buffer alice_shared, bob_shared; |
58 | ASSERT_TRUE(alice_keyex->CalculateSharedKey(bob_public_value, &alice_shared)); |
59 | ASSERT_TRUE(bob_keyex->CalculateSharedKey(alice_public_value, &bob_shared)); |
60 | EXPECT_EQ(alice_shared.available_read(), bob_shared.available_read()); |
61 | EXPECT_EQ(0, memcmp(alice_shared.peek_read(), bob_shared.peek_read(), |
62 | alice_shared.available_read())); |
63 | } |
64 | } |
65 | } |
66 | |
67 | /* |
68 | * This test tries a key agreement with a false public key (i.e. with |
69 | * a point not on the curve.) |
70 | * The expected result of such a protocol should be that the |
71 | * key agreement fails and returns an error. |
72 | */ |
73 | static const char* kInvalidPublicKeys[] = { |
74 | "04" // uncompressed public key |
75 | "deadbeef7f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287" |
76 | "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac", |
77 | }; |
78 | |
79 | TEST(NistCurveKeyExchange, InvalidPublicKey) { |
80 | for (auto& curve : kEcCurves) { |
81 | AuthorizationSet kex_description( |
82 | AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve)); |
83 | KeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve); |
84 | ASSERT_TRUE(key_exchange != nullptr); |
85 | |
86 | string peer_public_key = hex2str(kInvalidPublicKeys[0]); |
87 | Buffer computed_shared_secret; |
88 | ASSERT_FALSE(key_exchange->CalculateSharedKey( |
89 | reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(), |
90 | &computed_shared_secret)); |
91 | } |
92 | } |
93 | |
94 | /** |
95 | * Test that key exchange fails when peer public key is the point at infinity. |
96 | */ |
97 | TEST(NistCurveKeyExchange, TestInfinity) { |
98 | for (auto& curve : kEcCurves) { |
99 | /* Obtain the point at infinity */ |
100 | EC_GROUP* group = ec_get_group(curve); |
101 | EC_POINT* point_at_infinity = EC_POINT_new(group); |
102 | EC_POINT_set_to_infinity(group, point_at_infinity); |
103 | EXPECT_EQ(1, EC_POINT_is_on_curve(group, point_at_infinity, nullptr)); |
104 | size_t field_len_in_bits; |
105 | ec_get_group_size(group, &field_len_in_bits); |
106 | size_t field_len = (field_len_in_bits + 7) / 8; |
107 | size_t public_key_len = (field_len * 2) + 1; |
108 | uint8_t* public_key = new uint8_t[public_key_len]; |
109 | public_key_len = EC_POINT_point2oct(group, point_at_infinity, POINT_CONVERSION_UNCOMPRESSED, |
110 | public_key, public_key_len, nullptr /* ctx */); |
111 | |
112 | /* Perform the key exchange */ |
113 | AuthorizationSet kex_description( |
114 | AuthorizationSetBuilder().Authorization(TAG_EC_CURVE, curve)); |
115 | NistCurveKeyExchange* key_exchange = NistCurveKeyExchange::GenerateKeyExchange(curve); |
116 | ASSERT_TRUE(key_exchange != nullptr); |
117 | Buffer computed_shared_secret; |
118 | /* It should fail */ |
119 | ASSERT_FALSE(key_exchange->CalculateSharedKey(reinterpret_cast<const uint8_t*>(public_key), |
120 | public_key_len, &computed_shared_secret)); |
121 | |
122 | /* Explicitly test that ECDH_compute_key fails when the public key is the point at infinity |
123 | */ |
124 | UniquePtr<uint8_t[]> result(new uint8_t[field_len]); |
125 | EXPECT_EQ(-1 /* error */, ECDH_compute_key(result.get(), field_len, point_at_infinity, |
126 | key_exchange->private_key(), nullptr /* kdf */)); |
127 | } |
128 | } |
129 | |
130 | /* Test vectors for P-256, downloaded from NIST. */ |
131 | struct NistCurveTest { |
132 | const keymaster_ec_curve_t curve; |
133 | const char* peer_public_key; |
134 | const char* my_private_key; |
135 | const char* shared_secret; |
136 | }; |
137 | |
138 | static const NistCurveTest kNistCurveTests[] = { |
139 | { |
140 | KM_EC_CURVE_P_256, |
141 | "04" // uncompressed public key |
142 | "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287" |
143 | "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac", |
144 | // https://tools.ietf.org/html/rfc5915 |
145 | "30770201010420" // DER-encodeded EC private key header |
146 | "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534" // private key |
147 | "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID, |
148 | "04" |
149 | "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230" |
150 | "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141", |
151 | "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b", |
152 | }, |
153 | { |
154 | KM_EC_CURVE_P_256, "04" |
155 | "809f04289c64348c01515eb03d5ce7ac1a8cb9498f5caa50197e58d43a86a7ae" |
156 | "b29d84e811197f25eba8f5194092cb6ff440e26d4421011372461f579271cda3", |
157 | // https://tools.ietf.org/html/rfc5915 |
158 | "30770201010420" // DER-encodeded EC private key header |
159 | "38f65d6dce47676044d58ce5139582d568f64bb16098d179dbab07741dd5caf5" // private key |
160 | "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID, |
161 | "04" |
162 | "119f2f047902782ab0c9e27a54aff5eb9b964829ca99c06b02ddba95b0a3f6d0" |
163 | "8f52b726664cac366fc98ac7a012b2682cbd962e5acb544671d41b9445704d1d", |
164 | "057d636096cb80b67a8c038c890e887d1adfa4195e9b3ce241c8a778c59cda67", |
165 | }, |
166 | { |
167 | KM_EC_CURVE_P_256, "04" |
168 | "df3989b9fa55495719b3cf46dccd28b5153f7808191dd518eff0c3cff2b705ed" |
169 | "422294ff46003429d739a33206c8752552c8ba54a270defc06e221e0feaf6ac4", |
170 | // https://tools.ietf.org/html/rfc5915 |
171 | "30770201010420" // DER-encodeded EC private key header |
172 | "207c43a79bfee03db6f4b944f53d2fb76cc49ef1c9c4d34d51b6c65c4db6932d" // private key |
173 | "a00a06082a8648ce3d030107a144034200" // DER-encoded curve OID, |
174 | "04" |
175 | "24277c33f450462dcb3d4801d57b9ced05188f16c28eda873258048cd1607e0d" |
176 | "c4789753e2b1f63b32ff014ec42cd6a69fac81dfe6d0d6fd4af372ae27c46f88", |
177 | "96441259534b80f6aee3d287a6bb17b5094dd4277d9e294f8fe73e48bf2a0024", |
178 | }, |
179 | }; |
180 | |
181 | /** |
182 | * Test that key exchange works with NIST test vectors. |
183 | */ |
184 | TEST(NistCurveKeyExchange, NistTestVectors) { |
185 | for (auto& test : kNistCurveTests) { |
186 | string private_key = hex2str(test.my_private_key); |
187 | string shared_secret = hex2str(test.shared_secret); |
188 | |
189 | const uint8_t* private_key_data = reinterpret_cast<const uint8_t*>(private_key.data()); |
190 | UniquePtr<EC_KEY, EC_KEY_Delete> ec_key( |
191 | d2i_ECPrivateKey(nullptr, &private_key_data, private_key.size())); |
192 | ASSERT_TRUE(ec_key.get() && EC_KEY_check_key(ec_key.get())); |
193 | |
194 | keymaster_error_t error; |
195 | NistCurveKeyExchange* key_exchange = new NistCurveKeyExchange(ec_key.release(), &error); |
196 | EXPECT_EQ(KM_ERROR_OK, error); |
197 | ASSERT_TRUE(key_exchange != nullptr); |
198 | |
199 | Buffer computed_shared_secret; |
200 | string peer_public_key = hex2str(test.peer_public_key); |
201 | ASSERT_TRUE(key_exchange->CalculateSharedKey( |
202 | reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(), |
203 | &computed_shared_secret)); |
204 | EXPECT_EQ(shared_secret.size(), computed_shared_secret.available_read()); |
205 | EXPECT_EQ(0, memcmp(shared_secret.data(), computed_shared_secret.peek_read(), |
206 | shared_secret.size())); |
207 | |
208 | for (size_t i = 0; i < peer_public_key.size(); i++) { |
209 | // randomly flip some bits in the peer public key to make it invalid |
210 | peer_public_key[i] ^= 0xff; |
211 | ASSERT_FALSE(key_exchange->CalculateSharedKey( |
212 | reinterpret_cast<const uint8_t*>(peer_public_key.data()), peer_public_key.size(), |
213 | &computed_shared_secret)); |
214 | } |
215 | } |
216 | } |
217 | |
218 | } // namespace test |
219 | } // namespace keymaster |
220 |