android_keymaster_test.cpp revision 4f83b89b2bdb1dacfa1c208786e29c0cd66f0b15
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <fstream> 18#include <string> 19#include <vector> 20 21#include <hardware/keymaster0.h> 22#include <keymaster/soft_keymaster_device.h> 23#include <keymaster/softkeymaster.h> 24 25#include "android_keymaster_test_utils.h" 26 27using std::ifstream; 28using std::istreambuf_iterator; 29using std::string; 30using std::vector; 31using std::unique_ptr; 32 33extern "C" { 34int __android_log_print(int prio, const char* tag, const char* fmt); 35int __android_log_print(int prio, const char* tag, const char* fmt) { 36 prio, tag, fmt; 37 return 0; 38} 39} // extern "C" 40 41namespace keymaster { 42namespace test { 43 44StdoutLogger logger; 45 46class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator { 47 public: 48 keymaster1_device_t* CreateDevice() const override { 49 std::cerr << "Creating software-only device" << std::endl; 50 SoftKeymasterDevice* device = new SoftKeymasterDevice; 51 return device->keymaster_device(); 52 } 53 54 bool crypto_params_in_hardware(keymaster_algorithm_t) const override { return false; } 55 bool expect_keymaster0_calls() const override { return false; } 56 int keymaster0_calls() const override { return 0; } 57}; 58 59class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator { 60 public: 61 keymaster1_device_t* CreateDevice() const { 62 std::cerr << "Creating keymaster0-backed device" << std::endl; 63 hw_device_t* softkeymaster_device; 64 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 65 &softkeymaster_device)); 66 // Make the software device pretend to be hardware 67 keymaster0_device_t* keymaster0_device = 68 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 69 keymaster0_device->flags = KEYMASTER_SUPPORTS_EC; 70 71 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 72 73 SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(counting_keymaster0_device_); 74 return keymaster->keymaster_device(); 75 } 76 77 bool crypto_params_in_hardware(keymaster_algorithm_t algorithm) const override { 78 return algorithm == KM_ALGORITHM_RSA; 79 } 80 bool expect_keymaster0_calls() const override { return true; } 81 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 82 83 private: 84 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 85}; 86 87static auto test_params = 88 testing::Values(InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 89 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator)); 90 91typedef Keymaster1Test CheckSupported; 92INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params); 93 94TEST_P(CheckSupported, SupportedAlgorithms) { 95 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 96 device()->get_supported_algorithms(device(), NULL, NULL)); 97 98 size_t len; 99 keymaster_algorithm_t* algorithms; 100 EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len)); 101 EXPECT_TRUE(ResponseContains( 102 {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len)); 103 free(algorithms); 104 105 if (GetParam()->expect_keymaster0_calls()) 106 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 107} 108 109TEST_P(CheckSupported, SupportedBlockModes) { 110 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 111 device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 112 NULL, NULL)); 113 114 size_t len; 115 keymaster_block_mode_t* modes; 116 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, 117 KM_PURPOSE_ENCRYPT, &modes, &len)); 118 EXPECT_EQ(0U, len); 119 free(modes); 120 121 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 122 device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT, 123 &modes, &len)); 124 125 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES, 126 KM_PURPOSE_ENCRYPT, &modes, &len)); 127 EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR}, modes, len)); 128 free(modes); 129 130 if (GetParam()->expect_keymaster0_calls()) 131 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 132} 133 134TEST_P(CheckSupported, SupportedPaddingModes) { 135 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 136 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 137 NULL, NULL)); 138 139 size_t len; 140 keymaster_padding_t* modes; 141 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 142 KM_PURPOSE_SIGN, &modes, &len)); 143 EXPECT_TRUE( 144 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len)); 145 free(modes); 146 147 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 148 KM_PURPOSE_ENCRYPT, &modes, &len)); 149 EXPECT_TRUE(ResponseContains({KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len)); 150 free(modes); 151 152 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC, 153 KM_PURPOSE_SIGN, &modes, &len)); 154 EXPECT_EQ(0U, len); 155 free(modes); 156 157 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 158 device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, 159 &modes, &len)); 160 161 if (GetParam()->expect_keymaster0_calls()) 162 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 163} 164 165TEST_P(CheckSupported, SupportedDigests) { 166 EXPECT_EQ( 167 KM_ERROR_OUTPUT_PARAMETER_NULL, 168 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL)); 169 170 size_t len; 171 keymaster_digest_t* digests; 172 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA, 173 KM_PURPOSE_SIGN, &digests, &len)); 174 EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA_2_256}, digests, len)); 175 free(digests); 176 177 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 178 KM_PURPOSE_SIGN, &digests, &len)); 179 EXPECT_TRUE(ResponseContains(KM_DIGEST_NONE, digests, len)); 180 free(digests); 181 182 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 183 device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests, 184 &len)); 185 186 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 187 KM_PURPOSE_SIGN, &digests, &len)); 188 EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, 189 KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1}, 190 digests, len)); 191 free(digests); 192 193 if (GetParam()->expect_keymaster0_calls()) 194 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 195} 196 197TEST_P(CheckSupported, SupportedImportFormats) { 198 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 199 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 200 201 size_t len; 202 keymaster_key_format_t* formats; 203 ASSERT_EQ(KM_ERROR_OK, 204 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 205 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len)); 206 free(formats); 207 208 ASSERT_EQ(KM_ERROR_OK, 209 device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 210 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 211 free(formats); 212 213 ASSERT_EQ(KM_ERROR_OK, 214 device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 215 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 216 free(formats); 217 218 if (GetParam()->expect_keymaster0_calls()) 219 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 220} 221 222TEST_P(CheckSupported, SupportedExportFormats) { 223 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 224 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 225 226 size_t len; 227 keymaster_key_format_t* formats; 228 ASSERT_EQ(KM_ERROR_OK, 229 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 230 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 231 free(formats); 232 233 ASSERT_EQ(KM_ERROR_OK, 234 device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len)); 235 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 236 free(formats); 237 238 ASSERT_EQ(KM_ERROR_OK, 239 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 240 EXPECT_EQ(0U, len); 241 free(formats); 242 243 ASSERT_EQ(KM_ERROR_OK, 244 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 245 EXPECT_EQ(0U, len); 246 free(formats); 247 248 ASSERT_EQ(KM_ERROR_OK, 249 device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 250 EXPECT_EQ(0U, len); 251 free(formats); 252 253 if (GetParam()->expect_keymaster0_calls()) 254 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 255} 256 257class NewKeyGeneration : public Keymaster1Test { 258 protected: 259 void CheckBaseParams() { 260 AuthorizationSet auths = sw_enforced(); 261 EXPECT_GT(auths.SerializedSize(), 12U); 262 263 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 264 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 265 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 266 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 267 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 268 269 // Verify that App ID, App data and ROT are NOT included. 270 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 271 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 272 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 273 274 // Just for giggles, check that some unexpected tags/values are NOT present. 275 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 276 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 277 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 278 279 // Now check that unspecified, defaulted tags are correct. 280 EXPECT_TRUE(contains(auths, TAG_ORIGIN, KM_ORIGIN_GENERATED)); 281 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 282 } 283}; 284INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 285 286TEST_P(NewKeyGeneration, Rsa) { 287 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 288 .RsaSigningKey(256, 3) 289 .Digest(KM_DIGEST_NONE) 290 .Padding(KM_PAD_NONE))); 291 CheckBaseParams(); 292 293 // Check specified tags are all present, and in the right set. 294 AuthorizationSet crypto_params; 295 AuthorizationSet non_crypto_params; 296 if (GetParam()->crypto_params_in_hardware(KM_ALGORITHM_RSA)) { 297 EXPECT_NE(0U, hw_enforced().size()); 298 EXPECT_NE(0U, sw_enforced().size()); 299 crypto_params.push_back(hw_enforced()); 300 non_crypto_params.push_back(sw_enforced()); 301 } else { 302 EXPECT_EQ(0U, hw_enforced().size()); 303 EXPECT_NE(0U, sw_enforced().size()); 304 crypto_params.push_back(sw_enforced()); 305 } 306 307 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 308 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 309 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 310 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 311 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 312 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 313 314 if (GetParam()->expect_keymaster0_calls()) 315 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 316} 317 318TEST_P(NewKeyGeneration, RsaDefaultSize) { 319 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 320 GenerateKey(AuthorizationSetBuilder() 321 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 322 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 323 .SigningKey())); 324 325 if (GetParam()->expect_keymaster0_calls()) 326 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 327} 328 329TEST_P(NewKeyGeneration, Ecdsa) { 330 ASSERT_EQ(KM_ERROR_OK, 331 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 332 CheckBaseParams(); 333 334 // Check specified tags are all present in unenforced characteristics 335 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC)); 336 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 224)); 337 338 if (GetParam()->expect_keymaster0_calls()) 339 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 340} 341 342TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 343 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 344 GenerateKey(AuthorizationSetBuilder() 345 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 346 .SigningKey() 347 .Digest(KM_DIGEST_NONE))); 348 349 if (GetParam()->expect_keymaster0_calls()) 350 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 351} 352 353TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 354 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 355 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 356 357 if (GetParam()->expect_keymaster0_calls()) 358 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 359} 360 361TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 362 size_t valid_sizes[] = {224, 256, 384, 521}; 363 for (size_t size : valid_sizes) { 364 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 365 KM_DIGEST_NONE))) 366 << "Failed to generate size: " 367 << size; 368 } 369 370 if (GetParam()->expect_keymaster0_calls()) 371 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 372} 373 374TEST_P(NewKeyGeneration, HmacSha256) { 375 ASSERT_EQ(KM_ERROR_OK, 376 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 377 378 if (GetParam()->expect_keymaster0_calls()) 379 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 380} 381 382typedef Keymaster1Test GetKeyCharacteristics; 383INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 384 385TEST_P(GetKeyCharacteristics, SimpleRsa) { 386 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 387 .RsaSigningKey(256, 3) 388 .Digest(KM_DIGEST_NONE) 389 .Padding(KM_PAD_NONE))); 390 AuthorizationSet original(sw_enforced()); 391 392 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 393 EXPECT_EQ(original, sw_enforced()); 394 395 if (GetParam()->expect_keymaster0_calls()) 396 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 397} 398 399typedef Keymaster1Test SigningOperationsTest; 400INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 401 402TEST_P(SigningOperationsTest, RsaSuccess) { 403 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 404 .RsaSigningKey(256, 3) 405 .Digest(KM_DIGEST_NONE) 406 .Padding(KM_PAD_NONE))); 407 string message = "12345678901234567890123456789012"; 408 string signature; 409 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 410 411 if (GetParam()->expect_keymaster0_calls()) 412 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 413} 414 415TEST_P(SigningOperationsTest, RsaSha256DigestSuccess) { 416 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 417 .RsaSigningKey(384, 3) 418 .Digest(KM_DIGEST_SHA_2_256) 419 .Padding(KM_PAD_RSA_PSS))); 420 string message(1024, 'a'); 421 string signature; 422 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 423 424 if (GetParam()->expect_keymaster0_calls()) 425 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 426} 427 428TEST_P(SigningOperationsTest, RsaPssSha256Success) { 429 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 430 .RsaSigningKey(512, 3) 431 .Digest(KM_DIGEST_SHA_2_256) 432 .Padding(KM_PAD_RSA_PSS))); 433 // Use large message, which won't work without digesting. 434 string message(1024, 'a'); 435 string signature; 436 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 437 438 if (GetParam()->expect_keymaster0_calls()) 439 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 440} 441 442TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 443 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 444 .RsaSigningKey(512, 3) 445 .Digest(KM_DIGEST_SHA_2_256) 446 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 447 string message(1024, 'a'); 448 string signature; 449 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 450 451 if (GetParam()->expect_keymaster0_calls()) 452 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 453} 454 455TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 456 // Key must be at least 10 bytes larger than hash, to provide minimal random salt, so verify 457 // that 9 bytes larger than hash won't work. 458 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 459 .RsaSigningKey(256 + 9 * 8, 3) 460 .Digest(KM_DIGEST_SHA_2_256) 461 .Padding(KM_PAD_RSA_PSS))); 462 string message(1024, 'a'); 463 string signature; 464 465 AuthorizationSet begin_params(client_params()); 466 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 467 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 468 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 469 470 string result; 471 size_t input_consumed; 472 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 473 EXPECT_EQ(message.size(), input_consumed); 474 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, FinishOperation(signature, &result)); 475 476 if (GetParam()->expect_keymaster0_calls()) 477 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 478} 479 480TEST_P(SigningOperationsTest, RsaAbort) { 481 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 482 .RsaSigningKey(256, 3) 483 .Digest(KM_DIGEST_NONE) 484 .Padding(KM_PAD_NONE))); 485 AuthorizationSet begin_params(client_params()); 486 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 487 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 488 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 489 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 490 // Another abort should fail 491 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 492 493 if (GetParam()->expect_keymaster0_calls()) 494 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 495} 496 497TEST_P(SigningOperationsTest, RsaUnsupportedDigest) { 498 GenerateKey(AuthorizationSetBuilder() 499 .RsaSigningKey(256, 3) 500 .Digest(KM_DIGEST_MD5) 501 .Padding(KM_PAD_RSA_PSS /* supported padding */)); 502 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_SIGN)); 503 504 if (GetParam()->expect_keymaster0_calls()) 505 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 506} 507 508TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 509 GenerateKey(AuthorizationSetBuilder() 510 .RsaSigningKey(256, 3) 511 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 512 .Padding(KM_PAD_PKCS7)); 513 AuthorizationSet begin_params(client_params()); 514 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 515 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 516 517 if (GetParam()->expect_keymaster0_calls()) 518 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 519} 520 521TEST_P(SigningOperationsTest, RsaNoDigest) { 522 // PSS requires a digest. 523 GenerateKey(AuthorizationSetBuilder() 524 .RsaSigningKey(256, 3) 525 .Digest(KM_DIGEST_NONE) 526 .Padding(KM_PAD_RSA_PSS)); 527 AuthorizationSet begin_params(client_params()); 528 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 529 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 530 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 531 532 if (GetParam()->expect_keymaster0_calls()) 533 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 534} 535 536TEST_P(SigningOperationsTest, RsaNoPadding) { 537 // Padding must be specified 538 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 539 KM_DIGEST_NONE))); 540 AuthorizationSet begin_params(client_params()); 541 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 542 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 543 544 if (GetParam()->expect_keymaster0_calls()) 545 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 546} 547 548TEST_P(SigningOperationsTest, RsaTooShortMessage) { 549 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 550 .RsaSigningKey(256, 3) 551 .Digest(KM_DIGEST_NONE) 552 .Padding(KM_PAD_NONE))); 553 AuthorizationSet begin_params(client_params()); 554 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 555 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 556 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 557 558 string message = "1234567890123456789012345678901"; 559 string result; 560 size_t input_consumed; 561 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 562 EXPECT_EQ(0U, result.size()); 563 EXPECT_EQ(31U, input_consumed); 564 565 string signature; 566 ASSERT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&signature)); 567 EXPECT_EQ(0U, signature.length()); 568 569 if (GetParam()->expect_keymaster0_calls()) 570 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 571} 572 573TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 574 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 575 .RsaEncryptionKey(256, 3) 576 .Digest(KM_DIGEST_NONE) 577 .Padding(KM_PAD_NONE))); 578 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 579 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 580 581 if (GetParam()->expect_keymaster0_calls()) 582 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 583} 584 585TEST_P(SigningOperationsTest, EcdsaSuccess) { 586 ASSERT_EQ(KM_ERROR_OK, 587 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 588 string message = "123456789012345678901234567890123456789012345678"; 589 string signature; 590 SignMessage(message, &signature, KM_DIGEST_NONE); 591 592 if (GetParam()->expect_keymaster0_calls()) 593 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 594} 595 596TEST_P(SigningOperationsTest, AesEcbSign) { 597 ASSERT_EQ(KM_ERROR_OK, 598 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 599 TAG_BLOCK_MODE, KM_MODE_ECB))); 600 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 601 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 602 603 if (GetParam()->expect_keymaster0_calls()) 604 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 605} 606 607TEST_P(SigningOperationsTest, HmacSha1Success) { 608 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 609 string message = "12345678901234567890123456789012"; 610 string signature; 611 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 612 ASSERT_EQ(20U, signature.size()); 613 614 if (GetParam()->expect_keymaster0_calls()) 615 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 616} 617 618TEST_P(SigningOperationsTest, HmacSha224Success) { 619 ASSERT_EQ(KM_ERROR_OK, 620 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224))); 621 string message = "12345678901234567890123456789012"; 622 string signature; 623 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 624 ASSERT_EQ(28U, signature.size()); 625 626 if (GetParam()->expect_keymaster0_calls()) 627 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 628} 629 630TEST_P(SigningOperationsTest, HmacSha256Success) { 631 ASSERT_EQ(KM_ERROR_OK, 632 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 633 string message = "12345678901234567890123456789012"; 634 string signature; 635 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 636 ASSERT_EQ(32U, signature.size()); 637 638 if (GetParam()->expect_keymaster0_calls()) 639 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 640} 641 642TEST_P(SigningOperationsTest, HmacSha384Success) { 643 ASSERT_EQ(KM_ERROR_OK, 644 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384))); 645 646 string message = "12345678901234567890123456789012"; 647 string signature; 648 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 649 ASSERT_EQ(48U, signature.size()); 650 651 if (GetParam()->expect_keymaster0_calls()) 652 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 653} 654 655TEST_P(SigningOperationsTest, HmacSha512Success) { 656 ASSERT_EQ(KM_ERROR_OK, 657 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512))); 658 string message = "12345678901234567890123456789012"; 659 string signature; 660 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 661 ASSERT_EQ(64U, signature.size()); 662 663 if (GetParam()->expect_keymaster0_calls()) 664 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 665} 666 667TEST_P(SigningOperationsTest, HmacLengthInKey) { 668 // TODO(swillden): unified API should generate an error on key generation. 669 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 670 .HmacKey(128) 671 .Digest(KM_DIGEST_SHA_2_256) 672 .Authorization(TAG_MAC_LENGTH, 20))); 673 string message = "12345678901234567890123456789012"; 674 string signature; 675 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 240); 676 // Size in key was ignored. 677 ASSERT_EQ(30U, signature.size()); 678 679 if (GetParam()->expect_keymaster0_calls()) 680 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 681} 682 683TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 684 uint8_t key_data[] = { 685 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 686 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 687 }; 688 string message = "Hi There"; 689 uint8_t sha_224_expected[] = { 690 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 691 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 692 }; 693 uint8_t sha_256_expected[] = { 694 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 695 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 696 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 697 }; 698 uint8_t sha_384_expected[] = { 699 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 700 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 701 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 702 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 703 }; 704 uint8_t sha_512_expected[] = { 705 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 706 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 707 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 708 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 709 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 710 }; 711 712 string key = make_string(key_data); 713 714 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 715 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 716 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 717 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 718 719 if (GetParam()->expect_keymaster0_calls()) 720 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 721} 722 723TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 724 string key = "Jefe"; 725 string message = "what do ya want for nothing?"; 726 uint8_t sha_224_expected[] = { 727 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 728 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 729 }; 730 uint8_t sha_256_expected[] = { 731 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 732 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 733 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 734 }; 735 uint8_t sha_384_expected[] = { 736 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 737 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 738 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 739 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 740 }; 741 uint8_t sha_512_expected[] = { 742 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 743 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 744 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 745 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 746 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 747 }; 748 749 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 750 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 751 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 752 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 753 754 if (GetParam()->expect_keymaster0_calls()) 755 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 756} 757 758TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 759 string key(20, 0xaa); 760 string message(50, 0xdd); 761 uint8_t sha_224_expected[] = { 762 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 763 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 764 }; 765 uint8_t sha_256_expected[] = { 766 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 767 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 768 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 769 }; 770 uint8_t sha_384_expected[] = { 771 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 772 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 773 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 774 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 775 }; 776 uint8_t sha_512_expected[] = { 777 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 778 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 779 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 780 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 781 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 782 }; 783 784 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 785 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 786 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 787 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 788 789 if (GetParam()->expect_keymaster0_calls()) 790 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 791} 792 793TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 794 uint8_t key_data[25] = { 795 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 796 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 797 }; 798 string key = make_string(key_data); 799 string message(50, 0xcd); 800 uint8_t sha_224_expected[] = { 801 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 802 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 803 }; 804 uint8_t sha_256_expected[] = { 805 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 806 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 807 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 808 }; 809 uint8_t sha_384_expected[] = { 810 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 811 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 812 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 813 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 814 }; 815 uint8_t sha_512_expected[] = { 816 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 817 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 818 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 819 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 820 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 821 }; 822 823 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 824 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 825 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 826 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 827 828 if (GetParam()->expect_keymaster0_calls()) 829 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 830} 831 832TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 833 string key(20, 0x0c); 834 string message = "Test With Truncation"; 835 836 uint8_t sha_224_expected[] = { 837 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 838 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 839 }; 840 uint8_t sha_256_expected[] = { 841 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 842 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 843 }; 844 uint8_t sha_384_expected[] = { 845 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 846 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 847 }; 848 uint8_t sha_512_expected[] = { 849 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 850 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 851 }; 852 853 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 854 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 855 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 856 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 857 858 if (GetParam()->expect_keymaster0_calls()) 859 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 860} 861 862TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 863 string key(131, 0xaa); 864 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 865 866 uint8_t sha_224_expected[] = { 867 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 868 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 869 }; 870 uint8_t sha_256_expected[] = { 871 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 872 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 873 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 874 }; 875 uint8_t sha_384_expected[] = { 876 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 877 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 878 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 879 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 880 }; 881 uint8_t sha_512_expected[] = { 882 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 883 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 884 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 885 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 886 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 887 }; 888 889 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 890 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 891 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 892 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 893 894 if (GetParam()->expect_keymaster0_calls()) 895 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 896} 897 898TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 899 string key(131, 0xaa); 900 string message = "This is a test using a larger than block-size key and a larger than " 901 "block-size data. The key needs to be hashed before being used by the HMAC " 902 "algorithm."; 903 904 uint8_t sha_224_expected[] = { 905 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 906 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 907 }; 908 uint8_t sha_256_expected[] = { 909 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 910 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 911 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 912 }; 913 uint8_t sha_384_expected[] = { 914 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 915 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 916 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 917 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 918 }; 919 uint8_t sha_512_expected[] = { 920 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 921 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 922 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 923 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 924 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 925 }; 926 927 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 928 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 929 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 930 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 931 932 if (GetParam()->expect_keymaster0_calls()) 933 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 934} 935 936TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 937 ASSERT_EQ(KM_ERROR_OK, 938 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 939 AuthorizationSet begin_params(client_params()); 940 begin_params.push_back(TAG_MAC_LENGTH, 264); 941 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 942 ASSERT_EQ(KM_ERROR_OK, 943 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 944 string message = "1234567890123456789012345678901"; 945 string result; 946 size_t input_consumed; 947 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 948 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, FinishOperation(&result)); 949 950 if (GetParam()->expect_keymaster0_calls()) 951 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 952} 953 954// TODO(swillden): Add more verification failure tests. 955 956typedef Keymaster1Test VerificationOperationsTest; 957INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 958 959TEST_P(VerificationOperationsTest, RsaSuccess) { 960 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 961 .RsaSigningKey(256, 3) 962 .Digest(KM_DIGEST_NONE) 963 .Padding(KM_PAD_NONE))); 964 string message = "12345678901234567890123456789012"; 965 string signature; 966 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 967 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 968 969 if (GetParam()->expect_keymaster0_calls()) 970 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 971} 972 973TEST_P(VerificationOperationsTest, RsaSha256DigestSuccess) { 974 GenerateKey(AuthorizationSetBuilder() 975 .RsaSigningKey(384, 3) 976 .Digest(KM_DIGEST_SHA_2_256) 977 .Padding(KM_PAD_RSA_PSS)); 978 string message(1024, 'a'); 979 string signature; 980 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 981 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 982 983 if (GetParam()->expect_keymaster0_calls()) 984 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 985} 986 987TEST_P(VerificationOperationsTest, RsaSha256CorruptSignature) { 988 GenerateKey(AuthorizationSetBuilder() 989 .RsaSigningKey(384, 3) 990 .Digest(KM_DIGEST_SHA_2_256) 991 .Padding(KM_PAD_RSA_PSS)); 992 string message(1024, 'a'); 993 string signature; 994 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 995 ++signature[signature.size() / 2]; 996 997 AuthorizationSet begin_params(client_params()); 998 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 999 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1000 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1001 1002 string result; 1003 size_t input_consumed; 1004 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1005 EXPECT_EQ(message.size(), input_consumed); 1006 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1007 1008 if (GetParam()->expect_keymaster0_calls()) 1009 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1010} 1011 1012TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1013 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1014 .RsaSigningKey(512, 3) 1015 .Digest(KM_DIGEST_SHA_2_256) 1016 .Padding(KM_PAD_RSA_PSS))); 1017 // Use large message, which won't work without digesting. 1018 string message(1024, 'a'); 1019 string signature; 1020 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1021 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1022 1023 if (GetParam()->expect_keymaster0_calls()) 1024 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1025} 1026 1027TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1028 GenerateKey(AuthorizationSetBuilder() 1029 .RsaSigningKey(512, 3) 1030 .Digest(KM_DIGEST_SHA_2_256) 1031 .Padding(KM_PAD_RSA_PSS)); 1032 string message(1024, 'a'); 1033 string signature; 1034 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1035 ++signature[signature.size() / 2]; 1036 1037 AuthorizationSet begin_params(client_params()); 1038 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1039 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1040 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1041 1042 string result; 1043 size_t input_consumed; 1044 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1045 EXPECT_EQ(message.size(), input_consumed); 1046 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1047 1048 if (GetParam()->expect_keymaster0_calls()) 1049 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1050} 1051 1052TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1053 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1054 .RsaSigningKey(512, 3) 1055 .Digest(KM_DIGEST_SHA_2_256) 1056 .Padding(KM_PAD_RSA_PSS))); 1057 // Use large message, which won't work without digesting. 1058 string message(1024, 'a'); 1059 string signature; 1060 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1061 ++message[message.size() / 2]; 1062 1063 AuthorizationSet begin_params(client_params()); 1064 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1065 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1066 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1067 1068 string result; 1069 size_t input_consumed; 1070 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1071 EXPECT_EQ(message.size(), input_consumed); 1072 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1073 1074 if (GetParam()->expect_keymaster0_calls()) 1075 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1076} 1077 1078TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1079 GenerateKey(AuthorizationSetBuilder() 1080 .RsaSigningKey(512, 3) 1081 .Digest(KM_DIGEST_SHA_2_256) 1082 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1083 string message(1024, 'a'); 1084 string signature; 1085 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1086 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1087 1088 if (GetParam()->expect_keymaster0_calls()) 1089 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1090} 1091 1092TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1093 GenerateKey(AuthorizationSetBuilder() 1094 .RsaSigningKey(512, 3) 1095 .Digest(KM_DIGEST_SHA_2_256) 1096 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1097 string message(1024, 'a'); 1098 string signature; 1099 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1100 ++signature[signature.size() / 2]; 1101 1102 AuthorizationSet begin_params(client_params()); 1103 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1104 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1105 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1106 1107 string result; 1108 size_t input_consumed; 1109 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1110 EXPECT_EQ(message.size(), input_consumed); 1111 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1112 1113 if (GetParam()->expect_keymaster0_calls()) 1114 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1115} 1116 1117TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1118 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1119 .RsaSigningKey(512, 3) 1120 .Digest(KM_DIGEST_SHA_2_256) 1121 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1122 // Use large message, which won't work without digesting. 1123 string message(1024, 'a'); 1124 string signature; 1125 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1126 ++message[message.size() / 2]; 1127 1128 AuthorizationSet begin_params(client_params()); 1129 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1130 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1131 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1132 1133 string result; 1134 size_t input_consumed; 1135 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1136 EXPECT_EQ(message.size(), input_consumed); 1137 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1138 1139 if (GetParam()->expect_keymaster0_calls()) 1140 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1141} 1142 1143template <typename T> vector<T> make_vector(const T* array, size_t len) { 1144 return vector<T>(array, array + len); 1145} 1146 1147TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1148 // Get all supported digests and padding modes. 1149 size_t digests_len; 1150 keymaster_digest_t* digests; 1151 ASSERT_EQ(KM_ERROR_OK, 1152 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, &digests, 1153 &digests_len)); 1154 1155 size_t padding_modes_len; 1156 keymaster_padding_t* padding_modes; 1157 ASSERT_EQ(KM_ERROR_OK, 1158 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, 1159 &padding_modes, &padding_modes_len)); 1160 1161 // Try them. 1162 for (keymaster_padding_t padding_mode : make_vector(padding_modes, padding_modes_len)) { 1163 for (keymaster_digest_t digest : make_vector(digests, digests_len)) { 1164 // Compute key & message size that will work. 1165 size_t key_bits = 256; 1166 size_t message_len = 1000; 1167 switch (digest) { 1168 case KM_DIGEST_NONE: 1169 switch (padding_mode) { 1170 case KM_PAD_NONE: 1171 // Match key size. 1172 message_len = key_bits / 8; 1173 break; 1174 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1175 message_len = key_bits / 8 - 11; 1176 break; 1177 case KM_PAD_RSA_PSS: 1178 // PSS requires a digest. 1179 continue; 1180 default: 1181 FAIL() << "Missing padding"; 1182 break; 1183 } 1184 break; 1185 1186 case KM_DIGEST_SHA_2_256: 1187 switch (padding_mode) { 1188 case KM_PAD_NONE: 1189 // Digesting requires padding 1190 continue; 1191 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1192 key_bits += 8 * 11; 1193 break; 1194 case KM_PAD_RSA_PSS: 1195 key_bits += 8 * 10; 1196 break; 1197 default: 1198 FAIL() << "Missing padding"; 1199 break; 1200 } 1201 break; 1202 default: 1203 FAIL() << "Missing digest"; 1204 } 1205 1206 GenerateKey(AuthorizationSetBuilder() 1207 .RsaSigningKey(key_bits, 3) 1208 .Digest(digest) 1209 .Padding(padding_mode)); 1210 string message(message_len, 'a'); 1211 string signature; 1212 SignMessage(message, &signature, digest, padding_mode); 1213 VerifyMessage(message, signature, digest, padding_mode); 1214 } 1215 } 1216 1217 free(padding_modes); 1218 free(digests); 1219 1220 if (GetParam()->expect_keymaster0_calls()) 1221 EXPECT_EQ(16, GetParam()->keymaster0_calls()); 1222} 1223 1224TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1225 ASSERT_EQ(KM_ERROR_OK, 1226 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1227 string message = "123456789012345678901234567890123456789012345678"; 1228 string signature; 1229 SignMessage(message, &signature, KM_DIGEST_NONE); 1230 VerifyMessage(message, signature, KM_DIGEST_NONE); 1231 1232 if (GetParam()->expect_keymaster0_calls()) 1233 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1234} 1235 1236TEST_P(VerificationOperationsTest, HmacSha1Success) { 1237 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 1238 string message = "123456789012345678901234567890123456789012345678"; 1239 string signature; 1240 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 1241 VerifyMessage(message, signature, KM_DIGEST_SHA1); 1242 1243 if (GetParam()->expect_keymaster0_calls()) 1244 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1245} 1246 1247TEST_P(VerificationOperationsTest, HmacSha224Success) { 1248 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224)); 1249 string message = "123456789012345678901234567890123456789012345678"; 1250 string signature; 1251 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 1252 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); 1253 1254 if (GetParam()->expect_keymaster0_calls()) 1255 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1256} 1257 1258TEST_P(VerificationOperationsTest, HmacSha256Success) { 1259 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256)); 1260 string message = "123456789012345678901234567890123456789012345678"; 1261 string signature; 1262 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 1263 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1264 1265 if (GetParam()->expect_keymaster0_calls()) 1266 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1267} 1268 1269TEST_P(VerificationOperationsTest, HmacSha384Success) { 1270 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384)); 1271 string message = "123456789012345678901234567890123456789012345678"; 1272 string signature; 1273 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 1274 VerifyMessage(message, signature, KM_DIGEST_SHA_2_384); 1275 1276 if (GetParam()->expect_keymaster0_calls()) 1277 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1278} 1279 1280TEST_P(VerificationOperationsTest, HmacSha512Success) { 1281 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512)); 1282 string message = "123456789012345678901234567890123456789012345678"; 1283 string signature; 1284 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 1285 VerifyMessage(message, signature, KM_DIGEST_SHA_2_512); 1286 1287 if (GetParam()->expect_keymaster0_calls()) 1288 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1289} 1290 1291typedef Keymaster1Test ExportKeyTest; 1292INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1293 1294TEST_P(ExportKeyTest, RsaSuccess) { 1295 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1296 .RsaSigningKey(256, 3) 1297 .Digest(KM_DIGEST_NONE) 1298 .Padding(KM_PAD_NONE))); 1299 string export_data; 1300 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1301 EXPECT_GT(export_data.length(), 0U); 1302 1303 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1304 1305 if (GetParam()->expect_keymaster0_calls()) 1306 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1307} 1308 1309TEST_P(ExportKeyTest, EcdsaSuccess) { 1310 ASSERT_EQ(KM_ERROR_OK, 1311 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1312 string export_data; 1313 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1314 EXPECT_GT(export_data.length(), 0U); 1315 1316 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1317 1318 if (GetParam()->expect_keymaster0_calls()) 1319 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1320} 1321 1322TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1323 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1324 .RsaSigningKey(256, 3) 1325 .Digest(KM_DIGEST_NONE) 1326 .Padding(KM_PAD_NONE))); 1327 string export_data; 1328 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1329 1330 if (GetParam()->expect_keymaster0_calls()) 1331 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1332} 1333 1334TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1335 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1336 .RsaSigningKey(256, 3) 1337 .Digest(KM_DIGEST_NONE) 1338 .Padding(KM_PAD_NONE))); 1339 corrupt_key_blob(); 1340 string export_data; 1341 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1342 1343 if (GetParam()->expect_keymaster0_calls()) 1344 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1345} 1346 1347TEST_P(ExportKeyTest, AesKeyExportFails) { 1348 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1349 string export_data; 1350 1351 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1352 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1353 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1354 1355 if (GetParam()->expect_keymaster0_calls()) 1356 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1357} 1358 1359static string read_file(const string& file_name) { 1360 ifstream file_stream(file_name, std::ios::binary); 1361 istreambuf_iterator<char> file_begin(file_stream); 1362 istreambuf_iterator<char> file_end; 1363 return string(file_begin, file_end); 1364} 1365 1366typedef Keymaster1Test ImportKeyTest; 1367INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1368 1369TEST_P(ImportKeyTest, RsaSuccess) { 1370 string pk8_key = read_file("rsa_privkey_pk8.der"); 1371 ASSERT_EQ(633U, pk8_key.size()); 1372 1373 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1374 .RsaSigningKey(1024, 65537) 1375 .Digest(KM_DIGEST_NONE) 1376 .Padding(KM_PAD_NONE), 1377 KM_KEY_FORMAT_PKCS8, pk8_key)); 1378 1379 // Check values derived from the key. 1380 EXPECT_TRUE(contains(GetParam()->crypto_params_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1381 : sw_enforced(), 1382 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1383 EXPECT_TRUE(contains(GetParam()->crypto_params_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1384 : sw_enforced(), 1385 TAG_KEY_SIZE, 1024)); 1386 EXPECT_TRUE(contains(GetParam()->crypto_params_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1387 : sw_enforced(), 1388 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1389 1390 // And values provided by AndroidKeymaster 1391 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1392 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1393 1394 string message(1024 / 8, 'a'); 1395 string signature; 1396 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1397 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1398 1399 if (GetParam()->expect_keymaster0_calls()) 1400 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1401} 1402 1403TEST_P(ImportKeyTest, OldApiRsaSuccess) { 1404 string pk8_key = read_file("rsa_privkey_pk8.der"); 1405 ASSERT_EQ(633U, pk8_key.size()); 1406 1407 // NOTE: This will break when the keymaster0 APIs are removed from keymaster1. But at that 1408 // point softkeymaster will no longer support keymaster0 APIs anyway. 1409 uint8_t* key_blob; 1410 size_t key_blob_length; 1411 ASSERT_EQ(0, 1412 device()->import_keypair(device(), reinterpret_cast<const uint8_t*>(pk8_key.data()), 1413 pk8_key.size(), &key_blob, &key_blob_length)); 1414 set_key_blob(key_blob, key_blob_length); 1415 1416 string message(1024 / 8, 'a'); 1417 AuthorizationSet begin_params; // Don't use client data. 1418 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1419 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1420 AuthorizationSet update_params; 1421 AuthorizationSet output_params; 1422 string signature = 1423 ProcessMessage(KM_PURPOSE_SIGN, message, begin_params, update_params, &output_params); 1424 ProcessMessage(KM_PURPOSE_VERIFY, message, signature, begin_params, update_params, 1425 &output_params); 1426 1427 if (GetParam()->expect_keymaster0_calls()) 1428 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1429} 1430 1431TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1432 string pk8_key = read_file("rsa_privkey_pk8.der"); 1433 ASSERT_EQ(633U, pk8_key.size()); 1434 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1435 ImportKey(AuthorizationSetBuilder() 1436 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1437 .Digest(KM_DIGEST_NONE) 1438 .Padding(KM_PAD_NONE), 1439 KM_KEY_FORMAT_PKCS8, pk8_key)); 1440 1441 if (GetParam()->expect_keymaster0_calls()) 1442 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1443} 1444 1445TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1446 string pk8_key = read_file("rsa_privkey_pk8.der"); 1447 ASSERT_EQ(633U, pk8_key.size()); 1448 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1449 ImportKey(AuthorizationSetBuilder() 1450 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1451 .Digest(KM_DIGEST_NONE) 1452 .Padding(KM_PAD_NONE), 1453 KM_KEY_FORMAT_PKCS8, pk8_key)); 1454 1455 if (GetParam()->expect_keymaster0_calls()) 1456 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1457} 1458 1459TEST_P(ImportKeyTest, EcdsaSuccess) { 1460 string pk8_key = read_file("ec_privkey_pk8.der"); 1461 ASSERT_EQ(138U, pk8_key.size()); 1462 1463 ASSERT_EQ(KM_ERROR_OK, 1464 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1465 KM_KEY_FORMAT_PKCS8, pk8_key)); 1466 1467 // Check values derived from the key. 1468 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC)); 1469 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 256)); 1470 1471 // And values provided by AndroidKeymaster 1472 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1473 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1474 1475 string message(1024 / 8, 'a'); 1476 string signature; 1477 SignMessage(message, &signature, KM_DIGEST_NONE); 1478 VerifyMessage(message, signature, KM_DIGEST_NONE); 1479 1480 if (GetParam()->expect_keymaster0_calls()) 1481 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1482} 1483 1484TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1485 string pk8_key = read_file("ec_privkey_pk8.der"); 1486 ASSERT_EQ(138U, pk8_key.size()); 1487 1488 ASSERT_EQ(KM_ERROR_OK, 1489 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1490 KM_KEY_FORMAT_PKCS8, pk8_key)); 1491 1492 // Check values derived from the key. 1493 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC)); 1494 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 256)); 1495 1496 // And values provided by AndroidKeymaster 1497 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1498 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1499 1500 string message(1024 / 8, 'a'); 1501 string signature; 1502 SignMessage(message, &signature, KM_DIGEST_NONE); 1503 VerifyMessage(message, signature, KM_DIGEST_NONE); 1504 1505 if (GetParam()->expect_keymaster0_calls()) 1506 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1507} 1508 1509TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1510 string pk8_key = read_file("ec_privkey_pk8.der"); 1511 ASSERT_EQ(138U, pk8_key.size()); 1512 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1513 ImportKey(AuthorizationSetBuilder() 1514 .EcdsaSigningKey(224 /* Doesn't match key */) 1515 .Digest(KM_DIGEST_NONE), 1516 KM_KEY_FORMAT_PKCS8, pk8_key)); 1517 1518 if (GetParam()->expect_keymaster0_calls()) 1519 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1520} 1521 1522TEST_P(ImportKeyTest, AesKeySuccess) { 1523 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1524 string key(key_data, sizeof(key_data)); 1525 ASSERT_EQ(KM_ERROR_OK, 1526 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1527 TAG_PADDING, KM_PAD_PKCS7), 1528 KM_KEY_FORMAT_RAW, key)); 1529 1530 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1531 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1532 1533 string message = "Hello World!"; 1534 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1535 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1536 EXPECT_EQ(message, plaintext); 1537 1538 if (GetParam()->expect_keymaster0_calls()) 1539 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1540} 1541 1542TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1543 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1544 string key(key_data, sizeof(key_data)); 1545 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1546 .HmacKey(sizeof(key_data) * 8) 1547 .Digest(KM_DIGEST_SHA_2_256) 1548 .Authorization(TAG_MAC_LENGTH, 32), 1549 KM_KEY_FORMAT_RAW, key)); 1550 1551 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1552 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1553 1554 string message = "Hello World!"; 1555 string signature; 1556 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 32); 1557 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1558 1559 if (GetParam()->expect_keymaster0_calls()) 1560 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1561} 1562 1563typedef Keymaster1Test EncryptionOperationsTest; 1564INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1565 1566TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 1567 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1568 KM_PAD_RSA_OAEP))); 1569 1570 string message = "Hello World!"; 1571 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1572 EXPECT_EQ(512U / 8, ciphertext1.size()); 1573 1574 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1575 EXPECT_EQ(512U / 8, ciphertext2.size()); 1576 1577 // OAEP randomizes padding so every result should be different. 1578 EXPECT_NE(ciphertext1, ciphertext2); 1579 1580 if (GetParam()->expect_keymaster0_calls()) 1581 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1582} 1583 1584TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 1585 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1586 KM_PAD_RSA_OAEP))); 1587 string message = "Hello World!"; 1588 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1589 EXPECT_EQ(512U / 8, ciphertext.size()); 1590 1591 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_OAEP); 1592 EXPECT_EQ(message, plaintext); 1593 1594 if (GetParam()->expect_keymaster0_calls()) 1595 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1596} 1597 1598TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 1599 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1600 KM_PAD_RSA_OAEP))); 1601 string message = "12345678901234567890123"; 1602 string result; 1603 size_t input_consumed; 1604 1605 AuthorizationSet begin_params(client_params()); 1606 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1607 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1608 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1609 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1610 EXPECT_EQ(0U, result.size()); 1611 1612 if (GetParam()->expect_keymaster0_calls()) 1613 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1614} 1615 1616TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 1617 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1618 KM_PAD_RSA_OAEP))); 1619 string message = "Hello World!"; 1620 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1621 EXPECT_EQ(512U / 8, ciphertext.size()); 1622 1623 // Corrupt the ciphertext 1624 ciphertext[512 / 8 / 2]++; 1625 1626 string result; 1627 size_t input_consumed; 1628 AuthorizationSet begin_params(client_params()); 1629 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1630 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1631 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 1632 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 1633 EXPECT_EQ(0U, result.size()); 1634 1635 if (GetParam()->expect_keymaster0_calls()) 1636 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1637} 1638 1639TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 1640 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1641 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1642 string message = "Hello World!"; 1643 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1644 EXPECT_EQ(512U / 8, ciphertext1.size()); 1645 1646 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1647 EXPECT_EQ(512U / 8, ciphertext2.size()); 1648 1649 // PKCS1 v1.5 randomizes padding so every result should be different. 1650 EXPECT_NE(ciphertext1, ciphertext2); 1651 1652 if (GetParam()->expect_keymaster0_calls()) 1653 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1654} 1655 1656TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 1657 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1658 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1659 string message = "Hello World!"; 1660 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1661 EXPECT_EQ(512U / 8, ciphertext.size()); 1662 1663 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1664 EXPECT_EQ(message, plaintext); 1665 1666 if (GetParam()->expect_keymaster0_calls()) 1667 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1668} 1669 1670TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 1671 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1672 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1673 string message = "123456789012345678901234567890123456789012345678901234"; 1674 string result; 1675 size_t input_consumed; 1676 1677 AuthorizationSet begin_params(client_params()); 1678 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1679 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1680 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1681 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1682 EXPECT_EQ(0U, result.size()); 1683 1684 if (GetParam()->expect_keymaster0_calls()) 1685 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1686} 1687 1688TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 1689 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1690 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1691 string message = "Hello World!"; 1692 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1693 EXPECT_EQ(512U / 8, ciphertext.size()); 1694 1695 // Corrupt the ciphertext 1696 ciphertext[512 / 8 / 2]++; 1697 1698 string result; 1699 size_t input_consumed; 1700 AuthorizationSet begin_params(client_params()); 1701 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1702 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1703 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 1704 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 1705 EXPECT_EQ(0U, result.size()); 1706 1707 if (GetParam()->expect_keymaster0_calls()) 1708 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1709} 1710 1711TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 1712 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1713 .RsaSigningKey(256, 3) 1714 .Digest(KM_DIGEST_NONE) 1715 .Padding(KM_PAD_NONE))); 1716 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1717 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1718 1719 if (GetParam()->expect_keymaster0_calls()) 1720 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1721} 1722 1723TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 1724 ASSERT_EQ(KM_ERROR_OK, 1725 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1726 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1727 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1728 1729 if (GetParam()->expect_keymaster0_calls()) 1730 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1731} 1732 1733TEST_P(EncryptionOperationsTest, HmacEncrypt) { 1734 ASSERT_EQ( 1735 KM_ERROR_OK, 1736 GenerateKey( 1737 AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_NONE).Padding(KM_PAD_NONE))); 1738 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1739 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1740 1741 if (GetParam()->expect_keymaster0_calls()) 1742 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1743} 1744 1745TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 1746 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1747 .AesEncryptionKey(128) 1748 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1749 .Padding(KM_PAD_NONE))); 1750 // Two-block message. 1751 string message = "12345678901234567890123456789012"; 1752 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 1753 EXPECT_EQ(message.size(), ciphertext1.size()); 1754 1755 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 1756 EXPECT_EQ(message.size(), ciphertext2.size()); 1757 1758 // ECB is deterministic. 1759 EXPECT_EQ(ciphertext1, ciphertext2); 1760 1761 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 1762 EXPECT_EQ(message, plaintext); 1763 1764 if (GetParam()->expect_keymaster0_calls()) 1765 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1766} 1767 1768TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 1769 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1770 .AesEncryptionKey(128) 1771 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1772 .Padding(KM_PAD_NONE))); 1773 // Message is slightly shorter than two blocks. 1774 string message = "1234567890123456789012345678901"; 1775 1776 AuthorizationSet begin_params(client_params()); 1777 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 1778 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1779 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1780 string ciphertext; 1781 size_t input_consumed; 1782 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 1783 EXPECT_EQ(message.size(), input_consumed); 1784 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 1785 1786 if (GetParam()->expect_keymaster0_calls()) 1787 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1788} 1789 1790TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 1791 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1792 .AesEncryptionKey(128) 1793 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1794 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 1795 1796 // Try various message lengths; all should work. 1797 for (size_t i = 0; i < 32; ++i) { 1798 string message(i, 'a'); 1799 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1800 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 1801 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1802 EXPECT_EQ(message, plaintext); 1803 } 1804 1805 if (GetParam()->expect_keymaster0_calls()) 1806 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1807} 1808 1809TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 1810 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1811 .AesEncryptionKey(128) 1812 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1813 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 1814 1815 string message = "a"; 1816 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1817 EXPECT_EQ(16U, ciphertext.size()); 1818 EXPECT_NE(ciphertext, message); 1819 ++ciphertext[ciphertext.size() / 2]; 1820 1821 AuthorizationSet begin_params(client_params()); 1822 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 1823 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 1824 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1825 string plaintext; 1826 size_t input_consumed; 1827 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 1828 EXPECT_EQ(ciphertext.size(), input_consumed); 1829 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 1830 1831 if (GetParam()->expect_keymaster0_calls()) 1832 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1833} 1834 1835TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 1836 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1837 .AesEncryptionKey(128) 1838 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1839 .Padding(KM_PAD_NONE))); 1840 string message = "123"; 1841 string iv1; 1842 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 1843 EXPECT_EQ(message.size(), ciphertext1.size()); 1844 EXPECT_EQ(16U, iv1.size()); 1845 1846 string iv2; 1847 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 1848 EXPECT_EQ(message.size(), ciphertext2.size()); 1849 EXPECT_EQ(16U, iv2.size()); 1850 1851 // IVs should be random, so ciphertexts should differ. 1852 EXPECT_NE(iv1, iv2); 1853 EXPECT_NE(ciphertext1, ciphertext2); 1854 1855 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 1856 EXPECT_EQ(message, plaintext); 1857 1858 if (GetParam()->expect_keymaster0_calls()) 1859 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1860} 1861 1862TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 1863 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1864 .AesEncryptionKey(128) 1865 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1866 .Padding(KM_PAD_NONE))); 1867 1868 int increment = 15; 1869 string message(239, 'a'); 1870 AuthorizationSet input_params(client_params()); 1871 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1872 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 1873 AuthorizationSet output_params; 1874 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 1875 1876 string ciphertext; 1877 size_t input_consumed; 1878 for (size_t i = 0; i < message.size(); i += increment) 1879 EXPECT_EQ(KM_ERROR_OK, 1880 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 1881 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 1882 EXPECT_EQ(message.size(), ciphertext.size()); 1883 1884 // Move TAG_NONCE into input_params 1885 input_params.Reinitialize(output_params); 1886 input_params.push_back(client_params()); 1887 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1888 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 1889 output_params.Clear(); 1890 1891 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 1892 string plaintext; 1893 for (size_t i = 0; i < ciphertext.size(); i += increment) 1894 EXPECT_EQ(KM_ERROR_OK, 1895 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 1896 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 1897 EXPECT_EQ(ciphertext.size(), plaintext.size()); 1898 EXPECT_EQ(message, plaintext); 1899 1900 if (GetParam()->expect_keymaster0_calls()) 1901 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1902} 1903 1904struct AesCtrSp80038aTestVector { 1905 const char* key; 1906 const char* nonce; 1907 const char* plaintext; 1908 const char* ciphertext; 1909}; 1910 1911// These test vectors are taken from 1912// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 1913static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 1914 // AES-128 1915 { 1916 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1917 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 1918 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 1919 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 1920 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 1921 }, 1922 // AES-192 1923 { 1924 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1925 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 1926 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 1927 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 1928 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 1929 }, 1930 // AES-256 1931 { 1932 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 1933 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1934 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 1935 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 1936 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 1937 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 1938 }, 1939}; 1940 1941TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 1942 for (size_t i = 0; i < 3; i++) { 1943 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 1944 const string key = hex2str(test.key); 1945 const string nonce = hex2str(test.nonce); 1946 const string plaintext = hex2str(test.plaintext); 1947 const string ciphertext = hex2str(test.ciphertext); 1948 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 1949 } 1950 1951 if (GetParam()->expect_keymaster0_calls()) 1952 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1953} 1954 1955TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 1956 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1957 .AesEncryptionKey(128) 1958 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1959 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 1960 AuthorizationSet begin_params(client_params()); 1961 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1962 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1963 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1964 1965 if (GetParam()->expect_keymaster0_calls()) 1966 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1967} 1968 1969TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 1970 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1971 .AesEncryptionKey(128) 1972 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1973 .Authorization(TAG_CALLER_NONCE) 1974 .Padding(KM_PAD_NONE))); 1975 1976 AuthorizationSet input_params(client_params()); 1977 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1978 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 1979 input_params.push_back(TAG_NONCE, "123", 3); 1980 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 1981 1982 if (GetParam()->expect_keymaster0_calls()) 1983 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1984} 1985 1986TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 1987 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1988 .AesEncryptionKey(128) 1989 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 1990 .Padding(KM_PAD_NONE))); 1991 // Two-block message. 1992 string message = "12345678901234567890123456789012"; 1993 string iv1; 1994 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 1995 EXPECT_EQ(message.size(), ciphertext1.size()); 1996 1997 string iv2; 1998 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 1999 EXPECT_EQ(message.size(), ciphertext2.size()); 2000 2001 // IVs should be random, so ciphertexts should differ. 2002 EXPECT_NE(iv1, iv2); 2003 EXPECT_NE(ciphertext1, ciphertext2); 2004 2005 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2006 EXPECT_EQ(message, plaintext); 2007 2008 if (GetParam()->expect_keymaster0_calls()) 2009 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2010} 2011 2012TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2013 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2014 .AesEncryptionKey(128) 2015 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2016 .Authorization(TAG_CALLER_NONCE) 2017 .Padding(KM_PAD_NONE))); 2018 string message = "12345678901234567890123456789012"; 2019 string iv1; 2020 // Don't specify nonce, should get a random one. 2021 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2022 EXPECT_EQ(message.size(), ciphertext1.size()); 2023 EXPECT_EQ(16U, iv1.size()); 2024 2025 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2026 EXPECT_EQ(message, plaintext); 2027 2028 // Now specify a nonce, should also work. 2029 AuthorizationSet input_params(client_params()); 2030 AuthorizationSet update_params; 2031 AuthorizationSet output_params; 2032 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2033 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2034 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2035 string ciphertext2 = 2036 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2037 2038 // Decrypt with correct nonce. 2039 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2040 &output_params); 2041 EXPECT_EQ(message, plaintext); 2042 2043 // Now try with wrong nonce. 2044 input_params.Reinitialize(client_params()); 2045 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2046 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2047 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2048 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2049 &output_params); 2050 EXPECT_NE(message, plaintext); 2051 2052 if (GetParam()->expect_keymaster0_calls()) 2053 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2054} 2055 2056TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2057 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2058 .AesEncryptionKey(128) 2059 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2060 .Padding(KM_PAD_NONE))); 2061 2062 string message = "12345678901234567890123456789012"; 2063 string iv1; 2064 // Don't specify nonce, should get a random one. 2065 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2066 EXPECT_EQ(message.size(), ciphertext1.size()); 2067 EXPECT_EQ(16U, iv1.size()); 2068 2069 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2070 EXPECT_EQ(message, plaintext); 2071 2072 // Now specify a nonce, should fail. 2073 AuthorizationSet input_params(client_params()); 2074 AuthorizationSet update_params; 2075 AuthorizationSet output_params; 2076 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2077 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2078 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2079 2080 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2081 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2082 2083 if (GetParam()->expect_keymaster0_calls()) 2084 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2085} 2086 2087TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2088 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2089 .AesEncryptionKey(128) 2090 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2091 .Padding(KM_PAD_NONE))); 2092 2093 int increment = 15; 2094 string message(240, 'a'); 2095 AuthorizationSet input_params(client_params()); 2096 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2097 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2098 AuthorizationSet output_params; 2099 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2100 2101 string ciphertext; 2102 size_t input_consumed; 2103 for (size_t i = 0; i < message.size(); i += increment) 2104 EXPECT_EQ(KM_ERROR_OK, 2105 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2106 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2107 EXPECT_EQ(message.size(), ciphertext.size()); 2108 2109 // Move TAG_NONCE into input_params 2110 input_params.Reinitialize(output_params); 2111 input_params.push_back(client_params()); 2112 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2113 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2114 output_params.Clear(); 2115 2116 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2117 string plaintext; 2118 for (size_t i = 0; i < ciphertext.size(); i += increment) 2119 EXPECT_EQ(KM_ERROR_OK, 2120 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2121 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2122 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2123 EXPECT_EQ(message, plaintext); 2124 2125 if (GetParam()->expect_keymaster0_calls()) 2126 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2127} 2128 2129TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2130 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2131 .AesEncryptionKey(128) 2132 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2133 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2134 2135 // Try various message lengths; all should work. 2136 for (size_t i = 0; i < 32; ++i) { 2137 string message(i, 'a'); 2138 string iv; 2139 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2140 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2141 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2142 EXPECT_EQ(message, plaintext); 2143 } 2144 2145 if (GetParam()->expect_keymaster0_calls()) 2146 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2147} 2148 2149typedef Keymaster1Test AddEntropyTest; 2150INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 2151 2152TEST_P(AddEntropyTest, AddEntropy) { 2153 // There's no obvious way to test that entropy is actually added, but we can test that the API 2154 // doesn't blow up or return an error. 2155 EXPECT_EQ(KM_ERROR_OK, 2156 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 2157 2158 if (GetParam()->expect_keymaster0_calls()) 2159 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2160} 2161 2162typedef Keymaster1Test Keymaster0AdapterTest; 2163INSTANTIATE_TEST_CASE_P( 2164 AndroidKeymasterTest, Keymaster0AdapterTest, 2165 ::testing::Values(InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator))); 2166 2167TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1Blob) { 2168 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 2169 // key data. 2170 string km1_sw = read_file("km1_sw_rsa_512.blob"); 2171 EXPECT_EQ(486U, km1_sw.length()); 2172 2173 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 2174 memcpy(key_data, km1_sw.data(), km1_sw.length()); 2175 set_key_blob(key_data, km1_sw.length()); 2176 2177 string message(64, 'a'); 2178 string signature; 2179 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2180 2181 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2182} 2183 2184struct Malloc_Delete { 2185 void operator()(void* p) { free(p); } 2186}; 2187 2188TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0Blob) { 2189 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 2190 string km0_sw = read_file("km0_sw_rsa_512.blob"); 2191 EXPECT_EQ(333U, km0_sw.length()); 2192 2193 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 2194 memcpy(key_data, km0_sw.data(), km0_sw.length()); 2195 set_key_blob(key_data, km0_sw.length()); 2196 2197 string message(64, 'a'); 2198 string signature; 2199 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2200 2201 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2202} 2203 2204} // namespace test 2205} // namespace keymaster 2206