android_keymaster_test.cpp revision 5cf45028751471f79d9f8a390f64fe9412acd53a
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <fstream> 18#include <string> 19#include <vector> 20 21#include <hardware/keymaster0.h> 22#include <keymaster/key_factory.h> 23#include <keymaster/soft_keymaster_context.h> 24#include <keymaster/soft_keymaster_device.h> 25#include <keymaster/softkeymaster.h> 26 27#include "android_keymaster_test_utils.h" 28#include "keymaster0_engine.h" 29 30using std::ifstream; 31using std::istreambuf_iterator; 32using std::string; 33using std::vector; 34using std::unique_ptr; 35 36extern "C" { 37int __android_log_print(int prio, const char* tag, const char* fmt); 38int __android_log_print(int prio, const char* tag, const char* fmt) { 39 (void)prio, (void)tag, (void)fmt; 40 return 0; 41} 42} // extern "C" 43 44namespace keymaster { 45namespace test { 46 47StdoutLogger logger; 48 49template <typename T> vector<T> make_vector(const T* array, size_t len) { 50 return vector<T>(array, array + len); 51} 52 53class TestKeymasterEnforcement : public KeymasterEnforcement { 54 public: 55 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {} 56 57 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } 58 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } 59 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, 60 uint32_t /* timeout */) const { 61 return false; 62 } 63 virtual uint32_t get_current_time() const { return 0; } 64 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } 65}; 66 67class TestKeymasterContext : public SoftKeymasterContext { 68 public: 69 TestKeymasterContext(keymaster0_device_t* keymaster0 = nullptr) 70 : SoftKeymasterContext(keymaster0) {} 71 72 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } 73 74 private: 75 TestKeymasterEnforcement test_policy_; 76}; 77 78class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator { 79 public: 80 keymaster1_device_t* CreateDevice() const override { 81 std::cerr << "Creating software-only device" << std::endl; 82 SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext); 83 return device->keymaster_device(); 84 } 85 86 bool algorithm_in_hardware(keymaster_algorithm_t) const override { return false; } 87 int keymaster0_calls() const override { return 0; } 88}; 89 90class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator { 91 public: 92 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} 93 94 keymaster1_device_t* CreateDevice() const { 95 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ 96 << ")." << std::endl; 97 hw_device_t* softkeymaster_device; 98 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 99 &softkeymaster_device)); 100 // Make the software device pretend to be hardware 101 keymaster0_device_t* keymaster0_device = 102 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 103 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; 104 105 if (!support_ec_) { 106 // Make the software device pretend not to support EC 107 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; 108 } 109 110 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 111 112 SoftKeymasterDevice* keymaster = 113 new SoftKeymasterDevice(new TestKeymasterContext(counting_keymaster0_device_)); 114 return keymaster->keymaster_device(); 115 } 116 117 bool algorithm_in_hardware(keymaster_algorithm_t algorithm) const override { 118 switch (algorithm) { 119 case KM_ALGORITHM_RSA: 120 return true; 121 case KM_ALGORITHM_EC: 122 return support_ec_; 123 default: 124 return false; 125 } 126 } 127 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 128 129 private: 130 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 131 bool support_ec_; 132}; 133 134static auto test_params = testing::Values( 135 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 136 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 137 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))); 138 139typedef Keymaster1Test CheckSupported; 140INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params); 141 142TEST_P(CheckSupported, SupportedAlgorithms) { 143 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 144 device()->get_supported_algorithms(device(), NULL, NULL)); 145 146 size_t len; 147 keymaster_algorithm_t* algorithms; 148 EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len)); 149 EXPECT_TRUE(ResponseContains( 150 {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len)); 151 free(algorithms); 152 153 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 154} 155 156TEST_P(CheckSupported, SupportedBlockModes) { 157 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 158 device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 159 NULL, NULL)); 160 161 size_t len; 162 keymaster_block_mode_t* modes; 163 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, 164 KM_PURPOSE_ENCRYPT, &modes, &len)); 165 EXPECT_EQ(0U, len); 166 free(modes); 167 168 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 169 device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT, 170 &modes, &len)); 171 172 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES, 173 KM_PURPOSE_ENCRYPT, &modes, &len)); 174 EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR, KM_MODE_GCM}, modes, len)); 175 free(modes); 176 177 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 178} 179 180TEST_P(CheckSupported, SupportedPaddingModes) { 181 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 182 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 183 NULL, NULL)); 184 185 size_t len; 186 keymaster_padding_t* modes; 187 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 188 KM_PURPOSE_SIGN, &modes, &len)); 189 EXPECT_TRUE( 190 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len)); 191 free(modes); 192 193 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 194 KM_PURPOSE_ENCRYPT, &modes, &len)); 195 EXPECT_TRUE( 196 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len)); 197 free(modes); 198 199 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC, 200 KM_PURPOSE_SIGN, &modes, &len)); 201 EXPECT_EQ(0U, len); 202 free(modes); 203 204 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 205 device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, 206 &modes, &len)); 207 208 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 209} 210 211TEST_P(CheckSupported, SupportedDigests) { 212 EXPECT_EQ( 213 KM_ERROR_OUTPUT_PARAMETER_NULL, 214 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL)); 215 216 size_t len; 217 keymaster_digest_t* digests; 218 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA, 219 KM_PURPOSE_SIGN, &digests, &len)); 220 EXPECT_TRUE( 221 ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 222 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 223 digests, len)); 224 free(digests); 225 226 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 227 KM_PURPOSE_SIGN, &digests, &len)); 228 EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 229 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 230 digests, len)); 231 free(digests); 232 233 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 234 device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests, 235 &len)); 236 237 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 238 KM_PURPOSE_SIGN, &digests, &len)); 239 EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, 240 KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1}, 241 digests, len)); 242 free(digests); 243 244 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 245} 246 247TEST_P(CheckSupported, SupportedImportFormats) { 248 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 249 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 250 251 size_t len; 252 keymaster_key_format_t* formats; 253 ASSERT_EQ(KM_ERROR_OK, 254 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 255 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len)); 256 free(formats); 257 258 ASSERT_EQ(KM_ERROR_OK, 259 device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 260 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 261 free(formats); 262 263 ASSERT_EQ(KM_ERROR_OK, 264 device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 265 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 266 free(formats); 267 268 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 269} 270 271TEST_P(CheckSupported, SupportedExportFormats) { 272 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 273 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 274 275 size_t len; 276 keymaster_key_format_t* formats; 277 ASSERT_EQ(KM_ERROR_OK, 278 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 279 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 280 free(formats); 281 282 ASSERT_EQ(KM_ERROR_OK, 283 device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len)); 284 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 285 free(formats); 286 287 ASSERT_EQ(KM_ERROR_OK, 288 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 289 EXPECT_EQ(0U, len); 290 free(formats); 291 292 ASSERT_EQ(KM_ERROR_OK, 293 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 294 EXPECT_EQ(0U, len); 295 free(formats); 296 297 ASSERT_EQ(KM_ERROR_OK, 298 device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 299 EXPECT_EQ(0U, len); 300 free(formats); 301 302 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 303} 304 305class NewKeyGeneration : public Keymaster1Test { 306 protected: 307 void CheckBaseParams() { 308 AuthorizationSet auths = sw_enforced(); 309 EXPECT_GT(auths.SerializedSize(), 12U); 310 311 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 312 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 313 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 314 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 315 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 316 317 // Verify that App ID, App data and ROT are NOT included. 318 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 319 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 320 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 321 322 // Just for giggles, check that some unexpected tags/values are NOT present. 323 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 324 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 325 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 326 327 // Now check that unspecified, defaulted tags are correct. 328 EXPECT_TRUE(contains(auths, TAG_ORIGIN, KM_ORIGIN_GENERATED)); 329 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 330 } 331}; 332INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 333 334TEST_P(NewKeyGeneration, Rsa) { 335 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 336 .RsaSigningKey(256, 3) 337 .Digest(KM_DIGEST_NONE) 338 .Padding(KM_PAD_NONE))); 339 CheckBaseParams(); 340 341 // Check specified tags are all present, and in the right set. 342 AuthorizationSet crypto_params; 343 AuthorizationSet non_crypto_params; 344 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) { 345 EXPECT_NE(0U, hw_enforced().size()); 346 EXPECT_NE(0U, sw_enforced().size()); 347 crypto_params.push_back(hw_enforced()); 348 non_crypto_params.push_back(sw_enforced()); 349 } else { 350 EXPECT_EQ(0U, hw_enforced().size()); 351 EXPECT_NE(0U, sw_enforced().size()); 352 crypto_params.push_back(sw_enforced()); 353 } 354 355 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 356 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 357 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 358 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 359 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 360 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 361 362 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 363 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 364} 365 366TEST_P(NewKeyGeneration, RsaDefaultSize) { 367 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 368 GenerateKey(AuthorizationSetBuilder() 369 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 370 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 371 .SigningKey())); 372 373 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 374} 375 376TEST_P(NewKeyGeneration, Ecdsa) { 377 ASSERT_EQ(KM_ERROR_OK, 378 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 379 CheckBaseParams(); 380 381 // Check specified tags are all present, and in the right set. 382 AuthorizationSet crypto_params; 383 AuthorizationSet non_crypto_params; 384 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) { 385 EXPECT_NE(0U, hw_enforced().size()); 386 EXPECT_NE(0U, sw_enforced().size()); 387 crypto_params.push_back(hw_enforced()); 388 non_crypto_params.push_back(sw_enforced()); 389 } else { 390 EXPECT_EQ(0U, hw_enforced().size()); 391 EXPECT_NE(0U, sw_enforced().size()); 392 crypto_params.push_back(sw_enforced()); 393 } 394 395 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 396 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 397 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 398 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 399 400 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 401 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 402} 403 404TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 405 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 406 GenerateKey(AuthorizationSetBuilder() 407 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 408 .SigningKey() 409 .Digest(KM_DIGEST_NONE))); 410 411 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 412} 413 414TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 415 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 416 ASSERT_EQ( 417 KM_ERROR_UNKNOWN_ERROR, 418 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 419 else 420 ASSERT_EQ( 421 KM_ERROR_UNSUPPORTED_KEY_SIZE, 422 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 423 424 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 425 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 426} 427 428TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 429 size_t valid_sizes[] = {224, 256, 384, 521}; 430 for (size_t size : valid_sizes) { 431 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 432 KM_DIGEST_NONE))) 433 << "Failed to generate size: " << size; 434 } 435 436 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 437 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 438} 439 440TEST_P(NewKeyGeneration, HmacSha256) { 441 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 442 .HmacKey(128) 443 .Digest(KM_DIGEST_SHA_2_256) 444 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 445 446 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 447} 448 449TEST_P(NewKeyGeneration, HmacMultipleDigests) { 450 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 451 GenerateKey(AuthorizationSetBuilder() 452 .HmacKey(128) 453 .Digest(KM_DIGEST_SHA1) 454 .Digest(KM_DIGEST_SHA_2_256) 455 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 456 457 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 458} 459 460TEST_P(NewKeyGeneration, HmacDigestNone) { 461 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 462 GenerateKey(AuthorizationSetBuilder() 463 .HmacKey(128) 464 .Digest(KM_DIGEST_NONE) 465 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 466 467 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 468} 469 470TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) { 471 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 472 GenerateKey(AuthorizationSetBuilder() 473 .HmacKey(128) 474 .Digest(KM_DIGEST_SHA_2_256) 475 .Authorization(TAG_MIN_MAC_LENGTH, 48))); 476 477 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 478} 479 480TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) { 481 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 482 GenerateKey(AuthorizationSetBuilder() 483 .HmacKey(128) 484 .Digest(KM_DIGEST_SHA_2_256) 485 .Authorization(TAG_MIN_MAC_LENGTH, 130))); 486 487 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 488} 489 490TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) { 491 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 492 GenerateKey(AuthorizationSetBuilder() 493 .HmacKey(128) 494 .Digest(KM_DIGEST_SHA_2_256) 495 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 496 497 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 498} 499 500typedef Keymaster1Test GetKeyCharacteristics; 501INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 502 503TEST_P(GetKeyCharacteristics, SimpleRsa) { 504 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 505 .RsaSigningKey(256, 3) 506 .Digest(KM_DIGEST_NONE) 507 .Padding(KM_PAD_NONE))); 508 AuthorizationSet original(sw_enforced()); 509 510 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 511 EXPECT_EQ(original, sw_enforced()); 512 513 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 514 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 515} 516 517typedef Keymaster1Test SigningOperationsTest; 518INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 519 520TEST_P(SigningOperationsTest, RsaSuccess) { 521 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 522 .RsaSigningKey(256, 3) 523 .Digest(KM_DIGEST_NONE) 524 .Padding(KM_PAD_NONE))); 525 string message = "12345678901234567890123456789012"; 526 string signature; 527 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 528 529 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 530 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 531} 532 533TEST_P(SigningOperationsTest, RsaPssSha256Success) { 534 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 535 .RsaSigningKey(512, 3) 536 .Digest(KM_DIGEST_SHA_2_256) 537 .Padding(KM_PAD_RSA_PSS))); 538 // Use large message, which won't work without digesting. 539 string message(1024, 'a'); 540 string signature; 541 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 542 543 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 544 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 545} 546 547TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 548 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 549 .RsaSigningKey(512, 3) 550 .Digest(KM_DIGEST_NONE) 551 .Padding(KM_PAD_NONE))); 552 string message = "12345678901234567890123456789012"; 553 string signature; 554 555 AuthorizationSet begin_params(client_params()); 556 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 557 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 558 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 559} 560 561TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 562 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 563 .RsaSigningKey(512, 3) 564 .Digest(KM_DIGEST_SHA_2_256) 565 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 566 string message(1024, 'a'); 567 string signature; 568 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 569 570 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 571 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 572} 573 574TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 575 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 576 .RsaSigningKey(512, 3) 577 .Digest(KM_DIGEST_NONE) 578 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 579 string message(53, 'a'); 580 string signature; 581 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); 582 583 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 584 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 585} 586 587TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { 588 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 589 .RsaSigningKey(512, 3) 590 .Digest(KM_DIGEST_NONE) 591 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 592 string message(54, 'a'); 593 594 AuthorizationSet begin_params(client_params()); 595 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 596 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 597 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 598 string result; 599 size_t input_consumed; 600 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 601 string signature; 602 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 603 604 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 605 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 606} 607 608TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 609 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 610 // verify that nine bytes larger than hash won't work. 611 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 612 .RsaSigningKey(256 + 9 * 8, 3) 613 .Digest(KM_DIGEST_SHA_2_256) 614 .Padding(KM_PAD_RSA_PSS))); 615 string message(1024, 'a'); 616 string signature; 617 618 AuthorizationSet begin_params(client_params()); 619 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 620 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 621 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 622} 623 624TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { 625 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 626 .RsaSigningKey(256, 3) 627 .Digest(KM_DIGEST_NONE) 628 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 629 string message(64 * 1024, 'a'); 630 string signature; 631 AuthorizationSet begin_params(client_params()); 632 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 633 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 634 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 635 string result; 636 size_t input_consumed; 637 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 638 639 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 640 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 641} 642 643TEST_P(SigningOperationsTest, RsaAbort) { 644 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 645 .RsaSigningKey(256, 3) 646 .Digest(KM_DIGEST_NONE) 647 .Padding(KM_PAD_NONE))); 648 AuthorizationSet begin_params(client_params()); 649 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 650 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 651 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 652 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 653 // Another abort should fail 654 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 655 656 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 657 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 658} 659 660TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 661 GenerateKey(AuthorizationSetBuilder() 662 .RsaSigningKey(256, 3) 663 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 664 .Padding(KM_PAD_PKCS7)); 665 AuthorizationSet begin_params(client_params()); 666 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 667 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 668 669 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 670 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 671} 672 673TEST_P(SigningOperationsTest, RsaNoDigest) { 674 // PSS requires a digest. 675 GenerateKey(AuthorizationSetBuilder() 676 .RsaSigningKey(256, 3) 677 .Digest(KM_DIGEST_NONE) 678 .Padding(KM_PAD_RSA_PSS)); 679 AuthorizationSet begin_params(client_params()); 680 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 681 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 682 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 683 684 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 685 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 686} 687 688TEST_P(SigningOperationsTest, RsaNoPadding) { 689 // Padding must be specified 690 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 691 KM_DIGEST_NONE))); 692 AuthorizationSet begin_params(client_params()); 693 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 694 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 695 696 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 697 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 698} 699 700TEST_P(SigningOperationsTest, RsaTooShortMessage) { 701 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 702 .RsaSigningKey(256, 3) 703 .Digest(KM_DIGEST_NONE) 704 .Padding(KM_PAD_NONE))); 705 AuthorizationSet begin_params(client_params()); 706 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 707 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 708 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 709 710 string message = "1234567890123456789012345678901"; 711 string result; 712 size_t input_consumed; 713 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 714 EXPECT_EQ(0U, result.size()); 715 EXPECT_EQ(31U, input_consumed); 716 717 string signature; 718 ASSERT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 719 EXPECT_EQ(0U, signature.length()); 720 721 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 722 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 723} 724 725TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 726 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 727 .RsaEncryptionKey(256, 3) 728 .Digest(KM_DIGEST_NONE) 729 .Padding(KM_PAD_NONE))); 730 AuthorizationSet begin_params(client_params()); 731 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 732 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 733 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 734 735 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 736 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 737} 738 739TEST_P(SigningOperationsTest, EcdsaSuccess) { 740 ASSERT_EQ(KM_ERROR_OK, 741 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 742 string message(224 / 8, 'a'); 743 string signature; 744 SignMessage(message, &signature, KM_DIGEST_NONE); 745 746 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 747 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 748} 749 750TEST_P(SigningOperationsTest, EcdsaSha256Success) { 751 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 752 KM_DIGEST_SHA_2_256))); 753 string message(1024, 'a'); 754 string signature; 755 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 756 757 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 758 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 759} 760 761TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { 762 ASSERT_EQ(KM_ERROR_OK, 763 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 764 string message(64 * 1024, 'a'); 765 string signature; 766 AuthorizationSet begin_params(client_params()); 767 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 768 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 769 string result; 770 size_t input_consumed; 771 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 772 773 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 774 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 775} 776 777TEST_P(SigningOperationsTest, EcsdaAllSizesAndHashes) { 778 size_t len; 779 keymaster_digest_t* digest_arr; 780 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 781 KM_PURPOSE_SIGN, &digest_arr, &len)); 782 vector<int> key_sizes = {224, 256, 384, 521}; 783 vector<keymaster_digest_t> digests = make_vector(digest_arr, len); 784 free(digest_arr); 785 786 for (int key_size : key_sizes) { 787 for (keymaster_digest_t digest : digests) { 788 ASSERT_EQ( 789 KM_ERROR_OK, 790 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); 791 792 string message(1024, 'a'); 793 string signature; 794 if (digest == KM_DIGEST_NONE) 795 message.resize(key_size / 8); 796 SignMessage(message, &signature, digest); 797 } 798 } 799 800 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 801 EXPECT_EQ(digests.size() * key_sizes.size() * 3, 802 static_cast<size_t>(GetParam()->keymaster0_calls())); 803} 804 805TEST_P(SigningOperationsTest, AesEcbSign) { 806 ASSERT_EQ(KM_ERROR_OK, 807 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 808 TAG_BLOCK_MODE, KM_MODE_ECB))); 809 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 810 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 811 812 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 813} 814 815TEST_P(SigningOperationsTest, HmacSha1Success) { 816 GenerateKey(AuthorizationSetBuilder() 817 .HmacKey(128) 818 .Digest(KM_DIGEST_SHA1) 819 .Authorization(TAG_MIN_MAC_LENGTH, 160)); 820 string message = "12345678901234567890123456789012"; 821 string signature; 822 MacMessage(message, &signature, 160); 823 ASSERT_EQ(20U, signature.size()); 824 825 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 826} 827 828TEST_P(SigningOperationsTest, HmacSha224Success) { 829 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 830 .HmacKey(128) 831 .Digest(KM_DIGEST_SHA_2_224) 832 .Authorization(TAG_MIN_MAC_LENGTH, 160))); 833 string message = "12345678901234567890123456789012"; 834 string signature; 835 MacMessage(message, &signature, 224); 836 ASSERT_EQ(28U, signature.size()); 837 838 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 839} 840 841TEST_P(SigningOperationsTest, HmacSha256Success) { 842 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 843 .HmacKey(128) 844 .Digest(KM_DIGEST_SHA_2_256) 845 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 846 string message = "12345678901234567890123456789012"; 847 string signature; 848 MacMessage(message, &signature, 256); 849 ASSERT_EQ(32U, signature.size()); 850 851 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 852} 853 854TEST_P(SigningOperationsTest, HmacSha384Success) { 855 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 856 .HmacKey(128) 857 .Digest(KM_DIGEST_SHA_2_384) 858 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 859 860 string message = "12345678901234567890123456789012"; 861 string signature; 862 MacMessage(message, &signature, 384); 863 ASSERT_EQ(48U, signature.size()); 864 865 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 866} 867 868TEST_P(SigningOperationsTest, HmacSha512Success) { 869 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 870 .HmacKey(128) 871 .Digest(KM_DIGEST_SHA_2_512) 872 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 873 string message = "12345678901234567890123456789012"; 874 string signature; 875 MacMessage(message, &signature, 512); 876 ASSERT_EQ(64U, signature.size()); 877 878 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 879} 880 881TEST_P(SigningOperationsTest, HmacLengthInKey) { 882 // TODO(swillden): unified API should generate an error on key generation. 883 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 884 .HmacKey(128) 885 .Digest(KM_DIGEST_SHA_2_512) 886 .Authorization(TAG_MIN_MAC_LENGTH, 512))); 887 string message = "12345678901234567890123456789012"; 888 string signature; 889 MacMessage(message, &signature, 512); 890 ASSERT_EQ(64U, signature.size()); 891 892 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 893} 894 895TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 896 uint8_t key_data[] = { 897 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 898 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 899 }; 900 string message = "Hi There"; 901 uint8_t sha_224_expected[] = { 902 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 903 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 904 }; 905 uint8_t sha_256_expected[] = { 906 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 907 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 908 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 909 }; 910 uint8_t sha_384_expected[] = { 911 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 912 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 913 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 914 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 915 }; 916 uint8_t sha_512_expected[] = { 917 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 918 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 919 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 920 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 921 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 922 }; 923 924 string key = make_string(key_data); 925 926 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 927 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 928 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 929 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 930 931 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 932} 933 934TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 935 string key = "Jefe"; 936 string message = "what do ya want for nothing?"; 937 uint8_t sha_224_expected[] = { 938 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 939 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 940 }; 941 uint8_t sha_256_expected[] = { 942 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 943 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 944 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 945 }; 946 uint8_t sha_384_expected[] = { 947 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 948 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 949 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 950 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 951 }; 952 uint8_t sha_512_expected[] = { 953 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 954 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 955 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 956 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 957 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 958 }; 959 960 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 961 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 962 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 963 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 964 965 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 966} 967 968TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 969 string key(20, 0xaa); 970 string message(50, 0xdd); 971 uint8_t sha_224_expected[] = { 972 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 973 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 974 }; 975 uint8_t sha_256_expected[] = { 976 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 977 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 978 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 979 }; 980 uint8_t sha_384_expected[] = { 981 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 982 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 983 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 984 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 985 }; 986 uint8_t sha_512_expected[] = { 987 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 988 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 989 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 990 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 991 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 992 }; 993 994 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 995 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 996 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 997 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 998 999 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1000} 1001 1002TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 1003 uint8_t key_data[25] = { 1004 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 1005 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 1006 }; 1007 string key = make_string(key_data); 1008 string message(50, 0xcd); 1009 uint8_t sha_224_expected[] = { 1010 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 1011 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 1012 }; 1013 uint8_t sha_256_expected[] = { 1014 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 1015 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 1016 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 1017 }; 1018 uint8_t sha_384_expected[] = { 1019 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 1020 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 1021 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 1022 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 1023 }; 1024 uint8_t sha_512_expected[] = { 1025 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 1026 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 1027 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 1028 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 1029 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 1030 }; 1031 1032 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1033 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1034 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1035 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1036 1037 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1038} 1039 1040TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 1041 string key(20, 0x0c); 1042 string message = "Test With Truncation"; 1043 1044 uint8_t sha_224_expected[] = { 1045 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 1046 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 1047 }; 1048 uint8_t sha_256_expected[] = { 1049 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 1050 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 1051 }; 1052 uint8_t sha_384_expected[] = { 1053 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 1054 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 1055 }; 1056 uint8_t sha_512_expected[] = { 1057 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 1058 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 1059 }; 1060 1061 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1062 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1063 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1064 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1065 1066 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1067} 1068 1069TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 1070 string key(131, 0xaa); 1071 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 1072 1073 uint8_t sha_224_expected[] = { 1074 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 1075 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 1076 }; 1077 uint8_t sha_256_expected[] = { 1078 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 1079 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 1080 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 1081 }; 1082 uint8_t sha_384_expected[] = { 1083 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 1084 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 1085 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 1086 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 1087 }; 1088 uint8_t sha_512_expected[] = { 1089 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 1090 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 1091 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 1092 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 1093 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 1094 }; 1095 1096 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1097 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1098 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1099 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1100 1101 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1102} 1103 1104TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 1105 string key(131, 0xaa); 1106 string message = "This is a test using a larger than block-size key and a larger than " 1107 "block-size data. The key needs to be hashed before being used by the HMAC " 1108 "algorithm."; 1109 1110 uint8_t sha_224_expected[] = { 1111 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 1112 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 1113 }; 1114 uint8_t sha_256_expected[] = { 1115 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1116 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1117 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1118 }; 1119 uint8_t sha_384_expected[] = { 1120 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1121 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1122 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1123 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1124 }; 1125 uint8_t sha_512_expected[] = { 1126 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1127 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1128 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1129 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1130 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1131 }; 1132 1133 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1134 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1135 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1136 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1137 1138 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1139} 1140 1141TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1142 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1143 .HmacKey(128) 1144 .Digest(KM_DIGEST_SHA_2_256) 1145 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1146 AuthorizationSet begin_params(client_params()); 1147 begin_params.push_back(TAG_MAC_LENGTH, 264); 1148 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1149 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 1150 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1151 1152 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1153} 1154 1155TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) { 1156 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1157 .HmacKey(128) 1158 .Digest(KM_DIGEST_SHA_2_256) 1159 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1160 AuthorizationSet begin_params(client_params()); 1161 begin_params.push_back(TAG_MAC_LENGTH, 120); 1162 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1163 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 1164 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1165 1166 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1167} 1168 1169// TODO(swillden): Add more verification failure tests. 1170 1171typedef Keymaster1Test VerificationOperationsTest; 1172INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 1173 1174TEST_P(VerificationOperationsTest, RsaSuccess) { 1175 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1176 .RsaSigningKey(256, 3) 1177 .Digest(KM_DIGEST_NONE) 1178 .Padding(KM_PAD_NONE))); 1179 string message = "12345678901234567890123456789012"; 1180 string signature; 1181 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1182 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1183 1184 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1185 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1186} 1187 1188TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1189 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1190 .RsaSigningKey(512, 3) 1191 .Digest(KM_DIGEST_SHA_2_256) 1192 .Padding(KM_PAD_RSA_PSS))); 1193 // Use large message, which won't work without digesting. 1194 string message(1024, 'a'); 1195 string signature; 1196 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1197 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1198 1199 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1200 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1201} 1202 1203TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1204 GenerateKey(AuthorizationSetBuilder() 1205 .RsaSigningKey(512, 3) 1206 .Digest(KM_DIGEST_SHA_2_256) 1207 .Padding(KM_PAD_RSA_PSS)); 1208 string message(1024, 'a'); 1209 string signature; 1210 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1211 ++signature[signature.size() / 2]; 1212 1213 AuthorizationSet begin_params(client_params()); 1214 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1215 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1216 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1217 1218 string result; 1219 size_t input_consumed; 1220 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1221 EXPECT_EQ(message.size(), input_consumed); 1222 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1223 1224 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1225 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1226} 1227 1228TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1229 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1230 .RsaSigningKey(512, 3) 1231 .Digest(KM_DIGEST_SHA_2_256) 1232 .Padding(KM_PAD_RSA_PSS))); 1233 // Use large message, which won't work without digesting. 1234 string message(1024, 'a'); 1235 string signature; 1236 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1237 ++message[message.size() / 2]; 1238 1239 AuthorizationSet begin_params(client_params()); 1240 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1241 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1242 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1243 1244 string result; 1245 size_t input_consumed; 1246 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1247 EXPECT_EQ(message.size(), input_consumed); 1248 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1249 1250 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1251 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1252} 1253 1254TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1255 GenerateKey(AuthorizationSetBuilder() 1256 .RsaSigningKey(512, 3) 1257 .Digest(KM_DIGEST_SHA_2_256) 1258 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1259 string message(1024, 'a'); 1260 string signature; 1261 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1262 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1263 1264 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1265 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1266} 1267 1268TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1269 GenerateKey(AuthorizationSetBuilder() 1270 .RsaSigningKey(512, 3) 1271 .Digest(KM_DIGEST_SHA_2_256) 1272 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1273 string message(1024, 'a'); 1274 string signature; 1275 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1276 ++signature[signature.size() / 2]; 1277 1278 AuthorizationSet begin_params(client_params()); 1279 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1280 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1281 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1282 1283 string result; 1284 size_t input_consumed; 1285 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1286 EXPECT_EQ(message.size(), input_consumed); 1287 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1288 1289 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1290 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1291} 1292 1293TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1294 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1295 .RsaSigningKey(512, 3) 1296 .Digest(KM_DIGEST_SHA_2_256) 1297 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1298 // Use large message, which won't work without digesting. 1299 string message(1024, 'a'); 1300 string signature; 1301 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1302 ++message[message.size() / 2]; 1303 1304 AuthorizationSet begin_params(client_params()); 1305 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1306 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1307 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1308 1309 string result; 1310 size_t input_consumed; 1311 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1312 EXPECT_EQ(message.size(), input_consumed); 1313 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1314 1315 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1316 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1317} 1318 1319TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1320 // Get all supported digests and padding modes. 1321 size_t digests_len; 1322 keymaster_digest_t* digests; 1323 ASSERT_EQ(KM_ERROR_OK, 1324 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, &digests, 1325 &digests_len)); 1326 1327 size_t padding_modes_len; 1328 keymaster_padding_t* padding_modes; 1329 ASSERT_EQ(KM_ERROR_OK, 1330 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, 1331 &padding_modes, &padding_modes_len)); 1332 1333 // Try them. 1334 int trial_count = 0; 1335 for (keymaster_padding_t padding_mode : make_vector(padding_modes, padding_modes_len)) { 1336 for (keymaster_digest_t digest : make_vector(digests, digests_len)) { 1337 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1338 // Digesting requires padding 1339 continue; 1340 1341 // Compute key & message size that will work. 1342 size_t key_bits = 0; 1343 size_t message_len = 1000; 1344 1345 if (digest == KM_DIGEST_NONE) { 1346 key_bits = 256; 1347 switch (padding_mode) { 1348 case KM_PAD_NONE: 1349 // Match key size. 1350 message_len = key_bits / 8; 1351 break; 1352 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1353 message_len = key_bits / 8 - 11; 1354 break; 1355 case KM_PAD_RSA_PSS: 1356 // PSS requires a digest. 1357 continue; 1358 default: 1359 FAIL() << "Missing padding"; 1360 break; 1361 } 1362 } else { 1363 size_t digest_bits; 1364 switch (digest) { 1365 case KM_DIGEST_MD5: 1366 digest_bits = 128; 1367 break; 1368 case KM_DIGEST_SHA1: 1369 digest_bits = 160; 1370 break; 1371 case KM_DIGEST_SHA_2_224: 1372 digest_bits = 224; 1373 break; 1374 case KM_DIGEST_SHA_2_256: 1375 digest_bits = 256; 1376 break; 1377 case KM_DIGEST_SHA_2_384: 1378 digest_bits = 384; 1379 break; 1380 case KM_DIGEST_SHA_2_512: 1381 digest_bits = 512; 1382 break; 1383 default: 1384 FAIL() << "Missing digest"; 1385 } 1386 1387 switch (padding_mode) { 1388 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1389 key_bits = digest_bits + 8 * (11 + 19); 1390 break; 1391 case KM_PAD_RSA_PSS: 1392 key_bits = digest_bits + 22 * 8; 1393 break; 1394 default: 1395 FAIL() << "Missing padding"; 1396 break; 1397 } 1398 } 1399 1400 GenerateKey(AuthorizationSetBuilder() 1401 .RsaSigningKey(key_bits, 3) 1402 .Digest(digest) 1403 .Padding(padding_mode)); 1404 string message(message_len, 'a'); 1405 string signature; 1406 SignMessage(message, &signature, digest, padding_mode); 1407 VerifyMessage(message, signature, digest, padding_mode); 1408 ++trial_count; 1409 } 1410 } 1411 1412 free(padding_modes); 1413 free(digests); 1414 1415 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1416 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1417} 1418 1419TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1420 ASSERT_EQ(KM_ERROR_OK, 1421 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1422 string message = "12345678901234567890123456789012"; 1423 string signature; 1424 SignMessage(message, &signature, KM_DIGEST_NONE); 1425 VerifyMessage(message, signature, KM_DIGEST_NONE); 1426 1427 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1428 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1429} 1430 1431TEST_P(VerificationOperationsTest, EcdsaTooShort) { 1432 ASSERT_EQ(KM_ERROR_OK, 1433 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1434 string message = "12345678901234567890"; 1435 string signature; 1436 SignMessage(message, &signature, KM_DIGEST_NONE); 1437 VerifyMessage(message, signature, KM_DIGEST_NONE); 1438 1439 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1440 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1441} 1442 1443TEST_P(VerificationOperationsTest, EcdsaTooLong) { 1444 ASSERT_EQ(KM_ERROR_OK, 1445 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1446 string message = "1234567890123456789012345678901234"; 1447 string signature; 1448 1449 AuthorizationSet begin_params(client_params()); 1450 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1451 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 1452 string output; 1453 size_t input_consumed; 1454 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &output, &input_consumed)); 1455 1456 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1457 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1458} 1459 1460TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { 1461 ASSERT_EQ(KM_ERROR_OK, 1462 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); 1463 1464 string message(66, 'a'); 1465 string signature; 1466 SignMessage(message, &signature, KM_DIGEST_NONE); 1467 VerifyMessage(message, signature, KM_DIGEST_NONE); 1468 1469 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. 1470 message[65] ^= 7; 1471 VerifyMessage(message, signature, KM_DIGEST_NONE); 1472 1473 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1474 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 1475} 1476 1477TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1478 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1479 .EcdsaSigningKey(256) 1480 .Digest(KM_DIGEST_SHA_2_256) 1481 .Digest(KM_DIGEST_NONE))); 1482 string message = "12345678901234567890123456789012"; 1483 string signature; 1484 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1485 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1486 1487 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1488 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1489 1490 // Just for giggles, try verifying with the wrong digest. 1491 AuthorizationSet begin_params(client_params()); 1492 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1493 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1494 1495 string result; 1496 size_t input_consumed; 1497 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1498 EXPECT_EQ(message.size(), input_consumed); 1499 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1500} 1501 1502TEST_P(VerificationOperationsTest, HmacSha1Success) { 1503 GenerateKey(AuthorizationSetBuilder() 1504 .HmacKey(128) 1505 .Digest(KM_DIGEST_SHA1) 1506 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1507 string message = "123456789012345678901234567890123456789012345678"; 1508 string signature; 1509 MacMessage(message, &signature, 160); 1510 VerifyMac(message, signature); 1511 1512 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1513} 1514 1515TEST_P(VerificationOperationsTest, HmacSha224Success) { 1516 GenerateKey(AuthorizationSetBuilder() 1517 .HmacKey(128) 1518 .Digest(KM_DIGEST_SHA_2_224) 1519 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1520 string message = "123456789012345678901234567890123456789012345678"; 1521 string signature; 1522 MacMessage(message, &signature, 224); 1523 VerifyMac(message, signature); 1524 1525 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1526} 1527 1528TEST_P(VerificationOperationsTest, HmacSha256Success) { 1529 GenerateKey(AuthorizationSetBuilder() 1530 .HmacKey(128) 1531 .Digest(KM_DIGEST_SHA_2_256) 1532 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1533 string message = "123456789012345678901234567890123456789012345678"; 1534 string signature; 1535 MacMessage(message, &signature, 256); 1536 VerifyMac(message, signature); 1537 1538 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1539} 1540 1541TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) { 1542 GenerateKey(AuthorizationSetBuilder() 1543 .HmacKey(128) 1544 .Digest(KM_DIGEST_SHA_2_256) 1545 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1546 string message = "123456789012345678901234567890123456789012345678"; 1547 string signature; 1548 MacMessage(message, &signature, 256); 1549 1550 // Shorten to 128 bits, should still work. 1551 signature.resize(128 / 8); 1552 VerifyMac(message, signature); 1553 1554 // Drop one more byte. 1555 signature.resize(signature.length() - 1); 1556 1557 AuthorizationSet begin_params(client_params()); 1558 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1559 string result; 1560 size_t input_consumed; 1561 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1562 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result)); 1563 1564 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1565} 1566 1567TEST_P(VerificationOperationsTest, HmacSha384Success) { 1568 GenerateKey(AuthorizationSetBuilder() 1569 .HmacKey(128) 1570 .Digest(KM_DIGEST_SHA_2_384) 1571 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1572 string message = "123456789012345678901234567890123456789012345678"; 1573 string signature; 1574 MacMessage(message, &signature, 384); 1575 VerifyMac(message, signature); 1576 1577 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1578} 1579 1580TEST_P(VerificationOperationsTest, HmacSha512Success) { 1581 GenerateKey(AuthorizationSetBuilder() 1582 .HmacKey(128) 1583 .Digest(KM_DIGEST_SHA_2_512) 1584 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1585 string message = "123456789012345678901234567890123456789012345678"; 1586 string signature; 1587 MacMessage(message, &signature, 512); 1588 VerifyMac(message, signature); 1589 1590 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1591} 1592 1593typedef Keymaster1Test ExportKeyTest; 1594INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1595 1596TEST_P(ExportKeyTest, RsaSuccess) { 1597 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1598 .RsaSigningKey(256, 3) 1599 .Digest(KM_DIGEST_NONE) 1600 .Padding(KM_PAD_NONE))); 1601 string export_data; 1602 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1603 EXPECT_GT(export_data.length(), 0U); 1604 1605 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1606 1607 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1608 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1609} 1610 1611TEST_P(ExportKeyTest, EcdsaSuccess) { 1612 ASSERT_EQ(KM_ERROR_OK, 1613 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1614 string export_data; 1615 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1616 EXPECT_GT(export_data.length(), 0U); 1617 1618 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1619 1620 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1621 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1622} 1623 1624TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1625 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1626 .RsaSigningKey(256, 3) 1627 .Digest(KM_DIGEST_NONE) 1628 .Padding(KM_PAD_NONE))); 1629 string export_data; 1630 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1631 1632 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1633 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1634} 1635 1636TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1637 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1638 .RsaSigningKey(256, 3) 1639 .Digest(KM_DIGEST_NONE) 1640 .Padding(KM_PAD_NONE))); 1641 corrupt_key_blob(); 1642 string export_data; 1643 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1644 1645 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1646 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1647} 1648 1649TEST_P(ExportKeyTest, AesKeyExportFails) { 1650 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1651 string export_data; 1652 1653 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1654 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1655 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1656 1657 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1658} 1659 1660static string read_file(const string& file_name) { 1661 ifstream file_stream(file_name, std::ios::binary); 1662 istreambuf_iterator<char> file_begin(file_stream); 1663 istreambuf_iterator<char> file_end; 1664 return string(file_begin, file_end); 1665} 1666 1667typedef Keymaster1Test ImportKeyTest; 1668INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1669 1670TEST_P(ImportKeyTest, RsaSuccess) { 1671 string pk8_key = read_file("rsa_privkey_pk8.der"); 1672 ASSERT_EQ(633U, pk8_key.size()); 1673 1674 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1675 .RsaSigningKey(1024, 65537) 1676 .Digest(KM_DIGEST_NONE) 1677 .Padding(KM_PAD_NONE), 1678 KM_KEY_FORMAT_PKCS8, pk8_key)); 1679 1680 // Check values derived from the key. 1681 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1682 : sw_enforced(), 1683 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1684 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1685 : sw_enforced(), 1686 TAG_KEY_SIZE, 1024)); 1687 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1688 : sw_enforced(), 1689 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1690 1691 // And values provided by AndroidKeymaster 1692 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1693 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1694 1695 string message(1024 / 8, 'a'); 1696 string signature; 1697 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1698 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1699 1700 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1701 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1702} 1703 1704TEST_P(ImportKeyTest, OldApiRsaSuccess) { 1705 string pk8_key = read_file("rsa_privkey_pk8.der"); 1706 ASSERT_EQ(633U, pk8_key.size()); 1707 1708 // NOTE: This will break when the keymaster0 APIs are removed from keymaster1. But at that 1709 // point softkeymaster will no longer support keymaster0 APIs anyway. 1710 uint8_t* key_blob; 1711 size_t key_blob_length; 1712 ASSERT_EQ(0, 1713 device()->import_keypair(device(), reinterpret_cast<const uint8_t*>(pk8_key.data()), 1714 pk8_key.size(), &key_blob, &key_blob_length)); 1715 set_key_blob(key_blob, key_blob_length); 1716 1717 string message(1024 / 8, 'a'); 1718 AuthorizationSet begin_params; // Don't use client data. 1719 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1720 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1721 AuthorizationSet update_params; 1722 AuthorizationSet output_params; 1723 string signature = 1724 ProcessMessage(KM_PURPOSE_SIGN, message, begin_params, update_params, &output_params); 1725 ProcessMessage(KM_PURPOSE_VERIFY, message, signature, begin_params, update_params, 1726 &output_params); 1727 1728 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1729 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1730} 1731 1732TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1733 string pk8_key = read_file("rsa_privkey_pk8.der"); 1734 ASSERT_EQ(633U, pk8_key.size()); 1735 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1736 ImportKey(AuthorizationSetBuilder() 1737 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1738 .Digest(KM_DIGEST_NONE) 1739 .Padding(KM_PAD_NONE), 1740 KM_KEY_FORMAT_PKCS8, pk8_key)); 1741 1742 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1743} 1744 1745TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1746 string pk8_key = read_file("rsa_privkey_pk8.der"); 1747 ASSERT_EQ(633U, pk8_key.size()); 1748 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1749 ImportKey(AuthorizationSetBuilder() 1750 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1751 .Digest(KM_DIGEST_NONE) 1752 .Padding(KM_PAD_NONE), 1753 KM_KEY_FORMAT_PKCS8, pk8_key)); 1754 1755 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1756} 1757 1758TEST_P(ImportKeyTest, EcdsaSuccess) { 1759 string pk8_key = read_file("ec_privkey_pk8.der"); 1760 ASSERT_EQ(138U, pk8_key.size()); 1761 1762 ASSERT_EQ(KM_ERROR_OK, 1763 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1764 KM_KEY_FORMAT_PKCS8, pk8_key)); 1765 1766 // Check values derived from the key. 1767 EXPECT_TRUE( 1768 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1769 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1770 EXPECT_TRUE( 1771 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1772 TAG_KEY_SIZE, 256)); 1773 1774 // And values provided by AndroidKeymaster 1775 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1776 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1777 1778 string message(32, 'a'); 1779 string signature; 1780 SignMessage(message, &signature, KM_DIGEST_NONE); 1781 VerifyMessage(message, signature, KM_DIGEST_NONE); 1782 1783 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1784 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1785} 1786 1787TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1788 string pk8_key = read_file("ec_privkey_pk8.der"); 1789 ASSERT_EQ(138U, pk8_key.size()); 1790 1791 ASSERT_EQ(KM_ERROR_OK, 1792 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1793 KM_KEY_FORMAT_PKCS8, pk8_key)); 1794 1795 // Check values derived from the key. 1796 EXPECT_TRUE( 1797 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1798 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1799 EXPECT_TRUE( 1800 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1801 TAG_KEY_SIZE, 256)); 1802 1803 // And values provided by AndroidKeymaster 1804 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1805 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1806 1807 string message(32, 'a'); 1808 string signature; 1809 SignMessage(message, &signature, KM_DIGEST_NONE); 1810 VerifyMessage(message, signature, KM_DIGEST_NONE); 1811 1812 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1813 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1814} 1815 1816TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1817 string pk8_key = read_file("ec_privkey_pk8.der"); 1818 ASSERT_EQ(138U, pk8_key.size()); 1819 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1820 ImportKey(AuthorizationSetBuilder() 1821 .EcdsaSigningKey(224 /* Doesn't match key */) 1822 .Digest(KM_DIGEST_NONE), 1823 KM_KEY_FORMAT_PKCS8, pk8_key)); 1824 1825 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1826} 1827 1828TEST_P(ImportKeyTest, AesKeySuccess) { 1829 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1830 string key(key_data, sizeof(key_data)); 1831 ASSERT_EQ(KM_ERROR_OK, 1832 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1833 TAG_PADDING, KM_PAD_PKCS7), 1834 KM_KEY_FORMAT_RAW, key)); 1835 1836 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1837 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1838 1839 string message = "Hello World!"; 1840 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1841 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1842 EXPECT_EQ(message, plaintext); 1843 1844 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1845} 1846 1847TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1848 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1849 string key(key_data, sizeof(key_data)); 1850 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1851 .HmacKey(sizeof(key_data) * 8) 1852 .Digest(KM_DIGEST_SHA_2_256) 1853 .Authorization(TAG_MIN_MAC_LENGTH, 256), 1854 KM_KEY_FORMAT_RAW, key)); 1855 1856 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1857 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1858 1859 string message = "Hello World!"; 1860 string signature; 1861 MacMessage(message, &signature, 256); 1862 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1863 1864 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1865} 1866 1867typedef Keymaster1Test EncryptionOperationsTest; 1868INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1869 1870TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 1871 ASSERT_EQ(KM_ERROR_OK, 1872 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1873 1874 string message = "12345678901234567890123456789012"; 1875 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 1876 EXPECT_EQ(256U / 8, ciphertext1.size()); 1877 1878 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 1879 EXPECT_EQ(256U / 8, ciphertext2.size()); 1880 1881 // Unpadded RSA is deterministic 1882 EXPECT_EQ(ciphertext1, ciphertext2); 1883 1884 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1885 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1886} 1887 1888TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 1889 ASSERT_EQ(KM_ERROR_OK, 1890 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1891 1892 string message = "1234567890123456789012345678901"; 1893 1894 AuthorizationSet begin_params(client_params()); 1895 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1896 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1897 1898 string result; 1899 size_t input_consumed; 1900 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1901 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1902 EXPECT_EQ(0U, result.size()); 1903 1904 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1905 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1906} 1907 1908TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 1909 ASSERT_EQ(KM_ERROR_OK, 1910 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1911 1912 string message = "123456789012345678901234567890123"; 1913 1914 AuthorizationSet begin_params(client_params()); 1915 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1916 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1917 1918 string result; 1919 size_t input_consumed; 1920 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 1921 1922 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1923 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1924} 1925 1926TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 1927 size_t key_size = 768; 1928 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1929 .RsaEncryptionKey(key_size, 3) 1930 .Padding(KM_PAD_RSA_OAEP) 1931 .Digest(KM_DIGEST_SHA_2_256))); 1932 1933 string message = "Hello"; 1934 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1935 EXPECT_EQ(key_size / 8, ciphertext1.size()); 1936 1937 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1938 EXPECT_EQ(key_size / 8, ciphertext2.size()); 1939 1940 // OAEP randomizes padding so every result should be different. 1941 EXPECT_NE(ciphertext1, ciphertext2); 1942 1943 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1944 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1945} 1946 1947TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 1948 size_t key_size = 768; 1949 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1950 .RsaEncryptionKey(key_size, 3) 1951 .Padding(KM_PAD_RSA_OAEP) 1952 .Digest(KM_DIGEST_SHA_2_256))); 1953 string message = "Hello World!"; 1954 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1955 EXPECT_EQ(key_size / 8, ciphertext.size()); 1956 1957 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1958 EXPECT_EQ(message, plaintext); 1959 1960 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1961 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1962} 1963 1964TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { 1965 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1966 .RsaEncryptionKey(512, 3) 1967 .Padding(KM_PAD_RSA_OAEP) 1968 .Digest(KM_DIGEST_NONE))); 1969 string message = "Hello World!"; 1970 1971 AuthorizationSet begin_params(client_params()); 1972 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1973 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1974 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1975 1976 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1977 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1978} 1979 1980TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) { 1981 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1982 .RsaEncryptionKey(512, 3) 1983 .Padding(KM_PAD_RSA_OAEP) 1984 .Digest(KM_DIGEST_SHA_2_256))); 1985 string message = "Hello World!"; 1986 // Works because encryption is a public key operation. 1987 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP); 1988 1989 AuthorizationSet begin_params(client_params()); 1990 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1991 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 1992 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1993 1994 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1995 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1996} 1997 1998TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { 1999 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2000 .RsaEncryptionKey(768, 3) 2001 .Padding(KM_PAD_RSA_OAEP) 2002 .Digest(KM_DIGEST_SHA_2_256) 2003 .Digest(KM_DIGEST_SHA_2_384))); 2004 string message = "Hello World!"; 2005 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2006 2007 string result; 2008 size_t input_consumed; 2009 AuthorizationSet begin_params(client_params()); 2010 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2011 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384); 2012 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2013 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2014 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2015 EXPECT_EQ(0U, result.size()); 2016 2017 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2018 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2019} 2020 2021TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 2022 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2023 .RsaEncryptionKey(512, 3) 2024 .Padding(KM_PAD_RSA_OAEP) 2025 .Digest(KM_DIGEST_SHA1))); 2026 string message = "12345678901234567890123"; 2027 string result; 2028 size_t input_consumed; 2029 2030 AuthorizationSet begin_params(client_params()); 2031 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2032 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2033 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2034 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2035 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2036 EXPECT_EQ(0U, result.size()); 2037 2038 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2039 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2040} 2041 2042TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 2043 size_t key_size = 768; 2044 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2045 .RsaEncryptionKey(768, 3) 2046 .Padding(KM_PAD_RSA_OAEP) 2047 .Digest(KM_DIGEST_SHA_2_256))); 2048 string message = "Hello World!"; 2049 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2050 EXPECT_EQ(key_size / 8, ciphertext.size()); 2051 2052 // Corrupt the ciphertext 2053 ciphertext[key_size / 8 / 2]++; 2054 2055 string result; 2056 size_t input_consumed; 2057 AuthorizationSet begin_params(client_params()); 2058 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2059 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 2060 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2061 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2062 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2063 EXPECT_EQ(0U, result.size()); 2064 2065 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2066 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2067} 2068 2069TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 2070 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2071 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2072 string message = "Hello World!"; 2073 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2074 EXPECT_EQ(512U / 8, ciphertext1.size()); 2075 2076 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2077 EXPECT_EQ(512U / 8, ciphertext2.size()); 2078 2079 // PKCS1 v1.5 randomizes padding so every result should be different. 2080 EXPECT_NE(ciphertext1, ciphertext2); 2081 2082 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2083 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2084} 2085 2086TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 2087 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2088 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2089 string message = "Hello World!"; 2090 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2091 EXPECT_EQ(512U / 8, ciphertext.size()); 2092 2093 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2094 EXPECT_EQ(message, plaintext); 2095 2096 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2097 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2098} 2099 2100TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 2101 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2102 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2103 string message = "123456789012345678901234567890123456789012345678901234"; 2104 string result; 2105 size_t input_consumed; 2106 2107 AuthorizationSet begin_params(client_params()); 2108 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2109 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2110 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2111 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2112 EXPECT_EQ(0U, result.size()); 2113 2114 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2115 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2116} 2117 2118TEST_P(EncryptionOperationsTest, RsaPkcs1InvalidDigest) { 2119 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2120 .RsaEncryptionKey(512, 3) 2121 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) 2122 .Digest(KM_DIGEST_NONE))); 2123 string message = "Hello World!"; 2124 string result; 2125 2126 AuthorizationSet begin_params(client_params()); 2127 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2128 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); // Any digest is invalid 2129 EXPECT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2130 2131 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2132 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2133} 2134 2135TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 2136 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2137 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2138 string message = "Hello World!"; 2139 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2140 EXPECT_EQ(512U / 8, ciphertext.size()); 2141 2142 // Corrupt the ciphertext 2143 ciphertext[512 / 8 / 2]++; 2144 2145 string result; 2146 size_t input_consumed; 2147 AuthorizationSet begin_params(client_params()); 2148 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2149 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2150 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2151 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2152 EXPECT_EQ(0U, result.size()); 2153 2154 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2155 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2156} 2157 2158TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 2159 ASSERT_EQ(KM_ERROR_OK, 2160 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); 2161 2162 AuthorizationSet begin_params(client_params()); 2163 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2164 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2165 2166 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2167 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2168} 2169 2170TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 2171 ASSERT_EQ(KM_ERROR_OK, 2172 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 2173 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2174 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2175 2176 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 2177 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2178} 2179 2180TEST_P(EncryptionOperationsTest, HmacEncrypt) { 2181 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2182 .HmacKey(128) 2183 .Digest(KM_DIGEST_SHA_2_256) 2184 .Padding(KM_PAD_NONE) 2185 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2186 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2187 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2188 2189 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2190} 2191 2192TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2193 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2194 .AesEncryptionKey(128) 2195 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2196 .Padding(KM_PAD_NONE))); 2197 // Two-block message. 2198 string message = "12345678901234567890123456789012"; 2199 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2200 EXPECT_EQ(message.size(), ciphertext1.size()); 2201 2202 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 2203 EXPECT_EQ(message.size(), ciphertext2.size()); 2204 2205 // ECB is deterministic. 2206 EXPECT_EQ(ciphertext1, ciphertext2); 2207 2208 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 2209 EXPECT_EQ(message, plaintext); 2210 2211 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2212} 2213 2214TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { 2215 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2216 .AesEncryptionKey(128) 2217 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2218 .Padding(KM_PAD_NONE))); 2219 // Two-block message. 2220 string message = "12345678901234567890123456789012"; 2221 AuthorizationSet begin_params(client_params()); 2222 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2223 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2224 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2225 2226 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2227} 2228 2229TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2230 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2231 .AesEncryptionKey(128) 2232 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2233 .Padding(KM_PAD_NONE))); 2234 // Message is slightly shorter than two blocks. 2235 string message = "1234567890123456789012345678901"; 2236 2237 AuthorizationSet begin_params(client_params()); 2238 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2239 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2240 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2241 string ciphertext; 2242 size_t input_consumed; 2243 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 2244 EXPECT_EQ(message.size(), input_consumed); 2245 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 2246 2247 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2248} 2249 2250TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2251 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2252 .AesEncryptionKey(128) 2253 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2254 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2255 2256 // Try various message lengths; all should work. 2257 for (size_t i = 0; i < 32; ++i) { 2258 string message(i, 'a'); 2259 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2260 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2261 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2262 EXPECT_EQ(message, plaintext); 2263 } 2264 2265 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2266} 2267 2268TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { 2269 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2270 .AesEncryptionKey(128) 2271 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2272 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2273 2274 // Try various message lengths; all should fail. 2275 for (size_t i = 0; i < 32; ++i) { 2276 AuthorizationSet begin_params(client_params()); 2277 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2278 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2279 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 2280 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2281 } 2282 2283 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2284} 2285 2286TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2287 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2288 .AesEncryptionKey(128) 2289 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2290 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2291 2292 string message = "a"; 2293 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2294 EXPECT_EQ(16U, ciphertext.size()); 2295 EXPECT_NE(ciphertext, message); 2296 ++ciphertext[ciphertext.size() / 2]; 2297 2298 AuthorizationSet begin_params(client_params()); 2299 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2300 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2301 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2302 string plaintext; 2303 size_t input_consumed; 2304 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 2305 EXPECT_EQ(ciphertext.size(), input_consumed); 2306 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 2307 2308 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2309} 2310 2311TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2312 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2313 .AesEncryptionKey(128) 2314 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2315 .Padding(KM_PAD_NONE))); 2316 string message = "123"; 2317 string iv1; 2318 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 2319 EXPECT_EQ(message.size(), ciphertext1.size()); 2320 EXPECT_EQ(16U, iv1.size()); 2321 2322 string iv2; 2323 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 2324 EXPECT_EQ(message.size(), ciphertext2.size()); 2325 EXPECT_EQ(16U, iv2.size()); 2326 2327 // IVs should be random, so ciphertexts should differ. 2328 EXPECT_NE(iv1, iv2); 2329 EXPECT_NE(ciphertext1, ciphertext2); 2330 2331 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 2332 EXPECT_EQ(message, plaintext); 2333 2334 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2335} 2336 2337TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 2338 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2339 .AesEncryptionKey(128) 2340 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2341 .Padding(KM_PAD_NONE))); 2342 2343 int increment = 15; 2344 string message(239, 'a'); 2345 AuthorizationSet input_params(client_params()); 2346 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2347 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2348 AuthorizationSet output_params; 2349 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2350 2351 string ciphertext; 2352 size_t input_consumed; 2353 for (size_t i = 0; i < message.size(); i += increment) 2354 EXPECT_EQ(KM_ERROR_OK, 2355 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2356 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2357 EXPECT_EQ(message.size(), ciphertext.size()); 2358 2359 // Move TAG_NONCE into input_params 2360 input_params.Reinitialize(output_params); 2361 input_params.push_back(client_params()); 2362 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2363 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2364 output_params.Clear(); 2365 2366 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2367 string plaintext; 2368 for (size_t i = 0; i < ciphertext.size(); i += increment) 2369 EXPECT_EQ(KM_ERROR_OK, 2370 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2371 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2372 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2373 EXPECT_EQ(message, plaintext); 2374 2375 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2376} 2377 2378struct AesCtrSp80038aTestVector { 2379 const char* key; 2380 const char* nonce; 2381 const char* plaintext; 2382 const char* ciphertext; 2383}; 2384 2385// These test vectors are taken from 2386// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 2387static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 2388 // AES-128 2389 { 2390 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2391 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2392 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2393 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 2394 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 2395 }, 2396 // AES-192 2397 { 2398 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2399 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2400 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2401 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 2402 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 2403 }, 2404 // AES-256 2405 { 2406 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 2407 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2408 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2409 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2410 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2411 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2412 }, 2413}; 2414 2415TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2416 for (size_t i = 0; i < 3; i++) { 2417 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2418 const string key = hex2str(test.key); 2419 const string nonce = hex2str(test.nonce); 2420 const string plaintext = hex2str(test.plaintext); 2421 const string ciphertext = hex2str(test.ciphertext); 2422 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2423 } 2424 2425 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2426} 2427 2428TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2429 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2430 .AesEncryptionKey(128) 2431 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2432 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2433 AuthorizationSet begin_params(client_params()); 2434 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2435 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2436 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2437 2438 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2439} 2440 2441TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2442 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2443 .AesEncryptionKey(128) 2444 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2445 .Authorization(TAG_CALLER_NONCE) 2446 .Padding(KM_PAD_NONE))); 2447 2448 AuthorizationSet input_params(client_params()); 2449 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2450 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2451 input_params.push_back(TAG_NONCE, "123", 3); 2452 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2453 2454 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2455} 2456 2457TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2458 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2459 .AesEncryptionKey(128) 2460 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2461 .Padding(KM_PAD_NONE))); 2462 // Two-block message. 2463 string message = "12345678901234567890123456789012"; 2464 string iv1; 2465 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2466 EXPECT_EQ(message.size(), ciphertext1.size()); 2467 2468 string iv2; 2469 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2470 EXPECT_EQ(message.size(), ciphertext2.size()); 2471 2472 // IVs should be random, so ciphertexts should differ. 2473 EXPECT_NE(iv1, iv2); 2474 EXPECT_NE(ciphertext1, ciphertext2); 2475 2476 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2477 EXPECT_EQ(message, plaintext); 2478 2479 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2480} 2481 2482TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2483 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2484 .AesEncryptionKey(128) 2485 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2486 .Authorization(TAG_CALLER_NONCE) 2487 .Padding(KM_PAD_NONE))); 2488 string message = "12345678901234567890123456789012"; 2489 string iv1; 2490 // Don't specify nonce, should get a random one. 2491 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2492 EXPECT_EQ(message.size(), ciphertext1.size()); 2493 EXPECT_EQ(16U, iv1.size()); 2494 2495 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2496 EXPECT_EQ(message, plaintext); 2497 2498 // Now specify a nonce, should also work. 2499 AuthorizationSet input_params(client_params()); 2500 AuthorizationSet update_params; 2501 AuthorizationSet output_params; 2502 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2503 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2504 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2505 string ciphertext2 = 2506 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2507 2508 // Decrypt with correct nonce. 2509 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2510 &output_params); 2511 EXPECT_EQ(message, plaintext); 2512 2513 // Now try with wrong nonce. 2514 input_params.Reinitialize(client_params()); 2515 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2516 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2517 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2518 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2519 &output_params); 2520 EXPECT_NE(message, plaintext); 2521 2522 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2523} 2524 2525TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2526 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2527 .AesEncryptionKey(128) 2528 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2529 .Padding(KM_PAD_NONE))); 2530 2531 string message = "12345678901234567890123456789012"; 2532 string iv1; 2533 // Don't specify nonce, should get a random one. 2534 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2535 EXPECT_EQ(message.size(), ciphertext1.size()); 2536 EXPECT_EQ(16U, iv1.size()); 2537 2538 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2539 EXPECT_EQ(message, plaintext); 2540 2541 // Now specify a nonce, should fail. 2542 AuthorizationSet input_params(client_params()); 2543 AuthorizationSet update_params; 2544 AuthorizationSet output_params; 2545 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2546 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2547 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2548 2549 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2550 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2551 2552 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2553} 2554 2555TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2556 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2557 .AesEncryptionKey(128) 2558 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2559 .Padding(KM_PAD_NONE))); 2560 2561 int increment = 15; 2562 string message(240, 'a'); 2563 AuthorizationSet input_params(client_params()); 2564 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2565 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2566 AuthorizationSet output_params; 2567 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2568 2569 string ciphertext; 2570 size_t input_consumed; 2571 for (size_t i = 0; i < message.size(); i += increment) 2572 EXPECT_EQ(KM_ERROR_OK, 2573 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2574 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2575 EXPECT_EQ(message.size(), ciphertext.size()); 2576 2577 // Move TAG_NONCE into input_params 2578 input_params.Reinitialize(output_params); 2579 input_params.push_back(client_params()); 2580 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2581 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2582 output_params.Clear(); 2583 2584 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2585 string plaintext; 2586 for (size_t i = 0; i < ciphertext.size(); i += increment) 2587 EXPECT_EQ(KM_ERROR_OK, 2588 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2589 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2590 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2591 EXPECT_EQ(message, plaintext); 2592 2593 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2594} 2595 2596TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2597 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2598 .AesEncryptionKey(128) 2599 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2600 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2601 2602 // Try various message lengths; all should work. 2603 for (size_t i = 0; i < 32; ++i) { 2604 string message(i, 'a'); 2605 string iv; 2606 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2607 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2608 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2609 EXPECT_EQ(message, plaintext); 2610 } 2611 2612 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2613} 2614 2615TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2616 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2617 .AesEncryptionKey(128) 2618 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2619 .Authorization(TAG_PADDING, KM_PAD_NONE) 2620 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2621 string aad = "foobar"; 2622 string message = "123456789012345678901234567890123456"; 2623 AuthorizationSet begin_params(client_params()); 2624 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2625 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2626 begin_params.push_back(TAG_MAC_LENGTH, 128); 2627 2628 AuthorizationSet update_params; 2629 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2630 2631 // Encrypt 2632 AuthorizationSet begin_out_params; 2633 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2634 string ciphertext; 2635 size_t input_consumed; 2636 AuthorizationSet update_out_params; 2637 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2638 &input_consumed)); 2639 EXPECT_EQ(message.size(), input_consumed); 2640 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2641 2642 // Grab nonce 2643 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2644 begin_params.push_back(begin_out_params); 2645 2646 // Decrypt. 2647 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2648 string plaintext; 2649 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2650 &plaintext, &input_consumed)); 2651 EXPECT_EQ(ciphertext.size(), input_consumed); 2652 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2653 2654 EXPECT_EQ(message, plaintext); 2655 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2656} 2657 2658TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) { 2659 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2660 .AesEncryptionKey(128) 2661 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2662 .Authorization(TAG_PADDING, KM_PAD_NONE) 2663 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2664 string aad = "foobar"; 2665 string message = "123456789012345678901234567890123456"; 2666 AuthorizationSet begin_params(client_params()); 2667 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2668 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2669 begin_params.push_back(TAG_MAC_LENGTH, 96); 2670 2671 AuthorizationSet update_params; 2672 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2673 2674 AuthorizationSet begin_out_params; 2675 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 2676 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2677 2678 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2679} 2680 2681TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { 2682 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2683 .AesEncryptionKey(128) 2684 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2685 .Authorization(TAG_PADDING, KM_PAD_NONE) 2686 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2687 string aad = "foobar"; 2688 string message = "123456789012345678901234567890123456"; 2689 AuthorizationSet begin_params(client_params()); 2690 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2691 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2692 begin_params.push_back(TAG_MAC_LENGTH, 128); 2693 2694 AuthorizationSet update_params; 2695 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2696 2697 // Encrypt 2698 AuthorizationSet begin_out_params; 2699 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2700 string ciphertext; 2701 size_t input_consumed; 2702 AuthorizationSet update_out_params; 2703 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2704 &input_consumed)); 2705 EXPECT_EQ(message.size(), input_consumed); 2706 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2707 2708 // Grab nonce 2709 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2710 begin_params.Reinitialize(client_params()); 2711 begin_params.push_back(begin_out_params); 2712 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2713 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2714 begin_params.push_back(TAG_MAC_LENGTH, 96); 2715 2716 // Decrypt. 2717 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2718 2719 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2720} 2721 2722TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { 2723 uint8_t nonce[] = { 2724 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 2725 }; 2726 uint8_t ciphertext[] = { 2727 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 2728 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 2729 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 2730 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 2731 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 2732 }; 2733 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); 2734 2735 AuthorizationSet begin_params(client_params()); 2736 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2737 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2738 begin_params.push_back(TAG_MAC_LENGTH, 128); 2739 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); 2740 2741 string plaintext; 2742 size_t input_consumed; 2743 2744 // Import correct key and decrypt 2745 uint8_t good_key[] = { 2746 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2747 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2748 }; 2749 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); 2750 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2751 .AesEncryptionKey(128) 2752 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2753 .Authorization(TAG_PADDING, KM_PAD_NONE) 2754 .Authorization(TAG_CALLER_NONCE) 2755 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2756 KM_KEY_FORMAT_RAW, good_key_str)); 2757 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2758 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2759 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2760 2761 // Import bad key and decrypt 2762 uint8_t bad_key[] = { 2763 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2764 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2765 }; 2766 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); 2767 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2768 .AesEncryptionKey(128) 2769 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2770 .Authorization(TAG_PADDING, KM_PAD_NONE) 2771 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2772 KM_KEY_FORMAT_RAW, bad_key_str)); 2773 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2774 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2775 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2776 2777 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2778} 2779 2780TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { 2781 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2782 .AesEncryptionKey(128) 2783 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2784 .Authorization(TAG_PADDING, KM_PAD_NONE) 2785 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2786 string aad = "123456789012345678"; 2787 string empty_message; 2788 AuthorizationSet begin_params(client_params()); 2789 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2790 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2791 begin_params.push_back(TAG_MAC_LENGTH, 128); 2792 2793 AuthorizationSet update_params; 2794 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2795 2796 // Encrypt 2797 AuthorizationSet begin_out_params; 2798 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2799 string ciphertext; 2800 size_t input_consumed; 2801 AuthorizationSet update_out_params; 2802 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, 2803 &ciphertext, &input_consumed)); 2804 EXPECT_EQ(0U, input_consumed); 2805 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2806 2807 // Grab nonce 2808 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2809 begin_params.push_back(begin_out_params); 2810 2811 // Decrypt. 2812 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2813 string plaintext; 2814 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2815 &plaintext, &input_consumed)); 2816 EXPECT_EQ(ciphertext.size(), input_consumed); 2817 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2818 2819 EXPECT_EQ(empty_message, plaintext); 2820 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2821} 2822 2823TEST_P(EncryptionOperationsTest, AesGcmIncremental) { 2824 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2825 .AesEncryptionKey(128) 2826 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2827 .Authorization(TAG_PADDING, KM_PAD_NONE) 2828 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2829 AuthorizationSet begin_params(client_params()); 2830 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2831 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2832 begin_params.push_back(TAG_MAC_LENGTH, 128); 2833 2834 AuthorizationSet update_params; 2835 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); 2836 2837 // Encrypt 2838 AuthorizationSet begin_out_params; 2839 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2840 string ciphertext; 2841 size_t input_consumed; 2842 AuthorizationSet update_out_params; 2843 2844 // Send AAD, incrementally 2845 for (int i = 0; i < 1000; ++i) { 2846 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2847 &input_consumed)); 2848 EXPECT_EQ(0U, input_consumed); 2849 EXPECT_EQ(0U, ciphertext.size()); 2850 } 2851 2852 // Now send data, incrementally, no data. 2853 AuthorizationSet empty_params; 2854 for (int i = 0; i < 1000; ++i) { 2855 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, 2856 &input_consumed)); 2857 EXPECT_EQ(1U, input_consumed); 2858 } 2859 EXPECT_EQ(1000U, ciphertext.size()); 2860 2861 // And finish. 2862 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2863 EXPECT_EQ(1016U, ciphertext.size()); 2864 2865 // Grab nonce 2866 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2867 begin_params.push_back(begin_out_params); 2868 2869 // Decrypt. 2870 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2871 string plaintext; 2872 2873 // Send AAD, incrementally, no data 2874 for (int i = 0; i < 1000; ++i) { 2875 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, 2876 &input_consumed)); 2877 EXPECT_EQ(0U, input_consumed); 2878 EXPECT_EQ(0U, plaintext.size()); 2879 } 2880 2881 // Now send data, incrementally. 2882 for (size_t i = 0; i < ciphertext.length(); ++i) { 2883 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), 2884 &update_out_params, &plaintext, &input_consumed)); 2885 EXPECT_EQ(1U, input_consumed); 2886 } 2887 EXPECT_EQ(1000U, plaintext.size()); 2888 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2889 2890 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2891} 2892 2893TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 2894 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2895 .AesEncryptionKey(128) 2896 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2897 .Authorization(TAG_PADDING, KM_PAD_NONE) 2898 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2899 string message = "123456789012345678901234567890123456"; 2900 AuthorizationSet begin_params(client_params()); 2901 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2902 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2903 begin_params.push_back(TAG_MAC_LENGTH, 128); 2904 AuthorizationSet begin_out_params; 2905 2906 AuthorizationSet update_params; 2907 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 2908 2909 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2910 2911 // No data, AAD only. 2912 string ciphertext; 2913 size_t input_consumed; 2914 AuthorizationSet update_out_params; 2915 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, 2916 &ciphertext, &input_consumed)); 2917 EXPECT_EQ(0U, input_consumed); 2918 2919 // AAD and data. 2920 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2921 &input_consumed)); 2922 EXPECT_EQ(message.size(), input_consumed); 2923 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2924 2925 // Grab nonce. 2926 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2927 begin_params.push_back(begin_out_params); 2928 2929 // Decrypt 2930 update_params.Clear(); 2931 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); 2932 2933 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2934 string plaintext; 2935 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2936 &plaintext, &input_consumed)); 2937 EXPECT_EQ(ciphertext.size(), input_consumed); 2938 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2939 2940 EXPECT_EQ(message, plaintext); 2941 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2942} 2943 2944TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 2945 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2946 .AesEncryptionKey(128) 2947 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2948 .Authorization(TAG_PADDING, KM_PAD_NONE) 2949 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2950 string message = "12345678901234567890123456789012"; 2951 AuthorizationSet begin_params(client_params()); 2952 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2953 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2954 begin_params.push_back(TAG_MAC_LENGTH, 128); 2955 2956 AuthorizationSet update_params; 2957 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 2958 2959 AuthorizationSet finish_params; 2960 AuthorizationSet finish_out_params; 2961 2962 // Encrypt 2963 AuthorizationSet begin_out_params; 2964 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2965 AuthorizationSet update_out_params; 2966 string ciphertext; 2967 size_t input_consumed; 2968 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2969 &input_consumed)); 2970 EXPECT_EQ(message.size(), input_consumed); 2971 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2972 2973 // Grab nonce 2974 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2975 begin_params.push_back(begin_out_params); 2976 2977 update_params.Clear(); 2978 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 2979 2980 // Decrypt. 2981 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2982 string plaintext; 2983 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2984 &plaintext, &input_consumed)); 2985 EXPECT_EQ(ciphertext.size(), input_consumed); 2986 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2987 2988 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2989} 2990 2991TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 2992 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2993 .AesEncryptionKey(128) 2994 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2995 .Authorization(TAG_PADDING, KM_PAD_NONE) 2996 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2997 string message = "12345678901234567890123456789012"; 2998 AuthorizationSet begin_params(client_params()); 2999 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3000 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3001 begin_params.push_back(TAG_MAC_LENGTH, 128); 3002 3003 AuthorizationSet update_params; 3004 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3005 3006 // Encrypt 3007 AuthorizationSet begin_out_params; 3008 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3009 AuthorizationSet update_out_params; 3010 string ciphertext; 3011 size_t input_consumed; 3012 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3013 &input_consumed)); 3014 EXPECT_EQ(message.size(), input_consumed); 3015 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3016 3017 begin_params.push_back(TAG_NONCE, "123456789012", 12); 3018 3019 // Decrypt 3020 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3021 string plaintext; 3022 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3023 &plaintext, &input_consumed)); 3024 EXPECT_EQ(ciphertext.size(), input_consumed); 3025 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3026 3027 // With wrong nonce, should have gotten garbage plaintext. 3028 EXPECT_NE(message, plaintext); 3029 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3030} 3031 3032TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 3033 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3034 .AesEncryptionKey(128) 3035 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3036 .Authorization(TAG_PADDING, KM_PAD_NONE) 3037 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3038 string aad = "foobar"; 3039 string message = "123456789012345678901234567890123456"; 3040 AuthorizationSet begin_params(client_params()); 3041 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3042 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3043 begin_params.push_back(TAG_MAC_LENGTH, 128); 3044 AuthorizationSet begin_out_params; 3045 3046 AuthorizationSet update_params; 3047 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3048 3049 // Encrypt 3050 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3051 AuthorizationSet update_out_params; 3052 string ciphertext; 3053 size_t input_consumed; 3054 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3055 &input_consumed)); 3056 EXPECT_EQ(message.size(), input_consumed); 3057 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3058 3059 // Corrupt tag 3060 (*ciphertext.rbegin())++; 3061 3062 // Grab nonce. 3063 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3064 begin_params.push_back(begin_out_params); 3065 3066 // Decrypt. 3067 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3068 string plaintext; 3069 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3070 &plaintext, &input_consumed)); 3071 EXPECT_EQ(ciphertext.size(), input_consumed); 3072 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3073 3074 EXPECT_EQ(message, plaintext); 3075 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3076} 3077 3078typedef Keymaster1Test MaxOperationsTest; 3079INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); 3080 3081TEST_P(MaxOperationsTest, TestLimit) { 3082 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3083 .AesEncryptionKey(128) 3084 .EcbMode() 3085 .Authorization(TAG_PADDING, KM_PAD_NONE) 3086 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3087 3088 string message = "1234567890123456"; 3089 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3090 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3091 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3092 3093 // Fourth time should fail. 3094 AuthorizationSet begin_params(client_params()); 3095 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3096 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3097 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3098 3099 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3100} 3101 3102TEST_P(MaxOperationsTest, TestAbort) { 3103 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3104 .AesEncryptionKey(128) 3105 .EcbMode() 3106 .Authorization(TAG_PADDING, KM_PAD_NONE) 3107 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3108 3109 string message = "1234567890123456"; 3110 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3111 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3112 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3113 3114 // Fourth time should fail. 3115 AuthorizationSet begin_params(client_params()); 3116 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3117 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3118 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3119 3120 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3121} 3122 3123typedef Keymaster1Test AddEntropyTest; 3124INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 3125 3126TEST_P(AddEntropyTest, AddEntropy) { 3127 // There's no obvious way to test that entropy is actually added, but we can test that the API 3128 // doesn't blow up or return an error. 3129 EXPECT_EQ(KM_ERROR_OK, 3130 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 3131 3132 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3133} 3134 3135typedef Keymaster1Test Keymaster0AdapterTest; 3136INSTANTIATE_TEST_CASE_P( 3137 AndroidKeymasterTest, Keymaster0AdapterTest, 3138 ::testing::Values( 3139 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 3140 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); 3141 3142TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { 3143 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3144 // key data. 3145 string km1_sw = read_file("km1_sw_rsa_512.blob"); 3146 EXPECT_EQ(486U, km1_sw.length()); 3147 3148 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3149 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3150 set_key_blob(key_data, km1_sw.length()); 3151 3152 string message(64, 'a'); 3153 string signature; 3154 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3155 3156 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3157} 3158 3159TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) { 3160 // Load and use an old-style Keymaster1 software key blob, without the version byte. These 3161 // blobs contain OCB-encrypted key data. 3162 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob"); 3163 EXPECT_EQ(477U, km1_sw.length()); 3164 3165 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3166 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3167 set_key_blob(key_data, km1_sw.length()); 3168 3169 string message(64, 'a'); 3170 string signature; 3171 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3172 3173 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3174} 3175 3176TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { 3177 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3178 // key data. 3179 string km1_sw = read_file("km1_sw_ecdsa_256.blob"); 3180 EXPECT_EQ(270U, km1_sw.length()); 3181 3182 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3183 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3184 set_key_blob(key_data, km1_sw.length()); 3185 3186 string message(32, static_cast<char>(0xFF)); 3187 string signature; 3188 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3189 3190 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3191} 3192 3193struct Malloc_Delete { 3194 void operator()(void* p) { free(p); } 3195}; 3196 3197TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { 3198 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3199 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3200 EXPECT_EQ(333U, km0_sw.length()); 3201 3202 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3203 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3204 set_key_blob(key_data, km0_sw.length()); 3205 3206 string message(64, 'a'); 3207 string signature; 3208 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3209 3210 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3211} 3212 3213TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { 3214 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3215 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3216 EXPECT_EQ(333U, km0_sw.length()); 3217 3218 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3219 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3220 set_key_blob(key_data, km0_sw.length()); 3221 3222 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3223 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3224 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3225 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3226 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3227 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3228 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3229 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3230 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3231 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3232 3233 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3234} 3235 3236TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { 3237 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3238 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3239 EXPECT_EQ(333U, km0_sw.length()); 3240 3241 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3242 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3243 EXPECT_EQ('P', km0_sw[0]); 3244 km0_sw[0] = 'Q'; 3245 3246 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3247 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3248 set_key_blob(key_data, km0_sw.length()); 3249 3250 string message(64, 'a'); 3251 string signature; 3252 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3253 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 3254 3255 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 3256} 3257 3258TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { 3259 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3260 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3261 EXPECT_EQ(333U, km0_sw.length()); 3262 3263 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3264 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3265 EXPECT_EQ('P', km0_sw[0]); 3266 km0_sw[0] = 'Q'; 3267 3268 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3269 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3270 set_key_blob(key_data, km0_sw.length()); 3271 3272 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3273 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3274 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); 3275 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3276 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3277 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5)); 3278 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1)); 3279 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224)); 3280 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256)); 3281 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384)); 3282 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512)); 3283 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3284 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT)); 3285 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN)); 3286 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP)); 3287 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS)); 3288 EXPECT_EQ(15U, hw_enforced().size()); 3289 3290 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3291 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3292 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3293 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3294 3295 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3296 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3297 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3298 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3299 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3300 3301 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 3302} 3303 3304} // namespace test 3305} // namespace keymaster 3306