1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <errno.h> 18#include <stdio.h> 19#include <time.h> 20 21#include <keymaster/android_keymaster.h> 22#include <keymaster/authorization_set.h> 23#include <keymaster/keymaster_enforcement.h> 24 25#include "android_keymaster_test_utils.h" 26 27namespace keymaster { 28namespace test { 29 30class TestKeymasterEnforcement : public KeymasterEnforcement { 31 public: 32 TestKeymasterEnforcement() 33 : KeymasterEnforcement(3, 3), current_time_(10000), report_token_valid_(true) {} 34 35 keymaster_error_t AuthorizeOperation(const keymaster_purpose_t purpose, const km_id_t keyid, 36 const AuthorizationSet& auth_set) { 37 AuthorizationSet empty_set; 38 return KeymasterEnforcement::AuthorizeOperation( 39 purpose, keyid, auth_set, empty_set, 0 /* op_handle */, true /* is_begin_operation */); 40 } 41 using KeymasterEnforcement::AuthorizeOperation; 42 43 uint32_t get_current_time() const override { return current_time_; } 44 bool activation_date_valid(uint64_t activation_date) const override { 45 // Convert java date to time_t, non-portably. 46 time_t activation_time = activation_date / 1000; 47 return difftime(time(NULL), activation_time) >= 0; 48 } 49 bool expiration_date_passed(uint64_t expiration_date) const override { 50 // Convert jave date to time_t, non-portably. 51 time_t expiration_time = expiration_date / 1000; 52 return difftime(time(NULL), expiration_time) > 0; 53 } 54 bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const { 55 return current_time_ > ntoh(token.timestamp) + timeout; 56 } 57 bool ValidateTokenSignature(const hw_auth_token_t&) const override { 58 return report_token_valid_; 59 } 60 61 void tick(unsigned seconds = 1) { current_time_ += seconds; } 62 uint32_t current_time() { return current_time_; } 63 void set_report_token_valid(bool report_token_valid) { 64 report_token_valid_ = report_token_valid; 65 } 66 67 private: 68 uint32_t current_time_; 69 bool report_token_valid_; 70}; 71 72class KeymasterBaseTest : public ::testing::Test { 73 protected: 74 KeymasterBaseTest() { 75 past_time = 0; 76 77 time_t t = time(NULL); 78 future_tm = localtime(&t); 79 future_tm->tm_year += 1; 80 future_time = static_cast<uint64_t>(mktime(future_tm)) * 1000; 81 sign_param = Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN); 82 } 83 virtual ~KeymasterBaseTest() {} 84 85 TestKeymasterEnforcement kmen; 86 87 tm past_tm; 88 tm* future_tm; 89 uint64_t past_time; 90 uint64_t future_time; 91 static const km_id_t key_id = 0xa; 92 static const uid_t uid = 0xf; 93 keymaster_key_param_t sign_param; 94}; 95 96TEST_F(KeymasterBaseTest, TestValidKeyPeriodNoTags) { 97 keymaster_key_param_t params[] = { 98 sign_param, 99 }; 100 AuthorizationSet single_auth_set(params, array_length(params)); 101 102 keymaster_error_t kmer = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, single_auth_set); 103 ASSERT_EQ(KM_ERROR_OK, kmer); 104} 105 106TEST_F(KeymasterBaseTest, TestInvalidActiveTime) { 107 keymaster_key_param_t params[] = { 108 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 109 Authorization(TAG_NO_AUTH_REQUIRED), Authorization(TAG_ACTIVE_DATETIME, future_time), 110 }; 111 112 AuthorizationSet auth_set(params, array_length(params)); 113 114 ASSERT_EQ(KM_ERROR_KEY_NOT_YET_VALID, 115 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 116 117 // Pubkey ops allowed. 118 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 119} 120 121TEST_F(KeymasterBaseTest, TestValidActiveTime) { 122 keymaster_key_param_t params[] = { 123 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ACTIVE_DATETIME, past_time), 124 }; 125 126 AuthorizationSet auth_set(params, array_length(params)); 127 128 keymaster_error_t kmer_valid_time = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 129 ASSERT_EQ(KM_ERROR_OK, kmer_valid_time); 130} 131 132TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTime) { 133 keymaster_key_param_t params[] = { 134 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 135 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time), 136 }; 137 138 AuthorizationSet auth_set(params, array_length(params)); 139 140 ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 141 142 // Pubkey ops allowed. 143 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 144} 145 146TEST_F(KeymasterBaseTest, TestInvalidOriginationExpireTimeOnUsgae) { 147 keymaster_key_param_t params[] = { 148 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 149 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, past_time), 150 }; 151 152 AuthorizationSet auth_set(params, array_length(params)); 153 154 keymaster_error_t kmer_invalid_origination = 155 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); 156 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); 157} 158 159TEST_F(KeymasterBaseTest, TestValidOriginationExpireTime) { 160 keymaster_key_param_t params[] = { 161 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 162 Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, future_time), 163 }; 164 165 AuthorizationSet auth_set(params, array_length(params)); 166 167 keymaster_error_t kmer_valid_origination = 168 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 169 ASSERT_EQ(KM_ERROR_OK, kmer_valid_origination); 170} 171 172TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTime) { 173 keymaster_key_param_t params[] = { 174 Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), 175 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 176 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), 177 }; 178 179 AuthorizationSet auth_set(params, array_length(params)); 180 181 keymaster_error_t kmer_invalid_origination = 182 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); 183 ASSERT_EQ(KM_ERROR_KEY_EXPIRED, kmer_invalid_origination); 184} 185 186TEST_F(KeymasterBaseTest, TestInvalidPubkeyUsageExpireTime) { 187 keymaster_key_param_t params[] = { 188 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), 189 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 190 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), 191 }; 192 193 AuthorizationSet auth_set(params, array_length(params)); 194 195 keymaster_error_t kmer_invalid_origination = 196 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); 197 // Pubkey ops allowed. 198 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); 199} 200 201TEST_F(KeymasterBaseTest, TestInvalidUsageExpireTimeOnOrigination) { 202 keymaster_key_param_t params[] = { 203 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 204 Authorization(TAG_USAGE_EXPIRE_DATETIME, past_time), 205 }; 206 207 AuthorizationSet auth_set(params, array_length(params)); 208 209 keymaster_error_t kmer_invalid_origination = 210 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 211 ASSERT_EQ(KM_ERROR_OK, kmer_invalid_origination); 212} 213 214TEST_F(KeymasterBaseTest, TestValidUsageExpireTime) { 215 keymaster_key_param_t params[] = { 216 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 217 Authorization(TAG_USAGE_EXPIRE_DATETIME, future_time), 218 }; 219 220 AuthorizationSet auth_set(params, array_length(params)); 221 222 keymaster_error_t kmer_valid_usage = 223 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); 224 ASSERT_EQ(KM_ERROR_OK, kmer_valid_usage); 225} 226 227TEST_F(KeymasterBaseTest, TestValidSingleUseAccesses) { 228 keymaster_key_param_t params[] = { 229 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 230 }; 231 232 AuthorizationSet auth_set(params, array_length(params)); 233 234 keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 235 keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 236 237 ASSERT_EQ(KM_ERROR_OK, kmer1); 238 ASSERT_EQ(KM_ERROR_OK, kmer2); 239} 240 241TEST_F(KeymasterBaseTest, TestInvalidMaxOps) { 242 keymaster_key_param_t params[] = { 243 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), 244 Authorization(TAG_MAX_USES_PER_BOOT, 4), 245 }; 246 247 AuthorizationSet auth_set(params, array_length(params)); 248 249 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 250 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 251 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 252 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 253 ASSERT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, 254 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 255 // Pubkey ops allowed. 256 ASSERT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 257} 258 259TEST_F(KeymasterBaseTest, TestOverFlowMaxOpsTable) { 260 keymaster_key_param_t params[] = { 261 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 262 Authorization(TAG_MAX_USES_PER_BOOT, 2), 263 }; 264 265 AuthorizationSet auth_set(params, array_length(params)); 266 267 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); 268 269 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 2 /* key_id */, auth_set)); 270 271 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 3 /* key_id */, auth_set)); 272 273 // Key 4 should fail, because table is full. 274 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, 275 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set)); 276 277 // Key 1 still works, because it's already in the table and hasn't reached max. 278 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); 279 280 // Key 1 no longer works, because it's reached max. 281 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, 282 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); 283 284 // Key 4 should fail, because table is (still and forever) full. 285 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, 286 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 4 /* key_id */, auth_set)); 287 288 // Pubkey ops allowed. 289 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 290 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); 291} 292 293TEST_F(KeymasterBaseTest, TestInvalidTimeBetweenOps) { 294 keymaster_key_param_t params[] = { 295 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 296 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 10), 297 }; 298 299 AuthorizationSet auth_set(params, array_length(params)); 300 301 keymaster_error_t kmer1 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 302 keymaster_error_t kmer2 = kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set); 303 keymaster_error_t kmer3 = kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set); 304 305 ASSERT_EQ(KM_ERROR_OK, kmer1); 306 kmen.tick(2); 307 ASSERT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, kmer2); 308 309 // Allowed because it's a pubkey op. 310 ASSERT_EQ(KM_ERROR_OK, kmer3); 311} 312 313TEST_F(KeymasterBaseTest, TestValidTimeBetweenOps) { 314 keymaster_key_param_t params[] = { 315 Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 316 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 2), 317 }; 318 319 AuthorizationSet auth_set(params, array_length(params)); 320 321 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 322 kmen.tick(); 323 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 324 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 325 kmen.tick(); 326 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 327} 328 329TEST_F(KeymasterBaseTest, TestOptTimeoutTableOverflow) { 330 keymaster_key_param_t params[] = { 331 Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), 332 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4), 333 Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY), 334 }; 335 336 AuthorizationSet auth_set(params, array_length(params)); 337 338 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 339 340 kmen.tick(); 341 342 // Key 1 fails because it's too soon 343 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 344 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 345 346 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 347 348 kmen.tick(); 349 350 // Key 1 fails because it's too soon 351 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 352 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 353 // Key 2 fails because it's too soon 354 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 355 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 356 357 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); 358 359 kmen.tick(); 360 361 // Key 1 fails because it's too soon 362 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 363 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 364 // Key 2 fails because it's too soon 365 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 366 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 367 // Key 3 fails because it's too soon 368 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 369 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); 370 // Key 4 fails because the table is full 371 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, 372 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); 373 374 kmen.tick(); 375 376 // Key 4 succeeds because key 1 expired. 377 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); 378 379 // Key 1 fails because the table is full... and key 1 is no longer in it. 380 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, 381 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 382 // Key 2 fails because it's too soon 383 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 384 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 385 // Key 3 fails because it's too soon 386 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 387 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); 388 389 kmen.tick(); 390 391 // Key 1 succeeds because key 2 expired 392 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 393 // Key 2 fails because the table is full... and key 2 is no longer in it. 394 EXPECT_EQ(KM_ERROR_TOO_MANY_OPERATIONS, 395 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 396 // Key 3 fails because it's too soon 397 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 398 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); 399 // Key 4 fails because it's too soon 400 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 401 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 4 /* key_id */, auth_set)); 402 403 kmen.tick(4); 404 405 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 406 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 2 /* key_id */, auth_set)); 407 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 3 /* key_id */, auth_set)); 408} 409 410TEST_F(KeymasterBaseTest, TestPubkeyOptTimeoutTableOverflow) { 411 keymaster_key_param_t params[] = { 412 Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA), 413 Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, 4), Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN), 414 }; 415 416 AuthorizationSet auth_set(params, array_length(params)); 417 418 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); 419 420 kmen.tick(); 421 422 // Key 1 fails because it's too soon 423 EXPECT_EQ(KM_ERROR_KEY_RATE_LIMIT_EXCEEDED, 424 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, 1 /* key_id */, auth_set)); 425 // Too soo, but pubkey ops allowed. 426 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, 1 /* key_id */, auth_set)); 427} 428 429TEST_F(KeymasterBaseTest, TestInvalidPurpose) { 430 keymaster_purpose_t invalidPurpose1 = static_cast<keymaster_purpose_t>(-1); 431 keymaster_purpose_t invalidPurpose2 = static_cast<keymaster_purpose_t>(4); 432 433 AuthorizationSet auth_set( 434 AuthorizationSetBuilder().Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY)); 435 436 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 437 kmen.AuthorizeOperation(invalidPurpose1, key_id, auth_set)); 438 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 439 kmen.AuthorizeOperation(invalidPurpose2, key_id, auth_set)); 440} 441 442TEST_F(KeymasterBaseTest, TestIncompatiblePurposeSymmetricKey) { 443 AuthorizationSet auth_set(AuthorizationSetBuilder() 444 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES) 445 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY) 446 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 447 448 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 449 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 450 451 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, 452 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set)); 453 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, 454 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set)); 455} 456 457TEST_F(KeymasterBaseTest, TestIncompatiblePurposeAssymmetricKey) { 458 AuthorizationSet auth_set(AuthorizationSetBuilder() 459 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 460 .Authorization(TAG_PURPOSE, KM_PURPOSE_VERIFY) 461 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 462 463 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 464 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 465 466 // This one is allowed because it's a pubkey op. 467 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, auth_set)); 468 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, 469 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, auth_set)); 470} 471 472TEST_F(KeymasterBaseTest, TestInvalidCallerNonce) { 473 AuthorizationSet no_caller_nonce(AuthorizationSetBuilder() 474 .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT) 475 .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT) 476 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES)); 477 AuthorizationSet caller_nonce(AuthorizationSetBuilder() 478 .Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT) 479 .Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT) 480 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_HMAC) 481 .Authorization(TAG_CALLER_NONCE)); 482 AuthorizationSet begin_params(AuthorizationSetBuilder().Authorization(TAG_NONCE, "foo", 3)); 483 484 EXPECT_EQ(KM_ERROR_OK, 485 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, caller_nonce, begin_params, 486 0 /* challenge */, true /* is_begin_operation */)); 487 EXPECT_EQ(KM_ERROR_OK, 488 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, caller_nonce, begin_params, 489 0 /* challenge */, true /* is_begin_operation */)); 490 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 491 kmen.AuthorizeOperation(KM_PURPOSE_ENCRYPT, key_id, no_caller_nonce, begin_params, 492 0 /* challenge */, true /* is_begin_operation */)); 493 EXPECT_EQ(KM_ERROR_OK, 494 kmen.AuthorizeOperation(KM_PURPOSE_DECRYPT, key_id, no_caller_nonce, begin_params, 495 0 /* challenge */, true /* is_begin_operation */)); 496} 497 498TEST_F(KeymasterBaseTest, TestBootloaderOnly) { 499 AuthorizationSet auth_set(AuthorizationSetBuilder() 500 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN) 501 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 502 .Authorization(TAG_BOOTLOADER_ONLY)); 503 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 504 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 505 506 // Pubkey ops allowed. 507 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set)); 508} 509 510TEST_F(KeymasterBaseTest, TestInvalidTag) { 511 AuthorizationSet auth_set(AuthorizationSetBuilder() 512 .Authorization(TAG_INVALID) 513 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 514 515 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 516 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 517} 518 519TEST_F(KeymasterBaseTest, TestAuthPerOpSuccess) { 520 hw_auth_token_t token; 521 memset(&token, 0, sizeof(token)); 522 token.version = HW_AUTH_TOKEN_VERSION; 523 token.challenge = 99; 524 token.user_id = 9; 525 token.authenticator_id = 0; 526 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 527 token.timestamp = 0; 528 529 AuthorizationSet auth_set(AuthorizationSetBuilder() 530 .Authorization(TAG_USER_SECURE_ID, token.user_id) 531 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 532 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 533 534 AuthorizationSet op_params; 535 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 536 537 EXPECT_EQ(KM_ERROR_OK, 538 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 539 false /* is_begin_operation */)); 540} 541 542TEST_F(KeymasterBaseTest, TestAuthPerOpInvalidTokenSignature) { 543 hw_auth_token_t token; 544 memset(&token, 0, sizeof(token)); 545 token.version = HW_AUTH_TOKEN_VERSION; 546 token.challenge = 99; 547 token.user_id = 9; 548 token.authenticator_id = 0; 549 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 550 token.timestamp = 0; 551 552 AuthorizationSet auth_set(AuthorizationSetBuilder() 553 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 554 .Authorization(TAG_USER_SECURE_ID, token.user_id) 555 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 556 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 557 558 AuthorizationSet op_params; 559 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 560 561 kmen.set_report_token_valid(false); 562 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 563 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 564 false /* is_begin_operation */)); 565 // Pubkey ops allowed. 566 EXPECT_EQ(KM_ERROR_OK, 567 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 568 token.challenge, false /* is_begin_operation */)); 569} 570 571TEST_F(KeymasterBaseTest, TestAuthPerOpWrongChallenge) { 572 hw_auth_token_t token; 573 memset(&token, 0, sizeof(token)); 574 token.version = HW_AUTH_TOKEN_VERSION; 575 token.challenge = 99; 576 token.user_id = 9; 577 token.authenticator_id = 0; 578 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 579 token.timestamp = 0; 580 581 AuthorizationSet auth_set(AuthorizationSetBuilder() 582 .Authorization(TAG_USER_SECURE_ID, token.user_id) 583 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 584 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 585 586 AuthorizationSet op_params; 587 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 588 589 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 590 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 591 token.challenge + 1 /* doesn't match token */, 592 false /* is_begin_operation */)); 593} 594 595TEST_F(KeymasterBaseTest, TestAuthPerOpNoAuthType) { 596 hw_auth_token_t token; 597 memset(&token, 0, sizeof(token)); 598 token.version = HW_AUTH_TOKEN_VERSION; 599 token.challenge = 99; 600 token.user_id = 9; 601 token.authenticator_id = 0; 602 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 603 token.timestamp = 0; 604 605 AuthorizationSet auth_set(AuthorizationSetBuilder() 606 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 607 .Authorization(TAG_USER_SECURE_ID, token.user_id) 608 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 609 610 AuthorizationSet op_params; 611 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 612 613 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 614 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 615 false /* is_begin_operation */)); 616 // Pubkey ops allowed. 617 EXPECT_EQ(KM_ERROR_OK, 618 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 619 token.challenge, false /* is_begin_operation */)); 620} 621 622TEST_F(KeymasterBaseTest, TestAuthPerOpWrongAuthType) { 623 hw_auth_token_t token; 624 memset(&token, 0, sizeof(token)); 625 token.version = HW_AUTH_TOKEN_VERSION; 626 token.challenge = 99; 627 token.user_id = 9; 628 token.authenticator_id = 0; 629 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 630 token.timestamp = 0; 631 632 AuthorizationSet auth_set( 633 AuthorizationSetBuilder() 634 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 635 .Authorization(TAG_USER_SECURE_ID, token.user_id) 636 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_FINGERPRINT /* doesn't match token */) 637 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 638 639 AuthorizationSet op_params; 640 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 641 642 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 643 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 644 false /* is_begin_operation */)); 645 // Pubkey ops allowed. 646 EXPECT_EQ(KM_ERROR_OK, 647 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 648 token.challenge, false /* is_begin_operation */)); 649} 650 651TEST_F(KeymasterBaseTest, TestAuthPerOpWrongSid) { 652 hw_auth_token_t token; 653 memset(&token, 0, sizeof(token)); 654 token.version = HW_AUTH_TOKEN_VERSION; 655 token.challenge = 99; 656 token.user_id = 9; 657 token.authenticator_id = 0; 658 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 659 token.timestamp = 0; 660 661 AuthorizationSet auth_set( 662 AuthorizationSetBuilder() 663 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 664 .Authorization(TAG_USER_SECURE_ID, token.user_id + 1 /* doesn't match token */) 665 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 666 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 667 668 AuthorizationSet op_params; 669 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 670 671 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 672 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 673 false /* is_begin_operation */)); 674 // Pubkey op allowed. 675 EXPECT_EQ(KM_ERROR_OK, 676 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 677 token.challenge, false /* is_begin_operation */)); 678} 679 680TEST_F(KeymasterBaseTest, TestAuthPerOpSuccessAlternateSid) { 681 hw_auth_token_t token; 682 memset(&token, 0, sizeof(token)); 683 token.version = HW_AUTH_TOKEN_VERSION; 684 token.challenge = 99; 685 token.user_id = 9; 686 token.authenticator_id = 10; 687 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 688 token.timestamp = 0; 689 690 AuthorizationSet auth_set(AuthorizationSetBuilder() 691 .Authorization(TAG_USER_SECURE_ID, token.authenticator_id) 692 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 693 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 694 695 AuthorizationSet op_params; 696 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 697 698 EXPECT_EQ(KM_ERROR_OK, 699 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 700 false /* is_begin_operation */)); 701} 702 703TEST_F(KeymasterBaseTest, TestAuthPerOpMissingToken) { 704 hw_auth_token_t token; 705 memset(&token, 0, sizeof(token)); 706 token.version = HW_AUTH_TOKEN_VERSION; 707 token.challenge = 99; 708 token.user_id = 9; 709 token.authenticator_id = 0; 710 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 711 token.timestamp = 0; 712 713 AuthorizationSet auth_set(AuthorizationSetBuilder() 714 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 715 .Authorization(TAG_USER_SECURE_ID, token.user_id) 716 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 717 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 718 719 AuthorizationSet op_params; 720 721 // During begin we can skip the auth token 722 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 723 token.challenge, true /* is_begin_operation */)); 724 // Afterwards we must have authentication 725 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 726 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 727 false /* is_begin_operation */)); 728 // Pubkey ops allowed 729 EXPECT_EQ(KM_ERROR_OK, 730 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 731 token.challenge, false /* is_begin_operation */)); 732 733 auth_set.Reinitialize(AuthorizationSetBuilder() 734 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES) 735 .Authorization(TAG_USER_SECURE_ID, token.user_id) 736 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 737 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN) 738 .build()); 739 740 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 741 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 742 token.challenge, false /* is_begin_operation */)); 743} 744 745TEST_F(KeymasterBaseTest, TestAuthAndNoAuth) { 746 AuthorizationSet auth_set(AuthorizationSetBuilder() 747 .Authorization(TAG_USER_SECURE_ID, 1) 748 .Authorization(TAG_NO_AUTH_REQUIRED) 749 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 750 751 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 752 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set)); 753} 754 755TEST_F(KeymasterBaseTest, TestTimedAuthSuccess) { 756 hw_auth_token_t token; 757 memset(&token, 0, sizeof(token)); 758 token.version = HW_AUTH_TOKEN_VERSION; 759 token.challenge = 99; 760 token.user_id = 9; 761 token.authenticator_id = 0; 762 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 763 token.timestamp = hton(kmen.current_time()); 764 765 AuthorizationSet auth_set(AuthorizationSetBuilder() 766 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 767 .Authorization(TAG_USER_SECURE_ID, token.user_id) 768 .Authorization(TAG_AUTH_TIMEOUT, 1) 769 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 770 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 771 772 AuthorizationSet op_params; 773 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 774 775 EXPECT_EQ(KM_ERROR_OK, 776 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 777 0 /* irrelevant */, false /* is_begin_operation */)); 778} 779 780TEST_F(KeymasterBaseTest, TestTimedAuthTimedOut) { 781 hw_auth_token_t token; 782 memset(&token, 0, sizeof(token)); 783 token.version = HW_AUTH_TOKEN_VERSION; 784 token.challenge = 99; 785 token.user_id = 9; 786 token.authenticator_id = 0; 787 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 788 token.timestamp = hton(static_cast<uint64_t>(kmen.current_time())); 789 790 AuthorizationSet auth_set(AuthorizationSetBuilder() 791 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 792 .Authorization(TAG_USER_SECURE_ID, token.user_id) 793 .Authorization(TAG_AUTH_TIMEOUT, 1) 794 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 795 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 796 797 AuthorizationSet op_params; 798 op_params.push_back(Authorization(TAG_AUTH_TOKEN, &token, sizeof(token))); 799 800 EXPECT_EQ(KM_ERROR_OK, 801 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 802 0 /* irrelevant */, false /* is_begin_operation */)); 803 804 kmen.tick(1); 805 806 // token still good 807 EXPECT_EQ(KM_ERROR_OK, 808 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 809 0 /* irrelevant */, false /* is_begin_operation */)); 810 811 kmen.tick(1); 812 813 // token expired, not allowed during begin. 814 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 815 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 816 0 /* irrelevant */, true /* is_begin_operation */)); 817 818 // token expired, afterwards it's okay. 819 EXPECT_EQ(KM_ERROR_OK, 820 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, 821 0 /* irrelevant */, false /* is_begin_operation */)); 822 823 // Pubkey ops allowed. 824 EXPECT_EQ(KM_ERROR_OK, 825 kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 826 0 /* irrelevant */, true /* is_begin_operation */)); 827} 828 829TEST_F(KeymasterBaseTest, TestTimedAuthMissingToken) { 830 hw_auth_token_t token; 831 memset(&token, 0, sizeof(token)); 832 token.version = HW_AUTH_TOKEN_VERSION; 833 token.challenge = 99; 834 token.user_id = 9; 835 token.authenticator_id = 0; 836 token.authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD)); 837 token.timestamp = hton(static_cast<uint64_t>(kmen.current_time())); 838 839 AuthorizationSet auth_set(AuthorizationSetBuilder() 840 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 841 .Authorization(TAG_USER_SECURE_ID, token.user_id) 842 .Authorization(TAG_AUTH_TIMEOUT, 1) 843 .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_ANY) 844 .Authorization(TAG_PURPOSE, KM_PURPOSE_SIGN)); 845 846 AuthorizationSet op_params; 847 848 // Unlike auth-per-op, must have the auth token during begin. 849 EXPECT_EQ(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, 850 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 851 true /* is_begin_operation */)); 852 853 // Later we don't check (though begin would fail, so there wouldn't be a later). 854 EXPECT_EQ(KM_ERROR_OK, 855 kmen.AuthorizeOperation(KM_PURPOSE_SIGN, key_id, auth_set, op_params, token.challenge, 856 false /* is_begin_operation */)); 857 858 // Pubkey ops allowed. 859 EXPECT_EQ(KM_ERROR_OK, kmen.AuthorizeOperation(KM_PURPOSE_VERIFY, key_id, auth_set, op_params, 860 token.challenge, true /* is_begin_operation */)); 861} 862 863TEST_F(KeymasterBaseTest, TestCreateKeyId) { 864 keymaster_key_blob_t blob = {reinterpret_cast<const uint8_t*>("foobar"), 6}; 865 866 km_id_t key_id = 0; 867 EXPECT_TRUE(KeymasterEnforcement::CreateKeyId(blob, &key_id)); 868 EXPECT_NE(0U, key_id); 869} 870 871}; /* namespace test */ 872}; /* namespace keymaster */ 873