1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <fstream>
18#include <string>
19#include <vector>
20
21#include <openssl/evp.h>
22#include <openssl/x509.h>
23
24#include <hardware/keymaster0.h>
25#include <keymaster/key_factory.h>
26#include <keymaster/soft_keymaster_context.h>
27#include <keymaster/soft_keymaster_device.h>
28#include <keymaster/softkeymaster.h>
29
30#include "android_keymaster_test_utils.h"
31#include "attestation_record.h"
32#include "keymaster0_engine.h"
33#include "openssl_utils.h"
34
35using std::ifstream;
36using std::istreambuf_iterator;
37using std::ofstream;
38using std::string;
39using std::unique_ptr;
40using std::vector;
41
42extern "C" {
43int __android_log_print(int prio, const char* tag, const char* fmt);
44int __android_log_print(int prio, const char* tag, const char* fmt) {
45    (void)prio, (void)tag, (void)fmt;
46    return 0;
47}
48}  // extern "C"
49
50namespace keymaster {
51namespace test {
52
53const uint32_t kOsVersion = 060000;
54const uint32_t kOsPatchLevel = 201603;
55
56StdoutLogger logger;
57
58template <typename T> vector<T> make_vector(const T* array, size_t len) {
59    return vector<T>(array, array + len);
60}
61
62/**
63 * KeymasterEnforcement class for use in testing.  It's permissive in the sense that it doesn't
64 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited
65 * keys will only work once).
66 */
67class TestKeymasterEnforcement : public KeymasterEnforcement {
68  public:
69    TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {}
70
71    virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; }
72    virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; }
73    virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */,
74                                      uint32_t /* timeout */) const {
75        return false;
76    }
77    virtual uint32_t get_current_time() const { return 0; }
78    virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; }
79};
80
81/**
82 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement.
83 */
84class TestKeymasterContext : public SoftKeymasterContext {
85  public:
86    TestKeymasterContext() {}
87    TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {}
88
89    KeymasterEnforcement* enforcement_policy() override { return &test_policy_; }
90
91  private:
92    TestKeymasterEnforcement test_policy_;
93};
94
95/**
96 * Test instance creator that builds a pure software keymaster2 implementation.
97 */
98class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator {
99  public:
100    keymaster2_device_t* CreateDevice() const override {
101        std::cerr << "Creating software-only device" << std::endl;
102        context_ = new TestKeymasterContext;
103        SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
104        AuthorizationSet version_info(AuthorizationSetBuilder()
105                                          .Authorization(TAG_OS_VERSION, kOsVersion)
106                                          .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
107        device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
108        return device->keymaster2_device();
109    }
110
111    bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
112    int keymaster0_calls() const override { return 0; }
113    bool is_keymaster1_hw() const override { return false; }
114    KeymasterContext* keymaster_context() const override { return context_; }
115
116  private:
117    mutable TestKeymasterContext* context_;
118};
119
120/**
121 * Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0
122 * instance, with or without EC support.
123 */
124class Keymaster0AdapterTestInstanceCreator : public Keymaster2TestInstanceCreator {
125  public:
126    Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {}
127
128    keymaster2_device_t* CreateDevice() const {
129        std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_
130                  << ")." << std::endl;
131        hw_device_t* softkeymaster_device;
132        EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER,
133                                  &softkeymaster_device));
134        // Make the software device pretend to be hardware
135        keymaster0_device_t* keymaster0_device =
136            reinterpret_cast<keymaster0_device_t*>(softkeymaster_device);
137        keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY;
138
139        if (!support_ec_) {
140            // Make the software device pretend not to support EC
141            keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC;
142        }
143
144        counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device);
145
146        context_ = new TestKeymasterContext;
147        SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(context_);
148        keymaster->SetHardwareDevice(counting_keymaster0_device_);
149        AuthorizationSet version_info(AuthorizationSetBuilder()
150                                          .Authorization(TAG_OS_VERSION, kOsVersion)
151                                          .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
152        keymaster->keymaster2_device()->configure(keymaster->keymaster2_device(), &version_info);
153        return keymaster->keymaster2_device();
154    }
155
156    bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override {
157        switch (algorithm) {
158        case KM_ALGORITHM_RSA:
159            return true;
160        case KM_ALGORITHM_EC:
161            return support_ec_;
162        default:
163            return false;
164        }
165    }
166    int keymaster0_calls() const override { return counting_keymaster0_device_->count(); }
167    bool is_keymaster1_hw() const override { return false; }
168    KeymasterContext* keymaster_context() const override { return context_; }
169
170  private:
171    mutable TestKeymasterContext* context_;
172    mutable Keymaster0CountingWrapper* counting_keymaster0_device_;
173    bool support_ec_;
174};
175
176/**
177 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
178 * instance, with minimal digest support.
179 */
180class Sha256OnlyKeymaster2TestInstanceCreator : public Keymaster2TestInstanceCreator {
181    keymaster2_device_t* CreateDevice() const {
182        std::cerr << "Creating keymaster1-backed device that supports only SHA256";
183
184        // fake_device doesn't leak because device (below) takes ownership of it.
185        keymaster1_device_t* fake_device = make_device_sha256_only(
186            (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device());
187
188        // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
189        context_ = new TestKeymasterContext;
190        SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
191        device->SetHardwareDevice(fake_device);
192
193        AuthorizationSet version_info(AuthorizationSetBuilder()
194                                          .Authorization(TAG_OS_VERSION, kOsVersion)
195                                          .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
196        device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
197        return device->keymaster2_device();
198    }
199
200    bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
201    int keymaster0_calls() const override { return 0; }
202    int minimal_digest_set() const override { return true; }
203    bool is_keymaster1_hw() const override { return true; }
204    KeymasterContext* keymaster_context() const override { return context_; }
205
206  private:
207    mutable TestKeymasterContext* context_;
208};
209
210static auto test_params = testing::Values(
211    InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator),
212    InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
213    InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)),
214    InstanceCreatorPtr(new Sha256OnlyKeymaster2TestInstanceCreator));
215
216class NewKeyGeneration : public Keymaster2Test {
217  protected:
218    void CheckBaseParams() {
219        AuthorizationSet auths = sw_enforced();
220        EXPECT_GT(auths.SerializedSize(), 12U);
221
222        EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN));
223        EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY));
224        EXPECT_TRUE(contains(auths, TAG_USER_ID, 7));
225        EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
226        EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300));
227
228        // Verify that App ID, App data and ROT are NOT included.
229        EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST));
230        EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID));
231        EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA));
232
233        // Just for giggles, check that some unexpected tags/values are NOT present.
234        EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
235        EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT));
236        EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301));
237
238        // Now check that unspecified, defaulted tags are correct.
239        EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME));
240        if (GetParam()->is_keymaster1_hw()) {
241            // If the underlying (faked) HW is KM1, it will not have version info.
242            EXPECT_FALSE(auths.Contains(TAG_OS_VERSION));
243            EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL));
244        } else {
245            // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by
246            // SoftKeymasterDevice, version information will be present and up to date.
247            EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion));
248            EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel));
249        }
250    }
251};
252INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params);
253
254TEST_P(NewKeyGeneration, Rsa) {
255    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
256                                           .RsaSigningKey(256, 3)
257                                           .Digest(KM_DIGEST_NONE)
258                                           .Padding(KM_PAD_NONE)));
259    CheckBaseParams();
260
261    // Check specified tags are all present, and in the right set.
262    AuthorizationSet crypto_params;
263    AuthorizationSet non_crypto_params;
264    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
265        EXPECT_NE(0U, hw_enforced().size());
266        EXPECT_NE(0U, sw_enforced().size());
267        crypto_params.push_back(hw_enforced());
268        non_crypto_params.push_back(sw_enforced());
269    } else {
270        EXPECT_EQ(0U, hw_enforced().size());
271        EXPECT_NE(0U, sw_enforced().size());
272        crypto_params.push_back(sw_enforced());
273    }
274
275    EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
276    EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
277    EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256));
278    EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256));
279    EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
280    EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
281
282    EXPECT_EQ(KM_ERROR_OK, DeleteKey());
283
284    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
285        EXPECT_EQ(2, GetParam()->keymaster0_calls());
286}
287
288TEST_P(NewKeyGeneration, RsaDefaultSize) {
289    ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
290              GenerateKey(AuthorizationSetBuilder()
291                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
292                              .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
293                              .SigningKey()));
294
295    EXPECT_EQ(0, GetParam()->keymaster0_calls());
296}
297
298TEST_P(NewKeyGeneration, Ecdsa) {
299    ASSERT_EQ(KM_ERROR_OK,
300              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
301    CheckBaseParams();
302
303    // Check specified tags are all present, and in the right set.
304    AuthorizationSet crypto_params;
305    AuthorizationSet non_crypto_params;
306    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
307        EXPECT_NE(0U, hw_enforced().size());
308        EXPECT_NE(0U, sw_enforced().size());
309        crypto_params.push_back(hw_enforced());
310        non_crypto_params.push_back(sw_enforced());
311    } else {
312        EXPECT_EQ(0U, hw_enforced().size());
313        EXPECT_NE(0U, sw_enforced().size());
314        crypto_params.push_back(sw_enforced());
315    }
316
317    EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
318    EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
319    EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224));
320    EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224));
321
322    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
323        EXPECT_EQ(1, GetParam()->keymaster0_calls());
324}
325
326TEST_P(NewKeyGeneration, EcdsaDefaultSize) {
327    ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
328              GenerateKey(AuthorizationSetBuilder()
329                              .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
330                              .SigningKey()
331                              .Digest(KM_DIGEST_NONE)));
332
333    EXPECT_EQ(0, GetParam()->keymaster0_calls());
334}
335
336TEST_P(NewKeyGeneration, EcdsaInvalidSize) {
337    ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
338              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
339    EXPECT_EQ(0, GetParam()->keymaster0_calls());
340}
341
342TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) {
343    ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT,
344              GenerateKey(AuthorizationSetBuilder()
345                              .EcdsaSigningKey(224)
346                              .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256)
347                              .Digest(KM_DIGEST_NONE)));
348}
349
350TEST_P(NewKeyGeneration, EcdsaAllValidSizes) {
351    size_t valid_sizes[] = {224, 256, 384, 521};
352    for (size_t size : valid_sizes) {
353        EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(
354                                   KM_DIGEST_NONE)))
355            << "Failed to generate size: " << size;
356    }
357
358    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
359        EXPECT_EQ(4, GetParam()->keymaster0_calls());
360}
361
362TEST_P(NewKeyGeneration, HmacSha256) {
363    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
364                                           .HmacKey(128)
365                                           .Digest(KM_DIGEST_SHA_2_256)
366                                           .Authorization(TAG_MIN_MAC_LENGTH, 256)));
367
368    EXPECT_EQ(0, GetParam()->keymaster0_calls());
369}
370
371TEST_P(NewKeyGeneration, HmacMultipleDigests) {
372    ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
373              GenerateKey(AuthorizationSetBuilder()
374                              .HmacKey(128)
375                              .Digest(KM_DIGEST_SHA1)
376                              .Digest(KM_DIGEST_SHA_2_256)
377                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
378
379    EXPECT_EQ(0, GetParam()->keymaster0_calls());
380}
381
382TEST_P(NewKeyGeneration, HmacDigestNone) {
383    ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
384              GenerateKey(AuthorizationSetBuilder()
385                              .HmacKey(128)
386                              .Digest(KM_DIGEST_NONE)
387                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
388
389    EXPECT_EQ(0, GetParam()->keymaster0_calls());
390}
391
392TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) {
393    ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
394              GenerateKey(AuthorizationSetBuilder()
395                              .HmacKey(128)
396                              .Digest(KM_DIGEST_SHA_2_256)
397                              .Authorization(TAG_MIN_MAC_LENGTH, 48)));
398
399    EXPECT_EQ(0, GetParam()->keymaster0_calls());
400}
401
402TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) {
403    ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
404              GenerateKey(AuthorizationSetBuilder()
405                              .HmacKey(128)
406                              .Digest(KM_DIGEST_SHA_2_256)
407                              .Authorization(TAG_MIN_MAC_LENGTH, 130)));
408
409    EXPECT_EQ(0, GetParam()->keymaster0_calls());
410}
411
412TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) {
413    ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
414              GenerateKey(AuthorizationSetBuilder()
415                              .HmacKey(128)
416                              .Digest(KM_DIGEST_SHA_2_256)
417                              .Authorization(TAG_MIN_MAC_LENGTH, 384)));
418
419    EXPECT_EQ(0, GetParam()->keymaster0_calls());
420}
421
422typedef Keymaster2Test GetKeyCharacteristics;
423INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params);
424
425TEST_P(GetKeyCharacteristics, SimpleRsa) {
426    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
427                                           .RsaSigningKey(256, 3)
428                                           .Digest(KM_DIGEST_NONE)
429                                           .Padding(KM_PAD_NONE)));
430    AuthorizationSet original(sw_enforced());
431
432    ASSERT_EQ(KM_ERROR_OK, GetCharacteristics());
433    EXPECT_EQ(original, sw_enforced());
434
435    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
436        EXPECT_EQ(1, GetParam()->keymaster0_calls());
437}
438
439typedef Keymaster2Test SigningOperationsTest;
440INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params);
441
442TEST_P(SigningOperationsTest, RsaSuccess) {
443    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
444                                           .RsaSigningKey(256, 3)
445                                           .Digest(KM_DIGEST_NONE)
446                                           .Padding(KM_PAD_NONE)));
447    string message = "12345678901234567890123456789012";
448    string signature;
449    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
450
451    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
452        EXPECT_EQ(3, GetParam()->keymaster0_calls());
453}
454
455TEST_P(SigningOperationsTest, RsaPssSha256Success) {
456    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
457                                           .RsaSigningKey(768, 3)
458                                           .Digest(KM_DIGEST_SHA_2_256)
459                                           .Padding(KM_PAD_RSA_PSS)));
460    // Use large message, which won't work without digesting.
461    string message(1024, 'a');
462    string signature;
463    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
464
465    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
466        EXPECT_EQ(3, GetParam()->keymaster0_calls());
467}
468
469TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
470    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
471                                           .RsaSigningKey(512, 3)
472                                           .Digest(KM_DIGEST_NONE)
473                                           .Padding(KM_PAD_NONE)));
474    string message = "12345678901234567890123456789012";
475    string signature;
476
477    AuthorizationSet begin_params(client_params());
478    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
479    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
480    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
481
482    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
483        EXPECT_EQ(2, GetParam()->keymaster0_calls());
484}
485
486TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
487    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
488                                           .RsaSigningKey(512, 3)
489                                           .Digest(KM_DIGEST_SHA_2_256)
490                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
491    string message(1024, 'a');
492    string signature;
493    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
494
495    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
496        EXPECT_EQ(3, GetParam()->keymaster0_calls());
497}
498
499TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
500    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
501                                           .RsaSigningKey(512, 3)
502                                           .Digest(KM_DIGEST_NONE)
503                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
504    string message(53, 'a');
505    string signature;
506    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN);
507
508    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
509        EXPECT_EQ(3, GetParam()->keymaster0_calls());
510}
511
512TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) {
513    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
514                                           .RsaSigningKey(512, 3)
515                                           .Digest(KM_DIGEST_NONE)
516                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
517    string message(54, 'a');
518
519    AuthorizationSet begin_params(client_params());
520    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
521    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
522    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
523    string result;
524    size_t input_consumed;
525    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
526    string signature;
527    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature));
528
529    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
530        EXPECT_EQ(2, GetParam()->keymaster0_calls());
531}
532
533TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) {
534    // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so
535    // verify that nine bytes larger than hash won't work.
536    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
537                                           .RsaSigningKey(256 + 9 * 8, 3)
538                                           .Digest(KM_DIGEST_SHA_2_256)
539                                           .Padding(KM_PAD_RSA_PSS)));
540    string message(1024, 'a');
541    string signature;
542
543    AuthorizationSet begin_params(client_params());
544    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
545    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
546    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
547}
548
549TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) {
550    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
551                                           .RsaSigningKey(256, 3)
552                                           .Digest(KM_DIGEST_NONE)
553                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
554    string message(64 * 1024, 'a');
555    string signature;
556    AuthorizationSet begin_params(client_params());
557    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
558    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
559    ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
560    string result;
561    size_t input_consumed;
562    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
563
564    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
565        EXPECT_EQ(2, GetParam()->keymaster0_calls());
566}
567
568TEST_P(SigningOperationsTest, RsaAbort) {
569    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
570                                           .RsaSigningKey(256, 3)
571                                           .Digest(KM_DIGEST_NONE)
572                                           .Padding(KM_PAD_NONE)));
573    AuthorizationSet begin_params(client_params());
574    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
575    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
576    ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
577    EXPECT_EQ(KM_ERROR_OK, AbortOperation());
578    // Another abort should fail
579    EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation());
580
581    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
582        EXPECT_EQ(2, GetParam()->keymaster0_calls());
583}
584
585TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
586    GenerateKey(AuthorizationSetBuilder()
587                    .RsaSigningKey(256, 3)
588                    .Digest(KM_DIGEST_SHA_2_256 /* supported digest */)
589                    .Padding(KM_PAD_PKCS7));
590    AuthorizationSet begin_params(client_params());
591    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
592    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
593
594    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
595        EXPECT_EQ(2, GetParam()->keymaster0_calls());
596}
597
598TEST_P(SigningOperationsTest, RsaNoDigest) {
599    // PSS requires a digest.
600    GenerateKey(AuthorizationSetBuilder()
601                    .RsaSigningKey(256, 3)
602                    .Digest(KM_DIGEST_NONE)
603                    .Padding(KM_PAD_RSA_PSS));
604    AuthorizationSet begin_params(client_params());
605    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
606    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
607    ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
608
609    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
610        EXPECT_EQ(2, GetParam()->keymaster0_calls());
611}
612
613TEST_P(SigningOperationsTest, RsaNoPadding) {
614    // Padding must be specified
615    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest(
616                               KM_DIGEST_NONE)));
617    AuthorizationSet begin_params(client_params());
618    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
619    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
620
621    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
622        EXPECT_EQ(2, GetParam()->keymaster0_calls());
623}
624
625TEST_P(SigningOperationsTest, RsaTooShortMessage) {
626    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
627                                           .RsaSigningKey(256, 3)
628                                           .Digest(KM_DIGEST_NONE)
629                                           .Padding(KM_PAD_NONE)));
630    string message = "1234567890123456789012345678901";
631    string signature;
632    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
633
634    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
635        EXPECT_EQ(3, GetParam()->keymaster0_calls());
636}
637
638TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
639    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
640                                           .RsaEncryptionKey(256, 3)
641                                           .Digest(KM_DIGEST_NONE)
642                                           .Padding(KM_PAD_NONE)));
643    AuthorizationSet begin_params(client_params());
644    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
645    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
646    ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
647
648    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
649        EXPECT_EQ(2, GetParam()->keymaster0_calls());
650}
651
652TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
653    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
654                                           .RsaSigningKey(256, 3)
655                                           .Digest(KM_DIGEST_NONE)
656                                           .Padding(KM_PAD_NONE)));
657    string message(256 / 8, static_cast<char>(0xff));
658    string signature;
659    AuthorizationSet begin_params(client_params());
660    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
661    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
662    ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
663    string result;
664    size_t input_consumed;
665    ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
666    ASSERT_EQ(message.size(), input_consumed);
667    string output;
668    ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output));
669
670    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
671        EXPECT_EQ(3, GetParam()->keymaster0_calls());
672}
673
674TEST_P(SigningOperationsTest, EcdsaSuccess) {
675    ASSERT_EQ(KM_ERROR_OK,
676              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
677    string message(224 / 8, 'a');
678    string signature;
679    SignMessage(message, &signature, KM_DIGEST_NONE);
680
681    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
682        EXPECT_EQ(3, GetParam()->keymaster0_calls());
683}
684
685TEST_P(SigningOperationsTest, EcdsaSha256Success) {
686    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
687                               KM_DIGEST_SHA_2_256)));
688    string message(1024, 'a');
689    string signature;
690    SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
691
692    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
693        EXPECT_EQ(3, GetParam()->keymaster0_calls());
694}
695
696TEST_P(SigningOperationsTest, EcdsaSha384Success) {
697    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
698                               KM_DIGEST_SHA_2_384)));
699    string message(1024, 'a');
700    string signature;
701    SignMessage(message, &signature, KM_DIGEST_SHA_2_384);
702
703    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
704        EXPECT_EQ(3, GetParam()->keymaster0_calls());
705}
706
707TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) {
708    ASSERT_EQ(KM_ERROR_OK,
709              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
710    string message(64 * 1024, 'a');
711    string signature;
712    AuthorizationSet begin_params(client_params());
713    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
714    ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
715    string result;
716    size_t input_consumed;
717    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
718
719    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
720        EXPECT_EQ(2, GetParam()->keymaster0_calls());
721}
722
723TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
724    vector<int> key_sizes = {224, 256, 384, 521};
725    vector<keymaster_digest_t> digests = {
726        KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
727        KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
728    };
729
730    for (int key_size : key_sizes) {
731        for (keymaster_digest_t digest : digests) {
732            ASSERT_EQ(
733                KM_ERROR_OK,
734                GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest)));
735
736            string message(1024, 'a');
737            string signature;
738            if (digest == KM_DIGEST_NONE)
739                message.resize(key_size / 8);
740            SignMessage(message, &signature, digest);
741        }
742    }
743
744    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
745        EXPECT_EQ(digests.size() * key_sizes.size() * 3,
746                  static_cast<size_t>(GetParam()->keymaster0_calls()));
747}
748
749TEST_P(SigningOperationsTest, AesEcbSign) {
750    ASSERT_EQ(KM_ERROR_OK,
751              GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization(
752                  TAG_BLOCK_MODE, KM_MODE_ECB)));
753    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN));
754    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY));
755
756    EXPECT_EQ(0, GetParam()->keymaster0_calls());
757}
758
759TEST_P(SigningOperationsTest, HmacSha1Success) {
760    if (GetParam()->minimal_digest_set())
761        // Can't emulate other digests for HMAC.
762        return;
763
764    GenerateKey(AuthorizationSetBuilder()
765                    .HmacKey(128)
766                    .Digest(KM_DIGEST_SHA1)
767                    .Authorization(TAG_MIN_MAC_LENGTH, 160));
768    string message = "12345678901234567890123456789012";
769    string signature;
770    MacMessage(message, &signature, 160);
771    ASSERT_EQ(20U, signature.size());
772
773    EXPECT_EQ(0, GetParam()->keymaster0_calls());
774}
775
776TEST_P(SigningOperationsTest, HmacSha224Success) {
777    if (GetParam()->minimal_digest_set())
778        // Can't emulate other digests for HMAC.
779        return;
780
781    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
782                                           .HmacKey(128)
783                                           .Digest(KM_DIGEST_SHA_2_224)
784                                           .Authorization(TAG_MIN_MAC_LENGTH, 160)));
785    string message = "12345678901234567890123456789012";
786    string signature;
787    MacMessage(message, &signature, 224);
788    ASSERT_EQ(28U, signature.size());
789
790    EXPECT_EQ(0, GetParam()->keymaster0_calls());
791}
792
793TEST_P(SigningOperationsTest, HmacSha256Success) {
794    if (GetParam()->minimal_digest_set())
795        // Can't emulate other digests for HMAC.
796        return;
797
798    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
799                                           .HmacKey(128)
800                                           .Digest(KM_DIGEST_SHA_2_256)
801                                           .Authorization(TAG_MIN_MAC_LENGTH, 256)));
802    string message = "12345678901234567890123456789012";
803    string signature;
804    MacMessage(message, &signature, 256);
805    ASSERT_EQ(32U, signature.size());
806
807    EXPECT_EQ(0, GetParam()->keymaster0_calls());
808}
809
810TEST_P(SigningOperationsTest, HmacSha384Success) {
811    if (GetParam()->minimal_digest_set())
812        // Can't emulate other digests for HMAC.
813        return;
814
815    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
816                                           .HmacKey(128)
817                                           .Digest(KM_DIGEST_SHA_2_384)
818                                           .Authorization(TAG_MIN_MAC_LENGTH, 384)));
819
820    string message = "12345678901234567890123456789012";
821    string signature;
822    MacMessage(message, &signature, 384);
823    ASSERT_EQ(48U, signature.size());
824
825    EXPECT_EQ(0, GetParam()->keymaster0_calls());
826}
827
828TEST_P(SigningOperationsTest, HmacSha512Success) {
829    if (GetParam()->minimal_digest_set())
830        // Can't emulate other digests for HMAC.
831        return;
832
833    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
834                                           .HmacKey(128)
835                                           .Digest(KM_DIGEST_SHA_2_512)
836                                           .Authorization(TAG_MIN_MAC_LENGTH, 384)));
837    string message = "12345678901234567890123456789012";
838    string signature;
839    MacMessage(message, &signature, 512);
840    ASSERT_EQ(64U, signature.size());
841
842    EXPECT_EQ(0, GetParam()->keymaster0_calls());
843}
844
845TEST_P(SigningOperationsTest, HmacLengthInKey) {
846    // TODO(swillden): unified API should generate an error on key generation.
847    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
848                                           .HmacKey(128)
849                                           .Digest(KM_DIGEST_SHA_2_256)
850                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
851    string message = "12345678901234567890123456789012";
852    string signature;
853    MacMessage(message, &signature, 160);
854    ASSERT_EQ(20U, signature.size());
855
856    EXPECT_EQ(0, GetParam()->keymaster0_calls());
857}
858
859TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) {
860    uint8_t key_data[] = {
861        0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
862        0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
863    };
864    string message = "Hi There";
865    uint8_t sha_224_expected[] = {
866        0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d,
867        0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22,
868    };
869    uint8_t sha_256_expected[] = {
870        0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf,
871        0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83,
872        0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7,
873    };
874    uint8_t sha_384_expected[] = {
875        0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4,
876        0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
877        0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9,
878        0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6,
879    };
880    uint8_t sha_512_expected[] = {
881        0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a,
882        0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0,
883        0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7,
884        0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e,
885        0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54,
886    };
887
888    string key = make_string(key_data);
889
890    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
891    if (!GetParam()->minimal_digest_set()) {
892        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
893        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
894        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
895    }
896
897    EXPECT_EQ(0, GetParam()->keymaster0_calls());
898}
899
900TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) {
901    string key = "Jefe";
902    string message = "what do ya want for nothing?";
903    uint8_t sha_224_expected[] = {
904        0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e,
905        0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44,
906    };
907    uint8_t sha_256_expected[] = {
908        0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24,
909        0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27,
910        0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43,
911    };
912    uint8_t sha_384_expected[] = {
913        0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2,
914        0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
915        0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca,
916        0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49,
917    };
918    uint8_t sha_512_expected[] = {
919        0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b,
920        0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27,
921        0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99,
922        0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3,
923        0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37,
924    };
925
926    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
927    if (!GetParam()->minimal_digest_set()) {
928        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
929        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
930        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
931        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
932    }
933
934    EXPECT_EQ(0, GetParam()->keymaster0_calls());
935}
936
937TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
938    string key(20, 0xaa);
939    string message(50, 0xdd);
940    uint8_t sha_224_expected[] = {
941        0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
942        0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
943    };
944    uint8_t sha_256_expected[] = {
945        0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
946        0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
947        0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
948    };
949    uint8_t sha_384_expected[] = {
950        0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
951        0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
952        0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
953        0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
954    };
955    uint8_t sha_512_expected[] = {
956        0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
957        0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
958        0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
959        0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
960        0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
961    };
962
963    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
964    if (!GetParam()->minimal_digest_set()) {
965        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
966        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
967        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
968        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
969    }
970
971    EXPECT_EQ(0, GetParam()->keymaster0_calls());
972}
973
974TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) {
975    uint8_t key_data[25] = {
976        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
977        0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
978    };
979    string key = make_string(key_data);
980    string message(50, 0xcd);
981    uint8_t sha_224_expected[] = {
982        0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82,
983        0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a,
984    };
985    uint8_t sha_256_expected[] = {
986        0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81,
987        0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78,
988        0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b,
989    };
990    uint8_t sha_384_expected[] = {
991        0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62,
992        0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
993        0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23,
994        0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb,
995    };
996    uint8_t sha_512_expected[] = {
997        0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6,
998        0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f,
999        0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e,
1000        0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41,
1001        0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd,
1002    };
1003
1004    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1005    if (!GetParam()->minimal_digest_set()) {
1006        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1007        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1008        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1009        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1010    }
1011
1012    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1013}
1014
1015TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1016    string key(20, 0x0c);
1017    string message = "Test With Truncation";
1018
1019    uint8_t sha_224_expected[] = {
1020        0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1021        0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1022    };
1023    uint8_t sha_256_expected[] = {
1024        0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1025        0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1026    };
1027    uint8_t sha_384_expected[] = {
1028        0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1029        0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1030    };
1031    uint8_t sha_512_expected[] = {
1032        0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1033        0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1034    };
1035
1036    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1037    if (!GetParam()->minimal_digest_set()) {
1038        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1039        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1040        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1041    }
1042
1043    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1044}
1045
1046TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
1047    string key(131, 0xaa);
1048    string message = "Test Using Larger Than Block-Size Key - Hash Key First";
1049
1050    uint8_t sha_224_expected[] = {
1051        0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
1052        0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
1053    };
1054    uint8_t sha_256_expected[] = {
1055        0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
1056        0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
1057        0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
1058    };
1059    uint8_t sha_384_expected[] = {
1060        0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
1061        0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1062        0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
1063        0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
1064    };
1065    uint8_t sha_512_expected[] = {
1066        0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
1067        0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
1068        0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
1069        0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
1070        0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
1071    };
1072
1073    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1074    if (!GetParam()->minimal_digest_set()) {
1075        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1076        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1077        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1078    }
1079
1080    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1081}
1082
1083TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
1084    string key(131, 0xaa);
1085    string message = "This is a test using a larger than block-size key and a larger than "
1086                     "block-size data. The key needs to be hashed before being used by the HMAC "
1087                     "algorithm.";
1088
1089    uint8_t sha_224_expected[] = {
1090        0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
1091        0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
1092    };
1093    uint8_t sha_256_expected[] = {
1094        0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
1095        0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
1096        0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
1097    };
1098    uint8_t sha_384_expected[] = {
1099        0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
1100        0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1101        0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
1102        0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
1103    };
1104    uint8_t sha_512_expected[] = {
1105        0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
1106        0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
1107        0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
1108        0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
1109        0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
1110    };
1111
1112    CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1113    if (!GetParam()->minimal_digest_set()) {
1114        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1115        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1116        CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1117    }
1118
1119    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1120}
1121
1122TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1123    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1124                                           .HmacKey(128)
1125                                           .Digest(KM_DIGEST_SHA_2_256)
1126                                           .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1127    AuthorizationSet begin_params(client_params());
1128    begin_params.push_back(TAG_MAC_LENGTH, 264);
1129    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1130    ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
1131              BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1132
1133    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1134}
1135
1136TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1137    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1138                                           .HmacKey(128)
1139                                           .Digest(KM_DIGEST_SHA_2_256)
1140                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1141    AuthorizationSet begin_params(client_params());
1142    begin_params.push_back(TAG_MAC_LENGTH, 120);
1143    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1144    ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
1145              BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1146
1147    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1148}
1149
1150// TODO(swillden): Add more verification failure tests.
1151
1152typedef Keymaster2Test VerificationOperationsTest;
1153INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params);
1154
1155TEST_P(VerificationOperationsTest, RsaSuccess) {
1156    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1157                                           .RsaSigningKey(256, 3)
1158                                           .Digest(KM_DIGEST_NONE)
1159                                           .Padding(KM_PAD_NONE)));
1160    string message = "12345678901234567890123456789012";
1161    string signature;
1162    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1163    VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1164
1165    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1166        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1167}
1168
1169TEST_P(VerificationOperationsTest, RsaPssSha256Success) {
1170    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1171                                           .RsaSigningKey(768, 3)
1172                                           .Digest(KM_DIGEST_SHA_2_256)
1173                                           .Padding(KM_PAD_RSA_PSS)));
1174    // Use large message, which won't work without digesting.
1175    string message(1024, 'a');
1176    string signature;
1177    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1178    VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1179
1180    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1181        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1182}
1183
1184TEST_P(VerificationOperationsTest, RsaPssSha224Success) {
1185    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1186                                           .RsaSigningKey(512, 3)
1187                                           .Digest(KM_DIGEST_SHA_2_224)
1188                                           .Padding(KM_PAD_RSA_PSS)));
1189    // Use large message, which won't work without digesting.
1190    string message(1024, 'a');
1191    string signature;
1192    SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1193    VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1194
1195    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1196        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1197
1198    // Verify with OpenSSL.
1199    string pubkey;
1200    EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1201
1202    const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1203    unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1204        d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1205    ASSERT_TRUE(pkey.get());
1206
1207    EVP_MD_CTX digest_ctx;
1208    EVP_MD_CTX_init(&digest_ctx);
1209    EVP_PKEY_CTX* pkey_ctx;
1210    EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1211                                      pkey.get()));
1212    EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
1213    EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1214    EXPECT_EQ(1,
1215              EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1216                                    signature.size()));
1217    EVP_MD_CTX_cleanup(&digest_ctx);
1218}
1219
1220TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) {
1221    GenerateKey(AuthorizationSetBuilder()
1222                    .RsaSigningKey(768, 3)
1223                    .Digest(KM_DIGEST_SHA_2_256)
1224                    .Padding(KM_PAD_RSA_PSS));
1225    string message(1024, 'a');
1226    string signature;
1227    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1228    ++signature[signature.size() / 2];
1229
1230    AuthorizationSet begin_params(client_params());
1231    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1232    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1233    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1234
1235    string result;
1236    size_t input_consumed;
1237    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1238    EXPECT_EQ(message.size(), input_consumed);
1239    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1240
1241    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1242        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1243}
1244
1245TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) {
1246    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1247                                           .RsaSigningKey(768, 3)
1248                                           .Digest(KM_DIGEST_SHA_2_256)
1249                                           .Padding(KM_PAD_RSA_PSS)));
1250    // Use large message, which won't work without digesting.
1251    string message(1024, 'a');
1252    string signature;
1253    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1254    ++message[message.size() / 2];
1255
1256    AuthorizationSet begin_params(client_params());
1257    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1258    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1259    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1260
1261    string result;
1262    size_t input_consumed;
1263    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1264    EXPECT_EQ(message.size(), input_consumed);
1265    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1266
1267    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1268        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1269}
1270
1271TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) {
1272    GenerateKey(AuthorizationSetBuilder()
1273                    .RsaSigningKey(512, 3)
1274                    .Digest(KM_DIGEST_SHA_2_256)
1275                    .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1276    string message(1024, 'a');
1277    string signature;
1278    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1279    VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1280
1281    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1282        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1283}
1284
1285TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) {
1286    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1287                                           .RsaSigningKey(512, 3)
1288                                           .Digest(KM_DIGEST_SHA_2_224)
1289                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1290    // Use large message, which won't work without digesting.
1291    string message(1024, 'a');
1292    string signature;
1293    SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1294    VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1295
1296    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1297        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1298
1299    // Verify with OpenSSL.
1300    string pubkey;
1301    EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1302
1303    const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1304    unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1305        d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1306    ASSERT_TRUE(pkey.get());
1307
1308    EVP_MD_CTX digest_ctx;
1309    EVP_MD_CTX_init(&digest_ctx);
1310    EVP_PKEY_CTX* pkey_ctx;
1311    EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1312                                      pkey.get()));
1313    EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1314    EXPECT_EQ(1,
1315              EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1316                                    signature.size()));
1317    EVP_MD_CTX_cleanup(&digest_ctx);
1318}
1319
1320TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) {
1321    GenerateKey(AuthorizationSetBuilder()
1322                    .RsaSigningKey(512, 3)
1323                    .Digest(KM_DIGEST_SHA_2_256)
1324                    .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1325    string message(1024, 'a');
1326    string signature;
1327    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1328    ++signature[signature.size() / 2];
1329
1330    AuthorizationSet begin_params(client_params());
1331    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1332    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1333    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1334
1335    string result;
1336    size_t input_consumed;
1337    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1338    EXPECT_EQ(message.size(), input_consumed);
1339    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1340
1341    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1342        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1343}
1344
1345TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) {
1346    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1347                                           .RsaSigningKey(512, 3)
1348                                           .Digest(KM_DIGEST_SHA_2_256)
1349                                           .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1350    // Use large message, which won't work without digesting.
1351    string message(1024, 'a');
1352    string signature;
1353    SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1354    ++message[message.size() / 2];
1355
1356    AuthorizationSet begin_params(client_params());
1357    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1358    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1359    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1360
1361    string result;
1362    size_t input_consumed;
1363    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1364    EXPECT_EQ(message.size(), input_consumed);
1365    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1366
1367    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1368        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1369}
1370
1371TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) {
1372    vector<keymaster_digest_t> digests = {
1373        KM_DIGEST_NONE,      KM_DIGEST_MD5,       KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224,
1374        KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1375    };
1376
1377    vector<keymaster_padding_t> padding_modes{
1378        KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS,
1379    };
1380
1381    int trial_count = 0;
1382    for (keymaster_padding_t padding_mode : padding_modes) {
1383        for (keymaster_digest_t digest : digests) {
1384            if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE)
1385                // Digesting requires padding
1386                continue;
1387
1388            // Compute key & message size that will work.
1389            size_t key_bits = 0;
1390            size_t message_len = 1000;
1391
1392            if (digest == KM_DIGEST_NONE) {
1393                key_bits = 256;
1394                switch (padding_mode) {
1395                case KM_PAD_NONE:
1396                    // Match key size.
1397                    message_len = key_bits / 8;
1398                    break;
1399                case KM_PAD_RSA_PKCS1_1_5_SIGN:
1400                    message_len = key_bits / 8 - 11;
1401                    break;
1402                case KM_PAD_RSA_PSS:
1403                    // PSS requires a digest.
1404                    continue;
1405                default:
1406                    FAIL() << "Missing padding";
1407                    break;
1408                }
1409            } else {
1410                size_t digest_bits;
1411                switch (digest) {
1412                case KM_DIGEST_MD5:
1413                    digest_bits = 128;
1414                    break;
1415                case KM_DIGEST_SHA1:
1416                    digest_bits = 160;
1417                    break;
1418                case KM_DIGEST_SHA_2_224:
1419                    digest_bits = 224;
1420                    break;
1421                case KM_DIGEST_SHA_2_256:
1422                    digest_bits = 256;
1423                    break;
1424                case KM_DIGEST_SHA_2_384:
1425                    digest_bits = 384;
1426                    break;
1427                case KM_DIGEST_SHA_2_512:
1428                    digest_bits = 512;
1429                    break;
1430                default:
1431                    FAIL() << "Missing digest";
1432                }
1433
1434                switch (padding_mode) {
1435                case KM_PAD_RSA_PKCS1_1_5_SIGN:
1436                    key_bits = digest_bits + 8 * (11 + 19);
1437                    break;
1438                case KM_PAD_RSA_PSS:
1439                    key_bits = digest_bits * 2 + 2 * 8;
1440                    break;
1441                default:
1442                    FAIL() << "Missing padding";
1443                    break;
1444                }
1445            }
1446
1447            GenerateKey(AuthorizationSetBuilder()
1448                            .RsaSigningKey(key_bits, 3)
1449                            .Digest(digest)
1450                            .Padding(padding_mode));
1451            string message(message_len, 'a');
1452            string signature;
1453            SignMessage(message, &signature, digest, padding_mode);
1454            VerifyMessage(message, signature, digest, padding_mode);
1455            ++trial_count;
1456        }
1457    }
1458
1459    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1460        EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls());
1461}
1462
1463TEST_P(VerificationOperationsTest, EcdsaSuccess) {
1464    ASSERT_EQ(KM_ERROR_OK,
1465              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1466    string message = "12345678901234567890123456789012";
1467    string signature;
1468    SignMessage(message, &signature, KM_DIGEST_NONE);
1469    VerifyMessage(message, signature, KM_DIGEST_NONE);
1470
1471    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1472        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1473}
1474
1475TEST_P(VerificationOperationsTest, EcdsaTooShort) {
1476    ASSERT_EQ(KM_ERROR_OK,
1477              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1478    string message = "12345678901234567890";
1479    string signature;
1480    SignMessage(message, &signature, KM_DIGEST_NONE);
1481    VerifyMessage(message, signature, KM_DIGEST_NONE);
1482
1483    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1484        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1485}
1486
1487TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) {
1488    ASSERT_EQ(KM_ERROR_OK,
1489              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE)));
1490
1491    string message(66, 'a');
1492    string signature;
1493    SignMessage(message, &signature, KM_DIGEST_NONE);
1494    VerifyMessage(message, signature, KM_DIGEST_NONE);
1495
1496    // Modifying low-order bits doesn't matter, because they didn't get signed.  Ugh.
1497    message[65] ^= 7;
1498    VerifyMessage(message, signature, KM_DIGEST_NONE);
1499
1500    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1501        EXPECT_EQ(5, GetParam()->keymaster0_calls());
1502}
1503
1504TEST_P(VerificationOperationsTest, EcdsaSha256Success) {
1505    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1506                                           .EcdsaSigningKey(256)
1507                                           .Digest(KM_DIGEST_SHA_2_256)
1508                                           .Digest(KM_DIGEST_NONE)));
1509    string message = "12345678901234567890123456789012";
1510    string signature;
1511    SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
1512    VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
1513
1514    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1515        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1516
1517    // Just for giggles, try verifying with the wrong digest.
1518    AuthorizationSet begin_params(client_params());
1519    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1520    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1521
1522    string result;
1523    size_t input_consumed;
1524    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1525    EXPECT_EQ(message.size(), input_consumed);
1526    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1527}
1528
1529TEST_P(VerificationOperationsTest, EcdsaSha224Success) {
1530    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
1531                               KM_DIGEST_SHA_2_224)));
1532
1533    string message = "12345678901234567890123456789012";
1534    string signature;
1535    SignMessage(message, &signature, KM_DIGEST_SHA_2_224);
1536    VerifyMessage(message, signature, KM_DIGEST_SHA_2_224);
1537
1538    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1539        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1540
1541    // Just for giggles, try verifying with the wrong digest.
1542    AuthorizationSet begin_params(client_params());
1543    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1544    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1545
1546    string result;
1547    size_t input_consumed;
1548    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1549    EXPECT_EQ(message.size(), input_consumed);
1550    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1551}
1552
1553TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) {
1554    keymaster_digest_t digests[] = {
1555        KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
1556        KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1557    };
1558    size_t key_sizes[] = {224, 256, 384, 521};
1559
1560    string message = "1234567890";
1561    string signature;
1562
1563    for (auto key_size : key_sizes) {
1564        AuthorizationSetBuilder builder;
1565        builder.EcdsaSigningKey(key_size);
1566        for (auto digest : digests)
1567            builder.Digest(digest);
1568        ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder));
1569
1570        for (auto digest : digests) {
1571            SignMessage(message, &signature, digest);
1572            VerifyMessage(message, signature, digest);
1573        }
1574    }
1575
1576    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1577        EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))),
1578                  GetParam()->keymaster0_calls());
1579}
1580
1581TEST_P(VerificationOperationsTest, HmacSha1Success) {
1582    if (GetParam()->minimal_digest_set())
1583        // Can't emulate missing digests for HMAC.
1584        return;
1585
1586    GenerateKey(AuthorizationSetBuilder()
1587                    .HmacKey(128)
1588                    .Digest(KM_DIGEST_SHA1)
1589                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1590    string message = "123456789012345678901234567890123456789012345678";
1591    string signature;
1592    MacMessage(message, &signature, 160);
1593    VerifyMac(message, signature);
1594
1595    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1596}
1597
1598TEST_P(VerificationOperationsTest, HmacSha224Success) {
1599    if (GetParam()->minimal_digest_set())
1600        // Can't emulate missing digests for HMAC.
1601        return;
1602
1603    GenerateKey(AuthorizationSetBuilder()
1604                    .HmacKey(128)
1605                    .Digest(KM_DIGEST_SHA_2_224)
1606                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1607    string message = "123456789012345678901234567890123456789012345678";
1608    string signature;
1609    MacMessage(message, &signature, 224);
1610    VerifyMac(message, signature);
1611
1612    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1613}
1614
1615TEST_P(VerificationOperationsTest, HmacSha256Success) {
1616    GenerateKey(AuthorizationSetBuilder()
1617                    .HmacKey(128)
1618                    .Digest(KM_DIGEST_SHA_2_256)
1619                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1620    string message = "123456789012345678901234567890123456789012345678";
1621    string signature;
1622    MacMessage(message, &signature, 256);
1623    VerifyMac(message, signature);
1624
1625    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1626}
1627
1628TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) {
1629    GenerateKey(AuthorizationSetBuilder()
1630                    .HmacKey(128)
1631                    .Digest(KM_DIGEST_SHA_2_256)
1632                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1633    string message = "123456789012345678901234567890123456789012345678";
1634    string signature;
1635    MacMessage(message, &signature, 256);
1636
1637    // Shorten to 128 bits, should still work.
1638    signature.resize(128 / 8);
1639    VerifyMac(message, signature);
1640
1641    // Drop one more byte.
1642    signature.resize(signature.length() - 1);
1643
1644    AuthorizationSet begin_params(client_params());
1645    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1646    string result;
1647    size_t input_consumed;
1648    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1649    EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result));
1650
1651    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1652}
1653
1654TEST_P(VerificationOperationsTest, HmacSha384Success) {
1655    if (GetParam()->minimal_digest_set())
1656        // Can't emulate missing digests for HMAC.
1657        return;
1658
1659    GenerateKey(AuthorizationSetBuilder()
1660                    .HmacKey(128)
1661                    .Digest(KM_DIGEST_SHA_2_384)
1662                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1663    string message = "123456789012345678901234567890123456789012345678";
1664    string signature;
1665    MacMessage(message, &signature, 384);
1666    VerifyMac(message, signature);
1667
1668    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1669}
1670
1671TEST_P(VerificationOperationsTest, HmacSha512Success) {
1672    if (GetParam()->minimal_digest_set())
1673        // Can't emulate missing digests for HMAC.
1674        return;
1675
1676    GenerateKey(AuthorizationSetBuilder()
1677                    .HmacKey(128)
1678                    .Digest(KM_DIGEST_SHA_2_512)
1679                    .Authorization(TAG_MIN_MAC_LENGTH, 128));
1680    string message = "123456789012345678901234567890123456789012345678";
1681    string signature;
1682    MacMessage(message, &signature, 512);
1683    VerifyMac(message, signature);
1684
1685    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1686}
1687
1688typedef Keymaster2Test ExportKeyTest;
1689INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params);
1690
1691TEST_P(ExportKeyTest, RsaSuccess) {
1692    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1693                                           .RsaSigningKey(256, 3)
1694                                           .Digest(KM_DIGEST_NONE)
1695                                           .Padding(KM_PAD_NONE)));
1696    string export_data;
1697    ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1698    EXPECT_GT(export_data.length(), 0U);
1699
1700    // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1701
1702    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1703        EXPECT_EQ(2, GetParam()->keymaster0_calls());
1704}
1705
1706TEST_P(ExportKeyTest, EcdsaSuccess) {
1707    ASSERT_EQ(KM_ERROR_OK,
1708              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
1709    string export_data;
1710    ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1711    EXPECT_GT(export_data.length(), 0U);
1712
1713    // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1714
1715    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1716        EXPECT_EQ(2, GetParam()->keymaster0_calls());
1717}
1718
1719TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
1720    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1721                                           .RsaSigningKey(256, 3)
1722                                           .Digest(KM_DIGEST_NONE)
1723                                           .Padding(KM_PAD_NONE)));
1724    string export_data;
1725    ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1726
1727    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1728        EXPECT_EQ(2, GetParam()->keymaster0_calls());
1729}
1730
1731TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
1732    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1733                                           .RsaSigningKey(256, 3)
1734                                           .Digest(KM_DIGEST_NONE)
1735                                           .Padding(KM_PAD_NONE)));
1736    corrupt_key_blob();
1737    string export_data;
1738    ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1739
1740    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1741        EXPECT_EQ(2, GetParam()->keymaster0_calls());
1742}
1743
1744TEST_P(ExportKeyTest, AesKeyExportFails) {
1745    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128)));
1746    string export_data;
1747
1748    EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1749    EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1750    EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data));
1751
1752    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1753}
1754
1755static string read_file(const string& file_name) {
1756    ifstream file_stream(file_name, std::ios::binary);
1757    istreambuf_iterator<char> file_begin(file_stream);
1758    istreambuf_iterator<char> file_end;
1759    return string(file_begin, file_end);
1760}
1761
1762typedef Keymaster2Test ImportKeyTest;
1763INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params);
1764
1765TEST_P(ImportKeyTest, RsaSuccess) {
1766    string pk8_key = read_file("rsa_privkey_pk8.der");
1767    ASSERT_EQ(633U, pk8_key.size());
1768
1769    ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1770                                         .RsaSigningKey(1024, 65537)
1771                                         .Digest(KM_DIGEST_NONE)
1772                                         .Padding(KM_PAD_NONE),
1773                                     KM_KEY_FORMAT_PKCS8, pk8_key));
1774
1775    // Check values derived from the key.
1776    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1777                                                                                 : sw_enforced(),
1778                         TAG_ALGORITHM, KM_ALGORITHM_RSA));
1779    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1780                                                                                 : sw_enforced(),
1781                         TAG_KEY_SIZE, 1024));
1782    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1783                                                                                 : sw_enforced(),
1784                         TAG_RSA_PUBLIC_EXPONENT, 65537U));
1785
1786    // And values provided by AndroidKeymaster
1787    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1788        EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1789    else
1790        EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1791    EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1792
1793    string message(1024 / 8, 'a');
1794    string signature;
1795    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1796    VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1797
1798    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1799        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1800}
1801
1802TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1803    string pk8_key = read_file("rsa_privkey_pk8.der");
1804    ASSERT_EQ(633U, pk8_key.size());
1805    ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1806              ImportKey(AuthorizationSetBuilder()
1807                            .RsaSigningKey(2048 /* Doesn't match key */, 3)
1808                            .Digest(KM_DIGEST_NONE)
1809                            .Padding(KM_PAD_NONE),
1810                        KM_KEY_FORMAT_PKCS8, pk8_key));
1811
1812    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1813}
1814
1815TEST_P(ImportKeyTest, RsaPublicExponenMismatch) {
1816    string pk8_key = read_file("rsa_privkey_pk8.der");
1817    ASSERT_EQ(633U, pk8_key.size());
1818    ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1819              ImportKey(AuthorizationSetBuilder()
1820                            .RsaSigningKey(256, 3 /* Doesnt' match key */)
1821                            .Digest(KM_DIGEST_NONE)
1822                            .Padding(KM_PAD_NONE),
1823                        KM_KEY_FORMAT_PKCS8, pk8_key));
1824
1825    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1826}
1827
1828TEST_P(ImportKeyTest, EcdsaSuccess) {
1829    string pk8_key = read_file("ec_privkey_pk8.der");
1830    ASSERT_EQ(138U, pk8_key.size());
1831
1832    ASSERT_EQ(KM_ERROR_OK,
1833              ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1834                        KM_KEY_FORMAT_PKCS8, pk8_key));
1835
1836    // Check values derived from the key.
1837    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1838                                                                                : sw_enforced(),
1839                         TAG_ALGORITHM, KM_ALGORITHM_EC));
1840    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1841                                                                                : sw_enforced(),
1842                         TAG_KEY_SIZE, 256));
1843
1844    // And values provided by AndroidKeymaster
1845    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1846        EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1847    else
1848        EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1849    EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1850
1851    string message(32, 'a');
1852    string signature;
1853    SignMessage(message, &signature, KM_DIGEST_NONE);
1854    VerifyMessage(message, signature, KM_DIGEST_NONE);
1855
1856    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1857        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1858}
1859
1860TEST_P(ImportKeyTest, EcdsaSizeSpecified) {
1861    string pk8_key = read_file("ec_privkey_pk8.der");
1862    ASSERT_EQ(138U, pk8_key.size());
1863
1864    ASSERT_EQ(KM_ERROR_OK,
1865              ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1866                        KM_KEY_FORMAT_PKCS8, pk8_key));
1867
1868    // Check values derived from the key.
1869    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1870                                                                                : sw_enforced(),
1871                         TAG_ALGORITHM, KM_ALGORITHM_EC));
1872    EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1873                                                                                : sw_enforced(),
1874                         TAG_KEY_SIZE, 256));
1875
1876    // And values provided by AndroidKeymaster
1877    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1878        EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1879    else
1880        EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1881    EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1882
1883    string message(32, 'a');
1884    string signature;
1885    SignMessage(message, &signature, KM_DIGEST_NONE);
1886    VerifyMessage(message, signature, KM_DIGEST_NONE);
1887
1888    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1889        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1890}
1891
1892TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1893    string pk8_key = read_file("ec_privkey_pk8.der");
1894    ASSERT_EQ(138U, pk8_key.size());
1895    ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1896              ImportKey(AuthorizationSetBuilder()
1897                            .EcdsaSigningKey(224 /* Doesn't match key */)
1898                            .Digest(KM_DIGEST_NONE),
1899                        KM_KEY_FORMAT_PKCS8, pk8_key));
1900
1901    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1902}
1903
1904TEST_P(ImportKeyTest, AesKeySuccess) {
1905    char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1906    string key(key_data, sizeof(key_data));
1907    ASSERT_EQ(KM_ERROR_OK,
1908              ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization(
1909                            TAG_PADDING, KM_PAD_PKCS7),
1910                        KM_KEY_FORMAT_RAW, key));
1911
1912    EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1913    EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1914
1915    string message = "Hello World!";
1916    string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
1917    string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
1918    EXPECT_EQ(message, plaintext);
1919
1920    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1921}
1922
1923TEST_P(ImportKeyTest, HmacSha256KeySuccess) {
1924    char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1925    string key(key_data, sizeof(key_data));
1926    ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1927                                         .HmacKey(sizeof(key_data) * 8)
1928                                         .Digest(KM_DIGEST_SHA_2_256)
1929                                         .Authorization(TAG_MIN_MAC_LENGTH, 256),
1930                                     KM_KEY_FORMAT_RAW, key));
1931
1932    EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1933    EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1934
1935    string message = "Hello World!";
1936    string signature;
1937    MacMessage(message, &signature, 256);
1938    VerifyMac(message, signature);
1939
1940    EXPECT_EQ(0, GetParam()->keymaster0_calls());
1941}
1942
1943typedef Keymaster2Test EncryptionOperationsTest;
1944INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params);
1945
1946TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
1947    ASSERT_EQ(KM_ERROR_OK,
1948              GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1949
1950    string message = "12345678901234567890123456789012";
1951    string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE);
1952    EXPECT_EQ(256U / 8, ciphertext1.size());
1953
1954    string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE);
1955    EXPECT_EQ(256U / 8, ciphertext2.size());
1956
1957    // Unpadded RSA is deterministic
1958    EXPECT_EQ(ciphertext1, ciphertext2);
1959
1960    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1961        EXPECT_EQ(3, GetParam()->keymaster0_calls());
1962}
1963
1964TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) {
1965    ASSERT_EQ(KM_ERROR_OK,
1966              GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1967
1968    string message = "1";
1969
1970    string ciphertext = EncryptMessage(message, KM_PAD_NONE);
1971    EXPECT_EQ(256U / 8, ciphertext.size());
1972
1973    string expected_plaintext = string(256 / 8 - 1, 0) + message;
1974    string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE);
1975
1976    EXPECT_EQ(expected_plaintext, plaintext);
1977
1978    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1979        EXPECT_EQ(4, GetParam()->keymaster0_calls());
1980}
1981
1982TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
1983    ASSERT_EQ(KM_ERROR_OK,
1984              GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1985
1986    string message = "123456789012345678901234567890123";
1987
1988    AuthorizationSet begin_params(client_params());
1989    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
1990    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
1991
1992    string result;
1993    size_t input_consumed;
1994    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
1995
1996    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1997        EXPECT_EQ(2, GetParam()->keymaster0_calls());
1998}
1999
2000TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) {
2001    ASSERT_EQ(KM_ERROR_OK,
2002              GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2003
2004    string exported;
2005    ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported));
2006
2007    const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data());
2008    unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
2009        d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
2010    unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get()));
2011
2012    size_t modulus_len = BN_num_bytes(rsa->n);
2013    ASSERT_EQ(256U / 8, modulus_len);
2014    unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
2015    BN_bn2bin(rsa->n, modulus_buf.get());
2016
2017    // The modulus is too big to encrypt.
2018    string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2019
2020    AuthorizationSet begin_params(client_params());
2021    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2022    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2023
2024    string result;
2025    size_t input_consumed;
2026    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2027    EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result));
2028
2029    // One smaller than the modulus is okay.
2030    BN_sub(rsa->n, rsa->n, BN_value_one());
2031    modulus_len = BN_num_bytes(rsa->n);
2032    ASSERT_EQ(256U / 8, modulus_len);
2033    BN_bn2bin(rsa->n, modulus_buf.get());
2034    message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2035    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2036    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2037    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
2038
2039    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2040        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2041}
2042
2043TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2044    size_t key_size = 768;
2045    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2046                                           .RsaEncryptionKey(key_size, 3)
2047                                           .Padding(KM_PAD_RSA_OAEP)
2048                                           .Digest(KM_DIGEST_SHA_2_256)));
2049
2050    string message = "Hello";
2051    string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2052    EXPECT_EQ(key_size / 8, ciphertext1.size());
2053
2054    string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2055    EXPECT_EQ(key_size / 8, ciphertext2.size());
2056
2057    // OAEP randomizes padding so every result should be different.
2058    EXPECT_NE(ciphertext1, ciphertext2);
2059
2060    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2061        EXPECT_EQ(3, GetParam()->keymaster0_calls());
2062}
2063
2064TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) {
2065    size_t key_size = 768;
2066    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2067                                           .RsaEncryptionKey(key_size, 3)
2068                                           .Padding(KM_PAD_RSA_OAEP)
2069                                           .Digest(KM_DIGEST_SHA_2_224)));
2070
2071    string message = "Hello";
2072    string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2073    EXPECT_EQ(key_size / 8, ciphertext1.size());
2074
2075    string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2076    EXPECT_EQ(key_size / 8, ciphertext2.size());
2077
2078    // OAEP randomizes padding so every result should be different.
2079    EXPECT_NE(ciphertext1, ciphertext2);
2080
2081    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2082        EXPECT_EQ(3, GetParam()->keymaster0_calls());
2083}
2084
2085TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) {
2086    size_t key_size = 768;
2087    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2088                                           .RsaEncryptionKey(key_size, 3)
2089                                           .Padding(KM_PAD_RSA_OAEP)
2090                                           .Digest(KM_DIGEST_SHA_2_256)));
2091    string message = "Hello World!";
2092    string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2093    EXPECT_EQ(key_size / 8, ciphertext.size());
2094
2095    string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2096    EXPECT_EQ(message, plaintext);
2097
2098    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2099        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2100}
2101
2102TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) {
2103    size_t key_size = 768;
2104    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2105                                           .RsaEncryptionKey(key_size, 3)
2106                                           .Padding(KM_PAD_RSA_OAEP)
2107                                           .Digest(KM_DIGEST_SHA_2_224)));
2108    string message = "Hello World!";
2109    string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2110    EXPECT_EQ(key_size / 8, ciphertext.size());
2111
2112    string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2113    EXPECT_EQ(message, plaintext);
2114
2115    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2116        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2117}
2118
2119TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2120    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2121                                           .RsaEncryptionKey(512, 3)
2122                                           .Padding(KM_PAD_RSA_OAEP)
2123                                           .Digest(KM_DIGEST_NONE)));
2124    string message = "Hello World!";
2125
2126    AuthorizationSet begin_params(client_params());
2127    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2128    begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
2129    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2130
2131    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2132        EXPECT_EQ(2, GetParam()->keymaster0_calls());
2133}
2134
2135TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) {
2136    if (GetParam()->minimal_digest_set())
2137        // We don't have two supported digests, so we can't try authorizing one and using another.
2138        return;
2139
2140    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2141                                           .RsaEncryptionKey(512, 3)
2142                                           .Padding(KM_PAD_RSA_OAEP)
2143                                           .Digest(KM_DIGEST_SHA_2_256)));
2144    string message = "Hello World!";
2145    // Works because encryption is a public key operation.
2146    EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP);
2147
2148    AuthorizationSet begin_params(client_params());
2149    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2150    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2151    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2152
2153    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2154        EXPECT_EQ(3, GetParam()->keymaster0_calls());
2155}
2156
2157TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2158    if (GetParam()->minimal_digest_set())
2159        // We don't have two supported digests, so we can't try encrypting with one and decrypting
2160        // with another.
2161        return;
2162
2163    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2164                                           .RsaEncryptionKey(768, 3)
2165                                           .Padding(KM_PAD_RSA_OAEP)
2166                                           .Digest(KM_DIGEST_SHA_2_256)
2167                                           .Digest(KM_DIGEST_SHA_2_384)));
2168    string message = "Hello World!";
2169    string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2170
2171    string result;
2172    size_t input_consumed;
2173    AuthorizationSet begin_params(client_params());
2174    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2175    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
2176    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2177    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2178    EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2179    EXPECT_EQ(0U, result.size());
2180
2181    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2182        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2183}
2184
2185TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2186    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2187                                           .RsaEncryptionKey(512, 3)
2188                                           .Padding(KM_PAD_RSA_OAEP)
2189                                           .Digest(KM_DIGEST_SHA1)));
2190    string message = "12345678901234567890123";
2191    string result;
2192    size_t input_consumed;
2193
2194    AuthorizationSet begin_params(client_params());
2195    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2196    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2197    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2198    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2199    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2200    EXPECT_EQ(0U, result.size());
2201
2202    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2203        EXPECT_EQ(2, GetParam()->keymaster0_calls());
2204}
2205
2206TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) {
2207    size_t key_size = 768;
2208    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2209                                           .RsaEncryptionKey(768, 3)
2210                                           .Padding(KM_PAD_RSA_OAEP)
2211                                           .Digest(KM_DIGEST_SHA_2_256)));
2212    string message = "Hello World!";
2213    string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2214    EXPECT_EQ(key_size / 8, ciphertext.size());
2215
2216    // Corrupt the ciphertext
2217    ciphertext[key_size / 8 / 2]++;
2218
2219    string result;
2220    size_t input_consumed;
2221    AuthorizationSet begin_params(client_params());
2222    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2223    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
2224    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2225    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2226    EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2227    EXPECT_EQ(0U, result.size());
2228
2229    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2230        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2231}
2232
2233TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2234    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2235                               KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2236    string message = "Hello World!";
2237    string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2238    EXPECT_EQ(512U / 8, ciphertext1.size());
2239
2240    string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2241    EXPECT_EQ(512U / 8, ciphertext2.size());
2242
2243    // PKCS1 v1.5 randomizes padding so every result should be different.
2244    EXPECT_NE(ciphertext1, ciphertext2);
2245
2246    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2247        EXPECT_EQ(3, GetParam()->keymaster0_calls());
2248}
2249
2250TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) {
2251    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2252                               KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2253    string message = "Hello World!";
2254    string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2255    EXPECT_EQ(512U / 8, ciphertext.size());
2256
2257    string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2258    EXPECT_EQ(message, plaintext);
2259
2260    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2261        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2262}
2263
2264TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) {
2265    size_t key_size = 2048;
2266    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2267                                           .RsaEncryptionKey(key_size, 3)
2268                                           .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT)
2269                                           .Padding(KM_PAD_RSA_OAEP)
2270                                           .Digest(KM_DIGEST_NONE)
2271                                           .Digest(KM_DIGEST_MD5)
2272                                           .Digest(KM_DIGEST_SHA1)
2273                                           .Digest(KM_DIGEST_SHA_2_224)
2274                                           .Digest(KM_DIGEST_SHA_2_256)
2275                                           .Digest(KM_DIGEST_SHA_2_384)
2276                                           .Digest(KM_DIGEST_SHA_2_512)));
2277
2278    string message = "Hello World!";
2279
2280    keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
2281    keymaster_digest_t digests[] = {
2282        KM_DIGEST_NONE,      KM_DIGEST_MD5,       KM_DIGEST_SHA1,      KM_DIGEST_SHA_2_224,
2283        KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
2284    };
2285
2286    for (auto padding : padding_modes)
2287        for (auto digest : digests) {
2288            if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE)
2289                // OAEP requires a digest.
2290                continue;
2291
2292            string ciphertext = EncryptMessage(message, digest, padding);
2293            EXPECT_EQ(key_size / 8, ciphertext.size());
2294
2295            string plaintext = DecryptMessage(ciphertext, digest, padding);
2296            EXPECT_EQ(message, plaintext);
2297        }
2298
2299    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2300        EXPECT_EQ(40, GetParam()->keymaster0_calls());
2301}
2302
2303TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2304    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2305                               KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2306    string message = "123456789012345678901234567890123456789012345678901234";
2307    string result;
2308    size_t input_consumed;
2309
2310    AuthorizationSet begin_params(client_params());
2311    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2312    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2313    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2314    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2315    EXPECT_EQ(0U, result.size());
2316
2317    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2318        EXPECT_EQ(2, GetParam()->keymaster0_calls());
2319}
2320
2321TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) {
2322    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2323                               KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2324    string message = "Hello World!";
2325    string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2326    EXPECT_EQ(512U / 8, ciphertext.size());
2327
2328    // Corrupt the ciphertext
2329    ciphertext[512 / 8 / 2]++;
2330
2331    string result;
2332    size_t input_consumed;
2333    AuthorizationSet begin_params(client_params());
2334    begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2335    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2336    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2337    EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2338    EXPECT_EQ(0U, result.size());
2339
2340    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2341        EXPECT_EQ(4, GetParam()->keymaster0_calls());
2342}
2343
2344TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) {
2345    ASSERT_EQ(KM_ERROR_OK,
2346              GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE)));
2347
2348    AuthorizationSet begin_params(client_params());
2349    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2350    ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2351
2352    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2353        EXPECT_EQ(2, GetParam()->keymaster0_calls());
2354}
2355
2356TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2357    ASSERT_EQ(KM_ERROR_OK,
2358              GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
2359    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2360    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2361
2362    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
2363        EXPECT_EQ(3, GetParam()->keymaster0_calls());
2364}
2365
2366TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2367    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2368                                           .HmacKey(128)
2369                                           .Digest(KM_DIGEST_SHA_2_256)
2370                                           .Padding(KM_PAD_NONE)
2371                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2372    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2373    ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2374
2375    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2376}
2377
2378TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2379    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2380                                           .AesEncryptionKey(128)
2381                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2382                                           .Padding(KM_PAD_NONE)));
2383    // Two-block message.
2384    string message = "12345678901234567890123456789012";
2385    string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
2386    EXPECT_EQ(message.size(), ciphertext1.size());
2387
2388    string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE);
2389    EXPECT_EQ(message.size(), ciphertext2.size());
2390
2391    // ECB is deterministic.
2392    EXPECT_EQ(ciphertext1, ciphertext2);
2393
2394    string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE);
2395    EXPECT_EQ(message, plaintext);
2396
2397    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2398}
2399
2400TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) {
2401    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2402                                           .AesEncryptionKey(128)
2403                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2404                                           .Padding(KM_PAD_NONE)));
2405    // Two-block message.
2406    string message = "12345678901234567890123456789012";
2407    AuthorizationSet begin_params(client_params());
2408    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2409    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2410    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2411
2412    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2413}
2414
2415TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2416    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2417                                           .AesEncryptionKey(128)
2418                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2419                                           .Padding(KM_PAD_NONE)));
2420    // Message is slightly shorter than two blocks.
2421    string message = "1234567890123456789012345678901";
2422
2423    AuthorizationSet begin_params(client_params());
2424    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2425    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2426    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2427    string ciphertext;
2428    size_t input_consumed;
2429    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed));
2430    EXPECT_EQ(message.size(), input_consumed);
2431    EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext));
2432
2433    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2434}
2435
2436TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2437    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2438                                           .AesEncryptionKey(128)
2439                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2440                                           .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2441
2442    // Try various message lengths; all should work.
2443    for (size_t i = 0; i < 32; ++i) {
2444        string message(i, 'a');
2445        string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2446        EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2447        string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
2448        EXPECT_EQ(message, plaintext);
2449    }
2450
2451    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2452}
2453
2454TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) {
2455    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2456                                           .AesEncryptionKey(128)
2457                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2458                                           .Authorization(TAG_PADDING, KM_PAD_NONE)));
2459
2460    // Try various message lengths; all should fail.
2461    for (size_t i = 0; i < 32; ++i) {
2462        AuthorizationSet begin_params(client_params());
2463        begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2464        begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2465        EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
2466                  BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2467    }
2468
2469    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2470}
2471
2472TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2473    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2474                                           .AesEncryptionKey(128)
2475                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2476                                           .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2477
2478    string message = "a";
2479    string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2480    EXPECT_EQ(16U, ciphertext.size());
2481    EXPECT_NE(ciphertext, message);
2482    ++ciphertext[ciphertext.size() / 2];
2483
2484    AuthorizationSet begin_params(client_params());
2485    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2486    begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2487    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2488    string plaintext;
2489    size_t input_consumed;
2490    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
2491    EXPECT_EQ(ciphertext.size(), input_consumed);
2492    EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
2493
2494    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2495}
2496
2497TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2498    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2499                                           .AesEncryptionKey(128)
2500                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2501                                           .Padding(KM_PAD_NONE)));
2502    string message = "123";
2503    string iv1;
2504    string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1);
2505    EXPECT_EQ(message.size(), ciphertext1.size());
2506    EXPECT_EQ(16U, iv1.size());
2507
2508    string iv2;
2509    string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2);
2510    EXPECT_EQ(message.size(), ciphertext2.size());
2511    EXPECT_EQ(16U, iv2.size());
2512
2513    // IVs should be random, so ciphertexts should differ.
2514    EXPECT_NE(iv1, iv2);
2515    EXPECT_NE(ciphertext1, ciphertext2);
2516
2517    string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1);
2518    EXPECT_EQ(message, plaintext);
2519
2520    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2521}
2522
2523TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
2524    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2525                                           .AesEncryptionKey(128)
2526                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2527                                           .Padding(KM_PAD_NONE)));
2528
2529    int increment = 15;
2530    string message(239, 'a');
2531    AuthorizationSet input_params(client_params());
2532    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2533    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2534    AuthorizationSet output_params;
2535    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2536
2537    string ciphertext;
2538    size_t input_consumed;
2539    for (size_t i = 0; i < message.size(); i += increment)
2540        EXPECT_EQ(KM_ERROR_OK,
2541                  UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2542    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2543    EXPECT_EQ(message.size(), ciphertext.size());
2544
2545    // Move TAG_NONCE into input_params
2546    input_params.Reinitialize(output_params);
2547    input_params.push_back(client_params());
2548    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2549    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2550    output_params.Clear();
2551
2552    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2553    string plaintext;
2554    for (size_t i = 0; i < ciphertext.size(); i += increment)
2555        EXPECT_EQ(KM_ERROR_OK,
2556                  UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2557    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2558    EXPECT_EQ(ciphertext.size(), plaintext.size());
2559    EXPECT_EQ(message, plaintext);
2560
2561    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2562}
2563
2564struct AesCtrSp80038aTestVector {
2565    const char* key;
2566    const char* nonce;
2567    const char* plaintext;
2568    const char* ciphertext;
2569};
2570
2571// These test vectors are taken from
2572// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2573static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2574    // AES-128
2575    {
2576        "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2577        "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2578        "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2579        "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2580        "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2581    },
2582    // AES-192
2583    {
2584        "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2585        "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2586        "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2587        "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2588        "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2589    },
2590    // AES-256
2591    {
2592        "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2593        "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2594        "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2595        "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2596        "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2597        "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2598    },
2599};
2600
2601TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2602    for (size_t i = 0; i < 3; i++) {
2603        const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2604        const string key = hex2str(test.key);
2605        const string nonce = hex2str(test.nonce);
2606        const string plaintext = hex2str(test.plaintext);
2607        const string ciphertext = hex2str(test.ciphertext);
2608        CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2609    }
2610
2611    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2612}
2613
2614TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) {
2615    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2616                                           .AesEncryptionKey(128)
2617                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2618                                           .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2619    AuthorizationSet begin_params(client_params());
2620    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2621    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2622    EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2623
2624    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2625}
2626
2627TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2628    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2629                                           .AesEncryptionKey(128)
2630                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2631                                           .Authorization(TAG_CALLER_NONCE)
2632                                           .Padding(KM_PAD_NONE)));
2633
2634    AuthorizationSet input_params(client_params());
2635    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2636    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2637    input_params.push_back(TAG_NONCE, "123", 3);
2638    EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params));
2639
2640    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2641}
2642
2643TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
2644    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2645                                           .AesEncryptionKey(128)
2646                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2647                                           .Padding(KM_PAD_NONE)));
2648    // Two-block message.
2649    string message = "12345678901234567890123456789012";
2650    string iv1;
2651    string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2652    EXPECT_EQ(message.size(), ciphertext1.size());
2653
2654    string iv2;
2655    string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2);
2656    EXPECT_EQ(message.size(), ciphertext2.size());
2657
2658    // IVs should be random, so ciphertexts should differ.
2659    EXPECT_NE(iv1, iv2);
2660    EXPECT_NE(ciphertext1, ciphertext2);
2661
2662    string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2663    EXPECT_EQ(message, plaintext);
2664
2665    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2666}
2667
2668TEST_P(EncryptionOperationsTest, AesCallerNonce) {
2669    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2670                                           .AesEncryptionKey(128)
2671                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2672                                           .Authorization(TAG_CALLER_NONCE)
2673                                           .Padding(KM_PAD_NONE)));
2674    string message = "12345678901234567890123456789012";
2675    string iv1;
2676    // Don't specify nonce, should get a random one.
2677    string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2678    EXPECT_EQ(message.size(), ciphertext1.size());
2679    EXPECT_EQ(16U, iv1.size());
2680
2681    string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2682    EXPECT_EQ(message, plaintext);
2683
2684    // Now specify a nonce, should also work.
2685    AuthorizationSet input_params(client_params());
2686    AuthorizationSet update_params;
2687    AuthorizationSet output_params;
2688    input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2689    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2690    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2691    string ciphertext2 =
2692        ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params);
2693
2694    // Decrypt with correct nonce.
2695    plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2696                               &output_params);
2697    EXPECT_EQ(message, plaintext);
2698
2699    // Now try with wrong nonce.
2700    input_params.Reinitialize(client_params());
2701    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2702    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2703    input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16);
2704    plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2705                               &output_params);
2706    EXPECT_NE(message, plaintext);
2707
2708    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2709}
2710
2711TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
2712    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2713                                           .AesEncryptionKey(128)
2714                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2715                                           .Padding(KM_PAD_NONE)));
2716
2717    string message = "12345678901234567890123456789012";
2718    string iv1;
2719    // Don't specify nonce, should get a random one.
2720    string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2721    EXPECT_EQ(message.size(), ciphertext1.size());
2722    EXPECT_EQ(16U, iv1.size());
2723
2724    string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2725    EXPECT_EQ(message, plaintext);
2726
2727    // Now specify a nonce, should fail.
2728    AuthorizationSet input_params(client_params());
2729    AuthorizationSet update_params;
2730    AuthorizationSet output_params;
2731    input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2732    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2733    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2734
2735    EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
2736              BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2737
2738    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2739}
2740
2741TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) {
2742    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2743                                           .AesEncryptionKey(128)
2744                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2745                                           .Padding(KM_PAD_NONE)));
2746
2747    int increment = 15;
2748    string message(240, 'a');
2749    AuthorizationSet input_params(client_params());
2750    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2751    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2752    AuthorizationSet output_params;
2753    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2754
2755    string ciphertext;
2756    size_t input_consumed;
2757    for (size_t i = 0; i < message.size(); i += increment)
2758        EXPECT_EQ(KM_ERROR_OK,
2759                  UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2760    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2761    EXPECT_EQ(message.size(), ciphertext.size());
2762
2763    // Move TAG_NONCE into input_params
2764    input_params.Reinitialize(output_params);
2765    input_params.push_back(client_params());
2766    input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2767    input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2768    output_params.Clear();
2769
2770    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2771    string plaintext;
2772    for (size_t i = 0; i < ciphertext.size(); i += increment)
2773        EXPECT_EQ(KM_ERROR_OK,
2774                  UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2775    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2776    EXPECT_EQ(ciphertext.size(), plaintext.size());
2777    EXPECT_EQ(message, plaintext);
2778
2779    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2780}
2781
2782TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) {
2783    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2784                                           .AesEncryptionKey(128)
2785                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2786                                           .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2787
2788    // Try various message lengths; all should work.
2789    for (size_t i = 0; i < 32; ++i) {
2790        string message(i, 'a');
2791        string iv;
2792        string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
2793        EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2794        string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv);
2795        EXPECT_EQ(message, plaintext);
2796    }
2797
2798    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2799}
2800
2801TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2802    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2803                                           .AesEncryptionKey(128)
2804                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2805                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
2806                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2807    string aad = "foobar";
2808    string message = "123456789012345678901234567890123456";
2809    AuthorizationSet begin_params(client_params());
2810    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2811    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2812    begin_params.push_back(TAG_MAC_LENGTH, 128);
2813
2814    AuthorizationSet update_params;
2815    update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2816
2817    // Encrypt
2818    AuthorizationSet begin_out_params;
2819    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2820    string ciphertext;
2821    size_t input_consumed;
2822    AuthorizationSet update_out_params;
2823    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2824                                           &input_consumed));
2825    EXPECT_EQ(message.size(), input_consumed);
2826    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2827
2828    // Grab nonce
2829    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2830    begin_params.push_back(begin_out_params);
2831
2832    // Decrypt.
2833    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2834    string plaintext;
2835    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2836                                           &plaintext, &input_consumed));
2837    EXPECT_EQ(ciphertext.size(), input_consumed);
2838    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2839
2840    EXPECT_EQ(message, plaintext);
2841    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2842}
2843
2844TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
2845    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2846                                           .AesEncryptionKey(128)
2847                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2848                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
2849                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2850    string aad = "foobar";
2851    string message = "123456789012345678901234567890123456";
2852    AuthorizationSet begin_params(client_params());
2853    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2854    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2855    begin_params.push_back(TAG_MAC_LENGTH, 96);
2856
2857    AuthorizationSet update_params;
2858    update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2859
2860    AuthorizationSet begin_out_params;
2861    EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
2862              BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2863
2864    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2865}
2866
2867TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
2868    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2869                                           .AesEncryptionKey(128)
2870                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2871                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
2872                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2873    string aad = "foobar";
2874    string message = "123456789012345678901234567890123456";
2875    AuthorizationSet begin_params(client_params());
2876    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2877    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2878    begin_params.push_back(TAG_MAC_LENGTH, 128);
2879
2880    AuthorizationSet update_params;
2881    update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2882
2883    // Encrypt
2884    AuthorizationSet begin_out_params;
2885    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2886    string ciphertext;
2887    size_t input_consumed;
2888    AuthorizationSet update_out_params;
2889    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2890                                           &input_consumed));
2891    EXPECT_EQ(message.size(), input_consumed);
2892    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2893
2894    // Grab nonce
2895    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2896    begin_params.Reinitialize(client_params());
2897    begin_params.push_back(begin_out_params);
2898    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2899    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2900    begin_params.push_back(TAG_MAC_LENGTH, 96);
2901
2902    // Decrypt.
2903    EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2904
2905    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2906}
2907
2908TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
2909    uint8_t nonce[] = {
2910        0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
2911    };
2912    uint8_t ciphertext[] = {
2913        0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
2914        0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
2915        0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
2916        0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
2917        0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
2918    };
2919    string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext));
2920
2921    AuthorizationSet begin_params(client_params());
2922    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2923    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2924    begin_params.push_back(TAG_MAC_LENGTH, 128);
2925    begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce));
2926
2927    string plaintext;
2928    size_t input_consumed;
2929
2930    // Import correct key and decrypt
2931    uint8_t good_key[] = {
2932        0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2933        0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2934    };
2935    string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key));
2936    ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2937                                         .AesEncryptionKey(128)
2938                                         .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2939                                         .Authorization(TAG_PADDING, KM_PAD_NONE)
2940                                         .Authorization(TAG_CALLER_NONCE)
2941                                         .Authorization(TAG_MIN_MAC_LENGTH, 128),
2942                                     KM_KEY_FORMAT_RAW, good_key_str));
2943    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2944    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2945    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2946
2947    // Import bad key and decrypt
2948    uint8_t bad_key[] = {
2949        0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2950        0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2951    };
2952    string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key));
2953    ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2954                                         .AesEncryptionKey(128)
2955                                         .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2956                                         .Authorization(TAG_PADDING, KM_PAD_NONE)
2957                                         .Authorization(TAG_MIN_MAC_LENGTH, 128),
2958                                     KM_KEY_FORMAT_RAW, bad_key_str));
2959    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2960    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2961    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
2962
2963    EXPECT_EQ(0, GetParam()->keymaster0_calls());
2964}
2965
2966TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
2967    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2968                                           .AesEncryptionKey(128)
2969                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2970                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
2971                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2972    string aad = "123456789012345678";
2973    string empty_message;
2974    AuthorizationSet begin_params(client_params());
2975    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2976    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2977    begin_params.push_back(TAG_MAC_LENGTH, 128);
2978
2979    AuthorizationSet update_params;
2980    update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2981
2982    // Encrypt
2983    AuthorizationSet begin_out_params;
2984    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2985    string ciphertext;
2986    size_t input_consumed;
2987    AuthorizationSet update_out_params;
2988    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params,
2989                                           &ciphertext, &input_consumed));
2990    EXPECT_EQ(0U, input_consumed);
2991    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2992
2993    // Grab nonce
2994    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2995    begin_params.push_back(begin_out_params);
2996
2997    // Decrypt.
2998    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2999    string plaintext;
3000    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3001                                           &plaintext, &input_consumed));
3002    EXPECT_EQ(ciphertext.size(), input_consumed);
3003    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3004
3005    EXPECT_EQ(empty_message, plaintext);
3006    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3007}
3008
3009TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
3010    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3011                                           .AesEncryptionKey(128)
3012                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3013                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3014                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3015    AuthorizationSet begin_params(client_params());
3016    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3017    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3018    begin_params.push_back(TAG_MAC_LENGTH, 128);
3019
3020    AuthorizationSet update_params;
3021    update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1);
3022
3023    // Encrypt
3024    AuthorizationSet begin_out_params;
3025    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3026    string ciphertext;
3027    size_t input_consumed;
3028    AuthorizationSet update_out_params;
3029
3030    // Send AAD, incrementally
3031    for (int i = 0; i < 1000; ++i) {
3032        EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext,
3033                                               &input_consumed));
3034        EXPECT_EQ(0U, input_consumed);
3035        EXPECT_EQ(0U, ciphertext.size());
3036    }
3037
3038    // Now send data, incrementally, no data.
3039    AuthorizationSet empty_params;
3040    for (int i = 0; i < 1000; ++i) {
3041        EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext,
3042                                               &input_consumed));
3043        EXPECT_EQ(1U, input_consumed);
3044    }
3045    EXPECT_EQ(1000U, ciphertext.size());
3046
3047    // And finish.
3048    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3049    EXPECT_EQ(1016U, ciphertext.size());
3050
3051    // Grab nonce
3052    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3053    begin_params.push_back(begin_out_params);
3054
3055    // Decrypt.
3056    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3057    string plaintext;
3058
3059    // Send AAD, incrementally, no data
3060    for (int i = 0; i < 1000; ++i) {
3061        EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext,
3062                                               &input_consumed));
3063        EXPECT_EQ(0U, input_consumed);
3064        EXPECT_EQ(0U, plaintext.size());
3065    }
3066
3067    // Now send data, incrementally.
3068    for (size_t i = 0; i < ciphertext.length(); ++i) {
3069        EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1),
3070                                               &update_out_params, &plaintext, &input_consumed));
3071        EXPECT_EQ(1U, input_consumed);
3072    }
3073    EXPECT_EQ(1000U, plaintext.size());
3074    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3075
3076    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3077}
3078
3079TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3080    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3081                                           .AesEncryptionKey(128)
3082                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3083                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3084                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3085    string message = "123456789012345678901234567890123456";
3086    AuthorizationSet begin_params(client_params());
3087    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3088    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3089    begin_params.push_back(TAG_MAC_LENGTH, 128);
3090    AuthorizationSet begin_out_params;
3091
3092    AuthorizationSet update_params;
3093    update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3);
3094
3095    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3096
3097    // No data, AAD only.
3098    string ciphertext;
3099    size_t input_consumed;
3100    AuthorizationSet update_out_params;
3101    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params,
3102                                           &ciphertext, &input_consumed));
3103    EXPECT_EQ(0U, input_consumed);
3104
3105    // AAD and data.
3106    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3107                                           &input_consumed));
3108    EXPECT_EQ(message.size(), input_consumed);
3109    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3110
3111    // Grab nonce.
3112    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3113    begin_params.push_back(begin_out_params);
3114
3115    // Decrypt
3116    update_params.Clear();
3117    update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6);
3118
3119    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3120    string plaintext;
3121    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3122                                           &plaintext, &input_consumed));
3123    EXPECT_EQ(ciphertext.size(), input_consumed);
3124    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3125
3126    EXPECT_EQ(message, plaintext);
3127    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3128}
3129
3130TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3131    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3132                                           .AesEncryptionKey(128)
3133                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3134                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3135                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3136    string message = "12345678901234567890123456789012";
3137    AuthorizationSet begin_params(client_params());
3138    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3139    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3140    begin_params.push_back(TAG_MAC_LENGTH, 128);
3141
3142    AuthorizationSet update_params;
3143    update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3144
3145    AuthorizationSet finish_params;
3146    AuthorizationSet finish_out_params;
3147
3148    // Encrypt
3149    AuthorizationSet begin_out_params;
3150    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3151    AuthorizationSet update_out_params;
3152    string ciphertext;
3153    size_t input_consumed;
3154    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3155                                           &input_consumed));
3156    EXPECT_EQ(message.size(), input_consumed);
3157    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3158
3159    // Grab nonce
3160    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3161    begin_params.push_back(begin_out_params);
3162
3163    update_params.Clear();
3164    update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6);
3165
3166    // Decrypt.
3167    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3168    string plaintext;
3169    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3170                                           &plaintext, &input_consumed));
3171    EXPECT_EQ(ciphertext.size(), input_consumed);
3172    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3173
3174    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3175}
3176
3177TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3178    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3179                                           .AesEncryptionKey(128)
3180                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3181                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3182                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3183    string message = "12345678901234567890123456789012";
3184    AuthorizationSet begin_params(client_params());
3185    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3186    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3187    begin_params.push_back(TAG_MAC_LENGTH, 128);
3188
3189    AuthorizationSet update_params;
3190    update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3191
3192    // Encrypt
3193    AuthorizationSet begin_out_params;
3194    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3195    AuthorizationSet update_out_params;
3196    string ciphertext;
3197    size_t input_consumed;
3198    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3199                                           &input_consumed));
3200    EXPECT_EQ(message.size(), input_consumed);
3201    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3202
3203    begin_params.push_back(TAG_NONCE, "123456789012", 12);
3204
3205    // Decrypt
3206    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3207    string plaintext;
3208    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3209                                           &plaintext, &input_consumed));
3210    EXPECT_EQ(ciphertext.size(), input_consumed);
3211    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3212
3213    // With wrong nonce, should have gotten garbage plaintext.
3214    EXPECT_NE(message, plaintext);
3215    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3216}
3217
3218TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3219    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3220                                           .AesEncryptionKey(128)
3221                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3222                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3223                                           .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3224    string aad = "foobar";
3225    string message = "123456789012345678901234567890123456";
3226    AuthorizationSet begin_params(client_params());
3227    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3228    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3229    begin_params.push_back(TAG_MAC_LENGTH, 128);
3230    AuthorizationSet begin_out_params;
3231
3232    AuthorizationSet update_params;
3233    update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3234
3235    // Encrypt
3236    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3237    AuthorizationSet update_out_params;
3238    string ciphertext;
3239    size_t input_consumed;
3240    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3241                                           &input_consumed));
3242    EXPECT_EQ(message.size(), input_consumed);
3243    EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3244
3245    // Corrupt tag
3246    (*ciphertext.rbegin())++;
3247
3248    // Grab nonce.
3249    EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3250    begin_params.push_back(begin_out_params);
3251
3252    // Decrypt.
3253    EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3254    string plaintext;
3255    EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3256                                           &plaintext, &input_consumed));
3257    EXPECT_EQ(ciphertext.size(), input_consumed);
3258    EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3259
3260    EXPECT_EQ(message, plaintext);
3261    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3262}
3263
3264typedef Keymaster2Test MaxOperationsTest;
3265INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params);
3266
3267TEST_P(MaxOperationsTest, TestLimit) {
3268    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3269                                           .AesEncryptionKey(128)
3270                                           .EcbMode()
3271                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3272                                           .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3273
3274    string message = "1234567890123456";
3275    string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3276    string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3277    string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3278
3279    // Fourth time should fail.
3280    AuthorizationSet begin_params(client_params());
3281    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3282    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3283    EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3284
3285    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3286}
3287
3288TEST_P(MaxOperationsTest, TestAbort) {
3289    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3290                                           .AesEncryptionKey(128)
3291                                           .EcbMode()
3292                                           .Authorization(TAG_PADDING, KM_PAD_NONE)
3293                                           .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3294
3295    string message = "1234567890123456";
3296    string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3297    string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3298    string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3299
3300    // Fourth time should fail.
3301    AuthorizationSet begin_params(client_params());
3302    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3303    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3304    EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3305
3306    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3307}
3308
3309typedef Keymaster2Test AddEntropyTest;
3310INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params);
3311
3312TEST_P(AddEntropyTest, AddEntropy) {
3313    // There's no obvious way to test that entropy is actually added, but we can test that the API
3314    // doesn't blow up or return an error.
3315    EXPECT_EQ(KM_ERROR_OK,
3316              device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3));
3317
3318    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3319}
3320
3321typedef Keymaster2Test Keymaster0AdapterTest;
3322INSTANTIATE_TEST_CASE_P(
3323    AndroidKeymasterTest, Keymaster0AdapterTest,
3324    ::testing::Values(
3325        InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
3326        InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))));
3327
3328TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) {
3329    // Load and use an old-style Keymaster1 software key blob.  These blobs contain OCB-encrypted
3330    // key data.
3331    string km1_sw = read_file("km1_sw_rsa_512.blob");
3332    EXPECT_EQ(486U, km1_sw.length());
3333
3334    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3335    memcpy(key_data, km1_sw.data(), km1_sw.length());
3336    set_key_blob(key_data, km1_sw.length());
3337
3338    string message(64, 'a');
3339    string signature;
3340    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3341
3342    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3343}
3344
3345TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) {
3346    // Load and use an old-style Keymaster1 software key blob, without the version byte.  These
3347    // blobs contain OCB-encrypted key data.
3348    string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob");
3349    EXPECT_EQ(477U, km1_sw.length());
3350
3351    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3352    memcpy(key_data, km1_sw.data(), km1_sw.length());
3353    set_key_blob(key_data, km1_sw.length());
3354
3355    string message(64, 'a');
3356    string signature;
3357    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3358
3359    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3360}
3361
3362TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) {
3363    // Load and use an old-style Keymaster1 software key blob.  These blobs contain OCB-encrypted
3364    // key data.
3365    string km1_sw = read_file("km1_sw_ecdsa_256.blob");
3366    EXPECT_EQ(270U, km1_sw.length());
3367
3368    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3369    memcpy(key_data, km1_sw.data(), km1_sw.length());
3370    set_key_blob(key_data, km1_sw.length());
3371
3372    string message(32, static_cast<char>(0xFF));
3373    string signature;
3374    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3375
3376    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3377}
3378
3379struct Malloc_Delete {
3380    void operator()(void* p) { free(p); }
3381};
3382
3383TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) {
3384    // Load and use an old softkeymaster blob.  These blobs contain PKCS#8 key data.
3385    string km0_sw = read_file("km0_sw_rsa_512.blob");
3386    EXPECT_EQ(333U, km0_sw.length());
3387
3388    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3389    memcpy(key_data, km0_sw.data(), km0_sw.length());
3390    set_key_blob(key_data, km0_sw.length());
3391
3392    string message(64, 'a');
3393    string signature;
3394    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3395
3396    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3397}
3398
3399TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) {
3400    // Load and use an old softkeymaster blob.  These blobs contain PKCS#8 key data.
3401    string km0_sw = read_file("km0_sw_rsa_512.blob");
3402    EXPECT_EQ(333U, km0_sw.length());
3403
3404    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3405    memcpy(key_data, km0_sw.data(), km0_sw.length());
3406    set_key_blob(key_data, km0_sw.length());
3407
3408    EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3409    EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3410    EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3411    EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3412    EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3413    EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3414    EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3415    EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3416    EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3417    EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3418
3419    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3420}
3421
3422TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) {
3423    // Load and use an old softkeymaster blob.  These blobs contain PKCS#8 key data.
3424    string km0_sw = read_file("km0_sw_rsa_512.blob");
3425    EXPECT_EQ(333U, km0_sw.length());
3426
3427    // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3428    // be recognized as a software key.  Do the same here to pretend this is a hardware key.
3429    EXPECT_EQ('P', km0_sw[0]);
3430    km0_sw[0] = 'Q';
3431
3432    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3433    memcpy(key_data, km0_sw.data(), km0_sw.length());
3434    set_key_blob(key_data, km0_sw.length());
3435
3436    string message(64, 'a');
3437    string signature;
3438    SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3439    VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
3440
3441    EXPECT_EQ(5, GetParam()->keymaster0_calls());
3442}
3443
3444TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) {
3445    // Load and use an old softkeymaster blob.  These blobs contain PKCS#8 key data.
3446    string km0_sw = read_file("km0_sw_rsa_512.blob");
3447    EXPECT_EQ(333U, km0_sw.length());
3448
3449    // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3450    // be recognized as a software key.  Do the same here to pretend this is a hardware key.
3451    EXPECT_EQ('P', km0_sw[0]);
3452    km0_sw[0] = 'Q';
3453
3454    uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3455    memcpy(key_data, km0_sw.data(), km0_sw.length());
3456    set_key_blob(key_data, km0_sw.length());
3457
3458    EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3459    EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3460    EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512));
3461    EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3462    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3463    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5));
3464    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1));
3465    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224));
3466    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256));
3467    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384));
3468    EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512));
3469    EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE));
3470    EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT));
3471    EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN));
3472    EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP));
3473    EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS));
3474    EXPECT_EQ(15U, hw_enforced().size());
3475
3476    EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3477    EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3478    EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3479    EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3480
3481    EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3482    EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3483    EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3484    EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3485    EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3486
3487    EXPECT_EQ(1, GetParam()->keymaster0_calls());
3488}
3489
3490typedef Keymaster2Test AttestationTest;
3491INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params);
3492
3493static X509* parse_cert_blob(const keymaster_blob_t& blob) {
3494    const uint8_t* p = blob.data;
3495    return d2i_X509(nullptr, &p, blob.data_length);
3496}
3497
3498static bool verify_chain(const keymaster_cert_chain_t& chain) {
3499    for (size_t i = 0; i < chain.entry_count - 1; ++i) {
3500        keymaster_blob_t& key_cert_blob = chain.entries[i];
3501        keymaster_blob_t& signing_cert_blob = chain.entries[i + 1];
3502
3503        X509_Ptr key_cert(parse_cert_blob(key_cert_blob));
3504        X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob));
3505        EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
3506        if (!key_cert.get() || !signing_cert.get())
3507            return false;
3508
3509        EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
3510        EXPECT_TRUE(!!signing_pubkey.get());
3511        if (!signing_pubkey.get())
3512            return false;
3513
3514        EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
3515            << "Verification of certificate " << i << " failed";
3516    }
3517
3518    return true;
3519}
3520
3521// Extract attestation record from cert. Returned object is still part of cert; don't free it
3522// separately.
3523static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
3524    ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
3525    EXPECT_TRUE(!!oid.get());
3526    if (!oid.get())
3527        return nullptr;
3528
3529    int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
3530    EXPECT_NE(-1, location);
3531    if (location == -1)
3532        return nullptr;
3533
3534    X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
3535    EXPECT_TRUE(!!attest_rec_ext);
3536    if (!attest_rec_ext)
3537        return nullptr;
3538
3539    ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
3540    EXPECT_TRUE(!!attest_rec);
3541    return attest_rec;
3542}
3543
3544static bool verify_attestation_record(const string& challenge,
3545                                      AuthorizationSet expected_sw_enforced,
3546                                      AuthorizationSet expected_tee_enforced,
3547                                      uint32_t expected_keymaster_version,
3548                                      keymaster_security_level_t expected_keymaster_security_level,
3549                                      const keymaster_blob_t& attestation_cert) {
3550
3551    X509_Ptr cert(parse_cert_blob(attestation_cert));
3552    EXPECT_TRUE(!!cert.get());
3553    if (!cert.get())
3554        return false;
3555
3556    ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
3557    EXPECT_TRUE(!!attest_rec);
3558    if (!attest_rec)
3559        return false;
3560
3561    AuthorizationSet att_sw_enforced;
3562    AuthorizationSet att_tee_enforced;
3563    uint32_t att_attestation_version;
3564    uint32_t att_keymaster_version;
3565    keymaster_security_level_t att_attestation_security_level;
3566    keymaster_security_level_t att_keymaster_security_level;
3567    keymaster_blob_t att_challenge = {};
3568    keymaster_blob_t att_unique_id = {};
3569    EXPECT_EQ(KM_ERROR_OK, parse_attestation_record(
3570                               attest_rec->data, attest_rec->length, &att_attestation_version,
3571                               &att_attestation_security_level, &att_keymaster_version,
3572                               &att_keymaster_security_level, &att_challenge, &att_sw_enforced,
3573                               &att_tee_enforced, &att_unique_id));
3574
3575    EXPECT_EQ(1U, att_attestation_version);
3576    EXPECT_EQ(KM_SECURITY_LEVEL_SOFTWARE, att_attestation_security_level);
3577    EXPECT_EQ(expected_keymaster_version, att_keymaster_version);
3578    EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level);
3579
3580    EXPECT_EQ(challenge.length(), att_challenge.data_length);
3581    EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length()));
3582
3583    // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in
3584    // attestations, since they're meaningless off-device.
3585    uint32_t user_id;
3586    if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id))
3587        att_sw_enforced.push_back(TAG_USER_ID, user_id);
3588    if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id))
3589        att_tee_enforced.push_back(TAG_USER_ID, user_id);
3590
3591    // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included
3592    // in the attestation.
3593    if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3594        att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3595    if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3596        att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3597
3598    att_sw_enforced.Sort();
3599    expected_sw_enforced.Sort();
3600    EXPECT_EQ(expected_sw_enforced, att_sw_enforced);
3601
3602    att_tee_enforced.Sort();
3603    expected_tee_enforced.Sort();
3604    EXPECT_EQ(expected_tee_enforced, att_tee_enforced);
3605
3606    return true;
3607}
3608
3609TEST_P(AttestationTest, RsaAttestation) {
3610    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3611                                           .RsaSigningKey(256, 3)
3612                                           .Digest(KM_DIGEST_NONE)
3613                                           .Padding(KM_PAD_NONE)
3614                                           .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3615
3616    keymaster_cert_chain_t cert_chain;
3617    EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3618    EXPECT_EQ(3U, cert_chain.entry_count);
3619    EXPECT_TRUE(verify_chain(cert_chain));
3620
3621    uint32_t expected_keymaster_version;
3622    keymaster_security_level_t expected_keymaster_security_level;
3623    // TODO(swillden): Add a test KM1 that claims to be hardware.
3624    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
3625        expected_keymaster_version = 0;
3626        expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3627    } else {
3628        expected_keymaster_version = 2;
3629        expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3630    }
3631
3632    EXPECT_TRUE(verify_attestation_record(
3633        "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3634        expected_keymaster_security_level, cert_chain.entries[0]));
3635
3636    keymaster_free_cert_chain(&cert_chain);
3637}
3638
3639TEST_P(AttestationTest, EcAttestation) {
3640    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3641                               KM_DIGEST_SHA_2_256)));
3642
3643    uint32_t expected_keymaster_version;
3644    keymaster_security_level_t expected_keymaster_security_level;
3645    // TODO(swillden): Add a test KM1 that claims to be hardware.
3646    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
3647        expected_keymaster_version = 0;
3648        expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3649    } else {
3650        expected_keymaster_version = 2;
3651        expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3652    }
3653
3654    keymaster_cert_chain_t cert_chain;
3655    EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3656    EXPECT_EQ(3U, cert_chain.entry_count);
3657    EXPECT_TRUE(verify_chain(cert_chain));
3658    EXPECT_TRUE(verify_attestation_record(
3659        "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3660        expected_keymaster_security_level, cert_chain.entries[0]));
3661
3662    keymaster_free_cert_chain(&cert_chain);
3663}
3664
3665typedef Keymaster2Test KeyUpgradeTest;
3666INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params);
3667
3668TEST_P(KeyUpgradeTest, AesVersionUpgrade) {
3669    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3670
3671    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3672                                           .AesEncryptionKey(128)
3673                                           .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3674                                           .Padding(KM_PAD_NONE)));
3675
3676    // Key should operate fine.
3677    string message = "1234567890123456";
3678    string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3679    EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3680
3681    // Increase patch level.  Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3682    GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3683    AuthorizationSet begin_params(client_params());
3684    begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3685    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3686    if (GetParam()->is_keymaster1_hw()) {
3687        // Keymaster1 hardware can't support version binding.  The key will work regardless
3688        // of system version.  Just abort the remainder of the test.
3689        EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3690        EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3691        return;
3692    }
3693    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3694
3695    // Getting characteristics should also fail
3696    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3697
3698    // Upgrade key.
3699    EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3700
3701    // Key should work again
3702    ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3703    EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3704
3705    // Decrease patch level.  Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3706    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3707    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3708    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3709
3710    // Upgrade should fail
3711    EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3712
3713    EXPECT_EQ(0, GetParam()->keymaster0_calls());
3714}
3715
3716TEST_P(KeyUpgradeTest, RsaVersionUpgrade) {
3717    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3718
3719    ASSERT_EQ(KM_ERROR_OK,
3720              GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(128, 3).Padding(KM_PAD_NONE)));
3721
3722    // Key should operate fine.
3723    string message = "1234567890123456";
3724    string ciphertext = EncryptMessage(message, KM_PAD_NONE);
3725    EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3726
3727    // Increase patch level.  Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3728    GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3729    AuthorizationSet begin_params(client_params());
3730    begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3731    if (GetParam()->is_keymaster1_hw()) {
3732        // Keymaster1 hardware can't support version binding.  The key will work regardless
3733        // of system version.  Just abort the remainder of the test.
3734        EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3735        EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3736        return;
3737    }
3738    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3739
3740    // Getting characteristics should also fail
3741    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3742
3743    // Upgrade key.
3744    EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3745
3746    // Key should work again
3747    ciphertext = EncryptMessage(message, KM_PAD_NONE);
3748    EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3749
3750    // Decrease patch level.  Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3751    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3752    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3753    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3754
3755    // Upgrade should fail
3756    EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3757
3758    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
3759        EXPECT_EQ(7, GetParam()->keymaster0_calls());
3760}
3761
3762TEST_P(KeyUpgradeTest, EcVersionUpgrade) {
3763    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3764
3765    ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3766                               KM_DIGEST_SHA_2_256)));
3767
3768    // Key should operate fine.
3769    string message = "1234567890123456";
3770    string signature;
3771    SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3772    VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3773
3774    // Increase patch level.  Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3775    GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3776    AuthorizationSet begin_params(client_params());
3777    begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
3778    if (GetParam()->is_keymaster1_hw()) {
3779        // Keymaster1 hardware can't support version binding.  The key will work regardless
3780        // of system version.  Just abort the remainder of the test.
3781        EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3782        EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3783        return;
3784    }
3785    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3786
3787    // Getting characteristics should also fail
3788    EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3789
3790    // Upgrade key.
3791    EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3792
3793    // Key should work again
3794    SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3795    VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3796
3797    // Decrease patch level.  Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3798    GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3799    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3800    EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3801
3802    // Upgrade should fail
3803    EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3804
3805    if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
3806        EXPECT_EQ(7, GetParam()->keymaster0_calls());
3807}
3808
3809TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) {
3810    // Make a good fake device, and wrap it.
3811    SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext));
3812
3813    // Wrap it and check it.
3814    SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext));
3815    good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device());
3816    EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood());
3817
3818    // Close and clean up wrapper and wrapped
3819    good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device());
3820
3821    // Make a "bad" (doesn't support all digests) device;
3822    keymaster1_device_t* sha256_only_fake = make_device_sha256_only(
3823        (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device());
3824
3825    // Wrap it and check it.
3826    SoftKeymasterDevice* sha256_only_fake_wrapper(
3827        (new SoftKeymasterDevice(new TestKeymasterContext)));
3828    sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake);
3829    EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood());
3830
3831    // Close and clean up wrapper and wrapped
3832    sha256_only_fake_wrapper->keymaster_device()->common.close(
3833        sha256_only_fake_wrapper->hw_device());
3834}
3835
3836}  // namespace test
3837}  // namespace keymaster
3838