1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <algorithm> 18 19#include <gtest/gtest.h> 20 21#include <openssl/engine.h> 22#include <openssl/rand.h> 23 24#include <keymaster/authorization_set.h> 25#include <keymaster/android_keymaster_utils.h> 26#include <keymaster/keymaster_tags.h> 27 28#include "android_keymaster_test_utils.h" 29#include "auth_encrypted_key_blob.h" 30#include "integrity_assured_key_blob.h" 31#include "ocb_utils.h" 32 33namespace keymaster { 34 35namespace test { 36 37const uint8_t master_key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 38const uint8_t key_data[5] = {21, 22, 23, 24, 25}; 39 40class KeyBlobTest : public testing::Test { 41 protected: 42 KeyBlobTest() 43 : master_key_(master_key_data, array_length(master_key_data)), 44 key_material_(key_data, array_length(key_data)) { 45 hw_enforced_.push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA); 46 hw_enforced_.push_back(TAG_KEY_SIZE, 256); 47 hw_enforced_.push_back(TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE); 48 hw_enforced_.push_back(TAG_MIN_SECONDS_BETWEEN_OPS, 10); 49 hw_enforced_.push_back(TAG_ALL_USERS); 50 hw_enforced_.push_back(TAG_NO_AUTH_REQUIRED); 51 hw_enforced_.push_back(TAG_ORIGIN, KM_ORIGIN_GENERATED); 52 53 sw_enforced_.push_back(TAG_ACTIVE_DATETIME, 10); 54 sw_enforced_.push_back(TAG_ORIGINATION_EXPIRE_DATETIME, 100); 55 sw_enforced_.push_back(TAG_CREATION_DATETIME, 10); 56 57 hidden_.push_back(TAG_ROOT_OF_TRUST, "foo", 3); 58 hidden_.push_back(TAG_APPLICATION_ID, "my_app", 6); 59 60 nonce_.reserve(OCB_NONCE_LENGTH); 61 EXPECT_EQ(1, RAND_bytes(nonce_.peek_write(), OCB_NONCE_LENGTH)); 62 nonce_.advance_write(OCB_NONCE_LENGTH); 63 64 tag_.reserve(OCB_TAG_LENGTH); 65 } 66 67 keymaster_error_t Encrypt() { 68 return OcbEncryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, key_material_, 69 nonce_, &ciphertext_, &tag_); 70 } 71 72 keymaster_error_t Decrypt() { 73 return OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, ciphertext_, nonce_, 74 tag_, &decrypted_plaintext_); 75 } 76 77 keymaster_error_t Serialize() { 78 return SerializeAuthEncryptedBlob(ciphertext_, hw_enforced_, sw_enforced_, nonce_, tag_, 79 &serialized_blob_); 80 } 81 82 keymaster_error_t Deserialize() { 83 return DeserializeAuthEncryptedBlob(serialized_blob_, &ciphertext_, &hw_enforced_, 84 &sw_enforced_, &nonce_, &tag_); 85 } 86 87 AuthorizationSet hw_enforced_; 88 AuthorizationSet sw_enforced_; 89 AuthorizationSet hidden_; 90 Buffer nonce_, tag_; 91 92 KeymasterKeyBlob master_key_; 93 KeymasterKeyBlob key_material_; 94 KeymasterKeyBlob ciphertext_; 95 KeymasterKeyBlob decrypted_plaintext_; 96 KeymasterKeyBlob serialized_blob_; 97}; 98 99TEST_F(KeyBlobTest, EncryptDecrypt) { 100 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 101 ASSERT_EQ(KM_ERROR_OK, Serialize()); 102 103 // key_data shouldn't be anywhere in the blob, ciphertext should. 104 EXPECT_EQ(serialized_blob_.end(), std::search(serialized_blob_.begin(), serialized_blob_.end(), 105 key_material_.begin(), key_material_.end())); 106 EXPECT_NE(serialized_blob_.end(), std::search(serialized_blob_.begin(), serialized_blob_.end(), 107 ciphertext_.begin(), ciphertext_.end())); 108 109 ciphertext_.Clear(); 110 nonce_.Clear(); 111 tag_.Clear(); 112 AuthorizationSet hw2; 113 AuthorizationSet sw2; 114 115 ASSERT_EQ(KM_ERROR_OK, DeserializeAuthEncryptedBlob(serialized_blob_, &ciphertext_, &hw2, &sw2, 116 &nonce_, &tag_)); 117 KeymasterKeyBlob plaintext; 118 OcbDecryptKey(hw2, sw2, hidden_, master_key_, ciphertext_, nonce_, tag_, &plaintext); 119 120 EXPECT_EQ(hw_enforced_, hw2); 121 EXPECT_EQ(sw_enforced_, sw2); 122 123 ASSERT_EQ(key_material_.key_material_size, plaintext.key_material_size); 124 EXPECT_EQ(0, memcmp(plaintext.begin(), key_material_.begin(), plaintext.key_material_size)); 125} 126 127TEST_F(KeyBlobTest, WrongKeyLength) { 128 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 129 ASSERT_EQ(KM_ERROR_OK, Serialize()); 130 131 // Modify the key length, shouldn't be able to parse. 132 serialized_blob_.writable_data()[1 /* version */ + 4 /* nonce len */ + 12 /* nonce */ + 3]++; 133 134 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Deserialize()); 135} 136 137TEST_F(KeyBlobTest, WrongNonce) { 138 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 139 ASSERT_EQ(KM_ERROR_OK, Serialize()); 140 141 // Find the nonce, then modify it. 142 auto nonce_ptr = 143 std::search(serialized_blob_.begin(), serialized_blob_.end(), nonce_.begin(), nonce_.end()); 144 ASSERT_NE(nonce_ptr, serialized_blob_.end()); 145 EXPECT_EQ(serialized_blob_.end(), 146 std::search(nonce_ptr + 1, serialized_blob_.end(), nonce_.begin(), nonce_.end())); 147 (*const_cast<uint8_t*>(nonce_ptr))++; 148 149 // Deserialization shouldn't be affected, but decryption should fail. 150 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 151 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt()); 152} 153 154TEST_F(KeyBlobTest, WrongTag) { 155 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 156 ASSERT_EQ(KM_ERROR_OK, Serialize()); 157 158 // Find the tag, them modify it. 159 auto tag_ptr = 160 std::search(serialized_blob_.begin(), serialized_blob_.end(), tag_.begin(), tag_.end()); 161 ASSERT_NE(tag_ptr, serialized_blob_.end()); 162 EXPECT_EQ(serialized_blob_.end(), 163 std::search(tag_ptr + 1, serialized_blob_.end(), tag_.begin(), tag_.end())); 164 (*const_cast<uint8_t*>(tag_ptr))++; 165 166 // Deserialization shouldn't be affected, but decryption should fail. 167 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 168 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt()); 169} 170 171TEST_F(KeyBlobTest, WrongCiphertext) { 172 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 173 ASSERT_EQ(KM_ERROR_OK, Serialize()); 174 175 // Find the ciphertext, them modify it. 176 auto ciphertext_ptr = std::search(serialized_blob_.begin(), serialized_blob_.end(), 177 ciphertext_.begin(), ciphertext_.end()); 178 ASSERT_NE(ciphertext_ptr, serialized_blob_.end()); 179 EXPECT_EQ(serialized_blob_.end(), std::search(ciphertext_ptr + 1, serialized_blob_.end(), 180 ciphertext_.begin(), ciphertext_.end())); 181 (*const_cast<uint8_t*>(ciphertext_ptr))++; 182 183 // Deserialization shouldn't be affected, but decryption should fail. 184 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 185 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt()); 186} 187 188TEST_F(KeyBlobTest, WrongMasterKey) { 189 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 190 ASSERT_EQ(KM_ERROR_OK, Serialize()); 191 192 uint8_t wrong_master_data[] = {1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 193 KeymasterKeyBlob wrong_master(wrong_master_data, array_length(wrong_master_data)); 194 195 // Decrypting with wrong master key should fail. 196 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 197 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, 198 OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, wrong_master, ciphertext_, nonce_, 199 tag_, &decrypted_plaintext_)); 200} 201 202TEST_F(KeyBlobTest, WrongHwEnforced) { 203 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 204 ASSERT_EQ(KM_ERROR_OK, Serialize()); 205 206 // Find enforced serialization data and modify it. 207 size_t hw_enforced_size = hw_enforced_.SerializedSize(); 208 UniquePtr<uint8_t[]> hw_enforced_data(new uint8_t[hw_enforced_size]); 209 hw_enforced_.Serialize(hw_enforced_data.get(), hw_enforced_data.get() + hw_enforced_size); 210 211 auto hw_enforced_ptr = 212 std::search(serialized_blob_.begin(), serialized_blob_.end(), hw_enforced_data.get(), 213 hw_enforced_data.get() + hw_enforced_size); 214 ASSERT_NE(serialized_blob_.end(), hw_enforced_ptr); 215 EXPECT_EQ(serialized_blob_.end(), 216 std::search(hw_enforced_ptr + 1, serialized_blob_.end(), hw_enforced_data.get(), 217 hw_enforced_data.get() + hw_enforced_size)); 218 (*(const_cast<uint8_t*>(hw_enforced_ptr) + hw_enforced_size - 1))++; 219 220 // Deserialization shouldn't be affected, but decryption should fail. 221 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 222 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt()); 223} 224 225TEST_F(KeyBlobTest, WrongSwEnforced) { 226 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 227 ASSERT_EQ(KM_ERROR_OK, Serialize()); 228 229 // Find enforced serialization data and modify it. 230 size_t sw_enforced_size = sw_enforced_.SerializedSize(); 231 UniquePtr<uint8_t[]> sw_enforced_data(new uint8_t[sw_enforced_size]); 232 sw_enforced_.Serialize(sw_enforced_data.get(), sw_enforced_data.get() + sw_enforced_size); 233 234 auto sw_enforced_ptr = 235 std::search(serialized_blob_.begin(), serialized_blob_.end(), sw_enforced_data.get(), 236 sw_enforced_data.get() + sw_enforced_size); 237 ASSERT_NE(serialized_blob_.end(), sw_enforced_ptr); 238 EXPECT_EQ(serialized_blob_.end(), 239 std::search(sw_enforced_ptr + 1, serialized_blob_.end(), sw_enforced_data.get(), 240 sw_enforced_data.get() + sw_enforced_size)); 241 (*(const_cast<uint8_t*>(sw_enforced_ptr) + sw_enforced_size - 1))++; 242 243 // Deserialization shouldn't be affected, but decryption should fail. 244 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 245 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt()); 246} 247 248TEST_F(KeyBlobTest, EmptyHidden) { 249 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 250 ASSERT_EQ(KM_ERROR_OK, Serialize()); 251 252 AuthorizationSet wrong_hidden; 253 254 // Deserialization shouldn't be affected, but decryption should fail. 255 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 256 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 257 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_, 258 nonce_, tag_, &decrypted_plaintext_)); 259} 260 261TEST_F(KeyBlobTest, WrongRootOfTrust) { 262 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 263 ASSERT_EQ(KM_ERROR_OK, Serialize()); 264 265 AuthorizationSet wrong_hidden; 266 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "bar", 2); 267 wrong_hidden.push_back(TAG_APPLICATION_ID, "my_app", 6); 268 269 // Deserialization shouldn't be affected, but decryption should fail. 270 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 271 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 272 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_, 273 nonce_, tag_, &decrypted_plaintext_)); 274} 275 276TEST_F(KeyBlobTest, WrongAppId) { 277 ASSERT_EQ(KM_ERROR_OK, Encrypt()); 278 ASSERT_EQ(KM_ERROR_OK, Serialize()); 279 280 AuthorizationSet wrong_hidden; 281 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "foo", 3); 282 wrong_hidden.push_back(TAG_APPLICATION_ID, "your_app", 7); 283 284 // Deserialization shouldn't be affected, but decryption should fail. 285 ASSERT_EQ(KM_ERROR_OK, Deserialize()); 286 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 287 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_, 288 nonce_, tag_, &decrypted_plaintext_)); 289} 290 291// This test is especially useful when compiled for 32-bit mode and run under valgrind. 292TEST_F(KeyBlobTest, FuzzTest) { 293 time_t now = time(NULL); 294 std::cout << "Seeding rand() with " << now << " for fuzz test." << std::endl; 295 srand(now); 296 297 // Fill large buffer with random bytes. 298 const int kBufSize = 10000; 299 UniquePtr<uint8_t[]> buf(new uint8_t[kBufSize]); 300 for (size_t i = 0; i < kBufSize; ++i) 301 buf[i] = static_cast<uint8_t>(rand()); 302 303 // Try to deserialize every offset with multiple methods. 304 size_t deserialize_auth_encrypted_success = 0; 305 for (size_t i = 0; i < kBufSize; ++i) { 306 keymaster_key_blob_t blob = {buf.get() + i, kBufSize - i}; 307 KeymasterKeyBlob key_blob(blob); 308 309 // Integrity-assured blob. 310 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, 311 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_, 312 &sw_enforced_)); 313 314 // Auth-encrypted OCB blob. 315 keymaster_error_t error = DeserializeAuthEncryptedBlob( 316 key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_, &nonce_, &tag_); 317 if (error == KM_ERROR_OK) { 318 // It's possible to deserialize successfully. Decryption should always fail. 319 ++deserialize_auth_encrypted_success; 320 error = OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, ciphertext_, 321 nonce_, tag_, &decrypted_plaintext_); 322 } 323 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, error) 324 << "Somehow sucessfully parsed a blob with seed " << now << " at offset " << i; 325 } 326} 327 328TEST_F(KeyBlobTest, UnderflowTest) { 329 uint8_t buf[0]; 330 keymaster_key_blob_t blob = {buf, 0}; 331 KeymasterKeyBlob key_blob(blob); 332 EXPECT_NE(nullptr, key_blob.key_material); 333 EXPECT_EQ(0U, key_blob.key_material_size); 334 335 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 336 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_, 337 &sw_enforced_)); 338 339 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 340 DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_, 341 &nonce_, &tag_)); 342} 343 344TEST_F(KeyBlobTest, DupBufferToolarge) { 345 uint8_t buf[0]; 346 keymaster_key_blob_t blob = {buf, 0}; 347 blob.key_material_size = 16 * 1024 * 1024 + 1; 348 KeymasterKeyBlob key_blob(blob); 349 EXPECT_EQ(nullptr, key_blob.key_material); 350 EXPECT_EQ(0U, key_blob.key_material_size); 351 352 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, 353 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_, 354 &sw_enforced_)); 355 356 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, 357 DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_, 358 &nonce_, &tag_)); 359} 360 361} // namespace test 362} // namespace keymaster 363