KeyStoreTest.java revision 4a0ff7ca984d29bd34b02e54441957cad65e8b53
1/* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package android.security; 18 19import android.app.Activity; 20import android.os.Binder; 21import android.os.IBinder; 22import android.os.Process; 23import android.security.keymaster.ExportResult; 24import android.security.keymaster.KeyCharacteristics; 25import android.security.keymaster.KeymasterArguments; 26import android.security.keymaster.KeymasterBlob; 27import android.security.keymaster.KeymasterDefs; 28import android.security.keymaster.OperationResult; 29import android.test.ActivityUnitTestCase; 30import android.test.AssertionFailedError; 31import android.test.MoreAsserts; 32import android.test.suitebuilder.annotation.MediumTest; 33import com.android.org.conscrypt.NativeConstants; 34import java.nio.charset.StandardCharsets; 35import java.util.Arrays; 36import java.util.HashSet; 37import java.security.spec.RSAKeyGenParameterSpec; 38 39/** 40 * Junit / Instrumentation test case for KeyStore class 41 * 42 * Running the test suite: 43 * 44 * runtest keystore-unit 45 * 46 * Or this individual test case: 47 * 48 * runtest --path frameworks/base/keystore/tests/src/android/security/KeyStoreTest.java 49 */ 50@MediumTest 51public class KeyStoreTest extends ActivityUnitTestCase<Activity> { 52 private static final String TEST_PASSWD = "12345678"; 53 private static final String TEST_PASSWD2 = "87654321"; 54 private static final String TEST_KEYNAME = "test-key"; 55 private static final String TEST_KEYNAME1 = "test-key.1"; 56 private static final String TEST_KEYNAME2 = "test-key\02"; 57 private static final byte[] TEST_KEYVALUE = "test value".getBytes(StandardCharsets.UTF_8); 58 59 // "Hello, World" in Chinese 60 private static final String TEST_I18N_KEY = "\u4F60\u597D, \u4E16\u754C"; 61 private static final byte[] TEST_I18N_VALUE = TEST_I18N_KEY.getBytes(StandardCharsets.UTF_8); 62 63 // Test vector data for signatures 64 private static final int RSA_KEY_SIZE = 1024; 65 private static final byte[] TEST_DATA = new byte[RSA_KEY_SIZE / 8]; 66 static { 67 for (int i = 0; i < TEST_DATA.length; i++) { 68 TEST_DATA[i] = (byte) i; 69 } 70 } 71 72 private KeyStore mKeyStore = null; 73 74 public KeyStoreTest() { 75 super(Activity.class); 76 } 77 78 private static final byte[] PRIVKEY_BYTES = hexToBytes( 79 "308204BE020100300D06092A864886F70D0101010500048204A8308204A4020100028201" + 80 "0100E0473E8AB8F2284FEB9E742FF9748FA118ED98633C92F52AEB7A2EBE0D3BE60329BE" + 81 "766AD10EB6A515D0D2CFD9BEA7930F0C306537899F7958CD3E85B01F8818524D312584A9" + 82 "4B251E3625B54141EDBFEE198808E1BB97FC7CB49B9EAAAF68E9C98D7D0EDC53BBC0FA00" + 83 "34356D6305FBBCC3C7001405386ABBC873CB0F3EF7425F3D33DF7B315AE036D2A0B66AFD" + 84 "47503B169BF36E3B5162515B715FDA83DEAF2C58AEB9ABFB3097C3CC9DD9DBE5EF296C17" + 85 "6139028E8A671E63056D45F40188D2C4133490845DE52C2534E9C6B2478C07BDAE928823" + 86 "B62D066C7770F9F63F3DBA247F530844747BE7AAA85D853B8BD244ACEC3DE3C89AB46453" + 87 "AB4D24C3AC6902030100010282010037784776A5F17698F5AC960DFB83A1B67564E648BD" + 88 "0597CF8AB8087186F2669C27A9ECBDD480F0197A80D07309E6C6A96F925331E57F8B4AC6" + 89 "F4D45EDA45A23269C09FC428C07A4E6EDF738A15DEC97FABD2F2BB47A14F20EA72FCFE4C" + 90 "36E01ADA77BD137CD8D4DA10BB162E94A4662971F175F985FA188F056CB97EE2816F43AB" + 91 "9D3747612486CDA8C16196C30818A995EC85D38467791267B3BF21F273710A6925862576" + 92 "841C5B6712C12D4BD20A2F3299ADB7C135DA5E9515ABDA76E7CAF2A3BE80551D073B78BF" + 93 "1162C48AD2B7F4743A0238EE4D252F7D5E7E6533CCAE64CCB39360075A2FD1E034EC3AE5" + 94 "CE9C408CCBF0E25E4114021687B3DD4754AE8102818100F541884BC3737B2922D4119EF4" + 95 "5E2DEE2CD4CBB75F45505A157AA5009F99C73A2DF0724AC46024306332EA898177634546" + 96 "5DC6DF1E0A6F140AFF3B7396E6A8994AC5DAA96873472FE37749D14EB3E075E629DBEB35" + 97 "83338A6F3649D0A2654A7A42FD9AB6BFA4AC4D481D390BB229B064BDC311CC1BE1B63189" + 98 "DA7C40CDECF2B102818100EA1A742DDB881CEDB7288C87E38D868DD7A409D15A43F445D5" + 99 "377A0B5731DDBFCA2DAF28A8E13CD5C0AFCEC3347D74A39E235A3CD9633F274DE2B94F92" + 100 "DF43833911D9E9F1CF58F27DE2E08FF45964C720D3EC2139DC7CAFC912953CDECB2F355A" + 101 "2E2C35A50FAD754CB3B23166424BA3B6E3112A2B898C38C5C15EDB238693390281805182" + 102 "8F1EC6FD996029901BAF1D7E337BA5F0AF27E984EAD895ACE62BD7DF4EE45A224089F2CC" + 103 "151AF3CD173FCE0474BCB04F386A2CDCC0E0036BA2419F54579262D47100BE931984A3EF" + 104 "A05BECF141574DC079B3A95C4A83E6C43F3214D6DF32D512DE198085E531E616B83FD7DD" + 105 "9D1F4E2607C3333D07C55D107D1D3893587102818100DB4FB50F50DE8EDB53FF34C80931" + 106 "88A0512867DA2CCA04897759E587C244010DAF8664D59E8083D16C164789301F67A9F078" + 107 "060D834A2ADBD367575B68A8A842C2B02A89B3F31FCCEC8A22FE395795C5C6C7422B4E5D" + 108 "74A1E9A8F30E7759B9FC2D639C1F15673E84E93A5EF1506F4315383C38D45CBD1B14048F" + 109 "4721DC82326102818100D8114593AF415FB612DBF1923710D54D07486205A76A3B431949" + 110 "68C0DFF1F11EF0F61A4A337D5FD3741BBC9640E447B8B6B6C47C3AC1204357D3B0C55BA9" + 111 "286BDA73F629296F5FA9146D8976357D3C751E75148696A40B74685C82CE30902D639D72" + 112 "4FF24D5E2E9407EE34EDED2E3B4DF65AA9BCFEB6DF28D07BA6903F165768"); 113 114 private static final byte[] AES256_BYTES = hexToBytes( 115 "0CC175B9C0F1B6A831C399E269772661CEC520EA51EA0A47E87295FA3245A605"); 116 117 private static byte[] hexToBytes(String s) { 118 int len = s.length(); 119 byte[] data = new byte[len / 2]; 120 for (int i = 0; i < len; i += 2) { 121 data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit( 122 s.charAt(i + 1), 16)); 123 } 124 return data; 125 } 126 127 @Override 128 protected void setUp() throws Exception { 129 mKeyStore = KeyStore.getInstance(); 130 if (mKeyStore.state() != KeyStore.State.UNINITIALIZED) { 131 mKeyStore.reset(); 132 } 133 assertEquals("KeyStore should be in an uninitialized state", 134 KeyStore.State.UNINITIALIZED, mKeyStore.state()); 135 super.setUp(); 136 } 137 138 @Override 139 protected void tearDown() throws Exception { 140 mKeyStore.reset(); 141 super.tearDown(); 142 } 143 144 public void testState() throws Exception { 145 assertEquals(KeyStore.State.UNINITIALIZED, mKeyStore.state()); 146 } 147 148 public void testPassword() throws Exception { 149 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 150 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 151 } 152 153 public void testGet() throws Exception { 154 assertNull(mKeyStore.get(TEST_KEYNAME)); 155 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 156 assertNull(mKeyStore.get(TEST_KEYNAME)); 157 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 158 KeyStore.FLAG_ENCRYPTED)); 159 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 160 } 161 162 public void testPut() throws Exception { 163 assertNull(mKeyStore.get(TEST_KEYNAME)); 164 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 165 KeyStore.FLAG_ENCRYPTED)); 166 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 167 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 168 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 169 KeyStore.FLAG_ENCRYPTED)); 170 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 171 } 172 173 public void testPut_grantedUid_Wifi() throws Exception { 174 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 175 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 176 KeyStore.FLAG_ENCRYPTED)); 177 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 178 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 179 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 180 KeyStore.FLAG_ENCRYPTED)); 181 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 182 } 183 184 public void testPut_ungrantedUid_Bluetooth() throws Exception { 185 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 186 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 187 KeyStore.FLAG_ENCRYPTED)); 188 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 189 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 190 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 191 KeyStore.FLAG_ENCRYPTED)); 192 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 193 } 194 195 public void testI18n() throws Exception { 196 assertFalse(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE, KeyStore.UID_SELF, 197 KeyStore.FLAG_ENCRYPTED)); 198 assertFalse(mKeyStore.contains(TEST_I18N_KEY)); 199 mKeyStore.onUserPasswordChanged(TEST_I18N_KEY); 200 assertTrue(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE, KeyStore.UID_SELF, 201 KeyStore.FLAG_ENCRYPTED)); 202 assertTrue(mKeyStore.contains(TEST_I18N_KEY)); 203 } 204 205 public void testDelete() throws Exception { 206 assertFalse(mKeyStore.delete(TEST_KEYNAME)); 207 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 208 assertFalse(mKeyStore.delete(TEST_KEYNAME)); 209 210 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 211 KeyStore.FLAG_ENCRYPTED)); 212 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 213 assertTrue(mKeyStore.delete(TEST_KEYNAME)); 214 assertNull(mKeyStore.get(TEST_KEYNAME)); 215 } 216 217 public void testDelete_grantedUid_Wifi() throws Exception { 218 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 219 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 220 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 221 222 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 223 KeyStore.FLAG_ENCRYPTED)); 224 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 225 assertTrue(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 226 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 227 } 228 229 public void testDelete_ungrantedUid_Bluetooth() throws Exception { 230 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 231 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 232 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 233 234 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 235 KeyStore.FLAG_ENCRYPTED)); 236 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 237 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 238 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 239 } 240 241 public void testContains() throws Exception { 242 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 243 244 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 245 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 246 247 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 248 KeyStore.FLAG_ENCRYPTED)); 249 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 250 } 251 252 public void testContains_grantedUid_Wifi() throws Exception { 253 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 254 255 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 256 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 257 258 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 259 KeyStore.FLAG_ENCRYPTED)); 260 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 261 } 262 263 public void testContains_grantedUid_Bluetooth() throws Exception { 264 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 265 266 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 267 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 268 269 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 270 KeyStore.FLAG_ENCRYPTED)); 271 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 272 } 273 274 public void testList() throws Exception { 275 String[] emptyResult = mKeyStore.list(TEST_KEYNAME); 276 assertNotNull(emptyResult); 277 assertEquals(0, emptyResult.length); 278 279 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 280 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 281 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 282 283 String[] results = mKeyStore.list(TEST_KEYNAME); 284 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 285 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 286 new HashSet(Arrays.asList(results))); 287 } 288 289 public void testList_ungrantedUid_Bluetooth() throws Exception { 290 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.BLUETOOTH_UID); 291 assertEquals(0, results1.length); 292 293 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 294 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 295 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 296 297 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.BLUETOOTH_UID); 298 assertEquals(0, results2.length); 299 } 300 301 public void testList_grantedUid_Wifi() throws Exception { 302 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.WIFI_UID); 303 assertNotNull(results1); 304 assertEquals(0, results1.length); 305 306 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 307 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED); 308 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED); 309 310 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.WIFI_UID); 311 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 312 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 313 new HashSet(Arrays.asList(results2))); 314 } 315 316 public void testList_grantedUid_Vpn() throws Exception { 317 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.VPN_UID); 318 assertNotNull(results1); 319 assertEquals(0, results1.length); 320 321 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 322 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, Process.VPN_UID, KeyStore.FLAG_ENCRYPTED); 323 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, Process.VPN_UID, KeyStore.FLAG_ENCRYPTED); 324 325 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.VPN_UID); 326 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 327 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 328 new HashSet(Arrays.asList(results2))); 329 } 330 331 public void testLock() throws Exception { 332 assertFalse(mKeyStore.lock()); 333 334 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 335 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 336 337 assertTrue(mKeyStore.lock()); 338 assertEquals(KeyStore.State.LOCKED, mKeyStore.state()); 339 } 340 341 public void testUnlock() throws Exception { 342 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 343 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 344 mKeyStore.lock(); 345 346 assertFalse(mKeyStore.unlock(TEST_PASSWD2)); 347 assertTrue(mKeyStore.unlock(TEST_PASSWD)); 348 } 349 350 public void testIsEmpty() throws Exception { 351 assertTrue(mKeyStore.isEmpty()); 352 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 353 assertTrue(mKeyStore.isEmpty()); 354 mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 355 assertFalse(mKeyStore.isEmpty()); 356 mKeyStore.reset(); 357 assertTrue(mKeyStore.isEmpty()); 358 } 359 360 public void testGenerate_NotInitialized_Fail() throws Exception { 361 assertFalse("Should fail when keystore is not initialized", 362 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 363 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 364 } 365 366 public void testGenerate_Locked_Fail() throws Exception { 367 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 368 mKeyStore.lock(); 369 assertFalse("Should fail when keystore is locked", 370 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 371 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 372 } 373 374 public void testGenerate_Success() throws Exception { 375 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 376 377 assertTrue("Should be able to generate key when unlocked", 378 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 379 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 380 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 381 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 382 } 383 384 public void testGenerate_grantedUid_Wifi_Success() throws Exception { 385 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 386 387 assertTrue("Should be able to generate key when unlocked", 388 mKeyStore.generate(TEST_KEYNAME, Process.WIFI_UID, NativeConstants.EVP_PKEY_RSA, 389 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 390 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 391 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 392 } 393 394 public void testGenerate_ungrantedUid_Bluetooth_Failure() throws Exception { 395 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 396 397 assertFalse(mKeyStore.generate(TEST_KEYNAME, Process.BLUETOOTH_UID, 398 NativeConstants.EVP_PKEY_RSA, RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 399 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 400 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 401 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 402 } 403 404 public void testImport_Success() throws Exception { 405 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 406 407 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 408 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 409 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 410 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 411 } 412 413 public void testImport_grantedUid_Wifi_Success() throws Exception { 414 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 415 416 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 417 PRIVKEY_BYTES, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED)); 418 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 419 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 420 } 421 422 public void testImport_ungrantedUid_Bluetooth_Failure() throws Exception { 423 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 424 425 assertFalse(mKeyStore.importKey(TEST_KEYNAME, PRIVKEY_BYTES, Process.BLUETOOTH_UID, 426 KeyStore.FLAG_ENCRYPTED)); 427 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 428 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 429 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 430 } 431 432 public void testImport_Failure_BadEncoding() throws Exception { 433 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 434 435 assertFalse("Invalid DER-encoded key should not be imported", mKeyStore.importKey( 436 TEST_KEYNAME, TEST_DATA, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 437 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 438 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 439 } 440 441 public void testSign_Success() throws Exception { 442 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 443 444 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 445 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 446 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 447 final byte[] signature = mKeyStore.sign(TEST_KEYNAME, TEST_DATA); 448 449 assertNotNull("Signature should not be null", signature); 450 } 451 452 public void testVerify_Success() throws Exception { 453 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 454 455 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 456 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 457 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 458 final byte[] signature = mKeyStore.sign(TEST_KEYNAME, TEST_DATA); 459 460 assertNotNull("Signature should not be null", signature); 461 462 assertTrue("Signature should verify with same data", 463 mKeyStore.verify(TEST_KEYNAME, TEST_DATA, signature)); 464 } 465 466 public void testSign_NotInitialized_Failure() throws Exception { 467 assertNull("Should not be able to sign without first initializing the keystore", 468 mKeyStore.sign(TEST_KEYNAME, TEST_DATA)); 469 } 470 471 public void testSign_NotGenerated_Failure() throws Exception { 472 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 473 474 assertNull("Should not be able to sign without first generating keys", 475 mKeyStore.sign(TEST_KEYNAME, TEST_DATA)); 476 } 477 478 public void testGrant_Generated_Success() throws Exception { 479 assertTrue("Password should work for keystore", 480 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 481 482 assertTrue("Should be able to generate key for testcase", 483 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 484 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 485 486 assertTrue("Should be able to grant key to other user", 487 mKeyStore.grant(TEST_KEYNAME, 0)); 488 } 489 490 public void testGrant_Imported_Success() throws Exception { 491 assertTrue("Password should work for keystore", mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 492 493 assertTrue("Should be able to import key for testcase", mKeyStore.importKey(TEST_KEYNAME, 494 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 495 496 assertTrue("Should be able to grant key to other user", mKeyStore.grant(TEST_KEYNAME, 0)); 497 } 498 499 public void testGrant_NoKey_Failure() throws Exception { 500 assertTrue("Should be able to unlock keystore for test", 501 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 502 503 assertFalse("Should not be able to grant without first initializing the keystore", 504 mKeyStore.grant(TEST_KEYNAME, 0)); 505 } 506 507 public void testGrant_NotInitialized_Failure() throws Exception { 508 assertFalse("Should not be able to grant without first initializing the keystore", 509 mKeyStore.grant(TEST_KEYNAME, 0)); 510 } 511 512 public void testUngrant_Generated_Success() throws Exception { 513 assertTrue("Password should work for keystore", 514 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 515 516 assertTrue("Should be able to generate key for testcase", 517 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 518 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 519 520 assertTrue("Should be able to grant key to other user", 521 mKeyStore.grant(TEST_KEYNAME, 0)); 522 523 assertTrue("Should be able to ungrant key to other user", 524 mKeyStore.ungrant(TEST_KEYNAME, 0)); 525 } 526 527 public void testUngrant_Imported_Success() throws Exception { 528 assertTrue("Password should work for keystore", 529 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 530 531 assertTrue("Should be able to import key for testcase", mKeyStore.importKey(TEST_KEYNAME, 532 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 533 534 assertTrue("Should be able to grant key to other user", 535 mKeyStore.grant(TEST_KEYNAME, 0)); 536 537 assertTrue("Should be able to ungrant key to other user", 538 mKeyStore.ungrant(TEST_KEYNAME, 0)); 539 } 540 541 public void testUngrant_NotInitialized_Failure() throws Exception { 542 assertFalse("Should fail to ungrant key when keystore not initialized", 543 mKeyStore.ungrant(TEST_KEYNAME, 0)); 544 } 545 546 public void testUngrant_NoGrant_Failure() throws Exception { 547 assertTrue("Password should work for keystore", 548 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 549 550 assertTrue("Should be able to generate key for testcase", 551 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 552 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 553 554 assertFalse("Should not be able to revoke not existent grant", 555 mKeyStore.ungrant(TEST_KEYNAME, 0)); 556 } 557 558 public void testUngrant_DoubleUngrant_Failure() throws Exception { 559 assertTrue("Password should work for keystore", 560 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 561 562 assertTrue("Should be able to generate key for testcase", 563 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 564 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 565 566 assertTrue("Should be able to grant key to other user", 567 mKeyStore.grant(TEST_KEYNAME, 0)); 568 569 assertTrue("Should be able to ungrant key to other user", 570 mKeyStore.ungrant(TEST_KEYNAME, 0)); 571 572 assertFalse("Should fail to ungrant key to other user second time", 573 mKeyStore.ungrant(TEST_KEYNAME, 0)); 574 } 575 576 public void testUngrant_DoubleGrantUngrant_Failure() throws Exception { 577 assertTrue("Password should work for keystore", 578 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 579 580 assertTrue("Should be able to generate key for testcase", 581 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 582 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 583 584 assertTrue("Should be able to grant key to other user", 585 mKeyStore.grant(TEST_KEYNAME, 0)); 586 587 assertTrue("Should be able to grant key to other user a second time", 588 mKeyStore.grant(TEST_KEYNAME, 0)); 589 590 assertTrue("Should be able to ungrant key to other user", 591 mKeyStore.ungrant(TEST_KEYNAME, 0)); 592 593 assertFalse("Should fail to ungrant key to other user second time", 594 mKeyStore.ungrant(TEST_KEYNAME, 0)); 595 } 596 597 public void testDuplicate_grantedUid_Wifi_Success() throws Exception { 598 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 599 600 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 601 602 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 603 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 604 605 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 606 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 607 608 // source doesn't exist 609 assertFalse(mKeyStore.duplicate(TEST_KEYNAME1, -1, TEST_KEYNAME1, Process.WIFI_UID)); 610 assertFalse(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 611 612 // Copy from current UID to granted UID 613 assertTrue(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME1, Process.WIFI_UID)); 614 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 615 assertFalse(mKeyStore.contains(TEST_KEYNAME1)); 616 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 617 assertTrue(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 618 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME1, Process.WIFI_UID)); 619 620 // Copy from granted UID to same granted UID 621 assertTrue(mKeyStore.duplicate(TEST_KEYNAME1, Process.WIFI_UID, TEST_KEYNAME2, 622 Process.WIFI_UID)); 623 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 624 assertTrue(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 625 assertTrue(mKeyStore.contains(TEST_KEYNAME2, Process.WIFI_UID)); 626 assertFalse(mKeyStore.duplicate(TEST_KEYNAME1, Process.WIFI_UID, TEST_KEYNAME2, 627 Process.WIFI_UID)); 628 629 assertTrue(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, -1)); 630 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 631 assertFalse(mKeyStore.contains(TEST_KEYNAME1)); 632 assertTrue(mKeyStore.contains(TEST_KEYNAME2)); 633 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, -1)); 634 } 635 636 public void testDuplicate_ungrantedUid_Bluetooth_Failure() throws Exception { 637 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 638 639 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 640 641 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 642 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 643 644 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 645 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 646 647 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, Process.BLUETOOTH_UID)); 648 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, Process.BLUETOOTH_UID, TEST_KEYNAME2, 649 Process.BLUETOOTH_UID)); 650 651 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 652 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 653 } 654 655 /** 656 * The amount of time to allow before and after expected time for variance 657 * in timing tests. 658 */ 659 private static final long SLOP_TIME_MILLIS = 15000L; 660 661 public void testGetmtime_Success() throws Exception { 662 assertTrue("Password should work for keystore", 663 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 664 665 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 666 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 667 668 long now = System.currentTimeMillis(); 669 long actual = mKeyStore.getmtime(TEST_KEYNAME); 670 671 long expectedAfter = now - SLOP_TIME_MILLIS; 672 long expectedBefore = now + SLOP_TIME_MILLIS; 673 674 assertLessThan("Time should be close to current time", expectedBefore, actual); 675 assertGreaterThan("Time should be close to current time", expectedAfter, actual); 676 } 677 678 private static void assertLessThan(String explanation, long expectedBefore, long actual) { 679 if (actual >= expectedBefore) { 680 throw new AssertionFailedError(explanation + ": actual=" + actual 681 + ", expected before: " + expectedBefore); 682 } 683 } 684 685 private static void assertGreaterThan(String explanation, long expectedAfter, long actual) { 686 if (actual <= expectedAfter) { 687 throw new AssertionFailedError(explanation + ": actual=" + actual 688 + ", expected after: " + expectedAfter); 689 } 690 } 691 692 public void testGetmtime_NonExist_Failure() throws Exception { 693 assertTrue("Password should work for keystore", 694 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 695 696 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 697 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 698 699 assertEquals("-1 should be returned for non-existent key", 700 -1L, mKeyStore.getmtime(TEST_KEYNAME2)); 701 } 702 703 private KeyCharacteristics generateRsaKey(String name) throws Exception { 704 KeymasterArguments args = new KeymasterArguments(); 705 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 706 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 707 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 708 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 709 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 710 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 711 args.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, 712 RSAKeyGenParameterSpec.F4.longValue()); 713 714 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 715 int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 716 assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result); 717 return outCharacteristics; 718 } 719 720 public void testGenerateKey() throws Exception { 721 generateRsaKey("test"); 722 mKeyStore.delete("test"); 723 } 724 725 public void testGenerateRsaWithEntropy() throws Exception { 726 byte[] entropy = new byte[] {1,2,3,4,5}; 727 String name = "test"; 728 KeymasterArguments args = new KeymasterArguments(); 729 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 730 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 731 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 732 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 733 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 734 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 735 args.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, 736 RSAKeyGenParameterSpec.F4.longValue()); 737 738 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 739 int result = mKeyStore.generateKey(name, args, entropy, 0, outCharacteristics); 740 assertEquals("generateKey should succeed", KeyStore.NO_ERROR, result); 741 } 742 743 public void testGenerateAndDelete() throws Exception { 744 generateRsaKey("test"); 745 assertTrue("delete should succeed", mKeyStore.delete("test")); 746 } 747 748 public void testGetKeyCharacteristicsSuccess() throws Exception { 749 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 750 String name = "test"; 751 KeyCharacteristics gen = generateRsaKey(name); 752 KeyCharacteristics call = new KeyCharacteristics(); 753 int result = mKeyStore.getKeyCharacteristics(name, null, null, call); 754 assertEquals("getKeyCharacteristics should succeed", KeyStore.NO_ERROR, result); 755 mKeyStore.delete("test"); 756 } 757 758 public void testAppId() throws Exception { 759 String name = "test"; 760 byte[] id = new byte[] {0x01, 0x02, 0x03}; 761 KeymasterArguments args = new KeymasterArguments(); 762 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 763 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 764 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 765 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 766 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 767 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 768 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 769 args.addBlob(KeymasterDefs.KM_TAG_APPLICATION_ID, id); 770 args.addLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, 771 RSAKeyGenParameterSpec.F4.longValue()); 772 773 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 774 int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 775 assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result); 776 assertEquals("getKeyCharacteristics should fail without application ID", 777 KeymasterDefs.KM_ERROR_INVALID_KEY_BLOB, 778 mKeyStore.getKeyCharacteristics(name, null, null, outCharacteristics)); 779 assertEquals("getKeyCharacteristics should succeed with application ID", 780 KeyStore.NO_ERROR, 781 mKeyStore.getKeyCharacteristics(name, new KeymasterBlob(id), null, 782 outCharacteristics)); 783 } 784 785 786 public void testExportRsa() throws Exception { 787 String name = "test"; 788 generateRsaKey(name); 789 ExportResult result = mKeyStore.exportKey(name, KeymasterDefs.KM_KEY_FORMAT_X509, null, 790 null); 791 assertEquals("Export success", KeyStore.NO_ERROR, result.resultCode); 792 // TODO: Verify we have an RSA public key that's well formed. 793 } 794 795 public void testAesGcmEncryptSuccess() throws Exception { 796 String name = "test"; 797 KeymasterArguments args = new KeymasterArguments(); 798 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 799 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 800 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 801 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 802 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 803 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_GCM); 804 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 805 806 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 807 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 808 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 809 810 args = new KeymasterArguments(); 811 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 812 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_GCM); 813 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 814 args.addInt(KeymasterDefs.KM_TAG_MAC_LENGTH, 128); 815 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 816 true, args, null); 817 IBinder token = result.token; 818 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 819 result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04}); 820 assertEquals("Update should succeed", KeyStore.NO_ERROR, result.resultCode); 821 assertEquals("Finish should succeed", KeyStore.NO_ERROR, 822 mKeyStore.finish(token, null, null).resultCode); 823 // TODO: Assert that an AEAD tag was returned by finish 824 } 825 826 public void testBadToken() throws Exception { 827 IBinder token = new Binder(); 828 OperationResult result = mKeyStore.update(token, null, new byte[] {0x01}); 829 assertEquals("Update with invalid token should fail", 830 KeymasterDefs.KM_ERROR_INVALID_OPERATION_HANDLE, result.resultCode); 831 } 832 833 private int importAesKey(String name, byte[] key, int size, int mode) { 834 KeymasterArguments args = new KeymasterArguments(); 835 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 836 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 837 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 838 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 839 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, mode); 840 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, size); 841 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 842 return mKeyStore.importKey(name, args, KeymasterDefs.KM_KEY_FORMAT_RAW, key, 0, 843 new KeyCharacteristics()); 844 } 845 private byte[] doOperation(String name, int purpose, byte[] in, KeymasterArguments beginArgs) { 846 OperationResult result = mKeyStore.begin(name, purpose, 847 true, beginArgs, null); 848 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 849 IBinder token = result.token; 850 result = mKeyStore.update(token, null, in); 851 assertEquals("Update should succeed", KeyStore.NO_ERROR, result.resultCode); 852 assertEquals("All data should be consumed", in.length, result.inputConsumed); 853 assertEquals("Finish should succeed", KeyStore.NO_ERROR, 854 mKeyStore.finish(token, null, null).resultCode); 855 return result.output; 856 } 857 858 public void testImportAes() throws Exception { 859 int result = importAesKey("aes", AES256_BYTES, 256, KeymasterDefs.KM_MODE_ECB); 860 assertEquals("import should succeed", KeyStore.NO_ERROR, result); 861 mKeyStore.delete("aes"); 862 } 863 864 public void testAes256Ecb() throws Exception { 865 byte[] key = 866 hexToBytes("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"); 867 String name = "aes"; 868 assertEquals(KeyStore.NO_ERROR, importAesKey(name, key, 256, KeymasterDefs.KM_MODE_ECB)); 869 byte[][] testVectors = new byte[][] { 870 hexToBytes("6bc1bee22e409f96e93d7e117393172a"), 871 hexToBytes("ae2d8a571e03ac9c9eb76fac45af8e51"), 872 hexToBytes("30c81c46a35ce411e5fbc1191a0a52ef"), 873 hexToBytes("f69f2445df4f9b17ad2b417be66c3710")}; 874 byte[][] cipherVectors = new byte[][] { 875 hexToBytes("f3eed1bdb5d2a03c064b5a7e3db181f8"), 876 hexToBytes("591ccb10d410ed26dc5ba74a31362870"), 877 hexToBytes("b6ed21b99ca6f4f9f153e7b1beafed1d"), 878 hexToBytes("23304b7a39f9f3ff067d8d8f9e24ecc7")}; 879 KeymasterArguments beginArgs = new KeymasterArguments(); 880 beginArgs.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 881 beginArgs.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 882 beginArgs.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 883 for (int i = 0; i < testVectors.length; i++) { 884 byte[] cipherText = doOperation(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, testVectors[i], 885 beginArgs); 886 MoreAsserts.assertEquals(cipherVectors[i], cipherText); 887 } 888 for (int i = 0; i < testVectors.length; i++) { 889 byte[] plainText = doOperation(name, KeymasterDefs.KM_PURPOSE_DECRYPT, 890 cipherVectors[i], beginArgs); 891 MoreAsserts.assertEquals(testVectors[i], plainText); 892 } 893 } 894 895 // This is a very implementation specific test and should be thrown out eventually, however it 896 // is nice for now to test that keystore is properly pruning operations. 897 public void testOperationPruning() throws Exception { 898 String name = "test"; 899 KeymasterArguments args = new KeymasterArguments(); 900 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 901 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 902 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 903 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 904 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 905 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_CTR); 906 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 907 908 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 909 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 910 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 911 912 args = new KeymasterArguments(); 913 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 914 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_CTR); 915 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 916 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 917 true, args, null); 918 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 919 IBinder first = result.token; 920 // Implementation detail: softkeymaster supports 16 concurrent operations 921 for (int i = 0; i < 16; i++) { 922 result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, null); 923 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 924 } 925 // At this point the first operation should be pruned. 926 assertEquals("Operation should be pruned", KeymasterDefs.KM_ERROR_INVALID_OPERATION_HANDLE, 927 mKeyStore.update(first, null, new byte[] {0x01}).resultCode); 928 } 929 930 public void testAuthNeeded() throws Exception { 931 String name = "test"; 932 KeymasterArguments args = new KeymasterArguments(); 933 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 934 args.addInt(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 935 args.addInt(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 936 args.addInt(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_PKCS7); 937 args.addInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 938 args.addInt(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 939 args.addInt(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 1); 940 941 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 942 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 943 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 944 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 945 true, args, null); 946 assertEquals("Begin should expect authorization", KeyStore.OP_AUTH_NEEDED, 947 result.resultCode); 948 IBinder token = result.token; 949 result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04}); 950 assertEquals("Update should require authorization", 951 KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED, result.resultCode); 952 } 953 954 public void testPasswordRemovalEncryptedEntry() throws Exception { 955 mKeyStore.onUserPasswordChanged("test"); 956 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 957 KeyStore.FLAG_ENCRYPTED)); 958 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 959 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 960 mKeyStore.onUserPasswordChanged(""); 961 // Removing the password should have deleted all entries using FLAG_ENCRYPTED 962 assertNull(mKeyStore.get(TEST_KEYNAME)); 963 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 964 } 965 966 public void testPasswordRemovalUnencryptedEntry() throws Exception { 967 mKeyStore.onUserPasswordChanged("test"); 968 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 969 KeyStore.FLAG_NONE)); 970 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 971 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 972 mKeyStore.onUserPasswordChanged(""); 973 // Removing the password should not delete unencrypted entries. 974 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 975 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 976 } 977} 978