1/* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_TAG "keymaster_hidl_hal_test" 18#include <cutils/log.h> 19 20#include <iostream> 21 22#include <openssl/evp.h> 23#include <openssl/x509.h> 24 25#include <android/hardware/keymaster/3.0/IKeymasterDevice.h> 26#include <android/hardware/keymaster/3.0/types.h> 27 28#include <cutils/properties.h> 29 30#include <keymaster/keymaster_configuration.h> 31 32#include "authorization_set.h" 33#include "key_param_output.h" 34 35#include <VtsHalHidlTargetTestBase.h> 36 37#include "attestation_record.h" 38#include "openssl_utils.h" 39 40using ::android::sp; 41 42using ::std::string; 43 44// This service_name will be passed to getService when retrieving the keymaster service to test. To 45// change it from "default" specify the selected service name on the command line. The first 46// non-gtest argument will be used as the service name. 47string service_name = "default"; 48 49static bool arm_deleteAllKeys = false; 50 51namespace android { 52namespace hardware { 53 54template <typename T> bool operator==(const hidl_vec<T>& a, const hidl_vec<T>& b) { 55 if (a.size() != b.size()) { 56 return false; 57 } 58 for (size_t i = 0; i < a.size(); ++i) { 59 if (a[i] != b[i]) { 60 return false; 61 } 62 } 63 return true; 64} 65 66namespace keymaster { 67namespace V3_0 { 68 69bool operator==(const KeyParameter& a, const KeyParameter& b) { 70 if (a.tag != b.tag) { 71 return false; 72 } 73 74 switch (a.tag) { 75 76 /* Boolean tags */ 77 case Tag::INVALID: 78 case Tag::CALLER_NONCE: 79 case Tag::INCLUDE_UNIQUE_ID: 80 case Tag::ECIES_SINGLE_HASH_MODE: 81 case Tag::BOOTLOADER_ONLY: 82 case Tag::NO_AUTH_REQUIRED: 83 case Tag::ALLOW_WHILE_ON_BODY: 84 case Tag::EXPORTABLE: 85 case Tag::ALL_APPLICATIONS: 86 case Tag::ROLLBACK_RESISTANT: 87 case Tag::RESET_SINCE_ID_ROTATION: 88 return true; 89 90 /* Integer tags */ 91 case Tag::KEY_SIZE: 92 case Tag::MIN_MAC_LENGTH: 93 case Tag::MIN_SECONDS_BETWEEN_OPS: 94 case Tag::MAX_USES_PER_BOOT: 95 case Tag::ALL_USERS: 96 case Tag::USER_ID: 97 case Tag::OS_VERSION: 98 case Tag::OS_PATCHLEVEL: 99 case Tag::MAC_LENGTH: 100 case Tag::AUTH_TIMEOUT: 101 return a.f.integer == b.f.integer; 102 103 /* Long integer tags */ 104 case Tag::RSA_PUBLIC_EXPONENT: 105 case Tag::USER_SECURE_ID: 106 return a.f.longInteger == b.f.longInteger; 107 108 /* Date-time tags */ 109 case Tag::ACTIVE_DATETIME: 110 case Tag::ORIGINATION_EXPIRE_DATETIME: 111 case Tag::USAGE_EXPIRE_DATETIME: 112 case Tag::CREATION_DATETIME: 113 return a.f.dateTime == b.f.dateTime; 114 115 /* Bytes tags */ 116 case Tag::APPLICATION_ID: 117 case Tag::APPLICATION_DATA: 118 case Tag::ROOT_OF_TRUST: 119 case Tag::UNIQUE_ID: 120 case Tag::ATTESTATION_CHALLENGE: 121 case Tag::ATTESTATION_APPLICATION_ID: 122 case Tag::ATTESTATION_ID_BRAND: 123 case Tag::ATTESTATION_ID_DEVICE: 124 case Tag::ATTESTATION_ID_PRODUCT: 125 case Tag::ATTESTATION_ID_SERIAL: 126 case Tag::ATTESTATION_ID_IMEI: 127 case Tag::ATTESTATION_ID_MEID: 128 case Tag::ATTESTATION_ID_MANUFACTURER: 129 case Tag::ATTESTATION_ID_MODEL: 130 case Tag::ASSOCIATED_DATA: 131 case Tag::NONCE: 132 case Tag::AUTH_TOKEN: 133 return a.blob == b.blob; 134 135 /* Enum tags */ 136 case Tag::PURPOSE: 137 return a.f.purpose == b.f.purpose; 138 case Tag::ALGORITHM: 139 return a.f.algorithm == b.f.algorithm; 140 case Tag::BLOCK_MODE: 141 return a.f.blockMode == b.f.blockMode; 142 case Tag::DIGEST: 143 return a.f.digest == b.f.digest; 144 case Tag::PADDING: 145 return a.f.paddingMode == b.f.paddingMode; 146 case Tag::EC_CURVE: 147 return a.f.ecCurve == b.f.ecCurve; 148 case Tag::BLOB_USAGE_REQUIREMENTS: 149 return a.f.keyBlobUsageRequirements == b.f.keyBlobUsageRequirements; 150 case Tag::USER_AUTH_TYPE: 151 return a.f.integer == b.f.integer; 152 case Tag::ORIGIN: 153 return a.f.origin == b.f.origin; 154 155 /* Unsupported tags */ 156 case Tag::KDF: 157 return false; 158 } 159} 160 161bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) { 162 return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin()); 163} 164 165bool operator==(const KeyCharacteristics& a, const KeyCharacteristics& b) { 166 // This isn't very efficient. Oh, well. 167 AuthorizationSet a_sw(a.softwareEnforced); 168 AuthorizationSet b_sw(b.softwareEnforced); 169 AuthorizationSet a_tee(b.teeEnforced); 170 AuthorizationSet b_tee(b.teeEnforced); 171 172 a_sw.Sort(); 173 b_sw.Sort(); 174 a_tee.Sort(); 175 b_tee.Sort(); 176 177 return a_sw == b_sw && a_tee == b_sw; 178} 179 180::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) { 181 if (set.size() == 0) 182 os << "(Empty)" << ::std::endl; 183 else { 184 os << "\n"; 185 for (size_t i = 0; i < set.size(); ++i) 186 os << set[i] << ::std::endl; 187 } 188 return os; 189} 190 191namespace test { 192namespace { 193 194template <TagType tag_type, Tag tag, typename ValueT> 195bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag> ttag, ValueT expected_value) { 196 size_t count = std::count_if(set.begin(), set.end(), [&](const KeyParameter& param) { 197 return param.tag == tag && accessTagValue(ttag, param) == expected_value; 198 }); 199 return count == 1; 200} 201 202template <TagType tag_type, Tag tag> 203bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag>) { 204 size_t count = std::count_if(set.begin(), set.end(), 205 [&](const KeyParameter& param) { return param.tag == tag; }); 206 return count > 0; 207} 208 209constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 210 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 211 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 212 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9' 213 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F' 214 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 215 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f' 216 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 217 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 218 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 219 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 221 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 225 226string hex2str(string a) { 227 string b; 228 size_t num = a.size() / 2; 229 b.resize(num); 230 for (size_t i = 0; i < num; i++) { 231 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]); 232 } 233 return b; 234} 235 236string rsa_key = hex2str( 237 "30820275020100300d06092a864886f70d01010105000482025f3082025b" 238 "02010002818100c6095409047d8634812d5a218176e45c41d60a75b13901" 239 "f234226cffe776521c5a77b9e389417b71c0b6a44d13afe4e4a2805d46c9" 240 "da2935adb1ff0c1f24ea06e62b20d776430a4d435157233c6f916783c30e" 241 "310fcbd89b85c2d56771169785ac12bca244abda72bfb19fc44d27c81e1d" 242 "92de284f4061edfd99280745ea6d2502030100010281801be0f04d9cae37" 243 "18691f035338308e91564b55899ffb5084d2460e6630257e05b3ceab0297" 244 "2dfabcd6ce5f6ee2589eb67911ed0fac16e43a444b8c861e544a05933657" 245 "72f8baf6b22fc9e3c5f1024b063ac080a7b2234cf8aee8f6c47bbf4fd3ac" 246 "e7240290bef16c0b3f7f3cdd64ce3ab5912cf6e32f39ab188358afcccd80" 247 "81024100e4b49ef50f765d3b24dde01aceaaf130f2c76670a91a61ae08af" 248 "497b4a82be6dee8fcdd5e3f7ba1cfb1f0c926b88f88c92bfab137fba2285" 249 "227b83c342ff7c55024100ddabb5839c4c7f6bf3d4183231f005b31aa58a" 250 "ffdda5c79e4cce217f6bc930dbe563d480706c24e9ebfcab28a6cdefd324" 251 "b77e1bf7251b709092c24ff501fd91024023d4340eda3445d8cd26c14411" 252 "da6fdca63c1ccd4b80a98ad52b78cc8ad8beb2842c1d280405bc2f6c1bea" 253 "214a1d742ab996b35b63a82a5e470fa88dbf823cdd02401b7b57449ad30d" 254 "1518249a5f56bb98294d4b6ac12ffc86940497a5a5837a6cf946262b4945" 255 "26d328c11e1126380fde04c24f916dec250892db09a6d77cdba351024077" 256 "62cd8f4d050da56bd591adb515d24d7ccd32cca0d05f866d583514bd7324" 257 "d5f33645e8ed8b4a1cb3cc4a1d67987399f2a09f5b3fb68c88d5e5d90ac3" 258 "3492d6"); 259 260string ec_256_key = hex2str( 261 "308187020100301306072a8648ce3d020106082a8648ce3d030107046d30" 262 "6b0201010420737c2ecd7b8d1940bf2930aa9b4ed3ff941eed09366bc032" 263 "99986481f3a4d859a14403420004bf85d7720d07c25461683bc648b4778a" 264 "9a14dd8a024e3bdd8c7ddd9ab2b528bbc7aa1b51f14ebbbb0bd0ce21bcc4" 265 "1c6eb00083cf3376d11fd44949e0b2183bfe"); 266 267string ec_521_key = hex2str( 268 "3081EE020100301006072A8648CE3D020106052B810400230481D63081D3" 269 "02010104420011458C586DB5DAA92AFAB03F4FE46AA9D9C3CE9A9B7A006A" 270 "8384BEC4C78E8E9D18D7D08B5BCFA0E53C75B064AD51C449BAE0258D54B9" 271 "4B1E885DED08ED4FB25CE9A1818903818600040149EC11C6DF0FA122C6A9" 272 "AFD9754A4FA9513A627CA329E349535A5629875A8ADFBE27DCB932C05198" 273 "6377108D054C28C6F39B6F2C9AF81802F9F326B842FF2E5F3C00AB7635CF" 274 "B36157FC0882D574A10D839C1A0C049DC5E0D775E2EE50671A208431BB45" 275 "E78E70BEFE930DB34818EE4D5C26259F5C6B8E28A652950F9F88D7B4B2C9" 276 "D9"); 277 278struct RSA_Delete { 279 void operator()(RSA* p) { RSA_free(p); } 280}; 281 282X509* parse_cert_blob(const hidl_vec<uint8_t>& blob) { 283 const uint8_t* p = blob.data(); 284 return d2i_X509(nullptr, &p, blob.size()); 285} 286 287bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) { 288 for (size_t i = 0; i < chain.size() - 1; ++i) { 289 auto& key_cert_blob = chain[i]; 290 auto& signing_cert_blob = chain[i + 1]; 291 292 X509_Ptr key_cert(parse_cert_blob(key_cert_blob)); 293 X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob)); 294 EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get()); 295 if (!key_cert.get() || !signing_cert.get()) return false; 296 297 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get())); 298 EXPECT_TRUE(!!signing_pubkey.get()); 299 if (!signing_pubkey.get()) return false; 300 301 EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get())) 302 << "Verification of certificate " << i << " failed"; 303 } 304 305 return true; 306} 307 308// Extract attestation record from cert. Returned object is still part of cert; don't free it 309// separately. 310ASN1_OCTET_STRING* get_attestation_record(X509* certificate) { 311 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */)); 312 EXPECT_TRUE(!!oid.get()); 313 if (!oid.get()) return nullptr; 314 315 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */); 316 EXPECT_NE(-1, location); 317 if (location == -1) return nullptr; 318 319 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location); 320 EXPECT_TRUE(!!attest_rec_ext); 321 if (!attest_rec_ext) return nullptr; 322 323 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext); 324 EXPECT_TRUE(!!attest_rec); 325 return attest_rec; 326} 327 328bool tag_in_list(const KeyParameter& entry) { 329 // Attestations don't contain everything in key authorization lists, so we need to filter 330 // the key lists to produce the lists that we expect to match the attestations. 331 auto tag_list = { 332 Tag::USER_ID, Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, 333 Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */, 334 }; 335 return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end(); 336} 337 338AuthorizationSet filter_tags(const AuthorizationSet& set) { 339 AuthorizationSet filtered; 340 std::remove_copy_if(set.begin(), set.end(), std::back_inserter(filtered), tag_in_list); 341 return filtered; 342} 343 344std::string make_string(const uint8_t* data, size_t length) { 345 return std::string(reinterpret_cast<const char*>(data), length); 346} 347 348template <size_t N> std::string make_string(const uint8_t (&a)[N]) { 349 return make_string(a, N); 350} 351 352class HidlBuf : public hidl_vec<uint8_t> { 353 typedef hidl_vec<uint8_t> super; 354 355 public: 356 HidlBuf() {} 357 HidlBuf(const super& other) : super(other) {} 358 HidlBuf(super&& other) : super(std::move(other)) {} 359 explicit HidlBuf(const std::string& other) : HidlBuf() { *this = other; } 360 361 HidlBuf& operator=(const super& other) { 362 super::operator=(other); 363 return *this; 364 } 365 366 HidlBuf& operator=(super&& other) { 367 super::operator=(std::move(other)); 368 return *this; 369 } 370 371 HidlBuf& operator=(const string& other) { 372 resize(other.size()); 373 for (size_t i = 0; i < other.size(); ++i) { 374 (*this)[i] = static_cast<uint8_t>(other[i]); 375 } 376 return *this; 377 } 378 379 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); } 380}; 381 382constexpr uint64_t kOpHandleSentinel = 0xFFFFFFFFFFFFFFFF; 383 384} // namespace 385 386class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase { 387 public: 388 void TearDown() override { 389 if (key_blob_.size()) { 390 CheckedDeleteKey(); 391 } 392 AbortIfNeeded(); 393 } 394 395 // SetUpTestCase runs only once per test case, not once per test. 396 static void SetUpTestCase() { 397 keymaster_ = IKeymasterDevice::getService(service_name); 398 ASSERT_NE(keymaster_, nullptr); 399 400 ASSERT_TRUE( 401 keymaster_ 402 ->getHardwareFeatures([&](bool isSecure, bool supportsEc, bool supportsSymmetric, 403 bool supportsAttestation, bool supportsAllDigests, 404 const hidl_string& name, const hidl_string& author) { 405 is_secure_ = isSecure; 406 supports_ec_ = supportsEc; 407 supports_symmetric_ = supportsSymmetric; 408 supports_attestation_ = supportsAttestation; 409 supports_all_digests_ = supportsAllDigests; 410 name_ = name; 411 author_ = author; 412 }) 413 .isOk()); 414 415 os_version_ = ::keymaster::GetOsVersion(); 416 os_patch_level_ = ::keymaster::GetOsPatchlevel(); 417 } 418 419 static void TearDownTestCase() { keymaster_.clear(); } 420 421 static IKeymasterDevice& keymaster() { return *keymaster_; } 422 static uint32_t os_version() { return os_version_; } 423 static uint32_t os_patch_level() { return os_patch_level_; } 424 425 AuthorizationSet UserAuths() { return AuthorizationSetBuilder().Authorization(TAG_USER_ID, 7); } 426 427 ErrorCode GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob, 428 KeyCharacteristics* key_characteristics) { 429 EXPECT_NE(key_blob, nullptr); 430 EXPECT_NE(key_characteristics, nullptr); 431 EXPECT_EQ(0U, key_blob->size()); 432 433 ErrorCode error; 434 EXPECT_TRUE(keymaster_ 435 ->generateKey(key_desc.hidl_data(), 436 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, 437 const KeyCharacteristics& hidl_key_characteristics) { 438 error = hidl_error; 439 *key_blob = hidl_key_blob; 440 *key_characteristics = hidl_key_characteristics; 441 }) 442 .isOk()); 443 // On error, blob & characteristics should be empty. 444 if (error != ErrorCode::OK) { 445 EXPECT_EQ(0U, key_blob->size()); 446 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + 447 key_characteristics->teeEnforced.size())); 448 } 449 return error; 450 } 451 452 ErrorCode GenerateKey(const AuthorizationSet& key_desc) { 453 return GenerateKey(key_desc, &key_blob_, &key_characteristics_); 454 } 455 456 ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, 457 const string& key_material, HidlBuf* key_blob, 458 KeyCharacteristics* key_characteristics) { 459 ErrorCode error; 460 EXPECT_TRUE(keymaster_ 461 ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material), 462 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, 463 const KeyCharacteristics& hidl_key_characteristics) { 464 error = hidl_error; 465 *key_blob = hidl_key_blob; 466 *key_characteristics = hidl_key_characteristics; 467 }) 468 .isOk()); 469 // On error, blob & characteristics should be empty. 470 if (error != ErrorCode::OK) { 471 EXPECT_EQ(0U, key_blob->size()); 472 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + 473 key_characteristics->teeEnforced.size())); 474 } 475 return error; 476 } 477 478 ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, 479 const string& key_material) { 480 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_); 481 } 482 483 ErrorCode ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id, 484 const HidlBuf& app_data, HidlBuf* key_material) { 485 ErrorCode error; 486 EXPECT_TRUE( 487 keymaster_ 488 ->exportKey(format, key_blob, client_id, app_data, 489 [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) { 490 error = hidl_error_code; 491 *key_material = hidl_key_material; 492 }) 493 .isOk()); 494 // On error, blob should be empty. 495 if (error != ErrorCode::OK) { 496 EXPECT_EQ(0U, key_material->size()); 497 } 498 return error; 499 } 500 501 ErrorCode ExportKey(KeyFormat format, HidlBuf* key_material) { 502 HidlBuf client_id, app_data; 503 return ExportKey(format, key_blob_, client_id, app_data, key_material); 504 } 505 506 ErrorCode DeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) { 507 ErrorCode error = keymaster_->deleteKey(*key_blob); 508 if (!keep_key_blob) *key_blob = HidlBuf(); 509 return error; 510 } 511 512 ErrorCode DeleteKey(bool keep_key_blob = false) { 513 return DeleteKey(&key_blob_, keep_key_blob); 514 } 515 516 ErrorCode DeleteAllKeys() { 517 ErrorCode error = keymaster_->deleteAllKeys(); 518 return error; 519 } 520 521 void CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) { 522 auto rc = DeleteKey(key_blob, keep_key_blob); 523 EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED); 524 } 525 526 void CheckedDeleteKey() { CheckedDeleteKey(&key_blob_); } 527 528 ErrorCode GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id, 529 const HidlBuf& app_data, KeyCharacteristics* key_characteristics) { 530 ErrorCode error; 531 keymaster_->getKeyCharacteristics( 532 key_blob, client_id, app_data, 533 [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) { 534 error = hidl_error, *key_characteristics = hidl_key_characteristics; 535 }); 536 return error; 537 } 538 539 ErrorCode GetCharacteristics(const HidlBuf& key_blob, KeyCharacteristics* key_characteristics) { 540 HidlBuf client_id, app_data; 541 return GetCharacteristics(key_blob, client_id, app_data, key_characteristics); 542 } 543 544 ErrorCode Begin(KeyPurpose purpose, const HidlBuf& key_blob, const AuthorizationSet& in_params, 545 AuthorizationSet* out_params, OperationHandle* op_handle) { 546 SCOPED_TRACE("Begin"); 547 ErrorCode error; 548 OperationHandle saved_handle = *op_handle; 549 EXPECT_TRUE( 550 keymaster_ 551 ->begin(purpose, key_blob, in_params.hidl_data(), 552 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, 553 uint64_t hidl_op_handle) { 554 error = hidl_error; 555 *out_params = hidl_out_params; 556 *op_handle = hidl_op_handle; 557 }) 558 .isOk()); 559 if (error != ErrorCode::OK) { 560 // Some implementations may modify *op_handle on error. 561 *op_handle = saved_handle; 562 } 563 return error; 564 } 565 566 ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params, 567 AuthorizationSet* out_params) { 568 SCOPED_TRACE("Begin"); 569 EXPECT_EQ(kOpHandleSentinel, op_handle_); 570 return Begin(purpose, key_blob_, in_params, out_params, &op_handle_); 571 } 572 573 ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params) { 574 SCOPED_TRACE("Begin"); 575 AuthorizationSet out_params; 576 ErrorCode error = Begin(purpose, in_params, &out_params); 577 EXPECT_TRUE(out_params.empty()); 578 return error; 579 } 580 581 ErrorCode Update(OperationHandle op_handle, const AuthorizationSet& in_params, 582 const string& input, AuthorizationSet* out_params, string* output, 583 size_t* input_consumed) { 584 SCOPED_TRACE("Update"); 585 ErrorCode error; 586 EXPECT_TRUE(keymaster_ 587 ->update(op_handle, in_params.hidl_data(), HidlBuf(input), 588 [&](ErrorCode hidl_error, uint32_t hidl_input_consumed, 589 const hidl_vec<KeyParameter>& hidl_out_params, 590 const HidlBuf& hidl_output) { 591 error = hidl_error; 592 out_params->push_back(AuthorizationSet(hidl_out_params)); 593 output->append(hidl_output.to_string()); 594 *input_consumed = hidl_input_consumed; 595 }) 596 .isOk()); 597 return error; 598 } 599 600 ErrorCode Update(const string& input, string* out, size_t* input_consumed) { 601 SCOPED_TRACE("Update"); 602 AuthorizationSet out_params; 603 ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params, 604 out, input_consumed); 605 EXPECT_TRUE(out_params.empty()); 606 return error; 607 } 608 609 ErrorCode Finish(OperationHandle op_handle, const AuthorizationSet& in_params, 610 const string& input, const string& signature, AuthorizationSet* out_params, 611 string* output) { 612 SCOPED_TRACE("Finish"); 613 ErrorCode error; 614 EXPECT_TRUE( 615 keymaster_ 616 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature), 617 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, 618 const HidlBuf& hidl_output) { 619 error = hidl_error; 620 *out_params = hidl_out_params; 621 output->append(hidl_output.to_string()); 622 }) 623 .isOk()); 624 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). 625 return error; 626 } 627 628 ErrorCode Finish(const string& message, string* output) { 629 SCOPED_TRACE("Finish"); 630 AuthorizationSet out_params; 631 string finish_output; 632 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, 633 "" /* signature */, &out_params, output); 634 if (error != ErrorCode::OK) { 635 return error; 636 } 637 EXPECT_EQ(0U, out_params.size()); 638 return error; 639 } 640 641 ErrorCode Finish(const string& message, const string& signature, string* output) { 642 SCOPED_TRACE("Finish"); 643 AuthorizationSet out_params; 644 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature, 645 &out_params, output); 646 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). 647 if (error != ErrorCode::OK) { 648 return error; 649 } 650 EXPECT_EQ(0U, out_params.size()); 651 return error; 652 } 653 654 ErrorCode Abort(OperationHandle op_handle) { 655 SCOPED_TRACE("Abort"); 656 auto retval = keymaster_->abort(op_handle); 657 EXPECT_TRUE(retval.isOk()); 658 return retval; 659 } 660 661 void AbortIfNeeded() { 662 SCOPED_TRACE("AbortIfNeeded"); 663 if (op_handle_ != kOpHandleSentinel) { 664 EXPECT_EQ(ErrorCode::OK, Abort(op_handle_)); 665 op_handle_ = kOpHandleSentinel; 666 } 667 } 668 669 ErrorCode AttestKey(const HidlBuf& key_blob, const AuthorizationSet& attest_params, 670 hidl_vec<hidl_vec<uint8_t>>* cert_chain) { 671 SCOPED_TRACE("AttestKey"); 672 ErrorCode error; 673 keymaster_->attestKey( 674 key_blob, attest_params.hidl_data(), 675 [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) { 676 error = hidl_error; 677 *cert_chain = hidl_cert_chain; 678 }); 679 return error; 680 } 681 682 ErrorCode AttestKey(const AuthorizationSet& attest_params, 683 hidl_vec<hidl_vec<uint8_t>>* cert_chain) { 684 SCOPED_TRACE("AttestKey"); 685 return AttestKey(key_blob_, attest_params, cert_chain); 686 } 687 688 string ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation, const string& message, 689 const AuthorizationSet& in_params, AuthorizationSet* out_params) { 690 SCOPED_TRACE("ProcessMessage"); 691 AuthorizationSet begin_out_params; 692 EXPECT_EQ(ErrorCode::OK, 693 Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); 694 695 string unused; 696 AuthorizationSet finish_params; 697 AuthorizationSet finish_out_params; 698 string output; 699 EXPECT_EQ(ErrorCode::OK, 700 Finish(op_handle_, finish_params, message, unused, &finish_out_params, &output)); 701 op_handle_ = kOpHandleSentinel; 702 703 out_params->push_back(begin_out_params); 704 out_params->push_back(finish_out_params); 705 return output; 706 } 707 708 string SignMessage(const HidlBuf& key_blob, const string& message, 709 const AuthorizationSet& params) { 710 SCOPED_TRACE("SignMessage"); 711 AuthorizationSet out_params; 712 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params); 713 EXPECT_TRUE(out_params.empty()); 714 return signature; 715 } 716 717 string SignMessage(const string& message, const AuthorizationSet& params) { 718 SCOPED_TRACE("SignMessage"); 719 return SignMessage(key_blob_, message, params); 720 } 721 722 string MacMessage(const string& message, Digest digest, size_t mac_length) { 723 SCOPED_TRACE("MacMessage"); 724 return SignMessage( 725 key_blob_, message, 726 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length)); 727 } 728 729 void CheckHmacTestVector(const string& key, const string& message, Digest digest, 730 const string& expected_mac) { 731 SCOPED_TRACE("CheckHmacTestVector"); 732 ASSERT_EQ(ErrorCode::OK, 733 ImportKey(AuthorizationSetBuilder() 734 .Authorization(TAG_NO_AUTH_REQUIRED) 735 .HmacKey(key.size() * 8) 736 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8) 737 .Digest(digest), 738 KeyFormat::RAW, key)); 739 string signature = MacMessage(message, digest, expected_mac.size() * 8); 740 EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << (int)digest; 741 CheckedDeleteKey(); 742 } 743 744 void CheckAesCtrTestVector(const string& key, const string& nonce, const string& message, 745 const string& expected_ciphertext) { 746 SCOPED_TRACE("CheckAesCtrTestVector"); 747 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 748 .Authorization(TAG_NO_AUTH_REQUIRED) 749 .AesEncryptionKey(key.size() * 8) 750 .BlockMode(BlockMode::CTR) 751 .Authorization(TAG_CALLER_NONCE) 752 .Padding(PaddingMode::NONE), 753 KeyFormat::RAW, key)); 754 755 auto params = AuthorizationSetBuilder() 756 .Authorization(TAG_NONCE, nonce.data(), nonce.size()) 757 .BlockMode(BlockMode::CTR) 758 .Padding(PaddingMode::NONE); 759 AuthorizationSet out_params; 760 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params); 761 EXPECT_EQ(expected_ciphertext, ciphertext); 762 } 763 764 void VerifyMessage(const HidlBuf& key_blob, const string& message, const string& signature, 765 const AuthorizationSet& params) { 766 SCOPED_TRACE("VerifyMessage"); 767 AuthorizationSet begin_out_params; 768 ASSERT_EQ(ErrorCode::OK, 769 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); 770 771 string unused; 772 AuthorizationSet finish_params; 773 AuthorizationSet finish_out_params; 774 string output; 775 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, signature, 776 &finish_out_params, &output)); 777 op_handle_ = kOpHandleSentinel; 778 EXPECT_TRUE(output.empty()); 779 } 780 781 void VerifyMessage(const string& message, const string& signature, 782 const AuthorizationSet& params) { 783 SCOPED_TRACE("VerifyMessage"); 784 VerifyMessage(key_blob_, message, signature, params); 785 } 786 787 string EncryptMessage(const HidlBuf& key_blob, const string& message, 788 const AuthorizationSet& in_params, AuthorizationSet* out_params) { 789 SCOPED_TRACE("EncryptMessage"); 790 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params); 791 } 792 793 string EncryptMessage(const string& message, const AuthorizationSet& params, 794 AuthorizationSet* out_params) { 795 SCOPED_TRACE("EncryptMessage"); 796 return EncryptMessage(key_blob_, message, params, out_params); 797 } 798 799 string EncryptMessage(const string& message, const AuthorizationSet& params) { 800 SCOPED_TRACE("EncryptMessage"); 801 AuthorizationSet out_params; 802 string ciphertext = EncryptMessage(message, params, &out_params); 803 EXPECT_TRUE(out_params.empty()) 804 << "Output params should be empty. Contained: " << out_params; 805 return ciphertext; 806 } 807 808 string DecryptMessage(const HidlBuf& key_blob, const string& ciphertext, 809 const AuthorizationSet& params) { 810 SCOPED_TRACE("DecryptMessage"); 811 AuthorizationSet out_params; 812 string plaintext = 813 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params); 814 EXPECT_TRUE(out_params.empty()); 815 return plaintext; 816 } 817 818 string DecryptMessage(const string& ciphertext, const AuthorizationSet& params) { 819 SCOPED_TRACE("DecryptMessage"); 820 return DecryptMessage(key_blob_, ciphertext, params); 821 } 822 823 template <TagType tag_type, Tag tag, typename ValueT> 824 void CheckKm0CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) { 825 SCOPED_TRACE("CheckKm0CryptoParam"); 826 if (is_secure_) { 827 EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected)); 828 EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag)); 829 } else { 830 EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected)); 831 EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag)); 832 } 833 } 834 835 template <TagType tag_type, Tag tag, typename ValueT> 836 void CheckKm1CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) { 837 SCOPED_TRACE("CheckKm1CryptoParam"); 838 if (is_secure_ && supports_symmetric_) { 839 EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected)); 840 EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag)); 841 } else { 842 EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected)); 843 EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag)); 844 } 845 } 846 847 template <TagType tag_type, Tag tag, typename ValueT> 848 void CheckKm2CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) { 849 SCOPED_TRACE("CheckKm2CryptoParam"); 850 if (supports_attestation_) { 851 EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected)); 852 EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag)); 853 } else if (!supports_symmetric_ /* KM version < 1 or SW */) { 854 EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected)); 855 EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag)); 856 } 857 } 858 859 void CheckOrigin() { 860 SCOPED_TRACE("CheckOrigin"); 861 if (is_secure_ && supports_symmetric_) { 862 EXPECT_TRUE( 863 contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED)); 864 } else if (is_secure_) { 865 EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN)); 866 } else { 867 EXPECT_TRUE( 868 contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED)); 869 } 870 } 871 872 static bool IsSecure() { return is_secure_; } 873 static bool SupportsEc() { return supports_ec_; } 874 static bool SupportsSymmetric() { return supports_symmetric_; } 875 static bool SupportsAllDigests() { return supports_all_digests_; } 876 static bool SupportsAttestation() { return supports_attestation_; } 877 878 static bool Km2Profile() { 879 return SupportsAttestation() && SupportsAllDigests() && SupportsSymmetric() && 880 SupportsEc() && IsSecure(); 881 } 882 883 static bool Km1Profile() { 884 return !SupportsAttestation() && SupportsSymmetric() && SupportsEc() && IsSecure(); 885 } 886 887 static bool Km0Profile() { 888 return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() && 889 IsSecure(); 890 } 891 892 static bool SwOnlyProfile() { 893 return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() && 894 !SupportsEc() && !IsSecure(); 895 } 896 897 HidlBuf key_blob_; 898 KeyCharacteristics key_characteristics_; 899 OperationHandle op_handle_ = kOpHandleSentinel; 900 901 private: 902 static sp<IKeymasterDevice> keymaster_; 903 static uint32_t os_version_; 904 static uint32_t os_patch_level_; 905 906 static bool is_secure_; 907 static bool supports_ec_; 908 static bool supports_symmetric_; 909 static bool supports_attestation_; 910 static bool supports_all_digests_; 911 static hidl_string name_; 912 static hidl_string author_; 913}; 914 915bool verify_attestation_record(const string& challenge, const string& app_id, 916 AuthorizationSet expected_sw_enforced, 917 AuthorizationSet expected_tee_enforced, 918 const hidl_vec<uint8_t>& attestation_cert) { 919 X509_Ptr cert(parse_cert_blob(attestation_cert)); 920 EXPECT_TRUE(!!cert.get()); 921 if (!cert.get()) return false; 922 923 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); 924 EXPECT_TRUE(!!attest_rec); 925 if (!attest_rec) return false; 926 927 AuthorizationSet att_sw_enforced; 928 AuthorizationSet att_tee_enforced; 929 uint32_t att_attestation_version; 930 uint32_t att_keymaster_version; 931 SecurityLevel att_attestation_security_level; 932 SecurityLevel att_keymaster_security_level; 933 HidlBuf att_challenge; 934 HidlBuf att_unique_id; 935 HidlBuf att_app_id; 936 EXPECT_EQ(ErrorCode::OK, 937 parse_attestation_record(attest_rec->data, // 938 attest_rec->length, // 939 &att_attestation_version, // 940 &att_attestation_security_level, // 941 &att_keymaster_version, // 942 &att_keymaster_security_level, // 943 &att_challenge, // 944 &att_sw_enforced, // 945 &att_tee_enforced, // 946 &att_unique_id)); 947 948 EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2); 949 950 expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, 951 HidlBuf(app_id)); 952 953 if (!KeymasterHidlTest::IsSecure()) { 954 // SW is KM2 955 EXPECT_EQ(att_keymaster_version, 2U); 956 } 957 958 if (KeymasterHidlTest::SupportsSymmetric()) { 959 EXPECT_GE(att_keymaster_version, 1U); 960 } 961 962 if (KeymasterHidlTest::SupportsAttestation()) { 963 EXPECT_GE(att_keymaster_version, 2U); 964 } 965 966 EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT 967 : SecurityLevel::SOFTWARE, 968 att_keymaster_security_level); 969 EXPECT_EQ(KeymasterHidlTest::SupportsAttestation() ? SecurityLevel::TRUSTED_ENVIRONMENT 970 : SecurityLevel::SOFTWARE, 971 att_attestation_security_level); 972 973 EXPECT_EQ(challenge.length(), att_challenge.size()); 974 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length())); 975 976 att_sw_enforced.Sort(); 977 expected_sw_enforced.Sort(); 978 EXPECT_EQ(filter_tags(expected_sw_enforced), filter_tags(att_sw_enforced)); 979 980 att_tee_enforced.Sort(); 981 expected_tee_enforced.Sort(); 982 EXPECT_EQ(filter_tags(expected_tee_enforced), filter_tags(att_tee_enforced)); 983 984 return true; 985} 986 987sp<IKeymasterDevice> KeymasterHidlTest::keymaster_; 988uint32_t KeymasterHidlTest::os_version_; 989uint32_t KeymasterHidlTest::os_patch_level_; 990bool KeymasterHidlTest::is_secure_; 991bool KeymasterHidlTest::supports_ec_; 992bool KeymasterHidlTest::supports_symmetric_; 993bool KeymasterHidlTest::supports_all_digests_; 994bool KeymasterHidlTest::supports_attestation_; 995hidl_string KeymasterHidlTest::name_; 996hidl_string KeymasterHidlTest::author_; 997 998typedef KeymasterHidlTest KeymasterVersionTest; 999 1000/* 1001 * KeymasterVersionTest.SensibleFeatures: 1002 * 1003 * Queries keymaster to find the set of features it supports. Fails if the combination doesn't 1004 * correspond to any well-defined keymaster version. 1005 */ 1006TEST_F(KeymasterVersionTest, SensibleFeatures) { 1007 EXPECT_TRUE(Km2Profile() || Km1Profile() || Km0Profile() || SwOnlyProfile()) 1008 << "Keymaster feature set doesn't fit any reasonable profile. Reported features:" 1009 << "SupportsAttestation [" << SupportsAttestation() << "], " 1010 << "SupportsSymmetric [" << SupportsSymmetric() << "], " 1011 << "SupportsAllDigests [" << SupportsAllDigests() << "], " 1012 << "SupportsEc [" << SupportsEc() << "], " 1013 << "IsSecure [" << IsSecure() << "]"; 1014} 1015 1016class NewKeyGenerationTest : public KeymasterHidlTest { 1017 protected: 1018 void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) { 1019 // TODO(swillden): Distinguish which params should be in which auth list. 1020 1021 AuthorizationSet auths(keyCharacteristics.teeEnforced); 1022 auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced)); 1023 1024 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED)); 1025 1026 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN)); 1027 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY)); 1028 EXPECT_TRUE(auths.Contains(TAG_USER_ID, 7)) 1029 << "User ID should be 7, was " << auths.GetTagValue(TAG_USER_ID); 1030 1031 // Verify that App ID, App data and ROT are NOT included. 1032 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST)); 1033 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_ID)); 1034 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA)); 1035 1036 // Check that some unexpected tags/values are NOT present. 1037 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT)); 1038 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT)); 1039 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301)); 1040 1041 // Now check that unspecified, defaulted tags are correct. 1042 EXPECT_TRUE(auths.Contains(TAG_CREATION_DATETIME)); 1043 1044 if (SupportsAttestation()) { 1045 EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version())) 1046 << "OS version is " << os_version() << " key reported " 1047 << auths.GetTagValue(TAG_OS_VERSION); 1048 EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level())) 1049 << "OS patch level is " << os_patch_level() << " key reported " 1050 << auths.GetTagValue(TAG_OS_PATCHLEVEL); 1051 } 1052 } 1053}; 1054 1055/* 1056 * NewKeyGenerationTest.Rsa 1057 * 1058 * Verifies that keymaster can generate all required RSA key sizes, and that the resulting keys have 1059 * correct characteristics. 1060 */ 1061TEST_F(NewKeyGenerationTest, Rsa) { 1062 for (auto key_size : {1024, 2048, 3072, 4096}) { 1063 HidlBuf key_blob; 1064 KeyCharacteristics key_characteristics; 1065 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1066 .RsaSigningKey(key_size, 3) 1067 .Digest(Digest::NONE) 1068 .Padding(PaddingMode::NONE) 1069 .Authorizations(UserAuths()), 1070 &key_blob, &key_characteristics)); 1071 1072 ASSERT_GT(key_blob.size(), 0U); 1073 CheckBaseParams(key_characteristics); 1074 1075 AuthorizationSet crypto_params; 1076 if (IsSecure()) { 1077 crypto_params = key_characteristics.teeEnforced; 1078 } else { 1079 crypto_params = key_characteristics.softwareEnforced; 1080 } 1081 1082 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1083 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)); 1084 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 3)); 1085 1086 CheckedDeleteKey(&key_blob); 1087 } 1088} 1089 1090/* 1091 * NewKeyGenerationTest.RsaNoDefaultSize 1092 * 1093 * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE. 1094 */ 1095TEST_F(NewKeyGenerationTest, RsaNoDefaultSize) { 1096 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, 1097 GenerateKey(AuthorizationSetBuilder() 1098 .Authorization(TAG_ALGORITHM, Algorithm::RSA) 1099 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 1100 .SigningKey())); 1101} 1102 1103/* 1104 * NewKeyGenerationTest.Ecdsa 1105 * 1106 * Verifies that keymaster can generate all required EC key sizes, and that the resulting keys have 1107 * correct characteristics. 1108 */ 1109TEST_F(NewKeyGenerationTest, Ecdsa) { 1110 for (auto key_size : {224, 256, 384, 521}) { 1111 HidlBuf key_blob; 1112 KeyCharacteristics key_characteristics; 1113 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1114 .EcdsaSigningKey(key_size) 1115 .Digest(Digest::NONE) 1116 .Authorizations(UserAuths()), 1117 &key_blob, &key_characteristics)); 1118 ASSERT_GT(key_blob.size(), 0U); 1119 CheckBaseParams(key_characteristics); 1120 1121 AuthorizationSet crypto_params; 1122 if (IsSecure()) { 1123 crypto_params = key_characteristics.teeEnforced; 1124 } else { 1125 crypto_params = key_characteristics.softwareEnforced; 1126 } 1127 1128 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC)); 1129 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)); 1130 1131 CheckedDeleteKey(&key_blob); 1132 } 1133} 1134 1135/* 1136 * NewKeyGenerationTest.EcdsaDefaultSize 1137 * 1138 * Verifies that failing to specify a key size for EC key generation returns UNSUPPORTED_KEY_SIZE. 1139 */ 1140TEST_F(NewKeyGenerationTest, EcdsaDefaultSize) { 1141 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, 1142 GenerateKey(AuthorizationSetBuilder() 1143 .Authorization(TAG_ALGORITHM, Algorithm::EC) 1144 .SigningKey() 1145 .Digest(Digest::NONE))); 1146} 1147 1148/* 1149 * NewKeyGenerationTest.EcdsaInvalidSize 1150 * 1151 * Verifies that failing to specify an invalid key size for EC key generation returns 1152 * UNSUPPORTED_KEY_SIZE. 1153 */ 1154TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) { 1155 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, 1156 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE))); 1157} 1158 1159/* 1160 * NewKeyGenerationTest.EcdsaMismatchKeySize 1161 * 1162 * Verifies that specifying mismatched key size and curve for EC key generation returns 1163 * INVALID_ARGUMENT. 1164 */ 1165TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) { 1166 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, 1167 GenerateKey(AuthorizationSetBuilder() 1168 .EcdsaSigningKey(224) 1169 .Authorization(TAG_EC_CURVE, EcCurve::P_256) 1170 .Digest(Digest::NONE))) 1171 << "(Possibly b/36233343)"; 1172} 1173 1174TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) { 1175 size_t valid_sizes[] = {224, 256, 384, 521}; 1176 for (size_t size : valid_sizes) { 1177 EXPECT_EQ(ErrorCode::OK, 1178 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE))) 1179 << "Failed to generate size: " << size; 1180 CheckedDeleteKey(); 1181 } 1182} 1183 1184/* 1185 * NewKeyGenerationTest.EcdsaAllValidCurves 1186 * 1187 * Verifies that keymaster supports all required EC curves. 1188 */ 1189TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) { 1190 EcCurve curves[] = {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; 1191 for (auto curve : curves) { 1192 EXPECT_EQ( 1193 ErrorCode::OK, 1194 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512))) 1195 << "Failed to generate key on curve: " << curve; 1196 CheckedDeleteKey(); 1197 } 1198} 1199 1200/* 1201 * NewKeyGenerationTest.Hmac 1202 * 1203 * Verifies that keymaster supports all required digests, and that the resulting keys have correct 1204 * characteristics. 1205 */ 1206TEST_F(NewKeyGenerationTest, Hmac) { 1207 for (auto digest : {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, 1208 Digest::SHA_2_384, Digest::SHA_2_512}) { 1209 HidlBuf key_blob; 1210 KeyCharacteristics key_characteristics; 1211 constexpr size_t key_size = 128; 1212 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1213 .HmacKey(key_size) 1214 .Digest(digest) 1215 .Authorization(TAG_MIN_MAC_LENGTH, 128) 1216 .Authorizations(UserAuths()), 1217 &key_blob, &key_characteristics)); 1218 1219 ASSERT_GT(key_blob.size(), 0U); 1220 CheckBaseParams(key_characteristics); 1221 1222 AuthorizationSet teeEnforced = key_characteristics.teeEnforced; 1223 AuthorizationSet softwareEnforced = key_characteristics.softwareEnforced; 1224 if (SupportsAttestation() || SupportsAllDigests()) { 1225 // Either KM2, which must support all, or KM1 that claims full support 1226 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); 1227 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size)); 1228 } else if (SupportsSymmetric()) { 1229 if (digest == Digest::SHA1 || digest == Digest::SHA_2_256) { 1230 // KM1 must support SHA1 and SHA256 in hardware 1231 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); 1232 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size)); 1233 } else { 1234 // Othere digests may or may not be supported 1235 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC) || 1236 softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); 1237 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size) || 1238 softwareEnforced.Contains(TAG_KEY_SIZE, key_size)); 1239 } 1240 } else { 1241 // KM0 and SW KM do all digests in SW. 1242 EXPECT_TRUE(softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC)); 1243 EXPECT_TRUE(softwareEnforced.Contains(TAG_KEY_SIZE, key_size)); 1244 } 1245 1246 CheckedDeleteKey(&key_blob); 1247 } 1248} 1249 1250/* 1251 * NewKeyGenerationTest.HmacCheckKeySizes 1252 * 1253 * Verifies that keymaster supports all key sizes, and rejects all invalid key sizes. 1254 */ 1255TEST_F(NewKeyGenerationTest, HmacCheckKeySizes) { 1256 for (size_t key_size = 0; key_size <= 512; ++key_size) { 1257 if (key_size < 64 || key_size % 8 != 0) { 1258 // To keep this test from being very slow, we only test a random fraction of non-byte 1259 // key sizes. We test only ~10% of such cases. Since there are 392 of them, we expect 1260 // to run ~40 of them in each run. 1261 if (key_size % 8 == 0 || random() % 10 == 0) { 1262 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, 1263 GenerateKey(AuthorizationSetBuilder() 1264 .HmacKey(key_size) 1265 .Digest(Digest::SHA_2_256) 1266 .Authorization(TAG_MIN_MAC_LENGTH, 256))) 1267 << "HMAC key size " << key_size << " invalid (Possibly b/33462346)"; 1268 } 1269 } else { 1270 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1271 .HmacKey(key_size) 1272 .Digest(Digest::SHA_2_256) 1273 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1274 CheckedDeleteKey(); 1275 } 1276 } 1277} 1278 1279/* 1280 * NewKeyGenerationTest.HmacCheckMinMacLengths 1281 * 1282 * Verifies that keymaster supports all required MAC lengths and rejects all invalid lengths. This 1283 * test is probabilistic in order to keep the runtime down, but any failure prints out the specific 1284 * MAC length that failed, so reproducing a failed run will be easy. 1285 */ 1286TEST_F(NewKeyGenerationTest, HmacCheckMinMacLengths) { 1287 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) { 1288 if (min_mac_length < 64 || min_mac_length % 8 != 0) { 1289 // To keep this test from being very long, we only test a random fraction of non-byte 1290 // lengths. We test only ~10% of such cases. Since there are 172 of them, we expect to 1291 // run ~17 of them in each run. 1292 if (min_mac_length % 8 == 0 || random() % 10 == 0) { 1293 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH, 1294 GenerateKey(AuthorizationSetBuilder() 1295 .HmacKey(128) 1296 .Digest(Digest::SHA_2_256) 1297 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length))) 1298 << "HMAC min mac length " << min_mac_length << " invalid."; 1299 } 1300 } else { 1301 EXPECT_EQ(ErrorCode::OK, 1302 GenerateKey(AuthorizationSetBuilder() 1303 .HmacKey(128) 1304 .Digest(Digest::SHA_2_256) 1305 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length))); 1306 CheckedDeleteKey(); 1307 } 1308 } 1309} 1310 1311/* 1312 * NewKeyGenerationTest.HmacMultipleDigests 1313 * 1314 * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms. 1315 */ 1316TEST_F(NewKeyGenerationTest, HmacMultipleDigests) { 1317 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, 1318 GenerateKey(AuthorizationSetBuilder() 1319 .HmacKey(128) 1320 .Digest(Digest::SHA1) 1321 .Digest(Digest::SHA_2_256) 1322 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1323} 1324 1325/* 1326 * NewKeyGenerationTest.HmacDigestNone 1327 * 1328 * Verifies that keymaster rejects HMAC key generation with no digest or Digest::NONE 1329 */ 1330TEST_F(NewKeyGenerationTest, HmacDigestNone) { 1331 ASSERT_EQ( 1332 ErrorCode::UNSUPPORTED_DIGEST, 1333 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH, 128))); 1334 1335 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, 1336 GenerateKey(AuthorizationSetBuilder() 1337 .HmacKey(128) 1338 .Digest(Digest::NONE) 1339 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1340} 1341 1342typedef KeymasterHidlTest GetKeyCharacteristicsTest; 1343 1344/* 1345 * GetKeyCharacteristicsTest.HmacDigestNone 1346 * 1347 * Verifies that getKeyCharacteristics functions, and that generated and retrieved key 1348 * characteristics match. 1349 */ 1350TEST_F(GetKeyCharacteristicsTest, SimpleRsa) { 1351 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1352 .RsaSigningKey(1024, 3) 1353 .Digest(Digest::NONE) 1354 .Padding(PaddingMode::NONE))); 1355 1356 KeyCharacteristics retrieved_chars; 1357 ASSERT_EQ(ErrorCode::OK, GetCharacteristics(key_blob_, &retrieved_chars)); 1358 1359 AuthorizationSet gen_sw = key_characteristics_.softwareEnforced; 1360 AuthorizationSet gen_tee = key_characteristics_.teeEnforced; 1361 AuthorizationSet retrieved_sw = retrieved_chars.softwareEnforced; 1362 AuthorizationSet retrieved_tee = retrieved_chars.teeEnforced; 1363 1364 EXPECT_EQ(gen_sw, retrieved_sw); 1365 EXPECT_EQ(gen_tee, retrieved_tee); 1366} 1367 1368typedef KeymasterHidlTest SigningOperationsTest; 1369 1370/* 1371 * SigningOperationsTest.RsaSuccess 1372 * 1373 * Verifies that raw RSA signature operations succeed. 1374 */ 1375TEST_F(SigningOperationsTest, RsaSuccess) { 1376 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1377 .RsaSigningKey(1024, 3) 1378 .Digest(Digest::NONE) 1379 .Padding(PaddingMode::NONE) 1380 .Authorization(TAG_NO_AUTH_REQUIRED))); 1381 string message = "12345678901234567890123456789012"; 1382 string signature = SignMessage( 1383 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)); 1384} 1385 1386/* 1387 * SigningOperationsTest.RsaPssSha256Success 1388 * 1389 * Verifies that RSA-PSS signature operations succeed. 1390 */ 1391TEST_F(SigningOperationsTest, RsaPssSha256Success) { 1392 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1393 .RsaSigningKey(1024, 3) 1394 .Digest(Digest::SHA_2_256) 1395 .Padding(PaddingMode::RSA_PSS) 1396 .Authorization(TAG_NO_AUTH_REQUIRED))); 1397 // Use large message, which won't work without digesting. 1398 string message(1024, 'a'); 1399 string signature = SignMessage( 1400 message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS)); 1401} 1402 1403/* 1404 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther 1405 * 1406 * Verifies that keymaster rejects signature operations that specify a padding mode when the key 1407 * supports only unpadded operations. 1408 */ 1409TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 1410 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1411 .RsaSigningKey(1024, 3) 1412 .Digest(Digest::NONE) 1413 .Authorization(TAG_NO_AUTH_REQUIRED) 1414 .Padding(PaddingMode::NONE))); 1415 string message = "12345678901234567890123456789012"; 1416 string signature; 1417 1418 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, 1419 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder() 1420 .Digest(Digest::NONE) 1421 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1422} 1423 1424/* 1425 * SigningOperationsTest.RsaPkcs1Sha256Success 1426 * 1427 * Verifies that digested RSA-PKCS1 signature operations succeed. 1428 */ 1429TEST_F(SigningOperationsTest, RsaPkcs1Sha256Success) { 1430 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1431 .RsaSigningKey(1024, 3) 1432 .Digest(Digest::SHA_2_256) 1433 .Authorization(TAG_NO_AUTH_REQUIRED) 1434 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1435 string message(1024, 'a'); 1436 string signature = SignMessage(message, AuthorizationSetBuilder() 1437 .Digest(Digest::SHA_2_256) 1438 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)); 1439} 1440 1441/* 1442 * SigningOperationsTest.RsaPkcs1NoDigestSuccess 1443 * 1444 * Verifies that undigested RSA-PKCS1 signature operations succeed. 1445 */ 1446TEST_F(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 1447 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1448 .RsaSigningKey(1024, 3) 1449 .Digest(Digest::NONE) 1450 .Authorization(TAG_NO_AUTH_REQUIRED) 1451 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1452 string message(53, 'a'); 1453 string signature = SignMessage( 1454 message, 1455 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)); 1456} 1457 1458/* 1459 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge 1460 * 1461 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when 1462 * given a too-long message. 1463 */ 1464TEST_F(SigningOperationsTest, RsaPkcs1NoDigestTooLong) { 1465 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1466 .RsaSigningKey(1024, 3) 1467 .Digest(Digest::NONE) 1468 .Authorization(TAG_NO_AUTH_REQUIRED) 1469 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1470 string message(129, 'a'); 1471 1472 EXPECT_EQ(ErrorCode::OK, 1473 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder() 1474 .Digest(Digest::NONE) 1475 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1476 string signature; 1477 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature)); 1478} 1479 1480/* 1481 * SigningOperationsTest.RsaPssSha512TooSmallKey 1482 * 1483 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when 1484 * used with a key that is too small for the message. 1485 * 1486 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the keymaster 1487 * specification requires that salt_size == digest_size, so the message will be digest_size * 2 + 1488 * 16. Such a message can only be signed by a given key if the key is at least that size. This test 1489 * uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large for a 1490 * 1024-bit key. 1491 */ 1492TEST_F(SigningOperationsTest, RsaPssSha512TooSmallKey) { 1493 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1494 .RsaSigningKey(1024, 3) 1495 .Digest(Digest::SHA_2_512) 1496 .Authorization(TAG_NO_AUTH_REQUIRED) 1497 .Padding(PaddingMode::RSA_PSS))); 1498 EXPECT_EQ( 1499 ErrorCode::INCOMPATIBLE_DIGEST, 1500 Begin(KeyPurpose::SIGN, 1501 AuthorizationSetBuilder().Digest(Digest::SHA_2_512).Padding(PaddingMode::RSA_PSS))) 1502 << "(Possibly b/33346750)"; 1503} 1504 1505/* 1506 * SigningOperationsTest.RsaNoPaddingTooLong 1507 * 1508 * Verifies that raw RSA signature operations fail with the correct error code when 1509 * given a too-long message. 1510 */ 1511TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) { 1512 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1513 .RsaSigningKey(1024, 3) 1514 .Digest(Digest::NONE) 1515 .Authorization(TAG_NO_AUTH_REQUIRED) 1516 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1517 // One byte too long 1518 string message(1024 / 8 + 1, 'a'); 1519 ASSERT_EQ(ErrorCode::OK, 1520 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder() 1521 .Digest(Digest::NONE) 1522 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1523 string result; 1524 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result)); 1525 1526 // Very large message that should exceed the transfer buffer size of any reasonable TEE. 1527 message = string(128 * 1024, 'a'); 1528 ASSERT_EQ(ErrorCode::OK, 1529 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder() 1530 .Digest(Digest::NONE) 1531 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1532 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result)); 1533} 1534 1535/* 1536 * SigningOperationsTest.RsaAbort 1537 * 1538 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the test, 1539 * but the behavior should be algorithm and purpose-independent. 1540 */ 1541TEST_F(SigningOperationsTest, RsaAbort) { 1542 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1543 .RsaSigningKey(1024, 3) 1544 .Digest(Digest::NONE) 1545 .Authorization(TAG_NO_AUTH_REQUIRED) 1546 .Padding(PaddingMode::NONE))); 1547 1548 ASSERT_EQ(ErrorCode::OK, 1549 Begin(KeyPurpose::SIGN, 1550 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE))); 1551 EXPECT_EQ(ErrorCode::OK, Abort(op_handle_)); 1552 1553 // Another abort should fail 1554 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort(op_handle_)); 1555 1556 // Set to sentinel, so TearDown() doesn't try to abort again. 1557 op_handle_ = kOpHandleSentinel; 1558} 1559 1560/* 1561 * SigningOperationsTest.RsaUnsupportedPadding 1562 * 1563 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used with a 1564 * padding mode inappropriate for RSA. 1565 */ 1566TEST_F(SigningOperationsTest, RsaUnsupportedPadding) { 1567 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1568 .RsaSigningKey(1024, 3) 1569 .Authorization(TAG_NO_AUTH_REQUIRED) 1570 .Digest(Digest::SHA_2_256 /* supported digest */) 1571 .Padding(PaddingMode::PKCS7))); 1572 ASSERT_EQ( 1573 ErrorCode::UNSUPPORTED_PADDING_MODE, 1574 Begin(KeyPurpose::SIGN, 1575 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7))); 1576} 1577 1578/* 1579 * SigningOperationsTest.RsaPssNoDigest 1580 * 1581 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest. 1582 */ 1583TEST_F(SigningOperationsTest, RsaNoDigest) { 1584 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1585 .RsaSigningKey(1024, 3) 1586 .Authorization(TAG_NO_AUTH_REQUIRED) 1587 .Digest(Digest::NONE) 1588 .Padding(PaddingMode::RSA_PSS))); 1589 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, 1590 Begin(KeyPurpose::SIGN, 1591 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS))); 1592 1593 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, 1594 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS))); 1595} 1596 1597/* 1598 * SigningOperationsTest.RsaPssNoDigest 1599 * 1600 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is 1601 * supported in some cases (as validated in other tests), but a mode must be specified. 1602 */ 1603TEST_F(SigningOperationsTest, RsaNoPadding) { 1604 // Padding must be specified 1605 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1606 .RsaKey(1024, 3) 1607 .Authorization(TAG_NO_AUTH_REQUIRED) 1608 .SigningKey() 1609 .Digest(Digest::NONE))); 1610 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, 1611 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE))); 1612} 1613 1614/* 1615 * SigningOperationsTest.RsaShortMessage 1616 * 1617 * Verifies that raw RSA signatures succeed with a message shorter than the key size. 1618 */ 1619TEST_F(SigningOperationsTest, RsaTooShortMessage) { 1620 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1621 .Authorization(TAG_NO_AUTH_REQUIRED) 1622 .RsaSigningKey(1024, 3) 1623 .Digest(Digest::NONE) 1624 .Padding(PaddingMode::NONE))); 1625 1626 // Barely shorter 1627 string message(1024 / 8 - 1, 'a'); 1628 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)); 1629 1630 // Much shorter 1631 message = "a"; 1632 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)); 1633} 1634 1635/* 1636 * SigningOperationsTest.RsaSignWithEncryptionKey 1637 * 1638 * Verifies that RSA encryption keys cannot be used to sign. 1639 */ 1640TEST_F(SigningOperationsTest, RsaSignWithEncryptionKey) { 1641 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1642 .Authorization(TAG_NO_AUTH_REQUIRED) 1643 .RsaEncryptionKey(1024, 3) 1644 .Digest(Digest::NONE) 1645 .Padding(PaddingMode::NONE))); 1646 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, 1647 Begin(KeyPurpose::SIGN, 1648 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE))); 1649} 1650 1651/* 1652 * SigningOperationsTest.RsaSignTooLargeMessage 1653 * 1654 * Verifies that attempting a raw signature of a message which is the same length as the key, but 1655 * numerically larger than the public modulus, fails with the correct error. 1656 */ 1657TEST_F(SigningOperationsTest, RsaSignTooLargeMessage) { 1658 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1659 .Authorization(TAG_NO_AUTH_REQUIRED) 1660 .RsaSigningKey(1024, 3) 1661 .Digest(Digest::NONE) 1662 .Padding(PaddingMode::NONE))); 1663 1664 // Largest possible message will always be larger than the public modulus. 1665 string message(1024 / 8, static_cast<char>(0xff)); 1666 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder() 1667 .Authorization(TAG_NO_AUTH_REQUIRED) 1668 .Digest(Digest::NONE) 1669 .Padding(PaddingMode::NONE))); 1670 string signature; 1671 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature)); 1672} 1673 1674/* 1675 * SigningOperationsTest.EcdsaAllSizesAndHashes 1676 * 1677 * Verifies that ECDSA operations succeed with all possible key sizes and hashes. 1678 */ 1679TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) { 1680 for (auto key_size : {224, 256, 384, 521}) { 1681 for (auto digest : { 1682 Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, 1683 Digest::SHA_2_512, 1684 }) { 1685 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 1686 .Authorization(TAG_NO_AUTH_REQUIRED) 1687 .EcdsaSigningKey(key_size) 1688 .Digest(digest)); 1689 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size 1690 << " and digest " << digest; 1691 if (error != ErrorCode::OK) continue; 1692 1693 string message(1024, 'a'); 1694 if (digest == Digest::NONE) message.resize(key_size / 8); 1695 SignMessage(message, AuthorizationSetBuilder().Digest(digest)); 1696 CheckedDeleteKey(); 1697 } 1698 } 1699} 1700 1701/* 1702 * SigningOperationsTest.EcdsaAllCurves 1703 * 1704 * Verifies that ECDSA operations succeed with all possible curves. 1705 */ 1706TEST_F(SigningOperationsTest, EcdsaAllCurves) { 1707 for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { 1708 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 1709 .Authorization(TAG_NO_AUTH_REQUIRED) 1710 .EcdsaSigningKey(curve) 1711 .Digest(Digest::SHA_2_256)); 1712 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve; 1713 if (error != ErrorCode::OK) continue; 1714 1715 string message(1024, 'a'); 1716 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)); 1717 CheckedDeleteKey(); 1718 } 1719} 1720 1721/* 1722 * SigningOperationsTest.EcdsaNoDigestHugeData 1723 * 1724 * Verifies that ECDSA operations support very large messages, even without digesting. This should 1725 * work because ECDSA actually only signs the leftmost L_n bits of the message, however large it may 1726 * be. Not using digesting is a bad idea, but in some cases digesting is done by the framework. 1727 */ 1728TEST_F(SigningOperationsTest, EcdsaNoDigestHugeData) { 1729 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1730 .Authorization(TAG_NO_AUTH_REQUIRED) 1731 .EcdsaSigningKey(224) 1732 .Digest(Digest::NONE))); 1733 string message(64 * 1024, 'a'); 1734 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE)); 1735} 1736 1737/* 1738 * SigningOperationsTest.AesEcbSign 1739 * 1740 * Verifies that attempts to use AES keys to sign fail in the correct way. 1741 */ 1742TEST_F(SigningOperationsTest, AesEcbSign) { 1743 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1744 .Authorization(TAG_NO_AUTH_REQUIRED) 1745 .SigningKey() 1746 .AesEncryptionKey(128) 1747 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB))) 1748 << "(Possibly b/36252957)"; 1749 1750 AuthorizationSet out_params; 1751 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, 1752 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params)) 1753 << "(Possibly b/36233187)"; 1754 1755 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, 1756 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params)) 1757 << "(Possibly b/36233187)"; 1758} 1759 1760/* 1761 * SigningOperationsTest.HmacAllDigests 1762 * 1763 * Verifies that HMAC works with all digests. 1764 */ 1765TEST_F(SigningOperationsTest, HmacAllDigests) { 1766 for (auto digest : {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, 1767 Digest::SHA_2_512}) { 1768 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1769 .Authorization(TAG_NO_AUTH_REQUIRED) 1770 .HmacKey(128) 1771 .Digest(digest) 1772 .Authorization(TAG_MIN_MAC_LENGTH, 160))) 1773 << "Failed to create HMAC key with digest " << digest; 1774 string message = "12345678901234567890123456789012"; 1775 string signature = MacMessage(message, digest, 160); 1776 EXPECT_EQ(160U / 8U, signature.size()) 1777 << "Failed to sign with HMAC key with digest " << digest; 1778 CheckedDeleteKey(); 1779 } 1780} 1781 1782/* 1783 * SigningOperationsTest.HmacSha256TooLargeMacLength 1784 * 1785 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the digest 1786 * size. 1787 */ 1788TEST_F(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1789 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1790 .Authorization(TAG_NO_AUTH_REQUIRED) 1791 .HmacKey(128) 1792 .Digest(Digest::SHA_2_256) 1793 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1794 AuthorizationSet output_params; 1795 EXPECT_EQ( 1796 ErrorCode::UNSUPPORTED_MAC_LENGTH, 1797 Begin( 1798 KeyPurpose::SIGN, key_blob_, 1799 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 264), 1800 &output_params, &op_handle_)); 1801} 1802 1803/* 1804 * SigningOperationsTest.HmacSha256TooSmallMacLength 1805 * 1806 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the 1807 * specified minimum MAC length. 1808 */ 1809TEST_F(SigningOperationsTest, HmacSha256TooSmallMacLength) { 1810 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1811 .Authorization(TAG_NO_AUTH_REQUIRED) 1812 .HmacKey(128) 1813 .Digest(Digest::SHA_2_256) 1814 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1815 AuthorizationSet output_params; 1816 EXPECT_EQ( 1817 ErrorCode::INVALID_MAC_LENGTH, 1818 Begin( 1819 KeyPurpose::SIGN, key_blob_, 1820 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 120), 1821 &output_params, &op_handle_)); 1822} 1823 1824/* 1825 * SigningOperationsTest.HmacRfc4231TestCase3 1826 * 1827 * Validates against the test vectors from RFC 4231 test case 3. 1828 */ 1829TEST_F(SigningOperationsTest, HmacRfc4231TestCase3) { 1830 string key(20, 0xaa); 1831 string message(50, 0xdd); 1832 uint8_t sha_224_expected[] = { 1833 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 1834 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 1835 }; 1836 uint8_t sha_256_expected[] = { 1837 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 1838 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 1839 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 1840 }; 1841 uint8_t sha_384_expected[] = { 1842 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 1843 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 1844 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 1845 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 1846 }; 1847 uint8_t sha_512_expected[] = { 1848 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 1849 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 1850 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 1851 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 1852 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 1853 }; 1854 1855 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected)); 1856 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected)); 1857 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected)); 1858 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected)); 1859} 1860 1861/* 1862 * SigningOperationsTest.HmacRfc4231TestCase5 1863 * 1864 * Validates against the test vectors from RFC 4231 test case 5. 1865 */ 1866TEST_F(SigningOperationsTest, HmacRfc4231TestCase5) { 1867 string key(20, 0x0c); 1868 string message = "Test With Truncation"; 1869 1870 uint8_t sha_224_expected[] = { 1871 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 1872 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 1873 }; 1874 uint8_t sha_256_expected[] = { 1875 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 1876 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 1877 }; 1878 uint8_t sha_384_expected[] = { 1879 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 1880 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 1881 }; 1882 uint8_t sha_512_expected[] = { 1883 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 1884 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 1885 }; 1886 1887 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected)); 1888 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected)); 1889 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected)); 1890 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected)); 1891} 1892 1893/* 1894 * SigningOperationsTest.HmacRfc4231TestCase6 1895 * 1896 * Validates against the test vectors from RFC 4231 test case 6. 1897 */ 1898TEST_F(SigningOperationsTest, HmacRfc4231TestCase6) { 1899 string key(131, 0xaa); 1900 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 1901 1902 uint8_t sha_224_expected[] = { 1903 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 1904 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 1905 }; 1906 uint8_t sha_256_expected[] = { 1907 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 1908 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 1909 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 1910 }; 1911 uint8_t sha_384_expected[] = { 1912 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 1913 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 1914 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 1915 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 1916 }; 1917 uint8_t sha_512_expected[] = { 1918 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 1919 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 1920 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 1921 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 1922 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 1923 }; 1924 1925 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected)); 1926 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected)); 1927 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected)); 1928 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected)); 1929} 1930 1931/* 1932 * SigningOperationsTest.HmacRfc4231TestCase7 1933 * 1934 * Validates against the test vectors from RFC 4231 test case 7. 1935 */ 1936TEST_F(SigningOperationsTest, HmacRfc4231TestCase7) { 1937 string key(131, 0xaa); 1938 string message = "This is a test using a larger than block-size key and a larger than " 1939 "block-size data. The key needs to be hashed before being used by the HMAC " 1940 "algorithm."; 1941 1942 uint8_t sha_224_expected[] = { 1943 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 1944 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 1945 }; 1946 uint8_t sha_256_expected[] = { 1947 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1948 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1949 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1950 }; 1951 uint8_t sha_384_expected[] = { 1952 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1953 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1954 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1955 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1956 }; 1957 uint8_t sha_512_expected[] = { 1958 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1959 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1960 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1961 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1962 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1963 }; 1964 1965 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected)); 1966 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected)); 1967 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected)); 1968 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected)); 1969} 1970 1971typedef KeymasterHidlTest VerificationOperationsTest; 1972 1973/* 1974 * VerificationOperationsTest.RsaSuccess 1975 * 1976 * Verifies that a simple RSA signature/verification sequence succeeds. 1977 */ 1978TEST_F(VerificationOperationsTest, RsaSuccess) { 1979 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1980 .Authorization(TAG_NO_AUTH_REQUIRED) 1981 .RsaSigningKey(1024, 3) 1982 .Digest(Digest::NONE) 1983 .Padding(PaddingMode::NONE))); 1984 string message = "12345678901234567890123456789012"; 1985 string signature = SignMessage( 1986 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)); 1987 VerifyMessage(message, signature, 1988 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)); 1989} 1990 1991/* 1992 * VerificationOperationsTest.RsaSuccess 1993 * 1994 * Verifies RSA signature/verification for all padding modes and digests. 1995 */ 1996TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { 1997 ASSERT_EQ(ErrorCode::OK, 1998 GenerateKey(AuthorizationSetBuilder() 1999 .Authorization(TAG_NO_AUTH_REQUIRED) 2000 .RsaSigningKey(2048, 3) 2001 .Digest(Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 2002 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512) 2003 .Padding(PaddingMode::NONE) 2004 .Padding(PaddingMode::RSA_PSS) 2005 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 2006 2007 string message(128, 'a'); 2008 string corrupt_message(message); 2009 ++corrupt_message[corrupt_message.size() / 2]; 2010 2011 for (auto padding : 2012 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) { 2013 2014 for (auto digest : {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 2015 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}) { 2016 if (padding == PaddingMode::NONE && digest != Digest::NONE) { 2017 // Digesting only makes sense with padding. 2018 continue; 2019 } 2020 2021 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) { 2022 // PSS requires digesting. 2023 continue; 2024 } 2025 2026 string signature = 2027 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding)); 2028 VerifyMessage(message, signature, 2029 AuthorizationSetBuilder().Digest(digest).Padding(padding)); 2030 2031 if (digest != Digest::NONE) { 2032 // Verify with OpenSSL. 2033 HidlBuf pubkey; 2034 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey)); 2035 2036 const uint8_t* p = pubkey.data(); 2037 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 2038 ASSERT_TRUE(pkey.get()); 2039 2040 EVP_MD_CTX digest_ctx; 2041 EVP_MD_CTX_init(&digest_ctx); 2042 EVP_PKEY_CTX* pkey_ctx; 2043 const EVP_MD* md = openssl_digest(digest); 2044 ASSERT_NE(md, nullptr); 2045 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */, 2046 pkey.get())); 2047 2048 switch (padding) { 2049 case PaddingMode::RSA_PSS: 2050 EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING), 0); 2051 EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(md)), 0); 2052 break; 2053 case PaddingMode::RSA_PKCS1_1_5_SIGN: 2054 // PKCS1 is the default; don't need to set anything. 2055 break; 2056 default: 2057 FAIL(); 2058 break; 2059 } 2060 2061 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); 2062 EXPECT_EQ(1, EVP_DigestVerifyFinal( 2063 &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 2064 signature.size())); 2065 EVP_MD_CTX_cleanup(&digest_ctx); 2066 } 2067 2068 // Corrupt signature shouldn't verify. 2069 string corrupt_signature(signature); 2070 ++corrupt_signature[corrupt_signature.size() / 2]; 2071 2072 EXPECT_EQ(ErrorCode::OK, 2073 Begin(KeyPurpose::VERIFY, 2074 AuthorizationSetBuilder().Digest(digest).Padding(padding))); 2075 string result; 2076 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result)); 2077 2078 // Corrupt message shouldn't verify 2079 EXPECT_EQ(ErrorCode::OK, 2080 Begin(KeyPurpose::VERIFY, 2081 AuthorizationSetBuilder().Digest(digest).Padding(padding))); 2082 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result)); 2083 } 2084 } 2085} 2086 2087/* 2088 * VerificationOperationsTest.RsaSuccess 2089 * 2090 * Verifies ECDSA signature/verification for all digests and curves. 2091 */ 2092TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) { 2093 auto digests = { 2094 Digest::NONE, Digest::SHA1, Digest::SHA_2_224, 2095 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512, 2096 }; 2097 2098 string message = "1234567890"; 2099 string corrupt_message = "2234567890"; 2100 for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { 2101 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 2102 .Authorization(TAG_NO_AUTH_REQUIRED) 2103 .EcdsaSigningKey(curve) 2104 .Digest(digests)); 2105 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve; 2106 if (error != ErrorCode::OK) { 2107 continue; 2108 } 2109 2110 for (auto digest : digests) { 2111 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest)); 2112 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest)); 2113 2114 // Verify with OpenSSL 2115 if (digest != Digest::NONE) { 2116 HidlBuf pubkey; 2117 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey)) 2118 << curve << ' ' << digest; 2119 2120 const uint8_t* p = pubkey.data(); 2121 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 2122 ASSERT_TRUE(pkey.get()); 2123 2124 EVP_MD_CTX digest_ctx; 2125 EVP_MD_CTX_init(&digest_ctx); 2126 EVP_PKEY_CTX* pkey_ctx; 2127 const EVP_MD* md = openssl_digest(digest); 2128 2129 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */, 2130 pkey.get())) 2131 << curve << ' ' << digest; 2132 2133 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())) 2134 << curve << ' ' << digest; 2135 2136 EXPECT_EQ(1, EVP_DigestVerifyFinal( 2137 &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 2138 signature.size())) 2139 << curve << ' ' << digest; 2140 2141 EVP_MD_CTX_cleanup(&digest_ctx); 2142 } 2143 2144 // Corrupt signature shouldn't verify. 2145 string corrupt_signature(signature); 2146 ++corrupt_signature[corrupt_signature.size() / 2]; 2147 2148 EXPECT_EQ(ErrorCode::OK, 2149 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest))) 2150 << curve << ' ' << digest; 2151 2152 string result; 2153 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result)) 2154 << curve << ' ' << digest; 2155 2156 // Corrupt message shouldn't verify 2157 EXPECT_EQ(ErrorCode::OK, 2158 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest))) 2159 << curve << ' ' << digest; 2160 2161 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result)) 2162 << curve << ' ' << digest; 2163 } 2164 2165 auto rc = DeleteKey(); 2166 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED); 2167 } 2168} 2169 2170/* 2171 * VerificationOperationsTest.HmacSigningKeyCannotVerify 2172 * 2173 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify. 2174 */ 2175TEST_F(VerificationOperationsTest, HmacSigningKeyCannotVerify) { 2176 string key_material = "HelloThisIsAKey"; 2177 2178 HidlBuf signing_key, verification_key; 2179 KeyCharacteristics signing_key_chars, verification_key_chars; 2180 EXPECT_EQ(ErrorCode::OK, 2181 ImportKey(AuthorizationSetBuilder() 2182 .Authorization(TAG_NO_AUTH_REQUIRED) 2183 .Authorization(TAG_ALGORITHM, Algorithm::HMAC) 2184 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN) 2185 .Digest(Digest::SHA1) 2186 .Authorization(TAG_MIN_MAC_LENGTH, 160), 2187 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars)); 2188 EXPECT_EQ(ErrorCode::OK, 2189 ImportKey(AuthorizationSetBuilder() 2190 .Authorization(TAG_NO_AUTH_REQUIRED) 2191 .Authorization(TAG_ALGORITHM, Algorithm::HMAC) 2192 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY) 2193 .Digest(Digest::SHA1) 2194 .Authorization(TAG_MIN_MAC_LENGTH, 160), 2195 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars)); 2196 2197 string message = "This is a message."; 2198 string signature = SignMessage( 2199 signing_key, message, 2200 AuthorizationSetBuilder().Digest(Digest::SHA1).Authorization(TAG_MAC_LENGTH, 160)); 2201 2202 // Signing key should not work. 2203 AuthorizationSet out_params; 2204 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, 2205 Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA1), 2206 &out_params, &op_handle_)); 2207 2208 // Verification key should work. 2209 VerifyMessage(verification_key, message, signature, 2210 AuthorizationSetBuilder().Digest(Digest::SHA1)); 2211 2212 CheckedDeleteKey(&signing_key); 2213 CheckedDeleteKey(&verification_key); 2214} 2215 2216typedef KeymasterHidlTest ExportKeyTest; 2217 2218/* 2219 * ExportKeyTest.RsaUnsupportedKeyFormat 2220 * 2221 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error. 2222 */ 2223TEST_F(ExportKeyTest, RsaUnsupportedKeyFormat) { 2224 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2225 .RsaSigningKey(1024, 3) 2226 .Digest(Digest::NONE) 2227 .Padding(PaddingMode::NONE))); 2228 HidlBuf export_data; 2229 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data)); 2230} 2231 2232/* 2233 * ExportKeyTest.RsaCorruptedKeyBlob 2234 * 2235 * Verifies that attempting to export RSA keys from corrupted key blobs fails. This is essentially 2236 * a poor-man's key blob fuzzer. 2237 */ 2238// Disabled due to b/33385206 2239TEST_F(ExportKeyTest, DISABLED_RsaCorruptedKeyBlob) { 2240 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2241 .Authorization(TAG_NO_AUTH_REQUIRED) 2242 .RsaSigningKey(1024, 3) 2243 .Digest(Digest::NONE) 2244 .Padding(PaddingMode::NONE))); 2245 for (size_t i = 0; i < key_blob_.size(); ++i) { 2246 HidlBuf corrupted(key_blob_); 2247 ++corrupted[i]; 2248 2249 HidlBuf export_data; 2250 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, 2251 ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data)) 2252 << "Blob corrupted at offset " << i << " erroneously accepted as valid"; 2253 } 2254} 2255 2256/* 2257 * ExportKeyTest.RsaCorruptedKeyBlob 2258 * 2259 * Verifies that attempting to export ECDSA keys from corrupted key blobs fails. This is 2260 * essentially a poor-man's key blob fuzzer. 2261 */ 2262// Disabled due to b/33385206 2263TEST_F(ExportKeyTest, DISABLED_EcCorruptedKeyBlob) { 2264 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2265 .Authorization(TAG_NO_AUTH_REQUIRED) 2266 .EcdsaSigningKey(EcCurve::P_256) 2267 .Digest(Digest::NONE))); 2268 for (size_t i = 0; i < key_blob_.size(); ++i) { 2269 HidlBuf corrupted(key_blob_); 2270 ++corrupted[i]; 2271 2272 HidlBuf export_data; 2273 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, 2274 ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data)) 2275 << "Blob corrupted at offset " << i << " erroneously accepted as valid"; 2276 } 2277} 2278 2279/* 2280 * ExportKeyTest.AesKeyUnexportable 2281 * 2282 * Verifies that attempting to export AES keys fails in the expected way. 2283 */ 2284TEST_F(ExportKeyTest, AesKeyUnexportable) { 2285 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2286 .Authorization(TAG_NO_AUTH_REQUIRED) 2287 .AesEncryptionKey(128) 2288 .EcbMode() 2289 .Padding(PaddingMode::NONE))); 2290 2291 HidlBuf export_data; 2292 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::X509, &export_data)); 2293 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data)); 2294 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::RAW, &export_data)); 2295} 2296typedef KeymasterHidlTest ImportKeyTest; 2297 2298/* 2299 * ImportKeyTest.RsaSuccess 2300 * 2301 * Verifies that importing and using an RSA key pair works correctly. 2302 */ 2303TEST_F(ImportKeyTest, RsaSuccess) { 2304 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 2305 .Authorization(TAG_NO_AUTH_REQUIRED) 2306 .RsaSigningKey(1024, 65537) 2307 .Digest(Digest::SHA_2_256) 2308 .Padding(PaddingMode::RSA_PSS), 2309 KeyFormat::PKCS8, rsa_key)); 2310 2311 CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::RSA); 2312 CheckKm0CryptoParam(TAG_KEY_SIZE, 1024U); 2313 CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U); 2314 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256); 2315 CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS); 2316 CheckOrigin(); 2317 2318 string message(1024 / 8, 'a'); 2319 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS); 2320 string signature = SignMessage(message, params); 2321 VerifyMessage(message, signature, params); 2322} 2323 2324/* 2325 * ImportKeyTest.RsaKeySizeMismatch 2326 * 2327 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the 2328 * correct way. 2329 */ 2330TEST_F(ImportKeyTest, RsaKeySizeMismatch) { 2331 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH, 2332 ImportKey(AuthorizationSetBuilder() 2333 .RsaSigningKey(2048 /* Doesn't match key */, 65537) 2334 .Digest(Digest::NONE) 2335 .Padding(PaddingMode::NONE), 2336 KeyFormat::PKCS8, rsa_key)); 2337} 2338 2339/* 2340 * ImportKeyTest.RsaPublicExponentMismatch 2341 * 2342 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key fails 2343 * in the correct way. 2344 */ 2345TEST_F(ImportKeyTest, RsaPublicExponentMismatch) { 2346 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH, 2347 ImportKey(AuthorizationSetBuilder() 2348 .RsaSigningKey(1024, 3 /* Doesn't match key */) 2349 .Digest(Digest::NONE) 2350 .Padding(PaddingMode::NONE), 2351 KeyFormat::PKCS8, rsa_key)); 2352} 2353 2354/* 2355 * ImportKeyTest.EcdsaSuccess 2356 * 2357 * Verifies that importing and using an ECDSA P-256 key pair works correctly. 2358 */ 2359TEST_F(ImportKeyTest, EcdsaSuccess) { 2360 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 2361 .Authorization(TAG_NO_AUTH_REQUIRED) 2362 .EcdsaSigningKey(256) 2363 .Digest(Digest::SHA_2_256), 2364 KeyFormat::PKCS8, ec_256_key)) 2365 << "(Possibly b/33945114)"; 2366 2367 CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC); 2368 CheckKm0CryptoParam(TAG_KEY_SIZE, 256U); 2369 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256); 2370 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256); 2371 2372 CheckOrigin(); 2373 2374 string message(32, 'a'); 2375 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256); 2376 string signature = SignMessage(message, params); 2377 VerifyMessage(message, signature, params); 2378} 2379 2380/* 2381 * ImportKeyTest.Ecdsa521Success 2382 * 2383 * Verifies that importing and using an ECDSA P-521 key pair works correctly. 2384 */ 2385TEST_F(ImportKeyTest, Ecdsa521Success) { 2386 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 2387 .Authorization(TAG_NO_AUTH_REQUIRED) 2388 .EcdsaSigningKey(521) 2389 .Digest(Digest::SHA_2_256), 2390 KeyFormat::PKCS8, ec_521_key)) 2391 << "(Possibly b/33945114)"; 2392 2393 CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC); 2394 CheckKm0CryptoParam(TAG_KEY_SIZE, 521U); 2395 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256); 2396 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521); 2397 2398 CheckOrigin(); 2399 2400 string message(32, 'a'); 2401 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256); 2402 string signature = SignMessage(message, params); 2403 VerifyMessage(message, signature, params); 2404} 2405 2406/* 2407 * ImportKeyTest.EcdsaSizeMismatch 2408 * 2409 * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the 2410 * correct way. 2411 */ 2412TEST_F(ImportKeyTest, EcdsaSizeMismatch) { 2413 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH, 2414 ImportKey(AuthorizationSetBuilder() 2415 .EcdsaSigningKey(224 /* Doesn't match key */) 2416 .Digest(Digest::NONE), 2417 KeyFormat::PKCS8, ec_256_key)); 2418} 2419 2420/* 2421 * ImportKeyTest.EcdsaCurveMismatch 2422 * 2423 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in the 2424 * correct way. 2425 */ 2426TEST_F(ImportKeyTest, EcdsaCurveMismatch) { 2427 if (SupportsSymmetric() && !SupportsAttestation()) { 2428 // KM1 hardware doesn't know about curves 2429 return; 2430 } 2431 2432 ASSERT_EQ( 2433 ErrorCode::IMPORT_PARAMETER_MISMATCH, 2434 ImportKey(AuthorizationSetBuilder() 2435 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */) 2436 .Digest(Digest::NONE), 2437 KeyFormat::PKCS8, ec_256_key)) 2438 << "(Possibly b/36233241)"; 2439} 2440 2441/* 2442 * ImportKeyTest.AesSuccess 2443 * 2444 * Verifies that importing and using an AES key works. 2445 */ 2446TEST_F(ImportKeyTest, AesSuccess) { 2447 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 2448 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 2449 .Authorization(TAG_NO_AUTH_REQUIRED) 2450 .AesEncryptionKey(key.size() * 8) 2451 .EcbMode() 2452 .Padding(PaddingMode::PKCS7), 2453 KeyFormat::RAW, key)); 2454 2455 CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::AES); 2456 CheckKm1CryptoParam(TAG_KEY_SIZE, 128U); 2457 CheckKm1CryptoParam(TAG_PADDING, PaddingMode::PKCS7); 2458 CheckKm1CryptoParam(TAG_BLOCK_MODE, BlockMode::ECB); 2459 CheckOrigin(); 2460 2461 string message = "Hello World!"; 2462 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); 2463 string ciphertext = EncryptMessage(message, params); 2464 string plaintext = DecryptMessage(ciphertext, params); 2465 EXPECT_EQ(message, plaintext); 2466} 2467 2468/* 2469 * ImportKeyTest.AesSuccess 2470 * 2471 * Verifies that importing and using an HMAC key works. 2472 */ 2473TEST_F(ImportKeyTest, HmacKeySuccess) { 2474 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 2475 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 2476 .Authorization(TAG_NO_AUTH_REQUIRED) 2477 .HmacKey(key.size() * 8) 2478 .Digest(Digest::SHA_2_256) 2479 .Authorization(TAG_MIN_MAC_LENGTH, 256), 2480 KeyFormat::RAW, key)); 2481 2482 CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::HMAC); 2483 CheckKm1CryptoParam(TAG_KEY_SIZE, 128U); 2484 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256); 2485 CheckOrigin(); 2486 2487 string message = "Hello World!"; 2488 string signature = MacMessage(message, Digest::SHA_2_256, 256); 2489 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)); 2490} 2491 2492typedef KeymasterHidlTest EncryptionOperationsTest; 2493 2494/* 2495 * EncryptionOperationsTest.RsaNoPaddingSuccess 2496 * 2497 * Verifies that raw RSA encryption works. 2498 */ 2499TEST_F(EncryptionOperationsTest, RsaNoPaddingSuccess) { 2500 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2501 .Authorization(TAG_NO_AUTH_REQUIRED) 2502 .RsaEncryptionKey(1024, 3) 2503 .Padding(PaddingMode::NONE))); 2504 2505 string message = string(1024 / 8, 'a'); 2506 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE); 2507 string ciphertext1 = EncryptMessage(message, params); 2508 EXPECT_EQ(1024U / 8, ciphertext1.size()); 2509 2510 string ciphertext2 = EncryptMessage(message, params); 2511 EXPECT_EQ(1024U / 8, ciphertext2.size()); 2512 2513 // Unpadded RSA is deterministic 2514 EXPECT_EQ(ciphertext1, ciphertext2); 2515} 2516 2517/* 2518 * EncryptionOperationsTest.RsaNoPaddingShortMessage 2519 * 2520 * Verifies that raw RSA encryption of short messages works. 2521 */ 2522TEST_F(EncryptionOperationsTest, RsaNoPaddingShortMessage) { 2523 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2524 .Authorization(TAG_NO_AUTH_REQUIRED) 2525 .RsaEncryptionKey(1024, 3) 2526 .Padding(PaddingMode::NONE))); 2527 2528 string message = "1"; 2529 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE); 2530 2531 string ciphertext = EncryptMessage(message, params); 2532 EXPECT_EQ(1024U / 8, ciphertext.size()); 2533 2534 string expected_plaintext = string(1024 / 8 - 1, 0) + message; 2535 string plaintext = DecryptMessage(ciphertext, params); 2536 2537 EXPECT_EQ(expected_plaintext, plaintext); 2538 2539 // Degenerate case, encrypting a numeric 1 yields 0x00..01 as the ciphertext. 2540 message = static_cast<char>(1); 2541 ciphertext = EncryptMessage(message, params); 2542 EXPECT_EQ(1024U / 8, ciphertext.size()); 2543 EXPECT_EQ(ciphertext, string(1024 / 8 - 1, 0) + message); 2544} 2545 2546/* 2547 * EncryptionOperationsTest.RsaNoPaddingTooLong 2548 * 2549 * Verifies that raw RSA encryption of too-long messages fails in the expected way. 2550 */ 2551TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLong) { 2552 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2553 .Authorization(TAG_NO_AUTH_REQUIRED) 2554 .RsaEncryptionKey(1024, 3) 2555 .Padding(PaddingMode::NONE))); 2556 2557 string message(1024 / 8 + 1, 'a'); 2558 2559 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE); 2560 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params)); 2561 2562 string result; 2563 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result)); 2564} 2565 2566/* 2567 * EncryptionOperationsTest.RsaNoPaddingTooLong 2568 * 2569 * Verifies that raw RSA encryption of too-large (numerically) messages fails in the expected way. 2570 */ 2571TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLarge) { 2572 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2573 .Authorization(TAG_NO_AUTH_REQUIRED) 2574 .RsaEncryptionKey(1024, 3) 2575 .Padding(PaddingMode::NONE))); 2576 2577 HidlBuf exported; 2578 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &exported)); 2579 2580 const uint8_t* p = exported.data(); 2581 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size())); 2582 RSA_Ptr rsa(EVP_PKEY_get1_RSA(pkey.get())); 2583 2584 size_t modulus_len = BN_num_bytes(rsa->n); 2585 ASSERT_EQ(1024U / 8, modulus_len); 2586 std::unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]); 2587 BN_bn2bin(rsa->n, modulus_buf.get()); 2588 2589 // The modulus is too big to encrypt. 2590 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 2591 2592 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE); 2593 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params)); 2594 2595 string result; 2596 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result)); 2597 2598 // One smaller than the modulus is okay. 2599 BN_sub(rsa->n, rsa->n, BN_value_one()); 2600 modulus_len = BN_num_bytes(rsa->n); 2601 ASSERT_EQ(1024U / 8, modulus_len); 2602 BN_bn2bin(rsa->n, modulus_buf.get()); 2603 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 2604 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params)); 2605 EXPECT_EQ(ErrorCode::OK, Finish(message, &result)); 2606} 2607 2608/* 2609 * EncryptionOperationsTest.RsaOaepSuccess 2610 * 2611 * Verifies that RSA-OAEP encryption operations work, with all digests. 2612 */ 2613TEST_F(EncryptionOperationsTest, RsaOaepSuccess) { 2614 auto digests = {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 2615 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; 2616 2617 size_t key_size = 2048; // Need largish key for SHA-512 test. 2618 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2619 .Authorization(TAG_NO_AUTH_REQUIRED) 2620 .RsaEncryptionKey(key_size, 3) 2621 .Padding(PaddingMode::RSA_OAEP) 2622 .Digest(digests))); 2623 2624 string message = "Hello"; 2625 2626 for (auto digest : digests) { 2627 auto params = AuthorizationSetBuilder().Digest(digest).Padding(PaddingMode::RSA_OAEP); 2628 string ciphertext1 = EncryptMessage(message, params); 2629 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl; 2630 EXPECT_EQ(key_size / 8, ciphertext1.size()); 2631 2632 string ciphertext2 = EncryptMessage(message, params); 2633 EXPECT_EQ(key_size / 8, ciphertext2.size()); 2634 2635 // OAEP randomizes padding so every result should be different (with astronomically high 2636 // probability). 2637 EXPECT_NE(ciphertext1, ciphertext2); 2638 2639 string plaintext1 = DecryptMessage(ciphertext1, params); 2640 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest; 2641 string plaintext2 = DecryptMessage(ciphertext2, params); 2642 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest; 2643 2644 // Decrypting corrupted ciphertext should fail. 2645 size_t offset_to_corrupt = random() % ciphertext1.size(); 2646 char corrupt_byte; 2647 do { 2648 corrupt_byte = static_cast<char>(random() % 256); 2649 } while (corrupt_byte == ciphertext1[offset_to_corrupt]); 2650 ciphertext1[offset_to_corrupt] = corrupt_byte; 2651 2652 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 2653 string result; 2654 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result)); 2655 EXPECT_EQ(0U, result.size()); 2656 } 2657} 2658 2659/* 2660 * EncryptionOperationsTest.RsaOaepInvalidDigest 2661 * 2662 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate 2663 * without a digest. 2664 */ 2665TEST_F(EncryptionOperationsTest, RsaOaepInvalidDigest) { 2666 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2667 .Authorization(TAG_NO_AUTH_REQUIRED) 2668 .RsaEncryptionKey(1024, 3) 2669 .Padding(PaddingMode::RSA_OAEP) 2670 .Digest(Digest::NONE))); 2671 string message = "Hello World!"; 2672 2673 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE); 2674 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::ENCRYPT, params)); 2675} 2676 2677/* 2678 * EncryptionOperationsTest.RsaOaepInvalidDigest 2679 * 2680 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to decrypt with a 2681 * different digest than was used to encrypt. 2682 */ 2683TEST_F(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { 2684 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2685 .Authorization(TAG_NO_AUTH_REQUIRED) 2686 .RsaEncryptionKey(1024, 3) 2687 .Padding(PaddingMode::RSA_OAEP) 2688 .Digest(Digest::SHA_2_256, Digest::SHA_2_224))); 2689 string message = "Hello World!"; 2690 string ciphertext = EncryptMessage( 2691 message, 2692 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP)); 2693 2694 EXPECT_EQ( 2695 ErrorCode::OK, 2696 Begin(KeyPurpose::DECRYPT, 2697 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP))); 2698 string result; 2699 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result)); 2700 EXPECT_EQ(0U, result.size()); 2701} 2702 2703/* 2704 * EncryptionOperationsTest.RsaOaepTooLarge 2705 * 2706 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to encrypt a 2707 * too-large message. 2708 */ 2709TEST_F(EncryptionOperationsTest, RsaOaepTooLarge) { 2710 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2711 .Authorization(TAG_NO_AUTH_REQUIRED) 2712 .RsaEncryptionKey(1024, 3) 2713 .Padding(PaddingMode::RSA_OAEP) 2714 .Digest(Digest::SHA1))); 2715 constexpr size_t digest_size = 160 /* SHA1 */ / 8; 2716 constexpr size_t oaep_overhead = 2 * digest_size + 2; 2717 string message(1024 / 8 - oaep_overhead + 1, 'a'); 2718 EXPECT_EQ(ErrorCode::OK, 2719 Begin(KeyPurpose::ENCRYPT, 2720 AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA1))); 2721 string result; 2722 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result)); 2723 EXPECT_EQ(0U, result.size()); 2724} 2725 2726/* 2727 * EncryptionOperationsTest.RsaPkcs1Success 2728 * 2729 * Verifies that RSA PKCS encryption/decrypts works. 2730 */ 2731TEST_F(EncryptionOperationsTest, RsaPkcs1Success) { 2732 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2733 .Authorization(TAG_NO_AUTH_REQUIRED) 2734 .RsaEncryptionKey(1024, 3) 2735 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT))); 2736 2737 string message = "Hello World!"; 2738 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT); 2739 string ciphertext1 = EncryptMessage(message, params); 2740 EXPECT_EQ(1024U / 8, ciphertext1.size()); 2741 2742 string ciphertext2 = EncryptMessage(message, params); 2743 EXPECT_EQ(1024U / 8, ciphertext2.size()); 2744 2745 // PKCS1 v1.5 randomizes padding so every result should be different. 2746 EXPECT_NE(ciphertext1, ciphertext2); 2747 2748 string plaintext = DecryptMessage(ciphertext1, params); 2749 EXPECT_EQ(message, plaintext); 2750 2751 // Decrypting corrupted ciphertext should fail. 2752 size_t offset_to_corrupt = random() % ciphertext1.size(); 2753 char corrupt_byte; 2754 do { 2755 corrupt_byte = static_cast<char>(random() % 256); 2756 } while (corrupt_byte == ciphertext1[offset_to_corrupt]); 2757 ciphertext1[offset_to_corrupt] = corrupt_byte; 2758 2759 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 2760 string result; 2761 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result)); 2762 EXPECT_EQ(0U, result.size()); 2763} 2764 2765/* 2766 * EncryptionOperationsTest.RsaPkcs1TooLarge 2767 * 2768 * Verifies that RSA PKCS encryption fails in the correct way when the mssage is too large. 2769 */ 2770TEST_F(EncryptionOperationsTest, RsaPkcs1TooLarge) { 2771 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2772 .Authorization(TAG_NO_AUTH_REQUIRED) 2773 .RsaEncryptionKey(1024, 3) 2774 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT))); 2775 string message(1024 / 8 - 10, 'a'); 2776 2777 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT); 2778 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params)); 2779 string result; 2780 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result)); 2781 EXPECT_EQ(0U, result.size()); 2782} 2783 2784/* 2785 * EncryptionOperationsTest.EcdsaEncrypt 2786 * 2787 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way. 2788 */ 2789TEST_F(EncryptionOperationsTest, EcdsaEncrypt) { 2790 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2791 .Authorization(TAG_NO_AUTH_REQUIRED) 2792 .EcdsaSigningKey(224) 2793 .Digest(Digest::NONE))); 2794 auto params = AuthorizationSetBuilder().Digest(Digest::NONE); 2795 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params)) 2796 << "(Possibly b/33543625)"; 2797 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params)) 2798 << "(Possibly b/33543625)"; 2799} 2800 2801/* 2802 * EncryptionOperationsTest.HmacEncrypt 2803 * 2804 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way. 2805 */ 2806TEST_F(EncryptionOperationsTest, HmacEncrypt) { 2807 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2808 .Authorization(TAG_NO_AUTH_REQUIRED) 2809 .HmacKey(128) 2810 .Digest(Digest::SHA_2_256) 2811 .Padding(PaddingMode::NONE) 2812 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2813 auto params = AuthorizationSetBuilder() 2814 .Digest(Digest::SHA_2_256) 2815 .Padding(PaddingMode::NONE) 2816 .Authorization(TAG_MAC_LENGTH, 128); 2817 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params)) 2818 << "(Possibly b/33543625)"; 2819 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params)) 2820 << "(Possibly b/33543625)"; 2821} 2822 2823/* 2824 * EncryptionOperationsTest.AesEcbRoundTripSuccess 2825 * 2826 * Verifies that AES ECB mode works. 2827 */ 2828TEST_F(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2829 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2830 .Authorization(TAG_NO_AUTH_REQUIRED) 2831 .AesEncryptionKey(128) 2832 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB) 2833 .Padding(PaddingMode::NONE))); 2834 2835 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE); 2836 2837 // Two-block message. 2838 string message = "12345678901234567890123456789012"; 2839 string ciphertext1 = EncryptMessage(message, params); 2840 EXPECT_EQ(message.size(), ciphertext1.size()); 2841 2842 string ciphertext2 = EncryptMessage(string(message), params); 2843 EXPECT_EQ(message.size(), ciphertext2.size()); 2844 2845 // ECB is deterministic. 2846 EXPECT_EQ(ciphertext1, ciphertext2); 2847 2848 string plaintext = DecryptMessage(ciphertext1, params); 2849 EXPECT_EQ(message, plaintext); 2850} 2851 2852/* 2853 * EncryptionOperationsTest.AesEcbRoundTripSuccess 2854 * 2855 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified. 2856 */ 2857TEST_F(EncryptionOperationsTest, AesWrongMode) { 2858 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2859 .Authorization(TAG_NO_AUTH_REQUIRED) 2860 .AesEncryptionKey(128) 2861 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC) 2862 .Padding(PaddingMode::NONE))); 2863 // Two-block message. 2864 string message = "12345678901234567890123456789012"; 2865 EXPECT_EQ( 2866 ErrorCode::INCOMPATIBLE_BLOCK_MODE, 2867 Begin(KeyPurpose::ENCRYPT, 2868 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE))); 2869} 2870 2871/* 2872 * EncryptionOperationsTest.AesEcbNoPaddingWrongInputSize 2873 * 2874 * Verifies that AES encryption fails in the correct way when provided an input that is not a 2875 * multiple of the block size and no padding is specified. 2876 */ 2877TEST_F(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2878 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2879 .Authorization(TAG_NO_AUTH_REQUIRED) 2880 .AesEncryptionKey(128) 2881 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB) 2882 .Padding(PaddingMode::NONE))); 2883 // Message is slightly shorter than two blocks. 2884 string message(16 * 2 - 1, 'a'); 2885 2886 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE); 2887 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params)); 2888 string ciphertext; 2889 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext)); 2890 EXPECT_EQ(0U, ciphertext.size()); 2891} 2892 2893/* 2894 * EncryptionOperationsTest.AesEcbPkcs7Padding 2895 * 2896 * Verifies that AES PKCS7 padding works for any message length. 2897 */ 2898TEST_F(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2899 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2900 .Authorization(TAG_NO_AUTH_REQUIRED) 2901 .AesEncryptionKey(128) 2902 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB) 2903 .Padding(PaddingMode::PKCS7))); 2904 2905 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); 2906 2907 // Try various message lengths; all should work. 2908 for (size_t i = 0; i < 32; ++i) { 2909 string message(i, 'a'); 2910 string ciphertext = EncryptMessage(message, params); 2911 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2912 string plaintext = DecryptMessage(ciphertext, params); 2913 EXPECT_EQ(message, plaintext); 2914 } 2915} 2916 2917/* 2918 * EncryptionOperationsTest.AesEcbWrongPadding 2919 * 2920 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is 2921 * specified. 2922 */ 2923TEST_F(EncryptionOperationsTest, AesEcbWrongPadding) { 2924 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2925 .Authorization(TAG_NO_AUTH_REQUIRED) 2926 .AesEncryptionKey(128) 2927 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB) 2928 .Padding(PaddingMode::NONE))); 2929 2930 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); 2931 2932 // Try various message lengths; all should fail 2933 for (size_t i = 0; i < 32; ++i) { 2934 string message(i, 'a'); 2935 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params)); 2936 } 2937} 2938 2939/* 2940 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted 2941 * 2942 * Verifies that AES decryption fails in the correct way when the padding is corrupted. 2943 */ 2944TEST_F(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2945 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2946 .Authorization(TAG_NO_AUTH_REQUIRED) 2947 .AesEncryptionKey(128) 2948 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB) 2949 .Padding(PaddingMode::PKCS7))); 2950 2951 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7); 2952 2953 string message = "a"; 2954 string ciphertext = EncryptMessage(message, params); 2955 EXPECT_EQ(16U, ciphertext.size()); 2956 EXPECT_NE(ciphertext, message); 2957 ++ciphertext[ciphertext.size() / 2]; 2958 2959 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 2960 string plaintext; 2961 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext)); 2962} 2963 2964HidlBuf CopyIv(const AuthorizationSet& set) { 2965 auto iv = set.GetTagValue(TAG_NONCE); 2966 EXPECT_TRUE(iv.isOk()); 2967 return iv.value(); 2968} 2969 2970/* 2971 * EncryptionOperationsTest.AesCtrRoundTripSuccess 2972 * 2973 * Verifies that AES CTR mode works. 2974 */ 2975TEST_F(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2976 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2977 .Authorization(TAG_NO_AUTH_REQUIRED) 2978 .AesEncryptionKey(128) 2979 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR) 2980 .Padding(PaddingMode::NONE))); 2981 2982 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE); 2983 2984 string message = "123"; 2985 AuthorizationSet out_params; 2986 string ciphertext1 = EncryptMessage(message, params, &out_params); 2987 HidlBuf iv1 = CopyIv(out_params); 2988 EXPECT_EQ(16U, iv1.size()); 2989 2990 EXPECT_EQ(message.size(), ciphertext1.size()); 2991 2992 out_params.Clear(); 2993 string ciphertext2 = EncryptMessage(message, params, &out_params); 2994 HidlBuf iv2 = CopyIv(out_params); 2995 EXPECT_EQ(16U, iv2.size()); 2996 2997 // IVs should be random, so ciphertexts should differ. 2998 EXPECT_NE(ciphertext1, ciphertext2); 2999 3000 auto params_iv1 = 3001 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1); 3002 auto params_iv2 = 3003 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2); 3004 3005 string plaintext = DecryptMessage(ciphertext1, params_iv1); 3006 EXPECT_EQ(message, plaintext); 3007 plaintext = DecryptMessage(ciphertext2, params_iv2); 3008 EXPECT_EQ(message, plaintext); 3009 3010 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage. 3011 plaintext = DecryptMessage(ciphertext1, params_iv2); 3012 EXPECT_NE(message, plaintext); 3013 plaintext = DecryptMessage(ciphertext2, params_iv1); 3014 EXPECT_NE(message, plaintext); 3015} 3016 3017/* 3018 * EncryptionOperationsTest.AesIncremental 3019 * 3020 * Verifies that AES works, all modes, when provided data in various size increments. 3021 */ 3022TEST_F(EncryptionOperationsTest, AesIncremental) { 3023 auto block_modes = { 3024 BlockMode::ECB, BlockMode::CBC, BlockMode::CTR, BlockMode::GCM, 3025 }; 3026 3027 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3028 .Authorization(TAG_NO_AUTH_REQUIRED) 3029 .AesEncryptionKey(128) 3030 .BlockMode(block_modes) 3031 .Padding(PaddingMode::NONE) 3032 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3033 3034 for (int increment = 1; increment <= 240; ++increment) { 3035 for (auto block_mode : block_modes) { 3036 string message(240, 'a'); 3037 auto params = AuthorizationSetBuilder() 3038 .BlockMode(block_mode) 3039 .Padding(PaddingMode::NONE) 3040 .Authorization(TAG_MAC_LENGTH, 128) /* for GCM */; 3041 3042 AuthorizationSet output_params; 3043 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params)); 3044 3045 string ciphertext; 3046 size_t input_consumed; 3047 string to_send; 3048 for (size_t i = 0; i < message.size(); i += increment) { 3049 to_send.append(message.substr(i, increment)); 3050 EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed)); 3051 to_send = to_send.substr(input_consumed); 3052 3053 switch (block_mode) { 3054 case BlockMode::ECB: 3055 case BlockMode::CBC: 3056 // Implementations must take as many blocks as possible, leaving less than 3057 // a block. 3058 EXPECT_LE(to_send.length(), 16U); 3059 break; 3060 case BlockMode::GCM: 3061 case BlockMode::CTR: 3062 // Implementations must always take all the data. 3063 EXPECT_EQ(0U, to_send.length()); 3064 break; 3065 } 3066 } 3067 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext)) << "Error sending " << to_send; 3068 3069 switch (block_mode) { 3070 case BlockMode::GCM: 3071 EXPECT_EQ(message.size() + 16, ciphertext.size()); 3072 break; 3073 case BlockMode::CTR: 3074 EXPECT_EQ(message.size(), ciphertext.size()); 3075 break; 3076 case BlockMode::CBC: 3077 case BlockMode::ECB: 3078 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size()); 3079 break; 3080 } 3081 3082 auto iv = output_params.GetTagValue(TAG_NONCE); 3083 switch (block_mode) { 3084 case BlockMode::CBC: 3085 case BlockMode::GCM: 3086 case BlockMode::CTR: 3087 ASSERT_TRUE(iv.isOk()) << "No IV for block mode " << block_mode; 3088 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv.value().size()); 3089 params.push_back(TAG_NONCE, iv.value()); 3090 break; 3091 3092 case BlockMode::ECB: 3093 EXPECT_FALSE(iv.isOk()) << "ECB mode should not generate IV"; 3094 break; 3095 } 3096 3097 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)) 3098 << "Decrypt begin() failed for block mode " << block_mode; 3099 3100 string plaintext; 3101 for (size_t i = 0; i < ciphertext.size(); i += increment) { 3102 to_send.append(ciphertext.substr(i, increment)); 3103 EXPECT_EQ(ErrorCode::OK, Update(to_send, &plaintext, &input_consumed)); 3104 to_send = to_send.substr(input_consumed); 3105 } 3106 ErrorCode error = Finish(to_send, &plaintext); 3107 ASSERT_EQ(ErrorCode::OK, error) 3108 << "Decryption failed for block mode " << block_mode << " and increment " 3109 << increment << " (Possibly b/33584622)"; 3110 if (error == ErrorCode::OK) { 3111 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode " 3112 << block_mode << " and increment " << increment; 3113 } 3114 } 3115 } 3116} 3117 3118struct AesCtrSp80038aTestVector { 3119 const char* key; 3120 const char* nonce; 3121 const char* plaintext; 3122 const char* ciphertext; 3123}; 3124 3125// These test vectors are taken from 3126// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 3127static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 3128 // AES-128 3129 { 3130 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 3131 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 3132 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 3133 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 3134 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 3135 }, 3136 // AES-192 3137 { 3138 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 3139 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 3140 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 3141 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 3142 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 3143 }, 3144 // AES-256 3145 { 3146 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 3147 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 3148 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 3149 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 3150 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 3151 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 3152 }, 3153}; 3154 3155/* 3156 * EncryptionOperationsTest.AesCtrSp80038aTestVector 3157 * 3158 * Verifies AES CTR implementation against SP800-38A test vectors. 3159 */ 3160TEST_F(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 3161 for (size_t i = 0; i < 3; i++) { 3162 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 3163 const string key = hex2str(test.key); 3164 const string nonce = hex2str(test.nonce); 3165 const string plaintext = hex2str(test.plaintext); 3166 const string ciphertext = hex2str(test.ciphertext); 3167 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 3168 } 3169} 3170 3171/* 3172 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode 3173 * 3174 * Verifies that keymaster rejects use of CTR mode with PKCS7 padding in the correct way. 3175 */ 3176TEST_F(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) { 3177 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3178 .Authorization(TAG_NO_AUTH_REQUIRED) 3179 .AesEncryptionKey(128) 3180 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR) 3181 .Padding(PaddingMode::PKCS7))); 3182 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE); 3183 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params)); 3184} 3185 3186/* 3187 * EncryptionOperationsTest.AesCtrInvalidCallerNonce 3188 * 3189 * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce. 3190 */ 3191TEST_F(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 3192 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3193 .Authorization(TAG_NO_AUTH_REQUIRED) 3194 .AesEncryptionKey(128) 3195 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR) 3196 .Authorization(TAG_CALLER_NONCE) 3197 .Padding(PaddingMode::NONE))); 3198 3199 auto params = AuthorizationSetBuilder() 3200 .BlockMode(BlockMode::CTR) 3201 .Padding(PaddingMode::NONE) 3202 .Authorization(TAG_NONCE, HidlBuf(string(1, 'a'))); 3203 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params)); 3204 3205 params = AuthorizationSetBuilder() 3206 .BlockMode(BlockMode::CTR) 3207 .Padding(PaddingMode::NONE) 3208 .Authorization(TAG_NONCE, HidlBuf(string(15, 'a'))); 3209 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params)); 3210 3211 params = AuthorizationSetBuilder() 3212 .BlockMode(BlockMode::CTR) 3213 .Padding(PaddingMode::NONE) 3214 .Authorization(TAG_NONCE, HidlBuf(string(17, 'a'))); 3215 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params)); 3216} 3217 3218/* 3219 * EncryptionOperationsTest.AesCtrInvalidCallerNonce 3220 * 3221 * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce. 3222 */ 3223TEST_F(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 3224 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3225 .Authorization(TAG_NO_AUTH_REQUIRED) 3226 .AesEncryptionKey(128) 3227 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC) 3228 .Padding(PaddingMode::NONE))); 3229 // Two-block message. 3230 string message = "12345678901234567890123456789012"; 3231 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE); 3232 AuthorizationSet out_params; 3233 string ciphertext1 = EncryptMessage(message, params, &out_params); 3234 HidlBuf iv1 = CopyIv(out_params); 3235 EXPECT_EQ(message.size(), ciphertext1.size()); 3236 3237 out_params.Clear(); 3238 3239 string ciphertext2 = EncryptMessage(message, params, &out_params); 3240 HidlBuf iv2 = CopyIv(out_params); 3241 EXPECT_EQ(message.size(), ciphertext2.size()); 3242 3243 // IVs should be random, so ciphertexts should differ. 3244 EXPECT_NE(ciphertext1, ciphertext2); 3245 3246 params.push_back(TAG_NONCE, iv1); 3247 string plaintext = DecryptMessage(ciphertext1, params); 3248 EXPECT_EQ(message, plaintext); 3249} 3250 3251/* 3252 * EncryptionOperationsTest.AesCallerNonce 3253 * 3254 * Verifies that AES caller-provided nonces work correctly. 3255 */ 3256TEST_F(EncryptionOperationsTest, AesCallerNonce) { 3257 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3258 .Authorization(TAG_NO_AUTH_REQUIRED) 3259 .AesEncryptionKey(128) 3260 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC) 3261 .Authorization(TAG_CALLER_NONCE) 3262 .Padding(PaddingMode::NONE))); 3263 3264 string message = "12345678901234567890123456789012"; 3265 3266 // Don't specify nonce, should get a random one. 3267 AuthorizationSetBuilder params = 3268 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE); 3269 AuthorizationSet out_params; 3270 string ciphertext = EncryptMessage(message, params, &out_params); 3271 EXPECT_EQ(message.size(), ciphertext.size()); 3272 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size()); 3273 3274 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value()); 3275 string plaintext = DecryptMessage(ciphertext, params); 3276 EXPECT_EQ(message, plaintext); 3277 3278 // Now specify a nonce, should also work. 3279 params = AuthorizationSetBuilder() 3280 .BlockMode(BlockMode::CBC) 3281 .Padding(PaddingMode::NONE) 3282 .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop")); 3283 out_params.Clear(); 3284 ciphertext = EncryptMessage(message, params, &out_params); 3285 3286 // Decrypt with correct nonce. 3287 plaintext = DecryptMessage(ciphertext, params); 3288 EXPECT_EQ(message, plaintext); 3289 3290 // Try with wrong nonce. 3291 params = AuthorizationSetBuilder() 3292 .BlockMode(BlockMode::CBC) 3293 .Padding(PaddingMode::NONE) 3294 .Authorization(TAG_NONCE, HidlBuf("aaaaaaaaaaaaaaaa")); 3295 plaintext = DecryptMessage(ciphertext, params); 3296 EXPECT_NE(message, plaintext); 3297} 3298 3299/* 3300 * EncryptionOperationsTest.AesCallerNonceProhibited 3301 * 3302 * Verifies that caller-provided nonces are not permitted when not specified in the key 3303 * authorizations. 3304 */ 3305TEST_F(EncryptionOperationsTest, AesCallerNonceProhibited) { 3306 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3307 .Authorization(TAG_NO_AUTH_REQUIRED) 3308 .AesEncryptionKey(128) 3309 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC) 3310 .Padding(PaddingMode::NONE))); 3311 3312 string message = "12345678901234567890123456789012"; 3313 3314 // Don't specify nonce, should get a random one. 3315 AuthorizationSetBuilder params = 3316 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE); 3317 AuthorizationSet out_params; 3318 string ciphertext = EncryptMessage(message, params, &out_params); 3319 EXPECT_EQ(message.size(), ciphertext.size()); 3320 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size()); 3321 3322 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value()); 3323 string plaintext = DecryptMessage(ciphertext, params); 3324 EXPECT_EQ(message, plaintext); 3325 3326 // Now specify a nonce, should fail 3327 params = AuthorizationSetBuilder() 3328 .BlockMode(BlockMode::CBC) 3329 .Padding(PaddingMode::NONE) 3330 .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop")); 3331 out_params.Clear(); 3332 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params)); 3333} 3334 3335/* 3336 * EncryptionOperationsTest.AesGcmRoundTripSuccess 3337 * 3338 * Verifies that AES GCM mode works. 3339 */ 3340TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 3341 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3342 .Authorization(TAG_NO_AUTH_REQUIRED) 3343 .AesEncryptionKey(128) 3344 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM) 3345 .Padding(PaddingMode::NONE) 3346 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3347 3348 string aad = "foobar"; 3349 string message = "123456789012345678901234567890123456"; 3350 3351 auto begin_params = AuthorizationSetBuilder() 3352 .BlockMode(BlockMode::GCM) 3353 .Padding(PaddingMode::NONE) 3354 .Authorization(TAG_MAC_LENGTH, 128); 3355 3356 auto update_params = 3357 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3358 3359 // Encrypt 3360 AuthorizationSet begin_out_params; 3361 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params)) 3362 << "Begin encrypt"; 3363 string ciphertext; 3364 AuthorizationSet update_out_params; 3365 ASSERT_EQ(ErrorCode::OK, 3366 Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext)); 3367 3368 // Grab nonce 3369 begin_params.push_back(begin_out_params); 3370 3371 // Decrypt. 3372 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt"; 3373 string plaintext; 3374 size_t input_consumed; 3375 ASSERT_EQ(ErrorCode::OK, Update(op_handle_, update_params, ciphertext, &update_out_params, 3376 &plaintext, &input_consumed)); 3377 EXPECT_EQ(ciphertext.size(), input_consumed); 3378 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext)); 3379 3380 EXPECT_EQ(message, plaintext); 3381} 3382 3383/* 3384 * EncryptionOperationsTest.AesGcmTooShortTag 3385 * 3386 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified. 3387 */ 3388TEST_F(EncryptionOperationsTest, AesGcmTooShortTag) { 3389 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3390 .Authorization(TAG_NO_AUTH_REQUIRED) 3391 .AesEncryptionKey(128) 3392 .BlockMode(BlockMode::GCM) 3393 .Padding(PaddingMode::NONE) 3394 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3395 string message = "123456789012345678901234567890123456"; 3396 auto params = AuthorizationSetBuilder() 3397 .BlockMode(BlockMode::GCM) 3398 .Padding(PaddingMode::NONE) 3399 .Authorization(TAG_MAC_LENGTH, 96); 3400 3401 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params)); 3402} 3403 3404/* 3405 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt 3406 * 3407 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption. 3408 */ 3409TEST_F(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { 3410 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3411 .Authorization(TAG_NO_AUTH_REQUIRED) 3412 .AesEncryptionKey(128) 3413 .BlockMode(BlockMode::GCM) 3414 .Padding(PaddingMode::NONE) 3415 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3416 string aad = "foobar"; 3417 string message = "123456789012345678901234567890123456"; 3418 auto params = AuthorizationSetBuilder() 3419 .BlockMode(BlockMode::GCM) 3420 .Padding(PaddingMode::NONE) 3421 .Authorization(TAG_MAC_LENGTH, 128); 3422 3423 auto finish_params = 3424 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3425 3426 // Encrypt 3427 AuthorizationSet begin_out_params; 3428 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params)); 3429 EXPECT_EQ(1U, begin_out_params.size()); 3430 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE).isOk()); 3431 3432 AuthorizationSet finish_out_params; 3433 string ciphertext; 3434 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */, 3435 &finish_out_params, &ciphertext)); 3436 3437 params = AuthorizationSetBuilder() 3438 .Authorizations(begin_out_params) 3439 .BlockMode(BlockMode::GCM) 3440 .Padding(PaddingMode::NONE) 3441 .Authorization(TAG_MAC_LENGTH, 96); 3442 3443 // Decrypt. 3444 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params)); 3445} 3446 3447/* 3448 * EncryptionOperationsTest.AesGcmCorruptKey 3449 * 3450 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect. 3451 */ 3452TEST_F(EncryptionOperationsTest, AesGcmCorruptKey) { 3453 const uint8_t nonce_bytes[] = { 3454 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 3455 }; 3456 string nonce = make_string(nonce_bytes); 3457 const uint8_t ciphertext_bytes[] = { 3458 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 3459 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 3460 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 3461 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 3462 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 3463 }; 3464 string ciphertext = make_string(ciphertext_bytes); 3465 3466 auto params = AuthorizationSetBuilder() 3467 .BlockMode(BlockMode::GCM) 3468 .Padding(PaddingMode::NONE) 3469 .Authorization(TAG_MAC_LENGTH, 128) 3470 .Authorization(TAG_NONCE, nonce.data(), nonce.size()); 3471 3472 auto import_params = AuthorizationSetBuilder() 3473 .Authorization(TAG_NO_AUTH_REQUIRED) 3474 .AesEncryptionKey(128) 3475 .BlockMode(BlockMode::GCM) 3476 .Padding(PaddingMode::NONE) 3477 .Authorization(TAG_CALLER_NONCE) 3478 .Authorization(TAG_MIN_MAC_LENGTH, 128); 3479 3480 // Import correct key and decrypt 3481 const uint8_t key_bytes[] = { 3482 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 3483 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 3484 }; 3485 string key = make_string(key_bytes); 3486 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key)); 3487 string plaintext = DecryptMessage(ciphertext, params); 3488 CheckedDeleteKey(); 3489 3490 // Corrupt key and attempt to decrypt 3491 key[0] = 0; 3492 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key)); 3493 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 3494 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext)); 3495 CheckedDeleteKey(); 3496} 3497 3498/* 3499 * EncryptionOperationsTest.AesGcmAadNoData 3500 * 3501 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to 3502 * encrypt. 3503 */ 3504TEST_F(EncryptionOperationsTest, AesGcmAadNoData) { 3505 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3506 .Authorization(TAG_NO_AUTH_REQUIRED) 3507 .AesEncryptionKey(128) 3508 .BlockMode(BlockMode::GCM) 3509 .Padding(PaddingMode::NONE) 3510 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3511 3512 string aad = "1234567890123456"; 3513 auto params = AuthorizationSetBuilder() 3514 .BlockMode(BlockMode::GCM) 3515 .Padding(PaddingMode::NONE) 3516 .Authorization(TAG_MAC_LENGTH, 128); 3517 3518 auto finish_params = 3519 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3520 3521 // Encrypt 3522 AuthorizationSet begin_out_params; 3523 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params)); 3524 string ciphertext; 3525 AuthorizationSet finish_out_params; 3526 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, "" /* input */, "" /* signature */, 3527 &finish_out_params, &ciphertext)); 3528 EXPECT_TRUE(finish_out_params.empty()); 3529 3530 // Grab nonce 3531 params.push_back(begin_out_params); 3532 3533 // Decrypt. 3534 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 3535 string plaintext; 3536 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, ciphertext, "" /* signature */, 3537 &finish_out_params, &plaintext)) 3538 << "(Possibly b/33615032)"; 3539 3540 EXPECT_TRUE(finish_out_params.empty()); 3541 3542 EXPECT_EQ("", plaintext); 3543} 3544 3545/* 3546 * EncryptionOperationsTest.AesGcmMultiPartAad 3547 * 3548 * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks. 3549 */ 3550TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { 3551 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3552 .Authorization(TAG_NO_AUTH_REQUIRED) 3553 .AesEncryptionKey(128) 3554 .BlockMode(BlockMode::GCM) 3555 .Padding(PaddingMode::NONE) 3556 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3557 3558 string message = "123456789012345678901234567890123456"; 3559 auto begin_params = AuthorizationSetBuilder() 3560 .BlockMode(BlockMode::GCM) 3561 .Padding(PaddingMode::NONE) 3562 .Authorization(TAG_MAC_LENGTH, 128); 3563 AuthorizationSet begin_out_params; 3564 3565 auto update_params = 3566 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3); 3567 3568 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params)); 3569 3570 // No data, AAD only. 3571 string ciphertext; 3572 size_t input_consumed; 3573 AuthorizationSet update_out_params; 3574 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params, 3575 &ciphertext, &input_consumed)); 3576 EXPECT_EQ(0U, input_consumed); 3577 EXPECT_EQ(0U, ciphertext.size()); 3578 EXPECT_TRUE(update_out_params.empty()); 3579 3580 // AAD and data. 3581 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, 3582 &ciphertext, &input_consumed)); 3583 EXPECT_EQ(message.size(), input_consumed); 3584 EXPECT_EQ(message.size(), ciphertext.size()); 3585 EXPECT_TRUE(update_out_params.empty()); 3586 3587 EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext)); 3588 3589 // Grab nonce. 3590 begin_params.push_back(begin_out_params); 3591 3592 // Decrypt 3593 update_params = 3594 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foofoo", (size_t)6); 3595 3596 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)); 3597 string plaintext; 3598 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, update_params, ciphertext, "" /* signature */, 3599 &update_out_params, &plaintext)); 3600 EXPECT_TRUE(update_out_params.empty()); 3601 EXPECT_EQ(message, plaintext); 3602} 3603 3604/* 3605 * EncryptionOperationsTest.AesGcmAadOutOfOrder 3606 * 3607 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher. 3608 */ 3609TEST_F(EncryptionOperationsTest, AesGcmAadOutOfOrder) { 3610 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3611 .Authorization(TAG_NO_AUTH_REQUIRED) 3612 .AesEncryptionKey(128) 3613 .BlockMode(BlockMode::GCM) 3614 .Padding(PaddingMode::NONE) 3615 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3616 3617 string message = "123456789012345678901234567890123456"; 3618 auto begin_params = AuthorizationSetBuilder() 3619 .BlockMode(BlockMode::GCM) 3620 .Padding(PaddingMode::NONE) 3621 .Authorization(TAG_MAC_LENGTH, 128); 3622 AuthorizationSet begin_out_params; 3623 3624 auto update_params = 3625 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3); 3626 3627 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params)); 3628 3629 // No data, AAD only. 3630 string ciphertext; 3631 size_t input_consumed; 3632 AuthorizationSet update_out_params; 3633 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params, 3634 &ciphertext, &input_consumed)); 3635 EXPECT_EQ(0U, input_consumed); 3636 EXPECT_EQ(0U, ciphertext.size()); 3637 EXPECT_TRUE(update_out_params.empty()); 3638 3639 // AAD and data. 3640 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, 3641 &ciphertext, &input_consumed)); 3642 EXPECT_EQ(message.size(), input_consumed); 3643 EXPECT_EQ(message.size(), ciphertext.size()); 3644 EXPECT_TRUE(update_out_params.empty()); 3645 3646 // More AAD 3647 EXPECT_EQ(ErrorCode::INVALID_TAG, Update(op_handle_, update_params, "", &update_out_params, 3648 &ciphertext, &input_consumed)); 3649 3650 op_handle_ = kOpHandleSentinel; 3651} 3652 3653/* 3654 * EncryptionOperationsTest.AesGcmBadAad 3655 * 3656 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong. 3657 */ 3658TEST_F(EncryptionOperationsTest, AesGcmBadAad) { 3659 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3660 .Authorization(TAG_NO_AUTH_REQUIRED) 3661 .AesEncryptionKey(128) 3662 .BlockMode(BlockMode::GCM) 3663 .Padding(PaddingMode::NONE) 3664 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3665 3666 string message = "12345678901234567890123456789012"; 3667 auto begin_params = AuthorizationSetBuilder() 3668 .BlockMode(BlockMode::GCM) 3669 .Padding(PaddingMode::NONE) 3670 .Authorization(TAG_MAC_LENGTH, 128); 3671 3672 auto finish_params = 3673 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6); 3674 3675 // Encrypt 3676 AuthorizationSet begin_out_params; 3677 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params)); 3678 string ciphertext; 3679 AuthorizationSet finish_out_params; 3680 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */, 3681 &finish_out_params, &ciphertext)); 3682 3683 // Grab nonce 3684 begin_params.push_back(begin_out_params); 3685 3686 finish_params = AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, 3687 "barfoo" /* Wrong AAD */, (size_t)6); 3688 3689 // Decrypt. 3690 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params)); 3691 string plaintext; 3692 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, 3693 Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params, 3694 &plaintext)); 3695} 3696 3697/* 3698 * EncryptionOperationsTest.AesGcmWrongNonce 3699 * 3700 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect. 3701 */ 3702TEST_F(EncryptionOperationsTest, AesGcmWrongNonce) { 3703 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3704 .Authorization(TAG_NO_AUTH_REQUIRED) 3705 .AesEncryptionKey(128) 3706 .BlockMode(BlockMode::GCM) 3707 .Padding(PaddingMode::NONE) 3708 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3709 3710 string message = "12345678901234567890123456789012"; 3711 auto begin_params = AuthorizationSetBuilder() 3712 .BlockMode(BlockMode::GCM) 3713 .Padding(PaddingMode::NONE) 3714 .Authorization(TAG_MAC_LENGTH, 128); 3715 3716 auto finish_params = 3717 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6); 3718 3719 // Encrypt 3720 AuthorizationSet begin_out_params; 3721 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params)); 3722 string ciphertext; 3723 AuthorizationSet finish_out_params; 3724 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */, 3725 &finish_out_params, &ciphertext)); 3726 3727 // Wrong nonce 3728 begin_params.push_back(TAG_NONCE, HidlBuf("123456789012")); 3729 3730 // Decrypt. 3731 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params)); 3732 string plaintext; 3733 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, 3734 Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params, 3735 &plaintext)); 3736 3737 // With wrong nonce, should have gotten garbage plaintext (or none). 3738 EXPECT_NE(message, plaintext); 3739} 3740 3741/* 3742 * EncryptionOperationsTest.AesGcmCorruptTag 3743 * 3744 * Verifies that AES GCM decryption fails correctly when the tag is wrong. 3745 */ 3746TEST_F(EncryptionOperationsTest, AesGcmCorruptTag) { 3747 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3748 .Authorization(TAG_NO_AUTH_REQUIRED) 3749 .AesEncryptionKey(128) 3750 .BlockMode(BlockMode::GCM) 3751 .Padding(PaddingMode::NONE) 3752 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3753 3754 string aad = "1234567890123456"; 3755 string message = "123456789012345678901234567890123456"; 3756 3757 auto params = AuthorizationSetBuilder() 3758 .BlockMode(BlockMode::GCM) 3759 .Padding(PaddingMode::NONE) 3760 .Authorization(TAG_MAC_LENGTH, 128); 3761 3762 auto finish_params = 3763 AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3764 3765 // Encrypt 3766 AuthorizationSet begin_out_params; 3767 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params)); 3768 string ciphertext; 3769 AuthorizationSet finish_out_params; 3770 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */, 3771 &finish_out_params, &ciphertext)); 3772 EXPECT_TRUE(finish_out_params.empty()); 3773 3774 // Corrupt tag 3775 ++(*ciphertext.rbegin()); 3776 3777 // Grab nonce 3778 params.push_back(begin_out_params); 3779 3780 // Decrypt. 3781 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params)); 3782 string plaintext; 3783 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, 3784 Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params, 3785 &plaintext)); 3786 EXPECT_TRUE(finish_out_params.empty()); 3787} 3788 3789typedef KeymasterHidlTest MaxOperationsTest; 3790 3791/* 3792 * MaxOperationsTest.TestLimitAes 3793 * 3794 * Verifies that the max uses per boot tag works correctly with AES keys. 3795 */ 3796TEST_F(MaxOperationsTest, TestLimitAes) { 3797 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3798 .Authorization(TAG_NO_AUTH_REQUIRED) 3799 .AesEncryptionKey(128) 3800 .EcbMode() 3801 .Padding(PaddingMode::NONE) 3802 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3803 3804 string message = "1234567890123456"; 3805 3806 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE); 3807 3808 EncryptMessage(message, params); 3809 EncryptMessage(message, params); 3810 EncryptMessage(message, params); 3811 3812 // Fourth time should fail. 3813 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params)); 3814} 3815 3816/* 3817 * MaxOperationsTest.TestLimitAes 3818 * 3819 * Verifies that the max uses per boot tag works correctly with RSA keys. 3820 */ 3821TEST_F(MaxOperationsTest, TestLimitRsa) { 3822 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3823 .Authorization(TAG_NO_AUTH_REQUIRED) 3824 .RsaSigningKey(1024, 3) 3825 .NoDigestOrPadding() 3826 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3827 3828 string message = "1234567890123456"; 3829 3830 auto params = AuthorizationSetBuilder().NoDigestOrPadding(); 3831 3832 SignMessage(message, params); 3833 SignMessage(message, params); 3834 SignMessage(message, params); 3835 3836 // Fourth time should fail. 3837 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params)); 3838} 3839 3840typedef KeymasterHidlTest AddEntropyTest; 3841 3842/* 3843 * AddEntropyTest.AddEntropy 3844 * 3845 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy is 3846 * actually added. 3847 */ 3848TEST_F(AddEntropyTest, AddEntropy) { 3849 EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf("foo"))); 3850} 3851 3852/* 3853 * AddEntropyTest.AddEmptyEntropy 3854 * 3855 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer. 3856 */ 3857TEST_F(AddEntropyTest, AddEmptyEntropy) { 3858 EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf())); 3859} 3860 3861/* 3862 * AddEntropyTest.AddLargeEntropy 3863 * 3864 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data. 3865 */ 3866TEST_F(AddEntropyTest, AddLargeEntropy) { 3867 EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf(string(16 * 1024, 'a')))); 3868} 3869 3870typedef KeymasterHidlTest AttestationTest; 3871 3872/* 3873 * AttestationTest.RsaAttestation 3874 * 3875 * Verifies that attesting to RSA keys works and generates the expected output. 3876 */ 3877TEST_F(AttestationTest, RsaAttestation) { 3878 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3879 .Authorization(TAG_NO_AUTH_REQUIRED) 3880 .RsaSigningKey(1024, 3) 3881 .Digest(Digest::NONE) 3882 .Padding(PaddingMode::NONE) 3883 .Authorization(TAG_INCLUDE_UNIQUE_ID))); 3884 3885 hidl_vec<hidl_vec<uint8_t>> cert_chain; 3886 EXPECT_EQ( 3887 ErrorCode::OK, 3888 AttestKey( 3889 AuthorizationSetBuilder() 3890 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) 3891 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), 3892 &cert_chain)); 3893 EXPECT_GE(cert_chain.size(), 2U); 3894 EXPECT_TRUE(verify_chain(cert_chain)); 3895 EXPECT_TRUE( 3896 verify_attestation_record("challenge", "foo", // 3897 key_characteristics_.softwareEnforced, // 3898 key_characteristics_.teeEnforced, // 3899 cert_chain[0])); 3900} 3901 3902/* 3903 * AttestationTest.RsaAttestationRequiresAppId 3904 * 3905 * Verifies that attesting to RSA requires app ID. 3906 */ 3907TEST_F(AttestationTest, RsaAttestationRequiresAppId) { 3908 ASSERT_EQ(ErrorCode::OK, 3909 GenerateKey(AuthorizationSetBuilder() 3910 .Authorization(TAG_NO_AUTH_REQUIRED) 3911 .RsaSigningKey(1024, 3) 3912 .Digest(Digest::NONE) 3913 .Padding(PaddingMode::NONE) 3914 .Authorization(TAG_INCLUDE_UNIQUE_ID))); 3915 3916 hidl_vec<hidl_vec<uint8_t>> cert_chain; 3917 EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, 3918 AttestKey(AuthorizationSetBuilder().Authorization( 3919 TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")), 3920 &cert_chain)); 3921} 3922 3923/* 3924 * AttestationTest.EcAttestation 3925 * 3926 * Verifies that attesting to EC keys works and generates the expected output. 3927 */ 3928TEST_F(AttestationTest, EcAttestation) { 3929 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3930 .Authorization(TAG_NO_AUTH_REQUIRED) 3931 .EcdsaSigningKey(EcCurve::P_256) 3932 .Digest(Digest::SHA_2_256) 3933 .Authorization(TAG_INCLUDE_UNIQUE_ID))); 3934 3935 hidl_vec<hidl_vec<uint8_t>> cert_chain; 3936 EXPECT_EQ( 3937 ErrorCode::OK, 3938 AttestKey( 3939 AuthorizationSetBuilder() 3940 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) 3941 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), 3942 &cert_chain)); 3943 EXPECT_GE(cert_chain.size(), 2U); 3944 EXPECT_TRUE(verify_chain(cert_chain)); 3945 3946 EXPECT_TRUE( 3947 verify_attestation_record("challenge", "foo", // 3948 key_characteristics_.softwareEnforced, // 3949 key_characteristics_.teeEnforced, // 3950 cert_chain[0])); 3951} 3952 3953/* 3954 * AttestationTest.EcAttestationRequiresAttestationAppId 3955 * 3956 * Verifies that attesting to EC keys requires app ID 3957 */ 3958TEST_F(AttestationTest, EcAttestationRequiresAttestationAppId) { 3959 ASSERT_EQ(ErrorCode::OK, 3960 GenerateKey(AuthorizationSetBuilder() 3961 .Authorization(TAG_NO_AUTH_REQUIRED) 3962 .EcdsaSigningKey(EcCurve::P_256) 3963 .Digest(Digest::SHA_2_256) 3964 .Authorization(TAG_INCLUDE_UNIQUE_ID))); 3965 3966 hidl_vec<hidl_vec<uint8_t>> cert_chain; 3967 EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, 3968 AttestKey(AuthorizationSetBuilder().Authorization( 3969 TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")), 3970 &cert_chain)); 3971} 3972 3973/* 3974 * AttestationTest.AesAttestation 3975 * 3976 * Verifies that attesting to AES keys fails in the expected way. 3977 */ 3978TEST_F(AttestationTest, AesAttestation) { 3979 ASSERT_EQ(ErrorCode::OK, 3980 GenerateKey(AuthorizationSetBuilder() 3981 .Authorization(TAG_NO_AUTH_REQUIRED) 3982 .AesEncryptionKey(128) 3983 .EcbMode() 3984 .Padding(PaddingMode::PKCS7))); 3985 3986 hidl_vec<hidl_vec<uint8_t>> cert_chain; 3987 EXPECT_EQ( 3988 ErrorCode::INCOMPATIBLE_ALGORITHM, 3989 AttestKey( 3990 AuthorizationSetBuilder() 3991 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) 3992 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), 3993 &cert_chain)); 3994} 3995 3996/* 3997 * AttestationTest.HmacAttestation 3998 * 3999 * Verifies that attesting to HMAC keys fails in the expected way. 4000 */ 4001TEST_F(AttestationTest, HmacAttestation) { 4002 ASSERT_EQ(ErrorCode::OK, 4003 GenerateKey(AuthorizationSetBuilder() 4004 .Authorization(TAG_NO_AUTH_REQUIRED) 4005 .HmacKey(128) 4006 .EcbMode() 4007 .Digest(Digest::SHA_2_256) 4008 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 4009 4010 hidl_vec<hidl_vec<uint8_t>> cert_chain; 4011 EXPECT_EQ( 4012 ErrorCode::INCOMPATIBLE_ALGORITHM, 4013 AttestKey( 4014 AuthorizationSetBuilder() 4015 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) 4016 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")), 4017 &cert_chain)); 4018} 4019 4020typedef KeymasterHidlTest KeyDeletionTest; 4021 4022/** 4023 * KeyDeletionTest.DeleteKey 4024 * 4025 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly 4026 * valid key blob. 4027 */ 4028TEST_F(KeyDeletionTest, DeleteKey) { 4029 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 4030 .RsaSigningKey(1024, 3) 4031 .Digest(Digest::NONE) 4032 .Padding(PaddingMode::NONE) 4033 .Authorization(TAG_NO_AUTH_REQUIRED))); 4034 4035 // Delete must work if rollback protection is implemented 4036 AuthorizationSet teeEnforced(key_characteristics_.teeEnforced); 4037 bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT); 4038 4039 if (rollback_protected) { 4040 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */)); 4041 } else { 4042 auto delete_result = DeleteKey(true /* keep key blob */); 4043 ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED); 4044 } 4045 4046 string message = "12345678901234567890123456789012"; 4047 AuthorizationSet begin_out_params; 4048 4049 if (rollback_protected) { 4050 EXPECT_EQ( 4051 ErrorCode::INVALID_KEY_BLOB, 4052 Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder() 4053 .Digest(Digest::NONE) 4054 .Padding(PaddingMode::NONE), 4055 &begin_out_params, &op_handle_)) 4056 << " (Possibly b/37623742)"; 4057 } else { 4058 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, 4059 AuthorizationSetBuilder() 4060 .Digest(Digest::NONE) 4061 .Padding(PaddingMode::NONE), 4062 &begin_out_params, &op_handle_)); 4063 } 4064 AbortIfNeeded(); 4065 key_blob_ = HidlBuf(); 4066} 4067 4068/** 4069 * KeyDeletionTest.DeleteInvalidKey 4070 * 4071 * This test checks that the HAL excepts invalid key blobs. 4072 */ 4073TEST_F(KeyDeletionTest, DeleteInvalidKey) { 4074 // Generate key just to check if rollback protection is implemented 4075 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 4076 .RsaSigningKey(1024, 3) 4077 .Digest(Digest::NONE) 4078 .Padding(PaddingMode::NONE) 4079 .Authorization(TAG_NO_AUTH_REQUIRED))); 4080 4081 // Delete must work if rollback protection is implemented 4082 AuthorizationSet teeEnforced(key_characteristics_.teeEnforced); 4083 bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT); 4084 4085 // Delete the key we don't care about the result at this point. 4086 DeleteKey(); 4087 4088 // Now create an invalid key blob and delete it. 4089 key_blob_ = HidlBuf("just some garbage data which is not a valid key blob"); 4090 4091 if (rollback_protected) { 4092 ASSERT_EQ(ErrorCode::OK, DeleteKey()); 4093 } else { 4094 auto delete_result = DeleteKey(); 4095 ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED); 4096 } 4097} 4098 4099/** 4100 * KeyDeletionTest.DeleteAllKeys 4101 * 4102 * This test is disarmed by default. To arm it use --arm_deleteAllKeys. 4103 * 4104 * BEWARE: This test has serious side effects. All user keys will be lost! This includes 4105 * FBE/FDE encryption keys, which means that the device will not even boot until after the 4106 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have 4107 * been provisioned. Use this test only on dedicated testing devices that have no valuable 4108 * credentials stored in Keystore/Keymaster. 4109 */ 4110TEST_F(KeyDeletionTest, DeleteAllKeys) { 4111 if (!arm_deleteAllKeys) return; 4112 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 4113 .RsaSigningKey(1024, 3) 4114 .Digest(Digest::NONE) 4115 .Padding(PaddingMode::NONE) 4116 .Authorization(TAG_NO_AUTH_REQUIRED))); 4117 4118 // Delete must work if rollback protection is implemented 4119 AuthorizationSet teeEnforced(key_characteristics_.teeEnforced); 4120 bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT); 4121 4122 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys()); 4123 4124 string message = "12345678901234567890123456789012"; 4125 AuthorizationSet begin_out_params; 4126 4127 if (rollback_protected) { 4128 EXPECT_EQ( 4129 ErrorCode::INVALID_KEY_BLOB, 4130 Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder() 4131 .Digest(Digest::NONE) 4132 .Padding(PaddingMode::NONE), 4133 &begin_out_params, &op_handle_)); 4134 } else { 4135 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, 4136 AuthorizationSetBuilder() 4137 .Digest(Digest::NONE) 4138 .Padding(PaddingMode::NONE), 4139 &begin_out_params, &op_handle_)); 4140 } 4141 AbortIfNeeded(); 4142 key_blob_ = HidlBuf(); 4143} 4144 4145} // namespace test 4146} // namespace V3_0 4147} // namespace keymaster 4148} // namespace hardware 4149} // namespace android 4150 4151int main(int argc, char** argv) { 4152 ::testing::InitGoogleTest(&argc, argv); 4153 std::vector<std::string> positional_args; 4154 for (int i = 1; i < argc; ++i) { 4155 if (argv[i][0] == '-') { 4156 if (std::string(argv[i]) == "--arm_deleteAllKeys") { 4157 arm_deleteAllKeys = true; 4158 } 4159 } else { 4160 positional_args.push_back(argv[i]); 4161 } 4162 } 4163 if (positional_args.size()) { 4164 ALOGI("Running keymaster VTS against service \"%s\"", positional_args[0].c_str()); 4165 service_name = positional_args[0]; 4166 } 4167 int status = RUN_ALL_TESTS(); 4168 ALOGI("Test result = %d", status); 4169 return status; 4170} 4171