android_keymaster_test.cpp revision 0d061c80d06f94291568e725f9eb649962a80352
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <fstream> 18#include <string> 19#include <vector> 20 21#include <hardware/keymaster0.h> 22#include <keymaster/key_factory.h> 23#include <keymaster/soft_keymaster_context.h> 24#include <keymaster/soft_keymaster_device.h> 25#include <keymaster/softkeymaster.h> 26 27#include "android_keymaster_test_utils.h" 28#include "keymaster0_engine.h" 29 30using std::ifstream; 31using std::istreambuf_iterator; 32using std::string; 33using std::vector; 34using std::unique_ptr; 35 36extern "C" { 37int __android_log_print(int prio, const char* tag, const char* fmt); 38int __android_log_print(int prio, const char* tag, const char* fmt) { 39 (void)prio, (void)tag, (void)fmt; 40 return 0; 41} 42} // extern "C" 43 44namespace keymaster { 45namespace test { 46 47StdoutLogger logger; 48 49template <typename T> vector<T> make_vector(const T* array, size_t len) { 50 return vector<T>(array, array + len); 51} 52 53class TestKeymasterEnforcement : public KeymasterEnforcement { 54 public: 55 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {} 56 57 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } 58 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } 59 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, 60 uint32_t /* timeout */) const { 61 return false; 62 } 63 virtual uint32_t get_current_time() const { return 0; } 64 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } 65}; 66 67class TestKeymasterContext : public SoftKeymasterContext { 68 public: 69 TestKeymasterContext(keymaster0_device_t* keymaster0 = nullptr) 70 : SoftKeymasterContext(keymaster0) {} 71 72 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } 73 74 private: 75 TestKeymasterEnforcement test_policy_; 76}; 77 78class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator { 79 public: 80 keymaster1_device_t* CreateDevice() const override { 81 std::cerr << "Creating software-only device" << std::endl; 82 SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext); 83 return device->keymaster_device(); 84 } 85 86 bool algorithm_in_hardware(keymaster_algorithm_t) const override { return false; } 87 int keymaster0_calls() const override { return 0; } 88}; 89 90class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator { 91 public: 92 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} 93 94 keymaster1_device_t* CreateDevice() const { 95 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ 96 << ")." << std::endl; 97 hw_device_t* softkeymaster_device; 98 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 99 &softkeymaster_device)); 100 // Make the software device pretend to be hardware 101 keymaster0_device_t* keymaster0_device = 102 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 103 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; 104 105 if (!support_ec_) { 106 // Make the software device pretend not to support EC 107 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; 108 } 109 110 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 111 112 SoftKeymasterDevice* keymaster = 113 new SoftKeymasterDevice(new TestKeymasterContext(counting_keymaster0_device_)); 114 return keymaster->keymaster_device(); 115 } 116 117 bool algorithm_in_hardware(keymaster_algorithm_t algorithm) const override { 118 switch (algorithm) { 119 case KM_ALGORITHM_RSA: 120 return true; 121 case KM_ALGORITHM_EC: 122 return support_ec_; 123 default: 124 return false; 125 } 126 } 127 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 128 129 private: 130 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 131 bool support_ec_; 132}; 133 134static auto test_params = testing::Values( 135 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 136 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 137 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))); 138 139typedef Keymaster1Test CheckSupported; 140INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params); 141 142TEST_P(CheckSupported, SupportedAlgorithms) { 143 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 144 device()->get_supported_algorithms(device(), NULL, NULL)); 145 146 size_t len; 147 keymaster_algorithm_t* algorithms; 148 EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len)); 149 EXPECT_TRUE(ResponseContains( 150 {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len)); 151 free(algorithms); 152 153 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 154} 155 156TEST_P(CheckSupported, SupportedBlockModes) { 157 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 158 device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 159 NULL, NULL)); 160 161 size_t len; 162 keymaster_block_mode_t* modes; 163 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, 164 KM_PURPOSE_ENCRYPT, &modes, &len)); 165 EXPECT_EQ(0U, len); 166 free(modes); 167 168 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 169 device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT, 170 &modes, &len)); 171 172 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES, 173 KM_PURPOSE_ENCRYPT, &modes, &len)); 174 EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR, KM_MODE_GCM}, modes, len)); 175 free(modes); 176 177 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 178} 179 180TEST_P(CheckSupported, SupportedPaddingModes) { 181 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 182 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 183 NULL, NULL)); 184 185 size_t len; 186 keymaster_padding_t* modes; 187 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 188 KM_PURPOSE_SIGN, &modes, &len)); 189 EXPECT_TRUE( 190 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len)); 191 free(modes); 192 193 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 194 KM_PURPOSE_ENCRYPT, &modes, &len)); 195 EXPECT_TRUE( 196 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len)); 197 free(modes); 198 199 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC, 200 KM_PURPOSE_SIGN, &modes, &len)); 201 EXPECT_EQ(0U, len); 202 free(modes); 203 204 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 205 device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, 206 &modes, &len)); 207 208 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 209} 210 211TEST_P(CheckSupported, SupportedDigests) { 212 EXPECT_EQ( 213 KM_ERROR_OUTPUT_PARAMETER_NULL, 214 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL)); 215 216 size_t len; 217 keymaster_digest_t* digests; 218 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA, 219 KM_PURPOSE_SIGN, &digests, &len)); 220 EXPECT_TRUE( 221 ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 222 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 223 digests, len)); 224 free(digests); 225 226 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 227 KM_PURPOSE_SIGN, &digests, &len)); 228 EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 229 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 230 digests, len)); 231 free(digests); 232 233 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 234 device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests, 235 &len)); 236 237 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 238 KM_PURPOSE_SIGN, &digests, &len)); 239 EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, 240 KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1}, 241 digests, len)); 242 free(digests); 243 244 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 245} 246 247TEST_P(CheckSupported, SupportedImportFormats) { 248 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 249 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 250 251 size_t len; 252 keymaster_key_format_t* formats; 253 ASSERT_EQ(KM_ERROR_OK, 254 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 255 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len)); 256 free(formats); 257 258 ASSERT_EQ(KM_ERROR_OK, 259 device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 260 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 261 free(formats); 262 263 ASSERT_EQ(KM_ERROR_OK, 264 device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 265 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 266 free(formats); 267 268 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 269} 270 271TEST_P(CheckSupported, SupportedExportFormats) { 272 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 273 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 274 275 size_t len; 276 keymaster_key_format_t* formats; 277 ASSERT_EQ(KM_ERROR_OK, 278 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 279 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 280 free(formats); 281 282 ASSERT_EQ(KM_ERROR_OK, 283 device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len)); 284 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 285 free(formats); 286 287 ASSERT_EQ(KM_ERROR_OK, 288 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 289 EXPECT_EQ(0U, len); 290 free(formats); 291 292 ASSERT_EQ(KM_ERROR_OK, 293 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 294 EXPECT_EQ(0U, len); 295 free(formats); 296 297 ASSERT_EQ(KM_ERROR_OK, 298 device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 299 EXPECT_EQ(0U, len); 300 free(formats); 301 302 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 303} 304 305class NewKeyGeneration : public Keymaster1Test { 306 protected: 307 void CheckBaseParams() { 308 AuthorizationSet auths = sw_enforced(); 309 EXPECT_GT(auths.SerializedSize(), 12U); 310 311 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 312 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 313 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 314 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 315 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 316 317 // Verify that App ID, App data and ROT are NOT included. 318 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 319 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 320 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 321 322 // Just for giggles, check that some unexpected tags/values are NOT present. 323 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 324 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 325 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 326 327 // Now check that unspecified, defaulted tags are correct. 328 EXPECT_TRUE(contains(auths, TAG_ORIGIN, KM_ORIGIN_GENERATED)); 329 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 330 } 331}; 332INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 333 334TEST_P(NewKeyGeneration, Rsa) { 335 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 336 .RsaSigningKey(256, 3) 337 .Digest(KM_DIGEST_NONE) 338 .Padding(KM_PAD_NONE))); 339 CheckBaseParams(); 340 341 // Check specified tags are all present, and in the right set. 342 AuthorizationSet crypto_params; 343 AuthorizationSet non_crypto_params; 344 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) { 345 EXPECT_NE(0U, hw_enforced().size()); 346 EXPECT_NE(0U, sw_enforced().size()); 347 crypto_params.push_back(hw_enforced()); 348 non_crypto_params.push_back(sw_enforced()); 349 } else { 350 EXPECT_EQ(0U, hw_enforced().size()); 351 EXPECT_NE(0U, sw_enforced().size()); 352 crypto_params.push_back(sw_enforced()); 353 } 354 355 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 356 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 357 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 358 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 359 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 360 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 361 362 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 363 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 364} 365 366TEST_P(NewKeyGeneration, RsaDefaultSize) { 367 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 368 GenerateKey(AuthorizationSetBuilder() 369 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 370 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 371 .SigningKey())); 372 373 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 374} 375 376TEST_P(NewKeyGeneration, Ecdsa) { 377 ASSERT_EQ(KM_ERROR_OK, 378 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 379 CheckBaseParams(); 380 381 // Check specified tags are all present, and in the right set. 382 AuthorizationSet crypto_params; 383 AuthorizationSet non_crypto_params; 384 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) { 385 EXPECT_NE(0U, hw_enforced().size()); 386 EXPECT_NE(0U, sw_enforced().size()); 387 crypto_params.push_back(hw_enforced()); 388 non_crypto_params.push_back(sw_enforced()); 389 } else { 390 EXPECT_EQ(0U, hw_enforced().size()); 391 EXPECT_NE(0U, sw_enforced().size()); 392 crypto_params.push_back(sw_enforced()); 393 } 394 395 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 396 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 397 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 398 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 399 400 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 401 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 402} 403 404TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 405 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 406 GenerateKey(AuthorizationSetBuilder() 407 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 408 .SigningKey() 409 .Digest(KM_DIGEST_NONE))); 410 411 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 412} 413 414TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 415 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 416 ASSERT_EQ( 417 KM_ERROR_UNKNOWN_ERROR, 418 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 419 else 420 ASSERT_EQ( 421 KM_ERROR_UNSUPPORTED_KEY_SIZE, 422 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 423 424 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 425 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 426} 427 428TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 429 size_t valid_sizes[] = {224, 256, 384, 521}; 430 for (size_t size : valid_sizes) { 431 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 432 KM_DIGEST_NONE))) 433 << "Failed to generate size: " << size; 434 } 435 436 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 437 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 438} 439 440TEST_P(NewKeyGeneration, HmacSha256) { 441 ASSERT_EQ(KM_ERROR_OK, 442 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 443 444 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 445} 446 447typedef Keymaster1Test GetKeyCharacteristics; 448INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 449 450TEST_P(GetKeyCharacteristics, SimpleRsa) { 451 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 452 .RsaSigningKey(256, 3) 453 .Digest(KM_DIGEST_NONE) 454 .Padding(KM_PAD_NONE))); 455 AuthorizationSet original(sw_enforced()); 456 457 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 458 EXPECT_EQ(original, sw_enforced()); 459 460 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 461 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 462} 463 464typedef Keymaster1Test SigningOperationsTest; 465INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 466 467TEST_P(SigningOperationsTest, RsaSuccess) { 468 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 469 .RsaSigningKey(256, 3) 470 .Digest(KM_DIGEST_NONE) 471 .Padding(KM_PAD_NONE))); 472 string message = "12345678901234567890123456789012"; 473 string signature; 474 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 475 476 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 477 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 478} 479 480TEST_P(SigningOperationsTest, RsaPssSha256Success) { 481 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 482 .RsaSigningKey(512, 3) 483 .Digest(KM_DIGEST_SHA_2_256) 484 .Padding(KM_PAD_RSA_PSS))); 485 // Use large message, which won't work without digesting. 486 string message(1024, 'a'); 487 string signature; 488 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 489 490 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 491 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 492} 493 494TEST_P(SigningOperationsTest, RsaPaddingNoneAllowsOther) { 495 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 496 .RsaSigningKey(512, 3) 497 .Digest(KM_DIGEST_NONE) 498 .Padding(KM_PAD_NONE))); 499 string message = "12345678901234567890123456789012"; 500 string signature; 501 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 502 503 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 504 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 505} 506 507TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 508 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 509 .RsaSigningKey(512, 3) 510 .Digest(KM_DIGEST_SHA_2_256) 511 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 512 string message(1024, 'a'); 513 string signature; 514 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 515 516 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 517 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 518} 519 520TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 521 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 522 .RsaSigningKey(512, 3) 523 .Digest(KM_DIGEST_NONE) 524 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 525 string message(53, 'a'); 526 string signature; 527 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); 528 529 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 530 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 531} 532 533TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { 534 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 535 .RsaSigningKey(512, 3) 536 .Digest(KM_DIGEST_NONE) 537 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 538 string message(54, 'a'); 539 540 AuthorizationSet begin_params(client_params()); 541 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 542 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 543 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 544 string result; 545 size_t input_consumed; 546 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 547 string signature; 548 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 549 550 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 551 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 552} 553 554TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 555 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 556 // verify that nine bytes larger than hash won't work. 557 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 558 .RsaSigningKey(256 + 9 * 8, 3) 559 .Digest(KM_DIGEST_SHA_2_256) 560 .Padding(KM_PAD_RSA_PSS))); 561 string message(1024, 'a'); 562 string signature; 563 564 AuthorizationSet begin_params(client_params()); 565 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 566 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 567 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 568} 569 570TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { 571 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 572 .RsaSigningKey(256, 3) 573 .Digest(KM_DIGEST_NONE) 574 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 575 string message(64 * 1024, 'a'); 576 string signature; 577 AuthorizationSet begin_params(client_params()); 578 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 579 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 580 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 581 string result; 582 size_t input_consumed; 583 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 584 585 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 586 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 587} 588 589TEST_P(SigningOperationsTest, RsaAbort) { 590 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 591 .RsaSigningKey(256, 3) 592 .Digest(KM_DIGEST_NONE) 593 .Padding(KM_PAD_NONE))); 594 AuthorizationSet begin_params(client_params()); 595 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 596 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 597 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 598 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 599 // Another abort should fail 600 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 601 602 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 603 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 604} 605 606TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 607 GenerateKey(AuthorizationSetBuilder() 608 .RsaSigningKey(256, 3) 609 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 610 .Padding(KM_PAD_PKCS7)); 611 AuthorizationSet begin_params(client_params()); 612 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 613 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 614 615 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 616 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 617} 618 619TEST_P(SigningOperationsTest, RsaNoDigest) { 620 // PSS requires a digest. 621 GenerateKey(AuthorizationSetBuilder() 622 .RsaSigningKey(256, 3) 623 .Digest(KM_DIGEST_NONE) 624 .Padding(KM_PAD_RSA_PSS)); 625 AuthorizationSet begin_params(client_params()); 626 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 627 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 628 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 629 630 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 631 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 632} 633 634TEST_P(SigningOperationsTest, RsaNoPadding) { 635 // Padding must be specified 636 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 637 KM_DIGEST_NONE))); 638 AuthorizationSet begin_params(client_params()); 639 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 640 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 641 642 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 643 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 644} 645 646TEST_P(SigningOperationsTest, RsaTooShortMessage) { 647 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 648 .RsaSigningKey(256, 3) 649 .Digest(KM_DIGEST_NONE) 650 .Padding(KM_PAD_NONE))); 651 AuthorizationSet begin_params(client_params()); 652 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 653 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 654 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 655 656 string message = "1234567890123456789012345678901"; 657 string result; 658 size_t input_consumed; 659 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 660 EXPECT_EQ(0U, result.size()); 661 EXPECT_EQ(31U, input_consumed); 662 663 string signature; 664 ASSERT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 665 EXPECT_EQ(0U, signature.length()); 666 667 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 668 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 669} 670 671TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 672 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 673 .RsaEncryptionKey(256, 3) 674 .Digest(KM_DIGEST_NONE) 675 .Padding(KM_PAD_NONE))); 676 AuthorizationSet begin_params(client_params()); 677 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 678 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 679 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 680 681 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 682 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 683} 684 685TEST_P(SigningOperationsTest, EcdsaSuccess) { 686 ASSERT_EQ(KM_ERROR_OK, 687 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 688 string message(224 / 8, 'a'); 689 string signature; 690 SignMessage(message, &signature, KM_DIGEST_NONE); 691 692 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 693 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 694} 695 696TEST_P(SigningOperationsTest, EcdsaSha256Success) { 697 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 698 KM_DIGEST_SHA_2_256))); 699 string message(1024, 'a'); 700 string signature; 701 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 702 703 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 704 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 705} 706 707TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { 708 ASSERT_EQ(KM_ERROR_OK, 709 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 710 string message(64 * 1024, 'a'); 711 string signature; 712 AuthorizationSet begin_params(client_params()); 713 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 714 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 715 string result; 716 size_t input_consumed; 717 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 718 719 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 720 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 721} 722 723TEST_P(SigningOperationsTest, EcsdaAllSizesAndHashes) { 724 size_t len; 725 keymaster_digest_t* digest_arr; 726 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 727 KM_PURPOSE_SIGN, &digest_arr, &len)); 728 vector<int> key_sizes = {224, 256, 384, 521}; 729 vector<keymaster_digest_t> digests = make_vector(digest_arr, len); 730 free(digest_arr); 731 732 for (int key_size : key_sizes) { 733 for (keymaster_digest_t digest : digests) { 734 ASSERT_EQ( 735 KM_ERROR_OK, 736 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); 737 738 string message(1024, 'a'); 739 string signature; 740 if (digest == KM_DIGEST_NONE) 741 message.resize(key_size / 8); 742 SignMessage(message, &signature, digest); 743 } 744 } 745 746 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 747 EXPECT_EQ(digests.size() * key_sizes.size() * 3, 748 static_cast<size_t>(GetParam()->keymaster0_calls())); 749} 750 751TEST_P(SigningOperationsTest, AesEcbSign) { 752 ASSERT_EQ(KM_ERROR_OK, 753 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 754 TAG_BLOCK_MODE, KM_MODE_ECB))); 755 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 756 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 757 758 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 759} 760 761TEST_P(SigningOperationsTest, HmacSha1Success) { 762 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 763 string message = "12345678901234567890123456789012"; 764 string signature; 765 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 766 ASSERT_EQ(20U, signature.size()); 767 768 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 769} 770 771TEST_P(SigningOperationsTest, HmacSha224Success) { 772 ASSERT_EQ(KM_ERROR_OK, 773 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224))); 774 string message = "12345678901234567890123456789012"; 775 string signature; 776 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 777 ASSERT_EQ(28U, signature.size()); 778 779 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 780} 781 782TEST_P(SigningOperationsTest, HmacSha256Success) { 783 ASSERT_EQ(KM_ERROR_OK, 784 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 785 string message = "12345678901234567890123456789012"; 786 string signature; 787 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 788 ASSERT_EQ(32U, signature.size()); 789 790 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 791} 792 793TEST_P(SigningOperationsTest, HmacSha384Success) { 794 ASSERT_EQ(KM_ERROR_OK, 795 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384))); 796 797 string message = "12345678901234567890123456789012"; 798 string signature; 799 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 800 ASSERT_EQ(48U, signature.size()); 801 802 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 803} 804 805TEST_P(SigningOperationsTest, HmacSha512Success) { 806 ASSERT_EQ(KM_ERROR_OK, 807 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512))); 808 string message = "12345678901234567890123456789012"; 809 string signature; 810 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 811 ASSERT_EQ(64U, signature.size()); 812 813 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 814} 815 816TEST_P(SigningOperationsTest, HmacAnyDigestSuccess) { 817 ASSERT_EQ(KM_ERROR_OK, 818 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_NONE))); 819 string message = "12345678901234567890123456789012"; 820 string signature; 821 822 size_t len; 823 keymaster_digest_t* digests; 824 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 825 KM_PURPOSE_SIGN, &digests, &len)); 826 for (size_t i = 0; i < len; ++i) 827 MacMessage(message, &signature, digests[i], 128 /* small MAC to work with all digests */); 828 free(digests); 829 830 // Ensure that we can't actually try to do an HMAC with no digest 831 AuthorizationSet begin_params(client_params()); 832 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 833 begin_params.push_back(TAG_MAC_LENGTH, 128); 834 EXPECT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 835 836 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 837} 838 839TEST_P(SigningOperationsTest, HmacLengthInKey) { 840 // TODO(swillden): unified API should generate an error on key generation. 841 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 842 .HmacKey(128) 843 .Digest(KM_DIGEST_SHA_2_256) 844 .Authorization(TAG_MAC_LENGTH, 20))); 845 string message = "12345678901234567890123456789012"; 846 string signature; 847 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 240); 848 // Size in key was ignored. 849 ASSERT_EQ(30U, signature.size()); 850 851 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 852} 853 854TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 855 uint8_t key_data[] = { 856 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 857 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 858 }; 859 string message = "Hi There"; 860 uint8_t sha_224_expected[] = { 861 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 862 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 863 }; 864 uint8_t sha_256_expected[] = { 865 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 866 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 867 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 868 }; 869 uint8_t sha_384_expected[] = { 870 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 871 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 872 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 873 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 874 }; 875 uint8_t sha_512_expected[] = { 876 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 877 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 878 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 879 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 880 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 881 }; 882 883 string key = make_string(key_data); 884 885 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 886 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 887 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 888 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 889 890 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 891} 892 893TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 894 string key = "Jefe"; 895 string message = "what do ya want for nothing?"; 896 uint8_t sha_224_expected[] = { 897 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 898 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 899 }; 900 uint8_t sha_256_expected[] = { 901 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 902 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 903 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 904 }; 905 uint8_t sha_384_expected[] = { 906 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 907 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 908 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 909 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 910 }; 911 uint8_t sha_512_expected[] = { 912 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 913 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 914 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 915 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 916 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 917 }; 918 919 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 920 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 921 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 922 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 923 924 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 925} 926 927TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 928 string key(20, 0xaa); 929 string message(50, 0xdd); 930 uint8_t sha_224_expected[] = { 931 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 932 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 933 }; 934 uint8_t sha_256_expected[] = { 935 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 936 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 937 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 938 }; 939 uint8_t sha_384_expected[] = { 940 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 941 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 942 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 943 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 944 }; 945 uint8_t sha_512_expected[] = { 946 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 947 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 948 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 949 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 950 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 951 }; 952 953 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 954 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 955 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 956 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 957 958 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 959} 960 961TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 962 uint8_t key_data[25] = { 963 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 964 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 965 }; 966 string key = make_string(key_data); 967 string message(50, 0xcd); 968 uint8_t sha_224_expected[] = { 969 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 970 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 971 }; 972 uint8_t sha_256_expected[] = { 973 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 974 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 975 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 976 }; 977 uint8_t sha_384_expected[] = { 978 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 979 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 980 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 981 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 982 }; 983 uint8_t sha_512_expected[] = { 984 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 985 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 986 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 987 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 988 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 989 }; 990 991 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 992 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 993 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 994 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 995 996 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 997} 998 999TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 1000 string key(20, 0x0c); 1001 string message = "Test With Truncation"; 1002 1003 uint8_t sha_224_expected[] = { 1004 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 1005 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 1006 }; 1007 uint8_t sha_256_expected[] = { 1008 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 1009 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 1010 }; 1011 uint8_t sha_384_expected[] = { 1012 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 1013 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 1014 }; 1015 uint8_t sha_512_expected[] = { 1016 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 1017 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 1018 }; 1019 1020 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1021 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1022 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1023 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1024 1025 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1026} 1027 1028TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 1029 string key(131, 0xaa); 1030 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 1031 1032 uint8_t sha_224_expected[] = { 1033 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 1034 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 1035 }; 1036 uint8_t sha_256_expected[] = { 1037 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 1038 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 1039 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 1040 }; 1041 uint8_t sha_384_expected[] = { 1042 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 1043 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 1044 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 1045 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 1046 }; 1047 uint8_t sha_512_expected[] = { 1048 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 1049 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 1050 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 1051 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 1052 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 1053 }; 1054 1055 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1056 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1057 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1058 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1059 1060 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1061} 1062 1063TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 1064 string key(131, 0xaa); 1065 string message = "This is a test using a larger than block-size key and a larger than " 1066 "block-size data. The key needs to be hashed before being used by the HMAC " 1067 "algorithm."; 1068 1069 uint8_t sha_224_expected[] = { 1070 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 1071 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 1072 }; 1073 uint8_t sha_256_expected[] = { 1074 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1075 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1076 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1077 }; 1078 uint8_t sha_384_expected[] = { 1079 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1080 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1081 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1082 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1083 }; 1084 uint8_t sha_512_expected[] = { 1085 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1086 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1087 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1088 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1089 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1090 }; 1091 1092 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1093 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1094 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1095 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1096 1097 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1098} 1099 1100TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1101 ASSERT_EQ(KM_ERROR_OK, 1102 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 1103 AuthorizationSet begin_params(client_params()); 1104 begin_params.push_back(TAG_MAC_LENGTH, 264); 1105 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1106 ASSERT_EQ(KM_ERROR_OK, 1107 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1108 string message = "1234567890123456789012345678901"; 1109 string result; 1110 size_t input_consumed; 1111 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1112 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, FinishOperation(&result)); 1113 1114 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1115} 1116 1117// TODO(swillden): Add more verification failure tests. 1118 1119typedef Keymaster1Test VerificationOperationsTest; 1120INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 1121 1122TEST_P(VerificationOperationsTest, RsaSuccess) { 1123 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1124 .RsaSigningKey(256, 3) 1125 .Digest(KM_DIGEST_NONE) 1126 .Padding(KM_PAD_NONE))); 1127 string message = "12345678901234567890123456789012"; 1128 string signature; 1129 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1130 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1131 1132 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1133 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1134} 1135 1136TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1137 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1138 .RsaSigningKey(512, 3) 1139 .Digest(KM_DIGEST_SHA_2_256) 1140 .Padding(KM_PAD_RSA_PSS))); 1141 // Use large message, which won't work without digesting. 1142 string message(1024, 'a'); 1143 string signature; 1144 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1145 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1146 1147 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1148 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1149} 1150 1151TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1152 GenerateKey(AuthorizationSetBuilder() 1153 .RsaSigningKey(512, 3) 1154 .Digest(KM_DIGEST_SHA_2_256) 1155 .Padding(KM_PAD_RSA_PSS)); 1156 string message(1024, 'a'); 1157 string signature; 1158 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1159 ++signature[signature.size() / 2]; 1160 1161 AuthorizationSet begin_params(client_params()); 1162 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1163 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1164 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1165 1166 string result; 1167 size_t input_consumed; 1168 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1169 EXPECT_EQ(message.size(), input_consumed); 1170 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1171 1172 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1173 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1174} 1175 1176TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1177 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1178 .RsaSigningKey(512, 3) 1179 .Digest(KM_DIGEST_SHA_2_256) 1180 .Padding(KM_PAD_RSA_PSS))); 1181 // Use large message, which won't work without digesting. 1182 string message(1024, 'a'); 1183 string signature; 1184 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1185 ++message[message.size() / 2]; 1186 1187 AuthorizationSet begin_params(client_params()); 1188 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1189 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1190 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1191 1192 string result; 1193 size_t input_consumed; 1194 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1195 EXPECT_EQ(message.size(), input_consumed); 1196 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1197 1198 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1199 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1200} 1201 1202TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1203 GenerateKey(AuthorizationSetBuilder() 1204 .RsaSigningKey(512, 3) 1205 .Digest(KM_DIGEST_SHA_2_256) 1206 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1207 string message(1024, 'a'); 1208 string signature; 1209 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1210 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1211 1212 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1213 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1214} 1215 1216TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1217 GenerateKey(AuthorizationSetBuilder() 1218 .RsaSigningKey(512, 3) 1219 .Digest(KM_DIGEST_SHA_2_256) 1220 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1221 string message(1024, 'a'); 1222 string signature; 1223 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1224 ++signature[signature.size() / 2]; 1225 1226 AuthorizationSet begin_params(client_params()); 1227 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1228 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1229 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1230 1231 string result; 1232 size_t input_consumed; 1233 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1234 EXPECT_EQ(message.size(), input_consumed); 1235 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1236 1237 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1238 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1239} 1240 1241TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1242 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1243 .RsaSigningKey(512, 3) 1244 .Digest(KM_DIGEST_SHA_2_256) 1245 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1246 // Use large message, which won't work without digesting. 1247 string message(1024, 'a'); 1248 string signature; 1249 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1250 ++message[message.size() / 2]; 1251 1252 AuthorizationSet begin_params(client_params()); 1253 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1254 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1255 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1256 1257 string result; 1258 size_t input_consumed; 1259 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1260 EXPECT_EQ(message.size(), input_consumed); 1261 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1262 1263 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1264 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1265} 1266 1267TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1268 // Get all supported digests and padding modes. 1269 size_t digests_len; 1270 keymaster_digest_t* digests; 1271 ASSERT_EQ(KM_ERROR_OK, 1272 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, &digests, 1273 &digests_len)); 1274 1275 size_t padding_modes_len; 1276 keymaster_padding_t* padding_modes; 1277 ASSERT_EQ(KM_ERROR_OK, 1278 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, 1279 &padding_modes, &padding_modes_len)); 1280 1281 // Try them. 1282 int trial_count = 0; 1283 for (keymaster_padding_t padding_mode : make_vector(padding_modes, padding_modes_len)) { 1284 for (keymaster_digest_t digest : make_vector(digests, digests_len)) { 1285 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1286 // Digesting requires padding 1287 continue; 1288 1289 // Compute key & message size that will work. 1290 size_t key_bits = 0; 1291 size_t message_len = 1000; 1292 1293 if (digest == KM_DIGEST_NONE) { 1294 key_bits = 256; 1295 switch (padding_mode) { 1296 case KM_PAD_NONE: 1297 // Match key size. 1298 message_len = key_bits / 8; 1299 break; 1300 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1301 message_len = key_bits / 8 - 11; 1302 break; 1303 case KM_PAD_RSA_PSS: 1304 // PSS requires a digest. 1305 continue; 1306 default: 1307 FAIL() << "Missing padding"; 1308 break; 1309 } 1310 } else { 1311 size_t digest_bits; 1312 switch (digest) { 1313 case KM_DIGEST_MD5: 1314 digest_bits = 128; 1315 break; 1316 case KM_DIGEST_SHA1: 1317 digest_bits = 160; 1318 break; 1319 case KM_DIGEST_SHA_2_224: 1320 digest_bits = 224; 1321 break; 1322 case KM_DIGEST_SHA_2_256: 1323 digest_bits = 256; 1324 break; 1325 case KM_DIGEST_SHA_2_384: 1326 digest_bits = 384; 1327 break; 1328 case KM_DIGEST_SHA_2_512: 1329 digest_bits = 512; 1330 break; 1331 default: 1332 FAIL() << "Missing digest"; 1333 } 1334 1335 switch (padding_mode) { 1336 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1337 key_bits = digest_bits + 8 * (11 + 19); 1338 break; 1339 case KM_PAD_RSA_PSS: 1340 key_bits = digest_bits + 8 * 10; 1341 break; 1342 default: 1343 FAIL() << "Missing padding"; 1344 break; 1345 } 1346 } 1347 1348 GenerateKey(AuthorizationSetBuilder() 1349 .RsaSigningKey(key_bits, 3) 1350 .Digest(digest) 1351 .Padding(padding_mode)); 1352 string message(message_len, 'a'); 1353 string signature; 1354 SignMessage(message, &signature, digest, padding_mode); 1355 VerifyMessage(message, signature, digest, padding_mode); 1356 ++trial_count; 1357 } 1358 } 1359 1360 free(padding_modes); 1361 free(digests); 1362 1363 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1364 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1365} 1366 1367TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1368 ASSERT_EQ(KM_ERROR_OK, 1369 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1370 string message = "12345678901234567890123456789012"; 1371 string signature; 1372 SignMessage(message, &signature, KM_DIGEST_NONE); 1373 VerifyMessage(message, signature, KM_DIGEST_NONE); 1374 1375 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1376 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1377} 1378 1379TEST_P(VerificationOperationsTest, EcdsaTooShort) { 1380 ASSERT_EQ(KM_ERROR_OK, 1381 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1382 string message = "12345678901234567890"; 1383 string signature; 1384 SignMessage(message, &signature, KM_DIGEST_NONE); 1385 VerifyMessage(message, signature, KM_DIGEST_NONE); 1386 1387 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1388 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1389} 1390 1391TEST_P(VerificationOperationsTest, EcdsaTooLong) { 1392 ASSERT_EQ(KM_ERROR_OK, 1393 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1394 string message = "1234567890123456789012345678901234"; 1395 string signature; 1396 1397 AuthorizationSet begin_params(client_params()); 1398 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1399 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 1400 string output; 1401 size_t input_consumed; 1402 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &output, &input_consumed)); 1403 1404 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1405 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1406} 1407 1408TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { 1409 ASSERT_EQ(KM_ERROR_OK, 1410 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); 1411 1412 string message(66, 'a'); 1413 string signature; 1414 SignMessage(message, &signature, KM_DIGEST_NONE); 1415 VerifyMessage(message, signature, KM_DIGEST_NONE); 1416 1417 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. 1418 message[65] ^= 7; 1419 VerifyMessage(message, signature, KM_DIGEST_NONE); 1420 1421 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1422 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 1423} 1424 1425TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1426 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1427 .EcdsaSigningKey(256) 1428 .Digest(KM_DIGEST_SHA_2_256) 1429 .Digest(KM_DIGEST_NONE))); 1430 string message = "12345678901234567890123456789012"; 1431 string signature; 1432 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1433 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1434 1435 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1436 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1437 1438 // Just for giggles, try verifying with the wrong digest. 1439 AuthorizationSet begin_params(client_params()); 1440 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1441 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1442 1443 string result; 1444 size_t input_consumed; 1445 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1446 EXPECT_EQ(message.size(), input_consumed); 1447 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1448} 1449 1450TEST_P(VerificationOperationsTest, HmacSha1Success) { 1451 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 1452 string message = "123456789012345678901234567890123456789012345678"; 1453 string signature; 1454 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 1455 VerifyMessage(message, signature, KM_DIGEST_SHA1); 1456 1457 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1458} 1459 1460TEST_P(VerificationOperationsTest, HmacSha224Success) { 1461 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224)); 1462 string message = "123456789012345678901234567890123456789012345678"; 1463 string signature; 1464 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 1465 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); 1466 1467 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1468} 1469 1470TEST_P(VerificationOperationsTest, HmacSha256Success) { 1471 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256)); 1472 string message = "123456789012345678901234567890123456789012345678"; 1473 string signature; 1474 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 1475 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1476 1477 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1478} 1479 1480TEST_P(VerificationOperationsTest, HmacSha384Success) { 1481 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384)); 1482 string message = "123456789012345678901234567890123456789012345678"; 1483 string signature; 1484 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 1485 VerifyMessage(message, signature, KM_DIGEST_SHA_2_384); 1486 1487 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1488} 1489 1490TEST_P(VerificationOperationsTest, HmacSha512Success) { 1491 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512)); 1492 string message = "123456789012345678901234567890123456789012345678"; 1493 string signature; 1494 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 1495 VerifyMessage(message, signature, KM_DIGEST_SHA_2_512); 1496 1497 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1498} 1499 1500TEST_P(VerificationOperationsTest, HmacAnyDigestSuccess) { 1501 ASSERT_EQ(KM_ERROR_OK, 1502 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_NONE))); 1503 string message = "12345678901234567890123456789012"; 1504 string signature; 1505 1506 size_t len; 1507 keymaster_digest_t* digests; 1508 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 1509 KM_PURPOSE_SIGN, &digests, &len)); 1510 for (size_t i = 0; i < len; ++i) { 1511 MacMessage(message, &signature, digests[i], 128 /* small MAC to work with all digests */); 1512 VerifyMessage(message, signature, digests[i]); 1513 if (len > 1) { 1514 size_t wrong_digest_index = (i == 0) ? 1 : 0; 1515 AuthorizationSet begin_params(client_params()); 1516 begin_params.push_back(TAG_DIGEST, digests[wrong_digest_index]); 1517 begin_params.push_back(TAG_MAC_LENGTH, 128); 1518 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1519 string output; 1520 size_t input_consumed; 1521 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &output, &input_consumed)); 1522 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &output)); 1523 } 1524 } 1525 free(digests); 1526 1527 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1528} 1529 1530typedef Keymaster1Test ExportKeyTest; 1531INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1532 1533TEST_P(ExportKeyTest, RsaSuccess) { 1534 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1535 .RsaSigningKey(256, 3) 1536 .Digest(KM_DIGEST_NONE) 1537 .Padding(KM_PAD_NONE))); 1538 string export_data; 1539 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1540 EXPECT_GT(export_data.length(), 0U); 1541 1542 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1543 1544 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1545 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1546} 1547 1548TEST_P(ExportKeyTest, EcdsaSuccess) { 1549 ASSERT_EQ(KM_ERROR_OK, 1550 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1551 string export_data; 1552 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1553 EXPECT_GT(export_data.length(), 0U); 1554 1555 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1556 1557 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1558 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1559} 1560 1561TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1562 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1563 .RsaSigningKey(256, 3) 1564 .Digest(KM_DIGEST_NONE) 1565 .Padding(KM_PAD_NONE))); 1566 string export_data; 1567 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1568 1569 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1570 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1571} 1572 1573TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1574 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1575 .RsaSigningKey(256, 3) 1576 .Digest(KM_DIGEST_NONE) 1577 .Padding(KM_PAD_NONE))); 1578 corrupt_key_blob(); 1579 string export_data; 1580 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1581 1582 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1583 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1584} 1585 1586TEST_P(ExportKeyTest, AesKeyExportFails) { 1587 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1588 string export_data; 1589 1590 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1591 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1592 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1593 1594 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1595} 1596 1597static string read_file(const string& file_name) { 1598 ifstream file_stream(file_name, std::ios::binary); 1599 istreambuf_iterator<char> file_begin(file_stream); 1600 istreambuf_iterator<char> file_end; 1601 return string(file_begin, file_end); 1602} 1603 1604typedef Keymaster1Test ImportKeyTest; 1605INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1606 1607TEST_P(ImportKeyTest, RsaSuccess) { 1608 string pk8_key = read_file("rsa_privkey_pk8.der"); 1609 ASSERT_EQ(633U, pk8_key.size()); 1610 1611 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1612 .RsaSigningKey(1024, 65537) 1613 .Digest(KM_DIGEST_NONE) 1614 .Padding(KM_PAD_NONE), 1615 KM_KEY_FORMAT_PKCS8, pk8_key)); 1616 1617 // Check values derived from the key. 1618 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1619 : sw_enforced(), 1620 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1621 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1622 : sw_enforced(), 1623 TAG_KEY_SIZE, 1024)); 1624 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1625 : sw_enforced(), 1626 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1627 1628 // And values provided by AndroidKeymaster 1629 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1630 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1631 1632 string message(1024 / 8, 'a'); 1633 string signature; 1634 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1635 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1636 1637 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1638 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1639} 1640 1641TEST_P(ImportKeyTest, OldApiRsaSuccess) { 1642 string pk8_key = read_file("rsa_privkey_pk8.der"); 1643 ASSERT_EQ(633U, pk8_key.size()); 1644 1645 // NOTE: This will break when the keymaster0 APIs are removed from keymaster1. But at that 1646 // point softkeymaster will no longer support keymaster0 APIs anyway. 1647 uint8_t* key_blob; 1648 size_t key_blob_length; 1649 ASSERT_EQ(0, 1650 device()->import_keypair(device(), reinterpret_cast<const uint8_t*>(pk8_key.data()), 1651 pk8_key.size(), &key_blob, &key_blob_length)); 1652 set_key_blob(key_blob, key_blob_length); 1653 1654 string message(1024 / 8, 'a'); 1655 AuthorizationSet begin_params; // Don't use client data. 1656 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1657 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1658 AuthorizationSet update_params; 1659 AuthorizationSet output_params; 1660 string signature = 1661 ProcessMessage(KM_PURPOSE_SIGN, message, begin_params, update_params, &output_params); 1662 ProcessMessage(KM_PURPOSE_VERIFY, message, signature, begin_params, update_params, 1663 &output_params); 1664 1665 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1666 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1667} 1668 1669TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1670 string pk8_key = read_file("rsa_privkey_pk8.der"); 1671 ASSERT_EQ(633U, pk8_key.size()); 1672 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1673 ImportKey(AuthorizationSetBuilder() 1674 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1675 .Digest(KM_DIGEST_NONE) 1676 .Padding(KM_PAD_NONE), 1677 KM_KEY_FORMAT_PKCS8, pk8_key)); 1678 1679 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1680} 1681 1682TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1683 string pk8_key = read_file("rsa_privkey_pk8.der"); 1684 ASSERT_EQ(633U, pk8_key.size()); 1685 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1686 ImportKey(AuthorizationSetBuilder() 1687 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1688 .Digest(KM_DIGEST_NONE) 1689 .Padding(KM_PAD_NONE), 1690 KM_KEY_FORMAT_PKCS8, pk8_key)); 1691 1692 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1693} 1694 1695TEST_P(ImportKeyTest, EcdsaSuccess) { 1696 string pk8_key = read_file("ec_privkey_pk8.der"); 1697 ASSERT_EQ(138U, pk8_key.size()); 1698 1699 ASSERT_EQ(KM_ERROR_OK, 1700 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1701 KM_KEY_FORMAT_PKCS8, pk8_key)); 1702 1703 // Check values derived from the key. 1704 EXPECT_TRUE( 1705 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1706 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1707 EXPECT_TRUE( 1708 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1709 TAG_KEY_SIZE, 256)); 1710 1711 // And values provided by AndroidKeymaster 1712 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1713 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1714 1715 string message(32, 'a'); 1716 string signature; 1717 SignMessage(message, &signature, KM_DIGEST_NONE); 1718 VerifyMessage(message, signature, KM_DIGEST_NONE); 1719 1720 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1721 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1722} 1723 1724TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1725 string pk8_key = read_file("ec_privkey_pk8.der"); 1726 ASSERT_EQ(138U, pk8_key.size()); 1727 1728 ASSERT_EQ(KM_ERROR_OK, 1729 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1730 KM_KEY_FORMAT_PKCS8, pk8_key)); 1731 1732 // Check values derived from the key. 1733 EXPECT_TRUE( 1734 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1735 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1736 EXPECT_TRUE( 1737 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1738 TAG_KEY_SIZE, 256)); 1739 1740 // And values provided by AndroidKeymaster 1741 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1742 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1743 1744 string message(32, 'a'); 1745 string signature; 1746 SignMessage(message, &signature, KM_DIGEST_NONE); 1747 VerifyMessage(message, signature, KM_DIGEST_NONE); 1748 1749 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1750 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1751} 1752 1753TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1754 string pk8_key = read_file("ec_privkey_pk8.der"); 1755 ASSERT_EQ(138U, pk8_key.size()); 1756 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1757 ImportKey(AuthorizationSetBuilder() 1758 .EcdsaSigningKey(224 /* Doesn't match key */) 1759 .Digest(KM_DIGEST_NONE), 1760 KM_KEY_FORMAT_PKCS8, pk8_key)); 1761 1762 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1763} 1764 1765TEST_P(ImportKeyTest, AesKeySuccess) { 1766 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1767 string key(key_data, sizeof(key_data)); 1768 ASSERT_EQ(KM_ERROR_OK, 1769 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1770 TAG_PADDING, KM_PAD_PKCS7), 1771 KM_KEY_FORMAT_RAW, key)); 1772 1773 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1774 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1775 1776 string message = "Hello World!"; 1777 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1778 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1779 EXPECT_EQ(message, plaintext); 1780 1781 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1782} 1783 1784TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1785 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1786 string key(key_data, sizeof(key_data)); 1787 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1788 .HmacKey(sizeof(key_data) * 8) 1789 .Digest(KM_DIGEST_SHA_2_256) 1790 .Authorization(TAG_MAC_LENGTH, 32), 1791 KM_KEY_FORMAT_RAW, key)); 1792 1793 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1794 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1795 1796 string message = "Hello World!"; 1797 string signature; 1798 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 32); 1799 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1800 1801 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1802} 1803 1804typedef Keymaster1Test EncryptionOperationsTest; 1805INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1806 1807TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 1808 ASSERT_EQ(KM_ERROR_OK, 1809 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1810 1811 string message = "12345678901234567890123456789012"; 1812 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 1813 EXPECT_EQ(256U / 8, ciphertext1.size()); 1814 1815 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 1816 EXPECT_EQ(256U / 8, ciphertext2.size()); 1817 1818 // Unpadded RSA is deterministic 1819 EXPECT_EQ(ciphertext1, ciphertext2); 1820 1821 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1822 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1823} 1824 1825TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 1826 ASSERT_EQ(KM_ERROR_OK, 1827 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1828 1829 string message = "1234567890123456789012345678901"; 1830 1831 AuthorizationSet begin_params(client_params()); 1832 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1833 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1834 1835 string result; 1836 size_t input_consumed; 1837 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1838 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1839 EXPECT_EQ(0U, result.size()); 1840 1841 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1842 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1843} 1844 1845TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 1846 ASSERT_EQ(KM_ERROR_OK, 1847 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1848 1849 string message = "123456789012345678901234567890123"; 1850 1851 AuthorizationSet begin_params(client_params()); 1852 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1853 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1854 1855 string result; 1856 size_t input_consumed; 1857 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 1858 1859 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1860 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1861} 1862 1863TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 1864 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1865 .RsaEncryptionKey(512, 3) 1866 .Padding(KM_PAD_RSA_OAEP) 1867 .Digest(KM_DIGEST_SHA_2_256))); 1868 1869 string message = "Hello World!"; 1870 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1871 EXPECT_EQ(512U / 8, ciphertext1.size()); 1872 1873 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1874 EXPECT_EQ(512U / 8, ciphertext2.size()); 1875 1876 // OAEP randomizes padding so every result should be different. 1877 EXPECT_NE(ciphertext1, ciphertext2); 1878 1879 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1880 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1881} 1882 1883TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 1884 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1885 .RsaEncryptionKey(512, 3) 1886 .Padding(KM_PAD_RSA_OAEP) 1887 .Digest(KM_DIGEST_SHA_2_256))); 1888 string message = "Hello World!"; 1889 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1890 EXPECT_EQ(512U / 8, ciphertext.size()); 1891 1892 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1893 EXPECT_EQ(message, plaintext); 1894 1895 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1896 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1897} 1898 1899TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { 1900 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1901 .RsaEncryptionKey(512, 3) 1902 .Padding(KM_PAD_RSA_OAEP) 1903 .Digest(KM_DIGEST_NONE))); 1904 string message = "Hello World!"; 1905 1906 AuthorizationSet begin_params(client_params()); 1907 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1908 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1909 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1910 1911 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1912 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1913} 1914 1915TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 1916 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1917 .RsaEncryptionKey(512, 3) 1918 .Padding(KM_PAD_RSA_OAEP) 1919 .Digest(KM_DIGEST_SHA_2_256))); 1920 string message = "12345678901234567890123"; 1921 string result; 1922 size_t input_consumed; 1923 1924 AuthorizationSet begin_params(client_params()); 1925 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1926 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1927 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1928 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1929 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1930 EXPECT_EQ(0U, result.size()); 1931 1932 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1933 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1934} 1935 1936TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 1937 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1938 .RsaEncryptionKey(512, 3) 1939 .Padding(KM_PAD_RSA_OAEP) 1940 .Digest(KM_DIGEST_SHA_2_256))); 1941 string message = "Hello World!"; 1942 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1943 EXPECT_EQ(512U / 8, ciphertext.size()); 1944 1945 // Corrupt the ciphertext 1946 ciphertext[512 / 8 / 2]++; 1947 1948 string result; 1949 size_t input_consumed; 1950 AuthorizationSet begin_params(client_params()); 1951 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1952 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1953 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1954 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 1955 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 1956 EXPECT_EQ(0U, result.size()); 1957 1958 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1959 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1960} 1961 1962TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 1963 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1964 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1965 string message = "Hello World!"; 1966 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1967 EXPECT_EQ(512U / 8, ciphertext1.size()); 1968 1969 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1970 EXPECT_EQ(512U / 8, ciphertext2.size()); 1971 1972 // PKCS1 v1.5 randomizes padding so every result should be different. 1973 EXPECT_NE(ciphertext1, ciphertext2); 1974 1975 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1976 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1977} 1978 1979TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 1980 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1981 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1982 string message = "Hello World!"; 1983 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1984 EXPECT_EQ(512U / 8, ciphertext.size()); 1985 1986 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1987 EXPECT_EQ(message, plaintext); 1988 1989 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1990 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1991} 1992 1993TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 1994 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1995 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1996 string message = "123456789012345678901234567890123456789012345678901234"; 1997 string result; 1998 size_t input_consumed; 1999 2000 AuthorizationSet begin_params(client_params()); 2001 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2002 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2003 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2004 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2005 EXPECT_EQ(0U, result.size()); 2006 2007 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2008 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2009} 2010 2011TEST_P(EncryptionOperationsTest, RsaPkcs1InvalidDigest) { 2012 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2013 .RsaEncryptionKey(512, 3) 2014 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) 2015 .Digest(KM_DIGEST_NONE))); 2016 string message = "Hello World!"; 2017 string result; 2018 2019 AuthorizationSet begin_params(client_params()); 2020 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2021 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); // Any digest is invalid 2022 EXPECT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2023 2024 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2025 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2026} 2027 2028TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 2029 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2030 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2031 string message = "Hello World!"; 2032 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2033 EXPECT_EQ(512U / 8, ciphertext.size()); 2034 2035 // Corrupt the ciphertext 2036 ciphertext[512 / 8 / 2]++; 2037 2038 string result; 2039 size_t input_consumed; 2040 AuthorizationSet begin_params(client_params()); 2041 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2042 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2043 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2044 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2045 EXPECT_EQ(0U, result.size()); 2046 2047 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2048 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2049} 2050 2051TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 2052 ASSERT_EQ(KM_ERROR_OK, 2053 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); 2054 2055 AuthorizationSet begin_params(client_params()); 2056 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2057 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2058 2059 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2060 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2061} 2062 2063TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 2064 ASSERT_EQ(KM_ERROR_OK, 2065 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 2066 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2067 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2068 2069 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 2070 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2071} 2072 2073TEST_P(EncryptionOperationsTest, HmacEncrypt) { 2074 ASSERT_EQ( 2075 KM_ERROR_OK, 2076 GenerateKey( 2077 AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_NONE).Padding(KM_PAD_NONE))); 2078 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2079 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2080 2081 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2082} 2083 2084TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2085 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2086 .AesEncryptionKey(128) 2087 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2088 .Padding(KM_PAD_NONE))); 2089 // Two-block message. 2090 string message = "12345678901234567890123456789012"; 2091 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2092 EXPECT_EQ(message.size(), ciphertext1.size()); 2093 2094 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 2095 EXPECT_EQ(message.size(), ciphertext2.size()); 2096 2097 // ECB is deterministic. 2098 EXPECT_EQ(ciphertext1, ciphertext2); 2099 2100 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 2101 EXPECT_EQ(message, plaintext); 2102 2103 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2104} 2105 2106TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { 2107 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2108 .AesEncryptionKey(128) 2109 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2110 .Padding(KM_PAD_NONE))); 2111 // Two-block message. 2112 string message = "12345678901234567890123456789012"; 2113 AuthorizationSet begin_params(client_params()); 2114 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2115 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2116 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2117 2118 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2119} 2120 2121TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2122 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2123 .AesEncryptionKey(128) 2124 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2125 .Padding(KM_PAD_NONE))); 2126 // Message is slightly shorter than two blocks. 2127 string message = "1234567890123456789012345678901"; 2128 2129 AuthorizationSet begin_params(client_params()); 2130 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2131 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2132 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2133 string ciphertext; 2134 size_t input_consumed; 2135 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 2136 EXPECT_EQ(message.size(), input_consumed); 2137 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 2138 2139 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2140} 2141 2142TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2143 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2144 .AesEncryptionKey(128) 2145 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2146 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2147 2148 // Try various message lengths; all should work. 2149 for (size_t i = 0; i < 32; ++i) { 2150 string message(i, 'a'); 2151 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2152 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2153 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2154 EXPECT_EQ(message, plaintext); 2155 } 2156 2157 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2158} 2159 2160TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { 2161 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2162 .AesEncryptionKey(128) 2163 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2164 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2165 2166 // Try various message lengths; all should work. 2167 for (size_t i = 0; i < 32; ++i) { 2168 string message(i, 'a'); 2169 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2170 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2171 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2172 EXPECT_EQ(message, plaintext); 2173 } 2174 2175 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2176} 2177 2178TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2179 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2180 .AesEncryptionKey(128) 2181 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2182 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2183 2184 string message = "a"; 2185 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2186 EXPECT_EQ(16U, ciphertext.size()); 2187 EXPECT_NE(ciphertext, message); 2188 ++ciphertext[ciphertext.size() / 2]; 2189 2190 AuthorizationSet begin_params(client_params()); 2191 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2192 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2193 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2194 string plaintext; 2195 size_t input_consumed; 2196 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 2197 EXPECT_EQ(ciphertext.size(), input_consumed); 2198 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 2199 2200 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2201} 2202 2203TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2204 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2205 .AesEncryptionKey(128) 2206 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2207 .Padding(KM_PAD_NONE))); 2208 string message = "123"; 2209 string iv1; 2210 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 2211 EXPECT_EQ(message.size(), ciphertext1.size()); 2212 EXPECT_EQ(16U, iv1.size()); 2213 2214 string iv2; 2215 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 2216 EXPECT_EQ(message.size(), ciphertext2.size()); 2217 EXPECT_EQ(16U, iv2.size()); 2218 2219 // IVs should be random, so ciphertexts should differ. 2220 EXPECT_NE(iv1, iv2); 2221 EXPECT_NE(ciphertext1, ciphertext2); 2222 2223 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 2224 EXPECT_EQ(message, plaintext); 2225 2226 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2227} 2228 2229TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 2230 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2231 .AesEncryptionKey(128) 2232 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2233 .Padding(KM_PAD_NONE))); 2234 2235 int increment = 15; 2236 string message(239, 'a'); 2237 AuthorizationSet input_params(client_params()); 2238 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2239 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2240 AuthorizationSet output_params; 2241 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2242 2243 string ciphertext; 2244 size_t input_consumed; 2245 for (size_t i = 0; i < message.size(); i += increment) 2246 EXPECT_EQ(KM_ERROR_OK, 2247 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2248 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2249 EXPECT_EQ(message.size(), ciphertext.size()); 2250 2251 // Move TAG_NONCE into input_params 2252 input_params.Reinitialize(output_params); 2253 input_params.push_back(client_params()); 2254 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2255 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2256 output_params.Clear(); 2257 2258 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2259 string plaintext; 2260 for (size_t i = 0; i < ciphertext.size(); i += increment) 2261 EXPECT_EQ(KM_ERROR_OK, 2262 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2263 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2264 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2265 EXPECT_EQ(message, plaintext); 2266 2267 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2268} 2269 2270struct AesCtrSp80038aTestVector { 2271 const char* key; 2272 const char* nonce; 2273 const char* plaintext; 2274 const char* ciphertext; 2275}; 2276 2277// These test vectors are taken from 2278// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 2279static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 2280 // AES-128 2281 { 2282 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2283 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2284 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2285 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 2286 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 2287 }, 2288 // AES-192 2289 { 2290 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2291 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2292 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2293 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 2294 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 2295 }, 2296 // AES-256 2297 { 2298 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 2299 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2300 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2301 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2302 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2303 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2304 }, 2305}; 2306 2307TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2308 for (size_t i = 0; i < 3; i++) { 2309 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2310 const string key = hex2str(test.key); 2311 const string nonce = hex2str(test.nonce); 2312 const string plaintext = hex2str(test.plaintext); 2313 const string ciphertext = hex2str(test.ciphertext); 2314 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2315 } 2316 2317 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2318} 2319 2320TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2321 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2322 .AesEncryptionKey(128) 2323 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2324 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2325 AuthorizationSet begin_params(client_params()); 2326 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2327 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2328 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2329 2330 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2331} 2332 2333TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2334 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2335 .AesEncryptionKey(128) 2336 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2337 .Authorization(TAG_CALLER_NONCE) 2338 .Padding(KM_PAD_NONE))); 2339 2340 AuthorizationSet input_params(client_params()); 2341 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2342 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2343 input_params.push_back(TAG_NONCE, "123", 3); 2344 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2345 2346 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2347} 2348 2349TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2350 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2351 .AesEncryptionKey(128) 2352 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2353 .Padding(KM_PAD_NONE))); 2354 // Two-block message. 2355 string message = "12345678901234567890123456789012"; 2356 string iv1; 2357 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2358 EXPECT_EQ(message.size(), ciphertext1.size()); 2359 2360 string iv2; 2361 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2362 EXPECT_EQ(message.size(), ciphertext2.size()); 2363 2364 // IVs should be random, so ciphertexts should differ. 2365 EXPECT_NE(iv1, iv2); 2366 EXPECT_NE(ciphertext1, ciphertext2); 2367 2368 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2369 EXPECT_EQ(message, plaintext); 2370 2371 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2372} 2373 2374TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2375 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2376 .AesEncryptionKey(128) 2377 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2378 .Authorization(TAG_CALLER_NONCE) 2379 .Padding(KM_PAD_NONE))); 2380 string message = "12345678901234567890123456789012"; 2381 string iv1; 2382 // Don't specify nonce, should get a random one. 2383 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2384 EXPECT_EQ(message.size(), ciphertext1.size()); 2385 EXPECT_EQ(16U, iv1.size()); 2386 2387 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2388 EXPECT_EQ(message, plaintext); 2389 2390 // Now specify a nonce, should also work. 2391 AuthorizationSet input_params(client_params()); 2392 AuthorizationSet update_params; 2393 AuthorizationSet output_params; 2394 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2395 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2396 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2397 string ciphertext2 = 2398 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2399 2400 // Decrypt with correct nonce. 2401 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2402 &output_params); 2403 EXPECT_EQ(message, plaintext); 2404 2405 // Now try with wrong nonce. 2406 input_params.Reinitialize(client_params()); 2407 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2408 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2409 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2410 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2411 &output_params); 2412 EXPECT_NE(message, plaintext); 2413 2414 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2415} 2416 2417TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2418 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2419 .AesEncryptionKey(128) 2420 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2421 .Padding(KM_PAD_NONE))); 2422 2423 string message = "12345678901234567890123456789012"; 2424 string iv1; 2425 // Don't specify nonce, should get a random one. 2426 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2427 EXPECT_EQ(message.size(), ciphertext1.size()); 2428 EXPECT_EQ(16U, iv1.size()); 2429 2430 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2431 EXPECT_EQ(message, plaintext); 2432 2433 // Now specify a nonce, should fail. 2434 AuthorizationSet input_params(client_params()); 2435 AuthorizationSet update_params; 2436 AuthorizationSet output_params; 2437 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2438 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2439 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2440 2441 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2442 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2443 2444 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2445} 2446 2447TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2448 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2449 .AesEncryptionKey(128) 2450 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2451 .Padding(KM_PAD_NONE))); 2452 2453 int increment = 15; 2454 string message(240, 'a'); 2455 AuthorizationSet input_params(client_params()); 2456 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2457 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2458 AuthorizationSet output_params; 2459 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2460 2461 string ciphertext; 2462 size_t input_consumed; 2463 for (size_t i = 0; i < message.size(); i += increment) 2464 EXPECT_EQ(KM_ERROR_OK, 2465 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2466 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2467 EXPECT_EQ(message.size(), ciphertext.size()); 2468 2469 // Move TAG_NONCE into input_params 2470 input_params.Reinitialize(output_params); 2471 input_params.push_back(client_params()); 2472 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2473 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2474 output_params.Clear(); 2475 2476 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2477 string plaintext; 2478 for (size_t i = 0; i < ciphertext.size(); i += increment) 2479 EXPECT_EQ(KM_ERROR_OK, 2480 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2481 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2482 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2483 EXPECT_EQ(message, plaintext); 2484 2485 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2486} 2487 2488TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2489 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2490 .AesEncryptionKey(128) 2491 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2492 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2493 2494 // Try various message lengths; all should work. 2495 for (size_t i = 0; i < 32; ++i) { 2496 string message(i, 'a'); 2497 string iv; 2498 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2499 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2500 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2501 EXPECT_EQ(message, plaintext); 2502 } 2503 2504 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2505} 2506 2507TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2508 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2509 .AesEncryptionKey(128) 2510 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2511 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2512 string aad = "foobar"; 2513 string message = "123456789012345678901234567890123456"; 2514 AuthorizationSet begin_params(client_params()); 2515 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2516 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2517 begin_params.push_back(TAG_MAC_LENGTH, 128); 2518 2519 AuthorizationSet update_params; 2520 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2521 2522 // Encrypt 2523 AuthorizationSet begin_out_params; 2524 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2525 string ciphertext; 2526 size_t input_consumed; 2527 AuthorizationSet update_out_params; 2528 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2529 &input_consumed)); 2530 EXPECT_EQ(message.size(), input_consumed); 2531 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2532 2533 // Grab nonce 2534 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2535 begin_params.push_back(begin_out_params); 2536 2537 // Decrypt. 2538 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2539 string plaintext; 2540 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2541 &plaintext, &input_consumed)); 2542 EXPECT_EQ(ciphertext.size(), input_consumed); 2543 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2544 2545 EXPECT_EQ(message, plaintext); 2546 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2547} 2548 2549TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { 2550 uint8_t nonce[] = { 2551 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 2552 }; 2553 uint8_t ciphertext[] = { 2554 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 2555 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 2556 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 2557 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 2558 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 2559 }; 2560 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); 2561 2562 AuthorizationSet begin_params(client_params()); 2563 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2564 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2565 begin_params.push_back(TAG_MAC_LENGTH, 128); 2566 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); 2567 2568 string plaintext; 2569 size_t input_consumed; 2570 2571 // Import correct key and decrypt 2572 uint8_t good_key[] = { 2573 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2574 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2575 }; 2576 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); 2577 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2578 .AesEncryptionKey(128) 2579 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2580 .Authorization(TAG_PADDING, KM_PAD_NONE) 2581 .Authorization(TAG_CALLER_NONCE), 2582 KM_KEY_FORMAT_RAW, good_key_str)); 2583 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2584 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2585 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2586 2587 // Import bad key and decrypt 2588 uint8_t bad_key[] = { 2589 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2590 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2591 }; 2592 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); 2593 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2594 .AesEncryptionKey(128) 2595 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2596 .Authorization(TAG_PADDING, KM_PAD_NONE), 2597 KM_KEY_FORMAT_RAW, bad_key_str)); 2598 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2599 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2600 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2601 2602 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2603} 2604 2605TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { 2606 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2607 .AesEncryptionKey(128) 2608 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2609 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2610 string aad = "123456789012345678"; 2611 string empty_message; 2612 AuthorizationSet begin_params(client_params()); 2613 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2614 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2615 begin_params.push_back(TAG_MAC_LENGTH, 128); 2616 2617 AuthorizationSet update_params; 2618 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2619 2620 // Encrypt 2621 AuthorizationSet begin_out_params; 2622 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2623 string ciphertext; 2624 size_t input_consumed; 2625 AuthorizationSet update_out_params; 2626 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, 2627 &ciphertext, &input_consumed)); 2628 EXPECT_EQ(0U, input_consumed); 2629 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2630 2631 // Grab nonce 2632 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2633 begin_params.push_back(begin_out_params); 2634 2635 // Decrypt. 2636 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2637 string plaintext; 2638 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2639 &plaintext, &input_consumed)); 2640 EXPECT_EQ(ciphertext.size(), input_consumed); 2641 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2642 2643 EXPECT_EQ(empty_message, plaintext); 2644 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2645} 2646 2647TEST_P(EncryptionOperationsTest, AesGcmIncremental) { 2648 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2649 .AesEncryptionKey(128) 2650 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2651 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2652 AuthorizationSet begin_params(client_params()); 2653 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2654 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2655 begin_params.push_back(TAG_MAC_LENGTH, 128); 2656 2657 AuthorizationSet update_params; 2658 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); 2659 2660 // Encrypt 2661 AuthorizationSet begin_out_params; 2662 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2663 string ciphertext; 2664 size_t input_consumed; 2665 AuthorizationSet update_out_params; 2666 2667 // Send AAD, incrementally 2668 for (int i = 0; i < 1000; ++i) { 2669 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2670 &input_consumed)); 2671 EXPECT_EQ(0U, input_consumed); 2672 EXPECT_EQ(0U, ciphertext.size()); 2673 } 2674 2675 // Now send data, incrementally, no data. 2676 AuthorizationSet empty_params; 2677 for (int i = 0; i < 1000; ++i) { 2678 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, 2679 &input_consumed)); 2680 EXPECT_EQ(1U, input_consumed); 2681 } 2682 EXPECT_EQ(1000U, ciphertext.size()); 2683 2684 // And finish. 2685 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2686 EXPECT_EQ(1016U, ciphertext.size()); 2687 2688 // Grab nonce 2689 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2690 begin_params.push_back(begin_out_params); 2691 2692 // Decrypt. 2693 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2694 string plaintext; 2695 2696 // Send AAD, incrementally, no data 2697 for (int i = 0; i < 1000; ++i) { 2698 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, 2699 &input_consumed)); 2700 EXPECT_EQ(0U, input_consumed); 2701 EXPECT_EQ(0U, plaintext.size()); 2702 } 2703 2704 // Now send data, incrementally. 2705 for (size_t i = 0; i < ciphertext.length(); ++i) { 2706 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), 2707 &update_out_params, &plaintext, &input_consumed)); 2708 EXPECT_EQ(1U, input_consumed); 2709 } 2710 EXPECT_EQ(1000U, plaintext.size()); 2711 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2712 2713 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2714} 2715 2716TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 2717 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2718 .AesEncryptionKey(128) 2719 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2720 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2721 string message = "123456789012345678901234567890123456"; 2722 AuthorizationSet begin_params(client_params()); 2723 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2724 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2725 begin_params.push_back(TAG_MAC_LENGTH, 128); 2726 AuthorizationSet begin_out_params; 2727 2728 AuthorizationSet update_params; 2729 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 2730 2731 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2732 2733 // No data, AAD only. 2734 string ciphertext; 2735 size_t input_consumed; 2736 AuthorizationSet update_out_params; 2737 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, 2738 &ciphertext, &input_consumed)); 2739 EXPECT_EQ(0U, input_consumed); 2740 2741 // AAD and data. 2742 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2743 &input_consumed)); 2744 EXPECT_EQ(message.size(), input_consumed); 2745 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2746 2747 // Grab nonce. 2748 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2749 begin_params.push_back(begin_out_params); 2750 2751 // Decrypt 2752 update_params.Clear(); 2753 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); 2754 2755 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2756 string plaintext; 2757 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2758 &plaintext, &input_consumed)); 2759 EXPECT_EQ(ciphertext.size(), input_consumed); 2760 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2761 2762 EXPECT_EQ(message, plaintext); 2763 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2764} 2765 2766TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 2767 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2768 .AesEncryptionKey(128) 2769 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2770 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2771 string message = "12345678901234567890123456789012"; 2772 AuthorizationSet begin_params(client_params()); 2773 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2774 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2775 begin_params.push_back(TAG_MAC_LENGTH, 128); 2776 2777 AuthorizationSet update_params; 2778 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 2779 2780 AuthorizationSet finish_params; 2781 AuthorizationSet finish_out_params; 2782 2783 // Encrypt 2784 AuthorizationSet begin_out_params; 2785 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2786 AuthorizationSet update_out_params; 2787 string ciphertext; 2788 size_t input_consumed; 2789 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2790 &input_consumed)); 2791 EXPECT_EQ(message.size(), input_consumed); 2792 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2793 2794 // Grab nonce 2795 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2796 begin_params.push_back(begin_out_params); 2797 2798 update_params.Clear(); 2799 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 2800 2801 // Decrypt. 2802 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2803 string plaintext; 2804 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2805 &plaintext, &input_consumed)); 2806 EXPECT_EQ(ciphertext.size(), input_consumed); 2807 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2808 2809 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2810} 2811 2812TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 2813 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2814 .AesEncryptionKey(128) 2815 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2816 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2817 string message = "12345678901234567890123456789012"; 2818 AuthorizationSet begin_params(client_params()); 2819 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2820 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2821 begin_params.push_back(TAG_MAC_LENGTH, 128); 2822 2823 AuthorizationSet update_params; 2824 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 2825 2826 // Encrypt 2827 AuthorizationSet begin_out_params; 2828 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2829 AuthorizationSet update_out_params; 2830 string ciphertext; 2831 size_t input_consumed; 2832 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2833 &input_consumed)); 2834 EXPECT_EQ(message.size(), input_consumed); 2835 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2836 2837 begin_params.push_back(TAG_NONCE, "123456789012", 12); 2838 2839 // Decrypt 2840 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2841 string plaintext; 2842 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2843 &plaintext, &input_consumed)); 2844 EXPECT_EQ(ciphertext.size(), input_consumed); 2845 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2846 2847 // With wrong nonce, should have gotten garbage plaintext. 2848 EXPECT_NE(message, plaintext); 2849 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2850} 2851 2852TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 2853 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2854 .AesEncryptionKey(128) 2855 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2856 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2857 string aad = "foobar"; 2858 string message = "123456789012345678901234567890123456"; 2859 AuthorizationSet begin_params(client_params()); 2860 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2861 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2862 begin_params.push_back(TAG_MAC_LENGTH, 128); 2863 AuthorizationSet begin_out_params; 2864 2865 AuthorizationSet update_params; 2866 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2867 2868 // Encrypt 2869 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2870 AuthorizationSet update_out_params; 2871 string ciphertext; 2872 size_t input_consumed; 2873 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2874 &input_consumed)); 2875 EXPECT_EQ(message.size(), input_consumed); 2876 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2877 2878 // Corrupt tag 2879 (*ciphertext.rbegin())++; 2880 2881 // Grab nonce. 2882 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2883 begin_params.push_back(begin_out_params); 2884 2885 // Decrypt. 2886 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2887 string plaintext; 2888 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2889 &plaintext, &input_consumed)); 2890 EXPECT_EQ(ciphertext.size(), input_consumed); 2891 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2892 2893 EXPECT_EQ(message, plaintext); 2894 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2895} 2896 2897typedef Keymaster1Test MaxOperationsTest; 2898INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); 2899 2900TEST_P(MaxOperationsTest, TestLimit) { 2901 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2902 .AesEncryptionKey(128) 2903 .EcbMode() 2904 .Authorization(TAG_PADDING, KM_PAD_NONE) 2905 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 2906 2907 string message = "1234567890123456"; 2908 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2909 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2910 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2911 2912 // Fourth time should fail. 2913 AuthorizationSet begin_params(client_params()); 2914 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2915 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2916 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2917 2918 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2919} 2920 2921TEST_P(MaxOperationsTest, TestAbort) { 2922 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2923 .AesEncryptionKey(128) 2924 .EcbMode() 2925 .Authorization(TAG_PADDING, KM_PAD_NONE) 2926 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 2927 2928 string message = "1234567890123456"; 2929 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2930 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2931 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2932 2933 // Fourth time should fail. 2934 AuthorizationSet begin_params(client_params()); 2935 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2936 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2937 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2938 2939 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2940} 2941 2942typedef Keymaster1Test AddEntropyTest; 2943INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 2944 2945TEST_P(AddEntropyTest, AddEntropy) { 2946 // There's no obvious way to test that entropy is actually added, but we can test that the API 2947 // doesn't blow up or return an error. 2948 EXPECT_EQ(KM_ERROR_OK, 2949 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 2950 2951 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2952} 2953 2954typedef Keymaster1Test Keymaster0AdapterTest; 2955INSTANTIATE_TEST_CASE_P( 2956 AndroidKeymasterTest, Keymaster0AdapterTest, 2957 ::testing::Values( 2958 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 2959 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); 2960 2961TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { 2962 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 2963 // key data. 2964 string km1_sw = read_file("km1_sw_rsa_512.blob"); 2965 EXPECT_EQ(486U, km1_sw.length()); 2966 2967 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 2968 memcpy(key_data, km1_sw.data(), km1_sw.length()); 2969 set_key_blob(key_data, km1_sw.length()); 2970 2971 string message(64, 'a'); 2972 string signature; 2973 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2974 2975 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2976} 2977 2978TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) { 2979 // Load and use an old-style Keymaster1 software key blob, without the version byte. These 2980 // blobs contain OCB-encrypted key data. 2981 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob"); 2982 EXPECT_EQ(477U, km1_sw.length()); 2983 2984 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 2985 memcpy(key_data, km1_sw.data(), km1_sw.length()); 2986 set_key_blob(key_data, km1_sw.length()); 2987 2988 string message(64, 'a'); 2989 string signature; 2990 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2991 2992 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2993} 2994 2995TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { 2996 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 2997 // key data. 2998 string km1_sw = read_file("km1_sw_ecdsa_256.blob"); 2999 EXPECT_EQ(270U, km1_sw.length()); 3000 3001 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3002 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3003 set_key_blob(key_data, km1_sw.length()); 3004 3005 string message(32, static_cast<char>(0xFF)); 3006 string signature; 3007 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3008 3009 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3010} 3011 3012struct Malloc_Delete { 3013 void operator()(void* p) { free(p); } 3014}; 3015 3016TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { 3017 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3018 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3019 EXPECT_EQ(333U, km0_sw.length()); 3020 3021 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3022 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3023 set_key_blob(key_data, km0_sw.length()); 3024 3025 string message(64, 'a'); 3026 string signature; 3027 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3028 3029 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3030} 3031 3032TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { 3033 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3034 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3035 EXPECT_EQ(333U, km0_sw.length()); 3036 3037 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3038 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3039 set_key_blob(key_data, km0_sw.length()); 3040 3041 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3042 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3043 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3044 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3045 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3046 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3047 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3048 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3049 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3050 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3051 3052 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3053} 3054 3055TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { 3056 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3057 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3058 EXPECT_EQ(333U, km0_sw.length()); 3059 3060 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3061 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3062 EXPECT_EQ('P', km0_sw[0]); 3063 km0_sw[0] = 'Q'; 3064 3065 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3066 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3067 set_key_blob(key_data, km0_sw.length()); 3068 3069 string message(64, 'a'); 3070 string signature; 3071 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3072 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 3073 3074 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 3075} 3076 3077TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { 3078 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3079 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3080 EXPECT_EQ(333U, km0_sw.length()); 3081 3082 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3083 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3084 EXPECT_EQ('P', km0_sw[0]); 3085 km0_sw[0] = 'Q'; 3086 3087 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3088 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3089 set_key_blob(key_data, km0_sw.length()); 3090 3091 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3092 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3093 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); 3094 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3095 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3096 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3097 EXPECT_EQ(5U, hw_enforced().size()); 3098 3099 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3100 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3101 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3102 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3103 3104 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3105 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3106 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3107 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3108 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3109 3110 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 3111} 3112 3113} // namespace test 3114} // namespace keymaster 3115