android_keymaster_test.cpp revision 1937c715b39044e024e9eda98a09dee84142e9b2
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <fstream> 18#include <string> 19#include <vector> 20 21#include <openssl/evp.h> 22#include <openssl/x509.h> 23 24#include <hardware/keymaster0.h> 25#include <keymaster/key_factory.h> 26#include <keymaster/soft_keymaster_context.h> 27#include <keymaster/soft_keymaster_device.h> 28#include <keymaster/softkeymaster.h> 29 30#include "android_keymaster_test_utils.h" 31#include "keymaster0_engine.h" 32#include "openssl_utils.h" 33 34using std::ifstream; 35using std::istreambuf_iterator; 36using std::string; 37using std::vector; 38using std::unique_ptr; 39 40extern "C" { 41int __android_log_print(int prio, const char* tag, const char* fmt); 42int __android_log_print(int prio, const char* tag, const char* fmt) { 43 (void)prio, (void)tag, (void)fmt; 44 return 0; 45} 46} // extern "C" 47 48namespace keymaster { 49namespace test { 50 51StdoutLogger logger; 52 53template <typename T> vector<T> make_vector(const T* array, size_t len) { 54 return vector<T>(array, array + len); 55} 56 57/** 58 * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't 59 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited 60 * keys will only work once). 61 */ 62class TestKeymasterEnforcement : public KeymasterEnforcement { 63 public: 64 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {} 65 66 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } 67 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } 68 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, 69 uint32_t /* timeout */) const { 70 return false; 71 } 72 virtual uint32_t get_current_time() const { return 0; } 73 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } 74}; 75 76/** 77 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement. 78 */ 79class TestKeymasterContext : public SoftKeymasterContext { 80 public: 81 TestKeymasterContext() {} 82 TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {} 83 84 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } 85 86 private: 87 TestKeymasterEnforcement test_policy_; 88}; 89 90/** 91 * Test instance creator that builds a pure software keymaster1 implementations. 92 */ 93class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator { 94 public: 95 keymaster2_device_t* CreateDevice() const override { 96 std::cerr << "Creating software-only device" << std::endl; 97 SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext); 98 return device->keymaster2_device(); 99 } 100 101 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } 102 int keymaster0_calls() const override { return 0; } 103}; 104 105/** 106 * Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0 107 * instance, with or without EC support. 108 */ 109class Keymaster0AdapterTestInstanceCreator : public Keymaster2TestInstanceCreator { 110 public: 111 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} 112 113 keymaster2_device_t* CreateDevice() const { 114 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ 115 << ")." << std::endl; 116 hw_device_t* softkeymaster_device; 117 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 118 &softkeymaster_device)); 119 // Make the software device pretend to be hardware 120 keymaster0_device_t* keymaster0_device = 121 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 122 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; 123 124 if (!support_ec_) { 125 // Make the software device pretend not to support EC 126 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; 127 } 128 129 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 130 131 SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(new TestKeymasterContext); 132 keymaster->SetHardwareDevice(counting_keymaster0_device_); 133 return keymaster->keymaster2_device(); 134 } 135 136 bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override { 137 switch (algorithm) { 138 case KM_ALGORITHM_RSA: 139 return true; 140 case KM_ALGORITHM_EC: 141 return support_ec_; 142 default: 143 return false; 144 } 145 } 146 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 147 148 private: 149 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 150 bool support_ec_; 151}; 152 153/** 154 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1 155 * instance, with minimal digest support. 156 */ 157class Sha256OnlyKeymaster1TestInstanceCreator : public Keymaster2TestInstanceCreator { 158 keymaster2_device_t* CreateDevice() const { 159 std::cerr << "Creating keymaster1-backed device that supports only SHA256"; 160 161 // fake_device doesn't leak because device (below) takes ownership of it. 162 keymaster1_device_t* fake_device = make_device_sha256_only( 163 (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device()); 164 165 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close(). 166 SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext); 167 device->SetHardwareDevice(fake_device); 168 169 return device->keymaster2_device(); 170 } 171 172 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } 173 int keymaster0_calls() const override { return 0; } 174 int minimal_digest_set() const override { return true; } 175}; 176 177static auto test_params = testing::Values( 178 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 179 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 180 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)), 181 InstanceCreatorPtr(new Sha256OnlyKeymaster1TestInstanceCreator)); 182 183class NewKeyGeneration : public Keymaster2Test { 184 protected: 185 void CheckBaseParams() { 186 AuthorizationSet auths = sw_enforced(); 187 EXPECT_GT(auths.SerializedSize(), 12U); 188 189 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 190 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 191 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 192 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 193 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 194 195 // Verify that App ID, App data and ROT are NOT included. 196 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 197 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 198 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 199 200 // Just for giggles, check that some unexpected tags/values are NOT present. 201 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 202 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 203 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 204 205 // Now check that unspecified, defaulted tags are correct. 206 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 207 } 208}; 209INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 210 211TEST_P(NewKeyGeneration, Rsa) { 212 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 213 .RsaSigningKey(256, 3) 214 .Digest(KM_DIGEST_NONE) 215 .Padding(KM_PAD_NONE))); 216 CheckBaseParams(); 217 218 // Check specified tags are all present, and in the right set. 219 AuthorizationSet crypto_params; 220 AuthorizationSet non_crypto_params; 221 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) { 222 EXPECT_NE(0U, hw_enforced().size()); 223 EXPECT_NE(0U, sw_enforced().size()); 224 crypto_params.push_back(hw_enforced()); 225 non_crypto_params.push_back(sw_enforced()); 226 } else { 227 EXPECT_EQ(0U, hw_enforced().size()); 228 EXPECT_NE(0U, sw_enforced().size()); 229 crypto_params.push_back(sw_enforced()); 230 } 231 232 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 233 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 234 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 235 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 236 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 237 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 238 239 EXPECT_EQ(KM_ERROR_OK, DeleteKey()); 240 241 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 242 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 243} 244 245TEST_P(NewKeyGeneration, RsaDefaultSize) { 246 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 247 GenerateKey(AuthorizationSetBuilder() 248 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 249 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 250 .SigningKey())); 251 252 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 253} 254 255TEST_P(NewKeyGeneration, Ecdsa) { 256 ASSERT_EQ(KM_ERROR_OK, 257 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 258 CheckBaseParams(); 259 260 // Check specified tags are all present, and in the right set. 261 AuthorizationSet crypto_params; 262 AuthorizationSet non_crypto_params; 263 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) { 264 EXPECT_NE(0U, hw_enforced().size()); 265 EXPECT_NE(0U, sw_enforced().size()); 266 crypto_params.push_back(hw_enforced()); 267 non_crypto_params.push_back(sw_enforced()); 268 } else { 269 EXPECT_EQ(0U, hw_enforced().size()); 270 EXPECT_NE(0U, sw_enforced().size()); 271 crypto_params.push_back(sw_enforced()); 272 } 273 274 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 275 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 276 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 277 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 278 279 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 280 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 281} 282 283TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 284 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 285 GenerateKey(AuthorizationSetBuilder() 286 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 287 .SigningKey() 288 .Digest(KM_DIGEST_NONE))); 289 290 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 291} 292 293TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 294 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 295 ASSERT_EQ( 296 KM_ERROR_UNKNOWN_ERROR, 297 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 298 else 299 ASSERT_EQ( 300 KM_ERROR_UNSUPPORTED_KEY_SIZE, 301 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 302 303 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 304 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 305} 306 307TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 308 size_t valid_sizes[] = {224, 256, 384, 521}; 309 for (size_t size : valid_sizes) { 310 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 311 KM_DIGEST_NONE))) 312 << "Failed to generate size: " << size; 313 } 314 315 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 316 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 317} 318 319TEST_P(NewKeyGeneration, HmacSha256) { 320 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 321 .HmacKey(128) 322 .Digest(KM_DIGEST_SHA_2_256) 323 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 324 325 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 326} 327 328TEST_P(NewKeyGeneration, HmacMultipleDigests) { 329 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 330 GenerateKey(AuthorizationSetBuilder() 331 .HmacKey(128) 332 .Digest(KM_DIGEST_SHA1) 333 .Digest(KM_DIGEST_SHA_2_256) 334 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 335 336 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 337} 338 339TEST_P(NewKeyGeneration, HmacDigestNone) { 340 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 341 GenerateKey(AuthorizationSetBuilder() 342 .HmacKey(128) 343 .Digest(KM_DIGEST_NONE) 344 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 345 346 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 347} 348 349TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) { 350 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 351 GenerateKey(AuthorizationSetBuilder() 352 .HmacKey(128) 353 .Digest(KM_DIGEST_SHA_2_256) 354 .Authorization(TAG_MIN_MAC_LENGTH, 48))); 355 356 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 357} 358 359TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) { 360 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 361 GenerateKey(AuthorizationSetBuilder() 362 .HmacKey(128) 363 .Digest(KM_DIGEST_SHA_2_256) 364 .Authorization(TAG_MIN_MAC_LENGTH, 130))); 365 366 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 367} 368 369TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) { 370 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 371 GenerateKey(AuthorizationSetBuilder() 372 .HmacKey(128) 373 .Digest(KM_DIGEST_SHA_2_256) 374 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 375 376 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 377} 378 379typedef Keymaster2Test GetKeyCharacteristics; 380INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 381 382TEST_P(GetKeyCharacteristics, SimpleRsa) { 383 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 384 .RsaSigningKey(256, 3) 385 .Digest(KM_DIGEST_NONE) 386 .Padding(KM_PAD_NONE))); 387 AuthorizationSet original(sw_enforced()); 388 389 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 390 EXPECT_EQ(original, sw_enforced()); 391 392 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 393 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 394} 395 396typedef Keymaster2Test SigningOperationsTest; 397INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 398 399TEST_P(SigningOperationsTest, RsaSuccess) { 400 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 401 .RsaSigningKey(256, 3) 402 .Digest(KM_DIGEST_NONE) 403 .Padding(KM_PAD_NONE))); 404 string message = "12345678901234567890123456789012"; 405 string signature; 406 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 407 408 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 409 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 410} 411 412TEST_P(SigningOperationsTest, RsaPssSha256Success) { 413 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 414 .RsaSigningKey(512, 3) 415 .Digest(KM_DIGEST_SHA_2_256) 416 .Padding(KM_PAD_RSA_PSS))); 417 // Use large message, which won't work without digesting. 418 string message(1024, 'a'); 419 string signature; 420 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 421 422 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 423 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 424} 425 426TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 427 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 428 .RsaSigningKey(512, 3) 429 .Digest(KM_DIGEST_NONE) 430 .Padding(KM_PAD_NONE))); 431 string message = "12345678901234567890123456789012"; 432 string signature; 433 434 AuthorizationSet begin_params(client_params()); 435 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 436 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 437 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 438 439 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 440 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 441} 442 443TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 444 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 445 .RsaSigningKey(512, 3) 446 .Digest(KM_DIGEST_SHA_2_256) 447 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 448 string message(1024, 'a'); 449 string signature; 450 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 451 452 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 453 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 454} 455 456TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 457 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 458 .RsaSigningKey(512, 3) 459 .Digest(KM_DIGEST_NONE) 460 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 461 string message(53, 'a'); 462 string signature; 463 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); 464 465 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 466 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 467} 468 469TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { 470 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 471 .RsaSigningKey(512, 3) 472 .Digest(KM_DIGEST_NONE) 473 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 474 string message(54, 'a'); 475 476 AuthorizationSet begin_params(client_params()); 477 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 478 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 479 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 480 string result; 481 size_t input_consumed; 482 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 483 string signature; 484 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 485 486 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 487 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 488} 489 490TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 491 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 492 // verify that nine bytes larger than hash won't work. 493 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 494 .RsaSigningKey(256 + 9 * 8, 3) 495 .Digest(KM_DIGEST_SHA_2_256) 496 .Padding(KM_PAD_RSA_PSS))); 497 string message(1024, 'a'); 498 string signature; 499 500 AuthorizationSet begin_params(client_params()); 501 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 502 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 503 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 504} 505 506TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { 507 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 508 .RsaSigningKey(256, 3) 509 .Digest(KM_DIGEST_NONE) 510 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 511 string message(64 * 1024, 'a'); 512 string signature; 513 AuthorizationSet begin_params(client_params()); 514 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 515 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 516 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 517 string result; 518 size_t input_consumed; 519 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 520 521 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 522 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 523} 524 525TEST_P(SigningOperationsTest, RsaAbort) { 526 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 527 .RsaSigningKey(256, 3) 528 .Digest(KM_DIGEST_NONE) 529 .Padding(KM_PAD_NONE))); 530 AuthorizationSet begin_params(client_params()); 531 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 532 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 533 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 534 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 535 // Another abort should fail 536 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 537 538 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 539 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 540} 541 542TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 543 GenerateKey(AuthorizationSetBuilder() 544 .RsaSigningKey(256, 3) 545 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 546 .Padding(KM_PAD_PKCS7)); 547 AuthorizationSet begin_params(client_params()); 548 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 549 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 550 551 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 552 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 553} 554 555TEST_P(SigningOperationsTest, RsaNoDigest) { 556 // PSS requires a digest. 557 GenerateKey(AuthorizationSetBuilder() 558 .RsaSigningKey(256, 3) 559 .Digest(KM_DIGEST_NONE) 560 .Padding(KM_PAD_RSA_PSS)); 561 AuthorizationSet begin_params(client_params()); 562 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 563 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 564 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 565 566 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 567 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 568} 569 570TEST_P(SigningOperationsTest, RsaNoPadding) { 571 // Padding must be specified 572 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 573 KM_DIGEST_NONE))); 574 AuthorizationSet begin_params(client_params()); 575 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 576 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 577 578 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 579 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 580} 581 582TEST_P(SigningOperationsTest, RsaTooShortMessage) { 583 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 584 .RsaSigningKey(256, 3) 585 .Digest(KM_DIGEST_NONE) 586 .Padding(KM_PAD_NONE))); 587 string message = "1234567890123456789012345678901"; 588 string signature; 589 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 590 591 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 592 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 593} 594 595TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 596 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 597 .RsaEncryptionKey(256, 3) 598 .Digest(KM_DIGEST_NONE) 599 .Padding(KM_PAD_NONE))); 600 AuthorizationSet begin_params(client_params()); 601 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 602 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 603 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 604 605 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 606 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 607} 608 609TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) { 610 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 611 .RsaSigningKey(256, 3) 612 .Digest(KM_DIGEST_NONE) 613 .Padding(KM_PAD_NONE))); 614 string message(256 / 8, static_cast<char>(0xff)); 615 string signature; 616 AuthorizationSet begin_params(client_params()); 617 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 618 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 619 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 620 string result; 621 size_t input_consumed; 622 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 623 ASSERT_EQ(message.size(), input_consumed); 624 string output; 625 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output)); 626 627 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 628 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 629} 630 631TEST_P(SigningOperationsTest, EcdsaSuccess) { 632 ASSERT_EQ(KM_ERROR_OK, 633 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 634 string message(224 / 8, 'a'); 635 string signature; 636 SignMessage(message, &signature, KM_DIGEST_NONE); 637 638 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 639 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 640} 641 642TEST_P(SigningOperationsTest, EcdsaSha256Success) { 643 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 644 KM_DIGEST_SHA_2_256))); 645 string message(1024, 'a'); 646 string signature; 647 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 648 649 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 650 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 651} 652 653TEST_P(SigningOperationsTest, EcdsaSha384Success) { 654 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 655 KM_DIGEST_SHA_2_384))); 656 string message(1024, 'a'); 657 string signature; 658 SignMessage(message, &signature, KM_DIGEST_SHA_2_384); 659 660 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 661 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 662} 663 664TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { 665 ASSERT_EQ(KM_ERROR_OK, 666 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 667 string message(64 * 1024, 'a'); 668 string signature; 669 AuthorizationSet begin_params(client_params()); 670 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 671 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 672 string result; 673 size_t input_consumed; 674 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 675 676 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 677 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 678} 679 680TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) { 681 vector<int> key_sizes = {224, 256, 384, 521}; 682 vector<keymaster_digest_t> digests = { 683 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, 684 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 685 }; 686 687 for (int key_size : key_sizes) { 688 for (keymaster_digest_t digest : digests) { 689 ASSERT_EQ( 690 KM_ERROR_OK, 691 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); 692 693 string message(1024, 'a'); 694 string signature; 695 if (digest == KM_DIGEST_NONE) 696 message.resize(key_size / 8); 697 SignMessage(message, &signature, digest); 698 } 699 } 700 701 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 702 EXPECT_EQ(digests.size() * key_sizes.size() * 3, 703 static_cast<size_t>(GetParam()->keymaster0_calls())); 704} 705 706TEST_P(SigningOperationsTest, AesEcbSign) { 707 ASSERT_EQ(KM_ERROR_OK, 708 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 709 TAG_BLOCK_MODE, KM_MODE_ECB))); 710 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 711 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 712 713 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 714} 715 716TEST_P(SigningOperationsTest, HmacSha1Success) { 717 if (GetParam()->minimal_digest_set()) 718 // Can't emulate other digests for HMAC. 719 return; 720 721 GenerateKey(AuthorizationSetBuilder() 722 .HmacKey(128) 723 .Digest(KM_DIGEST_SHA1) 724 .Authorization(TAG_MIN_MAC_LENGTH, 160)); 725 string message = "12345678901234567890123456789012"; 726 string signature; 727 MacMessage(message, &signature, 160); 728 ASSERT_EQ(20U, signature.size()); 729 730 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 731} 732 733TEST_P(SigningOperationsTest, HmacSha224Success) { 734 if (GetParam()->minimal_digest_set()) 735 // Can't emulate other digests for HMAC. 736 return; 737 738 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 739 .HmacKey(128) 740 .Digest(KM_DIGEST_SHA_2_224) 741 .Authorization(TAG_MIN_MAC_LENGTH, 160))); 742 string message = "12345678901234567890123456789012"; 743 string signature; 744 MacMessage(message, &signature, 224); 745 ASSERT_EQ(28U, signature.size()); 746 747 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 748} 749 750TEST_P(SigningOperationsTest, HmacSha256Success) { 751 if (GetParam()->minimal_digest_set()) 752 // Can't emulate other digests for HMAC. 753 return; 754 755 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 756 .HmacKey(128) 757 .Digest(KM_DIGEST_SHA_2_256) 758 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 759 string message = "12345678901234567890123456789012"; 760 string signature; 761 MacMessage(message, &signature, 256); 762 ASSERT_EQ(32U, signature.size()); 763 764 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 765} 766 767TEST_P(SigningOperationsTest, HmacSha384Success) { 768 if (GetParam()->minimal_digest_set()) 769 // Can't emulate other digests for HMAC. 770 return; 771 772 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 773 .HmacKey(128) 774 .Digest(KM_DIGEST_SHA_2_384) 775 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 776 777 string message = "12345678901234567890123456789012"; 778 string signature; 779 MacMessage(message, &signature, 384); 780 ASSERT_EQ(48U, signature.size()); 781 782 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 783} 784 785TEST_P(SigningOperationsTest, HmacSha512Success) { 786 if (GetParam()->minimal_digest_set()) 787 // Can't emulate other digests for HMAC. 788 return; 789 790 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 791 .HmacKey(128) 792 .Digest(KM_DIGEST_SHA_2_512) 793 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 794 string message = "12345678901234567890123456789012"; 795 string signature; 796 MacMessage(message, &signature, 512); 797 ASSERT_EQ(64U, signature.size()); 798 799 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 800} 801 802TEST_P(SigningOperationsTest, HmacLengthInKey) { 803 // TODO(swillden): unified API should generate an error on key generation. 804 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 805 .HmacKey(128) 806 .Digest(KM_DIGEST_SHA_2_256) 807 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 808 string message = "12345678901234567890123456789012"; 809 string signature; 810 MacMessage(message, &signature, 160); 811 ASSERT_EQ(20U, signature.size()); 812 813 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 814} 815 816TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 817 uint8_t key_data[] = { 818 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 819 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 820 }; 821 string message = "Hi There"; 822 uint8_t sha_224_expected[] = { 823 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 824 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 825 }; 826 uint8_t sha_256_expected[] = { 827 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 828 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 829 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 830 }; 831 uint8_t sha_384_expected[] = { 832 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 833 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 834 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 835 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 836 }; 837 uint8_t sha_512_expected[] = { 838 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 839 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 840 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 841 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 842 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 843 }; 844 845 string key = make_string(key_data); 846 847 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 848 if (!GetParam()->minimal_digest_set()) { 849 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 850 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 851 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 852 } 853 854 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 855} 856 857TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 858 string key = "Jefe"; 859 string message = "what do ya want for nothing?"; 860 uint8_t sha_224_expected[] = { 861 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 862 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 863 }; 864 uint8_t sha_256_expected[] = { 865 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 866 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 867 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 868 }; 869 uint8_t sha_384_expected[] = { 870 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 871 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 872 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 873 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 874 }; 875 uint8_t sha_512_expected[] = { 876 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 877 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 878 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 879 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 880 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 881 }; 882 883 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 884 if (!GetParam()->minimal_digest_set()) { 885 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 886 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 887 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 888 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 889 } 890 891 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 892} 893 894TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 895 string key(20, 0xaa); 896 string message(50, 0xdd); 897 uint8_t sha_224_expected[] = { 898 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 899 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 900 }; 901 uint8_t sha_256_expected[] = { 902 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 903 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 904 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 905 }; 906 uint8_t sha_384_expected[] = { 907 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 908 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 909 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 910 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 911 }; 912 uint8_t sha_512_expected[] = { 913 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 914 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 915 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 916 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 917 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 918 }; 919 920 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 921 if (!GetParam()->minimal_digest_set()) { 922 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 923 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 924 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 925 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 926 } 927 928 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 929} 930 931TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 932 uint8_t key_data[25] = { 933 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 934 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 935 }; 936 string key = make_string(key_data); 937 string message(50, 0xcd); 938 uint8_t sha_224_expected[] = { 939 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 940 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 941 }; 942 uint8_t sha_256_expected[] = { 943 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 944 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 945 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 946 }; 947 uint8_t sha_384_expected[] = { 948 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 949 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 950 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 951 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 952 }; 953 uint8_t sha_512_expected[] = { 954 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 955 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 956 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 957 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 958 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 959 }; 960 961 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 962 if (!GetParam()->minimal_digest_set()) { 963 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 964 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 965 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 966 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 967 } 968 969 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 970} 971 972TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 973 string key(20, 0x0c); 974 string message = "Test With Truncation"; 975 976 uint8_t sha_224_expected[] = { 977 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 978 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 979 }; 980 uint8_t sha_256_expected[] = { 981 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 982 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 983 }; 984 uint8_t sha_384_expected[] = { 985 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 986 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 987 }; 988 uint8_t sha_512_expected[] = { 989 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 990 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 991 }; 992 993 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 994 if (!GetParam()->minimal_digest_set()) { 995 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 996 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 997 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 998 } 999 1000 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1001} 1002 1003TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 1004 string key(131, 0xaa); 1005 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 1006 1007 uint8_t sha_224_expected[] = { 1008 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 1009 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 1010 }; 1011 uint8_t sha_256_expected[] = { 1012 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 1013 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 1014 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 1015 }; 1016 uint8_t sha_384_expected[] = { 1017 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 1018 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 1019 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 1020 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 1021 }; 1022 uint8_t sha_512_expected[] = { 1023 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 1024 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 1025 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 1026 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 1027 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 1028 }; 1029 1030 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1031 if (!GetParam()->minimal_digest_set()) { 1032 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1033 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1034 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1035 } 1036 1037 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1038} 1039 1040TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 1041 string key(131, 0xaa); 1042 string message = "This is a test using a larger than block-size key and a larger than " 1043 "block-size data. The key needs to be hashed before being used by the HMAC " 1044 "algorithm."; 1045 1046 uint8_t sha_224_expected[] = { 1047 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 1048 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 1049 }; 1050 uint8_t sha_256_expected[] = { 1051 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1052 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1053 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1054 }; 1055 uint8_t sha_384_expected[] = { 1056 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1057 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1058 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1059 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1060 }; 1061 uint8_t sha_512_expected[] = { 1062 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1063 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1064 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1065 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1066 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1067 }; 1068 1069 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1070 if (!GetParam()->minimal_digest_set()) { 1071 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1072 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1073 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1074 } 1075 1076 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1077} 1078 1079TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1080 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1081 .HmacKey(128) 1082 .Digest(KM_DIGEST_SHA_2_256) 1083 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1084 AuthorizationSet begin_params(client_params()); 1085 begin_params.push_back(TAG_MAC_LENGTH, 264); 1086 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1087 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 1088 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1089 1090 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1091} 1092 1093TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) { 1094 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1095 .HmacKey(128) 1096 .Digest(KM_DIGEST_SHA_2_256) 1097 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1098 AuthorizationSet begin_params(client_params()); 1099 begin_params.push_back(TAG_MAC_LENGTH, 120); 1100 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1101 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 1102 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1103 1104 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1105} 1106 1107// TODO(swillden): Add more verification failure tests. 1108 1109typedef Keymaster2Test VerificationOperationsTest; 1110INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 1111 1112TEST_P(VerificationOperationsTest, RsaSuccess) { 1113 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1114 .RsaSigningKey(256, 3) 1115 .Digest(KM_DIGEST_NONE) 1116 .Padding(KM_PAD_NONE))); 1117 string message = "12345678901234567890123456789012"; 1118 string signature; 1119 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1120 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1121 1122 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1123 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1124} 1125 1126TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1127 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1128 .RsaSigningKey(512, 3) 1129 .Digest(KM_DIGEST_SHA_2_256) 1130 .Padding(KM_PAD_RSA_PSS))); 1131 // Use large message, which won't work without digesting. 1132 string message(1024, 'a'); 1133 string signature; 1134 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1135 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1136 1137 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1138 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1139} 1140 1141TEST_P(VerificationOperationsTest, RsaPssSha224Success) { 1142 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1143 .RsaSigningKey(512, 3) 1144 .Digest(KM_DIGEST_SHA_2_224) 1145 .Padding(KM_PAD_RSA_PSS))); 1146 // Use large message, which won't work without digesting. 1147 string message(1024, 'a'); 1148 string signature; 1149 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); 1150 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); 1151 1152 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1153 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1154 1155 // Verify with OpenSSL. 1156 string pubkey; 1157 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); 1158 1159 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); 1160 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1161 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 1162 ASSERT_TRUE(pkey.get()); 1163 1164 EVP_MD_CTX digest_ctx; 1165 EVP_MD_CTX_init(&digest_ctx); 1166 EVP_PKEY_CTX* pkey_ctx; 1167 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, 1168 pkey.get())); 1169 EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)); 1170 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); 1171 EXPECT_EQ(1, 1172 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 1173 signature.size())); 1174 EVP_MD_CTX_cleanup(&digest_ctx); 1175} 1176 1177TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1178 GenerateKey(AuthorizationSetBuilder() 1179 .RsaSigningKey(512, 3) 1180 .Digest(KM_DIGEST_SHA_2_256) 1181 .Padding(KM_PAD_RSA_PSS)); 1182 string message(1024, 'a'); 1183 string signature; 1184 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1185 ++signature[signature.size() / 2]; 1186 1187 AuthorizationSet begin_params(client_params()); 1188 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1189 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1190 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1191 1192 string result; 1193 size_t input_consumed; 1194 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1195 EXPECT_EQ(message.size(), input_consumed); 1196 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1197 1198 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1199 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1200} 1201 1202TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1203 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1204 .RsaSigningKey(512, 3) 1205 .Digest(KM_DIGEST_SHA_2_256) 1206 .Padding(KM_PAD_RSA_PSS))); 1207 // Use large message, which won't work without digesting. 1208 string message(1024, 'a'); 1209 string signature; 1210 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1211 ++message[message.size() / 2]; 1212 1213 AuthorizationSet begin_params(client_params()); 1214 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1215 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1216 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1217 1218 string result; 1219 size_t input_consumed; 1220 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1221 EXPECT_EQ(message.size(), input_consumed); 1222 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1223 1224 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1225 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1226} 1227 1228TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1229 GenerateKey(AuthorizationSetBuilder() 1230 .RsaSigningKey(512, 3) 1231 .Digest(KM_DIGEST_SHA_2_256) 1232 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1233 string message(1024, 'a'); 1234 string signature; 1235 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1236 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1237 1238 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1239 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1240} 1241 1242TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) { 1243 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1244 .RsaSigningKey(512, 3) 1245 .Digest(KM_DIGEST_SHA_2_224) 1246 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1247 // Use large message, which won't work without digesting. 1248 string message(1024, 'a'); 1249 string signature; 1250 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); 1251 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); 1252 1253 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1254 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1255 1256 // Verify with OpenSSL. 1257 string pubkey; 1258 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); 1259 1260 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); 1261 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1262 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 1263 ASSERT_TRUE(pkey.get()); 1264 1265 EVP_MD_CTX digest_ctx; 1266 EVP_MD_CTX_init(&digest_ctx); 1267 EVP_PKEY_CTX* pkey_ctx; 1268 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, 1269 pkey.get())); 1270 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); 1271 EXPECT_EQ(1, 1272 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 1273 signature.size())); 1274 EVP_MD_CTX_cleanup(&digest_ctx); 1275} 1276 1277TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1278 GenerateKey(AuthorizationSetBuilder() 1279 .RsaSigningKey(512, 3) 1280 .Digest(KM_DIGEST_SHA_2_256) 1281 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1282 string message(1024, 'a'); 1283 string signature; 1284 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1285 ++signature[signature.size() / 2]; 1286 1287 AuthorizationSet begin_params(client_params()); 1288 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1289 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1290 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1291 1292 string result; 1293 size_t input_consumed; 1294 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1295 EXPECT_EQ(message.size(), input_consumed); 1296 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1297 1298 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1299 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1300} 1301 1302TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1303 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1304 .RsaSigningKey(512, 3) 1305 .Digest(KM_DIGEST_SHA_2_256) 1306 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1307 // Use large message, which won't work without digesting. 1308 string message(1024, 'a'); 1309 string signature; 1310 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1311 ++message[message.size() / 2]; 1312 1313 AuthorizationSet begin_params(client_params()); 1314 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1315 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1316 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1317 1318 string result; 1319 size_t input_consumed; 1320 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1321 EXPECT_EQ(message.size(), input_consumed); 1322 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1323 1324 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1325 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1326} 1327 1328TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1329 vector<keymaster_digest_t> digests = { 1330 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 1331 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 1332 }; 1333 1334 vector<keymaster_padding_t> padding_modes{ 1335 KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS, 1336 }; 1337 1338 int trial_count = 0; 1339 for (keymaster_padding_t padding_mode : padding_modes) { 1340 for (keymaster_digest_t digest : digests) { 1341 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1342 // Digesting requires padding 1343 continue; 1344 1345 // Compute key & message size that will work. 1346 size_t key_bits = 0; 1347 size_t message_len = 1000; 1348 1349 if (digest == KM_DIGEST_NONE) { 1350 key_bits = 256; 1351 switch (padding_mode) { 1352 case KM_PAD_NONE: 1353 // Match key size. 1354 message_len = key_bits / 8; 1355 break; 1356 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1357 message_len = key_bits / 8 - 11; 1358 break; 1359 case KM_PAD_RSA_PSS: 1360 // PSS requires a digest. 1361 continue; 1362 default: 1363 FAIL() << "Missing padding"; 1364 break; 1365 } 1366 } else { 1367 size_t digest_bits; 1368 switch (digest) { 1369 case KM_DIGEST_MD5: 1370 digest_bits = 128; 1371 break; 1372 case KM_DIGEST_SHA1: 1373 digest_bits = 160; 1374 break; 1375 case KM_DIGEST_SHA_2_224: 1376 digest_bits = 224; 1377 break; 1378 case KM_DIGEST_SHA_2_256: 1379 digest_bits = 256; 1380 break; 1381 case KM_DIGEST_SHA_2_384: 1382 digest_bits = 384; 1383 break; 1384 case KM_DIGEST_SHA_2_512: 1385 digest_bits = 512; 1386 break; 1387 default: 1388 FAIL() << "Missing digest"; 1389 } 1390 1391 switch (padding_mode) { 1392 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1393 key_bits = digest_bits + 8 * (11 + 19); 1394 break; 1395 case KM_PAD_RSA_PSS: 1396 key_bits = digest_bits + 22 * 8; 1397 break; 1398 default: 1399 FAIL() << "Missing padding"; 1400 break; 1401 } 1402 } 1403 1404 GenerateKey(AuthorizationSetBuilder() 1405 .RsaSigningKey(key_bits, 3) 1406 .Digest(digest) 1407 .Padding(padding_mode)); 1408 string message(message_len, 'a'); 1409 string signature; 1410 SignMessage(message, &signature, digest, padding_mode); 1411 VerifyMessage(message, signature, digest, padding_mode); 1412 ++trial_count; 1413 } 1414 } 1415 1416 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1417 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1418} 1419 1420TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1421 ASSERT_EQ(KM_ERROR_OK, 1422 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1423 string message = "12345678901234567890123456789012"; 1424 string signature; 1425 SignMessage(message, &signature, KM_DIGEST_NONE); 1426 VerifyMessage(message, signature, KM_DIGEST_NONE); 1427 1428 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1429 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1430} 1431 1432TEST_P(VerificationOperationsTest, EcdsaTooShort) { 1433 ASSERT_EQ(KM_ERROR_OK, 1434 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1435 string message = "12345678901234567890"; 1436 string signature; 1437 SignMessage(message, &signature, KM_DIGEST_NONE); 1438 VerifyMessage(message, signature, KM_DIGEST_NONE); 1439 1440 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1441 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1442} 1443 1444TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { 1445 ASSERT_EQ(KM_ERROR_OK, 1446 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); 1447 1448 string message(66, 'a'); 1449 string signature; 1450 SignMessage(message, &signature, KM_DIGEST_NONE); 1451 VerifyMessage(message, signature, KM_DIGEST_NONE); 1452 1453 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. 1454 message[65] ^= 7; 1455 VerifyMessage(message, signature, KM_DIGEST_NONE); 1456 1457 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1458 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 1459} 1460 1461TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1462 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1463 .EcdsaSigningKey(256) 1464 .Digest(KM_DIGEST_SHA_2_256) 1465 .Digest(KM_DIGEST_NONE))); 1466 string message = "12345678901234567890123456789012"; 1467 string signature; 1468 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1469 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1470 1471 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1472 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1473 1474 // Just for giggles, try verifying with the wrong digest. 1475 AuthorizationSet begin_params(client_params()); 1476 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1477 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1478 1479 string result; 1480 size_t input_consumed; 1481 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1482 EXPECT_EQ(message.size(), input_consumed); 1483 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1484} 1485 1486TEST_P(VerificationOperationsTest, EcdsaSha224Success) { 1487 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( 1488 KM_DIGEST_SHA_2_224))); 1489 1490 string message = "12345678901234567890123456789012"; 1491 string signature; 1492 SignMessage(message, &signature, KM_DIGEST_SHA_2_224); 1493 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); 1494 1495 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1496 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1497 1498 // Just for giggles, try verifying with the wrong digest. 1499 AuthorizationSet begin_params(client_params()); 1500 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1501 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1502 1503 string result; 1504 size_t input_consumed; 1505 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1506 EXPECT_EQ(message.size(), input_consumed); 1507 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1508} 1509 1510TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) { 1511 keymaster_digest_t digests[] = { 1512 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, 1513 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 1514 }; 1515 size_t key_sizes[] = {224, 256, 384, 521}; 1516 1517 string message = "1234567890"; 1518 string signature; 1519 1520 for (auto key_size : key_sizes) { 1521 AuthorizationSetBuilder builder; 1522 builder.EcdsaSigningKey(key_size); 1523 for (auto digest : digests) 1524 builder.Digest(digest); 1525 ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder)); 1526 1527 for (auto digest : digests) { 1528 SignMessage(message, &signature, digest); 1529 VerifyMessage(message, signature, digest); 1530 } 1531 } 1532 1533 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1534 EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))), 1535 GetParam()->keymaster0_calls()); 1536} 1537 1538TEST_P(VerificationOperationsTest, HmacSha1Success) { 1539 if (GetParam()->minimal_digest_set()) 1540 // Can't emulate missing digests for HMAC. 1541 return; 1542 1543 GenerateKey(AuthorizationSetBuilder() 1544 .HmacKey(128) 1545 .Digest(KM_DIGEST_SHA1) 1546 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1547 string message = "123456789012345678901234567890123456789012345678"; 1548 string signature; 1549 MacMessage(message, &signature, 160); 1550 VerifyMac(message, signature); 1551 1552 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1553} 1554 1555TEST_P(VerificationOperationsTest, HmacSha224Success) { 1556 if (GetParam()->minimal_digest_set()) 1557 // Can't emulate missing digests for HMAC. 1558 return; 1559 1560 GenerateKey(AuthorizationSetBuilder() 1561 .HmacKey(128) 1562 .Digest(KM_DIGEST_SHA_2_224) 1563 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1564 string message = "123456789012345678901234567890123456789012345678"; 1565 string signature; 1566 MacMessage(message, &signature, 224); 1567 VerifyMac(message, signature); 1568 1569 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1570} 1571 1572TEST_P(VerificationOperationsTest, HmacSha256Success) { 1573 GenerateKey(AuthorizationSetBuilder() 1574 .HmacKey(128) 1575 .Digest(KM_DIGEST_SHA_2_256) 1576 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1577 string message = "123456789012345678901234567890123456789012345678"; 1578 string signature; 1579 MacMessage(message, &signature, 256); 1580 VerifyMac(message, signature); 1581 1582 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1583} 1584 1585TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) { 1586 GenerateKey(AuthorizationSetBuilder() 1587 .HmacKey(128) 1588 .Digest(KM_DIGEST_SHA_2_256) 1589 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1590 string message = "123456789012345678901234567890123456789012345678"; 1591 string signature; 1592 MacMessage(message, &signature, 256); 1593 1594 // Shorten to 128 bits, should still work. 1595 signature.resize(128 / 8); 1596 VerifyMac(message, signature); 1597 1598 // Drop one more byte. 1599 signature.resize(signature.length() - 1); 1600 1601 AuthorizationSet begin_params(client_params()); 1602 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1603 string result; 1604 size_t input_consumed; 1605 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1606 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result)); 1607 1608 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1609} 1610 1611TEST_P(VerificationOperationsTest, HmacSha384Success) { 1612 if (GetParam()->minimal_digest_set()) 1613 // Can't emulate missing digests for HMAC. 1614 return; 1615 1616 GenerateKey(AuthorizationSetBuilder() 1617 .HmacKey(128) 1618 .Digest(KM_DIGEST_SHA_2_384) 1619 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1620 string message = "123456789012345678901234567890123456789012345678"; 1621 string signature; 1622 MacMessage(message, &signature, 384); 1623 VerifyMac(message, signature); 1624 1625 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1626} 1627 1628TEST_P(VerificationOperationsTest, HmacSha512Success) { 1629 if (GetParam()->minimal_digest_set()) 1630 // Can't emulate missing digests for HMAC. 1631 return; 1632 1633 GenerateKey(AuthorizationSetBuilder() 1634 .HmacKey(128) 1635 .Digest(KM_DIGEST_SHA_2_512) 1636 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1637 string message = "123456789012345678901234567890123456789012345678"; 1638 string signature; 1639 MacMessage(message, &signature, 512); 1640 VerifyMac(message, signature); 1641 1642 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1643} 1644 1645typedef Keymaster2Test ExportKeyTest; 1646INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1647 1648TEST_P(ExportKeyTest, RsaSuccess) { 1649 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1650 .RsaSigningKey(256, 3) 1651 .Digest(KM_DIGEST_NONE) 1652 .Padding(KM_PAD_NONE))); 1653 string export_data; 1654 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1655 EXPECT_GT(export_data.length(), 0U); 1656 1657 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1658 1659 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1660 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1661} 1662 1663TEST_P(ExportKeyTest, EcdsaSuccess) { 1664 ASSERT_EQ(KM_ERROR_OK, 1665 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1666 string export_data; 1667 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1668 EXPECT_GT(export_data.length(), 0U); 1669 1670 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1671 1672 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1673 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1674} 1675 1676TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1677 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1678 .RsaSigningKey(256, 3) 1679 .Digest(KM_DIGEST_NONE) 1680 .Padding(KM_PAD_NONE))); 1681 string export_data; 1682 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1683 1684 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1685 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1686} 1687 1688TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1689 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1690 .RsaSigningKey(256, 3) 1691 .Digest(KM_DIGEST_NONE) 1692 .Padding(KM_PAD_NONE))); 1693 corrupt_key_blob(); 1694 string export_data; 1695 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1696 1697 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1698 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1699} 1700 1701TEST_P(ExportKeyTest, AesKeyExportFails) { 1702 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1703 string export_data; 1704 1705 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1706 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1707 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1708 1709 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1710} 1711 1712static string read_file(const string& file_name) { 1713 ifstream file_stream(file_name, std::ios::binary); 1714 istreambuf_iterator<char> file_begin(file_stream); 1715 istreambuf_iterator<char> file_end; 1716 return string(file_begin, file_end); 1717} 1718 1719typedef Keymaster2Test ImportKeyTest; 1720INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1721 1722TEST_P(ImportKeyTest, RsaSuccess) { 1723 string pk8_key = read_file("rsa_privkey_pk8.der"); 1724 ASSERT_EQ(633U, pk8_key.size()); 1725 1726 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1727 .RsaSigningKey(1024, 65537) 1728 .Digest(KM_DIGEST_NONE) 1729 .Padding(KM_PAD_NONE), 1730 KM_KEY_FORMAT_PKCS8, pk8_key)); 1731 1732 // Check values derived from the key. 1733 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1734 : sw_enforced(), 1735 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1736 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1737 : sw_enforced(), 1738 TAG_KEY_SIZE, 1024)); 1739 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1740 : sw_enforced(), 1741 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1742 1743 // And values provided by AndroidKeymaster 1744 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1745 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1746 else 1747 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1748 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1749 1750 string message(1024 / 8, 'a'); 1751 string signature; 1752 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1753 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1754 1755 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1756 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1757} 1758 1759TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1760 string pk8_key = read_file("rsa_privkey_pk8.der"); 1761 ASSERT_EQ(633U, pk8_key.size()); 1762 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1763 ImportKey(AuthorizationSetBuilder() 1764 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1765 .Digest(KM_DIGEST_NONE) 1766 .Padding(KM_PAD_NONE), 1767 KM_KEY_FORMAT_PKCS8, pk8_key)); 1768 1769 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1770} 1771 1772TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1773 string pk8_key = read_file("rsa_privkey_pk8.der"); 1774 ASSERT_EQ(633U, pk8_key.size()); 1775 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1776 ImportKey(AuthorizationSetBuilder() 1777 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1778 .Digest(KM_DIGEST_NONE) 1779 .Padding(KM_PAD_NONE), 1780 KM_KEY_FORMAT_PKCS8, pk8_key)); 1781 1782 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1783} 1784 1785TEST_P(ImportKeyTest, EcdsaSuccess) { 1786 string pk8_key = read_file("ec_privkey_pk8.der"); 1787 ASSERT_EQ(138U, pk8_key.size()); 1788 1789 ASSERT_EQ(KM_ERROR_OK, 1790 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1791 KM_KEY_FORMAT_PKCS8, pk8_key)); 1792 1793 // Check values derived from the key. 1794 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1795 : sw_enforced(), 1796 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1797 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1798 : sw_enforced(), 1799 TAG_KEY_SIZE, 256)); 1800 1801 // And values provided by AndroidKeymaster 1802 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1803 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1804 else 1805 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1806 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1807 1808 string message(32, 'a'); 1809 string signature; 1810 SignMessage(message, &signature, KM_DIGEST_NONE); 1811 VerifyMessage(message, signature, KM_DIGEST_NONE); 1812 1813 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1814 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1815} 1816 1817TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1818 string pk8_key = read_file("ec_privkey_pk8.der"); 1819 ASSERT_EQ(138U, pk8_key.size()); 1820 1821 ASSERT_EQ(KM_ERROR_OK, 1822 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1823 KM_KEY_FORMAT_PKCS8, pk8_key)); 1824 1825 // Check values derived from the key. 1826 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1827 : sw_enforced(), 1828 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1829 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1830 : sw_enforced(), 1831 TAG_KEY_SIZE, 256)); 1832 1833 // And values provided by AndroidKeymaster 1834 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1835 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1836 else 1837 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1838 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1839 1840 string message(32, 'a'); 1841 string signature; 1842 SignMessage(message, &signature, KM_DIGEST_NONE); 1843 VerifyMessage(message, signature, KM_DIGEST_NONE); 1844 1845 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1846 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1847} 1848 1849TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1850 string pk8_key = read_file("ec_privkey_pk8.der"); 1851 ASSERT_EQ(138U, pk8_key.size()); 1852 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1853 ImportKey(AuthorizationSetBuilder() 1854 .EcdsaSigningKey(224 /* Doesn't match key */) 1855 .Digest(KM_DIGEST_NONE), 1856 KM_KEY_FORMAT_PKCS8, pk8_key)); 1857 1858 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1859} 1860 1861TEST_P(ImportKeyTest, AesKeySuccess) { 1862 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1863 string key(key_data, sizeof(key_data)); 1864 ASSERT_EQ(KM_ERROR_OK, 1865 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1866 TAG_PADDING, KM_PAD_PKCS7), 1867 KM_KEY_FORMAT_RAW, key)); 1868 1869 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1870 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1871 1872 string message = "Hello World!"; 1873 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1874 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1875 EXPECT_EQ(message, plaintext); 1876 1877 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1878} 1879 1880TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1881 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1882 string key(key_data, sizeof(key_data)); 1883 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1884 .HmacKey(sizeof(key_data) * 8) 1885 .Digest(KM_DIGEST_SHA_2_256) 1886 .Authorization(TAG_MIN_MAC_LENGTH, 256), 1887 KM_KEY_FORMAT_RAW, key)); 1888 1889 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1890 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1891 1892 string message = "Hello World!"; 1893 string signature; 1894 MacMessage(message, &signature, 256); 1895 VerifyMac(message, signature); 1896 1897 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1898} 1899 1900typedef Keymaster2Test EncryptionOperationsTest; 1901INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1902 1903TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 1904 ASSERT_EQ(KM_ERROR_OK, 1905 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1906 1907 string message = "12345678901234567890123456789012"; 1908 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 1909 EXPECT_EQ(256U / 8, ciphertext1.size()); 1910 1911 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 1912 EXPECT_EQ(256U / 8, ciphertext2.size()); 1913 1914 // Unpadded RSA is deterministic 1915 EXPECT_EQ(ciphertext1, ciphertext2); 1916 1917 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1918 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1919} 1920 1921TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 1922 ASSERT_EQ(KM_ERROR_OK, 1923 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1924 1925 string message = "1"; 1926 1927 string ciphertext = EncryptMessage(message, KM_PAD_NONE); 1928 EXPECT_EQ(256U / 8, ciphertext.size()); 1929 1930 string expected_plaintext = string(256 / 8 - 1, 0) + message; 1931 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE); 1932 1933 EXPECT_EQ(expected_plaintext, plaintext); 1934 1935 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1936 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1937} 1938 1939TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 1940 ASSERT_EQ(KM_ERROR_OK, 1941 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1942 1943 string message = "123456789012345678901234567890123"; 1944 1945 AuthorizationSet begin_params(client_params()); 1946 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1947 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1948 1949 string result; 1950 size_t input_consumed; 1951 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 1952 1953 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1954 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1955} 1956 1957TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) { 1958 ASSERT_EQ(KM_ERROR_OK, 1959 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1960 1961 string exported; 1962 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported)); 1963 1964 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data()); 1965 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1966 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size())); 1967 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get())); 1968 1969 size_t modulus_len = BN_num_bytes(rsa->n); 1970 ASSERT_EQ(256U / 8, modulus_len); 1971 unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]); 1972 BN_bn2bin(rsa->n, modulus_buf.get()); 1973 1974 // The modulus is too big to encrypt. 1975 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 1976 1977 AuthorizationSet begin_params(client_params()); 1978 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1979 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1980 1981 string result; 1982 size_t input_consumed; 1983 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1984 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); 1985 1986 // One smaller than the modulus is okay. 1987 BN_sub(rsa->n, rsa->n, BN_value_one()); 1988 modulus_len = BN_num_bytes(rsa->n); 1989 ASSERT_EQ(256U / 8, modulus_len); 1990 BN_bn2bin(rsa->n, modulus_buf.get()); 1991 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 1992 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1993 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1994 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result)); 1995 1996 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1997 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1998} 1999 2000TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 2001 size_t key_size = 768; 2002 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2003 .RsaEncryptionKey(key_size, 3) 2004 .Padding(KM_PAD_RSA_OAEP) 2005 .Digest(KM_DIGEST_SHA_2_256))); 2006 2007 string message = "Hello"; 2008 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2009 EXPECT_EQ(key_size / 8, ciphertext1.size()); 2010 2011 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2012 EXPECT_EQ(key_size / 8, ciphertext2.size()); 2013 2014 // OAEP randomizes padding so every result should be different. 2015 EXPECT_NE(ciphertext1, ciphertext2); 2016 2017 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2018 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2019} 2020 2021TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) { 2022 size_t key_size = 768; 2023 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2024 .RsaEncryptionKey(key_size, 3) 2025 .Padding(KM_PAD_RSA_OAEP) 2026 .Digest(KM_DIGEST_SHA_2_224))); 2027 2028 string message = "Hello"; 2029 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2030 EXPECT_EQ(key_size / 8, ciphertext1.size()); 2031 2032 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2033 EXPECT_EQ(key_size / 8, ciphertext2.size()); 2034 2035 // OAEP randomizes padding so every result should be different. 2036 EXPECT_NE(ciphertext1, ciphertext2); 2037 2038 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2039 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2040} 2041 2042TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 2043 size_t key_size = 768; 2044 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2045 .RsaEncryptionKey(key_size, 3) 2046 .Padding(KM_PAD_RSA_OAEP) 2047 .Digest(KM_DIGEST_SHA_2_256))); 2048 string message = "Hello World!"; 2049 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2050 EXPECT_EQ(key_size / 8, ciphertext.size()); 2051 2052 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2053 EXPECT_EQ(message, plaintext); 2054 2055 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2056 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2057} 2058 2059TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) { 2060 size_t key_size = 768; 2061 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2062 .RsaEncryptionKey(key_size, 3) 2063 .Padding(KM_PAD_RSA_OAEP) 2064 .Digest(KM_DIGEST_SHA_2_224))); 2065 string message = "Hello World!"; 2066 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2067 EXPECT_EQ(key_size / 8, ciphertext.size()); 2068 2069 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2070 EXPECT_EQ(message, plaintext); 2071 2072 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2073 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2074} 2075 2076TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { 2077 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2078 .RsaEncryptionKey(512, 3) 2079 .Padding(KM_PAD_RSA_OAEP) 2080 .Digest(KM_DIGEST_NONE))); 2081 string message = "Hello World!"; 2082 2083 AuthorizationSet begin_params(client_params()); 2084 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2085 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 2086 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2087 2088 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2089 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2090} 2091 2092TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) { 2093 if (GetParam()->minimal_digest_set()) 2094 // We don't have two supported digests, so we can't try authorizing one and using another. 2095 return; 2096 2097 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2098 .RsaEncryptionKey(512, 3) 2099 .Padding(KM_PAD_RSA_OAEP) 2100 .Digest(KM_DIGEST_SHA_2_256))); 2101 string message = "Hello World!"; 2102 // Works because encryption is a public key operation. 2103 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP); 2104 2105 AuthorizationSet begin_params(client_params()); 2106 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2107 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2108 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2109 2110 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2111 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2112} 2113 2114TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { 2115 if (GetParam()->minimal_digest_set()) 2116 // We don't have two supported digests, so we can't try encrypting with one and decrypting 2117 // with another. 2118 return; 2119 2120 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2121 .RsaEncryptionKey(768, 3) 2122 .Padding(KM_PAD_RSA_OAEP) 2123 .Digest(KM_DIGEST_SHA_2_256) 2124 .Digest(KM_DIGEST_SHA_2_384))); 2125 string message = "Hello World!"; 2126 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2127 2128 string result; 2129 size_t input_consumed; 2130 AuthorizationSet begin_params(client_params()); 2131 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2132 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384); 2133 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2134 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2135 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2136 EXPECT_EQ(0U, result.size()); 2137 2138 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2139 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2140} 2141 2142TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 2143 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2144 .RsaEncryptionKey(512, 3) 2145 .Padding(KM_PAD_RSA_OAEP) 2146 .Digest(KM_DIGEST_SHA1))); 2147 string message = "12345678901234567890123"; 2148 string result; 2149 size_t input_consumed; 2150 2151 AuthorizationSet begin_params(client_params()); 2152 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2153 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2154 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2155 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2156 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2157 EXPECT_EQ(0U, result.size()); 2158 2159 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2160 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2161} 2162 2163TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 2164 size_t key_size = 768; 2165 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2166 .RsaEncryptionKey(768, 3) 2167 .Padding(KM_PAD_RSA_OAEP) 2168 .Digest(KM_DIGEST_SHA_2_256))); 2169 string message = "Hello World!"; 2170 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2171 EXPECT_EQ(key_size / 8, ciphertext.size()); 2172 2173 // Corrupt the ciphertext 2174 ciphertext[key_size / 8 / 2]++; 2175 2176 string result; 2177 size_t input_consumed; 2178 AuthorizationSet begin_params(client_params()); 2179 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2180 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 2181 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2182 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2183 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2184 EXPECT_EQ(0U, result.size()); 2185 2186 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2187 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2188} 2189 2190TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 2191 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2192 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2193 string message = "Hello World!"; 2194 string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2195 EXPECT_EQ(512U / 8, ciphertext1.size()); 2196 2197 string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2198 EXPECT_EQ(512U / 8, ciphertext2.size()); 2199 2200 // PKCS1 v1.5 randomizes padding so every result should be different. 2201 EXPECT_NE(ciphertext1, ciphertext2); 2202 2203 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2204 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2205} 2206 2207TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 2208 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2209 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2210 string message = "Hello World!"; 2211 string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2212 EXPECT_EQ(512U / 8, ciphertext.size()); 2213 2214 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2215 EXPECT_EQ(message, plaintext); 2216 2217 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2218 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2219} 2220 2221TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) { 2222 size_t key_size = 2048; 2223 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2224 .RsaEncryptionKey(key_size, 3) 2225 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) 2226 .Padding(KM_PAD_RSA_OAEP) 2227 .Digest(KM_DIGEST_NONE) 2228 .Digest(KM_DIGEST_MD5) 2229 .Digest(KM_DIGEST_SHA1) 2230 .Digest(KM_DIGEST_SHA_2_224) 2231 .Digest(KM_DIGEST_SHA_2_256) 2232 .Digest(KM_DIGEST_SHA_2_384) 2233 .Digest(KM_DIGEST_SHA_2_512))); 2234 2235 string message = "Hello World!"; 2236 2237 keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; 2238 keymaster_digest_t digests[] = { 2239 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 2240 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 2241 }; 2242 2243 for (auto padding : padding_modes) 2244 for (auto digest : digests) { 2245 if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE) 2246 // OAEP requires a digest. 2247 continue; 2248 2249 string ciphertext = EncryptMessage(message, digest, padding); 2250 EXPECT_EQ(key_size / 8, ciphertext.size()); 2251 2252 string plaintext = DecryptMessage(ciphertext, digest, padding); 2253 EXPECT_EQ(message, plaintext); 2254 } 2255 2256 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2257 EXPECT_EQ(40, GetParam()->keymaster0_calls()); 2258} 2259 2260TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 2261 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2262 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2263 string message = "123456789012345678901234567890123456789012345678901234"; 2264 string result; 2265 size_t input_consumed; 2266 2267 AuthorizationSet begin_params(client_params()); 2268 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2269 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2270 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2271 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2272 EXPECT_EQ(0U, result.size()); 2273 2274 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2275 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2276} 2277 2278TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 2279 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2280 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2281 string message = "Hello World!"; 2282 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2283 EXPECT_EQ(512U / 8, ciphertext.size()); 2284 2285 // Corrupt the ciphertext 2286 ciphertext[512 / 8 / 2]++; 2287 2288 string result; 2289 size_t input_consumed; 2290 AuthorizationSet begin_params(client_params()); 2291 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2292 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2293 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2294 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2295 EXPECT_EQ(0U, result.size()); 2296 2297 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2298 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2299} 2300 2301TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 2302 ASSERT_EQ(KM_ERROR_OK, 2303 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); 2304 2305 AuthorizationSet begin_params(client_params()); 2306 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2307 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2308 2309 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2310 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2311} 2312 2313TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 2314 ASSERT_EQ(KM_ERROR_OK, 2315 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 2316 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2317 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2318 2319 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 2320 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2321} 2322 2323TEST_P(EncryptionOperationsTest, HmacEncrypt) { 2324 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2325 .HmacKey(128) 2326 .Digest(KM_DIGEST_SHA_2_256) 2327 .Padding(KM_PAD_NONE) 2328 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2329 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2330 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2331 2332 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2333} 2334 2335TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2336 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2337 .AesEncryptionKey(128) 2338 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2339 .Padding(KM_PAD_NONE))); 2340 // Two-block message. 2341 string message = "12345678901234567890123456789012"; 2342 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2343 EXPECT_EQ(message.size(), ciphertext1.size()); 2344 2345 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 2346 EXPECT_EQ(message.size(), ciphertext2.size()); 2347 2348 // ECB is deterministic. 2349 EXPECT_EQ(ciphertext1, ciphertext2); 2350 2351 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 2352 EXPECT_EQ(message, plaintext); 2353 2354 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2355} 2356 2357TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { 2358 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2359 .AesEncryptionKey(128) 2360 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2361 .Padding(KM_PAD_NONE))); 2362 // Two-block message. 2363 string message = "12345678901234567890123456789012"; 2364 AuthorizationSet begin_params(client_params()); 2365 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2366 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2367 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2368 2369 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2370} 2371 2372TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2373 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2374 .AesEncryptionKey(128) 2375 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2376 .Padding(KM_PAD_NONE))); 2377 // Message is slightly shorter than two blocks. 2378 string message = "1234567890123456789012345678901"; 2379 2380 AuthorizationSet begin_params(client_params()); 2381 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2382 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2383 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2384 string ciphertext; 2385 size_t input_consumed; 2386 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 2387 EXPECT_EQ(message.size(), input_consumed); 2388 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 2389 2390 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2391} 2392 2393TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2394 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2395 .AesEncryptionKey(128) 2396 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2397 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2398 2399 // Try various message lengths; all should work. 2400 for (size_t i = 0; i < 32; ++i) { 2401 string message(i, 'a'); 2402 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2403 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2404 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2405 EXPECT_EQ(message, plaintext); 2406 } 2407 2408 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2409} 2410 2411TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { 2412 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2413 .AesEncryptionKey(128) 2414 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2415 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2416 2417 // Try various message lengths; all should fail. 2418 for (size_t i = 0; i < 32; ++i) { 2419 AuthorizationSet begin_params(client_params()); 2420 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2421 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2422 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 2423 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2424 } 2425 2426 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2427} 2428 2429TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2430 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2431 .AesEncryptionKey(128) 2432 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2433 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2434 2435 string message = "a"; 2436 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2437 EXPECT_EQ(16U, ciphertext.size()); 2438 EXPECT_NE(ciphertext, message); 2439 ++ciphertext[ciphertext.size() / 2]; 2440 2441 AuthorizationSet begin_params(client_params()); 2442 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2443 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2444 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2445 string plaintext; 2446 size_t input_consumed; 2447 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 2448 EXPECT_EQ(ciphertext.size(), input_consumed); 2449 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 2450 2451 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2452} 2453 2454TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2455 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2456 .AesEncryptionKey(128) 2457 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2458 .Padding(KM_PAD_NONE))); 2459 string message = "123"; 2460 string iv1; 2461 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 2462 EXPECT_EQ(message.size(), ciphertext1.size()); 2463 EXPECT_EQ(16U, iv1.size()); 2464 2465 string iv2; 2466 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 2467 EXPECT_EQ(message.size(), ciphertext2.size()); 2468 EXPECT_EQ(16U, iv2.size()); 2469 2470 // IVs should be random, so ciphertexts should differ. 2471 EXPECT_NE(iv1, iv2); 2472 EXPECT_NE(ciphertext1, ciphertext2); 2473 2474 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 2475 EXPECT_EQ(message, plaintext); 2476 2477 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2478} 2479 2480TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 2481 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2482 .AesEncryptionKey(128) 2483 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2484 .Padding(KM_PAD_NONE))); 2485 2486 int increment = 15; 2487 string message(239, 'a'); 2488 AuthorizationSet input_params(client_params()); 2489 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2490 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2491 AuthorizationSet output_params; 2492 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2493 2494 string ciphertext; 2495 size_t input_consumed; 2496 for (size_t i = 0; i < message.size(); i += increment) 2497 EXPECT_EQ(KM_ERROR_OK, 2498 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2499 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2500 EXPECT_EQ(message.size(), ciphertext.size()); 2501 2502 // Move TAG_NONCE into input_params 2503 input_params.Reinitialize(output_params); 2504 input_params.push_back(client_params()); 2505 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2506 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2507 output_params.Clear(); 2508 2509 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2510 string plaintext; 2511 for (size_t i = 0; i < ciphertext.size(); i += increment) 2512 EXPECT_EQ(KM_ERROR_OK, 2513 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2514 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2515 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2516 EXPECT_EQ(message, plaintext); 2517 2518 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2519} 2520 2521struct AesCtrSp80038aTestVector { 2522 const char* key; 2523 const char* nonce; 2524 const char* plaintext; 2525 const char* ciphertext; 2526}; 2527 2528// These test vectors are taken from 2529// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 2530static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 2531 // AES-128 2532 { 2533 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2534 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2535 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2536 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 2537 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 2538 }, 2539 // AES-192 2540 { 2541 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2542 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2543 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2544 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 2545 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 2546 }, 2547 // AES-256 2548 { 2549 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 2550 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2551 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2552 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2553 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2554 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2555 }, 2556}; 2557 2558TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2559 for (size_t i = 0; i < 3; i++) { 2560 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2561 const string key = hex2str(test.key); 2562 const string nonce = hex2str(test.nonce); 2563 const string plaintext = hex2str(test.plaintext); 2564 const string ciphertext = hex2str(test.ciphertext); 2565 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2566 } 2567 2568 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2569} 2570 2571TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2572 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2573 .AesEncryptionKey(128) 2574 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2575 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2576 AuthorizationSet begin_params(client_params()); 2577 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2578 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2579 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2580 2581 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2582} 2583 2584TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2585 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2586 .AesEncryptionKey(128) 2587 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2588 .Authorization(TAG_CALLER_NONCE) 2589 .Padding(KM_PAD_NONE))); 2590 2591 AuthorizationSet input_params(client_params()); 2592 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2593 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2594 input_params.push_back(TAG_NONCE, "123", 3); 2595 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2596 2597 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2598} 2599 2600TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2601 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2602 .AesEncryptionKey(128) 2603 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2604 .Padding(KM_PAD_NONE))); 2605 // Two-block message. 2606 string message = "12345678901234567890123456789012"; 2607 string iv1; 2608 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2609 EXPECT_EQ(message.size(), ciphertext1.size()); 2610 2611 string iv2; 2612 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2613 EXPECT_EQ(message.size(), ciphertext2.size()); 2614 2615 // IVs should be random, so ciphertexts should differ. 2616 EXPECT_NE(iv1, iv2); 2617 EXPECT_NE(ciphertext1, ciphertext2); 2618 2619 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2620 EXPECT_EQ(message, plaintext); 2621 2622 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2623} 2624 2625TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2626 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2627 .AesEncryptionKey(128) 2628 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2629 .Authorization(TAG_CALLER_NONCE) 2630 .Padding(KM_PAD_NONE))); 2631 string message = "12345678901234567890123456789012"; 2632 string iv1; 2633 // Don't specify nonce, should get a random one. 2634 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2635 EXPECT_EQ(message.size(), ciphertext1.size()); 2636 EXPECT_EQ(16U, iv1.size()); 2637 2638 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2639 EXPECT_EQ(message, plaintext); 2640 2641 // Now specify a nonce, should also work. 2642 AuthorizationSet input_params(client_params()); 2643 AuthorizationSet update_params; 2644 AuthorizationSet output_params; 2645 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2646 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2647 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2648 string ciphertext2 = 2649 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2650 2651 // Decrypt with correct nonce. 2652 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2653 &output_params); 2654 EXPECT_EQ(message, plaintext); 2655 2656 // Now try with wrong nonce. 2657 input_params.Reinitialize(client_params()); 2658 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2659 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2660 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2661 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2662 &output_params); 2663 EXPECT_NE(message, plaintext); 2664 2665 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2666} 2667 2668TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2669 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2670 .AesEncryptionKey(128) 2671 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2672 .Padding(KM_PAD_NONE))); 2673 2674 string message = "12345678901234567890123456789012"; 2675 string iv1; 2676 // Don't specify nonce, should get a random one. 2677 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2678 EXPECT_EQ(message.size(), ciphertext1.size()); 2679 EXPECT_EQ(16U, iv1.size()); 2680 2681 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2682 EXPECT_EQ(message, plaintext); 2683 2684 // Now specify a nonce, should fail. 2685 AuthorizationSet input_params(client_params()); 2686 AuthorizationSet update_params; 2687 AuthorizationSet output_params; 2688 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2689 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2690 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2691 2692 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2693 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2694 2695 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2696} 2697 2698TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2699 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2700 .AesEncryptionKey(128) 2701 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2702 .Padding(KM_PAD_NONE))); 2703 2704 int increment = 15; 2705 string message(240, 'a'); 2706 AuthorizationSet input_params(client_params()); 2707 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2708 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2709 AuthorizationSet output_params; 2710 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2711 2712 string ciphertext; 2713 size_t input_consumed; 2714 for (size_t i = 0; i < message.size(); i += increment) 2715 EXPECT_EQ(KM_ERROR_OK, 2716 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2717 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2718 EXPECT_EQ(message.size(), ciphertext.size()); 2719 2720 // Move TAG_NONCE into input_params 2721 input_params.Reinitialize(output_params); 2722 input_params.push_back(client_params()); 2723 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2724 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2725 output_params.Clear(); 2726 2727 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2728 string plaintext; 2729 for (size_t i = 0; i < ciphertext.size(); i += increment) 2730 EXPECT_EQ(KM_ERROR_OK, 2731 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2732 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2733 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2734 EXPECT_EQ(message, plaintext); 2735 2736 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2737} 2738 2739TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2740 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2741 .AesEncryptionKey(128) 2742 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2743 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2744 2745 // Try various message lengths; all should work. 2746 for (size_t i = 0; i < 32; ++i) { 2747 string message(i, 'a'); 2748 string iv; 2749 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2750 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2751 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2752 EXPECT_EQ(message, plaintext); 2753 } 2754 2755 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2756} 2757 2758TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2759 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2760 .AesEncryptionKey(128) 2761 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2762 .Authorization(TAG_PADDING, KM_PAD_NONE) 2763 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2764 string aad = "foobar"; 2765 string message = "123456789012345678901234567890123456"; 2766 AuthorizationSet begin_params(client_params()); 2767 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2768 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2769 begin_params.push_back(TAG_MAC_LENGTH, 128); 2770 2771 AuthorizationSet update_params; 2772 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2773 2774 // Encrypt 2775 AuthorizationSet begin_out_params; 2776 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2777 string ciphertext; 2778 size_t input_consumed; 2779 AuthorizationSet update_out_params; 2780 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2781 &input_consumed)); 2782 EXPECT_EQ(message.size(), input_consumed); 2783 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2784 2785 // Grab nonce 2786 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2787 begin_params.push_back(begin_out_params); 2788 2789 // Decrypt. 2790 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2791 string plaintext; 2792 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2793 &plaintext, &input_consumed)); 2794 EXPECT_EQ(ciphertext.size(), input_consumed); 2795 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2796 2797 EXPECT_EQ(message, plaintext); 2798 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2799} 2800 2801TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) { 2802 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2803 .AesEncryptionKey(128) 2804 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2805 .Authorization(TAG_PADDING, KM_PAD_NONE) 2806 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2807 string aad = "foobar"; 2808 string message = "123456789012345678901234567890123456"; 2809 AuthorizationSet begin_params(client_params()); 2810 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2811 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2812 begin_params.push_back(TAG_MAC_LENGTH, 96); 2813 2814 AuthorizationSet update_params; 2815 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2816 2817 AuthorizationSet begin_out_params; 2818 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 2819 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2820 2821 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2822} 2823 2824TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { 2825 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2826 .AesEncryptionKey(128) 2827 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2828 .Authorization(TAG_PADDING, KM_PAD_NONE) 2829 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2830 string aad = "foobar"; 2831 string message = "123456789012345678901234567890123456"; 2832 AuthorizationSet begin_params(client_params()); 2833 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2834 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2835 begin_params.push_back(TAG_MAC_LENGTH, 128); 2836 2837 AuthorizationSet update_params; 2838 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2839 2840 // Encrypt 2841 AuthorizationSet begin_out_params; 2842 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2843 string ciphertext; 2844 size_t input_consumed; 2845 AuthorizationSet update_out_params; 2846 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2847 &input_consumed)); 2848 EXPECT_EQ(message.size(), input_consumed); 2849 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2850 2851 // Grab nonce 2852 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2853 begin_params.Reinitialize(client_params()); 2854 begin_params.push_back(begin_out_params); 2855 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2856 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2857 begin_params.push_back(TAG_MAC_LENGTH, 96); 2858 2859 // Decrypt. 2860 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2861 2862 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2863} 2864 2865TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { 2866 uint8_t nonce[] = { 2867 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 2868 }; 2869 uint8_t ciphertext[] = { 2870 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 2871 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 2872 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 2873 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 2874 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 2875 }; 2876 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); 2877 2878 AuthorizationSet begin_params(client_params()); 2879 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2880 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2881 begin_params.push_back(TAG_MAC_LENGTH, 128); 2882 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); 2883 2884 string plaintext; 2885 size_t input_consumed; 2886 2887 // Import correct key and decrypt 2888 uint8_t good_key[] = { 2889 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2890 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2891 }; 2892 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); 2893 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2894 .AesEncryptionKey(128) 2895 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2896 .Authorization(TAG_PADDING, KM_PAD_NONE) 2897 .Authorization(TAG_CALLER_NONCE) 2898 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2899 KM_KEY_FORMAT_RAW, good_key_str)); 2900 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2901 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2902 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2903 2904 // Import bad key and decrypt 2905 uint8_t bad_key[] = { 2906 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2907 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2908 }; 2909 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); 2910 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2911 .AesEncryptionKey(128) 2912 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2913 .Authorization(TAG_PADDING, KM_PAD_NONE) 2914 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2915 KM_KEY_FORMAT_RAW, bad_key_str)); 2916 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2917 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2918 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2919 2920 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2921} 2922 2923TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { 2924 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2925 .AesEncryptionKey(128) 2926 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2927 .Authorization(TAG_PADDING, KM_PAD_NONE) 2928 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2929 string aad = "123456789012345678"; 2930 string empty_message; 2931 AuthorizationSet begin_params(client_params()); 2932 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2933 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2934 begin_params.push_back(TAG_MAC_LENGTH, 128); 2935 2936 AuthorizationSet update_params; 2937 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2938 2939 // Encrypt 2940 AuthorizationSet begin_out_params; 2941 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2942 string ciphertext; 2943 size_t input_consumed; 2944 AuthorizationSet update_out_params; 2945 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, 2946 &ciphertext, &input_consumed)); 2947 EXPECT_EQ(0U, input_consumed); 2948 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2949 2950 // Grab nonce 2951 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2952 begin_params.push_back(begin_out_params); 2953 2954 // Decrypt. 2955 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2956 string plaintext; 2957 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2958 &plaintext, &input_consumed)); 2959 EXPECT_EQ(ciphertext.size(), input_consumed); 2960 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2961 2962 EXPECT_EQ(empty_message, plaintext); 2963 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2964} 2965 2966TEST_P(EncryptionOperationsTest, AesGcmIncremental) { 2967 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2968 .AesEncryptionKey(128) 2969 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2970 .Authorization(TAG_PADDING, KM_PAD_NONE) 2971 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2972 AuthorizationSet begin_params(client_params()); 2973 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2974 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2975 begin_params.push_back(TAG_MAC_LENGTH, 128); 2976 2977 AuthorizationSet update_params; 2978 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); 2979 2980 // Encrypt 2981 AuthorizationSet begin_out_params; 2982 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2983 string ciphertext; 2984 size_t input_consumed; 2985 AuthorizationSet update_out_params; 2986 2987 // Send AAD, incrementally 2988 for (int i = 0; i < 1000; ++i) { 2989 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2990 &input_consumed)); 2991 EXPECT_EQ(0U, input_consumed); 2992 EXPECT_EQ(0U, ciphertext.size()); 2993 } 2994 2995 // Now send data, incrementally, no data. 2996 AuthorizationSet empty_params; 2997 for (int i = 0; i < 1000; ++i) { 2998 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, 2999 &input_consumed)); 3000 EXPECT_EQ(1U, input_consumed); 3001 } 3002 EXPECT_EQ(1000U, ciphertext.size()); 3003 3004 // And finish. 3005 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3006 EXPECT_EQ(1016U, ciphertext.size()); 3007 3008 // Grab nonce 3009 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3010 begin_params.push_back(begin_out_params); 3011 3012 // Decrypt. 3013 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3014 string plaintext; 3015 3016 // Send AAD, incrementally, no data 3017 for (int i = 0; i < 1000; ++i) { 3018 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, 3019 &input_consumed)); 3020 EXPECT_EQ(0U, input_consumed); 3021 EXPECT_EQ(0U, plaintext.size()); 3022 } 3023 3024 // Now send data, incrementally. 3025 for (size_t i = 0; i < ciphertext.length(); ++i) { 3026 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), 3027 &update_out_params, &plaintext, &input_consumed)); 3028 EXPECT_EQ(1U, input_consumed); 3029 } 3030 EXPECT_EQ(1000U, plaintext.size()); 3031 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3032 3033 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3034} 3035 3036TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 3037 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3038 .AesEncryptionKey(128) 3039 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3040 .Authorization(TAG_PADDING, KM_PAD_NONE) 3041 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3042 string message = "123456789012345678901234567890123456"; 3043 AuthorizationSet begin_params(client_params()); 3044 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3045 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3046 begin_params.push_back(TAG_MAC_LENGTH, 128); 3047 AuthorizationSet begin_out_params; 3048 3049 AuthorizationSet update_params; 3050 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 3051 3052 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3053 3054 // No data, AAD only. 3055 string ciphertext; 3056 size_t input_consumed; 3057 AuthorizationSet update_out_params; 3058 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, 3059 &ciphertext, &input_consumed)); 3060 EXPECT_EQ(0U, input_consumed); 3061 3062 // AAD and data. 3063 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3064 &input_consumed)); 3065 EXPECT_EQ(message.size(), input_consumed); 3066 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3067 3068 // Grab nonce. 3069 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3070 begin_params.push_back(begin_out_params); 3071 3072 // Decrypt 3073 update_params.Clear(); 3074 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); 3075 3076 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3077 string plaintext; 3078 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3079 &plaintext, &input_consumed)); 3080 EXPECT_EQ(ciphertext.size(), input_consumed); 3081 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3082 3083 EXPECT_EQ(message, plaintext); 3084 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3085} 3086 3087TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 3088 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3089 .AesEncryptionKey(128) 3090 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3091 .Authorization(TAG_PADDING, KM_PAD_NONE) 3092 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3093 string message = "12345678901234567890123456789012"; 3094 AuthorizationSet begin_params(client_params()); 3095 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3096 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3097 begin_params.push_back(TAG_MAC_LENGTH, 128); 3098 3099 AuthorizationSet update_params; 3100 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3101 3102 AuthorizationSet finish_params; 3103 AuthorizationSet finish_out_params; 3104 3105 // Encrypt 3106 AuthorizationSet begin_out_params; 3107 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3108 AuthorizationSet update_out_params; 3109 string ciphertext; 3110 size_t input_consumed; 3111 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3112 &input_consumed)); 3113 EXPECT_EQ(message.size(), input_consumed); 3114 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3115 3116 // Grab nonce 3117 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3118 begin_params.push_back(begin_out_params); 3119 3120 update_params.Clear(); 3121 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 3122 3123 // Decrypt. 3124 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3125 string plaintext; 3126 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3127 &plaintext, &input_consumed)); 3128 EXPECT_EQ(ciphertext.size(), input_consumed); 3129 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3130 3131 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3132} 3133 3134TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 3135 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3136 .AesEncryptionKey(128) 3137 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3138 .Authorization(TAG_PADDING, KM_PAD_NONE) 3139 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3140 string message = "12345678901234567890123456789012"; 3141 AuthorizationSet begin_params(client_params()); 3142 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3143 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3144 begin_params.push_back(TAG_MAC_LENGTH, 128); 3145 3146 AuthorizationSet update_params; 3147 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3148 3149 // Encrypt 3150 AuthorizationSet begin_out_params; 3151 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3152 AuthorizationSet update_out_params; 3153 string ciphertext; 3154 size_t input_consumed; 3155 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3156 &input_consumed)); 3157 EXPECT_EQ(message.size(), input_consumed); 3158 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3159 3160 begin_params.push_back(TAG_NONCE, "123456789012", 12); 3161 3162 // Decrypt 3163 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3164 string plaintext; 3165 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3166 &plaintext, &input_consumed)); 3167 EXPECT_EQ(ciphertext.size(), input_consumed); 3168 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3169 3170 // With wrong nonce, should have gotten garbage plaintext. 3171 EXPECT_NE(message, plaintext); 3172 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3173} 3174 3175TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 3176 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3177 .AesEncryptionKey(128) 3178 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3179 .Authorization(TAG_PADDING, KM_PAD_NONE) 3180 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3181 string aad = "foobar"; 3182 string message = "123456789012345678901234567890123456"; 3183 AuthorizationSet begin_params(client_params()); 3184 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3185 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3186 begin_params.push_back(TAG_MAC_LENGTH, 128); 3187 AuthorizationSet begin_out_params; 3188 3189 AuthorizationSet update_params; 3190 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3191 3192 // Encrypt 3193 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3194 AuthorizationSet update_out_params; 3195 string ciphertext; 3196 size_t input_consumed; 3197 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3198 &input_consumed)); 3199 EXPECT_EQ(message.size(), input_consumed); 3200 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3201 3202 // Corrupt tag 3203 (*ciphertext.rbegin())++; 3204 3205 // Grab nonce. 3206 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3207 begin_params.push_back(begin_out_params); 3208 3209 // Decrypt. 3210 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3211 string plaintext; 3212 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3213 &plaintext, &input_consumed)); 3214 EXPECT_EQ(ciphertext.size(), input_consumed); 3215 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3216 3217 EXPECT_EQ(message, plaintext); 3218 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3219} 3220 3221typedef Keymaster2Test MaxOperationsTest; 3222INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); 3223 3224TEST_P(MaxOperationsTest, TestLimit) { 3225 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3226 .AesEncryptionKey(128) 3227 .EcbMode() 3228 .Authorization(TAG_PADDING, KM_PAD_NONE) 3229 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3230 3231 string message = "1234567890123456"; 3232 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3233 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3234 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3235 3236 // Fourth time should fail. 3237 AuthorizationSet begin_params(client_params()); 3238 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3239 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3240 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3241 3242 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3243} 3244 3245TEST_P(MaxOperationsTest, TestAbort) { 3246 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3247 .AesEncryptionKey(128) 3248 .EcbMode() 3249 .Authorization(TAG_PADDING, KM_PAD_NONE) 3250 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3251 3252 string message = "1234567890123456"; 3253 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3254 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3255 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3256 3257 // Fourth time should fail. 3258 AuthorizationSet begin_params(client_params()); 3259 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3260 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3261 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3262 3263 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3264} 3265 3266typedef Keymaster2Test AddEntropyTest; 3267INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 3268 3269TEST_P(AddEntropyTest, AddEntropy) { 3270 // There's no obvious way to test that entropy is actually added, but we can test that the API 3271 // doesn't blow up or return an error. 3272 EXPECT_EQ(KM_ERROR_OK, 3273 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 3274 3275 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3276} 3277 3278typedef Keymaster2Test Keymaster0AdapterTest; 3279INSTANTIATE_TEST_CASE_P( 3280 AndroidKeymasterTest, Keymaster0AdapterTest, 3281 ::testing::Values( 3282 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 3283 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); 3284 3285TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { 3286 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3287 // key data. 3288 string km1_sw = read_file("km1_sw_rsa_512.blob"); 3289 EXPECT_EQ(486U, km1_sw.length()); 3290 3291 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3292 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3293 set_key_blob(key_data, km1_sw.length()); 3294 3295 string message(64, 'a'); 3296 string signature; 3297 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3298 3299 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3300} 3301 3302TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) { 3303 // Load and use an old-style Keymaster1 software key blob, without the version byte. These 3304 // blobs contain OCB-encrypted key data. 3305 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob"); 3306 EXPECT_EQ(477U, km1_sw.length()); 3307 3308 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3309 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3310 set_key_blob(key_data, km1_sw.length()); 3311 3312 string message(64, 'a'); 3313 string signature; 3314 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3315 3316 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3317} 3318 3319TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { 3320 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3321 // key data. 3322 string km1_sw = read_file("km1_sw_ecdsa_256.blob"); 3323 EXPECT_EQ(270U, km1_sw.length()); 3324 3325 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3326 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3327 set_key_blob(key_data, km1_sw.length()); 3328 3329 string message(32, static_cast<char>(0xFF)); 3330 string signature; 3331 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3332 3333 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3334} 3335 3336struct Malloc_Delete { 3337 void operator()(void* p) { free(p); } 3338}; 3339 3340TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { 3341 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3342 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3343 EXPECT_EQ(333U, km0_sw.length()); 3344 3345 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3346 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3347 set_key_blob(key_data, km0_sw.length()); 3348 3349 string message(64, 'a'); 3350 string signature; 3351 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3352 3353 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3354} 3355 3356TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { 3357 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3358 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3359 EXPECT_EQ(333U, km0_sw.length()); 3360 3361 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3362 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3363 set_key_blob(key_data, km0_sw.length()); 3364 3365 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3366 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3367 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3368 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3369 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3370 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3371 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3372 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3373 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3374 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3375 3376 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3377} 3378 3379TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { 3380 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3381 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3382 EXPECT_EQ(333U, km0_sw.length()); 3383 3384 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3385 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3386 EXPECT_EQ('P', km0_sw[0]); 3387 km0_sw[0] = 'Q'; 3388 3389 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3390 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3391 set_key_blob(key_data, km0_sw.length()); 3392 3393 string message(64, 'a'); 3394 string signature; 3395 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3396 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 3397 3398 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 3399} 3400 3401TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { 3402 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3403 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3404 EXPECT_EQ(333U, km0_sw.length()); 3405 3406 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3407 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3408 EXPECT_EQ('P', km0_sw[0]); 3409 km0_sw[0] = 'Q'; 3410 3411 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3412 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3413 set_key_blob(key_data, km0_sw.length()); 3414 3415 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3416 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3417 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); 3418 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3419 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3420 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5)); 3421 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1)); 3422 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224)); 3423 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256)); 3424 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384)); 3425 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512)); 3426 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3427 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT)); 3428 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN)); 3429 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP)); 3430 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS)); 3431 EXPECT_EQ(15U, hw_enforced().size()); 3432 3433 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3434 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3435 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3436 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3437 3438 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3439 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3440 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3441 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3442 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3443 3444 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 3445} 3446 3447TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) { 3448 // Make a good fake device, and wrap it. 3449 SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext)); 3450 3451 // Wrap it and check it. 3452 SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext)); 3453 good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device()); 3454 EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood()); 3455 3456 // Close and clean up wrapper and wrapped 3457 good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device()); 3458 3459 // Make a "bad" (doesn't support all digests) device; 3460 keymaster1_device_t* sha256_only_fake = make_device_sha256_only( 3461 (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device()); 3462 3463 // Wrap it and check it. 3464 SoftKeymasterDevice* sha256_only_fake_wrapper( 3465 (new SoftKeymasterDevice(new TestKeymasterContext))); 3466 sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake); 3467 EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood()); 3468 3469 // Close and clean up wrapper and wrapped 3470 sha256_only_fake_wrapper->keymaster_device()->common.close( 3471 sha256_only_fake_wrapper->hw_device()); 3472} 3473 3474} // namespace test 3475} // namespace keymaster 3476