android_keymaster_test.cpp revision 3e37f0a2c3ccd3606aed6dc4aea4a2c8c6cf7f55
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <fstream> 18#include <string> 19#include <vector> 20 21#include <hardware/keymaster0.h> 22#include <keymaster/soft_keymaster_device.h> 23#include <keymaster/softkeymaster.h> 24 25#include "android_keymaster_test_utils.h" 26 27using std::ifstream; 28using std::istreambuf_iterator; 29using std::string; 30using std::vector; 31using std::unique_ptr; 32 33extern "C" { 34int __android_log_print(int prio, const char* tag, const char* fmt); 35int __android_log_print(int prio, const char* tag, const char* fmt) { 36 (void)prio, (void)tag, (void)fmt; 37 return 0; 38} 39} // extern "C" 40 41namespace keymaster { 42namespace test { 43 44StdoutLogger logger; 45 46class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator { 47 public: 48 keymaster1_device_t* CreateDevice() const override { 49 std::cerr << "Creating software-only device" << std::endl; 50 SoftKeymasterDevice* device = new SoftKeymasterDevice; 51 return device->keymaster_device(); 52 } 53 54 bool algorithm_in_hardware(keymaster_algorithm_t) const override { return false; } 55 int keymaster0_calls() const override { return 0; } 56}; 57 58class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator { 59 public: 60 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} 61 62 keymaster1_device_t* CreateDevice() const { 63 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ 64 << ")." << std::endl; 65 hw_device_t* softkeymaster_device; 66 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 67 &softkeymaster_device)); 68 // Make the software device pretend to be hardware 69 keymaster0_device_t* keymaster0_device = 70 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 71 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; 72 73 if (!support_ec_) { 74 // Make the software device pretend not to support EC 75 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; 76 } 77 78 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 79 80 SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(counting_keymaster0_device_); 81 return keymaster->keymaster_device(); 82 } 83 84 bool algorithm_in_hardware(keymaster_algorithm_t algorithm) const override { 85 switch (algorithm) { 86 case KM_ALGORITHM_RSA: 87 return true; 88 case KM_ALGORITHM_EC: 89 return support_ec_; 90 default: 91 return false; 92 } 93 } 94 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 95 96 private: 97 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 98 bool support_ec_; 99}; 100 101static auto test_params = testing::Values( 102 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 103 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 104 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))); 105 106typedef Keymaster1Test CheckSupported; 107INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params); 108 109TEST_P(CheckSupported, SupportedAlgorithms) { 110 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 111 device()->get_supported_algorithms(device(), NULL, NULL)); 112 113 size_t len; 114 keymaster_algorithm_t* algorithms; 115 EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len)); 116 EXPECT_TRUE(ResponseContains( 117 {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len)); 118 free(algorithms); 119 120 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 121} 122 123TEST_P(CheckSupported, SupportedBlockModes) { 124 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 125 device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 126 NULL, NULL)); 127 128 size_t len; 129 keymaster_block_mode_t* modes; 130 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, 131 KM_PURPOSE_ENCRYPT, &modes, &len)); 132 EXPECT_EQ(0U, len); 133 free(modes); 134 135 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 136 device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT, 137 &modes, &len)); 138 139 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES, 140 KM_PURPOSE_ENCRYPT, &modes, &len)); 141 EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR, KM_MODE_GCM}, modes, len)); 142 free(modes); 143 144 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 145} 146 147TEST_P(CheckSupported, SupportedPaddingModes) { 148 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 149 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 150 NULL, NULL)); 151 152 size_t len; 153 keymaster_padding_t* modes; 154 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 155 KM_PURPOSE_SIGN, &modes, &len)); 156 EXPECT_TRUE( 157 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len)); 158 free(modes); 159 160 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 161 KM_PURPOSE_ENCRYPT, &modes, &len)); 162 EXPECT_TRUE( 163 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len)); 164 free(modes); 165 166 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC, 167 KM_PURPOSE_SIGN, &modes, &len)); 168 EXPECT_EQ(0U, len); 169 free(modes); 170 171 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 172 device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, 173 &modes, &len)); 174 175 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 176} 177 178TEST_P(CheckSupported, SupportedDigests) { 179 EXPECT_EQ( 180 KM_ERROR_OUTPUT_PARAMETER_NULL, 181 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL)); 182 183 size_t len; 184 keymaster_digest_t* digests; 185 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA, 186 KM_PURPOSE_SIGN, &digests, &len)); 187 EXPECT_TRUE( 188 ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 189 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 190 digests, len)); 191 free(digests); 192 193 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 194 KM_PURPOSE_SIGN, &digests, &len)); 195 EXPECT_TRUE( 196 ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 197 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 198 digests, len)); 199 free(digests); 200 201 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 202 device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests, 203 &len)); 204 205 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 206 KM_PURPOSE_SIGN, &digests, &len)); 207 EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, 208 KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1}, 209 digests, len)); 210 free(digests); 211 212 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 213} 214 215TEST_P(CheckSupported, SupportedImportFormats) { 216 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 217 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 218 219 size_t len; 220 keymaster_key_format_t* formats; 221 ASSERT_EQ(KM_ERROR_OK, 222 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 223 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len)); 224 free(formats); 225 226 ASSERT_EQ(KM_ERROR_OK, 227 device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 228 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 229 free(formats); 230 231 ASSERT_EQ(KM_ERROR_OK, 232 device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 233 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 234 free(formats); 235 236 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 237} 238 239TEST_P(CheckSupported, SupportedExportFormats) { 240 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 241 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 242 243 size_t len; 244 keymaster_key_format_t* formats; 245 ASSERT_EQ(KM_ERROR_OK, 246 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 247 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 248 free(formats); 249 250 ASSERT_EQ(KM_ERROR_OK, 251 device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len)); 252 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 253 free(formats); 254 255 ASSERT_EQ(KM_ERROR_OK, 256 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 257 EXPECT_EQ(0U, len); 258 free(formats); 259 260 ASSERT_EQ(KM_ERROR_OK, 261 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 262 EXPECT_EQ(0U, len); 263 free(formats); 264 265 ASSERT_EQ(KM_ERROR_OK, 266 device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 267 EXPECT_EQ(0U, len); 268 free(formats); 269 270 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 271} 272 273class NewKeyGeneration : public Keymaster1Test { 274 protected: 275 void CheckBaseParams() { 276 AuthorizationSet auths = sw_enforced(); 277 EXPECT_GT(auths.SerializedSize(), 12U); 278 279 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 280 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 281 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 282 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 283 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 284 285 // Verify that App ID, App data and ROT are NOT included. 286 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 287 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 288 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 289 290 // Just for giggles, check that some unexpected tags/values are NOT present. 291 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 292 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 293 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 294 295 // Now check that unspecified, defaulted tags are correct. 296 EXPECT_TRUE(contains(auths, TAG_ORIGIN, KM_ORIGIN_GENERATED)); 297 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 298 } 299}; 300INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 301 302TEST_P(NewKeyGeneration, Rsa) { 303 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 304 .RsaSigningKey(256, 3) 305 .Digest(KM_DIGEST_NONE) 306 .Padding(KM_PAD_NONE))); 307 CheckBaseParams(); 308 309 // Check specified tags are all present, and in the right set. 310 AuthorizationSet crypto_params; 311 AuthorizationSet non_crypto_params; 312 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) { 313 EXPECT_NE(0U, hw_enforced().size()); 314 EXPECT_NE(0U, sw_enforced().size()); 315 crypto_params.push_back(hw_enforced()); 316 non_crypto_params.push_back(sw_enforced()); 317 } else { 318 EXPECT_EQ(0U, hw_enforced().size()); 319 EXPECT_NE(0U, sw_enforced().size()); 320 crypto_params.push_back(sw_enforced()); 321 } 322 323 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 324 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 325 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 326 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 327 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 328 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 329 330 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 331 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 332} 333 334TEST_P(NewKeyGeneration, RsaDefaultSize) { 335 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 336 GenerateKey(AuthorizationSetBuilder() 337 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 338 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 339 .SigningKey())); 340 341 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 342} 343 344TEST_P(NewKeyGeneration, Ecdsa) { 345 ASSERT_EQ(KM_ERROR_OK, 346 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 347 CheckBaseParams(); 348 349 // Check specified tags are all present, and in the right set. 350 AuthorizationSet crypto_params; 351 AuthorizationSet non_crypto_params; 352 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) { 353 EXPECT_NE(0U, hw_enforced().size()); 354 EXPECT_NE(0U, sw_enforced().size()); 355 crypto_params.push_back(hw_enforced()); 356 non_crypto_params.push_back(sw_enforced()); 357 } else { 358 EXPECT_EQ(0U, hw_enforced().size()); 359 EXPECT_NE(0U, sw_enforced().size()); 360 crypto_params.push_back(sw_enforced()); 361 } 362 363 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 364 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 365 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 366 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 367 368 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 369 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 370} 371 372TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 373 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 374 GenerateKey(AuthorizationSetBuilder() 375 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 376 .SigningKey() 377 .Digest(KM_DIGEST_NONE))); 378 379 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 380} 381 382TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 383 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 384 ASSERT_EQ( 385 KM_ERROR_UNKNOWN_ERROR, 386 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 387 else 388 ASSERT_EQ( 389 KM_ERROR_UNSUPPORTED_KEY_SIZE, 390 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 391 392 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 393 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 394} 395 396TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 397 size_t valid_sizes[] = {224, 256, 384, 521}; 398 for (size_t size : valid_sizes) { 399 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 400 KM_DIGEST_NONE))) 401 << "Failed to generate size: " 402 << size; 403 } 404 405 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 406 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 407} 408 409TEST_P(NewKeyGeneration, HmacSha256) { 410 ASSERT_EQ(KM_ERROR_OK, 411 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 412 413 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 414} 415 416typedef Keymaster1Test GetKeyCharacteristics; 417INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 418 419TEST_P(GetKeyCharacteristics, SimpleRsa) { 420 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 421 .RsaSigningKey(256, 3) 422 .Digest(KM_DIGEST_NONE) 423 .Padding(KM_PAD_NONE))); 424 AuthorizationSet original(sw_enforced()); 425 426 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 427 EXPECT_EQ(original, sw_enforced()); 428 429 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 430 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 431} 432 433typedef Keymaster1Test SigningOperationsTest; 434INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 435 436TEST_P(SigningOperationsTest, RsaSuccess) { 437 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 438 .RsaSigningKey(256, 3) 439 .Digest(KM_DIGEST_NONE) 440 .Padding(KM_PAD_NONE))); 441 string message = "12345678901234567890123456789012"; 442 string signature; 443 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 444 445 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 446 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 447} 448 449TEST_P(SigningOperationsTest, RsaPssSha256Success) { 450 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 451 .RsaSigningKey(512, 3) 452 .Digest(KM_DIGEST_SHA_2_256) 453 .Padding(KM_PAD_RSA_PSS))); 454 // Use large message, which won't work without digesting. 455 string message(1024, 'a'); 456 string signature; 457 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 458 459 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 460 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 461} 462 463TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 464 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 465 .RsaSigningKey(512, 3) 466 .Digest(KM_DIGEST_SHA_2_256) 467 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 468 string message(1024, 'a'); 469 string signature; 470 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 471 472 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 473 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 474} 475 476TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 477 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 478 // verify that nine bytes larger than hash won't work. 479 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 480 .RsaSigningKey(256 + 9 * 8, 3) 481 .Digest(KM_DIGEST_SHA_2_256) 482 .Padding(KM_PAD_RSA_PSS))); 483 string message(1024, 'a'); 484 string signature; 485 486 AuthorizationSet begin_params(client_params()); 487 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 488 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 489 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 490} 491 492TEST_P(SigningOperationsTest, RsaAbort) { 493 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 494 .RsaSigningKey(256, 3) 495 .Digest(KM_DIGEST_NONE) 496 .Padding(KM_PAD_NONE))); 497 AuthorizationSet begin_params(client_params()); 498 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 499 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 500 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 501 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 502 // Another abort should fail 503 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 504 505 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 506 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 507} 508 509TEST_P(SigningOperationsTest, RsaUnsupportedDigest) { 510 GenerateKey(AuthorizationSetBuilder() 511 .RsaSigningKey(256, 3) 512 .Digest(KM_DIGEST_MD5) 513 .Padding(KM_PAD_RSA_PSS /* supported padding */)); 514 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_SIGN)); 515 516 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 517 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 518} 519 520TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 521 GenerateKey(AuthorizationSetBuilder() 522 .RsaSigningKey(256, 3) 523 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 524 .Padding(KM_PAD_PKCS7)); 525 AuthorizationSet begin_params(client_params()); 526 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 527 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 528 529 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 530 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 531} 532 533TEST_P(SigningOperationsTest, RsaNoDigest) { 534 // PSS requires a digest. 535 GenerateKey(AuthorizationSetBuilder() 536 .RsaSigningKey(256, 3) 537 .Digest(KM_DIGEST_NONE) 538 .Padding(KM_PAD_RSA_PSS)); 539 AuthorizationSet begin_params(client_params()); 540 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 541 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 542 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 543 544 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 545 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 546} 547 548TEST_P(SigningOperationsTest, RsaNoPadding) { 549 // Padding must be specified 550 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 551 KM_DIGEST_NONE))); 552 AuthorizationSet begin_params(client_params()); 553 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 554 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 555 556 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 557 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 558} 559 560TEST_P(SigningOperationsTest, RsaTooShortMessage) { 561 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 562 .RsaSigningKey(256, 3) 563 .Digest(KM_DIGEST_NONE) 564 .Padding(KM_PAD_NONE))); 565 AuthorizationSet begin_params(client_params()); 566 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 567 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 568 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 569 570 string message = "1234567890123456789012345678901"; 571 string result; 572 size_t input_consumed; 573 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 574 EXPECT_EQ(0U, result.size()); 575 EXPECT_EQ(31U, input_consumed); 576 577 string signature; 578 ASSERT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&signature)); 579 EXPECT_EQ(0U, signature.length()); 580 581 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 582 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 583} 584 585TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 586 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 587 .RsaEncryptionKey(256, 3) 588 .Digest(KM_DIGEST_NONE) 589 .Padding(KM_PAD_NONE))); 590 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 591 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 592 593 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 594 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 595} 596 597TEST_P(SigningOperationsTest, EcdsaSuccess) { 598 ASSERT_EQ(KM_ERROR_OK, 599 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 600 string message(1024, 'a'); 601 string signature; 602 SignMessage(message, &signature, KM_DIGEST_NONE); 603 604 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 605 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 606} 607 608TEST_P(SigningOperationsTest, EcdsaSha256Success) { 609 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 610 KM_DIGEST_SHA_2_256))); 611 string message(1024, 'a'); 612 string signature; 613 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 614 615 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 616 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 617} 618 619TEST_P(SigningOperationsTest, AesEcbSign) { 620 ASSERT_EQ(KM_ERROR_OK, 621 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 622 TAG_BLOCK_MODE, KM_MODE_ECB))); 623 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 624 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 625 626 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 627} 628 629TEST_P(SigningOperationsTest, HmacSha1Success) { 630 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 631 string message = "12345678901234567890123456789012"; 632 string signature; 633 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 634 ASSERT_EQ(20U, signature.size()); 635 636 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 637} 638 639TEST_P(SigningOperationsTest, HmacSha224Success) { 640 ASSERT_EQ(KM_ERROR_OK, 641 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224))); 642 string message = "12345678901234567890123456789012"; 643 string signature; 644 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 645 ASSERT_EQ(28U, signature.size()); 646 647 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 648} 649 650TEST_P(SigningOperationsTest, HmacSha256Success) { 651 ASSERT_EQ(KM_ERROR_OK, 652 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 653 string message = "12345678901234567890123456789012"; 654 string signature; 655 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 656 ASSERT_EQ(32U, signature.size()); 657 658 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 659} 660 661TEST_P(SigningOperationsTest, HmacSha384Success) { 662 ASSERT_EQ(KM_ERROR_OK, 663 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384))); 664 665 string message = "12345678901234567890123456789012"; 666 string signature; 667 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 668 ASSERT_EQ(48U, signature.size()); 669 670 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 671} 672 673TEST_P(SigningOperationsTest, HmacSha512Success) { 674 ASSERT_EQ(KM_ERROR_OK, 675 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512))); 676 string message = "12345678901234567890123456789012"; 677 string signature; 678 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 679 ASSERT_EQ(64U, signature.size()); 680 681 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 682} 683 684TEST_P(SigningOperationsTest, HmacLengthInKey) { 685 // TODO(swillden): unified API should generate an error on key generation. 686 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 687 .HmacKey(128) 688 .Digest(KM_DIGEST_SHA_2_256) 689 .Authorization(TAG_MAC_LENGTH, 20))); 690 string message = "12345678901234567890123456789012"; 691 string signature; 692 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 240); 693 // Size in key was ignored. 694 ASSERT_EQ(30U, signature.size()); 695 696 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 697} 698 699TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 700 uint8_t key_data[] = { 701 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 702 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 703 }; 704 string message = "Hi There"; 705 uint8_t sha_224_expected[] = { 706 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 707 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 708 }; 709 uint8_t sha_256_expected[] = { 710 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 711 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 712 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 713 }; 714 uint8_t sha_384_expected[] = { 715 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 716 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 717 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 718 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 719 }; 720 uint8_t sha_512_expected[] = { 721 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 722 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 723 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 724 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 725 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 726 }; 727 728 string key = make_string(key_data); 729 730 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 731 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 732 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 733 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 734 735 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 736} 737 738TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 739 string key = "Jefe"; 740 string message = "what do ya want for nothing?"; 741 uint8_t sha_224_expected[] = { 742 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 743 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 744 }; 745 uint8_t sha_256_expected[] = { 746 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 747 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 748 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 749 }; 750 uint8_t sha_384_expected[] = { 751 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 752 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 753 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 754 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 755 }; 756 uint8_t sha_512_expected[] = { 757 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 758 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 759 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 760 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 761 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 762 }; 763 764 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 765 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 766 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 767 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 768 769 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 770} 771 772TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 773 string key(20, 0xaa); 774 string message(50, 0xdd); 775 uint8_t sha_224_expected[] = { 776 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 777 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 778 }; 779 uint8_t sha_256_expected[] = { 780 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 781 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 782 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 783 }; 784 uint8_t sha_384_expected[] = { 785 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 786 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 787 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 788 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 789 }; 790 uint8_t sha_512_expected[] = { 791 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 792 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 793 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 794 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 795 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 796 }; 797 798 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 799 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 800 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 801 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 802 803 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 804} 805 806TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 807 uint8_t key_data[25] = { 808 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 809 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 810 }; 811 string key = make_string(key_data); 812 string message(50, 0xcd); 813 uint8_t sha_224_expected[] = { 814 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 815 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 816 }; 817 uint8_t sha_256_expected[] = { 818 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 819 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 820 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 821 }; 822 uint8_t sha_384_expected[] = { 823 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 824 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 825 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 826 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 827 }; 828 uint8_t sha_512_expected[] = { 829 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 830 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 831 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 832 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 833 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 834 }; 835 836 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 837 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 838 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 839 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 840 841 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 842} 843 844TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 845 string key(20, 0x0c); 846 string message = "Test With Truncation"; 847 848 uint8_t sha_224_expected[] = { 849 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 850 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 851 }; 852 uint8_t sha_256_expected[] = { 853 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 854 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 855 }; 856 uint8_t sha_384_expected[] = { 857 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 858 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 859 }; 860 uint8_t sha_512_expected[] = { 861 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 862 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 863 }; 864 865 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 866 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 867 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 868 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 869 870 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 871} 872 873TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 874 string key(131, 0xaa); 875 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 876 877 uint8_t sha_224_expected[] = { 878 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 879 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 880 }; 881 uint8_t sha_256_expected[] = { 882 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 883 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 884 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 885 }; 886 uint8_t sha_384_expected[] = { 887 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 888 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 889 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 890 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 891 }; 892 uint8_t sha_512_expected[] = { 893 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 894 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 895 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 896 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 897 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 898 }; 899 900 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 901 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 902 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 903 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 904 905 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 906} 907 908TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 909 string key(131, 0xaa); 910 string message = "This is a test using a larger than block-size key and a larger than " 911 "block-size data. The key needs to be hashed before being used by the HMAC " 912 "algorithm."; 913 914 uint8_t sha_224_expected[] = { 915 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 916 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 917 }; 918 uint8_t sha_256_expected[] = { 919 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 920 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 921 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 922 }; 923 uint8_t sha_384_expected[] = { 924 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 925 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 926 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 927 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 928 }; 929 uint8_t sha_512_expected[] = { 930 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 931 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 932 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 933 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 934 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 935 }; 936 937 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 938 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 939 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 940 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 941 942 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 943} 944 945TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 946 ASSERT_EQ(KM_ERROR_OK, 947 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256))); 948 AuthorizationSet begin_params(client_params()); 949 begin_params.push_back(TAG_MAC_LENGTH, 264); 950 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 951 ASSERT_EQ(KM_ERROR_OK, 952 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 953 string message = "1234567890123456789012345678901"; 954 string result; 955 size_t input_consumed; 956 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 957 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, FinishOperation(&result)); 958 959 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 960} 961 962// TODO(swillden): Add more verification failure tests. 963 964typedef Keymaster1Test VerificationOperationsTest; 965INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 966 967TEST_P(VerificationOperationsTest, RsaSuccess) { 968 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 969 .RsaSigningKey(256, 3) 970 .Digest(KM_DIGEST_NONE) 971 .Padding(KM_PAD_NONE))); 972 string message = "12345678901234567890123456789012"; 973 string signature; 974 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 975 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 976 977 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 978 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 979} 980 981TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 982 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 983 .RsaSigningKey(512, 3) 984 .Digest(KM_DIGEST_SHA_2_256) 985 .Padding(KM_PAD_RSA_PSS))); 986 // Use large message, which won't work without digesting. 987 string message(1024, 'a'); 988 string signature; 989 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 990 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 991 992 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 993 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 994} 995 996TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 997 GenerateKey(AuthorizationSetBuilder() 998 .RsaSigningKey(512, 3) 999 .Digest(KM_DIGEST_SHA_2_256) 1000 .Padding(KM_PAD_RSA_PSS)); 1001 string message(1024, 'a'); 1002 string signature; 1003 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1004 ++signature[signature.size() / 2]; 1005 1006 AuthorizationSet begin_params(client_params()); 1007 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1008 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1009 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1010 1011 string result; 1012 size_t input_consumed; 1013 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1014 EXPECT_EQ(message.size(), input_consumed); 1015 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1016 1017 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1018 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1019} 1020 1021TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1022 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1023 .RsaSigningKey(512, 3) 1024 .Digest(KM_DIGEST_SHA_2_256) 1025 .Padding(KM_PAD_RSA_PSS))); 1026 // Use large message, which won't work without digesting. 1027 string message(1024, 'a'); 1028 string signature; 1029 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1030 ++message[message.size() / 2]; 1031 1032 AuthorizationSet begin_params(client_params()); 1033 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1034 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1035 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1036 1037 string result; 1038 size_t input_consumed; 1039 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1040 EXPECT_EQ(message.size(), input_consumed); 1041 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1042 1043 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1044 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1045} 1046 1047TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1048 GenerateKey(AuthorizationSetBuilder() 1049 .RsaSigningKey(512, 3) 1050 .Digest(KM_DIGEST_SHA_2_256) 1051 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1052 string message(1024, 'a'); 1053 string signature; 1054 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1055 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1056 1057 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1058 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1059} 1060 1061TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1062 GenerateKey(AuthorizationSetBuilder() 1063 .RsaSigningKey(512, 3) 1064 .Digest(KM_DIGEST_SHA_2_256) 1065 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1066 string message(1024, 'a'); 1067 string signature; 1068 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1069 ++signature[signature.size() / 2]; 1070 1071 AuthorizationSet begin_params(client_params()); 1072 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1073 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1074 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1075 1076 string result; 1077 size_t input_consumed; 1078 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1079 EXPECT_EQ(message.size(), input_consumed); 1080 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1081 1082 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1083 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1084} 1085 1086TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1087 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1088 .RsaSigningKey(512, 3) 1089 .Digest(KM_DIGEST_SHA_2_256) 1090 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1091 // Use large message, which won't work without digesting. 1092 string message(1024, 'a'); 1093 string signature; 1094 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1095 ++message[message.size() / 2]; 1096 1097 AuthorizationSet begin_params(client_params()); 1098 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1099 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1100 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1101 1102 string result; 1103 size_t input_consumed; 1104 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1105 EXPECT_EQ(message.size(), input_consumed); 1106 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1107 1108 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1109 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1110} 1111 1112template <typename T> vector<T> make_vector(const T* array, size_t len) { 1113 return vector<T>(array, array + len); 1114} 1115 1116TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1117 // Get all supported digests and padding modes. 1118 size_t digests_len; 1119 keymaster_digest_t* digests; 1120 ASSERT_EQ(KM_ERROR_OK, 1121 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, &digests, 1122 &digests_len)); 1123 1124 size_t padding_modes_len; 1125 keymaster_padding_t* padding_modes; 1126 ASSERT_EQ(KM_ERROR_OK, 1127 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, 1128 &padding_modes, &padding_modes_len)); 1129 1130 // Try them. 1131 int trial_count = 0; 1132 for (keymaster_padding_t padding_mode : make_vector(padding_modes, padding_modes_len)) { 1133 for (keymaster_digest_t digest : make_vector(digests, digests_len)) { 1134 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1135 // Digesting requires padding 1136 continue; 1137 1138 // Compute key & message size that will work. 1139 size_t key_bits = 0; 1140 size_t message_len = 1000; 1141 1142 if (digest == KM_DIGEST_NONE) { 1143 key_bits = 256; 1144 switch (padding_mode) { 1145 case KM_PAD_NONE: 1146 // Match key size. 1147 message_len = key_bits / 8; 1148 break; 1149 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1150 message_len = key_bits / 8 - 11; 1151 break; 1152 case KM_PAD_RSA_PSS: 1153 // PSS requires a digest. 1154 continue; 1155 default: 1156 FAIL() << "Missing padding"; 1157 break; 1158 } 1159 } else { 1160 size_t digest_bits; 1161 switch (digest) { 1162 case KM_DIGEST_MD5: 1163 digest_bits = 128; 1164 break; 1165 case KM_DIGEST_SHA1: 1166 digest_bits = 160; 1167 break; 1168 case KM_DIGEST_SHA_2_224: 1169 digest_bits = 224; 1170 break; 1171 case KM_DIGEST_SHA_2_256: 1172 digest_bits = 256; 1173 break; 1174 case KM_DIGEST_SHA_2_384: 1175 digest_bits = 384; 1176 break; 1177 case KM_DIGEST_SHA_2_512: 1178 digest_bits = 512; 1179 break; 1180 default: 1181 FAIL() << "Missing digest"; 1182 } 1183 1184 switch (padding_mode) { 1185 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1186 key_bits = digest_bits + 8 * (11 + 19); 1187 break; 1188 case KM_PAD_RSA_PSS: 1189 key_bits = digest_bits + 8 * 10; 1190 break; 1191 default: 1192 FAIL() << "Missing padding"; 1193 break; 1194 } 1195 } 1196 1197 GenerateKey(AuthorizationSetBuilder() 1198 .RsaSigningKey(key_bits, 3) 1199 .Digest(digest) 1200 .Padding(padding_mode)); 1201 string message(message_len, 'a'); 1202 string signature; 1203 SignMessage(message, &signature, digest, padding_mode); 1204 VerifyMessage(message, signature, digest, padding_mode); 1205 ++trial_count; 1206 } 1207 } 1208 1209 free(padding_modes); 1210 free(digests); 1211 1212 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1213 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1214} 1215 1216TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1217 ASSERT_EQ(KM_ERROR_OK, 1218 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1219 string message = "123456789012345678901234567890123456789012345678"; 1220 string signature; 1221 SignMessage(message, &signature, KM_DIGEST_NONE); 1222 VerifyMessage(message, signature, KM_DIGEST_NONE); 1223 1224 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1225 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1226} 1227 1228TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1229 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1230 .EcdsaSigningKey(256) 1231 .Digest(KM_DIGEST_SHA_2_256) 1232 .Digest(KM_DIGEST_NONE))); 1233 string message = "123456789012345678901234567890123456789012345678"; 1234 string signature; 1235 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1236 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1237 1238 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1239 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1240 1241 // Just for giggles, try verifying with the wrong digest. 1242 AuthorizationSet begin_params(client_params()); 1243 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1244 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1245 1246 string result; 1247 size_t input_consumed; 1248 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1249 EXPECT_EQ(message.size(), input_consumed); 1250 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1251} 1252 1253TEST_P(VerificationOperationsTest, HmacSha1Success) { 1254 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA1)); 1255 string message = "123456789012345678901234567890123456789012345678"; 1256 string signature; 1257 MacMessage(message, &signature, KM_DIGEST_SHA1, 160); 1258 VerifyMessage(message, signature, KM_DIGEST_SHA1); 1259 1260 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1261} 1262 1263TEST_P(VerificationOperationsTest, HmacSha224Success) { 1264 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_224)); 1265 string message = "123456789012345678901234567890123456789012345678"; 1266 string signature; 1267 MacMessage(message, &signature, KM_DIGEST_SHA_2_224, 224); 1268 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); 1269 1270 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1271} 1272 1273TEST_P(VerificationOperationsTest, HmacSha256Success) { 1274 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_256)); 1275 string message = "123456789012345678901234567890123456789012345678"; 1276 string signature; 1277 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 256); 1278 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1279 1280 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1281} 1282 1283TEST_P(VerificationOperationsTest, HmacSha384Success) { 1284 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_384)); 1285 string message = "123456789012345678901234567890123456789012345678"; 1286 string signature; 1287 MacMessage(message, &signature, KM_DIGEST_SHA_2_384, 384); 1288 VerifyMessage(message, signature, KM_DIGEST_SHA_2_384); 1289 1290 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1291} 1292 1293TEST_P(VerificationOperationsTest, HmacSha512Success) { 1294 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_SHA_2_512)); 1295 string message = "123456789012345678901234567890123456789012345678"; 1296 string signature; 1297 MacMessage(message, &signature, KM_DIGEST_SHA_2_512, 512); 1298 VerifyMessage(message, signature, KM_DIGEST_SHA_2_512); 1299 1300 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1301} 1302 1303typedef Keymaster1Test ExportKeyTest; 1304INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1305 1306TEST_P(ExportKeyTest, RsaSuccess) { 1307 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1308 .RsaSigningKey(256, 3) 1309 .Digest(KM_DIGEST_NONE) 1310 .Padding(KM_PAD_NONE))); 1311 string export_data; 1312 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1313 EXPECT_GT(export_data.length(), 0U); 1314 1315 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1316 1317 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1318 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1319} 1320 1321TEST_P(ExportKeyTest, EcdsaSuccess) { 1322 ASSERT_EQ(KM_ERROR_OK, 1323 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1324 string export_data; 1325 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1326 EXPECT_GT(export_data.length(), 0U); 1327 1328 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1329 1330 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1331 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1332} 1333 1334TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1335 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1336 .RsaSigningKey(256, 3) 1337 .Digest(KM_DIGEST_NONE) 1338 .Padding(KM_PAD_NONE))); 1339 string export_data; 1340 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1341 1342 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1343 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1344} 1345 1346TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1347 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1348 .RsaSigningKey(256, 3) 1349 .Digest(KM_DIGEST_NONE) 1350 .Padding(KM_PAD_NONE))); 1351 corrupt_key_blob(); 1352 string export_data; 1353 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1354 1355 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1356 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1357} 1358 1359TEST_P(ExportKeyTest, AesKeyExportFails) { 1360 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1361 string export_data; 1362 1363 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1364 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1365 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1366 1367 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1368} 1369 1370static string read_file(const string& file_name) { 1371 ifstream file_stream(file_name, std::ios::binary); 1372 istreambuf_iterator<char> file_begin(file_stream); 1373 istreambuf_iterator<char> file_end; 1374 return string(file_begin, file_end); 1375} 1376 1377typedef Keymaster1Test ImportKeyTest; 1378INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1379 1380TEST_P(ImportKeyTest, RsaSuccess) { 1381 string pk8_key = read_file("rsa_privkey_pk8.der"); 1382 ASSERT_EQ(633U, pk8_key.size()); 1383 1384 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1385 .RsaSigningKey(1024, 65537) 1386 .Digest(KM_DIGEST_NONE) 1387 .Padding(KM_PAD_NONE), 1388 KM_KEY_FORMAT_PKCS8, pk8_key)); 1389 1390 // Check values derived from the key. 1391 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1392 : sw_enforced(), 1393 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1394 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1395 : sw_enforced(), 1396 TAG_KEY_SIZE, 1024)); 1397 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1398 : sw_enforced(), 1399 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1400 1401 // And values provided by AndroidKeymaster 1402 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1403 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1404 1405 string message(1024 / 8, 'a'); 1406 string signature; 1407 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1408 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1409 1410 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1411 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1412} 1413 1414TEST_P(ImportKeyTest, OldApiRsaSuccess) { 1415 string pk8_key = read_file("rsa_privkey_pk8.der"); 1416 ASSERT_EQ(633U, pk8_key.size()); 1417 1418 // NOTE: This will break when the keymaster0 APIs are removed from keymaster1. But at that 1419 // point softkeymaster will no longer support keymaster0 APIs anyway. 1420 uint8_t* key_blob; 1421 size_t key_blob_length; 1422 ASSERT_EQ(0, 1423 device()->import_keypair(device(), reinterpret_cast<const uint8_t*>(pk8_key.data()), 1424 pk8_key.size(), &key_blob, &key_blob_length)); 1425 set_key_blob(key_blob, key_blob_length); 1426 1427 string message(1024 / 8, 'a'); 1428 AuthorizationSet begin_params; // Don't use client data. 1429 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1430 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1431 AuthorizationSet update_params; 1432 AuthorizationSet output_params; 1433 string signature = 1434 ProcessMessage(KM_PURPOSE_SIGN, message, begin_params, update_params, &output_params); 1435 ProcessMessage(KM_PURPOSE_VERIFY, message, signature, begin_params, update_params, 1436 &output_params); 1437 1438 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1439 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1440} 1441 1442TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1443 string pk8_key = read_file("rsa_privkey_pk8.der"); 1444 ASSERT_EQ(633U, pk8_key.size()); 1445 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1446 ImportKey(AuthorizationSetBuilder() 1447 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1448 .Digest(KM_DIGEST_NONE) 1449 .Padding(KM_PAD_NONE), 1450 KM_KEY_FORMAT_PKCS8, pk8_key)); 1451 1452 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1453} 1454 1455TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1456 string pk8_key = read_file("rsa_privkey_pk8.der"); 1457 ASSERT_EQ(633U, pk8_key.size()); 1458 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1459 ImportKey(AuthorizationSetBuilder() 1460 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1461 .Digest(KM_DIGEST_NONE) 1462 .Padding(KM_PAD_NONE), 1463 KM_KEY_FORMAT_PKCS8, pk8_key)); 1464 1465 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1466} 1467 1468TEST_P(ImportKeyTest, EcdsaSuccess) { 1469 string pk8_key = read_file("ec_privkey_pk8.der"); 1470 ASSERT_EQ(138U, pk8_key.size()); 1471 1472 ASSERT_EQ(KM_ERROR_OK, 1473 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1474 KM_KEY_FORMAT_PKCS8, pk8_key)); 1475 1476 // Check values derived from the key. 1477 EXPECT_TRUE( 1478 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1479 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1480 EXPECT_TRUE( 1481 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1482 TAG_KEY_SIZE, 256)); 1483 1484 // And values provided by AndroidKeymaster 1485 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1486 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1487 1488 string message(1024 / 8, 'a'); 1489 string signature; 1490 SignMessage(message, &signature, KM_DIGEST_NONE); 1491 VerifyMessage(message, signature, KM_DIGEST_NONE); 1492 1493 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1494 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1495} 1496 1497TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1498 string pk8_key = read_file("ec_privkey_pk8.der"); 1499 ASSERT_EQ(138U, pk8_key.size()); 1500 1501 ASSERT_EQ(KM_ERROR_OK, 1502 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1503 KM_KEY_FORMAT_PKCS8, pk8_key)); 1504 1505 // Check values derived from the key. 1506 EXPECT_TRUE( 1507 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1508 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1509 EXPECT_TRUE( 1510 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1511 TAG_KEY_SIZE, 256)); 1512 1513 // And values provided by AndroidKeymaster 1514 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1515 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1516 1517 string message(1024 / 8, 'a'); 1518 string signature; 1519 SignMessage(message, &signature, KM_DIGEST_NONE); 1520 VerifyMessage(message, signature, KM_DIGEST_NONE); 1521 1522 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1523 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1524} 1525 1526TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1527 string pk8_key = read_file("ec_privkey_pk8.der"); 1528 ASSERT_EQ(138U, pk8_key.size()); 1529 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1530 ImportKey(AuthorizationSetBuilder() 1531 .EcdsaSigningKey(224 /* Doesn't match key */) 1532 .Digest(KM_DIGEST_NONE), 1533 KM_KEY_FORMAT_PKCS8, pk8_key)); 1534 1535 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1536} 1537 1538TEST_P(ImportKeyTest, AesKeySuccess) { 1539 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1540 string key(key_data, sizeof(key_data)); 1541 ASSERT_EQ(KM_ERROR_OK, 1542 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1543 TAG_PADDING, KM_PAD_PKCS7), 1544 KM_KEY_FORMAT_RAW, key)); 1545 1546 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1547 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1548 1549 string message = "Hello World!"; 1550 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1551 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1552 EXPECT_EQ(message, plaintext); 1553 1554 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1555} 1556 1557TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1558 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1559 string key(key_data, sizeof(key_data)); 1560 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1561 .HmacKey(sizeof(key_data) * 8) 1562 .Digest(KM_DIGEST_SHA_2_256) 1563 .Authorization(TAG_MAC_LENGTH, 32), 1564 KM_KEY_FORMAT_RAW, key)); 1565 1566 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1567 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1568 1569 string message = "Hello World!"; 1570 string signature; 1571 MacMessage(message, &signature, KM_DIGEST_SHA_2_256, 32); 1572 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1573 1574 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1575} 1576 1577typedef Keymaster1Test EncryptionOperationsTest; 1578INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1579 1580TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 1581 ASSERT_EQ(KM_ERROR_OK, 1582 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1583 1584 string message = "12345678901234567890123456789012"; 1585 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 1586 EXPECT_EQ(256U / 8, ciphertext1.size()); 1587 1588 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 1589 EXPECT_EQ(256U / 8, ciphertext2.size()); 1590 1591 // Unpadded RSA is deterministic 1592 EXPECT_EQ(ciphertext1, ciphertext2); 1593 1594 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1595 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1596} 1597 1598TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 1599 ASSERT_EQ(KM_ERROR_OK, 1600 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1601 1602 string message = "1234567890123456789012345678901"; 1603 1604 AuthorizationSet begin_params(client_params()); 1605 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1606 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1607 1608 string result; 1609 size_t input_consumed; 1610 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1611 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1612 EXPECT_EQ(0U, result.size()); 1613 1614 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1615 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1616} 1617 1618TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 1619 ASSERT_EQ(KM_ERROR_OK, 1620 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1621 1622 string message = "123456789012345678901234567890123"; 1623 1624 AuthorizationSet begin_params(client_params()); 1625 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1626 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1627 1628 string result; 1629 size_t input_consumed; 1630 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1631 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1632 EXPECT_EQ(0U, result.size()); 1633 1634 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1635 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1636} 1637 1638TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 1639 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1640 KM_PAD_RSA_OAEP))); 1641 1642 string message = "Hello World!"; 1643 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1644 EXPECT_EQ(512U / 8, ciphertext1.size()); 1645 1646 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1647 EXPECT_EQ(512U / 8, ciphertext2.size()); 1648 1649 // OAEP randomizes padding so every result should be different. 1650 EXPECT_NE(ciphertext1, ciphertext2); 1651 1652 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1653 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1654} 1655 1656TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 1657 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1658 KM_PAD_RSA_OAEP))); 1659 string message = "Hello World!"; 1660 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1661 EXPECT_EQ(512U / 8, ciphertext.size()); 1662 1663 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_OAEP); 1664 EXPECT_EQ(message, plaintext); 1665 1666 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1667 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1668} 1669 1670TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 1671 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1672 KM_PAD_RSA_OAEP))); 1673 string message = "12345678901234567890123"; 1674 string result; 1675 size_t input_consumed; 1676 1677 AuthorizationSet begin_params(client_params()); 1678 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1679 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1680 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1681 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1682 EXPECT_EQ(0U, result.size()); 1683 1684 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1685 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1686} 1687 1688TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 1689 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1690 KM_PAD_RSA_OAEP))); 1691 string message = "Hello World!"; 1692 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_OAEP); 1693 EXPECT_EQ(512U / 8, ciphertext.size()); 1694 1695 // Corrupt the ciphertext 1696 ciphertext[512 / 8 / 2]++; 1697 1698 string result; 1699 size_t input_consumed; 1700 AuthorizationSet begin_params(client_params()); 1701 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 1702 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1703 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 1704 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 1705 EXPECT_EQ(0U, result.size()); 1706 1707 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1708 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1709} 1710 1711TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 1712 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1713 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1714 string message = "Hello World!"; 1715 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1716 EXPECT_EQ(512U / 8, ciphertext1.size()); 1717 1718 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1719 EXPECT_EQ(512U / 8, ciphertext2.size()); 1720 1721 // PKCS1 v1.5 randomizes padding so every result should be different. 1722 EXPECT_NE(ciphertext1, ciphertext2); 1723 1724 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1725 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1726} 1727 1728TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 1729 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1730 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1731 string message = "Hello World!"; 1732 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1733 EXPECT_EQ(512U / 8, ciphertext.size()); 1734 1735 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1736 EXPECT_EQ(message, plaintext); 1737 1738 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1739 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1740} 1741 1742TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 1743 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1744 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1745 string message = "123456789012345678901234567890123456789012345678901234"; 1746 string result; 1747 size_t input_consumed; 1748 1749 AuthorizationSet begin_params(client_params()); 1750 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1751 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1752 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1753 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 1754 EXPECT_EQ(0U, result.size()); 1755 1756 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1757 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1758} 1759 1760TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 1761 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 1762 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 1763 string message = "Hello World!"; 1764 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1765 EXPECT_EQ(512U / 8, ciphertext.size()); 1766 1767 // Corrupt the ciphertext 1768 ciphertext[512 / 8 / 2]++; 1769 1770 string result; 1771 size_t input_consumed; 1772 AuthorizationSet begin_params(client_params()); 1773 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 1774 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1775 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 1776 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 1777 EXPECT_EQ(0U, result.size()); 1778 1779 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1780 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1781} 1782 1783TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 1784 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1785 .RsaSigningKey(256, 3) 1786 .Digest(KM_DIGEST_NONE) 1787 .Padding(KM_PAD_NONE))); 1788 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1789 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1790 1791 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1792 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1793} 1794 1795TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 1796 ASSERT_EQ(KM_ERROR_OK, 1797 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1798 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1799 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1800 1801 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1802 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1803} 1804 1805TEST_P(EncryptionOperationsTest, HmacEncrypt) { 1806 ASSERT_EQ( 1807 KM_ERROR_OK, 1808 GenerateKey( 1809 AuthorizationSetBuilder().HmacKey(128).Digest(KM_DIGEST_NONE).Padding(KM_PAD_NONE))); 1810 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 1811 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 1812 1813 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1814} 1815 1816TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 1817 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1818 .AesEncryptionKey(128) 1819 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1820 .Padding(KM_PAD_NONE))); 1821 // Two-block message. 1822 string message = "12345678901234567890123456789012"; 1823 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 1824 EXPECT_EQ(message.size(), ciphertext1.size()); 1825 1826 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 1827 EXPECT_EQ(message.size(), ciphertext2.size()); 1828 1829 // ECB is deterministic. 1830 EXPECT_EQ(ciphertext1, ciphertext2); 1831 1832 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 1833 EXPECT_EQ(message, plaintext); 1834 1835 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1836} 1837 1838TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 1839 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1840 .AesEncryptionKey(128) 1841 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1842 .Padding(KM_PAD_NONE))); 1843 // Message is slightly shorter than two blocks. 1844 string message = "1234567890123456789012345678901"; 1845 1846 AuthorizationSet begin_params(client_params()); 1847 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 1848 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1849 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1850 string ciphertext; 1851 size_t input_consumed; 1852 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 1853 EXPECT_EQ(message.size(), input_consumed); 1854 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 1855 1856 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1857} 1858 1859TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 1860 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1861 .AesEncryptionKey(128) 1862 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1863 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 1864 1865 // Try various message lengths; all should work. 1866 for (size_t i = 0; i < 32; ++i) { 1867 string message(i, 'a'); 1868 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1869 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 1870 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1871 EXPECT_EQ(message, plaintext); 1872 } 1873 1874 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1875} 1876 1877TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 1878 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1879 .AesEncryptionKey(128) 1880 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 1881 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 1882 1883 string message = "a"; 1884 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1885 EXPECT_EQ(16U, ciphertext.size()); 1886 EXPECT_NE(ciphertext, message); 1887 ++ciphertext[ciphertext.size() / 2]; 1888 1889 AuthorizationSet begin_params(client_params()); 1890 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 1891 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 1892 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 1893 string plaintext; 1894 size_t input_consumed; 1895 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 1896 EXPECT_EQ(ciphertext.size(), input_consumed); 1897 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 1898 1899 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1900} 1901 1902TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 1903 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1904 .AesEncryptionKey(128) 1905 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1906 .Padding(KM_PAD_NONE))); 1907 string message = "123"; 1908 string iv1; 1909 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 1910 EXPECT_EQ(message.size(), ciphertext1.size()); 1911 EXPECT_EQ(16U, iv1.size()); 1912 1913 string iv2; 1914 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 1915 EXPECT_EQ(message.size(), ciphertext2.size()); 1916 EXPECT_EQ(16U, iv2.size()); 1917 1918 // IVs should be random, so ciphertexts should differ. 1919 EXPECT_NE(iv1, iv2); 1920 EXPECT_NE(ciphertext1, ciphertext2); 1921 1922 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 1923 EXPECT_EQ(message, plaintext); 1924 1925 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1926} 1927 1928TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 1929 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1930 .AesEncryptionKey(128) 1931 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 1932 .Padding(KM_PAD_NONE))); 1933 1934 int increment = 15; 1935 string message(239, 'a'); 1936 AuthorizationSet input_params(client_params()); 1937 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1938 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 1939 AuthorizationSet output_params; 1940 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 1941 1942 string ciphertext; 1943 size_t input_consumed; 1944 for (size_t i = 0; i < message.size(); i += increment) 1945 EXPECT_EQ(KM_ERROR_OK, 1946 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 1947 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 1948 EXPECT_EQ(message.size(), ciphertext.size()); 1949 1950 // Move TAG_NONCE into input_params 1951 input_params.Reinitialize(output_params); 1952 input_params.push_back(client_params()); 1953 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 1954 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 1955 output_params.Clear(); 1956 1957 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 1958 string plaintext; 1959 for (size_t i = 0; i < ciphertext.size(); i += increment) 1960 EXPECT_EQ(KM_ERROR_OK, 1961 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 1962 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 1963 EXPECT_EQ(ciphertext.size(), plaintext.size()); 1964 EXPECT_EQ(message, plaintext); 1965 1966 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1967} 1968 1969struct AesCtrSp80038aTestVector { 1970 const char* key; 1971 const char* nonce; 1972 const char* plaintext; 1973 const char* ciphertext; 1974}; 1975 1976// These test vectors are taken from 1977// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 1978static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 1979 // AES-128 1980 { 1981 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1982 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 1983 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 1984 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 1985 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 1986 }, 1987 // AES-192 1988 { 1989 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1990 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 1991 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 1992 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 1993 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 1994 }, 1995 // AES-256 1996 { 1997 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 1998 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 1999 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2000 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2001 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2002 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2003 }, 2004}; 2005 2006TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2007 for (size_t i = 0; i < 3; i++) { 2008 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2009 const string key = hex2str(test.key); 2010 const string nonce = hex2str(test.nonce); 2011 const string plaintext = hex2str(test.plaintext); 2012 const string ciphertext = hex2str(test.ciphertext); 2013 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2014 } 2015 2016 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2017} 2018 2019TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2020 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2021 .AesEncryptionKey(128) 2022 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2023 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2024 AuthorizationSet begin_params(client_params()); 2025 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2026 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2027 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2028 2029 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2030} 2031 2032TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2033 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2034 .AesEncryptionKey(128) 2035 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2036 .Authorization(TAG_CALLER_NONCE) 2037 .Padding(KM_PAD_NONE))); 2038 2039 AuthorizationSet input_params(client_params()); 2040 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2041 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2042 input_params.push_back(TAG_NONCE, "123", 3); 2043 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2044 2045 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2046} 2047 2048TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2049 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2050 .AesEncryptionKey(128) 2051 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2052 .Padding(KM_PAD_NONE))); 2053 // Two-block message. 2054 string message = "12345678901234567890123456789012"; 2055 string iv1; 2056 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2057 EXPECT_EQ(message.size(), ciphertext1.size()); 2058 2059 string iv2; 2060 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2061 EXPECT_EQ(message.size(), ciphertext2.size()); 2062 2063 // IVs should be random, so ciphertexts should differ. 2064 EXPECT_NE(iv1, iv2); 2065 EXPECT_NE(ciphertext1, ciphertext2); 2066 2067 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2068 EXPECT_EQ(message, plaintext); 2069 2070 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2071} 2072 2073TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2074 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2075 .AesEncryptionKey(128) 2076 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2077 .Authorization(TAG_CALLER_NONCE) 2078 .Padding(KM_PAD_NONE))); 2079 string message = "12345678901234567890123456789012"; 2080 string iv1; 2081 // Don't specify nonce, should get a random one. 2082 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2083 EXPECT_EQ(message.size(), ciphertext1.size()); 2084 EXPECT_EQ(16U, iv1.size()); 2085 2086 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2087 EXPECT_EQ(message, plaintext); 2088 2089 // Now specify a nonce, should also work. 2090 AuthorizationSet input_params(client_params()); 2091 AuthorizationSet update_params; 2092 AuthorizationSet output_params; 2093 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2094 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2095 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2096 string ciphertext2 = 2097 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2098 2099 // Decrypt with correct nonce. 2100 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2101 &output_params); 2102 EXPECT_EQ(message, plaintext); 2103 2104 // Now try with wrong nonce. 2105 input_params.Reinitialize(client_params()); 2106 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2107 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2108 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2109 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2110 &output_params); 2111 EXPECT_NE(message, plaintext); 2112 2113 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2114} 2115 2116TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2117 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2118 .AesEncryptionKey(128) 2119 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2120 .Padding(KM_PAD_NONE))); 2121 2122 string message = "12345678901234567890123456789012"; 2123 string iv1; 2124 // Don't specify nonce, should get a random one. 2125 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2126 EXPECT_EQ(message.size(), ciphertext1.size()); 2127 EXPECT_EQ(16U, iv1.size()); 2128 2129 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2130 EXPECT_EQ(message, plaintext); 2131 2132 // Now specify a nonce, should fail. 2133 AuthorizationSet input_params(client_params()); 2134 AuthorizationSet update_params; 2135 AuthorizationSet output_params; 2136 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2137 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2138 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2139 2140 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2141 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2142 2143 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2144} 2145 2146TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2147 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2148 .AesEncryptionKey(128) 2149 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2150 .Padding(KM_PAD_NONE))); 2151 2152 int increment = 15; 2153 string message(240, 'a'); 2154 AuthorizationSet input_params(client_params()); 2155 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2156 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2157 AuthorizationSet output_params; 2158 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2159 2160 string ciphertext; 2161 size_t input_consumed; 2162 for (size_t i = 0; i < message.size(); i += increment) 2163 EXPECT_EQ(KM_ERROR_OK, 2164 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2165 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2166 EXPECT_EQ(message.size(), ciphertext.size()); 2167 2168 // Move TAG_NONCE into input_params 2169 input_params.Reinitialize(output_params); 2170 input_params.push_back(client_params()); 2171 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2172 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2173 output_params.Clear(); 2174 2175 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2176 string plaintext; 2177 for (size_t i = 0; i < ciphertext.size(); i += increment) 2178 EXPECT_EQ(KM_ERROR_OK, 2179 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2180 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2181 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2182 EXPECT_EQ(message, plaintext); 2183 2184 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2185} 2186 2187TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2188 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2189 .AesEncryptionKey(128) 2190 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2191 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2192 2193 // Try various message lengths; all should work. 2194 for (size_t i = 0; i < 32; ++i) { 2195 string message(i, 'a'); 2196 string iv; 2197 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2198 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2199 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2200 EXPECT_EQ(message, plaintext); 2201 } 2202 2203 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2204} 2205 2206TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2207 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2208 .AesEncryptionKey(128) 2209 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2210 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2211 string aad = "foobar"; 2212 string message = "123456789012345678901234567890123456"; 2213 AuthorizationSet begin_params(client_params()); 2214 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2215 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2216 begin_params.push_back(TAG_MAC_LENGTH, 128); 2217 AuthorizationSet begin_out_params; 2218 2219 AuthorizationSet update_params; 2220 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2221 AuthorizationSet update_out_params; 2222 2223 AuthorizationSet finish_params; 2224 AuthorizationSet finish_out_params; 2225 2226 string ciphertext; 2227 string discard; 2228 string plaintext; 2229 2230 size_t input_consumed; 2231 2232 // Encrypt 2233 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2234 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2235 &input_consumed)); 2236 EXPECT_EQ(message.size(), input_consumed); 2237 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2238 2239 // Grab nonce & tag. 2240 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2241 EXPECT_NE(-1, finish_out_params.find(TAG_AEAD_TAG)); 2242 begin_params.push_back(begin_out_params); 2243 update_params.push_back(finish_out_params); 2244 2245 // Decrypt. 2246 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2247 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2248 &plaintext, &input_consumed)); 2249 EXPECT_EQ(ciphertext.size(), input_consumed); 2250 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&discard)); 2251 2252 EXPECT_EQ(message, plaintext); 2253 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2254} 2255 2256TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 2257 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2258 .AesEncryptionKey(128) 2259 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2260 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2261 string message = "123456789012345678901234567890123456"; 2262 AuthorizationSet begin_params(client_params()); 2263 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2264 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2265 begin_params.push_back(TAG_MAC_LENGTH, 128); 2266 AuthorizationSet begin_out_params; 2267 2268 AuthorizationSet update_params; 2269 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 2270 AuthorizationSet update_out_params; 2271 2272 AuthorizationSet finish_params; 2273 AuthorizationSet finish_out_params; 2274 2275 string ciphertext; 2276 string discard; 2277 string plaintext; 2278 2279 size_t input_consumed; 2280 2281 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2282 2283 // No data, AAD only. 2284 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2285 &input_consumed)); 2286 2287 // AAD and data. 2288 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2289 &input_consumed)); 2290 EXPECT_EQ(message.size(), input_consumed); 2291 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2292 2293 // Grab nonce & tag. 2294 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2295 begin_params.push_back(begin_out_params); 2296 2297 EXPECT_NE(-1, finish_out_params.find(TAG_AEAD_TAG)); 2298 update_params.push_back(finish_out_params); 2299 2300 // All of the AAD in one. 2301 2302 // Decrypt. 2303 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2304 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2305 &input_consumed)); 2306 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2307 &plaintext, &input_consumed)); 2308 EXPECT_EQ(ciphertext.size(), input_consumed); 2309 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&discard)); 2310 2311 EXPECT_EQ(message, plaintext); 2312 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2313} 2314 2315TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 2316 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2317 .AesEncryptionKey(128) 2318 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2319 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2320 string aad = "foobar"; 2321 string message = "12345678901234567890123456789012"; 2322 AuthorizationSet begin_params(client_params()); 2323 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2324 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2325 begin_params.push_back(TAG_MAC_LENGTH, 128); 2326 AuthorizationSet begin_out_params; 2327 2328 AuthorizationSet update_params; 2329 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2330 AuthorizationSet update_out_params; 2331 2332 AuthorizationSet finish_params; 2333 AuthorizationSet finish_out_params; 2334 2335 string ciphertext; 2336 string discard; 2337 string plaintext; 2338 2339 size_t input_consumed; 2340 2341 // Encrypt 2342 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2343 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2344 &input_consumed)); 2345 EXPECT_EQ(message.size(), input_consumed); 2346 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2347 2348 // Grab nonce & tag. 2349 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2350 EXPECT_NE(-1, finish_out_params.find(TAG_AEAD_TAG)); 2351 begin_params.push_back(begin_out_params); 2352 update_params.Clear(); 2353 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 2354 update_params.push_back(finish_out_params); 2355 2356 // Decrypt. 2357 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2358 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2359 &plaintext, &input_consumed)); 2360 EXPECT_EQ(ciphertext.size(), input_consumed); 2361 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&discard)); 2362 2363 EXPECT_EQ(message, plaintext); 2364 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2365} 2366 2367TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 2368 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2369 .AesEncryptionKey(128) 2370 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2371 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2372 string aad = "foobar"; 2373 string message = "12345678901234567890123456789012"; 2374 AuthorizationSet begin_params(client_params()); 2375 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2376 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2377 begin_params.push_back(TAG_MAC_LENGTH, 128); 2378 AuthorizationSet begin_out_params; 2379 2380 AuthorizationSet update_params; 2381 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2382 AuthorizationSet update_out_params; 2383 2384 AuthorizationSet finish_params; 2385 AuthorizationSet finish_out_params; 2386 2387 string ciphertext; 2388 string discard; 2389 string plaintext; 2390 2391 size_t input_consumed; 2392 2393 // Encrypt 2394 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2395 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2396 &input_consumed)); 2397 EXPECT_EQ(message.size(), input_consumed); 2398 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2399 2400 EXPECT_NE(-1, finish_out_params.find(TAG_AEAD_TAG)); 2401 update_params.push_back(finish_out_params); 2402 begin_params.push_back(TAG_NONCE, "123456789012", 12); 2403 2404 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2405 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2406 &plaintext, &input_consumed)); 2407 EXPECT_EQ(ciphertext.size(), input_consumed); 2408 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&discard)); 2409 2410 // With wrong nonce, should have gotten garbage plaintext. 2411 EXPECT_NE(message, plaintext); 2412 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2413} 2414 2415TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 2416 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2417 .AesEncryptionKey(128) 2418 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2419 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2420 string aad = "foobar"; 2421 string message = "123456789012345678901234567890123456"; 2422 AuthorizationSet begin_params(client_params()); 2423 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2424 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2425 begin_params.push_back(TAG_MAC_LENGTH, 128); 2426 AuthorizationSet begin_out_params; 2427 2428 AuthorizationSet update_params; 2429 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2430 AuthorizationSet update_out_params; 2431 2432 AuthorizationSet finish_params; 2433 AuthorizationSet finish_out_params; 2434 2435 string ciphertext; 2436 string discard; 2437 string plaintext; 2438 2439 size_t input_consumed; 2440 2441 // Encrypt 2442 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2443 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2444 &input_consumed)); 2445 EXPECT_EQ(message.size(), input_consumed); 2446 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2447 2448 // Grab nonce & tag; corrupt tag. 2449 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2450 begin_params.push_back(begin_out_params); 2451 keymaster_blob_t tag; 2452 EXPECT_TRUE(finish_out_params.GetTagValue(TAG_AEAD_TAG, &tag)); 2453 const_cast<uint8_t*>(tag.data)[tag.data_length / 2]++; 2454 update_params.push_back(TAG_AEAD_TAG, tag); 2455 2456 // Decrypt. 2457 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2458 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2459 &plaintext, &input_consumed)); 2460 EXPECT_EQ(ciphertext.size(), input_consumed); 2461 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&discard)); 2462 2463 EXPECT_EQ(message, plaintext); 2464 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2465} 2466 2467TEST_P(EncryptionOperationsTest, AesGcmShortTag) { 2468 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2469 .AesEncryptionKey(128) 2470 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2471 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2472 string aad = "foobar"; 2473 string message = "123456789012345678901234567890123456"; 2474 AuthorizationSet begin_params(client_params()); 2475 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2476 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2477 begin_params.push_back(TAG_MAC_LENGTH, 128); 2478 AuthorizationSet begin_out_params; 2479 2480 AuthorizationSet update_params; 2481 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2482 AuthorizationSet update_out_params; 2483 2484 AuthorizationSet finish_params; 2485 AuthorizationSet finish_out_params; 2486 2487 string ciphertext; 2488 string discard; 2489 string plaintext; 2490 2491 size_t input_consumed; 2492 2493 // Encrypt 2494 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2495 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2496 &input_consumed)); 2497 EXPECT_EQ(message.size(), input_consumed); 2498 EXPECT_EQ(KM_ERROR_OK, FinishOperation(finish_params, "", &finish_out_params, &discard)); 2499 2500 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2501 begin_params.push_back(begin_out_params); 2502 keymaster_blob_t tag; 2503 EXPECT_TRUE(finish_out_params.GetTagValue(TAG_AEAD_TAG, &tag)); 2504 tag.data_length = 11; 2505 update_params.push_back(TAG_AEAD_TAG, tag); 2506 2507 // Decrypt. 2508 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 2509 EXPECT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 2510 UpdateOperation(update_params, ciphertext, &update_out_params, &plaintext, 2511 &input_consumed)); 2512 2513 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2514} 2515 2516typedef Keymaster1Test AddEntropyTest; 2517INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 2518 2519TEST_P(AddEntropyTest, AddEntropy) { 2520 // There's no obvious way to test that entropy is actually added, but we can test that the API 2521 // doesn't blow up or return an error. 2522 EXPECT_EQ(KM_ERROR_OK, 2523 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 2524 2525 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2526} 2527 2528typedef Keymaster1Test Keymaster0AdapterTest; 2529INSTANTIATE_TEST_CASE_P( 2530 AndroidKeymasterTest, Keymaster0AdapterTest, 2531 ::testing::Values( 2532 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 2533 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); 2534 2535TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { 2536 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 2537 // key data. 2538 string km1_sw = read_file("km1_sw_rsa_512.blob"); 2539 EXPECT_EQ(486U, km1_sw.length()); 2540 2541 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 2542 memcpy(key_data, km1_sw.data(), km1_sw.length()); 2543 set_key_blob(key_data, km1_sw.length()); 2544 2545 string message(64, 'a'); 2546 string signature; 2547 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2548 2549 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2550} 2551 2552TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { 2553 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 2554 // key data. 2555 string km1_sw = read_file("km1_sw_ecdsa_256.blob"); 2556 EXPECT_EQ(270U, km1_sw.length()); 2557 2558 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 2559 memcpy(key_data, km1_sw.data(), km1_sw.length()); 2560 set_key_blob(key_data, km1_sw.length()); 2561 2562 string message(64, 'a'); 2563 string signature; 2564 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2565 2566 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2567} 2568 2569struct Malloc_Delete { 2570 void operator()(void* p) { free(p); } 2571}; 2572 2573TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { 2574 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 2575 string km0_sw = read_file("km0_sw_rsa_512.blob"); 2576 EXPECT_EQ(333U, km0_sw.length()); 2577 2578 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 2579 memcpy(key_data, km0_sw.data(), km0_sw.length()); 2580 set_key_blob(key_data, km0_sw.length()); 2581 2582 string message(64, 'a'); 2583 string signature; 2584 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2585 2586 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2587} 2588 2589TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { 2590 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 2591 string km0_sw = read_file("km0_sw_rsa_512.blob"); 2592 EXPECT_EQ(333U, km0_sw.length()); 2593 2594 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 2595 memcpy(key_data, km0_sw.data(), km0_sw.length()); 2596 set_key_blob(key_data, km0_sw.length()); 2597 2598 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 2599 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 2600 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 2601 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 2602 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 2603 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 2604 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 2605 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 2606 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 2607 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 2608 2609 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2610} 2611 2612TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { 2613 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 2614 string km0_sw = read_file("km0_sw_rsa_512.blob"); 2615 EXPECT_EQ(333U, km0_sw.length()); 2616 2617 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 2618 // be recognized as a software key. Do the same here to pretend this is a hardware key. 2619 EXPECT_EQ('P', km0_sw[0]); 2620 km0_sw[0] = 'Q'; 2621 2622 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 2623 memcpy(key_data, km0_sw.data(), km0_sw.length()); 2624 set_key_blob(key_data, km0_sw.length()); 2625 2626 string message(64, 'a'); 2627 string signature; 2628 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 2629 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 2630 2631 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 2632} 2633 2634TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { 2635 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 2636 string km0_sw = read_file("km0_sw_rsa_512.blob"); 2637 EXPECT_EQ(333U, km0_sw.length()); 2638 2639 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 2640 // be recognized as a software key. Do the same here to pretend this is a hardware key. 2641 EXPECT_EQ('P', km0_sw[0]); 2642 km0_sw[0] = 'Q'; 2643 2644 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 2645 memcpy(key_data, km0_sw.data(), km0_sw.length()); 2646 set_key_blob(key_data, km0_sw.length()); 2647 2648 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 2649 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 2650 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); 2651 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 2652 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 2653 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); 2654 EXPECT_EQ(5U, hw_enforced().size()); 2655 2656 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 2657 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 2658 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 2659 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 2660 2661 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 2662 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 2663 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 2664 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 2665 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 2666 2667 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 2668} 2669 2670} // namespace test 2671} // namespace keymaster 2672