1 /*
2  * Copyright 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "android_keymaster_test_utils.h"
18 
19 #include <algorithm>
20 
21 #include <openssl/rand.h>
22 
23 #include <keymaster/android_keymaster_messages.h>
24 #include <keymaster/android_keymaster_utils.h>
25 
26 using std::copy_if;
27 using std::find_if;
28 using std::is_permutation;
29 using std::ostream;
30 using std::string;
31 using std::vector;
32 
33 #ifndef KEYMASTER_NAME_TAGS
34 #error Keymaster test code requires that KEYMASTER_NAME_TAGS is defined
35 #endif
36 
operator <<(std::ostream & os,const keymaster_key_param_t & param)37 std::ostream& operator<<(std::ostream& os, const keymaster_key_param_t& param) {
38     os << "Tag: " << keymaster::StringifyTag(param.tag);
39     switch (keymaster_tag_get_type(param.tag)) {
40     case KM_INVALID:
41         os << " Invalid";
42         break;
43     case KM_UINT_REP:
44         os << " (Rep)";
45         /* Falls through */
46         [[fallthrough]];
47     case KM_UINT:
48         os << " Int: " << param.integer;
49         break;
50     case KM_ENUM_REP:
51         os << " (Rep)";
52         /* Falls through */
53         [[fallthrough]];
54     case KM_ENUM:
55         os << " Enum: " << param.enumerated;
56         break;
57     case KM_ULONG_REP:
58         os << " (Rep)";
59         /* Falls through */
60         [[fallthrough]];
61     case KM_ULONG:
62         os << " Long: " << param.long_integer;
63         break;
64     case KM_DATE:
65         os << " Date: " << param.date_time;
66         break;
67     case KM_BOOL:
68         os << " Bool: " << param.boolean;
69         break;
70     case KM_BIGNUM:
71         os << " Bignum: ";
72         if (!param.blob.data)
73             os << "(null)";
74         else
75             for (size_t i = 0; i < param.blob.data_length; ++i)
76                 os << std::hex << std::setw(2) << static_cast<int>(param.blob.data[i]) << std::dec;
77         break;
78     case KM_BYTES:
79         os << " Bytes: ";
80         if (!param.blob.data)
81             os << "(null)";
82         else
83             for (size_t i = 0; i < param.blob.data_length; ++i)
84                 os << std::hex << std::setw(2) << static_cast<int>(param.blob.data[i]) << std::dec;
85         break;
86     }
87     return os;
88 }
89 
operator ==(const keymaster_key_param_t & a,const keymaster_key_param_t & b)90 bool operator==(const keymaster_key_param_t& a, const keymaster_key_param_t& b) {
91     if (a.tag != b.tag) {
92         return false;
93     }
94 
95     switch (keymaster_tag_get_type(a.tag)) {
96     case KM_INVALID:
97         return true;
98     case KM_UINT_REP:
99     case KM_UINT:
100         return a.integer == b.integer;
101     case KM_ENUM_REP:
102     case KM_ENUM:
103         return a.enumerated == b.enumerated;
104     case KM_ULONG:
105     case KM_ULONG_REP:
106         return a.long_integer == b.long_integer;
107     case KM_DATE:
108         return a.date_time == b.date_time;
109     case KM_BOOL:
110         return a.boolean == b.boolean;
111     case KM_BIGNUM:
112     case KM_BYTES:
113         if ((a.blob.data == nullptr || b.blob.data == nullptr) && a.blob.data != b.blob.data)
114             return false;
115         return a.blob.data_length == b.blob.data_length &&
116                (memcmp(a.blob.data, b.blob.data, a.blob.data_length) == 0);
117     }
118 
119     return false;
120 }
121 
122 static char hex_value[256] = {
123     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
124     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
125     0, 1,  2,  3,  4,  5,  6,  7, 8, 9, 0, 0, 0, 0, 0, 0,  // '0'..'9'
126     0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 'A'..'F'
127     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0,
128     0, 0,  0,  0,  0,  0,  0,  0,  // 'a'..'f'
129     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
130     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
131     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
132     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
133     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0,
134     0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  0,  0,  0,  0,  0,  0};
135 
hex2str(string a)136 string hex2str(string a) {
137     string b;
138     size_t num = a.size() / 2;
139     b.resize(num);
140     for (size_t i = 0; i < num; i++) {
141         b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
142     }
143     return b;
144 }
145 
146 namespace keymaster {
147 
operator ==(const AuthorizationSet & a,const AuthorizationSet & b)148 bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
149     if (a.size() != b.size()) return false;
150 
151     for (size_t i = 0; i < a.size(); ++i)
152         if (!(a[i] == b[i])) return false;
153     return true;
154 }
155 
operator !=(const AuthorizationSet & a,const AuthorizationSet & b)156 bool operator!=(const AuthorizationSet& a, const AuthorizationSet& b) {
157     return !(a == b);
158 }
159 
operator <<(std::ostream & os,const AuthorizationSet & set)160 std::ostream& operator<<(std::ostream& os, const AuthorizationSet& set) {
161     if (set.size() == 0)
162         os << "(Empty)" << std::endl;
163     else {
164         os << "\n";
165         for (size_t i = 0; i < set.size(); ++i)
166             os << set[i] << std::endl;
167     }
168     return os;
169 }
170 
171 namespace test {
172 
operator <<(std::ostream & os,const InstanceCreatorPtr & instance_creator)173 std::ostream& operator<<(std::ostream& os, const InstanceCreatorPtr& instance_creator) {
174     return os << instance_creator->name();
175 }
176 
Keymaster2Test()177 Keymaster2Test::Keymaster2Test() : op_handle_(OP_HANDLE_SENTINEL) {
178     memset(&characteristics_, 0, sizeof(characteristics_));
179     blob_.key_material = nullptr;
180     RAND_seed("foobar", 6);
181     blob_.key_material = 0;
182     device_ = GetParam()->CreateDevice();
183 }
184 
~Keymaster2Test()185 Keymaster2Test::~Keymaster2Test() {
186     FreeCharacteristics();
187     FreeKeyBlob();
188     device_->common.close(reinterpret_cast<hw_device_t*>(device_));
189 }
190 
device()191 keymaster2_device_t* Keymaster2Test::device() {
192     return device_;
193 }
194 
GenerateKey(const AuthorizationSetBuilder & builder)195 keymaster_error_t Keymaster2Test::GenerateKey(const AuthorizationSetBuilder& builder) {
196     AuthorizationSet params(builder.build());
197     params.push_back(UserAuthParams());
198     params.push_back(ClientParams());
199 
200     FreeKeyBlob();
201     FreeCharacteristics();
202     return device()->generate_key(device(), &params, &blob_, &characteristics_);
203 }
204 
DeleteKey()205 keymaster_error_t Keymaster2Test::DeleteKey() {
206     return device()->delete_key(device(), &blob_);
207 }
208 
ImportKey(const AuthorizationSetBuilder & builder,keymaster_key_format_t format,const string & key_material)209 keymaster_error_t Keymaster2Test::ImportKey(const AuthorizationSetBuilder& builder,
210                                             keymaster_key_format_t format,
211                                             const string& key_material) {
212     AuthorizationSet params(builder.build());
213     params.push_back(UserAuthParams());
214     params.push_back(ClientParams());
215 
216     FreeKeyBlob();
217     FreeCharacteristics();
218     keymaster_blob_t key = {reinterpret_cast<const uint8_t*>(key_material.c_str()),
219                             key_material.length()};
220     return device()->import_key(device(), &params, format, &key, &blob_, &characteristics_);
221 }
222 
UserAuthParams()223 AuthorizationSet Keymaster2Test::UserAuthParams() {
224     AuthorizationSet set;
225     set.push_back(TAG_USER_ID, 7);
226     set.push_back(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD);
227     set.push_back(TAG_AUTH_TIMEOUT, 300);
228     return set;
229 }
230 
ClientParams()231 AuthorizationSet Keymaster2Test::ClientParams() {
232     AuthorizationSet set;
233     set.push_back(TAG_APPLICATION_ID, "app_id", 6);
234     return set;
235 }
236 
BeginOperation(keymaster_purpose_t purpose)237 keymaster_error_t Keymaster2Test::BeginOperation(keymaster_purpose_t purpose) {
238     AuthorizationSet in_params(client_params());
239     keymaster_key_param_set_t out_params;
240     keymaster_error_t error =
241         device()->begin(device(), purpose, &blob_, &in_params, &out_params, &op_handle_);
242     EXPECT_EQ(0U, out_params.length);
243     EXPECT_TRUE(out_params.params == nullptr);
244     return error;
245 }
246 
BeginOperation(keymaster_purpose_t purpose,const AuthorizationSet & input_set,AuthorizationSet * output_set)247 keymaster_error_t Keymaster2Test::BeginOperation(keymaster_purpose_t purpose,
248                                                  const AuthorizationSet& input_set,
249                                                  AuthorizationSet* output_set) {
250     keymaster_key_param_set_t out_params;
251     keymaster_error_t error =
252         device()->begin(device(), purpose, &blob_, &input_set, &out_params, &op_handle_);
253     if (error == KM_ERROR_OK) {
254         if (output_set) {
255             output_set->Reinitialize(out_params);
256         } else {
257             EXPECT_EQ(0U, out_params.length);
258             EXPECT_TRUE(out_params.params == nullptr);
259         }
260         keymaster_free_param_set(&out_params);
261     }
262     return error;
263 }
264 
UpdateOperation(const string & message,string * output,size_t * input_consumed)265 keymaster_error_t Keymaster2Test::UpdateOperation(const string& message, string* output,
266                                                   size_t* input_consumed) {
267     EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
268     keymaster_blob_t input = {reinterpret_cast<const uint8_t*>(message.c_str()), message.length()};
269     keymaster_blob_t out_tmp;
270     keymaster_key_param_set_t out_params;
271     keymaster_error_t error = device()->update(device(), op_handle_, nullptr /* params */, &input,
272                                                input_consumed, &out_params, &out_tmp);
273     if (error == KM_ERROR_OK && out_tmp.data)
274         output->append(reinterpret_cast<const char*>(out_tmp.data), out_tmp.data_length);
275     free(const_cast<uint8_t*>(out_tmp.data));
276     return error;
277 }
278 
UpdateOperation(const AuthorizationSet & additional_params,const string & message,AuthorizationSet * output_params,string * output,size_t * input_consumed)279 keymaster_error_t Keymaster2Test::UpdateOperation(const AuthorizationSet& additional_params,
280                                                   const string& message,
281                                                   AuthorizationSet* output_params, string* output,
282                                                   size_t* input_consumed) {
283     EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
284     keymaster_blob_t input = {reinterpret_cast<const uint8_t*>(message.c_str()), message.length()};
285     keymaster_blob_t out_tmp;
286     keymaster_key_param_set_t out_params;
287     keymaster_error_t error = device()->update(device(), op_handle_, &additional_params, &input,
288                                                input_consumed, &out_params, &out_tmp);
289     if (error == KM_ERROR_OK && out_tmp.data)
290         output->append(reinterpret_cast<const char*>(out_tmp.data), out_tmp.data_length);
291     free((void*)out_tmp.data);
292     if (output_params) output_params->Reinitialize(out_params);
293     keymaster_free_param_set(&out_params);
294     return error;
295 }
296 
FinishOperation(string * output)297 keymaster_error_t Keymaster2Test::FinishOperation(string* output) {
298     return FinishOperation("", "", output);
299 }
300 
FinishOperation(const string & input,const string & signature,string * output)301 keymaster_error_t Keymaster2Test::FinishOperation(const string& input, const string& signature,
302                                                   string* output) {
303     AuthorizationSet additional_params;
304     AuthorizationSet output_params;
305     return FinishOperation(additional_params, input, signature, &output_params, output);
306 }
307 
FinishOperation(const AuthorizationSet & additional_params,const string & input,const string & signature,AuthorizationSet * output_params,string * output)308 keymaster_error_t Keymaster2Test::FinishOperation(const AuthorizationSet& additional_params,
309                                                   const string& input, const string& signature,
310                                                   AuthorizationSet* output_params, string* output) {
311     keymaster_blob_t inp = {reinterpret_cast<const uint8_t*>(input.c_str()), input.length()};
312     keymaster_blob_t sig = {reinterpret_cast<const uint8_t*>(signature.c_str()),
313                             signature.length()};
314     keymaster_blob_t out_tmp;
315     keymaster_key_param_set_t out_params;
316     keymaster_error_t error = device()->finish(device(), op_handle_, &additional_params, &inp, &sig,
317                                                &out_params, &out_tmp);
318     if (error != KM_ERROR_OK) {
319         EXPECT_TRUE(out_tmp.data == nullptr);
320         EXPECT_TRUE(out_params.params == nullptr);
321         return error;
322     }
323 
324     if (out_tmp.data)
325         output->append(reinterpret_cast<const char*>(out_tmp.data), out_tmp.data_length);
326     free((void*)out_tmp.data);
327     if (output_params) output_params->Reinitialize(out_params);
328     keymaster_free_param_set(&out_params);
329     return error;
330 }
331 
AbortOperation()332 keymaster_error_t Keymaster2Test::AbortOperation() {
333     return device()->abort(device(), op_handle_);
334 }
335 
AttestKey(const string & attest_challenge,const string & attest_app_id,keymaster_cert_chain_t * cert_chain)336 keymaster_error_t Keymaster2Test::AttestKey(const string& attest_challenge,
337                                             const string& attest_app_id,
338                                             keymaster_cert_chain_t* cert_chain) {
339     AuthorizationSet attest_params;
340     attest_params.push_back(UserAuthParams());
341     attest_params.push_back(ClientParams());
342     attest_params.push_back(TAG_ATTESTATION_CHALLENGE, attest_challenge.data(),
343                             attest_challenge.length());
344     attest_params.push_back(TAG_ATTESTATION_APPLICATION_ID, attest_app_id.data(),
345                             attest_app_id.length());
346     return device()->attest_key(device(), &blob_, &attest_params, cert_chain);
347 }
348 
UpgradeKey(const AuthorizationSet & upgrade_params)349 keymaster_error_t Keymaster2Test::UpgradeKey(const AuthorizationSet& upgrade_params) {
350     keymaster_key_blob_t upgraded_blob;
351     keymaster_error_t error =
352         device()->upgrade_key(device(), &blob_, &upgrade_params, &upgraded_blob);
353     if (error == KM_ERROR_OK) {
354         FreeKeyBlob();
355         blob_ = upgraded_blob;
356     }
357     return error;
358 }
359 
ProcessMessage(keymaster_purpose_t purpose,const string & message)360 string Keymaster2Test::ProcessMessage(keymaster_purpose_t purpose, const string& message) {
361     EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, client_params(), nullptr /* output_params */));
362 
363     string result;
364     EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, "" /* signature */, &result));
365     return result;
366 }
367 
ProcessMessage(keymaster_purpose_t purpose,const string & message,const AuthorizationSet & begin_params,const AuthorizationSet & update_params,AuthorizationSet * begin_out_params)368 string Keymaster2Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
369                                       const AuthorizationSet& begin_params,
370                                       const AuthorizationSet& update_params,
371                                       AuthorizationSet* begin_out_params) {
372     EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params, begin_out_params));
373 
374     string result;
375     EXPECT_EQ(KM_ERROR_OK, FinishOperation(update_params, message, "" /* signature */, &result));
376     return result;
377 }
378 
ProcessMessage(keymaster_purpose_t purpose,const string & message,const string & signature,const AuthorizationSet & begin_params,const AuthorizationSet & update_params,AuthorizationSet * output_params)379 string Keymaster2Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
380                                       const string& signature, const AuthorizationSet& begin_params,
381                                       const AuthorizationSet& update_params,
382                                       AuthorizationSet* output_params) {
383     EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params, output_params));
384 
385     string result;
386     EXPECT_EQ(KM_ERROR_OK, FinishOperation(update_params, message, signature, &result));
387     return result;
388 }
389 
ProcessMessage(keymaster_purpose_t purpose,const string & message,const string & signature)390 string Keymaster2Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
391                                       const string& signature) {
392     EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, client_params(), nullptr /* output_params */));
393 
394     string result;
395     EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, signature, &result));
396     return result;
397 }
398 
SignMessage(const string & message,string * signature,keymaster_digest_t digest)399 void Keymaster2Test::SignMessage(const string& message, string* signature,
400                                  keymaster_digest_t digest) {
401     SCOPED_TRACE("SignMessage");
402     AuthorizationSet input_params(AuthorizationSet(client_params_, array_length(client_params_)));
403     input_params.push_back(TAG_DIGEST, digest);
404     AuthorizationSet update_params;
405     AuthorizationSet output_params;
406     *signature =
407         ProcessMessage(KM_PURPOSE_SIGN, message, input_params, update_params, &output_params);
408     EXPECT_GT(signature->size(), 0U);
409 }
410 
SignMessage(const string & message,string * signature,keymaster_digest_t digest,keymaster_padding_t padding)411 void Keymaster2Test::SignMessage(const string& message, string* signature,
412                                  keymaster_digest_t digest, keymaster_padding_t padding) {
413     SCOPED_TRACE("SignMessage");
414     AuthorizationSet input_params(AuthorizationSet(client_params_, array_length(client_params_)));
415     input_params.push_back(TAG_DIGEST, digest);
416     input_params.push_back(TAG_PADDING, padding);
417     AuthorizationSet update_params;
418     AuthorizationSet output_params;
419     *signature =
420         ProcessMessage(KM_PURPOSE_SIGN, message, input_params, update_params, &output_params);
421     EXPECT_GT(signature->size(), 0U);
422 }
423 
MacMessage(const string & message,string * signature,size_t mac_length)424 void Keymaster2Test::MacMessage(const string& message, string* signature, size_t mac_length) {
425     SCOPED_TRACE("SignMessage");
426     AuthorizationSet input_params(AuthorizationSet(client_params_, array_length(client_params_)));
427     input_params.push_back(TAG_MAC_LENGTH, mac_length);
428     AuthorizationSet update_params;
429     AuthorizationSet output_params;
430     *signature =
431         ProcessMessage(KM_PURPOSE_SIGN, message, input_params, update_params, &output_params);
432     EXPECT_GT(signature->size(), 0U);
433 }
434 
VerifyMessage(const string & message,const string & signature,keymaster_digest_t digest)435 void Keymaster2Test::VerifyMessage(const string& message, const string& signature,
436                                    keymaster_digest_t digest) {
437     SCOPED_TRACE("VerifyMessage");
438     AuthorizationSet input_params(client_params());
439     input_params.push_back(TAG_DIGEST, digest);
440     AuthorizationSet update_params;
441     AuthorizationSet output_params;
442     ProcessMessage(KM_PURPOSE_VERIFY, message, signature, input_params, update_params,
443                    &output_params);
444 }
445 
VerifyMessage(const string & message,const string & signature,keymaster_digest_t digest,keymaster_padding_t padding)446 void Keymaster2Test::VerifyMessage(const string& message, const string& signature,
447                                    keymaster_digest_t digest, keymaster_padding_t padding) {
448     SCOPED_TRACE("VerifyMessage");
449     AuthorizationSet input_params(client_params());
450     input_params.push_back(TAG_DIGEST, digest);
451     input_params.push_back(TAG_PADDING, padding);
452     AuthorizationSet update_params;
453     AuthorizationSet output_params;
454     ProcessMessage(KM_PURPOSE_VERIFY, message, signature, input_params, update_params,
455                    &output_params);
456 }
457 
VerifyMac(const string & message,const string & signature)458 void Keymaster2Test::VerifyMac(const string& message, const string& signature) {
459     SCOPED_TRACE("VerifyMac");
460     ProcessMessage(KM_PURPOSE_VERIFY, message, signature);
461 }
462 
EncryptMessage(const string & message,keymaster_padding_t padding,string * generated_nonce)463 string Keymaster2Test::EncryptMessage(const string& message, keymaster_padding_t padding,
464                                       string* generated_nonce) {
465     SCOPED_TRACE("EncryptMessage");
466     AuthorizationSet begin_params(client_params()), output_params;
467     begin_params.push_back(TAG_PADDING, padding);
468     AuthorizationSet update_params;
469     string ciphertext =
470         ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
471     if (generated_nonce) {
472         keymaster_blob_t nonce_blob;
473         EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
474         *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
475     } else {
476         EXPECT_EQ(-1, output_params.find(TAG_NONCE));
477     }
478     return ciphertext;
479 }
480 
EncryptMessage(const string & message,keymaster_digest_t digest,keymaster_padding_t padding,string * generated_nonce)481 string Keymaster2Test::EncryptMessage(const string& message, keymaster_digest_t digest,
482                                       keymaster_padding_t padding, string* generated_nonce) {
483     AuthorizationSet update_params;
484     return EncryptMessage(update_params, message, digest, padding, generated_nonce);
485 }
486 
EncryptMessage(const string & message,keymaster_digest_t digest,keymaster_digest_t mgf_digest,keymaster_padding_t padding,string * generated_nonce)487 string Keymaster2Test::EncryptMessage(const string& message, keymaster_digest_t digest,
488                                       keymaster_digest_t mgf_digest, keymaster_padding_t padding,
489                                       string* generated_nonce) {
490     AuthorizationSet update_params;
491     return EncryptMessage(update_params, message, digest, mgf_digest, padding, generated_nonce);
492 }
493 
EncryptMessage(const string & message,keymaster_block_mode_t block_mode,keymaster_padding_t padding,string * generated_nonce)494 string Keymaster2Test::EncryptMessage(const string& message, keymaster_block_mode_t block_mode,
495                                       keymaster_padding_t padding, string* generated_nonce) {
496     AuthorizationSet update_params;
497     return EncryptMessage(update_params, message, block_mode, padding, generated_nonce);
498 }
499 
EncryptMessage(const AuthorizationSet & update_params,const string & message,keymaster_digest_t digest,keymaster_digest_t mgf_digest,keymaster_padding_t padding,string * generated_nonce)500 string Keymaster2Test::EncryptMessage(const AuthorizationSet& update_params, const string& message,
501                                       keymaster_digest_t digest, keymaster_digest_t mgf_digest,
502                                       keymaster_padding_t padding, string* generated_nonce) {
503     SCOPED_TRACE("EncryptMessage");
504     AuthorizationSet begin_params(client_params()), output_params;
505     begin_params.push_back(TAG_PADDING, padding);
506     begin_params.push_back(TAG_DIGEST, digest);
507     begin_params.push_back(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest);
508     string ciphertext =
509         ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
510     if (generated_nonce) {
511         keymaster_blob_t nonce_blob;
512         EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
513         *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
514     } else {
515         EXPECT_EQ(-1, output_params.find(TAG_NONCE));
516     }
517     return ciphertext;
518 }
519 
EncryptMessage(const AuthorizationSet & update_params,const string & message,keymaster_digest_t digest,keymaster_padding_t padding,string * generated_nonce)520 string Keymaster2Test::EncryptMessage(const AuthorizationSet& update_params, const string& message,
521                                       keymaster_digest_t digest, keymaster_padding_t padding,
522                                       string* generated_nonce) {
523     SCOPED_TRACE("EncryptMessage");
524     AuthorizationSet begin_params(client_params()), output_params;
525     begin_params.push_back(TAG_PADDING, padding);
526     begin_params.push_back(TAG_DIGEST, digest);
527     string ciphertext =
528         ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
529     if (generated_nonce) {
530         keymaster_blob_t nonce_blob;
531         EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
532         *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
533     } else {
534         EXPECT_EQ(-1, output_params.find(TAG_NONCE));
535     }
536     return ciphertext;
537 }
538 
EncryptMessage(const AuthorizationSet & update_params,const string & message,keymaster_block_mode_t block_mode,keymaster_padding_t padding,string * generated_nonce)539 string Keymaster2Test::EncryptMessage(const AuthorizationSet& update_params, const string& message,
540                                       keymaster_block_mode_t block_mode,
541                                       keymaster_padding_t padding, string* generated_nonce) {
542     SCOPED_TRACE("EncryptMessage");
543     AuthorizationSet begin_params(client_params()), output_params;
544     begin_params.push_back(TAG_PADDING, padding);
545     begin_params.push_back(TAG_BLOCK_MODE, block_mode);
546     string ciphertext =
547         ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
548     if (generated_nonce) {
549         keymaster_blob_t nonce_blob;
550         EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
551         *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
552     } else {
553         EXPECT_EQ(-1, output_params.find(TAG_NONCE));
554     }
555     return ciphertext;
556 }
557 
EncryptMessageWithParams(const string & message,const AuthorizationSet & begin_params,const AuthorizationSet & update_params,AuthorizationSet * output_params)558 string Keymaster2Test::EncryptMessageWithParams(const string& message,
559                                                 const AuthorizationSet& begin_params,
560                                                 const AuthorizationSet& update_params,
561                                                 AuthorizationSet* output_params) {
562     SCOPED_TRACE("EncryptMessageWithParams");
563     return ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, output_params);
564 }
565 
DecryptMessage(const string & ciphertext,keymaster_padding_t padding)566 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_padding_t padding) {
567     SCOPED_TRACE("DecryptMessage");
568     AuthorizationSet begin_params(client_params());
569     begin_params.push_back(TAG_PADDING, padding);
570     AuthorizationSet update_params;
571     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
572 }
573 
DecryptMessage(const string & ciphertext,keymaster_digest_t digest,keymaster_padding_t padding)574 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_digest_t digest,
575                                       keymaster_padding_t padding) {
576     SCOPED_TRACE("DecryptMessage");
577     AuthorizationSet begin_params(client_params());
578     begin_params.push_back(TAG_PADDING, padding);
579     begin_params.push_back(TAG_DIGEST, digest);
580     AuthorizationSet update_params;
581     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
582 }
583 
DecryptMessage(const string & ciphertext,keymaster_block_mode_t block_mode,keymaster_padding_t padding)584 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_block_mode_t block_mode,
585                                       keymaster_padding_t padding) {
586     SCOPED_TRACE("DecryptMessage");
587     AuthorizationSet begin_params(client_params());
588     begin_params.push_back(TAG_PADDING, padding);
589     begin_params.push_back(TAG_BLOCK_MODE, block_mode);
590     AuthorizationSet update_params;
591     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
592 }
593 
DecryptMessage(const string & ciphertext,keymaster_digest_t digest,keymaster_padding_t padding,const string & nonce)594 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_digest_t digest,
595                                       keymaster_padding_t padding, const string& nonce) {
596     SCOPED_TRACE("DecryptMessage");
597     AuthorizationSet begin_params(client_params());
598     begin_params.push_back(TAG_PADDING, padding);
599     begin_params.push_back(TAG_DIGEST, digest);
600     begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
601     AuthorizationSet update_params;
602     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
603 }
604 
DecryptMessage(const string & ciphertext,keymaster_block_mode_t block_mode,keymaster_padding_t padding,const string & nonce)605 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_block_mode_t block_mode,
606                                       keymaster_padding_t padding, const string& nonce) {
607     SCOPED_TRACE("DecryptMessage");
608     AuthorizationSet begin_params(client_params());
609     begin_params.push_back(TAG_PADDING, padding);
610     begin_params.push_back(TAG_BLOCK_MODE, block_mode);
611     begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
612     AuthorizationSet update_params;
613     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
614 }
615 
DecryptMessage(const string & ciphertext,keymaster_digest_t digest,keymaster_digest_t mgf_digest,keymaster_padding_t padding)616 string Keymaster2Test::DecryptMessage(const string& ciphertext, keymaster_digest_t digest,
617                                       keymaster_digest_t mgf_digest, keymaster_padding_t padding) {
618     SCOPED_TRACE("DecryptMessage");
619     AuthorizationSet begin_params(client_params());
620     begin_params.push_back(TAG_PADDING, padding);
621     begin_params.push_back(TAG_DIGEST, digest);
622     begin_params.push_back(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest);
623     AuthorizationSet update_params;
624     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
625 }
626 
DecryptMessage(const AuthorizationSet & update_params,const string & ciphertext,keymaster_digest_t digest,keymaster_padding_t padding,const string & nonce)627 string Keymaster2Test::DecryptMessage(const AuthorizationSet& update_params,
628                                       const string& ciphertext, keymaster_digest_t digest,
629                                       keymaster_padding_t padding, const string& nonce) {
630     SCOPED_TRACE("DecryptMessage");
631     AuthorizationSet begin_params(client_params());
632     begin_params.push_back(TAG_PADDING, padding);
633     begin_params.push_back(TAG_DIGEST, digest);
634     begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
635     return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
636 }
637 
DecryptMessageWithParams(const string & message,const AuthorizationSet & begin_params,const AuthorizationSet & update_params,AuthorizationSet * output_params)638 string Keymaster2Test::DecryptMessageWithParams(const string& message,
639                                                 const AuthorizationSet& begin_params,
640                                                 const AuthorizationSet& update_params,
641                                                 AuthorizationSet* output_params) {
642     SCOPED_TRACE("DecryptMessageWithParams");
643     return ProcessMessage(KM_PURPOSE_DECRYPT, message, begin_params, update_params, output_params);
644 }
645 
GetCharacteristics()646 keymaster_error_t Keymaster2Test::GetCharacteristics() {
647     FreeCharacteristics();
648     return device()->get_key_characteristics(device(), &blob_, &client_id_, nullptr /* app_data */,
649                                              &characteristics_);
650 }
651 
ExportKey(keymaster_key_format_t format,string * export_data)652 keymaster_error_t Keymaster2Test::ExportKey(keymaster_key_format_t format, string* export_data) {
653     keymaster_blob_t export_tmp;
654     keymaster_error_t error = device()->export_key(device(), format, &blob_, &client_id_,
655                                                    nullptr /* app_data */, &export_tmp);
656 
657     if (error != KM_ERROR_OK) return error;
658 
659     *export_data = string(reinterpret_cast<const char*>(export_tmp.data), export_tmp.data_length);
660     free((void*)export_tmp.data);
661     return error;
662 }
663 
CheckHmacTestVector(const string & key,const string & message,keymaster_digest_t digest,string expected_mac)664 void Keymaster2Test::CheckHmacTestVector(const string& key, const string& message,
665                                          keymaster_digest_t digest, string expected_mac) {
666     ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
667                                          .HmacKey(key.size() * 8)
668                                          .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
669                                          .Digest(digest),
670                                      KM_KEY_FORMAT_RAW, key));
671     string signature;
672     MacMessage(message, &signature, expected_mac.size() * 8);
673     EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << (int)digest;
674 }
675 
CheckAesCtrTestVector(const string & key,const string & nonce,const string & message,const string & expected_ciphertext)676 void Keymaster2Test::CheckAesCtrTestVector(const string& key, const string& nonce,
677                                            const string& message,
678                                            const string& expected_ciphertext) {
679     ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
680                                          .AesEncryptionKey(key.size() * 8)
681                                          .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
682                                          .Authorization(TAG_CALLER_NONCE)
683                                          .Padding(KM_PAD_NONE),
684                                      KM_KEY_FORMAT_RAW, key));
685 
686     AuthorizationSet begin_params(client_params()), update_params, output_params;
687     begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
688     begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
689     begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
690     string ciphertext =
691         EncryptMessageWithParams(message, begin_params, update_params, &output_params);
692     EXPECT_EQ(expected_ciphertext, ciphertext);
693 }
694 
CheckTripleDesTestVector(keymaster_purpose_t purpose,keymaster_block_mode_t block_mode,keymaster_padding_t padding_mode,const string & key,const string & iv,const string & input,const string & expected_output)695 void Keymaster2Test::CheckTripleDesTestVector(keymaster_purpose_t purpose,
696                                               keymaster_block_mode_t block_mode,
697                                               keymaster_padding_t padding_mode, const string& key,
698                                               const string& iv, const string& input,
699                                               const string& expected_output) {
700     auto authset = AuthorizationSetBuilder()
701                        .TripleDesEncryptionKey(key.size() * 7)
702                        .Authorization(TAG_BLOCK_MODE, block_mode)
703                        .Padding(padding_mode);
704     if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
705 
706     ASSERT_EQ(KM_ERROR_OK, ImportKey(authset, KM_KEY_FORMAT_RAW, key));
707 
708     AuthorizationSet begin_params(client_params()), update_params, output_params;
709     if (iv.size()) begin_params.push_back(TAG_NONCE, iv.data(), iv.size());
710     begin_params.push_back(TAG_BLOCK_MODE, block_mode);
711     begin_params.push_back(TAG_PADDING, padding_mode);
712     string output = ProcessMessage(purpose, input, begin_params, update_params, &output_params);
713     EXPECT_EQ(expected_output, output);
714 }
715 
hw_enforced()716 AuthorizationSet Keymaster2Test::hw_enforced() {
717     return AuthorizationSet(characteristics_.hw_enforced);
718 }
719 
sw_enforced()720 AuthorizationSet Keymaster2Test::sw_enforced() {
721     return AuthorizationSet(characteristics_.sw_enforced);
722 }
723 
FreeCharacteristics()724 void Keymaster2Test::FreeCharacteristics() {
725     keymaster_free_characteristics(&characteristics_);
726 }
727 
FreeKeyBlob()728 void Keymaster2Test::FreeKeyBlob() {
729     free(const_cast<uint8_t*>(blob_.key_material));
730     blob_.key_material = nullptr;
731 }
732 
corrupt_key_blob()733 void Keymaster2Test::corrupt_key_blob() {
734     assert(blob_.key_material);
735     uint8_t* tmp = const_cast<uint8_t*>(blob_.key_material);
736     ++tmp[blob_.key_material_size / 2];
737 }
738 
739 class Sha256OnlyWrapper {
740   public:
Sha256OnlyWrapper(const keymaster1_device_t * wrapped_device)741     explicit Sha256OnlyWrapper(const keymaster1_device_t* wrapped_device)
742         : wrapped_device_(wrapped_device) {
743 
744         new_module = *wrapped_device_->common.module;
745         new_module_name = std::string("SHA 256-only ") + wrapped_device_->common.module->name;
746         new_module.name = new_module_name.c_str();
747 
748         memset(&device_, 0, sizeof(device_));
749         device_.common.module = &new_module;
750 
751         device_.common.close = close_device;
752         device_.get_supported_algorithms = get_supported_algorithms;
753         device_.get_supported_block_modes = get_supported_block_modes;
754         device_.get_supported_padding_modes = get_supported_padding_modes;
755         device_.get_supported_digests = get_supported_digests;
756         device_.get_supported_import_formats = get_supported_import_formats;
757         device_.get_supported_export_formats = get_supported_export_formats;
758         device_.add_rng_entropy = add_rng_entropy;
759         device_.generate_key = generate_key;
760         device_.get_key_characteristics = get_key_characteristics;
761         device_.import_key = import_key;
762         device_.export_key = export_key;
763         device_.begin = begin;
764         device_.update = update;
765         device_.finish = finish;
766         device_.abort = abort;
767     }
768 
keymaster_device()769     keymaster1_device_t* keymaster_device() { return &device_; }
770 
is_supported(keymaster_digest_t digest)771     static bool is_supported(keymaster_digest_t digest) {
772         return digest == KM_DIGEST_NONE || digest == KM_DIGEST_SHA_2_256;
773     }
774 
all_digests_supported(const keymaster_key_param_set_t * params)775     static bool all_digests_supported(const keymaster_key_param_set_t* params) {
776         for (size_t i = 0; i < params->length; ++i)
777             if (params->params[i].tag == TAG_DIGEST)
778                 if (!is_supported(static_cast<keymaster_digest_t>(params->params[i].enumerated)))
779                     return false;
780         return true;
781     }
782 
783     static const keymaster_key_param_t*
get_algorithm_param(const keymaster_key_param_set_t * params)784     get_algorithm_param(const keymaster_key_param_set_t* params) {
785         keymaster_key_param_t* end = params->params + params->length;
786         auto alg_ptr = std::find_if(params->params, end, [](keymaster_key_param_t& p) {
787             return p.tag == KM_TAG_ALGORITHM;
788         });
789         if (alg_ptr == end) return nullptr;
790         return alg_ptr;
791     }
792 
close_device(hw_device_t * dev)793     static int close_device(hw_device_t* dev) {
794         Sha256OnlyWrapper* wrapper = reinterpret_cast<Sha256OnlyWrapper*>(dev);
795         const keymaster1_device_t* wrapped_device = wrapper->wrapped_device_;
796         delete wrapper;
797         return wrapped_device->common.close(const_cast<hw_device_t*>(&wrapped_device->common));
798     }
799 
unwrap(const keymaster1_device_t * dev)800     static const keymaster1_device_t* unwrap(const keymaster1_device_t* dev) {
801         return reinterpret_cast<const Sha256OnlyWrapper*>(dev)->wrapped_device_;
802     }
803 
get_supported_algorithms(const struct keymaster1_device * dev,keymaster_algorithm_t ** algorithms,size_t * algorithms_length)804     static keymaster_error_t get_supported_algorithms(const struct keymaster1_device* dev,
805                                                       keymaster_algorithm_t** algorithms,
806                                                       size_t* algorithms_length) {
807         return unwrap(dev)->get_supported_algorithms(unwrap(dev), algorithms, algorithms_length);
808     }
get_supported_block_modes(const struct keymaster1_device * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_block_mode_t ** modes,size_t * modes_length)809     static keymaster_error_t get_supported_block_modes(const struct keymaster1_device* dev,
810                                                        keymaster_algorithm_t algorithm,
811                                                        keymaster_purpose_t purpose,
812                                                        keymaster_block_mode_t** modes,
813                                                        size_t* modes_length) {
814         return unwrap(dev)->get_supported_block_modes(unwrap(dev), algorithm, purpose, modes,
815                                                       modes_length);
816     }
get_supported_padding_modes(const struct keymaster1_device * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_padding_t ** modes,size_t * modes_length)817     static keymaster_error_t get_supported_padding_modes(const struct keymaster1_device* dev,
818                                                          keymaster_algorithm_t algorithm,
819                                                          keymaster_purpose_t purpose,
820                                                          keymaster_padding_t** modes,
821                                                          size_t* modes_length) {
822         return unwrap(dev)->get_supported_padding_modes(unwrap(dev), algorithm, purpose, modes,
823                                                         modes_length);
824     }
825 
get_supported_digests(const keymaster1_device_t * dev,keymaster_algorithm_t algorithm,keymaster_purpose_t purpose,keymaster_digest_t ** digests,size_t * digests_length)826     static keymaster_error_t get_supported_digests(const keymaster1_device_t* dev,
827                                                    keymaster_algorithm_t algorithm,
828                                                    keymaster_purpose_t purpose,
829                                                    keymaster_digest_t** digests,
830                                                    size_t* digests_length) {
831         keymaster_error_t error = unwrap(dev)->get_supported_digests(
832             unwrap(dev), algorithm, purpose, digests, digests_length);
833         if (error != KM_ERROR_OK) return error;
834 
835         std::vector<keymaster_digest_t> filtered_digests;
836         std::copy_if(*digests, *digests + *digests_length, std::back_inserter(filtered_digests),
837                      [](keymaster_digest_t digest) { return is_supported(digest); });
838 
839         free(*digests);
840         *digests_length = filtered_digests.size();
841         *digests = reinterpret_cast<keymaster_digest_t*>(
842             malloc(*digests_length * sizeof(keymaster_digest_t)));
843         std::copy(filtered_digests.begin(), filtered_digests.end(), *digests);
844 
845         return KM_ERROR_OK;
846     }
847 
get_supported_import_formats(const struct keymaster1_device * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)848     static keymaster_error_t get_supported_import_formats(const struct keymaster1_device* dev,
849                                                           keymaster_algorithm_t algorithm,
850                                                           keymaster_key_format_t** formats,
851                                                           size_t* formats_length) {
852         return unwrap(dev)->get_supported_import_formats(unwrap(dev), algorithm, formats,
853                                                          formats_length);
854     }
get_supported_export_formats(const struct keymaster1_device * dev,keymaster_algorithm_t algorithm,keymaster_key_format_t ** formats,size_t * formats_length)855     static keymaster_error_t get_supported_export_formats(const struct keymaster1_device* dev,
856                                                           keymaster_algorithm_t algorithm,
857                                                           keymaster_key_format_t** formats,
858                                                           size_t* formats_length) {
859         return unwrap(dev)->get_supported_export_formats(unwrap(dev), algorithm, formats,
860                                                          formats_length);
861     }
add_rng_entropy(const struct keymaster1_device * dev,const uint8_t * data,size_t data_length)862     static keymaster_error_t add_rng_entropy(const struct keymaster1_device* dev,
863                                              const uint8_t* data, size_t data_length) {
864         return unwrap(dev)->add_rng_entropy(unwrap(dev), data, data_length);
865     }
866 
generate_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)867     static keymaster_error_t generate_key(const keymaster1_device_t* dev,
868                                           const keymaster_key_param_set_t* params,
869                                           keymaster_key_blob_t* key_blob,
870                                           keymaster_key_characteristics_t** characteristics) {
871         auto alg_ptr = get_algorithm_param(params);
872         if (!alg_ptr) return KM_ERROR_UNSUPPORTED_ALGORITHM;
873         if (alg_ptr->enumerated == KM_ALGORITHM_HMAC && !all_digests_supported(params))
874             return KM_ERROR_UNSUPPORTED_DIGEST;
875 
876         return unwrap(dev)->generate_key(unwrap(dev), params, key_blob, characteristics);
877     }
878 
879     static keymaster_error_t
get_key_characteristics(const struct keymaster1_device * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t ** characteristics)880     get_key_characteristics(const struct keymaster1_device* dev,
881                             const keymaster_key_blob_t* key_blob, const keymaster_blob_t* client_id,
882                             const keymaster_blob_t* app_data,
883                             keymaster_key_characteristics_t** characteristics) {
884         return unwrap(dev)->get_key_characteristics(unwrap(dev), key_blob, client_id, app_data,
885                                                     characteristics);
886     }
887 
888     static keymaster_error_t
import_key(const keymaster1_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t ** characteristics)889     import_key(const keymaster1_device_t* dev, const keymaster_key_param_set_t* params,
890                keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
891                keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics) {
892         auto alg_ptr = get_algorithm_param(params);
893         if (!alg_ptr) return KM_ERROR_UNSUPPORTED_ALGORITHM;
894         if (alg_ptr->enumerated == KM_ALGORITHM_HMAC && !all_digests_supported(params))
895             return KM_ERROR_UNSUPPORTED_DIGEST;
896 
897         return unwrap(dev)->import_key(unwrap(dev), params, key_format, key_data, key_blob,
898                                        characteristics);
899     }
900 
export_key(const struct keymaster1_device * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)901     static keymaster_error_t export_key(const struct keymaster1_device* dev,  //
902                                         keymaster_key_format_t export_format,
903                                         const keymaster_key_blob_t* key_to_export,
904                                         const keymaster_blob_t* client_id,
905                                         const keymaster_blob_t* app_data,
906                                         keymaster_blob_t* export_data) {
907         return unwrap(dev)->export_key(unwrap(dev), export_format, key_to_export, client_id,
908                                        app_data, export_data);
909     }
910 
begin(const keymaster1_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)911     static keymaster_error_t begin(const keymaster1_device_t* dev,  //
912                                    keymaster_purpose_t purpose, const keymaster_key_blob_t* key,
913                                    const keymaster_key_param_set_t* in_params,
914                                    keymaster_key_param_set_t* out_params,
915                                    keymaster_operation_handle_t* operation_handle) {
916         if (!all_digests_supported(in_params)) return KM_ERROR_UNSUPPORTED_DIGEST;
917         return unwrap(dev)->begin(unwrap(dev), purpose, key, in_params, out_params,
918                                   operation_handle);
919     }
920 
update(const keymaster1_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)921     static keymaster_error_t update(const keymaster1_device_t* dev,
922                                     keymaster_operation_handle_t operation_handle,
923                                     const keymaster_key_param_set_t* in_params,
924                                     const keymaster_blob_t* input, size_t* input_consumed,
925                                     keymaster_key_param_set_t* out_params,
926                                     keymaster_blob_t* output) {
927         return unwrap(dev)->update(unwrap(dev), operation_handle, in_params, input, input_consumed,
928                                    out_params, output);
929     }
930 
finish(const struct keymaster1_device * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)931     static keymaster_error_t finish(const struct keymaster1_device* dev,  //
932                                     keymaster_operation_handle_t operation_handle,
933                                     const keymaster_key_param_set_t* in_params,
934                                     const keymaster_blob_t* signature,
935                                     keymaster_key_param_set_t* out_params,
936                                     keymaster_blob_t* output) {
937         return unwrap(dev)->finish(unwrap(dev), operation_handle, in_params, signature, out_params,
938                                    output);
939     }
940 
abort(const struct keymaster1_device * dev,keymaster_operation_handle_t operation_handle)941     static keymaster_error_t abort(const struct keymaster1_device* dev,
942                                    keymaster_operation_handle_t operation_handle) {
943         return unwrap(dev)->abort(unwrap(dev), operation_handle);
944     }
945 
946   private:
947     keymaster1_device_t device_;
948     const keymaster1_device_t* wrapped_device_;
949     hw_module_t new_module;
950     string new_module_name;
951 };
952 
make_device_sha256_only(keymaster1_device_t * device)953 keymaster1_device_t* make_device_sha256_only(keymaster1_device_t* device) {
954     return (new Sha256OnlyWrapper(device))->keymaster_device();
955 }
956 
957 }  // namespace test
958 }  // namespace keymaster
959