1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <algorithm>
18
19 #include <gtest/gtest.h>
20
21 #include <openssl/engine.h>
22 #include <openssl/rand.h>
23
24 #include <keymaster/authorization_set.h>
25 #include <keymaster/android_keymaster_utils.h>
26 #include <keymaster/keymaster_tags.h>
27
28 #include "android_keymaster_test_utils.h"
29 #include "auth_encrypted_key_blob.h"
30 #include "integrity_assured_key_blob.h"
31 #include "ocb_utils.h"
32
33 namespace keymaster {
34
35 namespace test {
36
37 const uint8_t master_key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
38 const uint8_t key_data[5] = {21, 22, 23, 24, 25};
39
40 class KeyBlobTest : public testing::Test {
41 protected:
KeyBlobTest()42 KeyBlobTest()
43 : master_key_(master_key_data, array_length(master_key_data)),
44 key_material_(key_data, array_length(key_data)) {
45 hw_enforced_.push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
46 hw_enforced_.push_back(TAG_KEY_SIZE, 256);
47 hw_enforced_.push_back(TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE);
48 hw_enforced_.push_back(TAG_MIN_SECONDS_BETWEEN_OPS, 10);
49 hw_enforced_.push_back(TAG_ALL_USERS);
50 hw_enforced_.push_back(TAG_NO_AUTH_REQUIRED);
51 hw_enforced_.push_back(TAG_ORIGIN, KM_ORIGIN_GENERATED);
52
53 sw_enforced_.push_back(TAG_ACTIVE_DATETIME, 10);
54 sw_enforced_.push_back(TAG_ORIGINATION_EXPIRE_DATETIME, 100);
55 sw_enforced_.push_back(TAG_CREATION_DATETIME, 10);
56
57 hidden_.push_back(TAG_ROOT_OF_TRUST, "foo", 3);
58 hidden_.push_back(TAG_APPLICATION_ID, "my_app", 6);
59
60 nonce_.reserve(OCB_NONCE_LENGTH);
61 EXPECT_EQ(1, RAND_bytes(nonce_.peek_write(), OCB_NONCE_LENGTH));
62 nonce_.advance_write(OCB_NONCE_LENGTH);
63
64 tag_.reserve(OCB_TAG_LENGTH);
65 }
66
Encrypt()67 keymaster_error_t Encrypt() {
68 return OcbEncryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, key_material_,
69 nonce_, &ciphertext_, &tag_);
70 }
71
Decrypt()72 keymaster_error_t Decrypt() {
73 return OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, ciphertext_, nonce_,
74 tag_, &decrypted_plaintext_);
75 }
76
Serialize()77 keymaster_error_t Serialize() {
78 return SerializeAuthEncryptedBlob(ciphertext_, hw_enforced_, sw_enforced_, nonce_, tag_,
79 &serialized_blob_);
80 }
81
Deserialize()82 keymaster_error_t Deserialize() {
83 return DeserializeAuthEncryptedBlob(serialized_blob_, &ciphertext_, &hw_enforced_,
84 &sw_enforced_, &nonce_, &tag_);
85 }
86
87 AuthorizationSet hw_enforced_;
88 AuthorizationSet sw_enforced_;
89 AuthorizationSet hidden_;
90 Buffer nonce_, tag_;
91
92 KeymasterKeyBlob master_key_;
93 KeymasterKeyBlob key_material_;
94 KeymasterKeyBlob ciphertext_;
95 KeymasterKeyBlob decrypted_plaintext_;
96 KeymasterKeyBlob serialized_blob_;
97 };
98
TEST_F(KeyBlobTest,EncryptDecrypt)99 TEST_F(KeyBlobTest, EncryptDecrypt) {
100 ASSERT_EQ(KM_ERROR_OK, Encrypt());
101 ASSERT_EQ(KM_ERROR_OK, Serialize());
102
103 // key_data shouldn't be anywhere in the blob, ciphertext should.
104 EXPECT_EQ(serialized_blob_.end(), std::search(serialized_blob_.begin(), serialized_blob_.end(),
105 key_material_.begin(), key_material_.end()));
106 EXPECT_NE(serialized_blob_.end(), std::search(serialized_blob_.begin(), serialized_blob_.end(),
107 ciphertext_.begin(), ciphertext_.end()));
108
109 ciphertext_.Clear();
110 nonce_.Clear();
111 tag_.Clear();
112 AuthorizationSet hw2;
113 AuthorizationSet sw2;
114
115 ASSERT_EQ(KM_ERROR_OK, DeserializeAuthEncryptedBlob(serialized_blob_, &ciphertext_, &hw2, &sw2,
116 &nonce_, &tag_));
117 KeymasterKeyBlob plaintext;
118 OcbDecryptKey(hw2, sw2, hidden_, master_key_, ciphertext_, nonce_, tag_, &plaintext);
119
120 EXPECT_EQ(hw_enforced_, hw2);
121 EXPECT_EQ(sw_enforced_, sw2);
122
123 ASSERT_EQ(key_material_.key_material_size, plaintext.key_material_size);
124 EXPECT_EQ(0, memcmp(plaintext.begin(), key_material_.begin(), plaintext.key_material_size));
125 }
126
TEST_F(KeyBlobTest,WrongKeyLength)127 TEST_F(KeyBlobTest, WrongKeyLength) {
128 ASSERT_EQ(KM_ERROR_OK, Encrypt());
129 ASSERT_EQ(KM_ERROR_OK, Serialize());
130
131 // Modify the key length, shouldn't be able to parse.
132 serialized_blob_.writable_data()[1 /* version */ + 4 /* nonce len */ + 12 /* nonce */ + 3]++;
133
134 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Deserialize());
135 }
136
TEST_F(KeyBlobTest,WrongNonce)137 TEST_F(KeyBlobTest, WrongNonce) {
138 ASSERT_EQ(KM_ERROR_OK, Encrypt());
139 ASSERT_EQ(KM_ERROR_OK, Serialize());
140
141 // Find the nonce, then modify it.
142 auto nonce_ptr =
143 std::search(serialized_blob_.begin(), serialized_blob_.end(), nonce_.begin(), nonce_.end());
144 ASSERT_NE(nonce_ptr, serialized_blob_.end());
145 EXPECT_EQ(serialized_blob_.end(),
146 std::search(nonce_ptr + 1, serialized_blob_.end(), nonce_.begin(), nonce_.end()));
147 (*const_cast<uint8_t*>(nonce_ptr))++;
148
149 // Deserialization shouldn't be affected, but decryption should fail.
150 ASSERT_EQ(KM_ERROR_OK, Deserialize());
151 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
152 }
153
TEST_F(KeyBlobTest,WrongTag)154 TEST_F(KeyBlobTest, WrongTag) {
155 ASSERT_EQ(KM_ERROR_OK, Encrypt());
156 ASSERT_EQ(KM_ERROR_OK, Serialize());
157
158 // Find the tag, them modify it.
159 auto tag_ptr =
160 std::search(serialized_blob_.begin(), serialized_blob_.end(), tag_.begin(), tag_.end());
161 ASSERT_NE(tag_ptr, serialized_blob_.end());
162 EXPECT_EQ(serialized_blob_.end(),
163 std::search(tag_ptr + 1, serialized_blob_.end(), tag_.begin(), tag_.end()));
164 (*const_cast<uint8_t*>(tag_ptr))++;
165
166 // Deserialization shouldn't be affected, but decryption should fail.
167 ASSERT_EQ(KM_ERROR_OK, Deserialize());
168 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
169 }
170
TEST_F(KeyBlobTest,WrongCiphertext)171 TEST_F(KeyBlobTest, WrongCiphertext) {
172 ASSERT_EQ(KM_ERROR_OK, Encrypt());
173 ASSERT_EQ(KM_ERROR_OK, Serialize());
174
175 // Find the ciphertext, them modify it.
176 auto ciphertext_ptr = std::search(serialized_blob_.begin(), serialized_blob_.end(),
177 ciphertext_.begin(), ciphertext_.end());
178 ASSERT_NE(ciphertext_ptr, serialized_blob_.end());
179 EXPECT_EQ(serialized_blob_.end(), std::search(ciphertext_ptr + 1, serialized_blob_.end(),
180 ciphertext_.begin(), ciphertext_.end()));
181 (*const_cast<uint8_t*>(ciphertext_ptr))++;
182
183 // Deserialization shouldn't be affected, but decryption should fail.
184 ASSERT_EQ(KM_ERROR_OK, Deserialize());
185 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
186 }
187
TEST_F(KeyBlobTest,WrongMasterKey)188 TEST_F(KeyBlobTest, WrongMasterKey) {
189 ASSERT_EQ(KM_ERROR_OK, Encrypt());
190 ASSERT_EQ(KM_ERROR_OK, Serialize());
191
192 uint8_t wrong_master_data[] = {1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
193 KeymasterKeyBlob wrong_master(wrong_master_data, array_length(wrong_master_data));
194
195 // Decrypting with wrong master key should fail.
196 ASSERT_EQ(KM_ERROR_OK, Deserialize());
197 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
198 OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, wrong_master, ciphertext_, nonce_,
199 tag_, &decrypted_plaintext_));
200 }
201
TEST_F(KeyBlobTest,WrongHwEnforced)202 TEST_F(KeyBlobTest, WrongHwEnforced) {
203 ASSERT_EQ(KM_ERROR_OK, Encrypt());
204 ASSERT_EQ(KM_ERROR_OK, Serialize());
205
206 // Find enforced serialization data and modify it.
207 size_t hw_enforced_size = hw_enforced_.SerializedSize();
208 UniquePtr<uint8_t[]> hw_enforced_data(new uint8_t[hw_enforced_size]);
209 hw_enforced_.Serialize(hw_enforced_data.get(), hw_enforced_data.get() + hw_enforced_size);
210
211 auto hw_enforced_ptr =
212 std::search(serialized_blob_.begin(), serialized_blob_.end(), hw_enforced_data.get(),
213 hw_enforced_data.get() + hw_enforced_size);
214 ASSERT_NE(serialized_blob_.end(), hw_enforced_ptr);
215 EXPECT_EQ(serialized_blob_.end(),
216 std::search(hw_enforced_ptr + 1, serialized_blob_.end(), hw_enforced_data.get(),
217 hw_enforced_data.get() + hw_enforced_size));
218 (*(const_cast<uint8_t*>(hw_enforced_ptr) + hw_enforced_size - 1))++;
219
220 // Deserialization shouldn't be affected, but decryption should fail.
221 ASSERT_EQ(KM_ERROR_OK, Deserialize());
222 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
223 }
224
TEST_F(KeyBlobTest,WrongSwEnforced)225 TEST_F(KeyBlobTest, WrongSwEnforced) {
226 ASSERT_EQ(KM_ERROR_OK, Encrypt());
227 ASSERT_EQ(KM_ERROR_OK, Serialize());
228
229 // Find enforced serialization data and modify it.
230 size_t sw_enforced_size = sw_enforced_.SerializedSize();
231 UniquePtr<uint8_t[]> sw_enforced_data(new uint8_t[sw_enforced_size]);
232 sw_enforced_.Serialize(sw_enforced_data.get(), sw_enforced_data.get() + sw_enforced_size);
233
234 auto sw_enforced_ptr =
235 std::search(serialized_blob_.begin(), serialized_blob_.end(), sw_enforced_data.get(),
236 sw_enforced_data.get() + sw_enforced_size);
237 ASSERT_NE(serialized_blob_.end(), sw_enforced_ptr);
238 EXPECT_EQ(serialized_blob_.end(),
239 std::search(sw_enforced_ptr + 1, serialized_blob_.end(), sw_enforced_data.get(),
240 sw_enforced_data.get() + sw_enforced_size));
241 (*(const_cast<uint8_t*>(sw_enforced_ptr) + sw_enforced_size - 1))++;
242
243 // Deserialization shouldn't be affected, but decryption should fail.
244 ASSERT_EQ(KM_ERROR_OK, Deserialize());
245 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
246 }
247
TEST_F(KeyBlobTest,EmptyHidden)248 TEST_F(KeyBlobTest, EmptyHidden) {
249 ASSERT_EQ(KM_ERROR_OK, Encrypt());
250 ASSERT_EQ(KM_ERROR_OK, Serialize());
251
252 AuthorizationSet wrong_hidden;
253
254 // Deserialization shouldn't be affected, but decryption should fail.
255 ASSERT_EQ(KM_ERROR_OK, Deserialize());
256 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
257 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_,
258 nonce_, tag_, &decrypted_plaintext_));
259 }
260
TEST_F(KeyBlobTest,WrongRootOfTrust)261 TEST_F(KeyBlobTest, WrongRootOfTrust) {
262 ASSERT_EQ(KM_ERROR_OK, Encrypt());
263 ASSERT_EQ(KM_ERROR_OK, Serialize());
264
265 AuthorizationSet wrong_hidden;
266 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "bar", 2);
267 wrong_hidden.push_back(TAG_APPLICATION_ID, "my_app", 6);
268
269 // Deserialization shouldn't be affected, but decryption should fail.
270 ASSERT_EQ(KM_ERROR_OK, Deserialize());
271 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
272 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_,
273 nonce_, tag_, &decrypted_plaintext_));
274 }
275
TEST_F(KeyBlobTest,WrongAppId)276 TEST_F(KeyBlobTest, WrongAppId) {
277 ASSERT_EQ(KM_ERROR_OK, Encrypt());
278 ASSERT_EQ(KM_ERROR_OK, Serialize());
279
280 AuthorizationSet wrong_hidden;
281 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "foo", 3);
282 wrong_hidden.push_back(TAG_APPLICATION_ID, "your_app", 7);
283
284 // Deserialization shouldn't be affected, but decryption should fail.
285 ASSERT_EQ(KM_ERROR_OK, Deserialize());
286 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
287 OcbDecryptKey(hw_enforced_, sw_enforced_, wrong_hidden, master_key_, ciphertext_,
288 nonce_, tag_, &decrypted_plaintext_));
289 }
290
291 // This test is especially useful when compiled for 32-bit mode and run under valgrind.
TEST_F(KeyBlobTest,FuzzTest)292 TEST_F(KeyBlobTest, FuzzTest) {
293 time_t now = time(NULL);
294 std::cout << "Seeding rand() with " << now << " for fuzz test." << std::endl;
295 srand(now);
296
297 // Fill large buffer with random bytes.
298 const int kBufSize = 10000;
299 UniquePtr<uint8_t[]> buf(new uint8_t[kBufSize]);
300 for (size_t i = 0; i < kBufSize; ++i)
301 buf[i] = static_cast<uint8_t>(rand());
302
303 // Try to deserialize every offset with multiple methods.
304 size_t deserialize_auth_encrypted_success = 0;
305 for (size_t i = 0; i < kBufSize; ++i) {
306 keymaster_key_blob_t blob = {buf.get() + i, kBufSize - i};
307 KeymasterKeyBlob key_blob(blob);
308
309 // Integrity-assured blob.
310 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
311 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
312 &sw_enforced_));
313
314 // Auth-encrypted OCB blob.
315 keymaster_error_t error = DeserializeAuthEncryptedBlob(
316 key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_, &nonce_, &tag_);
317 if (error == KM_ERROR_OK) {
318 // It's possible to deserialize successfully. Decryption should always fail.
319 ++deserialize_auth_encrypted_success;
320 error = OcbDecryptKey(hw_enforced_, sw_enforced_, hidden_, master_key_, ciphertext_,
321 nonce_, tag_, &decrypted_plaintext_);
322 }
323 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, error)
324 << "Somehow sucessfully parsed a blob with seed " << now << " at offset " << i;
325 }
326 }
327
TEST_F(KeyBlobTest,UnderflowTest)328 TEST_F(KeyBlobTest, UnderflowTest) {
329 uint8_t buf[0];
330 keymaster_key_blob_t blob = {buf, 0};
331 KeymasterKeyBlob key_blob(blob);
332 EXPECT_NE(nullptr, key_blob.key_material);
333 EXPECT_EQ(0U, key_blob.key_material_size);
334
335 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
336 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
337 &sw_enforced_));
338
339 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
340 DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_,
341 &nonce_, &tag_));
342 }
343
TEST_F(KeyBlobTest,DupBufferToolarge)344 TEST_F(KeyBlobTest, DupBufferToolarge) {
345 uint8_t buf[0];
346 keymaster_key_blob_t blob = {buf, 0};
347 blob.key_material_size = 16 * 1024 * 1024 + 1;
348 KeymasterKeyBlob key_blob(blob);
349 EXPECT_EQ(nullptr, key_blob.key_material);
350 EXPECT_EQ(0U, key_blob.key_material_size);
351
352 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
353 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
354 &sw_enforced_));
355
356 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
357 DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_,
358 &nonce_, &tag_));
359 }
360
361 } // namespace test
362 } // namespace keymaster
363