1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fstream>
18 #include <string>
19 #include <vector>
20
21 #include <openssl/evp.h>
22 #include <openssl/x509.h>
23
24 #include <hardware/keymaster0.h>
25 #include <keymaster/key_factory.h>
26 #include <keymaster/soft_keymaster_context.h>
27 #include <keymaster/soft_keymaster_device.h>
28 #include <keymaster/softkeymaster.h>
29
30 #include "android_keymaster_test_utils.h"
31 #include "attestation_record.h"
32 #include "keymaster0_engine.h"
33 #include "openssl_utils.h"
34
35 using std::ifstream;
36 using std::istreambuf_iterator;
37 using std::ofstream;
38 using std::string;
39 using std::unique_ptr;
40 using std::vector;
41
42 extern "C" {
43 int __android_log_print(int prio, const char* tag, const char* fmt);
__android_log_print(int prio,const char * tag,const char * fmt)44 int __android_log_print(int prio, const char* tag, const char* fmt) {
45 (void)prio, (void)tag, (void)fmt;
46 return 0;
47 }
48 } // extern "C"
49
50 namespace keymaster {
51 namespace test {
52
53 const uint32_t kOsVersion = 060000;
54 const uint32_t kOsPatchLevel = 201603;
55
56 StdoutLogger logger;
57
make_vector(const T * array,size_t len)58 template <typename T> vector<T> make_vector(const T* array, size_t len) {
59 return vector<T>(array, array + len);
60 }
61
62 /**
63 * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't
64 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited
65 * keys will only work once).
66 */
67 class TestKeymasterEnforcement : public KeymasterEnforcement {
68 public:
TestKeymasterEnforcement()69 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {}
70
activation_date_valid(uint64_t) const71 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; }
expiration_date_passed(uint64_t) const72 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; }
auth_token_timed_out(const hw_auth_token_t &,uint32_t) const73 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */,
74 uint32_t /* timeout */) const {
75 return false;
76 }
get_current_time() const77 virtual uint32_t get_current_time() const { return 0; }
ValidateTokenSignature(const hw_auth_token_t &) const78 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; }
79 };
80
81 /**
82 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement.
83 */
84 class TestKeymasterContext : public SoftKeymasterContext {
85 public:
TestKeymasterContext()86 TestKeymasterContext() {}
TestKeymasterContext(const string & root_of_trust)87 TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {}
88
enforcement_policy()89 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; }
90
91 private:
92 TestKeymasterEnforcement test_policy_;
93 };
94
95 /**
96 * Test instance creator that builds a pure software keymaster2 implementation.
97 */
98 class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator {
99 public:
CreateDevice() const100 keymaster2_device_t* CreateDevice() const override {
101 std::cerr << "Creating software-only device" << std::endl;
102 context_ = new TestKeymasterContext;
103 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
104 AuthorizationSet version_info(AuthorizationSetBuilder()
105 .Authorization(TAG_OS_VERSION, kOsVersion)
106 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
107 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
108 return device->keymaster2_device();
109 }
110
algorithm_in_km0_hardware(keymaster_algorithm_t) const111 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
keymaster0_calls() const112 int keymaster0_calls() const override { return 0; }
is_keymaster1_hw() const113 bool is_keymaster1_hw() const override { return false; }
keymaster_context() const114 KeymasterContext* keymaster_context() const override { return context_; }
115
116 private:
117 mutable TestKeymasterContext* context_;
118 };
119
120 /**
121 * Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0
122 * instance, with or without EC support.
123 */
124 class Keymaster0AdapterTestInstanceCreator : public Keymaster2TestInstanceCreator {
125 public:
Keymaster0AdapterTestInstanceCreator(bool support_ec)126 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {}
127
CreateDevice() const128 keymaster2_device_t* CreateDevice() const {
129 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_
130 << ")." << std::endl;
131 hw_device_t* softkeymaster_device;
132 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER,
133 &softkeymaster_device));
134 // Make the software device pretend to be hardware
135 keymaster0_device_t* keymaster0_device =
136 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device);
137 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY;
138
139 if (!support_ec_) {
140 // Make the software device pretend not to support EC
141 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC;
142 }
143
144 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device);
145
146 context_ = new TestKeymasterContext;
147 SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(context_);
148 keymaster->SetHardwareDevice(counting_keymaster0_device_);
149 AuthorizationSet version_info(AuthorizationSetBuilder()
150 .Authorization(TAG_OS_VERSION, kOsVersion)
151 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
152 keymaster->keymaster2_device()->configure(keymaster->keymaster2_device(), &version_info);
153 return keymaster->keymaster2_device();
154 }
155
algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const156 bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override {
157 switch (algorithm) {
158 case KM_ALGORITHM_RSA:
159 return true;
160 case KM_ALGORITHM_EC:
161 return support_ec_;
162 default:
163 return false;
164 }
165 }
keymaster0_calls() const166 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); }
is_keymaster1_hw() const167 bool is_keymaster1_hw() const override { return false; }
keymaster_context() const168 KeymasterContext* keymaster_context() const override { return context_; }
169
170 private:
171 mutable TestKeymasterContext* context_;
172 mutable Keymaster0CountingWrapper* counting_keymaster0_device_;
173 bool support_ec_;
174 };
175
176 /**
177 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
178 * instance, with minimal digest support.
179 */
180 class Sha256OnlyKeymaster2TestInstanceCreator : public Keymaster2TestInstanceCreator {
CreateDevice() const181 keymaster2_device_t* CreateDevice() const {
182 std::cerr << "Creating keymaster1-backed device that supports only SHA256";
183
184 // fake_device doesn't leak because device (below) takes ownership of it.
185 keymaster1_device_t* fake_device = make_device_sha256_only(
186 (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device());
187
188 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
189 context_ = new TestKeymasterContext;
190 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
191 device->SetHardwareDevice(fake_device);
192
193 AuthorizationSet version_info(AuthorizationSetBuilder()
194 .Authorization(TAG_OS_VERSION, kOsVersion)
195 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
196 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
197 return device->keymaster2_device();
198 }
199
algorithm_in_km0_hardware(keymaster_algorithm_t) const200 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
keymaster0_calls() const201 int keymaster0_calls() const override { return 0; }
minimal_digest_set() const202 int minimal_digest_set() const override { return true; }
is_keymaster1_hw() const203 bool is_keymaster1_hw() const override { return true; }
keymaster_context() const204 KeymasterContext* keymaster_context() const override { return context_; }
205
206 private:
207 mutable TestKeymasterContext* context_;
208 };
209
210 static auto test_params = testing::Values(
211 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator),
212 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
213 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)),
214 InstanceCreatorPtr(new Sha256OnlyKeymaster2TestInstanceCreator));
215
216 class NewKeyGeneration : public Keymaster2Test {
217 protected:
CheckBaseParams()218 void CheckBaseParams() {
219 AuthorizationSet auths = sw_enforced();
220 EXPECT_GT(auths.SerializedSize(), 12U);
221
222 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN));
223 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY));
224 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7));
225 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
226 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300));
227
228 // Verify that App ID, App data and ROT are NOT included.
229 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST));
230 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID));
231 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA));
232
233 // Just for giggles, check that some unexpected tags/values are NOT present.
234 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
235 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT));
236 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301));
237
238 // Now check that unspecified, defaulted tags are correct.
239 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME));
240 if (GetParam()->is_keymaster1_hw()) {
241 // If the underlying (faked) HW is KM1, it will not have version info.
242 EXPECT_FALSE(auths.Contains(TAG_OS_VERSION));
243 EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL));
244 } else {
245 // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by
246 // SoftKeymasterDevice, version information will be present and up to date.
247 EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion));
248 EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel));
249 }
250 }
251 };
252 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params);
253
TEST_P(NewKeyGeneration,Rsa)254 TEST_P(NewKeyGeneration, Rsa) {
255 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
256 .RsaSigningKey(256, 3)
257 .Digest(KM_DIGEST_NONE)
258 .Padding(KM_PAD_NONE)));
259 CheckBaseParams();
260
261 // Check specified tags are all present, and in the right set.
262 AuthorizationSet crypto_params;
263 AuthorizationSet non_crypto_params;
264 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
265 EXPECT_NE(0U, hw_enforced().size());
266 EXPECT_NE(0U, sw_enforced().size());
267 crypto_params.push_back(hw_enforced());
268 non_crypto_params.push_back(sw_enforced());
269 } else {
270 EXPECT_EQ(0U, hw_enforced().size());
271 EXPECT_NE(0U, sw_enforced().size());
272 crypto_params.push_back(sw_enforced());
273 }
274
275 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
276 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
277 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256));
278 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256));
279 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
280 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
281
282 EXPECT_EQ(KM_ERROR_OK, DeleteKey());
283
284 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
285 EXPECT_EQ(2, GetParam()->keymaster0_calls());
286 }
287
TEST_P(NewKeyGeneration,RsaDefaultSize)288 TEST_P(NewKeyGeneration, RsaDefaultSize) {
289 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
290 GenerateKey(AuthorizationSetBuilder()
291 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
292 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
293 .SigningKey()));
294
295 EXPECT_EQ(0, GetParam()->keymaster0_calls());
296 }
297
TEST_P(NewKeyGeneration,Ecdsa)298 TEST_P(NewKeyGeneration, Ecdsa) {
299 ASSERT_EQ(KM_ERROR_OK,
300 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
301 CheckBaseParams();
302
303 // Check specified tags are all present, and in the right set.
304 AuthorizationSet crypto_params;
305 AuthorizationSet non_crypto_params;
306 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
307 EXPECT_NE(0U, hw_enforced().size());
308 EXPECT_NE(0U, sw_enforced().size());
309 crypto_params.push_back(hw_enforced());
310 non_crypto_params.push_back(sw_enforced());
311 } else {
312 EXPECT_EQ(0U, hw_enforced().size());
313 EXPECT_NE(0U, sw_enforced().size());
314 crypto_params.push_back(sw_enforced());
315 }
316
317 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
318 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
319 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224));
320 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224));
321
322 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
323 EXPECT_EQ(1, GetParam()->keymaster0_calls());
324 }
325
TEST_P(NewKeyGeneration,EcdsaDefaultSize)326 TEST_P(NewKeyGeneration, EcdsaDefaultSize) {
327 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
328 GenerateKey(AuthorizationSetBuilder()
329 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
330 .SigningKey()
331 .Digest(KM_DIGEST_NONE)));
332
333 EXPECT_EQ(0, GetParam()->keymaster0_calls());
334 }
335
TEST_P(NewKeyGeneration,EcdsaInvalidSize)336 TEST_P(NewKeyGeneration, EcdsaInvalidSize) {
337 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
338 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
339 EXPECT_EQ(0, GetParam()->keymaster0_calls());
340 }
341
TEST_P(NewKeyGeneration,EcdsaMismatchKeySize)342 TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) {
343 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT,
344 GenerateKey(AuthorizationSetBuilder()
345 .EcdsaSigningKey(224)
346 .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256)
347 .Digest(KM_DIGEST_NONE)));
348 }
349
TEST_P(NewKeyGeneration,EcdsaAllValidSizes)350 TEST_P(NewKeyGeneration, EcdsaAllValidSizes) {
351 size_t valid_sizes[] = {224, 256, 384, 521};
352 for (size_t size : valid_sizes) {
353 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(
354 KM_DIGEST_NONE)))
355 << "Failed to generate size: " << size;
356 }
357
358 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
359 EXPECT_EQ(4, GetParam()->keymaster0_calls());
360 }
361
TEST_P(NewKeyGeneration,HmacSha256)362 TEST_P(NewKeyGeneration, HmacSha256) {
363 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
364 .HmacKey(128)
365 .Digest(KM_DIGEST_SHA_2_256)
366 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
367
368 EXPECT_EQ(0, GetParam()->keymaster0_calls());
369 }
370
TEST_P(NewKeyGeneration,HmacMultipleDigests)371 TEST_P(NewKeyGeneration, HmacMultipleDigests) {
372 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
373 GenerateKey(AuthorizationSetBuilder()
374 .HmacKey(128)
375 .Digest(KM_DIGEST_SHA1)
376 .Digest(KM_DIGEST_SHA_2_256)
377 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
378
379 EXPECT_EQ(0, GetParam()->keymaster0_calls());
380 }
381
TEST_P(NewKeyGeneration,HmacDigestNone)382 TEST_P(NewKeyGeneration, HmacDigestNone) {
383 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
384 GenerateKey(AuthorizationSetBuilder()
385 .HmacKey(128)
386 .Digest(KM_DIGEST_NONE)
387 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
388
389 EXPECT_EQ(0, GetParam()->keymaster0_calls());
390 }
391
TEST_P(NewKeyGeneration,HmacSha256TooShortMacLength)392 TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) {
393 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
394 GenerateKey(AuthorizationSetBuilder()
395 .HmacKey(128)
396 .Digest(KM_DIGEST_SHA_2_256)
397 .Authorization(TAG_MIN_MAC_LENGTH, 48)));
398
399 EXPECT_EQ(0, GetParam()->keymaster0_calls());
400 }
401
TEST_P(NewKeyGeneration,HmacSha256NonIntegralOctetMacLength)402 TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) {
403 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
404 GenerateKey(AuthorizationSetBuilder()
405 .HmacKey(128)
406 .Digest(KM_DIGEST_SHA_2_256)
407 .Authorization(TAG_MIN_MAC_LENGTH, 130)));
408
409 EXPECT_EQ(0, GetParam()->keymaster0_calls());
410 }
411
TEST_P(NewKeyGeneration,HmacSha256TooLongMacLength)412 TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) {
413 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
414 GenerateKey(AuthorizationSetBuilder()
415 .HmacKey(128)
416 .Digest(KM_DIGEST_SHA_2_256)
417 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
418
419 EXPECT_EQ(0, GetParam()->keymaster0_calls());
420 }
421
422 typedef Keymaster2Test GetKeyCharacteristics;
423 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params);
424
TEST_P(GetKeyCharacteristics,SimpleRsa)425 TEST_P(GetKeyCharacteristics, SimpleRsa) {
426 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
427 .RsaSigningKey(256, 3)
428 .Digest(KM_DIGEST_NONE)
429 .Padding(KM_PAD_NONE)));
430 AuthorizationSet original(sw_enforced());
431
432 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics());
433 EXPECT_EQ(original, sw_enforced());
434
435 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
436 EXPECT_EQ(1, GetParam()->keymaster0_calls());
437 }
438
439 typedef Keymaster2Test SigningOperationsTest;
440 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params);
441
TEST_P(SigningOperationsTest,RsaSuccess)442 TEST_P(SigningOperationsTest, RsaSuccess) {
443 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
444 .RsaSigningKey(256, 3)
445 .Digest(KM_DIGEST_NONE)
446 .Padding(KM_PAD_NONE)));
447 string message = "12345678901234567890123456789012";
448 string signature;
449 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
450
451 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
452 EXPECT_EQ(3, GetParam()->keymaster0_calls());
453 }
454
TEST_P(SigningOperationsTest,RsaPssSha256Success)455 TEST_P(SigningOperationsTest, RsaPssSha256Success) {
456 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
457 .RsaSigningKey(768, 3)
458 .Digest(KM_DIGEST_SHA_2_256)
459 .Padding(KM_PAD_RSA_PSS)));
460 // Use large message, which won't work without digesting.
461 string message(1024, 'a');
462 string signature;
463 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
464
465 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
466 EXPECT_EQ(3, GetParam()->keymaster0_calls());
467 }
468
TEST_P(SigningOperationsTest,RsaPaddingNoneDoesNotAllowOther)469 TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
470 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
471 .RsaSigningKey(512, 3)
472 .Digest(KM_DIGEST_NONE)
473 .Padding(KM_PAD_NONE)));
474 string message = "12345678901234567890123456789012";
475 string signature;
476
477 AuthorizationSet begin_params(client_params());
478 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
479 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
480 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
481
482 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
483 EXPECT_EQ(2, GetParam()->keymaster0_calls());
484 }
485
TEST_P(SigningOperationsTest,RsaPkcs1Sha256Success)486 TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
487 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
488 .RsaSigningKey(512, 3)
489 .Digest(KM_DIGEST_SHA_2_256)
490 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
491 string message(1024, 'a');
492 string signature;
493 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
494
495 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
496 EXPECT_EQ(3, GetParam()->keymaster0_calls());
497 }
498
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestSuccess)499 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
500 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
501 .RsaSigningKey(512, 3)
502 .Digest(KM_DIGEST_NONE)
503 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
504 string message(53, 'a');
505 string signature;
506 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN);
507
508 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
509 EXPECT_EQ(3, GetParam()->keymaster0_calls());
510 }
511
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestTooLarge)512 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) {
513 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
514 .RsaSigningKey(512, 3)
515 .Digest(KM_DIGEST_NONE)
516 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
517 string message(54, 'a');
518
519 AuthorizationSet begin_params(client_params());
520 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
521 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
522 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
523 string result;
524 size_t input_consumed;
525 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
526 string signature;
527 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature));
528
529 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
530 EXPECT_EQ(2, GetParam()->keymaster0_calls());
531 }
532
TEST_P(SigningOperationsTest,RsaPssSha256TooSmallKey)533 TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) {
534 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so
535 // verify that nine bytes larger than hash won't work.
536 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
537 .RsaSigningKey(256 + 9 * 8, 3)
538 .Digest(KM_DIGEST_SHA_2_256)
539 .Padding(KM_PAD_RSA_PSS)));
540 string message(1024, 'a');
541 string signature;
542
543 AuthorizationSet begin_params(client_params());
544 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
545 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
546 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
547 }
548
TEST_P(SigningOperationsTest,RsaNoPaddingHugeData)549 TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) {
550 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
551 .RsaSigningKey(256, 3)
552 .Digest(KM_DIGEST_NONE)
553 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
554 string message(64 * 1024, 'a');
555 string signature;
556 AuthorizationSet begin_params(client_params());
557 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
558 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
559 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
560 string result;
561 size_t input_consumed;
562 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
563
564 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
565 EXPECT_EQ(2, GetParam()->keymaster0_calls());
566 }
567
TEST_P(SigningOperationsTest,RsaAbort)568 TEST_P(SigningOperationsTest, RsaAbort) {
569 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
570 .RsaSigningKey(256, 3)
571 .Digest(KM_DIGEST_NONE)
572 .Padding(KM_PAD_NONE)));
573 AuthorizationSet begin_params(client_params());
574 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
575 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
576 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
577 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
578 // Another abort should fail
579 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation());
580
581 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
582 EXPECT_EQ(2, GetParam()->keymaster0_calls());
583 }
584
TEST_P(SigningOperationsTest,RsaUnsupportedPadding)585 TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
586 GenerateKey(AuthorizationSetBuilder()
587 .RsaSigningKey(256, 3)
588 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */)
589 .Padding(KM_PAD_PKCS7));
590 AuthorizationSet begin_params(client_params());
591 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
592 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
593
594 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
595 EXPECT_EQ(2, GetParam()->keymaster0_calls());
596 }
597
TEST_P(SigningOperationsTest,RsaNoDigest)598 TEST_P(SigningOperationsTest, RsaNoDigest) {
599 // PSS requires a digest.
600 GenerateKey(AuthorizationSetBuilder()
601 .RsaSigningKey(256, 3)
602 .Digest(KM_DIGEST_NONE)
603 .Padding(KM_PAD_RSA_PSS));
604 AuthorizationSet begin_params(client_params());
605 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
606 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
607 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
608
609 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
610 EXPECT_EQ(2, GetParam()->keymaster0_calls());
611 }
612
TEST_P(SigningOperationsTest,RsaNoPadding)613 TEST_P(SigningOperationsTest, RsaNoPadding) {
614 // Padding must be specified
615 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest(
616 KM_DIGEST_NONE)));
617 AuthorizationSet begin_params(client_params());
618 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
619 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
620
621 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
622 EXPECT_EQ(2, GetParam()->keymaster0_calls());
623 }
624
TEST_P(SigningOperationsTest,RsaTooShortMessage)625 TEST_P(SigningOperationsTest, RsaTooShortMessage) {
626 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
627 .RsaSigningKey(256, 3)
628 .Digest(KM_DIGEST_NONE)
629 .Padding(KM_PAD_NONE)));
630 string message = "1234567890123456789012345678901";
631 string signature;
632 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
633
634 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
635 EXPECT_EQ(3, GetParam()->keymaster0_calls());
636 }
637
TEST_P(SigningOperationsTest,RsaSignWithEncryptionKey)638 TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
639 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
640 .RsaEncryptionKey(256, 3)
641 .Digest(KM_DIGEST_NONE)
642 .Padding(KM_PAD_NONE)));
643 AuthorizationSet begin_params(client_params());
644 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
645 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
646 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
647
648 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
649 EXPECT_EQ(2, GetParam()->keymaster0_calls());
650 }
651
TEST_P(SigningOperationsTest,RsaSignTooLargeMessage)652 TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
653 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
654 .RsaSigningKey(256, 3)
655 .Digest(KM_DIGEST_NONE)
656 .Padding(KM_PAD_NONE)));
657 string message(256 / 8, static_cast<char>(0xff));
658 string signature;
659 AuthorizationSet begin_params(client_params());
660 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
661 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
662 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
663 string result;
664 size_t input_consumed;
665 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
666 ASSERT_EQ(message.size(), input_consumed);
667 string output;
668 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output));
669
670 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
671 EXPECT_EQ(3, GetParam()->keymaster0_calls());
672 }
673
TEST_P(SigningOperationsTest,EcdsaSuccess)674 TEST_P(SigningOperationsTest, EcdsaSuccess) {
675 ASSERT_EQ(KM_ERROR_OK,
676 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
677 string message(224 / 8, 'a');
678 string signature;
679 SignMessage(message, &signature, KM_DIGEST_NONE);
680
681 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
682 EXPECT_EQ(3, GetParam()->keymaster0_calls());
683 }
684
TEST_P(SigningOperationsTest,EcdsaSha256Success)685 TEST_P(SigningOperationsTest, EcdsaSha256Success) {
686 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
687 KM_DIGEST_SHA_2_256)));
688 string message(1024, 'a');
689 string signature;
690 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
691
692 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
693 EXPECT_EQ(3, GetParam()->keymaster0_calls());
694 }
695
TEST_P(SigningOperationsTest,EcdsaSha384Success)696 TEST_P(SigningOperationsTest, EcdsaSha384Success) {
697 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
698 KM_DIGEST_SHA_2_384)));
699 string message(1024, 'a');
700 string signature;
701 SignMessage(message, &signature, KM_DIGEST_SHA_2_384);
702
703 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
704 EXPECT_EQ(3, GetParam()->keymaster0_calls());
705 }
706
TEST_P(SigningOperationsTest,EcdsaNoPaddingHugeData)707 TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) {
708 ASSERT_EQ(KM_ERROR_OK,
709 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
710 string message(64 * 1024, 'a');
711 string signature;
712 AuthorizationSet begin_params(client_params());
713 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
714 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
715 string result;
716 size_t input_consumed;
717 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
718
719 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
720 EXPECT_EQ(2, GetParam()->keymaster0_calls());
721 }
722
TEST_P(SigningOperationsTest,EcdsaAllSizesAndHashes)723 TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
724 vector<int> key_sizes = {224, 256, 384, 521};
725 vector<keymaster_digest_t> digests = {
726 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
727 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
728 };
729
730 for (int key_size : key_sizes) {
731 for (keymaster_digest_t digest : digests) {
732 ASSERT_EQ(
733 KM_ERROR_OK,
734 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest)));
735
736 string message(1024, 'a');
737 string signature;
738 if (digest == KM_DIGEST_NONE)
739 message.resize(key_size / 8);
740 SignMessage(message, &signature, digest);
741 }
742 }
743
744 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
745 EXPECT_EQ(digests.size() * key_sizes.size() * 3,
746 static_cast<size_t>(GetParam()->keymaster0_calls()));
747 }
748
TEST_P(SigningOperationsTest,AesEcbSign)749 TEST_P(SigningOperationsTest, AesEcbSign) {
750 ASSERT_EQ(KM_ERROR_OK,
751 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization(
752 TAG_BLOCK_MODE, KM_MODE_ECB)));
753 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN));
754 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY));
755
756 EXPECT_EQ(0, GetParam()->keymaster0_calls());
757 }
758
TEST_P(SigningOperationsTest,HmacSha1Success)759 TEST_P(SigningOperationsTest, HmacSha1Success) {
760 if (GetParam()->minimal_digest_set())
761 // Can't emulate other digests for HMAC.
762 return;
763
764 GenerateKey(AuthorizationSetBuilder()
765 .HmacKey(128)
766 .Digest(KM_DIGEST_SHA1)
767 .Authorization(TAG_MIN_MAC_LENGTH, 160));
768 string message = "12345678901234567890123456789012";
769 string signature;
770 MacMessage(message, &signature, 160);
771 ASSERT_EQ(20U, signature.size());
772
773 EXPECT_EQ(0, GetParam()->keymaster0_calls());
774 }
775
TEST_P(SigningOperationsTest,HmacSha224Success)776 TEST_P(SigningOperationsTest, HmacSha224Success) {
777 if (GetParam()->minimal_digest_set())
778 // Can't emulate other digests for HMAC.
779 return;
780
781 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
782 .HmacKey(128)
783 .Digest(KM_DIGEST_SHA_2_224)
784 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
785 string message = "12345678901234567890123456789012";
786 string signature;
787 MacMessage(message, &signature, 224);
788 ASSERT_EQ(28U, signature.size());
789
790 EXPECT_EQ(0, GetParam()->keymaster0_calls());
791 }
792
TEST_P(SigningOperationsTest,HmacSha256Success)793 TEST_P(SigningOperationsTest, HmacSha256Success) {
794 if (GetParam()->minimal_digest_set())
795 // Can't emulate other digests for HMAC.
796 return;
797
798 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
799 .HmacKey(128)
800 .Digest(KM_DIGEST_SHA_2_256)
801 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
802 string message = "12345678901234567890123456789012";
803 string signature;
804 MacMessage(message, &signature, 256);
805 ASSERT_EQ(32U, signature.size());
806
807 EXPECT_EQ(0, GetParam()->keymaster0_calls());
808 }
809
TEST_P(SigningOperationsTest,HmacSha384Success)810 TEST_P(SigningOperationsTest, HmacSha384Success) {
811 if (GetParam()->minimal_digest_set())
812 // Can't emulate other digests for HMAC.
813 return;
814
815 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
816 .HmacKey(128)
817 .Digest(KM_DIGEST_SHA_2_384)
818 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
819
820 string message = "12345678901234567890123456789012";
821 string signature;
822 MacMessage(message, &signature, 384);
823 ASSERT_EQ(48U, signature.size());
824
825 EXPECT_EQ(0, GetParam()->keymaster0_calls());
826 }
827
TEST_P(SigningOperationsTest,HmacSha512Success)828 TEST_P(SigningOperationsTest, HmacSha512Success) {
829 if (GetParam()->minimal_digest_set())
830 // Can't emulate other digests for HMAC.
831 return;
832
833 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
834 .HmacKey(128)
835 .Digest(KM_DIGEST_SHA_2_512)
836 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
837 string message = "12345678901234567890123456789012";
838 string signature;
839 MacMessage(message, &signature, 512);
840 ASSERT_EQ(64U, signature.size());
841
842 EXPECT_EQ(0, GetParam()->keymaster0_calls());
843 }
844
TEST_P(SigningOperationsTest,HmacLengthInKey)845 TEST_P(SigningOperationsTest, HmacLengthInKey) {
846 // TODO(swillden): unified API should generate an error on key generation.
847 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
848 .HmacKey(128)
849 .Digest(KM_DIGEST_SHA_2_256)
850 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
851 string message = "12345678901234567890123456789012";
852 string signature;
853 MacMessage(message, &signature, 160);
854 ASSERT_EQ(20U, signature.size());
855
856 EXPECT_EQ(0, GetParam()->keymaster0_calls());
857 }
858
TEST_P(SigningOperationsTest,HmacRfc4231TestCase1)859 TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) {
860 uint8_t key_data[] = {
861 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
862 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
863 };
864 string message = "Hi There";
865 uint8_t sha_224_expected[] = {
866 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d,
867 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22,
868 };
869 uint8_t sha_256_expected[] = {
870 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf,
871 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83,
872 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7,
873 };
874 uint8_t sha_384_expected[] = {
875 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4,
876 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
877 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9,
878 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6,
879 };
880 uint8_t sha_512_expected[] = {
881 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a,
882 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0,
883 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7,
884 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e,
885 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54,
886 };
887
888 string key = make_string(key_data);
889
890 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
891 if (!GetParam()->minimal_digest_set()) {
892 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
893 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
894 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
895 }
896
897 EXPECT_EQ(0, GetParam()->keymaster0_calls());
898 }
899
TEST_P(SigningOperationsTest,HmacRfc4231TestCase2)900 TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) {
901 string key = "Jefe";
902 string message = "what do ya want for nothing?";
903 uint8_t sha_224_expected[] = {
904 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e,
905 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44,
906 };
907 uint8_t sha_256_expected[] = {
908 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24,
909 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27,
910 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43,
911 };
912 uint8_t sha_384_expected[] = {
913 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2,
914 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
915 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca,
916 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49,
917 };
918 uint8_t sha_512_expected[] = {
919 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b,
920 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27,
921 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99,
922 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3,
923 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37,
924 };
925
926 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
927 if (!GetParam()->minimal_digest_set()) {
928 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
929 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
930 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
931 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
932 }
933
934 EXPECT_EQ(0, GetParam()->keymaster0_calls());
935 }
936
TEST_P(SigningOperationsTest,HmacRfc4231TestCase3)937 TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
938 string key(20, 0xaa);
939 string message(50, 0xdd);
940 uint8_t sha_224_expected[] = {
941 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
942 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
943 };
944 uint8_t sha_256_expected[] = {
945 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
946 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
947 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
948 };
949 uint8_t sha_384_expected[] = {
950 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
951 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
952 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
953 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
954 };
955 uint8_t sha_512_expected[] = {
956 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
957 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
958 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
959 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
960 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
961 };
962
963 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
964 if (!GetParam()->minimal_digest_set()) {
965 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
966 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
967 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
968 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
969 }
970
971 EXPECT_EQ(0, GetParam()->keymaster0_calls());
972 }
973
TEST_P(SigningOperationsTest,HmacRfc4231TestCase4)974 TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) {
975 uint8_t key_data[25] = {
976 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
977 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
978 };
979 string key = make_string(key_data);
980 string message(50, 0xcd);
981 uint8_t sha_224_expected[] = {
982 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82,
983 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a,
984 };
985 uint8_t sha_256_expected[] = {
986 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81,
987 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78,
988 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b,
989 };
990 uint8_t sha_384_expected[] = {
991 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62,
992 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
993 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23,
994 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb,
995 };
996 uint8_t sha_512_expected[] = {
997 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6,
998 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f,
999 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e,
1000 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41,
1001 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd,
1002 };
1003
1004 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1005 if (!GetParam()->minimal_digest_set()) {
1006 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1007 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1008 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1009 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1010 }
1011
1012 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1013 }
1014
TEST_P(SigningOperationsTest,HmacRfc4231TestCase5)1015 TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1016 string key(20, 0x0c);
1017 string message = "Test With Truncation";
1018
1019 uint8_t sha_224_expected[] = {
1020 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1021 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1022 };
1023 uint8_t sha_256_expected[] = {
1024 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1025 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1026 };
1027 uint8_t sha_384_expected[] = {
1028 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1029 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1030 };
1031 uint8_t sha_512_expected[] = {
1032 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1033 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1034 };
1035
1036 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1037 if (!GetParam()->minimal_digest_set()) {
1038 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1039 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1040 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1041 }
1042
1043 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1044 }
1045
TEST_P(SigningOperationsTest,HmacRfc4231TestCase6)1046 TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
1047 string key(131, 0xaa);
1048 string message = "Test Using Larger Than Block-Size Key - Hash Key First";
1049
1050 uint8_t sha_224_expected[] = {
1051 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
1052 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
1053 };
1054 uint8_t sha_256_expected[] = {
1055 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
1056 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
1057 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
1058 };
1059 uint8_t sha_384_expected[] = {
1060 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
1061 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1062 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
1063 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
1064 };
1065 uint8_t sha_512_expected[] = {
1066 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
1067 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
1068 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
1069 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
1070 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
1071 };
1072
1073 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1074 if (!GetParam()->minimal_digest_set()) {
1075 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1076 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1077 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1078 }
1079
1080 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1081 }
1082
TEST_P(SigningOperationsTest,HmacRfc4231TestCase7)1083 TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
1084 string key(131, 0xaa);
1085 string message = "This is a test using a larger than block-size key and a larger than "
1086 "block-size data. The key needs to be hashed before being used by the HMAC "
1087 "algorithm.";
1088
1089 uint8_t sha_224_expected[] = {
1090 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
1091 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
1092 };
1093 uint8_t sha_256_expected[] = {
1094 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
1095 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
1096 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
1097 };
1098 uint8_t sha_384_expected[] = {
1099 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
1100 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1101 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
1102 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
1103 };
1104 uint8_t sha_512_expected[] = {
1105 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
1106 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
1107 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
1108 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
1109 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
1110 };
1111
1112 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
1113 if (!GetParam()->minimal_digest_set()) {
1114 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
1115 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
1116 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
1117 }
1118
1119 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1120 }
1121
TEST_P(SigningOperationsTest,HmacSha256TooLargeMacLength)1122 TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1123 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1124 .HmacKey(128)
1125 .Digest(KM_DIGEST_SHA_2_256)
1126 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1127 AuthorizationSet begin_params(client_params());
1128 begin_params.push_back(TAG_MAC_LENGTH, 264);
1129 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1130 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
1131 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1132
1133 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1134 }
1135
TEST_P(SigningOperationsTest,HmacSha256TooSmallMacLength)1136 TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1137 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1138 .HmacKey(128)
1139 .Digest(KM_DIGEST_SHA_2_256)
1140 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1141 AuthorizationSet begin_params(client_params());
1142 begin_params.push_back(TAG_MAC_LENGTH, 120);
1143 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1144 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
1145 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
1146
1147 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1148 }
1149
1150 // TODO(swillden): Add more verification failure tests.
1151
1152 typedef Keymaster2Test VerificationOperationsTest;
1153 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params);
1154
TEST_P(VerificationOperationsTest,RsaSuccess)1155 TEST_P(VerificationOperationsTest, RsaSuccess) {
1156 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1157 .RsaSigningKey(256, 3)
1158 .Digest(KM_DIGEST_NONE)
1159 .Padding(KM_PAD_NONE)));
1160 string message = "12345678901234567890123456789012";
1161 string signature;
1162 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1163 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1164
1165 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1166 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1167 }
1168
TEST_P(VerificationOperationsTest,RsaPssSha256Success)1169 TEST_P(VerificationOperationsTest, RsaPssSha256Success) {
1170 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1171 .RsaSigningKey(768, 3)
1172 .Digest(KM_DIGEST_SHA_2_256)
1173 .Padding(KM_PAD_RSA_PSS)));
1174 // Use large message, which won't work without digesting.
1175 string message(1024, 'a');
1176 string signature;
1177 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1178 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1179
1180 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1181 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1182 }
1183
TEST_P(VerificationOperationsTest,RsaPssSha224Success)1184 TEST_P(VerificationOperationsTest, RsaPssSha224Success) {
1185 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1186 .RsaSigningKey(512, 3)
1187 .Digest(KM_DIGEST_SHA_2_224)
1188 .Padding(KM_PAD_RSA_PSS)));
1189 // Use large message, which won't work without digesting.
1190 string message(1024, 'a');
1191 string signature;
1192 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1193 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
1194
1195 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1196 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1197
1198 // Verify with OpenSSL.
1199 string pubkey;
1200 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1201
1202 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1203 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1204 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1205 ASSERT_TRUE(pkey.get());
1206
1207 EVP_MD_CTX digest_ctx;
1208 EVP_MD_CTX_init(&digest_ctx);
1209 EVP_PKEY_CTX* pkey_ctx;
1210 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1211 pkey.get()));
1212 EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
1213 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1214 EXPECT_EQ(1,
1215 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1216 signature.size()));
1217 EVP_MD_CTX_cleanup(&digest_ctx);
1218 }
1219
TEST_P(VerificationOperationsTest,RsaPssSha256CorruptSignature)1220 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) {
1221 GenerateKey(AuthorizationSetBuilder()
1222 .RsaSigningKey(768, 3)
1223 .Digest(KM_DIGEST_SHA_2_256)
1224 .Padding(KM_PAD_RSA_PSS));
1225 string message(1024, 'a');
1226 string signature;
1227 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1228 ++signature[signature.size() / 2];
1229
1230 AuthorizationSet begin_params(client_params());
1231 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1232 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1233 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1234
1235 string result;
1236 size_t input_consumed;
1237 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1238 EXPECT_EQ(message.size(), input_consumed);
1239 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1240
1241 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1242 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1243 }
1244
TEST_P(VerificationOperationsTest,RsaPssSha256CorruptInput)1245 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) {
1246 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1247 .RsaSigningKey(768, 3)
1248 .Digest(KM_DIGEST_SHA_2_256)
1249 .Padding(KM_PAD_RSA_PSS)));
1250 // Use large message, which won't work without digesting.
1251 string message(1024, 'a');
1252 string signature;
1253 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1254 ++message[message.size() / 2];
1255
1256 AuthorizationSet begin_params(client_params());
1257 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1258 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1259 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1260
1261 string result;
1262 size_t input_consumed;
1263 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1264 EXPECT_EQ(message.size(), input_consumed);
1265 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1266
1267 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1268 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1269 }
1270
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256Success)1271 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) {
1272 GenerateKey(AuthorizationSetBuilder()
1273 .RsaSigningKey(512, 3)
1274 .Digest(KM_DIGEST_SHA_2_256)
1275 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1276 string message(1024, 'a');
1277 string signature;
1278 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1279 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1280
1281 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1282 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1283 }
1284
TEST_P(VerificationOperationsTest,RsaPks1Sha224Success)1285 TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) {
1286 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1287 .RsaSigningKey(512, 3)
1288 .Digest(KM_DIGEST_SHA_2_224)
1289 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1290 // Use large message, which won't work without digesting.
1291 string message(1024, 'a');
1292 string signature;
1293 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1294 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1295
1296 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1297 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1298
1299 // Verify with OpenSSL.
1300 string pubkey;
1301 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1302
1303 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1304 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1305 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1306 ASSERT_TRUE(pkey.get());
1307
1308 EVP_MD_CTX digest_ctx;
1309 EVP_MD_CTX_init(&digest_ctx);
1310 EVP_PKEY_CTX* pkey_ctx;
1311 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1312 pkey.get()));
1313 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1314 EXPECT_EQ(1,
1315 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1316 signature.size()));
1317 EVP_MD_CTX_cleanup(&digest_ctx);
1318 }
1319
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256CorruptSignature)1320 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) {
1321 GenerateKey(AuthorizationSetBuilder()
1322 .RsaSigningKey(512, 3)
1323 .Digest(KM_DIGEST_SHA_2_256)
1324 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1325 string message(1024, 'a');
1326 string signature;
1327 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1328 ++signature[signature.size() / 2];
1329
1330 AuthorizationSet begin_params(client_params());
1331 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1332 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1333 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1334
1335 string result;
1336 size_t input_consumed;
1337 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1338 EXPECT_EQ(message.size(), input_consumed);
1339 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1340
1341 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1342 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1343 }
1344
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256CorruptInput)1345 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) {
1346 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1347 .RsaSigningKey(512, 3)
1348 .Digest(KM_DIGEST_SHA_2_256)
1349 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1350 // Use large message, which won't work without digesting.
1351 string message(1024, 'a');
1352 string signature;
1353 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1354 ++message[message.size() / 2];
1355
1356 AuthorizationSet begin_params(client_params());
1357 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1358 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1359 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1360
1361 string result;
1362 size_t input_consumed;
1363 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1364 EXPECT_EQ(message.size(), input_consumed);
1365 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1366
1367 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1368 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1369 }
1370
TEST_P(VerificationOperationsTest,RsaAllDigestAndPadCombinations)1371 TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) {
1372 vector<keymaster_digest_t> digests = {
1373 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
1374 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1375 };
1376
1377 vector<keymaster_padding_t> padding_modes{
1378 KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS,
1379 };
1380
1381 int trial_count = 0;
1382 for (keymaster_padding_t padding_mode : padding_modes) {
1383 for (keymaster_digest_t digest : digests) {
1384 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE)
1385 // Digesting requires padding
1386 continue;
1387
1388 // Compute key & message size that will work.
1389 size_t key_bits = 0;
1390 size_t message_len = 1000;
1391
1392 if (digest == KM_DIGEST_NONE) {
1393 key_bits = 256;
1394 switch (padding_mode) {
1395 case KM_PAD_NONE:
1396 // Match key size.
1397 message_len = key_bits / 8;
1398 break;
1399 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1400 message_len = key_bits / 8 - 11;
1401 break;
1402 case KM_PAD_RSA_PSS:
1403 // PSS requires a digest.
1404 continue;
1405 default:
1406 FAIL() << "Missing padding";
1407 break;
1408 }
1409 } else {
1410 size_t digest_bits;
1411 switch (digest) {
1412 case KM_DIGEST_MD5:
1413 digest_bits = 128;
1414 break;
1415 case KM_DIGEST_SHA1:
1416 digest_bits = 160;
1417 break;
1418 case KM_DIGEST_SHA_2_224:
1419 digest_bits = 224;
1420 break;
1421 case KM_DIGEST_SHA_2_256:
1422 digest_bits = 256;
1423 break;
1424 case KM_DIGEST_SHA_2_384:
1425 digest_bits = 384;
1426 break;
1427 case KM_DIGEST_SHA_2_512:
1428 digest_bits = 512;
1429 break;
1430 default:
1431 FAIL() << "Missing digest";
1432 }
1433
1434 switch (padding_mode) {
1435 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1436 key_bits = digest_bits + 8 * (11 + 19);
1437 break;
1438 case KM_PAD_RSA_PSS:
1439 key_bits = digest_bits * 2 + 2 * 8;
1440 break;
1441 default:
1442 FAIL() << "Missing padding";
1443 break;
1444 }
1445 }
1446
1447 GenerateKey(AuthorizationSetBuilder()
1448 .RsaSigningKey(key_bits, 3)
1449 .Digest(digest)
1450 .Padding(padding_mode));
1451 string message(message_len, 'a');
1452 string signature;
1453 SignMessage(message, &signature, digest, padding_mode);
1454 VerifyMessage(message, signature, digest, padding_mode);
1455 ++trial_count;
1456 }
1457 }
1458
1459 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1460 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls());
1461 }
1462
TEST_P(VerificationOperationsTest,EcdsaSuccess)1463 TEST_P(VerificationOperationsTest, EcdsaSuccess) {
1464 ASSERT_EQ(KM_ERROR_OK,
1465 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1466 string message = "12345678901234567890123456789012";
1467 string signature;
1468 SignMessage(message, &signature, KM_DIGEST_NONE);
1469 VerifyMessage(message, signature, KM_DIGEST_NONE);
1470
1471 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1472 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1473 }
1474
TEST_P(VerificationOperationsTest,EcdsaTooShort)1475 TEST_P(VerificationOperationsTest, EcdsaTooShort) {
1476 ASSERT_EQ(KM_ERROR_OK,
1477 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1478 string message = "12345678901234567890";
1479 string signature;
1480 SignMessage(message, &signature, KM_DIGEST_NONE);
1481 VerifyMessage(message, signature, KM_DIGEST_NONE);
1482
1483 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1484 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1485 }
1486
TEST_P(VerificationOperationsTest,EcdsaSlightlyTooLong)1487 TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) {
1488 ASSERT_EQ(KM_ERROR_OK,
1489 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE)));
1490
1491 string message(66, 'a');
1492 string signature;
1493 SignMessage(message, &signature, KM_DIGEST_NONE);
1494 VerifyMessage(message, signature, KM_DIGEST_NONE);
1495
1496 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh.
1497 message[65] ^= 7;
1498 VerifyMessage(message, signature, KM_DIGEST_NONE);
1499
1500 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1501 EXPECT_EQ(5, GetParam()->keymaster0_calls());
1502 }
1503
TEST_P(VerificationOperationsTest,EcdsaSha256Success)1504 TEST_P(VerificationOperationsTest, EcdsaSha256Success) {
1505 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1506 .EcdsaSigningKey(256)
1507 .Digest(KM_DIGEST_SHA_2_256)
1508 .Digest(KM_DIGEST_NONE)));
1509 string message = "12345678901234567890123456789012";
1510 string signature;
1511 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
1512 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
1513
1514 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1515 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1516
1517 // Just for giggles, try verifying with the wrong digest.
1518 AuthorizationSet begin_params(client_params());
1519 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1520 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1521
1522 string result;
1523 size_t input_consumed;
1524 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1525 EXPECT_EQ(message.size(), input_consumed);
1526 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1527 }
1528
TEST_P(VerificationOperationsTest,EcdsaSha224Success)1529 TEST_P(VerificationOperationsTest, EcdsaSha224Success) {
1530 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
1531 KM_DIGEST_SHA_2_224)));
1532
1533 string message = "12345678901234567890123456789012";
1534 string signature;
1535 SignMessage(message, &signature, KM_DIGEST_SHA_2_224);
1536 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224);
1537
1538 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1539 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1540
1541 // Just for giggles, try verifying with the wrong digest.
1542 AuthorizationSet begin_params(client_params());
1543 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1544 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1545
1546 string result;
1547 size_t input_consumed;
1548 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1549 EXPECT_EQ(message.size(), input_consumed);
1550 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
1551 }
1552
TEST_P(VerificationOperationsTest,EcdsaAllDigestsAndKeySizes)1553 TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) {
1554 keymaster_digest_t digests[] = {
1555 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
1556 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1557 };
1558 size_t key_sizes[] = {224, 256, 384, 521};
1559
1560 string message = "1234567890";
1561 string signature;
1562
1563 for (auto key_size : key_sizes) {
1564 AuthorizationSetBuilder builder;
1565 builder.EcdsaSigningKey(key_size);
1566 for (auto digest : digests)
1567 builder.Digest(digest);
1568 ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder));
1569
1570 for (auto digest : digests) {
1571 SignMessage(message, &signature, digest);
1572 VerifyMessage(message, signature, digest);
1573 }
1574 }
1575
1576 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1577 EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))),
1578 GetParam()->keymaster0_calls());
1579 }
1580
TEST_P(VerificationOperationsTest,HmacSha1Success)1581 TEST_P(VerificationOperationsTest, HmacSha1Success) {
1582 if (GetParam()->minimal_digest_set())
1583 // Can't emulate missing digests for HMAC.
1584 return;
1585
1586 GenerateKey(AuthorizationSetBuilder()
1587 .HmacKey(128)
1588 .Digest(KM_DIGEST_SHA1)
1589 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1590 string message = "123456789012345678901234567890123456789012345678";
1591 string signature;
1592 MacMessage(message, &signature, 160);
1593 VerifyMac(message, signature);
1594
1595 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1596 }
1597
TEST_P(VerificationOperationsTest,HmacSha224Success)1598 TEST_P(VerificationOperationsTest, HmacSha224Success) {
1599 if (GetParam()->minimal_digest_set())
1600 // Can't emulate missing digests for HMAC.
1601 return;
1602
1603 GenerateKey(AuthorizationSetBuilder()
1604 .HmacKey(128)
1605 .Digest(KM_DIGEST_SHA_2_224)
1606 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1607 string message = "123456789012345678901234567890123456789012345678";
1608 string signature;
1609 MacMessage(message, &signature, 224);
1610 VerifyMac(message, signature);
1611
1612 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1613 }
1614
TEST_P(VerificationOperationsTest,HmacSha256Success)1615 TEST_P(VerificationOperationsTest, HmacSha256Success) {
1616 GenerateKey(AuthorizationSetBuilder()
1617 .HmacKey(128)
1618 .Digest(KM_DIGEST_SHA_2_256)
1619 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1620 string message = "123456789012345678901234567890123456789012345678";
1621 string signature;
1622 MacMessage(message, &signature, 256);
1623 VerifyMac(message, signature);
1624
1625 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1626 }
1627
TEST_P(VerificationOperationsTest,HmacSha256TooShortMac)1628 TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) {
1629 GenerateKey(AuthorizationSetBuilder()
1630 .HmacKey(128)
1631 .Digest(KM_DIGEST_SHA_2_256)
1632 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1633 string message = "123456789012345678901234567890123456789012345678";
1634 string signature;
1635 MacMessage(message, &signature, 256);
1636
1637 // Shorten to 128 bits, should still work.
1638 signature.resize(128 / 8);
1639 VerifyMac(message, signature);
1640
1641 // Drop one more byte.
1642 signature.resize(signature.length() - 1);
1643
1644 AuthorizationSet begin_params(client_params());
1645 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1646 string result;
1647 size_t input_consumed;
1648 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1649 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result));
1650
1651 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1652 }
1653
TEST_P(VerificationOperationsTest,HmacSha384Success)1654 TEST_P(VerificationOperationsTest, HmacSha384Success) {
1655 if (GetParam()->minimal_digest_set())
1656 // Can't emulate missing digests for HMAC.
1657 return;
1658
1659 GenerateKey(AuthorizationSetBuilder()
1660 .HmacKey(128)
1661 .Digest(KM_DIGEST_SHA_2_384)
1662 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1663 string message = "123456789012345678901234567890123456789012345678";
1664 string signature;
1665 MacMessage(message, &signature, 384);
1666 VerifyMac(message, signature);
1667
1668 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1669 }
1670
TEST_P(VerificationOperationsTest,HmacSha512Success)1671 TEST_P(VerificationOperationsTest, HmacSha512Success) {
1672 if (GetParam()->minimal_digest_set())
1673 // Can't emulate missing digests for HMAC.
1674 return;
1675
1676 GenerateKey(AuthorizationSetBuilder()
1677 .HmacKey(128)
1678 .Digest(KM_DIGEST_SHA_2_512)
1679 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1680 string message = "123456789012345678901234567890123456789012345678";
1681 string signature;
1682 MacMessage(message, &signature, 512);
1683 VerifyMac(message, signature);
1684
1685 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1686 }
1687
1688 typedef Keymaster2Test ExportKeyTest;
1689 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params);
1690
TEST_P(ExportKeyTest,RsaSuccess)1691 TEST_P(ExportKeyTest, RsaSuccess) {
1692 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1693 .RsaSigningKey(256, 3)
1694 .Digest(KM_DIGEST_NONE)
1695 .Padding(KM_PAD_NONE)));
1696 string export_data;
1697 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1698 EXPECT_GT(export_data.length(), 0U);
1699
1700 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1701
1702 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1703 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1704 }
1705
TEST_P(ExportKeyTest,EcdsaSuccess)1706 TEST_P(ExportKeyTest, EcdsaSuccess) {
1707 ASSERT_EQ(KM_ERROR_OK,
1708 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
1709 string export_data;
1710 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1711 EXPECT_GT(export_data.length(), 0U);
1712
1713 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1714
1715 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1716 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1717 }
1718
TEST_P(ExportKeyTest,RsaUnsupportedKeyFormat)1719 TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
1720 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1721 .RsaSigningKey(256, 3)
1722 .Digest(KM_DIGEST_NONE)
1723 .Padding(KM_PAD_NONE)));
1724 string export_data;
1725 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1726
1727 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1728 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1729 }
1730
TEST_P(ExportKeyTest,RsaCorruptedKeyBlob)1731 TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
1732 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1733 .RsaSigningKey(256, 3)
1734 .Digest(KM_DIGEST_NONE)
1735 .Padding(KM_PAD_NONE)));
1736 corrupt_key_blob();
1737 string export_data;
1738 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1739
1740 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1741 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1742 }
1743
TEST_P(ExportKeyTest,AesKeyExportFails)1744 TEST_P(ExportKeyTest, AesKeyExportFails) {
1745 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128)));
1746 string export_data;
1747
1748 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1749 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1750 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data));
1751
1752 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1753 }
1754
read_file(const string & file_name)1755 static string read_file(const string& file_name) {
1756 ifstream file_stream(file_name, std::ios::binary);
1757 istreambuf_iterator<char> file_begin(file_stream);
1758 istreambuf_iterator<char> file_end;
1759 return string(file_begin, file_end);
1760 }
1761
1762 typedef Keymaster2Test ImportKeyTest;
1763 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params);
1764
TEST_P(ImportKeyTest,RsaSuccess)1765 TEST_P(ImportKeyTest, RsaSuccess) {
1766 string pk8_key = read_file("rsa_privkey_pk8.der");
1767 ASSERT_EQ(633U, pk8_key.size());
1768
1769 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1770 .RsaSigningKey(1024, 65537)
1771 .Digest(KM_DIGEST_NONE)
1772 .Padding(KM_PAD_NONE),
1773 KM_KEY_FORMAT_PKCS8, pk8_key));
1774
1775 // Check values derived from the key.
1776 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1777 : sw_enforced(),
1778 TAG_ALGORITHM, KM_ALGORITHM_RSA));
1779 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1780 : sw_enforced(),
1781 TAG_KEY_SIZE, 1024));
1782 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
1783 : sw_enforced(),
1784 TAG_RSA_PUBLIC_EXPONENT, 65537U));
1785
1786 // And values provided by AndroidKeymaster
1787 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1788 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1789 else
1790 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1791 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1792
1793 string message(1024 / 8, 'a');
1794 string signature;
1795 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1796 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1797
1798 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1799 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1800 }
1801
TEST_P(ImportKeyTest,RsaKeySizeMismatch)1802 TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1803 string pk8_key = read_file("rsa_privkey_pk8.der");
1804 ASSERT_EQ(633U, pk8_key.size());
1805 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1806 ImportKey(AuthorizationSetBuilder()
1807 .RsaSigningKey(2048 /* Doesn't match key */, 3)
1808 .Digest(KM_DIGEST_NONE)
1809 .Padding(KM_PAD_NONE),
1810 KM_KEY_FORMAT_PKCS8, pk8_key));
1811
1812 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1813 }
1814
TEST_P(ImportKeyTest,RsaPublicExponenMismatch)1815 TEST_P(ImportKeyTest, RsaPublicExponenMismatch) {
1816 string pk8_key = read_file("rsa_privkey_pk8.der");
1817 ASSERT_EQ(633U, pk8_key.size());
1818 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1819 ImportKey(AuthorizationSetBuilder()
1820 .RsaSigningKey(256, 3 /* Doesnt' match key */)
1821 .Digest(KM_DIGEST_NONE)
1822 .Padding(KM_PAD_NONE),
1823 KM_KEY_FORMAT_PKCS8, pk8_key));
1824
1825 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1826 }
1827
TEST_P(ImportKeyTest,EcdsaSuccess)1828 TEST_P(ImportKeyTest, EcdsaSuccess) {
1829 string pk8_key = read_file("ec_privkey_pk8.der");
1830 ASSERT_EQ(138U, pk8_key.size());
1831
1832 ASSERT_EQ(KM_ERROR_OK,
1833 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1834 KM_KEY_FORMAT_PKCS8, pk8_key));
1835
1836 // Check values derived from the key.
1837 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1838 : sw_enforced(),
1839 TAG_ALGORITHM, KM_ALGORITHM_EC));
1840 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1841 : sw_enforced(),
1842 TAG_KEY_SIZE, 256));
1843
1844 // And values provided by AndroidKeymaster
1845 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1846 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1847 else
1848 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1849 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1850
1851 string message(32, 'a');
1852 string signature;
1853 SignMessage(message, &signature, KM_DIGEST_NONE);
1854 VerifyMessage(message, signature, KM_DIGEST_NONE);
1855
1856 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1857 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1858 }
1859
TEST_P(ImportKeyTest,EcdsaSizeSpecified)1860 TEST_P(ImportKeyTest, EcdsaSizeSpecified) {
1861 string pk8_key = read_file("ec_privkey_pk8.der");
1862 ASSERT_EQ(138U, pk8_key.size());
1863
1864 ASSERT_EQ(KM_ERROR_OK,
1865 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1866 KM_KEY_FORMAT_PKCS8, pk8_key));
1867
1868 // Check values derived from the key.
1869 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1870 : sw_enforced(),
1871 TAG_ALGORITHM, KM_ALGORITHM_EC));
1872 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
1873 : sw_enforced(),
1874 TAG_KEY_SIZE, 256));
1875
1876 // And values provided by AndroidKeymaster
1877 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1878 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
1879 else
1880 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1881 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1882
1883 string message(32, 'a');
1884 string signature;
1885 SignMessage(message, &signature, KM_DIGEST_NONE);
1886 VerifyMessage(message, signature, KM_DIGEST_NONE);
1887
1888 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
1889 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1890 }
1891
TEST_P(ImportKeyTest,EcdsaSizeMismatch)1892 TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1893 string pk8_key = read_file("ec_privkey_pk8.der");
1894 ASSERT_EQ(138U, pk8_key.size());
1895 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1896 ImportKey(AuthorizationSetBuilder()
1897 .EcdsaSigningKey(224 /* Doesn't match key */)
1898 .Digest(KM_DIGEST_NONE),
1899 KM_KEY_FORMAT_PKCS8, pk8_key));
1900
1901 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1902 }
1903
TEST_P(ImportKeyTest,AesKeySuccess)1904 TEST_P(ImportKeyTest, AesKeySuccess) {
1905 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1906 string key(key_data, sizeof(key_data));
1907 ASSERT_EQ(KM_ERROR_OK,
1908 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization(
1909 TAG_PADDING, KM_PAD_PKCS7),
1910 KM_KEY_FORMAT_RAW, key));
1911
1912 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1913 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1914
1915 string message = "Hello World!";
1916 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
1917 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
1918 EXPECT_EQ(message, plaintext);
1919
1920 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1921 }
1922
TEST_P(ImportKeyTest,HmacSha256KeySuccess)1923 TEST_P(ImportKeyTest, HmacSha256KeySuccess) {
1924 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1925 string key(key_data, sizeof(key_data));
1926 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1927 .HmacKey(sizeof(key_data) * 8)
1928 .Digest(KM_DIGEST_SHA_2_256)
1929 .Authorization(TAG_MIN_MAC_LENGTH, 256),
1930 KM_KEY_FORMAT_RAW, key));
1931
1932 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1933 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1934
1935 string message = "Hello World!";
1936 string signature;
1937 MacMessage(message, &signature, 256);
1938 VerifyMac(message, signature);
1939
1940 EXPECT_EQ(0, GetParam()->keymaster0_calls());
1941 }
1942
1943 typedef Keymaster2Test EncryptionOperationsTest;
1944 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params);
1945
TEST_P(EncryptionOperationsTest,RsaNoPaddingSuccess)1946 TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
1947 ASSERT_EQ(KM_ERROR_OK,
1948 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1949
1950 string message = "12345678901234567890123456789012";
1951 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE);
1952 EXPECT_EQ(256U / 8, ciphertext1.size());
1953
1954 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE);
1955 EXPECT_EQ(256U / 8, ciphertext2.size());
1956
1957 // Unpadded RSA is deterministic
1958 EXPECT_EQ(ciphertext1, ciphertext2);
1959
1960 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1961 EXPECT_EQ(3, GetParam()->keymaster0_calls());
1962 }
1963
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooShort)1964 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) {
1965 ASSERT_EQ(KM_ERROR_OK,
1966 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1967
1968 string message = "1";
1969
1970 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
1971 EXPECT_EQ(256U / 8, ciphertext.size());
1972
1973 string expected_plaintext = string(256 / 8 - 1, 0) + message;
1974 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE);
1975
1976 EXPECT_EQ(expected_plaintext, plaintext);
1977
1978 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1979 EXPECT_EQ(4, GetParam()->keymaster0_calls());
1980 }
1981
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooLong)1982 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
1983 ASSERT_EQ(KM_ERROR_OK,
1984 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1985
1986 string message = "123456789012345678901234567890123";
1987
1988 AuthorizationSet begin_params(client_params());
1989 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
1990 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
1991
1992 string result;
1993 size_t input_consumed;
1994 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
1995
1996 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
1997 EXPECT_EQ(2, GetParam()->keymaster0_calls());
1998 }
1999
TEST_P(EncryptionOperationsTest,RsaNoPaddingLargerThanModulus)2000 TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) {
2001 ASSERT_EQ(KM_ERROR_OK,
2002 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
2003
2004 string exported;
2005 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported));
2006
2007 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data());
2008 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
2009 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
2010 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get()));
2011
2012 size_t modulus_len = BN_num_bytes(rsa->n);
2013 ASSERT_EQ(256U / 8, modulus_len);
2014 unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
2015 BN_bn2bin(rsa->n, modulus_buf.get());
2016
2017 // The modulus is too big to encrypt.
2018 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2019
2020 AuthorizationSet begin_params(client_params());
2021 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2022 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2023
2024 string result;
2025 size_t input_consumed;
2026 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2027 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result));
2028
2029 // One smaller than the modulus is okay.
2030 BN_sub(rsa->n, rsa->n, BN_value_one());
2031 modulus_len = BN_num_bytes(rsa->n);
2032 ASSERT_EQ(256U / 8, modulus_len);
2033 BN_bn2bin(rsa->n, modulus_buf.get());
2034 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2035 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2036 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2037 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
2038
2039 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2040 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2041 }
2042
TEST_P(EncryptionOperationsTest,RsaOaepSuccess)2043 TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2044 size_t key_size = 768;
2045 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2046 .RsaEncryptionKey(key_size, 3)
2047 .Padding(KM_PAD_RSA_OAEP)
2048 .Digest(KM_DIGEST_SHA_2_256)));
2049
2050 string message = "Hello";
2051 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2052 EXPECT_EQ(key_size / 8, ciphertext1.size());
2053
2054 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2055 EXPECT_EQ(key_size / 8, ciphertext2.size());
2056
2057 // OAEP randomizes padding so every result should be different.
2058 EXPECT_NE(ciphertext1, ciphertext2);
2059
2060 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2061 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2062 }
2063
TEST_P(EncryptionOperationsTest,RsaOaepSha224Success)2064 TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) {
2065 size_t key_size = 768;
2066 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2067 .RsaEncryptionKey(key_size, 3)
2068 .Padding(KM_PAD_RSA_OAEP)
2069 .Digest(KM_DIGEST_SHA_2_224)));
2070
2071 string message = "Hello";
2072 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2073 EXPECT_EQ(key_size / 8, ciphertext1.size());
2074
2075 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2076 EXPECT_EQ(key_size / 8, ciphertext2.size());
2077
2078 // OAEP randomizes padding so every result should be different.
2079 EXPECT_NE(ciphertext1, ciphertext2);
2080
2081 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2082 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2083 }
2084
TEST_P(EncryptionOperationsTest,RsaOaepRoundTrip)2085 TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) {
2086 size_t key_size = 768;
2087 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2088 .RsaEncryptionKey(key_size, 3)
2089 .Padding(KM_PAD_RSA_OAEP)
2090 .Digest(KM_DIGEST_SHA_2_256)));
2091 string message = "Hello World!";
2092 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2093 EXPECT_EQ(key_size / 8, ciphertext.size());
2094
2095 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2096 EXPECT_EQ(message, plaintext);
2097
2098 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2099 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2100 }
2101
TEST_P(EncryptionOperationsTest,RsaOaepSha224RoundTrip)2102 TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) {
2103 size_t key_size = 768;
2104 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2105 .RsaEncryptionKey(key_size, 3)
2106 .Padding(KM_PAD_RSA_OAEP)
2107 .Digest(KM_DIGEST_SHA_2_224)));
2108 string message = "Hello World!";
2109 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2110 EXPECT_EQ(key_size / 8, ciphertext.size());
2111
2112 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2113 EXPECT_EQ(message, plaintext);
2114
2115 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2116 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2117 }
2118
TEST_P(EncryptionOperationsTest,RsaOaepInvalidDigest)2119 TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2120 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2121 .RsaEncryptionKey(512, 3)
2122 .Padding(KM_PAD_RSA_OAEP)
2123 .Digest(KM_DIGEST_NONE)));
2124 string message = "Hello World!";
2125
2126 AuthorizationSet begin_params(client_params());
2127 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2128 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
2129 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2130
2131 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2132 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2133 }
2134
TEST_P(EncryptionOperationsTest,RsaOaepUnauthorizedDigest)2135 TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) {
2136 if (GetParam()->minimal_digest_set())
2137 // We don't have two supported digests, so we can't try authorizing one and using another.
2138 return;
2139
2140 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2141 .RsaEncryptionKey(512, 3)
2142 .Padding(KM_PAD_RSA_OAEP)
2143 .Digest(KM_DIGEST_SHA_2_256)));
2144 string message = "Hello World!";
2145 // Works because encryption is a public key operation.
2146 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP);
2147
2148 AuthorizationSet begin_params(client_params());
2149 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2150 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2151 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2152
2153 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2154 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2155 }
2156
TEST_P(EncryptionOperationsTest,RsaOaepDecryptWithWrongDigest)2157 TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2158 if (GetParam()->minimal_digest_set())
2159 // We don't have two supported digests, so we can't try encrypting with one and decrypting
2160 // with another.
2161 return;
2162
2163 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2164 .RsaEncryptionKey(768, 3)
2165 .Padding(KM_PAD_RSA_OAEP)
2166 .Digest(KM_DIGEST_SHA_2_256)
2167 .Digest(KM_DIGEST_SHA_2_384)));
2168 string message = "Hello World!";
2169 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2170
2171 string result;
2172 size_t input_consumed;
2173 AuthorizationSet begin_params(client_params());
2174 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2175 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
2176 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2177 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2178 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2179 EXPECT_EQ(0U, result.size());
2180
2181 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2182 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2183 }
2184
TEST_P(EncryptionOperationsTest,RsaOaepTooLarge)2185 TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2186 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2187 .RsaEncryptionKey(512, 3)
2188 .Padding(KM_PAD_RSA_OAEP)
2189 .Digest(KM_DIGEST_SHA1)));
2190 string message = "12345678901234567890123";
2191 string result;
2192 size_t input_consumed;
2193
2194 AuthorizationSet begin_params(client_params());
2195 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2196 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2197 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2198 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2199 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2200 EXPECT_EQ(0U, result.size());
2201
2202 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2203 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2204 }
2205
TEST_P(EncryptionOperationsTest,RsaOaepCorruptedDecrypt)2206 TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) {
2207 size_t key_size = 768;
2208 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2209 .RsaEncryptionKey(768, 3)
2210 .Padding(KM_PAD_RSA_OAEP)
2211 .Digest(KM_DIGEST_SHA_2_256)));
2212 string message = "Hello World!";
2213 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2214 EXPECT_EQ(key_size / 8, ciphertext.size());
2215
2216 // Corrupt the ciphertext
2217 ciphertext[key_size / 8 / 2]++;
2218
2219 string result;
2220 size_t input_consumed;
2221 AuthorizationSet begin_params(client_params());
2222 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2223 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
2224 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2225 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2226 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2227 EXPECT_EQ(0U, result.size());
2228
2229 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2230 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2231 }
2232
TEST_P(EncryptionOperationsTest,RsaPkcs1Success)2233 TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2234 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2235 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2236 string message = "Hello World!";
2237 string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2238 EXPECT_EQ(512U / 8, ciphertext1.size());
2239
2240 string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2241 EXPECT_EQ(512U / 8, ciphertext2.size());
2242
2243 // PKCS1 v1.5 randomizes padding so every result should be different.
2244 EXPECT_NE(ciphertext1, ciphertext2);
2245
2246 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2247 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2248 }
2249
TEST_P(EncryptionOperationsTest,RsaPkcs1RoundTrip)2250 TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) {
2251 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2252 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2253 string message = "Hello World!";
2254 string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2255 EXPECT_EQ(512U / 8, ciphertext.size());
2256
2257 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2258 EXPECT_EQ(message, plaintext);
2259
2260 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2261 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2262 }
2263
TEST_P(EncryptionOperationsTest,RsaRoundTripAllCombinations)2264 TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) {
2265 size_t key_size = 2048;
2266 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2267 .RsaEncryptionKey(key_size, 3)
2268 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT)
2269 .Padding(KM_PAD_RSA_OAEP)
2270 .Digest(KM_DIGEST_NONE)
2271 .Digest(KM_DIGEST_MD5)
2272 .Digest(KM_DIGEST_SHA1)
2273 .Digest(KM_DIGEST_SHA_2_224)
2274 .Digest(KM_DIGEST_SHA_2_256)
2275 .Digest(KM_DIGEST_SHA_2_384)
2276 .Digest(KM_DIGEST_SHA_2_512)));
2277
2278 string message = "Hello World!";
2279
2280 keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
2281 keymaster_digest_t digests[] = {
2282 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
2283 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
2284 };
2285
2286 for (auto padding : padding_modes)
2287 for (auto digest : digests) {
2288 if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE)
2289 // OAEP requires a digest.
2290 continue;
2291
2292 string ciphertext = EncryptMessage(message, digest, padding);
2293 EXPECT_EQ(key_size / 8, ciphertext.size());
2294
2295 string plaintext = DecryptMessage(ciphertext, digest, padding);
2296 EXPECT_EQ(message, plaintext);
2297 }
2298
2299 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2300 EXPECT_EQ(40, GetParam()->keymaster0_calls());
2301 }
2302
TEST_P(EncryptionOperationsTest,RsaPkcs1TooLarge)2303 TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2304 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2305 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2306 string message = "123456789012345678901234567890123456789012345678901234";
2307 string result;
2308 size_t input_consumed;
2309
2310 AuthorizationSet begin_params(client_params());
2311 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2312 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2313 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2314 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2315 EXPECT_EQ(0U, result.size());
2316
2317 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2318 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2319 }
2320
TEST_P(EncryptionOperationsTest,RsaPkcs1CorruptedDecrypt)2321 TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) {
2322 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2323 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2324 string message = "Hello World!";
2325 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2326 EXPECT_EQ(512U / 8, ciphertext.size());
2327
2328 // Corrupt the ciphertext
2329 ciphertext[512 / 8 / 2]++;
2330
2331 string result;
2332 size_t input_consumed;
2333 AuthorizationSet begin_params(client_params());
2334 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2335 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2336 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2337 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2338 EXPECT_EQ(0U, result.size());
2339
2340 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2341 EXPECT_EQ(4, GetParam()->keymaster0_calls());
2342 }
2343
TEST_P(EncryptionOperationsTest,RsaEncryptWithSigningKey)2344 TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) {
2345 ASSERT_EQ(KM_ERROR_OK,
2346 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE)));
2347
2348 AuthorizationSet begin_params(client_params());
2349 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2350 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2351
2352 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
2353 EXPECT_EQ(2, GetParam()->keymaster0_calls());
2354 }
2355
TEST_P(EncryptionOperationsTest,EcdsaEncrypt)2356 TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2357 ASSERT_EQ(KM_ERROR_OK,
2358 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
2359 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2360 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2361
2362 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
2363 EXPECT_EQ(3, GetParam()->keymaster0_calls());
2364 }
2365
TEST_P(EncryptionOperationsTest,HmacEncrypt)2366 TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2367 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2368 .HmacKey(128)
2369 .Digest(KM_DIGEST_SHA_2_256)
2370 .Padding(KM_PAD_NONE)
2371 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2372 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2373 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2374
2375 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2376 }
2377
TEST_P(EncryptionOperationsTest,AesEcbRoundTripSuccess)2378 TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2379 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2380 .AesEncryptionKey(128)
2381 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2382 .Padding(KM_PAD_NONE)));
2383 // Two-block message.
2384 string message = "12345678901234567890123456789012";
2385 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
2386 EXPECT_EQ(message.size(), ciphertext1.size());
2387
2388 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE);
2389 EXPECT_EQ(message.size(), ciphertext2.size());
2390
2391 // ECB is deterministic.
2392 EXPECT_EQ(ciphertext1, ciphertext2);
2393
2394 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE);
2395 EXPECT_EQ(message, plaintext);
2396
2397 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2398 }
2399
TEST_P(EncryptionOperationsTest,AesEcbNotAuthorized)2400 TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) {
2401 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2402 .AesEncryptionKey(128)
2403 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2404 .Padding(KM_PAD_NONE)));
2405 // Two-block message.
2406 string message = "12345678901234567890123456789012";
2407 AuthorizationSet begin_params(client_params());
2408 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2409 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2410 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2411
2412 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2413 }
2414
TEST_P(EncryptionOperationsTest,AesEcbNoPaddingWrongInputSize)2415 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2416 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2417 .AesEncryptionKey(128)
2418 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2419 .Padding(KM_PAD_NONE)));
2420 // Message is slightly shorter than two blocks.
2421 string message = "1234567890123456789012345678901";
2422
2423 AuthorizationSet begin_params(client_params());
2424 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2425 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2426 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2427 string ciphertext;
2428 size_t input_consumed;
2429 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed));
2430 EXPECT_EQ(message.size(), input_consumed);
2431 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext));
2432
2433 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2434 }
2435
TEST_P(EncryptionOperationsTest,AesEcbPkcs7Padding)2436 TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2437 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2438 .AesEncryptionKey(128)
2439 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2440 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2441
2442 // Try various message lengths; all should work.
2443 for (size_t i = 0; i < 32; ++i) {
2444 string message(i, 'a');
2445 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2446 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2447 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
2448 EXPECT_EQ(message, plaintext);
2449 }
2450
2451 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2452 }
2453
TEST_P(EncryptionOperationsTest,AesEcbNoPaddingKeyWithPkcs7Padding)2454 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) {
2455 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2456 .AesEncryptionKey(128)
2457 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2458 .Authorization(TAG_PADDING, KM_PAD_NONE)));
2459
2460 // Try various message lengths; all should fail.
2461 for (size_t i = 0; i < 32; ++i) {
2462 AuthorizationSet begin_params(client_params());
2463 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2464 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2465 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
2466 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2467 }
2468
2469 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2470 }
2471
TEST_P(EncryptionOperationsTest,AesEcbPkcs7PaddingCorrupted)2472 TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2473 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2474 .AesEncryptionKey(128)
2475 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2476 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2477
2478 string message = "a";
2479 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2480 EXPECT_EQ(16U, ciphertext.size());
2481 EXPECT_NE(ciphertext, message);
2482 ++ciphertext[ciphertext.size() / 2];
2483
2484 AuthorizationSet begin_params(client_params());
2485 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2486 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2487 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2488 string plaintext;
2489 size_t input_consumed;
2490 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
2491 EXPECT_EQ(ciphertext.size(), input_consumed);
2492 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
2493
2494 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2495 }
2496
TEST_P(EncryptionOperationsTest,AesCtrRoundTripSuccess)2497 TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2498 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2499 .AesEncryptionKey(128)
2500 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2501 .Padding(KM_PAD_NONE)));
2502 string message = "123";
2503 string iv1;
2504 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1);
2505 EXPECT_EQ(message.size(), ciphertext1.size());
2506 EXPECT_EQ(16U, iv1.size());
2507
2508 string iv2;
2509 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2);
2510 EXPECT_EQ(message.size(), ciphertext2.size());
2511 EXPECT_EQ(16U, iv2.size());
2512
2513 // IVs should be random, so ciphertexts should differ.
2514 EXPECT_NE(iv1, iv2);
2515 EXPECT_NE(ciphertext1, ciphertext2);
2516
2517 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1);
2518 EXPECT_EQ(message, plaintext);
2519
2520 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2521 }
2522
TEST_P(EncryptionOperationsTest,AesCtrIncremental)2523 TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
2524 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2525 .AesEncryptionKey(128)
2526 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2527 .Padding(KM_PAD_NONE)));
2528
2529 int increment = 15;
2530 string message(239, 'a');
2531 AuthorizationSet input_params(client_params());
2532 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2533 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2534 AuthorizationSet output_params;
2535 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2536
2537 string ciphertext;
2538 size_t input_consumed;
2539 for (size_t i = 0; i < message.size(); i += increment)
2540 EXPECT_EQ(KM_ERROR_OK,
2541 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2542 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2543 EXPECT_EQ(message.size(), ciphertext.size());
2544
2545 // Move TAG_NONCE into input_params
2546 input_params.Reinitialize(output_params);
2547 input_params.push_back(client_params());
2548 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2549 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2550 output_params.Clear();
2551
2552 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2553 string plaintext;
2554 for (size_t i = 0; i < ciphertext.size(); i += increment)
2555 EXPECT_EQ(KM_ERROR_OK,
2556 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2557 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2558 EXPECT_EQ(ciphertext.size(), plaintext.size());
2559 EXPECT_EQ(message, plaintext);
2560
2561 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2562 }
2563
2564 struct AesCtrSp80038aTestVector {
2565 const char* key;
2566 const char* nonce;
2567 const char* plaintext;
2568 const char* ciphertext;
2569 };
2570
2571 // These test vectors are taken from
2572 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2573 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2574 // AES-128
2575 {
2576 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2577 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2578 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2579 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2580 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2581 },
2582 // AES-192
2583 {
2584 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2585 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2586 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2587 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2588 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2589 },
2590 // AES-256
2591 {
2592 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2593 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2594 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2595 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2596 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2597 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2598 },
2599 };
2600
TEST_P(EncryptionOperationsTest,AesCtrSp80038aTestVector)2601 TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2602 for (size_t i = 0; i < 3; i++) {
2603 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2604 const string key = hex2str(test.key);
2605 const string nonce = hex2str(test.nonce);
2606 const string plaintext = hex2str(test.plaintext);
2607 const string ciphertext = hex2str(test.ciphertext);
2608 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2609 }
2610
2611 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2612 }
2613
TEST_P(EncryptionOperationsTest,AesCtrInvalidPaddingMode)2614 TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) {
2615 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2616 .AesEncryptionKey(128)
2617 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2618 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2619 AuthorizationSet begin_params(client_params());
2620 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2621 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2622 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2623
2624 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2625 }
2626
TEST_P(EncryptionOperationsTest,AesCtrInvalidCallerNonce)2627 TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2628 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2629 .AesEncryptionKey(128)
2630 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2631 .Authorization(TAG_CALLER_NONCE)
2632 .Padding(KM_PAD_NONE)));
2633
2634 AuthorizationSet input_params(client_params());
2635 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2636 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2637 input_params.push_back(TAG_NONCE, "123", 3);
2638 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params));
2639
2640 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2641 }
2642
TEST_P(EncryptionOperationsTest,AesCbcRoundTripSuccess)2643 TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
2644 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2645 .AesEncryptionKey(128)
2646 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2647 .Padding(KM_PAD_NONE)));
2648 // Two-block message.
2649 string message = "12345678901234567890123456789012";
2650 string iv1;
2651 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2652 EXPECT_EQ(message.size(), ciphertext1.size());
2653
2654 string iv2;
2655 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2);
2656 EXPECT_EQ(message.size(), ciphertext2.size());
2657
2658 // IVs should be random, so ciphertexts should differ.
2659 EXPECT_NE(iv1, iv2);
2660 EXPECT_NE(ciphertext1, ciphertext2);
2661
2662 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2663 EXPECT_EQ(message, plaintext);
2664
2665 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2666 }
2667
TEST_P(EncryptionOperationsTest,AesCallerNonce)2668 TEST_P(EncryptionOperationsTest, AesCallerNonce) {
2669 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2670 .AesEncryptionKey(128)
2671 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2672 .Authorization(TAG_CALLER_NONCE)
2673 .Padding(KM_PAD_NONE)));
2674 string message = "12345678901234567890123456789012";
2675 string iv1;
2676 // Don't specify nonce, should get a random one.
2677 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2678 EXPECT_EQ(message.size(), ciphertext1.size());
2679 EXPECT_EQ(16U, iv1.size());
2680
2681 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2682 EXPECT_EQ(message, plaintext);
2683
2684 // Now specify a nonce, should also work.
2685 AuthorizationSet input_params(client_params());
2686 AuthorizationSet update_params;
2687 AuthorizationSet output_params;
2688 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2689 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2690 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2691 string ciphertext2 =
2692 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params);
2693
2694 // Decrypt with correct nonce.
2695 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2696 &output_params);
2697 EXPECT_EQ(message, plaintext);
2698
2699 // Now try with wrong nonce.
2700 input_params.Reinitialize(client_params());
2701 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2702 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2703 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16);
2704 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2705 &output_params);
2706 EXPECT_NE(message, plaintext);
2707
2708 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2709 }
2710
TEST_P(EncryptionOperationsTest,AesCallerNonceProhibited)2711 TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
2712 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2713 .AesEncryptionKey(128)
2714 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2715 .Padding(KM_PAD_NONE)));
2716
2717 string message = "12345678901234567890123456789012";
2718 string iv1;
2719 // Don't specify nonce, should get a random one.
2720 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2721 EXPECT_EQ(message.size(), ciphertext1.size());
2722 EXPECT_EQ(16U, iv1.size());
2723
2724 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2725 EXPECT_EQ(message, plaintext);
2726
2727 // Now specify a nonce, should fail.
2728 AuthorizationSet input_params(client_params());
2729 AuthorizationSet update_params;
2730 AuthorizationSet output_params;
2731 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2732 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2733 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2734
2735 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
2736 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2737
2738 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2739 }
2740
TEST_P(EncryptionOperationsTest,AesCbcIncrementalNoPadding)2741 TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) {
2742 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2743 .AesEncryptionKey(128)
2744 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2745 .Padding(KM_PAD_NONE)));
2746
2747 int increment = 15;
2748 string message(240, 'a');
2749 AuthorizationSet input_params(client_params());
2750 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2751 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2752 AuthorizationSet output_params;
2753 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2754
2755 string ciphertext;
2756 size_t input_consumed;
2757 for (size_t i = 0; i < message.size(); i += increment)
2758 EXPECT_EQ(KM_ERROR_OK,
2759 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2760 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2761 EXPECT_EQ(message.size(), ciphertext.size());
2762
2763 // Move TAG_NONCE into input_params
2764 input_params.Reinitialize(output_params);
2765 input_params.push_back(client_params());
2766 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2767 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2768 output_params.Clear();
2769
2770 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2771 string plaintext;
2772 for (size_t i = 0; i < ciphertext.size(); i += increment)
2773 EXPECT_EQ(KM_ERROR_OK,
2774 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2775 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2776 EXPECT_EQ(ciphertext.size(), plaintext.size());
2777 EXPECT_EQ(message, plaintext);
2778
2779 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2780 }
2781
TEST_P(EncryptionOperationsTest,AesCbcPkcs7Padding)2782 TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) {
2783 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2784 .AesEncryptionKey(128)
2785 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2786 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2787
2788 // Try various message lengths; all should work.
2789 for (size_t i = 0; i < 32; ++i) {
2790 string message(i, 'a');
2791 string iv;
2792 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
2793 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2794 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv);
2795 EXPECT_EQ(message, plaintext);
2796 }
2797
2798 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2799 }
2800
TEST_P(EncryptionOperationsTest,AesGcmRoundTripSuccess)2801 TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2802 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2803 .AesEncryptionKey(128)
2804 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2805 .Authorization(TAG_PADDING, KM_PAD_NONE)
2806 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2807 string aad = "foobar";
2808 string message = "123456789012345678901234567890123456";
2809 AuthorizationSet begin_params(client_params());
2810 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2811 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2812 begin_params.push_back(TAG_MAC_LENGTH, 128);
2813
2814 AuthorizationSet update_params;
2815 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2816
2817 // Encrypt
2818 AuthorizationSet begin_out_params;
2819 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2820 string ciphertext;
2821 size_t input_consumed;
2822 AuthorizationSet update_out_params;
2823 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2824 &input_consumed));
2825 EXPECT_EQ(message.size(), input_consumed);
2826 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2827
2828 // Grab nonce
2829 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2830 begin_params.push_back(begin_out_params);
2831
2832 // Decrypt.
2833 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2834 string plaintext;
2835 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2836 &plaintext, &input_consumed));
2837 EXPECT_EQ(ciphertext.size(), input_consumed);
2838 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2839
2840 EXPECT_EQ(message, plaintext);
2841 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2842 }
2843
TEST_P(EncryptionOperationsTest,AesGcmTooShortTag)2844 TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
2845 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2846 .AesEncryptionKey(128)
2847 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2848 .Authorization(TAG_PADDING, KM_PAD_NONE)
2849 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2850 string aad = "foobar";
2851 string message = "123456789012345678901234567890123456";
2852 AuthorizationSet begin_params(client_params());
2853 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2854 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2855 begin_params.push_back(TAG_MAC_LENGTH, 96);
2856
2857 AuthorizationSet update_params;
2858 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2859
2860 AuthorizationSet begin_out_params;
2861 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
2862 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2863
2864 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2865 }
2866
TEST_P(EncryptionOperationsTest,AesGcmTooShortTagOnDecrypt)2867 TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
2868 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2869 .AesEncryptionKey(128)
2870 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2871 .Authorization(TAG_PADDING, KM_PAD_NONE)
2872 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2873 string aad = "foobar";
2874 string message = "123456789012345678901234567890123456";
2875 AuthorizationSet begin_params(client_params());
2876 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2877 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2878 begin_params.push_back(TAG_MAC_LENGTH, 128);
2879
2880 AuthorizationSet update_params;
2881 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2882
2883 // Encrypt
2884 AuthorizationSet begin_out_params;
2885 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2886 string ciphertext;
2887 size_t input_consumed;
2888 AuthorizationSet update_out_params;
2889 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2890 &input_consumed));
2891 EXPECT_EQ(message.size(), input_consumed);
2892 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2893
2894 // Grab nonce
2895 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2896 begin_params.Reinitialize(client_params());
2897 begin_params.push_back(begin_out_params);
2898 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2899 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2900 begin_params.push_back(TAG_MAC_LENGTH, 96);
2901
2902 // Decrypt.
2903 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2904
2905 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2906 }
2907
TEST_P(EncryptionOperationsTest,AesGcmCorruptKey)2908 TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
2909 uint8_t nonce[] = {
2910 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
2911 };
2912 uint8_t ciphertext[] = {
2913 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
2914 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
2915 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
2916 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
2917 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
2918 };
2919 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext));
2920
2921 AuthorizationSet begin_params(client_params());
2922 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2923 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2924 begin_params.push_back(TAG_MAC_LENGTH, 128);
2925 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce));
2926
2927 string plaintext;
2928 size_t input_consumed;
2929
2930 // Import correct key and decrypt
2931 uint8_t good_key[] = {
2932 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2933 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2934 };
2935 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key));
2936 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2937 .AesEncryptionKey(128)
2938 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2939 .Authorization(TAG_PADDING, KM_PAD_NONE)
2940 .Authorization(TAG_CALLER_NONCE)
2941 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2942 KM_KEY_FORMAT_RAW, good_key_str));
2943 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2944 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2945 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2946
2947 // Import bad key and decrypt
2948 uint8_t bad_key[] = {
2949 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2950 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2951 };
2952 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key));
2953 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2954 .AesEncryptionKey(128)
2955 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2956 .Authorization(TAG_PADDING, KM_PAD_NONE)
2957 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2958 KM_KEY_FORMAT_RAW, bad_key_str));
2959 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2960 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2961 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
2962
2963 EXPECT_EQ(0, GetParam()->keymaster0_calls());
2964 }
2965
TEST_P(EncryptionOperationsTest,AesGcmAadNoData)2966 TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
2967 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2968 .AesEncryptionKey(128)
2969 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2970 .Authorization(TAG_PADDING, KM_PAD_NONE)
2971 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2972 string aad = "123456789012345678";
2973 string empty_message;
2974 AuthorizationSet begin_params(client_params());
2975 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2976 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2977 begin_params.push_back(TAG_MAC_LENGTH, 128);
2978
2979 AuthorizationSet update_params;
2980 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2981
2982 // Encrypt
2983 AuthorizationSet begin_out_params;
2984 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2985 string ciphertext;
2986 size_t input_consumed;
2987 AuthorizationSet update_out_params;
2988 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params,
2989 &ciphertext, &input_consumed));
2990 EXPECT_EQ(0U, input_consumed);
2991 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2992
2993 // Grab nonce
2994 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2995 begin_params.push_back(begin_out_params);
2996
2997 // Decrypt.
2998 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2999 string plaintext;
3000 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3001 &plaintext, &input_consumed));
3002 EXPECT_EQ(ciphertext.size(), input_consumed);
3003 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3004
3005 EXPECT_EQ(empty_message, plaintext);
3006 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3007 }
3008
TEST_P(EncryptionOperationsTest,AesGcmIncremental)3009 TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
3010 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3011 .AesEncryptionKey(128)
3012 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3013 .Authorization(TAG_PADDING, KM_PAD_NONE)
3014 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3015 AuthorizationSet begin_params(client_params());
3016 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3017 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3018 begin_params.push_back(TAG_MAC_LENGTH, 128);
3019
3020 AuthorizationSet update_params;
3021 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1);
3022
3023 // Encrypt
3024 AuthorizationSet begin_out_params;
3025 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3026 string ciphertext;
3027 size_t input_consumed;
3028 AuthorizationSet update_out_params;
3029
3030 // Send AAD, incrementally
3031 for (int i = 0; i < 1000; ++i) {
3032 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext,
3033 &input_consumed));
3034 EXPECT_EQ(0U, input_consumed);
3035 EXPECT_EQ(0U, ciphertext.size());
3036 }
3037
3038 // Now send data, incrementally, no data.
3039 AuthorizationSet empty_params;
3040 for (int i = 0; i < 1000; ++i) {
3041 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext,
3042 &input_consumed));
3043 EXPECT_EQ(1U, input_consumed);
3044 }
3045 EXPECT_EQ(1000U, ciphertext.size());
3046
3047 // And finish.
3048 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3049 EXPECT_EQ(1016U, ciphertext.size());
3050
3051 // Grab nonce
3052 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3053 begin_params.push_back(begin_out_params);
3054
3055 // Decrypt.
3056 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3057 string plaintext;
3058
3059 // Send AAD, incrementally, no data
3060 for (int i = 0; i < 1000; ++i) {
3061 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext,
3062 &input_consumed));
3063 EXPECT_EQ(0U, input_consumed);
3064 EXPECT_EQ(0U, plaintext.size());
3065 }
3066
3067 // Now send data, incrementally.
3068 for (size_t i = 0; i < ciphertext.length(); ++i) {
3069 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1),
3070 &update_out_params, &plaintext, &input_consumed));
3071 EXPECT_EQ(1U, input_consumed);
3072 }
3073 EXPECT_EQ(1000U, plaintext.size());
3074 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3075
3076 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3077 }
3078
TEST_P(EncryptionOperationsTest,AesGcmMultiPartAad)3079 TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3080 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3081 .AesEncryptionKey(128)
3082 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3083 .Authorization(TAG_PADDING, KM_PAD_NONE)
3084 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3085 string message = "123456789012345678901234567890123456";
3086 AuthorizationSet begin_params(client_params());
3087 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3088 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3089 begin_params.push_back(TAG_MAC_LENGTH, 128);
3090 AuthorizationSet begin_out_params;
3091
3092 AuthorizationSet update_params;
3093 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3);
3094
3095 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3096
3097 // No data, AAD only.
3098 string ciphertext;
3099 size_t input_consumed;
3100 AuthorizationSet update_out_params;
3101 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params,
3102 &ciphertext, &input_consumed));
3103 EXPECT_EQ(0U, input_consumed);
3104
3105 // AAD and data.
3106 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3107 &input_consumed));
3108 EXPECT_EQ(message.size(), input_consumed);
3109 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3110
3111 // Grab nonce.
3112 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3113 begin_params.push_back(begin_out_params);
3114
3115 // Decrypt
3116 update_params.Clear();
3117 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6);
3118
3119 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3120 string plaintext;
3121 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3122 &plaintext, &input_consumed));
3123 EXPECT_EQ(ciphertext.size(), input_consumed);
3124 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3125
3126 EXPECT_EQ(message, plaintext);
3127 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3128 }
3129
TEST_P(EncryptionOperationsTest,AesGcmBadAad)3130 TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3131 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3132 .AesEncryptionKey(128)
3133 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3134 .Authorization(TAG_PADDING, KM_PAD_NONE)
3135 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3136 string message = "12345678901234567890123456789012";
3137 AuthorizationSet begin_params(client_params());
3138 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3139 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3140 begin_params.push_back(TAG_MAC_LENGTH, 128);
3141
3142 AuthorizationSet update_params;
3143 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3144
3145 AuthorizationSet finish_params;
3146 AuthorizationSet finish_out_params;
3147
3148 // Encrypt
3149 AuthorizationSet begin_out_params;
3150 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3151 AuthorizationSet update_out_params;
3152 string ciphertext;
3153 size_t input_consumed;
3154 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3155 &input_consumed));
3156 EXPECT_EQ(message.size(), input_consumed);
3157 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3158
3159 // Grab nonce
3160 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3161 begin_params.push_back(begin_out_params);
3162
3163 update_params.Clear();
3164 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6);
3165
3166 // Decrypt.
3167 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3168 string plaintext;
3169 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3170 &plaintext, &input_consumed));
3171 EXPECT_EQ(ciphertext.size(), input_consumed);
3172 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3173
3174 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3175 }
3176
TEST_P(EncryptionOperationsTest,AesGcmWrongNonce)3177 TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3178 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3179 .AesEncryptionKey(128)
3180 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3181 .Authorization(TAG_PADDING, KM_PAD_NONE)
3182 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3183 string message = "12345678901234567890123456789012";
3184 AuthorizationSet begin_params(client_params());
3185 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3186 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3187 begin_params.push_back(TAG_MAC_LENGTH, 128);
3188
3189 AuthorizationSet update_params;
3190 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3191
3192 // Encrypt
3193 AuthorizationSet begin_out_params;
3194 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3195 AuthorizationSet update_out_params;
3196 string ciphertext;
3197 size_t input_consumed;
3198 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3199 &input_consumed));
3200 EXPECT_EQ(message.size(), input_consumed);
3201 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3202
3203 begin_params.push_back(TAG_NONCE, "123456789012", 12);
3204
3205 // Decrypt
3206 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3207 string plaintext;
3208 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3209 &plaintext, &input_consumed));
3210 EXPECT_EQ(ciphertext.size(), input_consumed);
3211 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3212
3213 // With wrong nonce, should have gotten garbage plaintext.
3214 EXPECT_NE(message, plaintext);
3215 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3216 }
3217
TEST_P(EncryptionOperationsTest,AesGcmCorruptTag)3218 TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3219 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3220 .AesEncryptionKey(128)
3221 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3222 .Authorization(TAG_PADDING, KM_PAD_NONE)
3223 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3224 string aad = "foobar";
3225 string message = "123456789012345678901234567890123456";
3226 AuthorizationSet begin_params(client_params());
3227 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3228 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3229 begin_params.push_back(TAG_MAC_LENGTH, 128);
3230 AuthorizationSet begin_out_params;
3231
3232 AuthorizationSet update_params;
3233 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3234
3235 // Encrypt
3236 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3237 AuthorizationSet update_out_params;
3238 string ciphertext;
3239 size_t input_consumed;
3240 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3241 &input_consumed));
3242 EXPECT_EQ(message.size(), input_consumed);
3243 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3244
3245 // Corrupt tag
3246 (*ciphertext.rbegin())++;
3247
3248 // Grab nonce.
3249 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3250 begin_params.push_back(begin_out_params);
3251
3252 // Decrypt.
3253 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3254 string plaintext;
3255 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3256 &plaintext, &input_consumed));
3257 EXPECT_EQ(ciphertext.size(), input_consumed);
3258 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3259
3260 EXPECT_EQ(message, plaintext);
3261 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3262 }
3263
3264 typedef Keymaster2Test MaxOperationsTest;
3265 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params);
3266
TEST_P(MaxOperationsTest,TestLimit)3267 TEST_P(MaxOperationsTest, TestLimit) {
3268 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3269 .AesEncryptionKey(128)
3270 .EcbMode()
3271 .Authorization(TAG_PADDING, KM_PAD_NONE)
3272 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3273
3274 string message = "1234567890123456";
3275 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3276 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3277 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3278
3279 // Fourth time should fail.
3280 AuthorizationSet begin_params(client_params());
3281 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3282 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3283 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3284
3285 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3286 }
3287
TEST_P(MaxOperationsTest,TestAbort)3288 TEST_P(MaxOperationsTest, TestAbort) {
3289 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3290 .AesEncryptionKey(128)
3291 .EcbMode()
3292 .Authorization(TAG_PADDING, KM_PAD_NONE)
3293 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3294
3295 string message = "1234567890123456";
3296 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3297 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3298 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3299
3300 // Fourth time should fail.
3301 AuthorizationSet begin_params(client_params());
3302 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3303 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3304 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3305
3306 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3307 }
3308
3309 typedef Keymaster2Test AddEntropyTest;
3310 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params);
3311
TEST_P(AddEntropyTest,AddEntropy)3312 TEST_P(AddEntropyTest, AddEntropy) {
3313 // There's no obvious way to test that entropy is actually added, but we can test that the API
3314 // doesn't blow up or return an error.
3315 EXPECT_EQ(KM_ERROR_OK,
3316 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3));
3317
3318 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3319 }
3320
3321 typedef Keymaster2Test Keymaster0AdapterTest;
3322 INSTANTIATE_TEST_CASE_P(
3323 AndroidKeymasterTest, Keymaster0AdapterTest,
3324 ::testing::Values(
3325 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
3326 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))));
3327
TEST_P(Keymaster0AdapterTest,OldSoftwareKeymaster1RsaBlob)3328 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) {
3329 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted
3330 // key data.
3331 string km1_sw = read_file("km1_sw_rsa_512.blob");
3332 EXPECT_EQ(486U, km1_sw.length());
3333
3334 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3335 memcpy(key_data, km1_sw.data(), km1_sw.length());
3336 set_key_blob(key_data, km1_sw.length());
3337
3338 string message(64, 'a');
3339 string signature;
3340 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3341
3342 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3343 }
3344
TEST_P(Keymaster0AdapterTest,UnversionedSoftwareKeymaster1RsaBlob)3345 TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) {
3346 // Load and use an old-style Keymaster1 software key blob, without the version byte. These
3347 // blobs contain OCB-encrypted key data.
3348 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob");
3349 EXPECT_EQ(477U, km1_sw.length());
3350
3351 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3352 memcpy(key_data, km1_sw.data(), km1_sw.length());
3353 set_key_blob(key_data, km1_sw.length());
3354
3355 string message(64, 'a');
3356 string signature;
3357 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3358
3359 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3360 }
3361
TEST_P(Keymaster0AdapterTest,OldSoftwareKeymaster1EcdsaBlob)3362 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) {
3363 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted
3364 // key data.
3365 string km1_sw = read_file("km1_sw_ecdsa_256.blob");
3366 EXPECT_EQ(270U, km1_sw.length());
3367
3368 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length()));
3369 memcpy(key_data, km1_sw.data(), km1_sw.length());
3370 set_key_blob(key_data, km1_sw.length());
3371
3372 string message(32, static_cast<char>(0xFF));
3373 string signature;
3374 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3375
3376 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3377 }
3378
3379 struct Malloc_Delete {
operator ()keymaster::test::Malloc_Delete3380 void operator()(void* p) { free(p); }
3381 };
3382
TEST_P(Keymaster0AdapterTest,OldSoftwareKeymaster0RsaBlob)3383 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) {
3384 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3385 string km0_sw = read_file("km0_sw_rsa_512.blob");
3386 EXPECT_EQ(333U, km0_sw.length());
3387
3388 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3389 memcpy(key_data, km0_sw.data(), km0_sw.length());
3390 set_key_blob(key_data, km0_sw.length());
3391
3392 string message(64, 'a');
3393 string signature;
3394 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3395
3396 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3397 }
3398
TEST_P(Keymaster0AdapterTest,OldSwKeymaster0RsaBlobGetCharacteristics)3399 TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) {
3400 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3401 string km0_sw = read_file("km0_sw_rsa_512.blob");
3402 EXPECT_EQ(333U, km0_sw.length());
3403
3404 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3405 memcpy(key_data, km0_sw.data(), km0_sw.length());
3406 set_key_blob(key_data, km0_sw.length());
3407
3408 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3409 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3410 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3411 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3412 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3413 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3414 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3415 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3416 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3417 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3418
3419 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3420 }
3421
TEST_P(Keymaster0AdapterTest,OldHwKeymaster0RsaBlob)3422 TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) {
3423 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3424 string km0_sw = read_file("km0_sw_rsa_512.blob");
3425 EXPECT_EQ(333U, km0_sw.length());
3426
3427 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3428 // be recognized as a software key. Do the same here to pretend this is a hardware key.
3429 EXPECT_EQ('P', km0_sw[0]);
3430 km0_sw[0] = 'Q';
3431
3432 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3433 memcpy(key_data, km0_sw.data(), km0_sw.length());
3434 set_key_blob(key_data, km0_sw.length());
3435
3436 string message(64, 'a');
3437 string signature;
3438 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
3439 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
3440
3441 EXPECT_EQ(5, GetParam()->keymaster0_calls());
3442 }
3443
TEST_P(Keymaster0AdapterTest,OldHwKeymaster0RsaBlobGetCharacteristics)3444 TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) {
3445 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data.
3446 string km0_sw = read_file("km0_sw_rsa_512.blob");
3447 EXPECT_EQ(333U, km0_sw.length());
3448
3449 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not
3450 // be recognized as a software key. Do the same here to pretend this is a hardware key.
3451 EXPECT_EQ('P', km0_sw[0]);
3452 km0_sw[0] = 'Q';
3453
3454 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length()));
3455 memcpy(key_data, km0_sw.data(), km0_sw.length());
3456 set_key_blob(key_data, km0_sw.length());
3457
3458 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics());
3459 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3460 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512));
3461 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3462 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3463 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5));
3464 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1));
3465 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224));
3466 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256));
3467 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384));
3468 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512));
3469 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE));
3470 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT));
3471 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN));
3472 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP));
3473 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS));
3474 EXPECT_EQ(15U, hw_enforced().size());
3475
3476 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN));
3477 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY));
3478 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS));
3479 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED));
3480
3481 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
3482 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512));
3483 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3));
3484 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE));
3485 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE));
3486
3487 EXPECT_EQ(1, GetParam()->keymaster0_calls());
3488 }
3489
3490 typedef Keymaster2Test AttestationTest;
3491 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params);
3492
parse_cert_blob(const keymaster_blob_t & blob)3493 static X509* parse_cert_blob(const keymaster_blob_t& blob) {
3494 const uint8_t* p = blob.data;
3495 return d2i_X509(nullptr, &p, blob.data_length);
3496 }
3497
verify_chain(const keymaster_cert_chain_t & chain)3498 static bool verify_chain(const keymaster_cert_chain_t& chain) {
3499 for (size_t i = 0; i < chain.entry_count - 1; ++i) {
3500 keymaster_blob_t& key_cert_blob = chain.entries[i];
3501 keymaster_blob_t& signing_cert_blob = chain.entries[i + 1];
3502
3503 X509_Ptr key_cert(parse_cert_blob(key_cert_blob));
3504 X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob));
3505 EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
3506 if (!key_cert.get() || !signing_cert.get())
3507 return false;
3508
3509 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
3510 EXPECT_TRUE(!!signing_pubkey.get());
3511 if (!signing_pubkey.get())
3512 return false;
3513
3514 EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
3515 << "Verification of certificate " << i << " failed";
3516 }
3517
3518 return true;
3519 }
3520
3521 // Extract attestation record from cert. Returned object is still part of cert; don't free it
3522 // separately.
get_attestation_record(X509 * certificate)3523 static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
3524 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
3525 EXPECT_TRUE(!!oid.get());
3526 if (!oid.get())
3527 return nullptr;
3528
3529 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
3530 EXPECT_NE(-1, location);
3531 if (location == -1)
3532 return nullptr;
3533
3534 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
3535 EXPECT_TRUE(!!attest_rec_ext);
3536 if (!attest_rec_ext)
3537 return nullptr;
3538
3539 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
3540 EXPECT_TRUE(!!attest_rec);
3541 return attest_rec;
3542 }
3543
verify_attestation_record(const string & challenge,AuthorizationSet expected_sw_enforced,AuthorizationSet expected_tee_enforced,uint32_t expected_keymaster_version,keymaster_security_level_t expected_keymaster_security_level,const keymaster_blob_t & attestation_cert)3544 static bool verify_attestation_record(const string& challenge,
3545 AuthorizationSet expected_sw_enforced,
3546 AuthorizationSet expected_tee_enforced,
3547 uint32_t expected_keymaster_version,
3548 keymaster_security_level_t expected_keymaster_security_level,
3549 const keymaster_blob_t& attestation_cert) {
3550
3551 X509_Ptr cert(parse_cert_blob(attestation_cert));
3552 EXPECT_TRUE(!!cert.get());
3553 if (!cert.get())
3554 return false;
3555
3556 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
3557 EXPECT_TRUE(!!attest_rec);
3558 if (!attest_rec)
3559 return false;
3560
3561 AuthorizationSet att_sw_enforced;
3562 AuthorizationSet att_tee_enforced;
3563 uint32_t att_attestation_version;
3564 uint32_t att_keymaster_version;
3565 keymaster_security_level_t att_attestation_security_level;
3566 keymaster_security_level_t att_keymaster_security_level;
3567 keymaster_blob_t att_challenge = {};
3568 keymaster_blob_t att_unique_id = {};
3569 EXPECT_EQ(KM_ERROR_OK, parse_attestation_record(
3570 attest_rec->data, attest_rec->length, &att_attestation_version,
3571 &att_attestation_security_level, &att_keymaster_version,
3572 &att_keymaster_security_level, &att_challenge, &att_sw_enforced,
3573 &att_tee_enforced, &att_unique_id));
3574
3575 EXPECT_EQ(1U, att_attestation_version);
3576 EXPECT_EQ(KM_SECURITY_LEVEL_SOFTWARE, att_attestation_security_level);
3577 EXPECT_EQ(expected_keymaster_version, att_keymaster_version);
3578 EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level);
3579
3580 EXPECT_EQ(challenge.length(), att_challenge.data_length);
3581 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length()));
3582
3583 // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in
3584 // attestations, since they're meaningless off-device.
3585 uint32_t user_id;
3586 if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id))
3587 att_sw_enforced.push_back(TAG_USER_ID, user_id);
3588 if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id))
3589 att_tee_enforced.push_back(TAG_USER_ID, user_id);
3590
3591 // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included
3592 // in the attestation.
3593 if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3594 att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3595 if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3596 att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3597
3598 att_sw_enforced.Sort();
3599 expected_sw_enforced.Sort();
3600 EXPECT_EQ(expected_sw_enforced, att_sw_enforced);
3601
3602 att_tee_enforced.Sort();
3603 expected_tee_enforced.Sort();
3604 EXPECT_EQ(expected_tee_enforced, att_tee_enforced);
3605
3606 return true;
3607 }
3608
TEST_P(AttestationTest,RsaAttestation)3609 TEST_P(AttestationTest, RsaAttestation) {
3610 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3611 .RsaSigningKey(256, 3)
3612 .Digest(KM_DIGEST_NONE)
3613 .Padding(KM_PAD_NONE)
3614 .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3615
3616 keymaster_cert_chain_t cert_chain;
3617 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3618 EXPECT_EQ(3U, cert_chain.entry_count);
3619 EXPECT_TRUE(verify_chain(cert_chain));
3620
3621 uint32_t expected_keymaster_version;
3622 keymaster_security_level_t expected_keymaster_security_level;
3623 // TODO(swillden): Add a test KM1 that claims to be hardware.
3624 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
3625 expected_keymaster_version = 0;
3626 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3627 } else {
3628 expected_keymaster_version = 2;
3629 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3630 }
3631
3632 EXPECT_TRUE(verify_attestation_record(
3633 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3634 expected_keymaster_security_level, cert_chain.entries[0]));
3635
3636 keymaster_free_cert_chain(&cert_chain);
3637 }
3638
TEST_P(AttestationTest,EcAttestation)3639 TEST_P(AttestationTest, EcAttestation) {
3640 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3641 KM_DIGEST_SHA_2_256)));
3642
3643 uint32_t expected_keymaster_version;
3644 keymaster_security_level_t expected_keymaster_security_level;
3645 // TODO(swillden): Add a test KM1 that claims to be hardware.
3646 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
3647 expected_keymaster_version = 0;
3648 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
3649 } else {
3650 expected_keymaster_version = 2;
3651 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3652 }
3653
3654 keymaster_cert_chain_t cert_chain;
3655 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", &cert_chain));
3656 EXPECT_EQ(3U, cert_chain.entry_count);
3657 EXPECT_TRUE(verify_chain(cert_chain));
3658 EXPECT_TRUE(verify_attestation_record(
3659 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version,
3660 expected_keymaster_security_level, cert_chain.entries[0]));
3661
3662 keymaster_free_cert_chain(&cert_chain);
3663 }
3664
3665 typedef Keymaster2Test KeyUpgradeTest;
3666 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params);
3667
TEST_P(KeyUpgradeTest,AesVersionUpgrade)3668 TEST_P(KeyUpgradeTest, AesVersionUpgrade) {
3669 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3670
3671 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3672 .AesEncryptionKey(128)
3673 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3674 .Padding(KM_PAD_NONE)));
3675
3676 // Key should operate fine.
3677 string message = "1234567890123456";
3678 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3679 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3680
3681 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3682 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3683 AuthorizationSet begin_params(client_params());
3684 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3685 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3686 if (GetParam()->is_keymaster1_hw()) {
3687 // Keymaster1 hardware can't support version binding. The key will work regardless
3688 // of system version. Just abort the remainder of the test.
3689 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3690 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3691 return;
3692 }
3693 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3694
3695 // Getting characteristics should also fail
3696 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3697
3698 // Upgrade key.
3699 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3700
3701 // Key should work again
3702 ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3703 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3704
3705 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3706 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3707 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3708 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3709
3710 // Upgrade should fail
3711 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3712
3713 EXPECT_EQ(0, GetParam()->keymaster0_calls());
3714 }
3715
TEST_P(KeyUpgradeTest,RsaVersionUpgrade)3716 TEST_P(KeyUpgradeTest, RsaVersionUpgrade) {
3717 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3718
3719 ASSERT_EQ(KM_ERROR_OK,
3720 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(128, 3).Padding(KM_PAD_NONE)));
3721
3722 // Key should operate fine.
3723 string message = "1234567890123456";
3724 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
3725 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3726
3727 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3728 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3729 AuthorizationSet begin_params(client_params());
3730 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3731 if (GetParam()->is_keymaster1_hw()) {
3732 // Keymaster1 hardware can't support version binding. The key will work regardless
3733 // of system version. Just abort the remainder of the test.
3734 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3735 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3736 return;
3737 }
3738 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3739
3740 // Getting characteristics should also fail
3741 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3742
3743 // Upgrade key.
3744 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3745
3746 // Key should work again
3747 ciphertext = EncryptMessage(message, KM_PAD_NONE);
3748 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3749
3750 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3751 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3752 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3753 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3754
3755 // Upgrade should fail
3756 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3757
3758 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
3759 EXPECT_EQ(7, GetParam()->keymaster0_calls());
3760 }
3761
TEST_P(KeyUpgradeTest,EcVersionUpgrade)3762 TEST_P(KeyUpgradeTest, EcVersionUpgrade) {
3763 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3764
3765 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3766 KM_DIGEST_SHA_2_256)));
3767
3768 // Key should operate fine.
3769 string message = "1234567890123456";
3770 string signature;
3771 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3772 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3773
3774 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3775 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3776 AuthorizationSet begin_params(client_params());
3777 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
3778 if (GetParam()->is_keymaster1_hw()) {
3779 // Keymaster1 hardware can't support version binding. The key will work regardless
3780 // of system version. Just abort the remainder of the test.
3781 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3782 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3783 return;
3784 }
3785 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3786
3787 // Getting characteristics should also fail
3788 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3789
3790 // Upgrade key.
3791 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3792
3793 // Key should work again
3794 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3795 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3796
3797 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3798 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3799 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3800 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3801
3802 // Upgrade should fail
3803 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3804
3805 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
3806 EXPECT_EQ(7, GetParam()->keymaster0_calls());
3807 }
3808
TEST(SoftKeymasterWrapperTest,CheckKeymaster2Device)3809 TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) {
3810 // Make a good fake device, and wrap it.
3811 SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext));
3812
3813 // Wrap it and check it.
3814 SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext));
3815 good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device());
3816 EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood());
3817
3818 // Close and clean up wrapper and wrapped
3819 good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device());
3820
3821 // Make a "bad" (doesn't support all digests) device;
3822 keymaster1_device_t* sha256_only_fake = make_device_sha256_only(
3823 (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device());
3824
3825 // Wrap it and check it.
3826 SoftKeymasterDevice* sha256_only_fake_wrapper(
3827 (new SoftKeymasterDevice(new TestKeymasterContext)));
3828 sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake);
3829 EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood());
3830
3831 // Close and clean up wrapper and wrapped
3832 sha256_only_fake_wrapper->keymaster_device()->common.close(
3833 sha256_only_fake_wrapper->hw_device());
3834 }
3835
3836 } // namespace test
3837 } // namespace keymaster
3838