1 /* 2 * Copyright 2013 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.keystore.cts; 18 19 import android.app.KeyguardManager; 20 import android.content.Context; 21 import android.security.KeyPairGeneratorSpec; 22 import android.security.KeyStoreParameter; 23 import android.security.keystore.KeyProperties; 24 import android.security.keystore.KeyProtection; 25 import android.test.AndroidTestCase; 26 import android.test.MoreAsserts; 27 import android.test.suitebuilder.annotation.LargeTest; 28 import android.util.Log; 29 30 import android.keystore.cts.R; 31 32 import java.io.ByteArrayInputStream; 33 import java.io.ByteArrayOutputStream; 34 import java.io.OutputStream; 35 import java.math.BigInteger; 36 import java.security.AlgorithmParameters; 37 import java.security.Key; 38 import java.security.KeyFactory; 39 import java.security.KeyPairGenerator; 40 import java.security.KeyStore; 41 import java.security.KeyStore.Entry; 42 import java.security.KeyStore.PrivateKeyEntry; 43 import java.security.KeyStore.TrustedCertificateEntry; 44 import java.security.KeyStoreException; 45 import java.security.PrivateKey; 46 import java.security.PublicKey; 47 import java.security.Signature; 48 import java.security.cert.Certificate; 49 import java.security.cert.CertificateFactory; 50 import java.security.interfaces.ECKey; 51 import java.security.interfaces.RSAKey; 52 import java.security.spec.PKCS8EncodedKeySpec; 
53 import java.util.ArrayList; 54 import java.util.Arrays; 55 import java.util.Calendar; 56 import java.util.Collection; 57 import java.util.Date; 58 import java.util.Enumeration; 59 import java.util.HashSet; 60 import java.util.Iterator; 61 import java.util.Set; 62 63 import javax.crypto.BadPaddingException; 64 import javax.crypto.Cipher; 65 import javax.crypto.Mac; 66 import javax.crypto.SecretKey; 67 import javax.security.auth.x500.X500Principal; 68 69 public class AndroidKeyStoreTest extends AndroidTestCase { 70 private static final String TAG = AndroidKeyStoreTest.class.getSimpleName(); 71 72 private KeyStore mKeyStore; 73 74 private static final String TEST_ALIAS_1 = "test1"; 75 76 private static final String TEST_ALIAS_2 = "test2"; 77 78 private static final String TEST_ALIAS_3 = "test3"; 79 80 /* 81 * The keys and certificates below are generated with: 82 * 83 * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem 84 * openssl req -newkey rsa:1024 -keyout userkey.pem -nodes -days 3650 -out userkey.req 85 * mkdir -p demoCA/newcerts 86 * touch demoCA/index.txt 87 * echo "01" > demoCA/serial 88 * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650 * * Test fixtures only: rsa:1024 and the sha1WithRSAEncryption signature algorithm encoded in the DER below are too weak for real use, and -nodes leaves userkey.pem unencrypted, so do not reuse these commands or this material outside tests. 89 */ 90 91 /** 92 * Generated from above and converted with: 93 * 94 * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g' * * The encoded validity is UTCTime 120814165544Z to 220812165544Z, so after 2022-08-12 a validity check against the current date rejects this certificate. 95 */ 96 private static final byte[] FAKE_RSA_CA_1 = { 97 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0xce, (byte) 0x30, (byte) 0x82, 98 (byte) 0x02, (byte) 0x37, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 99 (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0x6a, 100 (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, (byte) 0x55, (byte) 0x48, (byte) 0x0a, 101 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 102 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 103 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 
0x4f, (byte) 0x31, 104 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 105 (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, 106 (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, 107 (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, 108 (byte) 0x41, (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, 109 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, 110 (byte) 0x4d, (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, 111 (byte) 0x69, (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, 112 (byte) 0x77, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, 113 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, 114 (byte) 0x41, (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, 115 (byte) 0x64, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, 116 (byte) 0x20, (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, 117 (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, 118 (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x34, (byte) 0x31, (byte) 0x36, 119 (byte) 0x35, (byte) 0x35, (byte) 0x34, (byte) 0x34, (byte) 0x5a, (byte) 0x17, 120 (byte) 0x0d, (byte) 0x32, (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, 121 (byte) 0x32, (byte) 0x31, (byte) 0x36, (byte) 0x35, (byte) 0x35, (byte) 0x34, 122 (byte) 0x34, (byte) 0x5a, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, 123 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 124 (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, 125 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 126 (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, 127 (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, 128 (byte) 
0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, 129 (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, 130 (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, 131 (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, 132 (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, 133 (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, 134 (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, 135 (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30, 136 (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, 137 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, 138 (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, 139 (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, 140 (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa3, (byte) 0x72, 141 (byte) 0xab, (byte) 0xd0, (byte) 0xe4, (byte) 0xad, (byte) 0x2f, (byte) 0xe7, 142 (byte) 0xe2, (byte) 0x79, (byte) 0x07, (byte) 0x36, (byte) 0x3d, (byte) 0x0c, 143 (byte) 0x8d, (byte) 0x42, (byte) 0x9a, (byte) 0x0a, (byte) 0x33, (byte) 0x64, 144 (byte) 0xb3, (byte) 0xcd, (byte) 0xb2, (byte) 0xd7, (byte) 0x3a, (byte) 0x42, 145 (byte) 0x06, (byte) 0x77, (byte) 0x45, (byte) 0x29, (byte) 0xe9, (byte) 0xcb, 146 (byte) 0xb7, (byte) 0x4a, (byte) 0xd6, (byte) 0xee, (byte) 0xad, (byte) 0x01, 147 (byte) 0x91, (byte) 0x9b, (byte) 0x0c, (byte) 0x59, (byte) 0xa1, (byte) 0x03, 148 (byte) 0xfa, (byte) 0xf0, (byte) 0x5a, (byte) 0x7c, (byte) 0x4f, (byte) 0xf7, 149 (byte) 0x8d, (byte) 0x36, (byte) 0x0f, (byte) 0x1f, (byte) 0x45, (byte) 0x7d, 150 (byte) 0x1b, (byte) 0x31, (byte) 0xa1, (byte) 0x35, (byte) 0x0b, (byte) 0x00, 151 (byte) 0xed, (byte) 0x7a, (byte) 0xb6, (byte) 0xc8, (byte) 0x4e, (byte) 0xa9, 152 (byte) 0x86, (byte) 0x4c, (byte) 0x7b, 
(byte) 0x99, (byte) 0x57, (byte) 0x41, 153 (byte) 0x12, (byte) 0xef, (byte) 0x6b, (byte) 0xbc, (byte) 0x3d, (byte) 0x60, 154 (byte) 0xf2, (byte) 0x99, (byte) 0x1a, (byte) 0xcd, (byte) 0xed, (byte) 0x56, 155 (byte) 0xa4, (byte) 0xe5, (byte) 0x36, (byte) 0x9f, (byte) 0x24, (byte) 0x1f, 156 (byte) 0xdc, (byte) 0x89, (byte) 0x40, (byte) 0xc8, (byte) 0x99, (byte) 0x92, 157 (byte) 0xab, (byte) 0x4a, (byte) 0xb5, (byte) 0x61, (byte) 0x45, (byte) 0x62, 158 (byte) 0xff, (byte) 0xa3, (byte) 0x45, (byte) 0x65, (byte) 0xaf, (byte) 0xf6, 159 (byte) 0x27, (byte) 0x30, (byte) 0x51, (byte) 0x0e, (byte) 0x0e, (byte) 0xeb, 160 (byte) 0x79, (byte) 0x0c, (byte) 0xbe, (byte) 0xb3, (byte) 0x0a, (byte) 0x6f, 161 (byte) 0x29, (byte) 0x06, (byte) 0xdc, (byte) 0x2f, (byte) 0x6b, (byte) 0x51, 162 (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, 163 (byte) 0x81, (byte) 0xb1, (byte) 0x30, (byte) 0x81, (byte) 0xae, (byte) 0x30, 164 (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, 165 (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x33, (byte) 0x05, 166 (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, (byte) 0xc7, (byte) 0xf9, 167 (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, 168 (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, (byte) 0x5d, (byte) 0x51, 169 (byte) 0x30, (byte) 0x7f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 170 (byte) 0x23, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x80, 171 (byte) 0x14, (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, 172 (byte) 0x60, (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, 173 (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, 174 (byte) 0x8e, (byte) 0x5d, (byte) 0x51, (byte) 0xa1, (byte) 0x53, (byte) 0xa4, 175 (byte) 0x51, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 176 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
(byte) 0x06, 177 (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, 178 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 179 (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, 180 (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55, 181 (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f, 182 (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e, 183 (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31, 184 (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, 185 (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, 186 (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, 187 (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, 188 (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x82, (byte) 0x09, 189 (byte) 0x00, (byte) 0xe1, (byte) 0x6a, (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, 190 (byte) 0x55, (byte) 0x48, (byte) 0x0a, (byte) 0x30, (byte) 0x0c, (byte) 0x06, 191 (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05, 192 (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30, 193 (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, 194 (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, 195 (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00, 196 (byte) 0x8c, (byte) 0x30, (byte) 0x42, (byte) 0xfa, (byte) 0xeb, (byte) 0x1a, 197 (byte) 0x26, (byte) 0xeb, (byte) 0xda, (byte) 0x56, (byte) 0x32, (byte) 0xf2, 198 (byte) 0x9d, (byte) 0xa5, (byte) 0x24, (byte) 0xd8, (byte) 0x3a, (byte) 0xda, 199 (byte) 0x30, (byte) 0xa6, (byte) 0x8b, (byte) 0x46, (byte) 0xfe, (byte) 0xfe, 200 (byte) 0xdb, (byte) 0xf1, (byte) 0xe6, (byte) 0xe1, (byte) 0x7c, (byte) 0x1b, 201 (byte) 0xe7, 
(byte) 0x77, (byte) 0x00, (byte) 0xa1, (byte) 0x1c, (byte) 0x19, 202 (byte) 0x17, (byte) 0x73, (byte) 0xb0, (byte) 0xf0, (byte) 0x9d, (byte) 0xf3, 203 (byte) 0x4f, (byte) 0xb6, (byte) 0xbc, (byte) 0xc7, (byte) 0x47, (byte) 0x85, 204 (byte) 0x2a, (byte) 0x4a, (byte) 0xa1, (byte) 0xa5, (byte) 0x58, (byte) 0xf5, 205 (byte) 0xc5, (byte) 0x1a, (byte) 0x51, (byte) 0xb1, (byte) 0x04, (byte) 0x80, 206 (byte) 0xee, (byte) 0x3a, (byte) 0xec, (byte) 0x2f, (byte) 0xe1, (byte) 0xfd, 207 (byte) 0x58, (byte) 0xeb, (byte) 0xed, (byte) 0x82, (byte) 0x9e, (byte) 0x38, 208 (byte) 0xa3, (byte) 0x24, (byte) 0x75, (byte) 0xf7, (byte) 0x3e, (byte) 0xc2, 209 (byte) 0xc5, (byte) 0x27, (byte) 0xeb, (byte) 0x6f, (byte) 0x7b, (byte) 0x50, 210 (byte) 0xda, (byte) 0x43, (byte) 0xdc, (byte) 0x3b, (byte) 0x0b, (byte) 0x6f, 211 (byte) 0x78, (byte) 0x8f, (byte) 0xb0, (byte) 0x66, (byte) 0xe1, (byte) 0x12, 212 (byte) 0x87, (byte) 0x5f, (byte) 0x97, (byte) 0x7b, (byte) 0xca, (byte) 0x14, 213 (byte) 0x79, (byte) 0xf7, (byte) 0xe8, (byte) 0x6c, (byte) 0x72, (byte) 0xdb, 214 (byte) 0x91, (byte) 0x65, (byte) 0x17, (byte) 0x54, (byte) 0xe0, (byte) 0x74, 215 (byte) 0x1d, (byte) 0xac, (byte) 0x47, (byte) 0x04, (byte) 0x12, (byte) 0xe0, 216 (byte) 0xc3, (byte) 0x66, (byte) 0x19, (byte) 0x05, (byte) 0x2e, (byte) 0x7e, 217 (byte) 0xf1, (byte) 0x61 218 }; 219 220 /** 221 * Generated from above and converted with: 222 * 223 * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g' * * Unencrypted PKCS#8 private key (-nocrypt) for the FAKE_RSA_USER_1 certificate, which carries the same modulus. Because it is published in source it is a test vector only and must never protect real data. 224 */ 225 private static final byte[] FAKE_RSA_KEY_1 = new byte[] { 226 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x78, (byte) 0x02, (byte) 0x01, 227 (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 228 (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, 229 (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x82, 230 (byte) 0x02, (byte) 0x62, (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x5e, 231 (byte) 0x02, (byte) 
0x01, (byte) 0x00, (byte) 0x02, (byte) 0x81, (byte) 0x81, 232 (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, (byte) 0x5b, 233 (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, (byte) 0x66, 234 (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, (byte) 0x8a, 235 (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, (byte) 0x02, 236 (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, (byte) 0xf3, 237 (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, (byte) 0x6d, 238 (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, (byte) 0x67, 239 (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, (byte) 0xcb, 240 (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, (byte) 0xe2, 241 (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, (byte) 0x79, 242 (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, (byte) 0xce, 243 (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, (byte) 0x08, 244 (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, (byte) 0x3b, 245 (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, (byte) 0xc4, 246 (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, (byte) 0x0d, 247 (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, (byte) 0x23, 248 (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, (byte) 0x08, 249 (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, (byte) 0xf1, 250 (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, (byte) 0xb4, 251 (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, (byte) 0x16, 252 (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, (byte) 0x9e, 253 (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, (byte) 0x01, 254 (byte) 0x00, (byte) 0x01, (byte) 0x02, (byte) 0x81, (byte) 0x80, (byte) 0x16, 255 (byte) 0x59, (byte) 0xc3, (byte) 0x24, (byte) 0x1d, 
(byte) 0x33, (byte) 0x98, 256 (byte) 0x9c, (byte) 0xc9, (byte) 0xc8, (byte) 0x2c, (byte) 0x88, (byte) 0xbf, 257 (byte) 0x0a, (byte) 0x01, (byte) 0xce, (byte) 0xfb, (byte) 0x34, (byte) 0x7a, 258 (byte) 0x58, (byte) 0x7a, (byte) 0xb0, (byte) 0xbf, (byte) 0xa6, (byte) 0xb2, 259 (byte) 0x60, (byte) 0xbe, (byte) 0x70, (byte) 0x21, (byte) 0xf5, (byte) 0xfc, 260 (byte) 0x85, (byte) 0x0d, (byte) 0x33, (byte) 0x58, (byte) 0xa1, (byte) 0xe5, 261 (byte) 0x09, (byte) 0x36, (byte) 0x84, (byte) 0xb2, (byte) 0x04, (byte) 0x0a, 262 (byte) 0x02, (byte) 0xd3, (byte) 0x88, (byte) 0x1f, (byte) 0x0c, (byte) 0x2b, 263 (byte) 0x1d, (byte) 0xe9, (byte) 0x3d, (byte) 0xe7, (byte) 0x79, (byte) 0xf9, 264 (byte) 0x32, (byte) 0x5c, (byte) 0x8a, (byte) 0x75, (byte) 0x49, (byte) 0x12, 265 (byte) 0xe4, (byte) 0x05, (byte) 0x26, (byte) 0xd4, (byte) 0x2e, (byte) 0x9e, 266 (byte) 0x1f, (byte) 0xcc, (byte) 0x54, (byte) 0xad, (byte) 0x33, (byte) 0x8d, 267 (byte) 0x99, (byte) 0x00, (byte) 0xdc, (byte) 0xf5, (byte) 0xb4, (byte) 0xa2, 268 (byte) 0x2f, (byte) 0xba, (byte) 0xe5, (byte) 0x62, (byte) 0x30, (byte) 0x6d, 269 (byte) 0xe6, (byte) 0x3d, (byte) 0xeb, (byte) 0x24, (byte) 0xc2, (byte) 0xdc, 270 (byte) 0x5f, (byte) 0xb7, (byte) 0x16, (byte) 0x35, (byte) 0xa3, (byte) 0x98, 271 (byte) 0x98, (byte) 0xa8, (byte) 0xef, (byte) 0xe8, (byte) 0xc4, (byte) 0x96, 272 (byte) 0x6d, (byte) 0x38, (byte) 0xab, (byte) 0x26, (byte) 0x6d, (byte) 0x30, 273 (byte) 0xc2, (byte) 0xa0, (byte) 0x44, (byte) 0xe4, (byte) 0xff, (byte) 0x7e, 274 (byte) 0xbe, (byte) 0x7c, (byte) 0x33, (byte) 0xa5, (byte) 0x10, (byte) 0xad, 275 (byte) 0xd7, (byte) 0x1e, (byte) 0x13, (byte) 0x20, (byte) 0xb3, (byte) 0x1f, 276 (byte) 0x41, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xf1, (byte) 0x89, 277 (byte) 0x07, (byte) 0x0f, (byte) 0xe8, (byte) 0xcf, (byte) 0xab, (byte) 0x13, 278 (byte) 0x2a, (byte) 0x8f, (byte) 0x88, (byte) 0x80, (byte) 0x11, (byte) 0x9a, 279 (byte) 0x79, (byte) 0xb6, (byte) 0x59, (byte) 0x3a, (byte) 0x50, (byte) 0x6e, 280 
(byte) 0x57, (byte) 0x37, (byte) 0xab, (byte) 0x2a, (byte) 0xd2, (byte) 0xaa, 281 (byte) 0xd9, (byte) 0x72, (byte) 0x73, (byte) 0xff, (byte) 0x8b, (byte) 0x47, 282 (byte) 0x76, (byte) 0xdd, (byte) 0xdc, (byte) 0xf5, (byte) 0x97, (byte) 0x44, 283 (byte) 0x3a, (byte) 0x78, (byte) 0xbe, (byte) 0x17, (byte) 0xb4, (byte) 0x22, 284 (byte) 0x6f, (byte) 0xe5, (byte) 0x23, (byte) 0x70, (byte) 0x1d, (byte) 0x10, 285 (byte) 0x5d, (byte) 0xba, (byte) 0x16, (byte) 0x81, (byte) 0xf1, (byte) 0x45, 286 (byte) 0xce, (byte) 0x30, (byte) 0xb4, (byte) 0xab, (byte) 0x80, (byte) 0xe4, 287 (byte) 0x98, (byte) 0x31, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xda, 288 (byte) 0x82, (byte) 0x9d, (byte) 0x3f, (byte) 0xca, (byte) 0x2f, (byte) 0xe1, 289 (byte) 0xd4, (byte) 0x86, (byte) 0x77, (byte) 0x48, (byte) 0xa6, (byte) 0xab, 290 (byte) 0xab, (byte) 0x1c, (byte) 0x42, (byte) 0x5c, (byte) 0xd5, (byte) 0xc7, 291 (byte) 0x46, (byte) 0x59, (byte) 0x91, (byte) 0x3f, (byte) 0xfc, (byte) 0xcc, 292 (byte) 0xec, (byte) 0xc2, (byte) 0x40, (byte) 0x12, (byte) 0x2c, (byte) 0x8d, 293 (byte) 0x1f, (byte) 0xa2, (byte) 0x18, (byte) 0x88, (byte) 0xee, (byte) 0x82, 294 (byte) 0x4a, (byte) 0x5a, (byte) 0x5e, (byte) 0x88, (byte) 0x20, (byte) 0xe3, 295 (byte) 0x7b, (byte) 0xe0, (byte) 0xd8, (byte) 0x3a, (byte) 0x52, (byte) 0x9a, 296 (byte) 0x26, (byte) 0x6a, (byte) 0x04, (byte) 0xec, (byte) 0xe8, (byte) 0xb9, 297 (byte) 0x48, (byte) 0x40, (byte) 0xe1, (byte) 0xe1, (byte) 0x83, (byte) 0xa6, 298 (byte) 0x67, (byte) 0xa6, (byte) 0xfd, (byte) 0x02, (byte) 0x41, (byte) 0x00, 299 (byte) 0x89, (byte) 0x72, (byte) 0x3e, (byte) 0xb0, (byte) 0x90, (byte) 0xfd, 300 (byte) 0x4c, (byte) 0x0e, (byte) 0xd6, (byte) 0x13, (byte) 0x63, (byte) 0xcb, 301 (byte) 0xed, (byte) 0x38, (byte) 0x88, (byte) 0xb6, (byte) 0x79, (byte) 0xc4, 302 (byte) 0x33, (byte) 0x6c, (byte) 0xf6, (byte) 0xf8, (byte) 0xd8, (byte) 0xd0, 303 (byte) 0xbf, (byte) 0x9d, (byte) 0x35, (byte) 0xac, (byte) 0x69, (byte) 0xd2, 304 (byte) 0x2b, (byte) 0xc1, 
(byte) 0xf9, (byte) 0x24, (byte) 0x7b, (byte) 0xce, 305 (byte) 0xcd, (byte) 0xcb, (byte) 0xa7, (byte) 0xb2, (byte) 0x7a, (byte) 0x0a, 306 (byte) 0x27, (byte) 0x19, (byte) 0xc9, (byte) 0xaf, (byte) 0x0d, (byte) 0x21, 307 (byte) 0x89, (byte) 0x88, (byte) 0x7c, (byte) 0xad, (byte) 0x9e, (byte) 0x8d, 308 (byte) 0x47, (byte) 0x6d, (byte) 0x3f, (byte) 0xce, (byte) 0x7b, (byte) 0xa1, 309 (byte) 0x74, (byte) 0xf1, (byte) 0xa0, (byte) 0xa1, (byte) 0x02, (byte) 0x41, 310 (byte) 0x00, (byte) 0xd9, (byte) 0xa8, (byte) 0xf5, (byte) 0xfe, (byte) 0xce, 311 (byte) 0xe6, (byte) 0x77, (byte) 0x6b, (byte) 0xfe, (byte) 0x2d, (byte) 0xe0, 312 (byte) 0x1e, (byte) 0xb6, (byte) 0x2e, (byte) 0x12, (byte) 0x4e, (byte) 0x40, 313 (byte) 0xaf, (byte) 0x6a, (byte) 0x7b, (byte) 0x37, (byte) 0x49, (byte) 0x2a, 314 (byte) 0x96, (byte) 0x25, (byte) 0x83, (byte) 0x49, (byte) 0xd4, (byte) 0x0c, 315 (byte) 0xc6, (byte) 0x78, (byte) 0x25, (byte) 0x24, (byte) 0x90, (byte) 0x90, 316 (byte) 0x06, (byte) 0x15, (byte) 0x9e, (byte) 0xfe, (byte) 0xf9, (byte) 0xdf, 317 (byte) 0x5b, (byte) 0xf3, (byte) 0x7e, (byte) 0x38, (byte) 0x70, (byte) 0xeb, 318 (byte) 0x57, (byte) 0xd0, (byte) 0xd9, (byte) 0xa7, (byte) 0x0e, (byte) 0x14, 319 (byte) 0xf7, (byte) 0x95, (byte) 0x68, (byte) 0xd5, (byte) 0xc8, (byte) 0xab, 320 (byte) 0x9d, (byte) 0x3a, (byte) 0x2b, (byte) 0x51, (byte) 0xf9, (byte) 0x02, 321 (byte) 0x41, (byte) 0x00, (byte) 0x96, (byte) 0xdf, (byte) 0xe9, (byte) 0x67, 322 (byte) 0x6c, (byte) 0xdc, (byte) 0x90, (byte) 0x14, (byte) 0xb4, (byte) 0x1d, 323 (byte) 0x22, (byte) 0x33, (byte) 0x4a, (byte) 0x31, (byte) 0xc1, (byte) 0x9d, 324 (byte) 0x2e, (byte) 0xff, (byte) 0x9a, (byte) 0x2a, (byte) 0x95, (byte) 0x4b, 325 (byte) 0x27, (byte) 0x74, (byte) 0xcb, (byte) 0x21, (byte) 0xc3, (byte) 0xd2, 326 (byte) 0x0b, (byte) 0xb2, (byte) 0x46, (byte) 0x87, (byte) 0xf8, (byte) 0x28, 327 (byte) 0x01, (byte) 0x8b, (byte) 0xd8, (byte) 0xb9, (byte) 0x4b, (byte) 0xcd, 328 (byte) 0x9a, (byte) 0x96, (byte) 0x41, (byte) 0x0e, 
(byte) 0x36, (byte) 0x6d, 329 (byte) 0x40, (byte) 0x42, (byte) 0xbc, (byte) 0xd9, (byte) 0xd3, (byte) 0x7b, 330 (byte) 0xbc, (byte) 0xa7, (byte) 0x92, (byte) 0x90, (byte) 0xdd, (byte) 0xa1, 331 (byte) 0x9c, (byte) 0xce, (byte) 0xa1, (byte) 0x87, (byte) 0x11, (byte) 0x51 332 }; 333 334 /** 335 * Generated from above and converted with: 336 * 337 * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 338 */ 339 private static final byte[] FAKE_RSA_USER_1 = new byte[] { 340 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x95, (byte) 0x30, (byte) 0x82, 341 (byte) 0x01, (byte) 0xfe, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 342 (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d, 343 (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, 344 (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 345 (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 346 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 347 (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, 348 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 349 (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, 350 (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55, 351 (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f, 352 (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e, 353 (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31, 354 (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, 355 (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, 356 (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, 357 (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, 358 (byte) 0x61, (byte) 0x73, 
(byte) 0x65, (byte) 0x73, (byte) 0x30, (byte) 0x1e, 359 (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x38, 360 (byte) 0x31, (byte) 0x34, (byte) 0x32, (byte) 0x33, (byte) 0x32, (byte) 0x35, 361 (byte) 0x34, (byte) 0x38, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, 362 (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x32, (byte) 0x32, 363 (byte) 0x33, (byte) 0x32, (byte) 0x35, (byte) 0x34, (byte) 0x38, (byte) 0x5a, 364 (byte) 0x30, (byte) 0x55, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 365 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, 366 (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 367 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, 368 (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, (byte) 0x1b, 369 (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 370 (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, (byte) 0x64, 371 (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, (byte) 0x54, 372 (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, (byte) 0x61, 373 (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x31, (byte) 0x1c, (byte) 0x30, 374 (byte) 0x1a, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, 375 (byte) 0x13, (byte) 0x13, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, 376 (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x2e, (byte) 0x65, (byte) 0x78, 377 (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x65, (byte) 0x2e, 378 (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30, (byte) 0x81, (byte) 0x9f, 379 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 380 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 381 (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d, 382 (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, 
(byte) 0x02, (byte) 0x81, 383 (byte) 0x81, (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, 384 (byte) 0x5b, (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, 385 (byte) 0x66, (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, 386 (byte) 0x8a, (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, 387 (byte) 0x02, (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, 388 (byte) 0xf3, (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, 389 (byte) 0x6d, (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, 390 (byte) 0x67, (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, 391 (byte) 0xcb, (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, 392 (byte) 0xe2, (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, 393 (byte) 0x79, (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, 394 (byte) 0xce, (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, 395 (byte) 0x08, (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, 396 (byte) 0x3b, (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, 397 (byte) 0xc4, (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, 398 (byte) 0x0d, (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, 399 (byte) 0x23, (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, 400 (byte) 0x08, (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, 401 (byte) 0xf1, (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, 402 (byte) 0xb4, (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, 403 (byte) 0x16, (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, 404 (byte) 0x9e, (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, 405 (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x7b, (byte) 0x30, 406 (byte) 0x79, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 407 
(byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, 408 (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86, 409 (byte) 0x48, (byte) 0x01, (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01, 410 (byte) 0x0d, (byte) 0x04, (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f, 411 (byte) 0x70, (byte) 0x65, (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c, 412 (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72, 413 (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43, 414 (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, 415 (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d, 416 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, 417 (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x32, (byte) 0xa1, (byte) 0x1e, 418 (byte) 0x6b, (byte) 0x69, (byte) 0x04, (byte) 0xfe, (byte) 0xb3, (byte) 0xcd, 419 (byte) 0xf8, (byte) 0xbb, (byte) 0x14, (byte) 0xcd, (byte) 0xff, (byte) 0xd4, 420 (byte) 0x16, (byte) 0xc3, (byte) 0xab, (byte) 0x44, (byte) 0x2f, (byte) 0x30, 421 (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, 422 (byte) 0x04, (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, 423 (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, 424 (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, 425 (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, 426 (byte) 0x5d, (byte) 0x51, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, 427 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, 428 (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, 429 (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x46, (byte) 0x42, (byte) 0xef, 430 (byte) 0x56, (byte) 0x89, (byte) 0x78, (byte) 0x90, (byte) 0x38, (byte) 0x24, 431 (byte) 0x9f, (byte) 0x8c, 
(byte) 0x7a, (byte) 0xce, (byte) 0x7a, (byte) 0xa5, 432 (byte) 0xb5, (byte) 0x1e, (byte) 0x74, (byte) 0x96, (byte) 0x34, (byte) 0x49, 433 (byte) 0x8b, (byte) 0xed, (byte) 0x44, (byte) 0xb3, (byte) 0xc9, (byte) 0x05, 434 (byte) 0xd7, (byte) 0x48, (byte) 0x55, (byte) 0x52, (byte) 0x59, (byte) 0x15, 435 (byte) 0x0b, (byte) 0xaa, (byte) 0x16, (byte) 0x86, (byte) 0xd2, (byte) 0x8e, 436 (byte) 0x16, (byte) 0x99, (byte) 0xe8, (byte) 0x5f, (byte) 0x11, (byte) 0x71, 437 (byte) 0x42, (byte) 0x55, (byte) 0xd1, (byte) 0xc4, (byte) 0x6f, (byte) 0x2e, 438 (byte) 0xa9, (byte) 0x64, (byte) 0x6f, (byte) 0xd8, (byte) 0xfd, (byte) 0x43, 439 (byte) 0x13, (byte) 0x24, (byte) 0xaa, (byte) 0x67, (byte) 0xe6, (byte) 0xf5, 440 (byte) 0xca, (byte) 0x80, (byte) 0x5e, (byte) 0x3a, (byte) 0x3e, (byte) 0xcc, 441 (byte) 0x4f, (byte) 0xba, (byte) 0x87, (byte) 0xe6, (byte) 0xae, (byte) 0xbf, 442 (byte) 0x8f, (byte) 0xd5, (byte) 0x28, (byte) 0x38, (byte) 0x58, (byte) 0x30, 443 (byte) 0x24, (byte) 0xf6, (byte) 0x53, (byte) 0x5b, (byte) 0x41, (byte) 0x53, 444 (byte) 0xe6, (byte) 0x45, (byte) 0xbc, (byte) 0xbe, (byte) 0xe6, (byte) 0xbb, 445 (byte) 0x5d, (byte) 0xd8, (byte) 0xa7, (byte) 0xf9, (byte) 0x64, (byte) 0x99, 446 (byte) 0x04, (byte) 0x43, (byte) 0x75, (byte) 0xd7, (byte) 0x2d, (byte) 0x32, 447 (byte) 0x0a, (byte) 0x94, (byte) 0xaf, (byte) 0x06, (byte) 0x34, (byte) 0xae, 448 (byte) 0x46, (byte) 0xbd, (byte) 0xda, (byte) 0x00, (byte) 0x0e, (byte) 0x25, 449 (byte) 0xc2, (byte) 0xf7, (byte) 0xc9, (byte) 0xc3, (byte) 0x65, (byte) 0xd2, 450 (byte) 0x08, (byte) 0x41, (byte) 0x0a, (byte) 0xf3, (byte) 0x72 451 }; 452 453 /* 454 * The keys and certificates below are generated with: 455 * 456 * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem 457 * openssl ecparam -name prime256v1 -out ecparam.pem 458 * openssl req -newkey ec:ecparam.pem -keyout userkey.pem -nodes -days 3650 -out userkey.req 459 * mkdir -p demoCA/newcerts 460 * touch demoCA/index.txt 461 * echo "01" > 
demoCA/serial 462 * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650 463 */ 464 465 /** 466 * Generated from above and converted with: 467 * 468 * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 469 */ 470 private static final byte[] FAKE_EC_CA_1 = { 471 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x58, (byte) 0x30, (byte) 0x82, 472 (byte) 0x01, (byte) 0xc1, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 473 (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0xb2, 474 (byte) 0x8c, (byte) 0x04, (byte) 0x95, (byte) 0xeb, (byte) 0x10, (byte) 0xcb, 475 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 476 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 477 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31, 478 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 479 (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, 480 (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, 481 (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, 482 (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, 483 (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, 484 (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, 485 (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, 486 (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, 487 (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, 488 (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, 489 (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, 490 (byte) 0x31, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37, 491 (byte) 0x31, (byte) 0x36, (byte) 
0x32, (byte) 0x38, (byte) 0x32, (byte) 0x38, 492 (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30, 493 (byte) 0x38, (byte) 0x32, (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x32, 494 (byte) 0x38, (byte) 0x32, (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x45, 495 (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, 496 (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 497 (byte) 0x55, (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, 498 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, 499 (byte) 0x53, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, 500 (byte) 0x74, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, 501 (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 502 (byte) 0x0a, (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, 503 (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, 504 (byte) 0x57, (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, 505 (byte) 0x73, (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, 506 (byte) 0x4c, (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x81, (byte) 0x9f, 507 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 508 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 509 (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d, 510 (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81, 511 (byte) 0x81, (byte) 0x00, (byte) 0xb5, (byte) 0xf6, (byte) 0x08, (byte) 0x0f, 512 (byte) 0xc4, (byte) 0x4d, (byte) 0xe4, (byte) 0x0d, (byte) 0x34, (byte) 0x1d, 513 (byte) 0xe2, (byte) 0x23, (byte) 0x18, (byte) 0x63, (byte) 0x03, (byte) 0xf7, 514 (byte) 0x14, (byte) 0x0e, (byte) 0x98, (byte) 0xcd, (byte) 0x45, (byte) 0x1f, 515 (byte) 0xfe, (byte) 0xfb, (byte) 0x09, (byte) 0x3f, (byte) 0x5d, 
(byte) 0x36, 516 (byte) 0x3b, (byte) 0x0f, (byte) 0xf9, (byte) 0x5e, (byte) 0x86, (byte) 0x56, 517 (byte) 0x64, (byte) 0xd7, (byte) 0x3f, (byte) 0xae, (byte) 0x33, (byte) 0x09, 518 (byte) 0xd3, (byte) 0xdd, (byte) 0x06, (byte) 0x17, (byte) 0x26, (byte) 0xdc, 519 (byte) 0xa2, (byte) 0x8c, (byte) 0x3c, (byte) 0x65, (byte) 0xed, (byte) 0x03, 520 (byte) 0x82, (byte) 0x78, (byte) 0x9b, (byte) 0xee, (byte) 0xe3, (byte) 0x98, 521 (byte) 0x58, (byte) 0xe1, (byte) 0xf1, (byte) 0xa0, (byte) 0x85, (byte) 0xae, 522 (byte) 0x63, (byte) 0x84, (byte) 0x41, (byte) 0x46, (byte) 0xa7, (byte) 0x4f, 523 (byte) 0xdc, (byte) 0xbb, (byte) 0x1c, (byte) 0x6e, (byte) 0xec, (byte) 0x7b, 524 (byte) 0xd5, (byte) 0xab, (byte) 0x3d, (byte) 0x6a, (byte) 0x05, (byte) 0x58, 525 (byte) 0x0f, (byte) 0x9b, (byte) 0x6a, (byte) 0x67, (byte) 0x4b, (byte) 0xe9, 526 (byte) 0x2a, (byte) 0x6d, (byte) 0x96, (byte) 0x11, (byte) 0x53, (byte) 0x95, 527 (byte) 0x78, (byte) 0xaa, (byte) 0xd1, (byte) 0x91, (byte) 0x4a, (byte) 0xf8, 528 (byte) 0x54, (byte) 0x52, (byte) 0x6d, (byte) 0xb9, (byte) 0xca, (byte) 0x74, 529 (byte) 0x81, (byte) 0xf8, (byte) 0x99, (byte) 0x64, (byte) 0xd1, (byte) 0x4f, 530 (byte) 0x01, (byte) 0x38, (byte) 0x4f, (byte) 0x08, (byte) 0x5c, (byte) 0x31, 531 (byte) 0xcb, (byte) 0x7c, (byte) 0x5c, (byte) 0x78, (byte) 0x5d, (byte) 0x47, 532 (byte) 0xd9, (byte) 0xf0, (byte) 0x1a, (byte) 0xeb, (byte) 0x02, (byte) 0x03, 533 (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x50, (byte) 0x30, 534 (byte) 0x4e, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, 535 (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, 536 (byte) 0x5f, (byte) 0x5b, (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa, 537 (byte) 0xa1, (byte) 0x9f, (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1, 538 (byte) 0xbc, (byte) 0x20, (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, 539 (byte) 0xfa, (byte) 0xe3, (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, 540 (byte) 0x55, 
(byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18, (byte) 0x30, 541 (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b, (byte) 0x5e, 542 (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f, (byte) 0x9e, 543 (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20, (byte) 0x72, 544 (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3, (byte) 0x30, 545 (byte) 0x0c, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, 546 (byte) 0x04, (byte) 0x05, (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, 547 (byte) 0xff, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 548 (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, 549 (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, 550 (byte) 0x81, (byte) 0x00, (byte) 0xa1, (byte) 0x4a, (byte) 0xe6, (byte) 0xfc, 551 (byte) 0x7f, (byte) 0x17, (byte) 0xaa, (byte) 0x65, (byte) 0x4a, (byte) 0x34, 552 (byte) 0xde, (byte) 0x69, (byte) 0x67, (byte) 0x54, (byte) 0x4d, (byte) 0xa2, 553 (byte) 0xc2, (byte) 0x98, (byte) 0x02, (byte) 0x43, (byte) 0x6a, (byte) 0x0e, 554 (byte) 0x0b, (byte) 0x7f, (byte) 0xa4, (byte) 0x46, (byte) 0xaf, (byte) 0xa4, 555 (byte) 0x65, (byte) 0xa0, (byte) 0xdb, (byte) 0xf1, (byte) 0x5b, (byte) 0xd5, 556 (byte) 0x09, (byte) 0xbc, (byte) 0xee, (byte) 0x37, (byte) 0x51, (byte) 0x19, 557 (byte) 0x36, (byte) 0xc0, (byte) 0x90, (byte) 0xd3, (byte) 0x5f, (byte) 0xf3, 558 (byte) 0x4f, (byte) 0xb9, (byte) 0x08, (byte) 0x45, (byte) 0x0e, (byte) 0x01, 559 (byte) 0x8a, (byte) 0x95, (byte) 0xef, (byte) 0x92, (byte) 0x95, (byte) 0x33, 560 (byte) 0x78, (byte) 0xdd, (byte) 0x90, (byte) 0xbb, (byte) 0xf3, (byte) 0x06, 561 (byte) 0x75, (byte) 0xd0, (byte) 0x66, (byte) 0xe6, (byte) 0xd0, (byte) 0x18, 562 (byte) 0x6e, (byte) 0xeb, (byte) 0x1c, (byte) 0x52, (byte) 0xc3, (byte) 0x2e, 563 (byte) 0x57, (byte) 0x7d, (byte) 0xa9, (byte) 0x03, (byte) 0xdb, (byte) 0xf4, 564 (byte) 0x57, (byte) 0x5f, (byte) 0x6c, 
(byte) 0x7e, (byte) 0x00, (byte) 0x0d, 565 (byte) 0x8f, (byte) 0xe8, (byte) 0x91, (byte) 0xf7, (byte) 0xae, (byte) 0x24, 566 (byte) 0x35, (byte) 0x07, (byte) 0xb5, (byte) 0x48, (byte) 0x2d, (byte) 0x36, 567 (byte) 0x30, (byte) 0x5d, (byte) 0xe9, (byte) 0x49, (byte) 0x2d, (byte) 0xd1, 568 (byte) 0x5d, (byte) 0xc5, (byte) 0xf4, (byte) 0x33, (byte) 0x77, (byte) 0x3c, 569 (byte) 0x71, (byte) 0xad, (byte) 0x90, (byte) 0x65, (byte) 0xa9, (byte) 0xc1, 570 (byte) 0x0b, (byte) 0x5c, (byte) 0x62, (byte) 0x55, (byte) 0x50, (byte) 0x6f, 571 (byte) 0x9b, (byte) 0xc9, (byte) 0x0d, (byte) 0xee 572 }; 573 574 /** 575 * Generated from above and converted with: 576 * 577 * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g' 578 */ 579 private static final byte[] FAKE_EC_KEY_1 = new byte[] { 580 (byte) 0x30, (byte) 0x81, (byte) 0x87, (byte) 0x02, (byte) 0x01, (byte) 0x00, 581 (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, (byte) 0x86, 582 (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, (byte) 0x01, (byte) 0x06, 583 (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, 584 (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x04, (byte) 0x6d, (byte) 0x30, 585 (byte) 0x6b, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x04, (byte) 0x20, 586 (byte) 0x3a, (byte) 0x8a, (byte) 0x02, (byte) 0xdc, (byte) 0xde, (byte) 0x70, 587 (byte) 0x84, (byte) 0x45, (byte) 0x34, (byte) 0xaf, (byte) 0xbd, (byte) 0xd5, 588 (byte) 0x02, (byte) 0x17, (byte) 0x69, (byte) 0x90, (byte) 0x65, (byte) 0x1e, 589 (byte) 0x87, (byte) 0xf1, (byte) 0x3d, (byte) 0x17, (byte) 0xb6, (byte) 0xf4, 590 (byte) 0x31, (byte) 0x94, (byte) 0x86, (byte) 0x76, (byte) 0x55, (byte) 0xf7, 591 (byte) 0xcc, (byte) 0xba, (byte) 0xa1, (byte) 0x44, (byte) 0x03, (byte) 0x42, 592 (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7, (byte) 0x9b, 593 (byte) 0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33, (byte) 0x14, 594 (byte) 0xa4, (byte) 
0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3, (byte) 0xcd, 595 (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d, (byte) 0xf3, 596 (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f, (byte) 0x79, 597 (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3, (byte) 0xd1, 598 (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf, (byte) 0x50, 599 (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22, (byte) 0xe6, 600 (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68, (byte) 0x3b, 601 (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77, (byte) 0x5e, 602 (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2, (byte) 0x38 603 }; 604 605 /** 606 * Generated from above and converted with: 607 * 608 * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 609 */ 610 private static final byte[] FAKE_EC_USER_1 = new byte[] { 611 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x51, (byte) 0x30, (byte) 0x82, 612 (byte) 0x01, (byte) 0xba, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 613 (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d, 614 (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, 615 (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 616 (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 617 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 618 (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31, (byte) 0x13, 619 (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 620 (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f, (byte) 0x6d, 621 (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61, (byte) 0x74, 622 (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 0x1f, (byte) 0x06, 623 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 
0x18, 624 (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, 625 (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69, (byte) 0x64, 626 (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20, (byte) 0x50, 627 (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74, (byte) 0x64, 628 (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x33, 629 (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37, (byte) 0x31, (byte) 0x36, 630 (byte) 0x33, (byte) 0x30, (byte) 0x30, (byte) 0x38, (byte) 0x5a, (byte) 0x17, 631 (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32, 632 (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x33, (byte) 0x30, (byte) 0x30, 633 (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x62, (byte) 0x31, (byte) 0x0b, 634 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 635 (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31, 636 (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, 637 (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f, 638 (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61, 639 (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 0x1f, 640 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c, 641 (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, 642 (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69, 643 (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20, 644 (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74, 645 (byte) 0x64, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, 646 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x12, 647 (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x65, (byte) 0x72, 648 (byte) 0x2e, (byte) 
0x65, (byte) 0x78, (byte) 0x61, (byte) 0x6d, (byte) 0x70, 649 (byte) 0x6c, (byte) 0x65, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, 650 (byte) 0x30, (byte) 0x59, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, 651 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, 652 (byte) 0x01, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, 653 (byte) 0xce, (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x03, 654 (byte) 0x42, (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7, 655 (byte) 0x9b, (byte) 0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33, 656 (byte) 0x14, (byte) 0xa4, (byte) 0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3, 657 (byte) 0xcd, (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d, 658 (byte) 0xf3, (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f, 659 (byte) 0x79, (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3, 660 (byte) 0xd1, (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf, 661 (byte) 0x50, (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22, 662 (byte) 0xe6, (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68, 663 (byte) 0x3b, (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77, 664 (byte) 0x5e, (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2, 665 (byte) 0x38, (byte) 0xa3, (byte) 0x7b, (byte) 0x30, (byte) 0x79, (byte) 0x30, 666 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, 667 (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, (byte) 0x2c, 668 (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86, (byte) 0x48, (byte) 0x01, 669 (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01, (byte) 0x0d, (byte) 0x04, 670 (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f, (byte) 0x70, (byte) 0x65, 671 (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c, (byte) 0x20, (byte) 0x47, 672 (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72, 
(byte) 0x61, (byte) 0x74, 673 (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43, (byte) 0x65, (byte) 0x72, 674 (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, 675 (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03, 676 (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04, 677 (byte) 0x14, (byte) 0xd5, (byte) 0xc4, (byte) 0x72, (byte) 0xbd, (byte) 0xd2, 678 (byte) 0x4e, (byte) 0x90, (byte) 0x1b, (byte) 0x14, (byte) 0x32, (byte) 0xdb, 679 (byte) 0x03, (byte) 0xae, (byte) 0xfa, (byte) 0x27, (byte) 0x7d, (byte) 0x8d, 680 (byte) 0xe4, (byte) 0x80, (byte) 0x58, (byte) 0x30, (byte) 0x1f, (byte) 0x06, 681 (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18, 682 (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b, 683 (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f, 684 (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20, 685 (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3, 686 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 687 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 688 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, 689 (byte) 0x00, (byte) 0x43, (byte) 0x99, (byte) 0x9f, (byte) 0x67, (byte) 0x08, 690 (byte) 0x43, (byte) 0xd5, (byte) 0x6b, (byte) 0x6f, (byte) 0xd7, (byte) 0x05, 691 (byte) 0xd6, (byte) 0x75, (byte) 0x34, (byte) 0x30, (byte) 0xca, (byte) 0x20, 692 (byte) 0x47, (byte) 0x61, (byte) 0xa1, (byte) 0x89, (byte) 0xb6, (byte) 0xf1, 693 (byte) 0x49, (byte) 0x7b, (byte) 0xd9, (byte) 0xb9, (byte) 0xe8, (byte) 0x1e, 694 (byte) 0x29, (byte) 0x74, (byte) 0x0a, (byte) 0x67, (byte) 0xc0, (byte) 0x7d, 695 (byte) 0xb8, (byte) 0xe6, (byte) 0x39, (byte) 0xa8, (byte) 0x5e, (byte) 0xc3, 696 (byte) 0xb0, (byte) 0xa1, (byte) 0x30, (byte) 0x6a, (byte) 0x1f, (byte) 0x1d, 697 
(byte) 0xfc, (byte) 0x11, (byte) 0x59, (byte) 0x0b, (byte) 0xb9, (byte) 0xad, 698 (byte) 0x3a, (byte) 0x4e, (byte) 0x50, (byte) 0x0a, (byte) 0x61, (byte) 0xdb, 699 (byte) 0x75, (byte) 0x6b, (byte) 0xe5, (byte) 0x3f, (byte) 0x8d, (byte) 0xde, 700 (byte) 0x28, (byte) 0x68, (byte) 0xb1, (byte) 0x29, (byte) 0x9a, (byte) 0x18, 701 (byte) 0x8a, (byte) 0xfc, (byte) 0x3f, (byte) 0x13, (byte) 0x93, (byte) 0x29, 702 (byte) 0xed, (byte) 0x22, (byte) 0x7c, (byte) 0xb4, (byte) 0x50, (byte) 0xd5, 703 (byte) 0x4d, (byte) 0x32, (byte) 0x4d, (byte) 0x42, (byte) 0x2b, (byte) 0x29, 704 (byte) 0x97, (byte) 0x86, (byte) 0xc0, (byte) 0x01, (byte) 0x00, (byte) 0x25, 705 (byte) 0xf6, (byte) 0xd3, (byte) 0x2a, (byte) 0xd8, (byte) 0xda, (byte) 0x13, 706 (byte) 0x94, (byte) 0x12, (byte) 0x78, (byte) 0x14, (byte) 0x0b, (byte) 0x51, 707 (byte) 0xc0, (byte) 0x45, (byte) 0xb4, (byte) 0x02, (byte) 0x37, (byte) 0x98, 708 (byte) 0x42, (byte) 0x3c, (byte) 0xcb, (byte) 0x2e, (byte) 0xe4, (byte) 0x38, 709 (byte) 0x69, (byte) 0x1b, (byte) 0x72, (byte) 0xf0, (byte) 0xaa, (byte) 0x89, 710 (byte) 0x7e, (byte) 0xde, (byte) 0xb2 711 }; 712 713 /** 714 * The amount of time to allow before and after expected time for variance 715 * in timing tests. 
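     */
    private static final long SLOP_TIME_MILLIS = 15000L;

    /**
     * Deletes every alias the "AndroidKeyStore" provider currently reports, then stores a
     * fresh instance in {@code mKeyStore} without calling {@code load()}, because some
     * tests exercise the not-initialized state.
     */
    @Override
    protected void setUp() throws Exception {
        super.setUp();

        // Wipe any existing entries in the KeyStore
        // NOTE(review): this removes every alias visible to this process; presumably that is
        // only the test package's own entries -- confirm before reusing outside CTS.
        KeyStore ksTemp = KeyStore.getInstance("AndroidKeyStore");
        ksTemp.load(null, null);
        Enumeration<String> aliases = ksTemp.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            ksTemp.deleteEntry(alias);
        }

        // Get a new instance because some tests need it uninitialized
        mKeyStore = KeyStore.getInstance("AndroidKeyStore");
    }

    /**
     * Deletes every alias again so that keys and certificates imported by one test are not
     * left behind for the next one. {@code super.tearDown()} runs even if the cleanup throws.
     */
    @Override
    protected void tearDown() throws Exception {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null, null);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                keyStore.deleteEntry(alias);
            }
        } finally {
            super.tearDown();
        }
    }

    /**
     * Decodes a PKCS#8-encoded private key.
     *
     * @param keyType algorithm name handed to {@link KeyFactory#getInstance(String)}
     * @param fakeKey1 PKCS#8 encoding of the key
     * @return the decoded private key
     */
    private PrivateKey generatePrivateKey(String keyType, byte[] fakeKey1) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(keyType);
        return kf.generatePrivate(new PKCS8EncodedKeySpec(fakeKey1));
    }

    /**
     * Parses a single X.509 certificate from its encoded bytes.
     *
     * @param fakeUser1 encoded certificate
     * @return the parsed certificate
     */
    private Certificate generateCertificate(byte[] fakeUser1) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificate(new ByteArrayInputStream(fakeUser1));
    }

    /**
     * Builds a {@link PrivateKeyEntry} from the embedded EC fixtures: {@code FAKE_EC_KEY_1}
     * with the chain {@code [FAKE_EC_USER_1, FAKE_EC_CA_1]}. The key is an unencrypted
     * PKCS#8 fixture compiled into the test, so it is test data, not a secret.
     */
    private PrivateKeyEntry makeUserEcKey1() throws Exception {
        return new KeyStore.PrivateKeyEntry(generatePrivateKey("EC", FAKE_EC_KEY_1),
                new Certificate[] {
                        generateCertificate(FAKE_EC_USER_1), generateCertificate(FAKE_EC_CA_1)
                });
    }

    /**
     * Builds a {@link PrivateKeyEntry} from the embedded RSA fixtures: {@code FAKE_RSA_KEY_1}
     * with the chain {@code [FAKE_RSA_USER_1, FAKE_RSA_CA_1]}.
     */
    private PrivateKeyEntry makeUserRsaKey1() throws Exception {
        return new KeyStore.PrivateKeyEntry(generatePrivateKey("RSA", FAKE_RSA_KEY_1),
                new Certificate[] {
                        generateCertificate(FAKE_RSA_USER_1), generateCertificate(FAKE_RSA_CA_1)
                });
    }

    /** Builds a trusted-certificate entry holding {@code FAKE_RSA_CA_1}. */
    private Entry makeCa1() throws Exception {
        return new KeyStore.TrustedCertificateEntry(generateCertificate(FAKE_RSA_CA_1));
    }

    /**
     * Asserts that {@code mKeyStore} reports exactly the given aliases: no alias outside the
     * expected set, none missing, and the same number of entries.
     *
     * @param expectedAliases aliases the keystore must contain, in any order
     * @throws KeyStoreException if the keystore has not been loaded
     */
    private void assertAliases(final String[] expectedAliases) throws KeyStoreException {
        final Enumeration<String> aliases = mKeyStore.aliases();
        int count = 0;

        final Set<String> expectedSet = new HashSet<String>(Arrays.asList(expectedAliases));

        while (aliases.hasMoreElements()) {
            count++;
            final String alias = aliases.nextElement();
            assertTrue("The alias should be in the expected set", expectedSet.contains(alias));
            // Removing the alias makes a repeated alias fail the contains() check above.
            expectedSet.remove(alias);
        }
        assertTrue("The expected set and actual set should be exactly equal", expectedSet.isEmpty());
        assertEquals("There should be the correct number of keystore entries",
                expectedAliases.length, count);
    }

    /** Alias enumeration tracks a private-key entry and a trusted-certificate entry. */
    public void testKeyStore_Aliases_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        assertAliases(new String[] {});

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertAliases(new String[] { TEST_ALIAS_1 });

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });
    }

    /** {@code aliases()} must throw when the keystore has not been loaded. */
    public void testKeyStore_Aliases_NotInitialized_Unencrypted_Failure() throws Exception {
        try {
            mKeyStore.aliases();
            fail("KeyStore should throw exception when not initialized");
        } catch (KeyStoreException success) {
            // Expected: setUp() leaves mKeyStore unloaded.
        }
    }

    /** {@code containsAlias()} is true for stored entries and false for an unused alias. */
    public void testKeyStore_ContainsAliases_PrivateAndCA_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        assertAliases(new String[] {});

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertTrue("Should contain generated private key", mKeyStore.containsAlias(TEST_ALIAS_1));

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));

        assertFalse("Should not contain unadded certificate alias",
                mKeyStore.containsAlias(TEST_ALIAS_3));
    }

    /** {@code containsAlias()} is true when only a trusted-certificate entry is stored. */
    public void testKeyStore_ContainsAliases_CAOnly_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));
    }

    /** {@code containsAlias()} is false on an empty keystore. */
    public void testKeyStore_ContainsAliases_NonExistent_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        // The failure message used to claim the alias should be present, which contradicted
        // the assertFalse it belongs to.
        assertFalse("Should not contain an alias that was never added",
                mKeyStore.containsAlias(TEST_ALIAS_1));
    }

    /** Deleting entries one by one removes exactly the named alias each time. */
    public void testKeyStore_DeleteEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        // TEST_ALIAS_2
        mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));

        // TEST_ALIAS_3
        mKeyStore.setCertificateEntry(TEST_ALIAS_3, generateCertificate(FAKE_RSA_CA_1));

        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

        mKeyStore.deleteEntry(TEST_ALIAS_1);

        assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

        mKeyStore.deleteEntry(TEST_ALIAS_3);

        assertAliases(new String[] { TEST_ALIAS_2 });

        mKeyStore.deleteEntry(TEST_ALIAS_2);

        assertAliases(new String[] { });
    }

    /** Deleting from an empty keystore does not throw. */
    public void testKeyStore_DeleteEntry_EmptyStore_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // Should not throw when a non-existent entry is requested for delete.
        mKeyStore.deleteEntry(TEST_ALIAS_1);
    }

    /** Deleting an unknown alias from a populated keystore does not throw. */
    public void testKeyStore_DeleteEntry_NonExistent_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        // Should not throw when a non-existent entry is requested for delete.
        mKeyStore.deleteEntry(TEST_ALIAS_2);
    }

    /** A stored trusted certificate is returned unchanged; an unknown alias yields null. */
    public void testKeyStore_GetCertificate_Single_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

        assertAliases(new String[] { TEST_ALIAS_1 });

        assertNull("Certificate should not exist in keystore",
                mKeyStore.getCertificate(TEST_ALIAS_2));

        Certificate retrieved = mKeyStore.getCertificate(TEST_ALIAS_1);

        assertNotNull("Retrieved certificate should not be null", retrieved);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        assertEquals("Actual and retrieved certificates should be the same", actual, retrieved);
    }

    /** {@code getCertificate()} returns null on an empty keystore. */
    public void testKeyStore_GetCertificate_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        assertNull("Certificate should not exist in keystore",
                mKeyStore.getCertificate(TEST_ALIAS_1));
    }

    /** A trusted certificate can be looked up by value and maps back to its alias. */
    public void testKeyStore_GetCertificateAlias_CAEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        Certificate cert = generateCertificate(FAKE_RSA_CA_1);
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
                mKeyStore.getCertificateAlias(cert));
    }

    /** The user certificate of a private-key entry maps back to that entry's alias. */
    public void testKeyStore_GetCertificateAlias_PrivateKeyEntry_Unencrypted_Success()
            throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
                mKeyStore.getCertificateAlias(actual));
    }

    /**
     * When the same CA certificate is stored as a trusted-certificate entry and also appears
     * in the chain of a private-key entry, the lookup is expected to return the alias of the
     * trusted-certificate entry.
     */
    public void testKeyStore_GetCertificateAlias_CAEntry_WithPrivateKeyUsingCA_Unencrypted_Success()
            throws Exception {
        mKeyStore.load(null, null);

        Certificate actual = generateCertificate(FAKE_RSA_CA_1);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_2, actual);

        // Insert PrivateKeyEntry that uses the same CA
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_2,
                mKeyStore.getCertificateAlias(actual));
    }

    /** {@code getCertificateAlias()} returns null on an empty keystore. */
    public void testKeyStore_GetCertificateAlias_NonExist_Empty_Unencrypted_Failure()
            throws Exception {
        mKeyStore.load(null, null);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateAlias(actual));
    }

    /** A certificate that was never stored has no alias, even if its issuing CA is stored. */
    public void testKeyStore_GetCertificateAlias_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        Certificate ca = generateCertificate(FAKE_RSA_CA_1);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, ca);

        Certificate userCert = generateCertificate(FAKE_RSA_USER_1);

        // The failure message used to say "should be found", the opposite of what
        // assertNull checks.
        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateAlias(userCert));
    }

    /** The chain of a private-key entry is returned as [user certificate, CA certificate]. */
    public void testKeyStore_GetCertificateChain_SingleLength_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Certificate[] expected = new Certificate[2];
        expected[0] = generateCertificate(FAKE_RSA_USER_1);
        expected[1] = generateCertificate(FAKE_RSA_CA_1);

        Certificate[] actual = mKeyStore.getCertificateChain(TEST_ALIAS_1);

        assertNotNull("Returned certificate chain should not be null", actual);
        assertEquals("Returned certificate chain should be correct size", expected.length,
                actual.length);
        assertEquals("First certificate should be user certificate", expected[0], actual[0]);
        assertEquals("Second certificate should be CA certificate", expected[1], actual[1]);

        // Negative test when keystore is populated.
        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateChain(TEST_ALIAS_2));
    }

    /** {@code getCertificateChain()} returns null on an empty keystore. */
    public void testKeyStore_GetCertificateChain_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateChain(TEST_ALIAS_1));
    }

    /**
     * The creation date of a freshly stored private-key entry lies within
     * {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_PrivateKeyEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        // Fail with a readable message instead of a NullPointerException below; the CA
        // variant of this test already performs the same check.
        assertNotNull("Creation date of the stored entry should be found", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }

    /**
     * The creation date of a freshly stored trusted-certificate entry lies within
     * {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_CAEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        assertNotNull("Certificate should be found", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }
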
testKeyStore_GetEntry_NullParams_Unencrypted_Success()1048 public void testKeyStore_GetEntry_NullParams_Unencrypted_Success() throws Exception { 1049 mKeyStore.load(null, null); 1050 1051 // TEST_ALIAS_1 1052 mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null); 1053 1054 Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1055 assertNotNull("Entry should exist", entry); 1056 1057 assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry); 1058 1059 PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; 1060 1061 assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1); 1062 } 1063 testKeyStore_GetEntry_EC_NullParams_Unencrypted_Success()1064 public void testKeyStore_GetEntry_EC_NullParams_Unencrypted_Success() throws Exception { 1065 mKeyStore.load(null, null); 1066 1067 // TEST_ALIAS_1 1068 mKeyStore.setEntry(TEST_ALIAS_1, makeUserEcKey1(), null); 1069 1070 Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1071 assertNotNull("Entry should exist", entry); 1072 1073 assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry); 1074 1075 PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; 1076 1077 assertPrivateKeyEntryEquals(keyEntry, "EC", FAKE_EC_KEY_1, FAKE_EC_USER_1, FAKE_EC_CA_1); 1078 } 1079 testKeyStore_GetEntry_RSA_NullParams_Unencrypted_Success()1080 public void testKeyStore_GetEntry_RSA_NullParams_Unencrypted_Success() throws Exception { 1081 mKeyStore.load(null, null); 1082 1083 // TEST_ALIAS_1 1084 mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null); 1085 1086 Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1087 assertNotNull("Entry should exist", entry); 1088 1089 assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry); 1090 1091 PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; 1092 1093 assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1094 FAKE_RSA_CA_1); 1095 } 1096 1097 @SuppressWarnings("unchecked") 
// Decodes the expected key (PKCS#8), user certificate and optional CA certificates from their
// encoded test vectors, then delegates to the object-based overload. A null "ca" means the
// stored chain is expected to hold the user certificate only.
private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, String keyType, byte[] key,
        byte[] cert, byte[] ca) throws Exception {
    final PrivateKey expectedKey =
            KeyFactory.getInstance(keyType).generatePrivate(new PKCS8EncodedKeySpec(key));

    final CertificateFactory x509 = CertificateFactory.getInstance("X.509");
    final Certificate expectedCert = x509.generateCertificate(new ByteArrayInputStream(cert));

    final Collection<Certificate> expectedChain = (ca == null)
            ? null
            : (Collection<Certificate>) x509.generateCertificates(new ByteArrayInputStream(ca));

    assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, expectedChain);
}

/**
 * Asserts that a PrivateKeyEntry read back from the keystore matches what was inserted.
 *
 * <p>The private key itself is compared only through public parameters (EC curve or RSA
 * modulus), because the test also requires the returned key to expose no encoded form:
 * {@code getFormat()} and {@code getEncoded()} must both be {@code null}. Keys that are
 * neither EC nor RSA get no parameter comparison.
 *
 * @param keyEntry the entry returned by the keystore
 * @param expectedKey the private key that was inserted
 * @param expectedCert the user certificate expected at the head of the chain
 * @param expectedChain the CA certificates expected after the user certificate, or
 *         {@code null} when the chain should hold the user certificate only
 */
private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, PrivateKey expectedKey,
        Certificate expectedCert, Collection<Certificate> expectedChain) throws Exception {
    final PrivateKey storedKey = keyEntry.getPrivateKey();
    final PublicKey storedPublicKey = keyEntry.getCertificate().getPublicKey();

    if (expectedKey instanceof ECKey) {
        assertTrue("Returned PrivateKey " + storedKey.getClass() + " should be instanceof ECKey",
                storedKey instanceof ECKey);
        assertEquals("Returned PrivateKey should be what we inserted",
                ((ECKey) expectedKey).getParams().getCurve(),
                ((ECKey) storedKey).getParams().getCurve());
    } else if (expectedKey instanceof RSAKey) {
        assertTrue("Returned PrivateKey " + storedKey.getClass() + " should be instanceof RSAKey",
                storedKey instanceof RSAKey);
        assertEquals("Returned PrivateKey should be what we inserted",
                ((RSAKey) expectedKey).getModulus(),
                ((RSAKey) storedKey).getModulus());
    }

    // The keystore-held private key must not hand out its key material.
    assertNull("getFormat() should return null", storedKey.getFormat());
    assertNull("getEncoded() should return null", storedKey.getEncoded());

    // The public half stays exportable in the usual X.509 form.
    assertEquals("Public keys should be in X.509 format", "X.509", storedPublicKey.getFormat());
    assertNotNull("Public keys should be encodable", storedPublicKey.getEncoded());

    assertEquals("Returned Certificate should be what we inserted", expectedCert,
            keyEntry.getCertificate());

    final Certificate[] storedChain = keyEntry.getCertificateChain();

    assertEquals("First certificate in chain should be user cert", expectedCert, storedChain[0]);

    if (expectedChain == null) {
        assertEquals("Certificate chain should not include CAs", 1, storedChain.length);
        return;
    }

    assertEquals("Chains should be the same size", expectedChain.size() + 1,
            storedChain.length);

    // Slot 0 is the user certificate; the CA certificates follow in insertion order.
    final Iterator<Certificate> expectedCas = expectedChain.iterator();
    for (int pos = 1; expectedCas.hasNext() && pos < storedChain.length; pos++) {
        assertEquals("CA chain certificate should equal what we put in", expectedCas.next(),
                storedChain[pos]);
    }
}

/** Checks that {@code getEntry} returns {@code null} for an alias that was never stored. */
public void testKeyStore_GetEntry_Nonexistent_NullParams_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    final Entry missing = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNull("A non-existent entry should return null", missing);
}

/**
 * Stores the RSA user key and checks that {@code getKey} without a password returns an RSA
 * private key whose modulus matches the inserted test vector.
 */
public void testKeyStore_GetKey_NoPassword_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // Populate TEST_ALIAS_1 with the RSA user key.
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    final Key stored = mKeyStore.getKey(TEST_ALIAS_1, null);
    assertNotNull("Key should exist", stored);

    assertTrue("Should be a PrivateKey", stored instanceof PrivateKey);
    assertTrue("Should be a RSAKey", stored instanceof RSAKey);

    final RSAKey storedRsa = (RSAKey) stored;

    final PrivateKey inserted = KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    // Only the modulus is compared; it is a public parameter of the key pair.
    assertEquals("Inserted key should be same as retrieved key",
            ((RSAKey) inserted).getModulus(), storedRsa.getModulus());
}

/** Checks that {@code getKey} returns {@code null} for an alias holding only a certificate. */
public void testKeyStore_GetKey_Certificate_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    // Store a TrustedCertificateEntry under the alias.
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    final Key keyForCertAlias = mKeyStore.getKey(TEST_ALIAS_1, null);
    assertNull("Certificate entries should return null", keyForCertAlias);
}

/** Checks that {@code getKey} returns {@code null} for an alias that was never stored. */
public void testKeyStore_GetKey_NonExistent_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    final Key missing = mKeyStore.getKey(TEST_ALIAS_1, null);
    assertNull("A non-existent entry should return null", missing);
}

/** Checks that the keystore is served by the provider named "AndroidKeyStore". */
public void testKeyStore_GetProvider_Unencrypted_Success() throws Exception {
    final String providerName = mKeyStore.getProvider().getName();
    assertEquals("AndroidKeyStore", providerName);
}

/** Checks that the keystore reports its type as "AndroidKeyStore". */
public void testKeyStore_GetType_Unencrypted_Success() throws Exception {
    final String type = mKeyStore.getType();
    assertEquals("AndroidKeyStore", type);
}

/** Checks that an alias holding a CA certificate is reported as a certificate entry. */
public void testKeyStore_IsCertificateEntry_CA_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // Store a TrustedCertificateEntry under the alias.
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    final boolean reportedAsCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
    assertTrue("Should return true for CA certificate", reportedAsCertificate);
}
/** Checks that an alias holding a PrivateKeyEntry is not reported as a certificate entry. */
public void testKeyStore_IsCertificateEntry_PrivateKey_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    // Populate TEST_ALIAS_1 with the RSA user key.
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    final boolean reportedAsCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
    assertFalse("Should return false for PrivateKeyEntry", reportedAsCertificate);
}

/** Checks that an alias that was never stored is not reported as a certificate entry. */
public void testKeyStore_IsCertificateEntry_NonExist_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    final boolean reportedAsCertificate = mKeyStore.isCertificateEntry(TEST_ALIAS_1);
    assertFalse("Should return false for non-existent entry", reportedAsCertificate);
}

/** Checks that an alias holding a PrivateKeyEntry is reported as a key entry. */
public void testKeyStore_IsKeyEntry_PrivateKey_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // Populate TEST_ALIAS_1 with the RSA user key.
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    final boolean reportedAsKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
    assertTrue("Should return true for PrivateKeyEntry", reportedAsKey);
}

/** Checks that an alias holding only a CA certificate is not reported as a key entry. */
public void testKeyStore_IsKeyEntry_CA_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    final boolean reportedAsKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
    assertFalse("Should return false for CA certificate", reportedAsKey);
}

/** Checks that an alias that was never stored is not reported as a key entry. */
public void testKeyStore_IsKeyEntry_NonExist_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    final boolean reportedAsKey = mKeyStore.isKeyEntry(TEST_ALIAS_1);
    assertFalse("Should return false for non-existent entry", reportedAsKey);
}

/** Stores a CA certificate and checks that the same certificate is read back. */
public void testKeyStore_SetCertificate_CA_Unencrypted_Success() throws Exception {
    final Certificate inserted = generateCertificate(FAKE_RSA_CA_1);

    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, inserted);
    assertAliases(new String[] { TEST_ALIAS_1 });

    final Certificate readBack = mKeyStore.getCertificate(TEST_ALIAS_1);

    assertEquals("Retrieved certificate should be the same as the one inserted", inserted,
            readBack);
}

/**
 * Stores a CA certificate twice under the same alias and checks that the alias list still
 * holds exactly that alias afterwards.
 */
public void testKeyStore_SetCertificate_CAExists_Overwrite_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertAliases(new String[] { TEST_ALIAS_1 });

    // TODO have separate FAKE_CA for second test
    final Certificate replacement = generateCertificate(FAKE_RSA_CA_1);
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, replacement);

    assertAliases(new String[] { TEST_ALIAS_1 });
}

/**
 * Checks that {@code setCertificateEntry} refuses to replace an existing PrivateKeyEntry and
 * signals this with a {@link KeyStoreException}.
 */
public void testKeyStore_SetCertificate_PrivateKeyExists_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    assertAliases(new String[] { TEST_ALIAS_1 });

    final Certificate caCert = generateCertificate(FAKE_RSA_CA_1);

    try {
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, caCert);
        fail("Should throw when trying to overwrite a PrivateKey entry with a Certificate");
    } catch (KeyStoreException success) {
        // Expected: the key entry must not be silently replaced by a certificate.
    }
}

/**
 * Stores a PrivateKeyEntry built from the RSA test vectors (user certificate plus CA) and
 * checks that the entry read back matches them.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    final PrivateKey rsaKey = KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

    final Certificate[] chain = {
        x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)),
        x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)),
    };

    mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(rsaKey, chain), null);

    final Entry readBack = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull("Retrieved entry should exist", readBack);

    assertTrue("Retrieved entry should be of type PrivateKeyEntry",
            readBack instanceof PrivateKeyEntry);

    assertPrivateKeyEntryEquals((PrivateKeyEntry) readBack, "RSA", FAKE_RSA_KEY_1,
            FAKE_RSA_USER_1, FAKE_RSA_CA_1);
}

/**
 * Checks that an entry requiring encryption cannot be inserted while no secure lock screen
 * is configured, and that nothing is left under the alias afterwards.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Params_Unencrypted_Failure() throws Exception {
    // The Android Keystore requires encrypted storage that can only be decrypted with a key
    // bound to a credential supplied by the user. By default the Keystore waits until the
    // user sets a lock screen PIN or password and uses that credential to set up its own
    // encrypted storage space. In that implementation the Keystore should not be initialized
    // while no lock screen PIN or password is set, which is what this test verifies.
    //
    // If your environment already provides encrypted storage that can only be decrypted with
    // a key bound to another user-supplied credential, you may initialize the Keystore
    // immediately and get a waiver for this test.
    final KeyguardManager keyguard =
            (KeyguardManager) getContext().getSystemService(Context.KEYGUARD_SERVICE);
    assertNotNull(keyguard);
    assertFalse("Secure lock screen must not be configured", keyguard.isDeviceSecure());

    mKeyStore.load(null, null);

    final PrivateKey rsaKey = KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

    final Certificate[] chain = {
        x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)),
        x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)),
    };

    final PrivateKeyEntry candidate = new PrivateKeyEntry(rsaKey, chain);

    try {
        mKeyStore.setEntry(TEST_ALIAS_1, candidate,
                new KeyStoreParameter.Builder(getContext())
                        .setEncryptionRequired(true)
                        .build());
        fail("Shouldn't be able to insert encrypted entry when KeyStore uninitialized");
    } catch (KeyStoreException expected) {
        // Expected: encryption was requested but cannot be provided.
    }

    // The rejected insert must not leave an entry behind.
    assertNull(mKeyStore.getEntry(TEST_ALIAS_1, null));
}

/**
 * Stores a PrivateKeyEntry, stores it again under the same alias, and checks after each
 * step that the entry read back matches the RSA test vectors.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    final KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
    final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

    // Start with PrivateKeyEntry
    {
        final PrivateKey rsaKey = rsaFactory
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

        final Certificate[] chain = {
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)),
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)),
        };

        mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(rsaKey, chain), null);

        final Entry readBack = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", readBack);

        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                readBack instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) readBack, "RSA", FAKE_RSA_KEY_1,
                FAKE_RSA_USER_1, FAKE_RSA_CA_1);
    }

    // TODO make entirely new test vector for the overwrite
    // Replace with PrivateKeyEntry
    {
        final PrivateKey rsaKey = rsaFactory
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

        final Certificate[] chain = {
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)),
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)),
        };

        mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(rsaKey, chain), null);

        final Entry readBack = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", readBack);

        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                readBack instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) readBack, "RSA", FAKE_RSA_KEY_1,
                FAKE_RSA_USER_1, FAKE_RSA_CA_1);
    }
}

/**
 * Stores a TrustedCertificateEntry, replaces it with a PrivateKeyEntry under the same alias,
 * and checks the entry read back after each step.
 *
 * <p>NOTE(review): the body starts from the CA entry and overwrites it with the private key
 * entry, which is the reverse of the order the method name suggests.
 */
public void testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory x509 = CertificateFactory.getInstance("X.509");

    // Start with TrustedCertificateEntry
    {
        final Certificate caCert = x509
                .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        final TrustedCertificateEntry insertedCa = new TrustedCertificateEntry(caCert);
        mKeyStore.setEntry(TEST_ALIAS_1, insertedCa, null);

        final Entry readBack = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", readBack);
        assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                readBack instanceof TrustedCertificateEntry);
        final TrustedCertificateEntry readBackCa = (TrustedCertificateEntry) readBack;
        assertEquals("Stored and retrieved certificates should be the same",
                insertedCa.getTrustedCertificate(),
                readBackCa.getTrustedCertificate());
    }

    // Replace with PrivateKeyEntry
    {
        final PrivateKey rsaKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] chain = {
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)),
            x509.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)),
        };

        mKeyStore.setEntry(TEST_ALIAS_1, new PrivateKeyEntry(rsaKey, chain), null);

        final Entry readBack = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", readBack);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                readBack instanceof PrivateKeyEntry);

        assertPrivateKeyEntryEquals((PrivateKeyEntry) readBack, "RSA", FAKE_RSA_KEY_1,
                FAKE_RSA_USER_1, FAKE_RSA_CA_1);
    }
}

public void
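testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Unencrypted_Success()
        throws Exception {
    // Stores a PrivateKeyEntry, replaces it with a TrustedCertificateEntry under the same
    // alias, and checks the entry read back after each step.
    // NOTE(review): the body starts from the private key entry and overwrites it with the CA
    // entry, which is the reverse of the order the method name suggests.
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    // Start with PrivateKeyEntry
    {
        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey expectedKey = keyFact
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] expectedChain = new Certificate[2];
        expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
        expectedChain[1] = caCert;

        PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);

        mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                actualEntry instanceof PrivateKeyEntry);

        PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
        assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                FAKE_RSA_CA_1);
    }

    // Replace with TrustedCertificateEntry
    {
        TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert);
        mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                actualEntry instanceof TrustedCertificateEntry);
        TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry;
        assertEquals("Stored and retrieved certificates should be the same",
                expectedCertEntry.getTrustedCertificate(),
                actualCertEntry.getTrustedCertificate());
    }
}

/**
 * Stores a PrivateKeyEntry with a two-certificate chain, replaces it with one whose chain
 * holds only the user certificate, and checks that the shorter chain is what is read back.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    // Start with PrivateKeyEntry
    {
        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey expectedKey = keyFact
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] expectedChain = new Certificate[2];
        expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
        expectedChain[1] = caCert;

        PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);

        mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                actualEntry instanceof PrivateKeyEntry);

        PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
        assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                FAKE_RSA_CA_1);
    }

    // Replace with PrivateKeyEntry that has no chain
    {
        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey expectedKey = keyFact
                .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] expectedChain = new Certificate[1];
        expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));

        PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);

        mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                actualEntry instanceof PrivateKeyEntry);

        // A null CA argument makes the helper expect a chain of exactly one certificate, so
        // the CA from the first insert must be gone.
        PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
        assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                null);
    }
}

/**
 * Stores a TrustedCertificateEntry holding the CA certificate, replaces it with one holding
 * the user certificate, and checks the certificate read back after each step.
 */
public void testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    // Insert TrustedCertificateEntry
    {
        final Certificate caCert = f
                .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert);
        mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                actualEntry instanceof TrustedCertificateEntry);
        TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry;
        assertEquals("Stored and retrieved certificates should be the same",
                expectedCertEntry.getTrustedCertificate(),
                actualCertEntry.getTrustedCertificate());
    }

    // Replace with TrustedCertificateEntry of USER
    {
        final Certificate userCert = f.generateCertificate(new ByteArrayInputStream(
                FAKE_RSA_USER_1));

        TrustedCertificateEntry expectedUserEntry = new TrustedCertificateEntry(userCert);
        mKeyStore.setEntry(TEST_ALIAS_1, expectedUserEntry, null);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);
        assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
                actualEntry instanceof TrustedCertificateEntry);
        TrustedCertificateEntry actualUserEntry = (TrustedCertificateEntry) actualEntry;
        assertEquals("Stored and retrieved certificates should be the same",
                expectedUserEntry.getTrustedCertificate(),
                actualUserEntry.getTrustedCertificate());
    }
}

/**
 * Checks that {@code setKeyEntry} rejects a per-entry password with a
 * {@link KeyStoreException}.
 */
public void testKeyStore_SetKeyEntry_ProtectedKey_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    KeyFactory keyFact = KeyFactory.getInstance("RSA");
    PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
    final Certificate[] chain = new Certificate[2];
    chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
    chain[1] = caCert;

    try {
        mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, "foo".toCharArray(), chain);
        fail("Should fail when a password is specified");
    } catch (KeyStoreException success) {
        // Expected: a supplied password must be rejected, not silently ignored.
    }
}

/**
 * Stores a key and chain through {@code setKeyEntry} without a password and checks that the
 * entry read back matches the RSA test vectors.
 */
public void testKeyStore_SetKeyEntry_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    KeyFactory keyFact = KeyFactory.getInstance("RSA");
    PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
    final Certificate[] chain = new Certificate[2];
    chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
    chain[1] = caCert;

    mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);

    Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull("Retrieved entry should exist", actualEntry);

    assertTrue("Retrieved entry should be of type PrivateKeyEntry",
            actualEntry instanceof PrivateKeyEntry);

    PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;

    assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
}

/**
 * Stores a key and chain through {@code setKeyEntry}, stores them again under the same
 * alias, and checks the entry read back after each step.
 */
public void testKeyStore_SetKeyEntry_Replaced_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    // Insert initial key
    {
        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] chain = new Certificate[2];
        chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
        chain[1] = caCert;

        mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);

        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                actualEntry instanceof PrivateKeyEntry);

        PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;

        assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                FAKE_RSA_CA_1);
    }

    // TODO make a separate key
    // Replace key
    {
        KeyFactory keyFact = KeyFactory.getInstance("RSA");
        PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
        final Certificate[] chain = new Certificate[2];
        chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
        chain[1] = caCert;

        mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);

        Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Retrieved entry should exist", actualEntry);

        assertTrue("Retrieved entry should be of type PrivateKeyEntry",
                actualEntry instanceof PrivateKeyEntry);

        PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;

        assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                FAKE_RSA_CA_1);
    }
}

/**
 * Checks that the certificate chain of an existing key can be replaced by calling
 * {@code setKeyEntry} with the key object previously returned by the keystore.
 */
public void testKeyStore_SetKeyEntry_ReplacedChain_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // Create key #1
    {
        KeyStore.PrivateKeyEntry privEntry = makeUserRsaKey1();
        mKeyStore.setEntry(TEST_ALIAS_1, privEntry, null);

        Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);

        assertTrue(entry instanceof PrivateKeyEntry);

        PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;

        ArrayList<Certificate> chain = new ArrayList<Certificate>();
        chain.add(generateCertificate(FAKE_RSA_CA_1));
        assertPrivateKeyEntryEquals(keyEntry, privEntry.getPrivateKey(),
                privEntry.getCertificate(), chain);
    }

    // Replace key #1 with new chain
    {
        Key key = mKeyStore.getKey(TEST_ALIAS_1, null);

        assertTrue(key instanceof PrivateKey);

        PrivateKey expectedKey = (PrivateKey) key;

        Certificate expectedCert = generateCertificate(FAKE_RSA_USER_1);

        mKeyStore.setKeyEntry(TEST_ALIAS_1, expectedKey, null,
                new Certificate[] { expectedCert });

        Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);

        assertTrue(entry instanceof PrivateKeyEntry);

        PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;

        assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, null);
    }
}

/**
 * Checks that {@code setKeyEntry} refuses to attach the key object obtained from one alias
 * to a different alias, signalling this with a {@link KeyStoreException}.
 */
public void testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Unencrypted_Failure()
        throws Exception {
    mKeyStore.load(null, null);

    // Create key #1
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    // Create key #2
    mKeyStore.setEntry(TEST_ALIAS_2, makeUserRsaKey1(), null);


    // Replace key #1 with key #2
    {
        // The key object comes from alias #2 even though it is written to alias #1.
        Key keyFromAlias2 = mKeyStore.getKey(TEST_ALIAS_2, null);

        Certificate cert = generateCertificate(FAKE_RSA_USER_1);

        try {
            mKeyStore.setKeyEntry(TEST_ALIAS_1, keyFromAlias2, null, new Certificate[] { cert });
            fail("Should not allow setting of KeyEntry with wrong PrivateKey");
        } catch (KeyStoreException success) {
            // Expected: a key handle bound to another alias must be rejected.
        }
    }
}

/**
 * Reads an entry back and stores it again under the same alias.
 *
 * <p>NOTE(review): despite the "Failure" suffix the body contains no assertion; the test
 * passes when neither call throws. Confirm whether an explicit expectation was intended.
 */
public void testKeyStore_SetKeyEntry_ReplacedWithSame_UnencryptedToUnencrypted_Failure()
        throws Exception {
    mKeyStore.load(null, null);

    // Create key #1
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    // Replace with same
    Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
    mKeyStore.setEntry(TEST_ALIAS_1, entry, null);
}

/**
 * Checks that {@code size()} and the alias list track inserts and deletes of certificate and
 * key entries.
 */
public void testKeyStore_Size_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertEquals("The keystore size should match expected", 1, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1 });

    mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));

    assertEquals("The keystore size should match expected", 2, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });

    mKeyStore.setEntry(TEST_ALIAS_3, makeUserRsaKey1(), null);

    assertEquals("The keystore size should match expected", 3, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

    mKeyStore.deleteEntry(TEST_ALIAS_1);

    assertEquals("The keystore size should match expected", 2, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

    mKeyStore.deleteEntry(TEST_ALIAS_3);

    assertEquals("The keystore size should match expected", 1, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_2 });
}

/**
 * Checks that {@code store(LoadStoreParameter)} is unsupported and throws
 * {@link UnsupportedOperationException}.
 */
public void testKeyStore_Store_LoadStoreParam_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    try {
        mKeyStore.store(null);
        fail("Should throw UnsupportedOperationException when trying to store");
    } catch (UnsupportedOperationException success) {
        // Expected: the keystore contents cannot be written out.
    }
}

/**
 * Checks that {@code load} rejects a caller-supplied input stream with
 * {@link IllegalArgumentException}.
 */
public void testKeyStore_Load_InputStreamSupplied_Unencrypted_Failure() throws Exception {
    // Explicit charset so the bytes do not depend on the platform default.
    byte[] buf = "FAKE KEYSTORE".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    ByteArrayInputStream is = new ByteArrayInputStream(buf);

    try {
        mKeyStore.load(is, null);
        fail("Should throw IllegalArgumentException when InputStream is supplied");
    } catch (IllegalArgumentException success) {
        // Expected: keystore contents cannot be injected from a stream.
    }
}

/**
 * Checks that {@code load} rejects a caller-supplied password with
 * {@link IllegalArgumentException}.
 */
public void testKeyStore_Load_PasswordSupplied_Unencrypted_Failure() throws Exception {
    try {
        mKeyStore.load(null, "password".toCharArray());
        fail("Should throw IllegalArgumentException when password is supplied");
    } catch (IllegalArgumentException success) {
        // Expected.
    }
}

/**
 * Checks that {@code store(OutputStream, char[])} is unsupported both with and without a
 * password.
 */
public void testKeyStore_Store_OutputStream_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    OutputStream sink = new ByteArrayOutputStream();
    try {
        mKeyStore.store(sink, null);
        fail("Should throw UnsupportedOperationException when trying to store");
    } catch (UnsupportedOperationException success) {
        // Expected: the keystore contents cannot be written out.
    }

    try {
        mKeyStore.store(sink, "blah".toCharArray());
        fail("Should throw UnsupportedOperationException when trying to store");
    } catch (UnsupportedOperationException success) {
        // Expected: supplying a password does not make export possible.
    }
}

/**
 * Wraps a secret key with the stored entry's public key, unwraps it with the keystore-held
 * private key, and checks that the secret survives the round trip.
 */
public void testKeyStore_KeyOperations_Wrap_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    // Test key usage
    Entry e = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull(e);
    assertTrue(e instanceof PrivateKeyEntry);

    PrivateKeyEntry privEntry = (PrivateKeyEntry) e;
    PrivateKey privKey = privEntry.getPrivateKey();
    assertNotNull(privKey);

    PublicKey pubKey = privEntry.getCertificate().getPublicKey();

    // PKCS#1 v1.5 padding is the transformation under test here.
    // NOTE(review): application code written today generally prefers OAEP for RSA
    // encryption and key wrapping.
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    c.init(Cipher.WRAP_MODE, pubKey);

    byte[] expectedKey = new byte[] {
            0x00, 0x05, (byte) 0xAA, (byte) 0x0A5, (byte) 0xFF, 0x55, 0x0A
    };

    SecretKey expectedSecret = new TransparentSecretKey(expectedKey, "AES");

    byte[] wrappedExpected = c.wrap(expectedSecret);

    c.init(Cipher.UNWRAP_MODE, privKey);
    SecretKey actualSecret = (SecretKey) c.unwrap(wrappedExpected, "AES", Cipher.SECRET_KEY);

    assertEquals(Arrays.toString(expectedSecret.getEncoded()),
            Arrays.toString(actualSecret.getEncoded()));
}

public void testKeyStore_Encrypting_RSA_NONE_NOPADDING() throws Exception {

    String alias = "MyKey";
    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
    assertNotNull(ks);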
1922 ks.load(null); 1923 1924 Calendar cal = Calendar.getInstance(); 1925 cal.set(1944, 5, 6); 1926 Date now = cal.getTime(); 1927 cal.clear(); 1928 1929 cal.set(1945, 8, 2); 1930 Date end = cal.getTime(); 1931 1932 KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore"); 1933 assertNotNull(kpg); 1934 kpg.initialize(new KeyPairGeneratorSpec.Builder(mContext) 1935 .setAlias(alias) 1936 .setStartDate(now) 1937 .setEndDate(end) 1938 .setSerialNumber(BigInteger.valueOf(1)) 1939 .setSubject(new X500Principal("CN=test1")) 1940 .build()); 1941 1942 kpg.generateKeyPair(); 1943 1944 PrivateKey privateKey = (PrivateKey) ks.getKey(alias, null); 1945 assertNotNull(privateKey); 1946 PublicKey publicKey = ks.getCertificate(alias).getPublicKey(); 1947 assertNotNull(publicKey); 1948 String cipher = privateKey.getAlgorithm() + "/NONE/NOPADDING"; 1949 Cipher encrypt = Cipher.getInstance(cipher); 1950 assertNotNull(encrypt); 1951 encrypt.init(Cipher.ENCRYPT_MODE, privateKey); 1952 1953 int modulusSizeBytes = (((RSAKey) publicKey).getModulus().bitLength() + 7) / 8; 1954 byte[] plainText = new byte[modulusSizeBytes]; 1955 Arrays.fill(plainText, (byte) 0xFF); 1956 1957 // We expect a BadPaddingException here as the message size (plaintext) 1958 // is bigger than the modulus. 
1959 try { 1960 encrypt.doFinal(plainText); 1961 fail("Expected BadPaddingException"); 1962 } catch (BadPaddingException e) { 1963 // pass on exception as it is expected 1964 } 1965 } 1966 testKeyStore_PrivateKeyEntry_RSA_PublicKeyWorksWithCrypto()1967 public void testKeyStore_PrivateKeyEntry_RSA_PublicKeyWorksWithCrypto() 1968 throws Exception { 1969 mKeyStore.load(null, null); 1970 mKeyStore.setKeyEntry(TEST_ALIAS_2, 1971 KeyFactory.getInstance("RSA").generatePrivate( 1972 new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)), 1973 null, // no password (it's not even supported) 1974 new Certificate[] {generateCertificate(FAKE_RSA_USER_1)}); 1975 PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey(); 1976 assertNotNull(publicKey); 1977 1978 Signature.getInstance("SHA256withRSA").initVerify(publicKey); 1979 Signature.getInstance("NONEwithRSA").initVerify(publicKey); 1980 Signature.getInstance("SHA256withRSA/PSS").initVerify(publicKey); 1981 1982 Cipher.getInstance("RSA/ECB/PKCS1Padding").init(Cipher.ENCRYPT_MODE, publicKey); 1983 Cipher.getInstance("RSA/ECB/NoPadding").init(Cipher.ENCRYPT_MODE, publicKey); 1984 Cipher.getInstance("RSA/ECB/OAEPPadding").init(Cipher.ENCRYPT_MODE, publicKey); 1985 } 1986 testKeyStore_PrivateKeyEntry_EC_PublicKeyWorksWithCrypto()1987 public void testKeyStore_PrivateKeyEntry_EC_PublicKeyWorksWithCrypto() 1988 throws Exception { 1989 mKeyStore.load(null, null); 1990 mKeyStore.setKeyEntry(TEST_ALIAS_1, 1991 KeyFactory.getInstance("EC").generatePrivate( 1992 new PKCS8EncodedKeySpec(FAKE_EC_KEY_1)), 1993 null, // no password (it's not even supported) 1994 new Certificate[] {generateCertificate(FAKE_EC_USER_1)}); 1995 PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey(); 1996 assertNotNull(publicKey); 1997 1998 Signature.getInstance("SHA256withECDSA").initVerify(publicKey); 1999 Signature.getInstance("NONEwithECDSA").initVerify(publicKey); 2000 } 2001 
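// Certificate-entry public-key checks, key-count capacity tests and import-size tests.

    /**
     * Verifies that the public key of an RSA certificate-only entry can initialise the listed
     * {@link Signature} and {@link Cipher} transformations.
     *
     * <p>Only initialisation is checked. "NONEwithRSA" and "RSA/ECB/NoPadding" are provider
     * compatibility checks, not a recommendation to use unpadded RSA in application code.
     */
    public void testKeyStore_TrustedCertificateEntry_RSA_PublicKeyWorksWithCrypto()
            throws Exception {
        mKeyStore.load(null, null);
        mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_USER_1));
        PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey();
        assertNotNull(publicKey);

        Signature.getInstance("SHA256withRSA").initVerify(publicKey);
        Signature.getInstance("NONEwithRSA").initVerify(publicKey);

        Cipher.getInstance("RSA/ECB/PKCS1Padding").init(Cipher.ENCRYPT_MODE, publicKey);
        Cipher.getInstance("RSA/ECB/NoPadding").init(Cipher.ENCRYPT_MODE, publicKey);
    }

    /**
     * Verifies that the public key of an EC certificate-only entry can initialise ECDSA
     * verification, with and without a digest. Only initialisation is checked.
     */
    public void testKeyStore_TrustedCertificateEntry_EC_PublicKeyWorksWithCrypto()
            throws Exception {
        mKeyStore.load(null, null);
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_EC_USER_1));
        PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey();
        assertNotNull(publicKey);

        Signature.getInstance("SHA256withECDSA").initVerify(publicKey);
        Signature.getInstance("NONEwithECDSA").initVerify(publicKey);
    }

    // Minimum number of filler keys each LargeNumberOfKeysSupported test must manage to import.
    private static final int MIN_SUPPORTED_KEY_COUNT = 1500;
    private static final long MINUTE_IN_MILLIS = 1000 * 60;
    // Time budget, measured from test start, during which filler keys keep being imported.
    private static final long LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS = 2 * MINUTE_IN_MILLIS;

    /**
     * Reports whether more than {@code durationMillis} has elapsed since
     * {@code startTimeMillis}, judged by the wall clock.
     *
     * @param startTimeMillis start time as returned by {@link System#currentTimeMillis()}
     * @param durationMillis permitted duration in milliseconds
     * @return {@code true} once the duration is exceeded, or when the clock reads earlier
     *         than the start time
     */
    private static boolean isDeadlineReached(long startTimeMillis, long durationMillis) {
        long nowMillis = System.currentTimeMillis();
        if (nowMillis < startTimeMillis) {
            // The wall clock moved backwards; stop instead of risking an unbounded loop.
            return true;
        }
        return nowMillis - startTimeMillis > durationMillis;
    }

    /**
     * Capacity test for RSA signing keys: the first and the last imported key must still
     * produce signatures that verify against the public keys in their original certificates.
     */
    @LargeTest
    public void testKeyStore_LargeNumberOfKeysSupported_RSA() throws Exception {
        // This test imports key1, then lots of other keys, then key2, and then confirms that
        // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
        // underlying implementation has a limit on the number of keys, it'll either delete the
        // oldest key (key1), or will refuse to add keys (key2).
        // The test imports as many keys as it can in a fixed amount of time instead of stopping
        // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
        // with the constraints on how long the test can run and performance differences of hardware
        // under test.

        long testStartTimeMillis = System.currentTimeMillis();

        Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key1_cert);
        PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key1_pkcs8);
        String entryName1 = "test0";

        Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key2_cert);
        PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key2_pkcs8);

        Certificate cert3 = generateCertificate(FAKE_RSA_USER_1);
        PrivateKey privateKey3 = generatePrivateKey("RSA", FAKE_RSA_KEY_1);

        mKeyStore.load(null);
        // Highest "test<N>" alias attempted so far; the finally block deletes 0..N.
        int latestImportedEntryNumber = 0;
        try {
            KeyProtection protectionParams = new KeyProtection.Builder(
                    KeyProperties.PURPOSE_SIGN)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                    .build();
            mKeyStore.setEntry(entryName1,
                    new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
                    protectionParams);

            // Import key3 lots of times, under different aliases.
            while (!isDeadlineReached(
                    testStartTimeMillis, LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS)) {
                latestImportedEntryNumber++;
                if ((latestImportedEntryNumber % 1000) == 0) {
                    Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
                }
                String entryAlias = "test" + latestImportedEntryNumber;
                try {
                    mKeyStore.setEntry(entryAlias,
                            new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
                            protectionParams);
                } catch (Throwable e) {
                    // Rethrown with the alias so the failing import can be identified.
                    throw new RuntimeException("Entry " + entryAlias + " import failed", e);
                }
            }
            Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
                fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
                        + (System.currentTimeMillis() - testStartTimeMillis)
                        + " ms. Imported: " + latestImportedEntryNumber + " keys");
            }

            latestImportedEntryNumber++;
            String entryName2 = "test" + latestImportedEntryNumber;
            mKeyStore.setEntry(entryName2,
                    new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
                    protectionParams);
            PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
            PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);

            byte[] message = "This is a test".getBytes("UTF-8");

            // Sign with the keystore-held key, verify with the public key from the original
            // certificate: success shows the stored key is still the one that was imported.
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(keystorePrivateKey1);
            sig.update(message);
            byte[] signature = sig.sign();
            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initVerify(cert1.getPublicKey());
            sig.update(message);
            assertTrue(sig.verify(signature));

            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initSign(keystorePrivateKey2);
            sig.update(message);
            signature = sig.sign();
            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initVerify(cert2.getPublicKey());
            sig.update(message);
            assertTrue(sig.verify(signature));
        } finally {
            // Clean up Keystore without using KeyStore.aliases() which can't handle this many
            // entries.
            Log.i(TAG, "Deleting imported keys");
            for (int i = 0; i <= latestImportedEntryNumber; i++) {
                if ((i > 0) && ((i % 1000) == 0)) {
                    Log.i(TAG, "Deleted " + i + " keys");
                }
                mKeyStore.deleteEntry("test" + i);
            }
            Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
        }
    }

    /**
     * Capacity test for EC signing keys: the first and the last imported key must still
     * produce signatures that verify against the public keys in their original certificates.
     */
    @LargeTest
    public void testKeyStore_LargeNumberOfKeysSupported_EC() throws Exception {
        // This test imports key1, then lots of other keys, then key2, and then confirms that
        // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
        // underlying implementation has a limit on the number of keys, it'll either delete the
        // oldest key (key1), or will refuse to add keys (key2).
        // The test imports as many keys as it can in a fixed amount of time instead of stopping
        // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
        // with the constraints on how long the test can run and performance differences of hardware
        // under test.

        long testStartTimeMillis = System.currentTimeMillis();

        Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key1_cert);
        PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key1_pkcs8);
        String entryName1 = "test0";

        Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key2_cert);
        PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key2_pkcs8);

        Certificate cert3 = generateCertificate(FAKE_EC_USER_1);
        PrivateKey privateKey3 = generatePrivateKey("EC", FAKE_EC_KEY_1);

        mKeyStore.load(null);
        // Highest "test<N>" alias attempted so far; the finally block deletes 0..N.
        int latestImportedEntryNumber = 0;
        try {
            KeyProtection protectionParams = new KeyProtection.Builder(
                    KeyProperties.PURPOSE_SIGN)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .build();
            mKeyStore.setEntry(entryName1,
                    new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
                    protectionParams);

            // Import key3 lots of times, under different aliases.
            while (!isDeadlineReached(
                    testStartTimeMillis, LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS)) {
                latestImportedEntryNumber++;
                if ((latestImportedEntryNumber % 1000) == 0) {
                    Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
                }
                String entryAlias = "test" + latestImportedEntryNumber;
                try {
                    mKeyStore.setEntry(entryAlias,
                            new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
                            protectionParams);
                } catch (Throwable e) {
                    // Rethrown with the alias so the failing import can be identified.
                    throw new RuntimeException("Entry " + entryAlias + " import failed", e);
                }
            }
            Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
                fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
                        + (System.currentTimeMillis() - testStartTimeMillis)
                        + " ms. Imported: " + latestImportedEntryNumber + " keys");
            }

            latestImportedEntryNumber++;
            String entryName2 = "test" + latestImportedEntryNumber;
            mKeyStore.setEntry(entryName2,
                    new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
                    protectionParams);
            PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
            PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);

            byte[] message = "This is a test".getBytes("UTF-8");

            // Sign with the keystore-held key, verify with the public key from the original
            // certificate: success shows the stored key is still the one that was imported.
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initSign(keystorePrivateKey1);
            sig.update(message);
            byte[] signature = sig.sign();
            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initVerify(cert1.getPublicKey());
            sig.update(message);
            assertTrue(sig.verify(signature));

            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initSign(keystorePrivateKey2);
            sig.update(message);
            signature = sig.sign();
            sig = Signature.getInstance(sig.getAlgorithm());
            sig.initVerify(cert2.getPublicKey());
            sig.update(message);
            assertTrue(sig.verify(signature));
        } finally {
            // Clean up Keystore without using KeyStore.aliases() which can't handle this many
            // entries.
            Log.i(TAG, "Deleting imported keys");
            for (int i = 0; i <= latestImportedEntryNumber; i++) {
                if ((i > 0) && ((i % 1000) == 0)) {
                    Log.i(TAG, "Deleted " + i + " keys");
                }
                mKeyStore.deleteEntry("test" + i);
            }
            Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
        }
    }

    /**
     * Capacity test for AES keys: the first and the last imported key must still encrypt
     * data that the original in-memory key can decrypt.
     *
     * <p>The hex key values are fixed test vectors. The keys are imported with
     * {@code PURPOSE_ENCRYPT} only, so decryption is performed with the in-memory copies
     * ({@code key1}, {@code key2}) and the parameters reported by the encrypting cipher.
     */
    @LargeTest
    public void testKeyStore_LargeNumberOfKeysSupported_AES() throws Exception {
        // This test imports key1, then lots of other keys, then key2, and then confirms that
        // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
        // underlying implementation has a limit on the number of keys, it'll either delete the
        // oldest key (key1), or will refuse to add keys (key2).
        // The test imports as many keys as it can in a fixed amount of time instead of stopping
        // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
        // with the constraints on how long the test can run and performance differences of hardware
        // under test.

        long testStartTimeMillis = System.currentTimeMillis();

        SecretKey key1 = new TransparentSecretKey(
                HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "AES");
        String entryName1 = "test0";

        SecretKey key2 = new TransparentSecretKey(
                HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "AES");

        SecretKey key3 = new TransparentSecretKey(
                HexEncoding.decode("33333333333333333333777777777777"), "AES");

        mKeyStore.load(null);
        // Highest "test<N>" alias attempted so far; the finally block deletes 0..N.
        int latestImportedEntryNumber = 0;
        try {
            KeyProtection protectionParams = new KeyProtection.Builder(
                    KeyProperties.PURPOSE_ENCRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .build();
            mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);

            // Import key3 lots of times, under different aliases.
            while (!isDeadlineReached(
                    testStartTimeMillis, LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS)) {
                latestImportedEntryNumber++;
                if ((latestImportedEntryNumber % 1000) == 0) {
                    Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
                }
                String entryAlias = "test" + latestImportedEntryNumber;
                try {
                    mKeyStore.setEntry(entryAlias,
                            new KeyStore.SecretKeyEntry(key3), protectionParams);
                } catch (Throwable e) {
                    // Rethrown with the alias so the failing import can be identified.
                    throw new RuntimeException("Entry " + entryAlias + " import failed", e);
                }
            }
            Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
                fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
                        + (System.currentTimeMillis() - testStartTimeMillis)
                        + " ms. Imported: " + latestImportedEntryNumber + " keys");
            }

            latestImportedEntryNumber++;
            String entryName2 = "test" + latestImportedEntryNumber;
            mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
            SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
            SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);

            byte[] plaintext = "This is a test".getBytes("UTF-8");
            // Encrypt with the keystore-held key, decrypt with the in-memory copy: a matching
            // round trip shows the stored key is still the material that was imported.
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, keystoreKey1);
            byte[] ciphertext = cipher.doFinal(plaintext);
            AlgorithmParameters cipherParams = cipher.getParameters();
            cipher = Cipher.getInstance(cipher.getAlgorithm());
            cipher.init(Cipher.DECRYPT_MODE, key1, cipherParams);
            MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));

            cipher = Cipher.getInstance(cipher.getAlgorithm());
            cipher.init(Cipher.ENCRYPT_MODE, keystoreKey2);
            ciphertext = cipher.doFinal(plaintext);
            cipherParams = cipher.getParameters();
            cipher = Cipher.getInstance(cipher.getAlgorithm());
            cipher.init(Cipher.DECRYPT_MODE, key2, cipherParams);
            MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));
        } finally {
            // Clean up Keystore without using KeyStore.aliases() which can't handle this many
            // entries.
            Log.i(TAG, "Deleting imported keys");
            for (int i = 0; i <= latestImportedEntryNumber; i++) {
                if ((i > 0) && ((i % 1000) == 0)) {
                    Log.i(TAG, "Deleted " + i + " keys");
                }
                mKeyStore.deleteEntry("test" + i);
            }
            Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
        }
    }

    /**
     * Capacity test for HMAC keys: the first and the last imported key must still produce
     * the MAC values hard-coded below for the fixed test message.
     */
    @LargeTest
    public void testKeyStore_LargeNumberOfKeysSupported_HMAC() throws Exception {
        // This test imports key1, then lots of other keys, then key2, and then confirms that
        // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
        // underlying implementation has a limit on the number of keys, it'll either delete the
        // oldest key (key1), or will refuse to add keys (key2).
        // The test imports as many keys as it can in a fixed amount of time instead of stopping
        // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
        // with the constraints on how long the test can run and performance differences of hardware
        // under test.

        long testStartTimeMillis = System.currentTimeMillis();

        SecretKey key1 = new TransparentSecretKey(
                HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "HmacSHA256");
        String entryName1 = "test0";

        SecretKey key2 = new TransparentSecretKey(
                HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "HmacSHA256");

        SecretKey key3 = new TransparentSecretKey(
                HexEncoding.decode("33333333333333333333777777777777"), "HmacSHA256");

        mKeyStore.load(null);
        // Highest "test<N>" alias attempted so far; the finally block deletes 0..N.
        int latestImportedEntryNumber = 0;
        try {
            KeyProtection protectionParams = new KeyProtection.Builder(
                    KeyProperties.PURPOSE_SIGN)
                    .build();
            mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);

            // Import key3 lots of times, under different aliases.
            while (!isDeadlineReached(
                    testStartTimeMillis, LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS)) {
                latestImportedEntryNumber++;
                if ((latestImportedEntryNumber % 1000) == 0) {
                    Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
                }
                String entryAlias = "test" + latestImportedEntryNumber;
                try {
                    mKeyStore.setEntry(entryAlias,
                            new KeyStore.SecretKeyEntry(key3), protectionParams);
                } catch (Throwable e) {
                    // Rethrown with the alias so the failing import can be identified.
                    throw new RuntimeException("Entry " + entryAlias + " import failed", e);
                }
            }
            Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
                fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
                        + (System.currentTimeMillis() - testStartTimeMillis)
                        + " ms. Imported: " + latestImportedEntryNumber + " keys");
            }

            latestImportedEntryNumber++;
            String entryName2 = "test" + latestImportedEntryNumber;
            mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
            SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
            SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);

            byte[] message = "This is a test".getBytes("UTF-8");
            Mac mac = Mac.getInstance(key1.getAlgorithm());
            mac.init(keystoreKey1);
            MoreAsserts.assertEquals(
                    HexEncoding.decode(
                            "905e36f5a175f4ca54ad56b860b46f6502f883a90628dca2d33a953fb7224eaf"),
                    mac.doFinal(message));

            mac = Mac.getInstance(key2.getAlgorithm());
            mac.init(keystoreKey2);
            MoreAsserts.assertEquals(
                    HexEncoding.decode(
                            "59b57e77e4e2cb36b5c7b84af198ac004327bc549de6931a1b5505372dd8c957"),
                    mac.doFinal(message));
        } finally {
            // Clean up Keystore without using KeyStore.aliases() which can't handle this many
            // entries.
            Log.i(TAG, "Deleting imported keys");
            for (int i = 0; i <= latestImportedEntryNumber; i++) {
                if ((i > 0) && ((i % 1000) == 0)) {
                    Log.i(TAG, "Deleted " + i + " keys");
                }
                mKeyStore.deleteEntry("test" + i);
            }
            Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
        }
    }

    /**
     * For every HMAC algorithm in {@code KeyGeneratorTest.EXPECTED_ALGORITHMS}, verifies that
     * an imported key ends up authorized for exactly the digest of its own algorithm.
     *
     * <p>Import succeeds when no digest or the matching digest is requested, and must fail
     * with {@link KeyStoreException} for an empty digest set, a different digest, or the
     * matching digest combined with another one.
     */
    public void testKeyStore_OnlyOneDigestCanBeAuthorized_HMAC() throws Exception {
        mKeyStore.load(null);

        for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
            if (!TestUtils.isHmacAlgorithm(algorithm)) {
                continue;
            }
            try {
                String digest = TestUtils.getHmacAlgorithmDigest(algorithm);
                assertNotNull(digest);
                SecretKey keyBeingImported = new TransparentSecretKey(new byte[16], algorithm);

                KeyProtection.Builder goodSpec =
                        new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN);

                // Digests authorization not specified in import parameters
                assertFalse(goodSpec.build().isDigestsSpecified());
                mKeyStore.setEntry(TEST_ALIAS_1,
                        new KeyStore.SecretKeyEntry(keyBeingImported),
                        goodSpec.build());
                SecretKey key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
                TestUtils.assertContentsInAnyOrder(
                        Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);

                // The same digest is specified in import parameters
                mKeyStore.setEntry(TEST_ALIAS_1,
                        new KeyStore.SecretKeyEntry(keyBeingImported),
                        TestUtils.buildUpon(goodSpec).setDigests(digest).build());
                key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
                TestUtils.assertContentsInAnyOrder(
                        Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);

                // Empty set of digests specified in import parameters
                try {
                    mKeyStore.setEntry(TEST_ALIAS_1,
                            new KeyStore.SecretKeyEntry(keyBeingImported),
                            TestUtils.buildUpon(goodSpec).setDigests().build());
                    fail();
                } catch (KeyStoreException expected) {}

                // A different digest specified in import parameters
                String anotherDigest = "SHA-256".equalsIgnoreCase(digest) ? "SHA-384" : "SHA-256";
                try {
                    mKeyStore.setEntry(TEST_ALIAS_1,
                            new KeyStore.SecretKeyEntry(keyBeingImported),
                            TestUtils.buildUpon(goodSpec).setDigests(anotherDigest).build());
                    fail();
                } catch (KeyStoreException expected) {}
                // The matching digest together with a second one must be rejected as well.
                try {
                    mKeyStore.setEntry(TEST_ALIAS_1,
                            new KeyStore.SecretKeyEntry(keyBeingImported),
                            TestUtils.buildUpon(goodSpec)
                                    .setDigests(digest, anotherDigest)
                                    .build());
                    fail();
                } catch (KeyStoreException expected) {}
            } catch (Throwable e) {
                // Rethrown with the algorithm name so the failing iteration is identifiable.
                throw new RuntimeException("Failed for " + algorithm, e);
            }
        }
    }

    /**
     * Tries to import all-zero AES keys of every length from 0 to 64 bytes.
     *
     * <p>Sizes listed in {@code KeyGeneratorTest.AES_SUPPORTED_KEY_SIZES} must import and
     * report the right algorithm and size; every other size must be rejected with
     * {@link KeyStoreException} and must not leave an entry under the alias.
     */
    public void testKeyStore_ImportSupportedSizes_AES() throws Exception {
        mKeyStore.load(null);

        KeyProtection params = new KeyProtection.Builder(
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build();
        String alias = "test1";
        mKeyStore.deleteEntry(alias);
        assertFalse(mKeyStore.containsAlias(alias));
        for (int keySizeBytes = 0; keySizeBytes <= 512 / 8; keySizeBytes++) {
            int keySizeBits = keySizeBytes * 8;
            try {
                KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
                        new TransparentSecretKey(new byte[keySizeBytes], "AES"));
                if (TestUtils.contains(KeyGeneratorTest.AES_SUPPORTED_KEY_SIZES, keySizeBits)) {
                    mKeyStore.setEntry(alias, entry, params);
                    SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
                    assertEquals("AES", key.getAlgorithm());
                    assertEquals(keySizeBits, TestUtils.getKeyInfo(key).getKeySize());
                } else {
                    // Start from an empty alias so a rejected import cannot be masked by an
                    // entry left over from an earlier, supported size.
                    mKeyStore.deleteEntry(alias);
                    assertFalse(mKeyStore.containsAlias(alias));
                    try {
                        mKeyStore.setEntry(alias, entry, params);
                        fail();
                    } catch (KeyStoreException expected) {}
                    assertFalse(mKeyStore.containsAlias(alias));
                }
            } catch (Throwable e) {
                throw new RuntimeException("Failed for key size " + keySizeBits, e);
            }
        }
    }

    /**
     * For every HMAC algorithm in {@code KeyGeneratorTest.EXPECTED_ALGORITHMS}, imports
     * all-zero keys of 8 to 128 bytes and checks the reported algorithm and key size.
     *
     * <p>NOTE(review): the size loop starts at 8 bytes, so the {@code else} branch that expects
     * a rejection for {@code keySizeBytes == 0} is never executed. As written, this test does
     * not cover rejection of empty or very short HMAC keys.
     */
    public void testKeyStore_ImportSupportedSizes_HMAC() throws Exception {
        mKeyStore.load(null);

        KeyProtection params = new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build();
        String alias = "test1";
        mKeyStore.deleteEntry(alias);
        assertFalse(mKeyStore.containsAlias(alias));
        for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
            if (!TestUtils.isHmacAlgorithm(algorithm)) {
                continue;
            }
            for (int keySizeBytes = 8; keySizeBytes <= 1024 / 8; keySizeBytes++) {
                try {
                    KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
                            new TransparentSecretKey(new byte[keySizeBytes], algorithm));
                    if (keySizeBytes > 0) {
                        mKeyStore.setEntry(alias, entry, params);
                        SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
                        assertEquals(algorithm, key.getAlgorithm());
                        assertEquals(keySizeBytes * 8, TestUtils.getKeyInfo(key).getKeySize());
                    } else {
                        // Unreachable with the current loop bounds (see the method comment).
                        mKeyStore.deleteEntry(alias);
                        assertFalse(mKeyStore.containsAlias(alias));
                        try {
                            mKeyStore.setEntry(alias, entry, params);
                            fail();
                        } catch (KeyStoreException expected) {}
                    }
                } catch (Throwable e) {
                    throw new RuntimeException(
                            "Failed for " + algorithm + " with key size " + (keySizeBytes * 8), e);
                }
            }
        }
    }

    /**
     * Imports one EC key pair per curve (secp224r1, secp256r1, secp384r1, secp521r1) with
     * import parameters for "SHA256withECDSA" signing and expects each import to succeed.
     */
    public void testKeyStore_ImportSupportedSizes_EC() throws Exception {
        mKeyStore.load(null);
        KeyProtection params =
                TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withECDSA");
        checkKeyPairImportSucceeds(
                "secp224r1", R.raw.ec_key3_secp224r1_pkcs8, R.raw.ec_key3_secp224r1_cert, params);
        checkKeyPairImportSucceeds(
                "secp256r1", R.raw.ec_key4_secp256r1_pkcs8, R.raw.ec_key4_secp256r1_cert, params);
        checkKeyPairImportSucceeds(
                "secp384r1", R.raw.ec_key5_secp384r1_pkcs8, R.raw.ec_key5_secp384r1_cert, params);
        // The alias doubles as the label in failure messages, so it names the curve that the
        // resources actually contain (secp521r1).
        checkKeyPairImportSucceeds(
                "secp521r1", R.raw.ec_key6_secp521r1_pkcs8, R.raw.ec_key6_secp521r1_cert, params);
    }

    /**
     * Imports one RSA key pair per modulus size from 512 to 4096 bits with import parameters
     * for "SHA256withRSA" signing and expects each import to succeed.
     *
     * <p>The 512-, 768- and 1024-bit keys are test fixtures that confirm the provider accepts
     * these sizes; they are below what is generally considered adequate for new keys.
     */
    public void testKeyStore_ImportSupportedSizes_RSA() throws Exception {
        mKeyStore.load(null);
        KeyProtection params =
                TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withRSA");
        checkKeyPairImportSucceeds(
                "512", R.raw.rsa_key5_512_pkcs8, R.raw.rsa_key5_512_cert, params);
        checkKeyPairImportSucceeds(
                "768", R.raw.rsa_key6_768_pkcs8, R.raw.rsa_key6_768_cert, params);
        checkKeyPairImportSucceeds(
                "1024", R.raw.rsa_key3_1024_pkcs8, R.raw.rsa_key3_1024_cert, params);
        checkKeyPairImportSucceeds(
                "2048", R.raw.rsa_key8_2048_pkcs8, R.raw.rsa_key8_2048_cert, params);
        checkKeyPairImportSucceeds(
                "3072", R.raw.rsa_key7_3072_pksc8, R.raw.rsa_key7_3072_cert, params);
        checkKeyPairImportSucceeds(
                "4096", R.raw.rsa_key4_4096_pkcs8, R.raw.rsa_key4_4096_cert, params);
    }

    /**
     * Imports the key pair held in the given raw resources under {@code alias} and removes
     * the entry again afterwards, whether or not the import succeeded.
     *
     * @param alias keystore alias to import under; also used to label a failure
     * @param privateResId raw resource id of the private key
     * @param certResId raw resource id of the matching certificate
     * @param params import parameters applied to the key
     * @throws RuntimeException wrapping whatever the delete-and-import step threw
     */
    private void checkKeyPairImportSucceeds(
            String alias, int privateResId, int certResId, KeyProtection params) throws Exception {
        try {
            mKeyStore.deleteEntry(alias);
            TestUtils.importIntoAndroidKeyStore(
                    alias, getContext(), privateResId, certResId, params);
        } catch (Throwable e) {
            throw new RuntimeException("Failed for " + alias, e);
        } finally {
            try {
                mKeyStore.deleteEntry(alias);
            } catch (Exception ignored) {
                // Best-effort cleanup; a failure here must not hide the import result.
            }
        }
    }
}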