1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "KeymasterHidlTest.h"
18
19 #include <vector>
20
21 #include <android-base/logging.h>
22 #include <android/hidl/manager/1.0/IServiceManager.h>
23
24 #include <keymasterV4_0/key_param_output.h>
25
26 namespace android {
27 namespace hardware {
28 namespace keymaster {
29 namespace V4_0 {
30
operator <<(::std::ostream & os,const AuthorizationSet & set)31 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
32 if (set.size() == 0)
33 os << "(Empty)" << ::std::endl;
34 else {
35 os << "\n";
36 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl;
37 }
38 return os;
39 }
40
41 namespace test {
42
43 sp<IKeymasterDevice> KeymasterHidlTest::keymaster_;
44 std::vector<sp<IKeymasterDevice>> KeymasterHidlTest::all_keymasters_;
45 uint32_t KeymasterHidlTest::os_version_;
46 uint32_t KeymasterHidlTest::os_patch_level_;
47 SecurityLevel KeymasterHidlTest::securityLevel_;
48 hidl_string KeymasterHidlTest::name_;
49 hidl_string KeymasterHidlTest::author_;
50
SetUpTestCase()51 void KeymasterHidlTest::SetUpTestCase() {
52 string service_name = KeymasterHidlEnvironment::Instance()->getServiceName<IKeymasterDevice>();
53 keymaster_ = ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(service_name);
54 ASSERT_NE(keymaster_, nullptr);
55
56 ASSERT_TRUE(keymaster_
57 ->getHardwareInfo([&](SecurityLevel securityLevel, const hidl_string& name,
58 const hidl_string& author) {
59 securityLevel_ = securityLevel;
60 name_ = name;
61 author_ = author;
62 })
63 .isOk());
64
65 os_version_ = ::keymaster::GetOsVersion();
66 os_patch_level_ = ::keymaster::GetOsPatchlevel();
67
68 auto service_manager = android::hidl::manager::V1_0::IServiceManager::getService();
69 ASSERT_NE(nullptr, service_manager.get());
70
71 all_keymasters_.push_back(keymaster_);
72 service_manager->listByInterface(
73 IKeymasterDevice::descriptor, [&](const hidl_vec<hidl_string>& names) {
74 for (auto& name : names) {
75 if (name == service_name) continue;
76 auto keymaster =
77 ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(name);
78 ASSERT_NE(keymaster, nullptr);
79 all_keymasters_.push_back(keymaster);
80 }
81 });
82 }
83
GenerateKey(const AuthorizationSet & key_desc,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)84 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob,
85 KeyCharacteristics* key_characteristics) {
86 EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug";
87 EXPECT_EQ(0U, key_blob->size()) << "Key blob not empty before generating key. Test bug.";
88 EXPECT_NE(key_characteristics, nullptr)
89 << "Previous characteristics not deleted before generating key. Test bug.";
90
91 ErrorCode error;
92 EXPECT_TRUE(keymaster_
93 ->generateKey(key_desc.hidl_data(),
94 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
95 const KeyCharacteristics& hidl_key_characteristics) {
96 error = hidl_error;
97 *key_blob = hidl_key_blob;
98 *key_characteristics = hidl_key_characteristics;
99 })
100 .isOk());
101 // On error, blob & characteristics should be empty.
102 if (error != ErrorCode::OK) {
103 EXPECT_EQ(0U, key_blob->size());
104 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
105 key_characteristics->hardwareEnforced.size()));
106 }
107 return error;
108 }
109
GenerateKey(const AuthorizationSet & key_desc)110 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc) {
111 return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
112 }
113
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)114 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
115 const string& key_material, HidlBuf* key_blob,
116 KeyCharacteristics* key_characteristics) {
117 ErrorCode error;
118 EXPECT_TRUE(keymaster_
119 ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material),
120 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
121 const KeyCharacteristics& hidl_key_characteristics) {
122 error = hidl_error;
123 *key_blob = hidl_key_blob;
124 *key_characteristics = hidl_key_characteristics;
125 })
126 .isOk());
127 // On error, blob & characteristics should be empty.
128 if (error != ErrorCode::OK) {
129 EXPECT_EQ(0U, key_blob->size());
130 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
131 key_characteristics->hardwareEnforced.size()));
132 }
133 return error;
134 }
135
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material)136 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
137 const string& key_material) {
138 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
139 }
140
ImportWrappedKey(string wrapped_key,string wrapping_key,const AuthorizationSet & wrapping_key_desc,string masking_key,const AuthorizationSet & unwrapping_params)141 ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key,
142 const AuthorizationSet& wrapping_key_desc,
143 string masking_key,
144 const AuthorizationSet& unwrapping_params) {
145 ErrorCode error;
146 ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key);
147 EXPECT_TRUE(keymaster_
148 ->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key),
149 unwrapping_params.hidl_data(), 0 /* passwordSid */,
150 0 /* biometricSid */,
151 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
152 const KeyCharacteristics& hidl_key_characteristics) {
153 error = hidl_error;
154 key_blob_ = hidl_key_blob;
155 key_characteristics_ = hidl_key_characteristics;
156 })
157 .isOk());
158 return error;
159 }
160
ExportKey(KeyFormat format,const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,HidlBuf * key_material)161 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, const HidlBuf& key_blob,
162 const HidlBuf& client_id, const HidlBuf& app_data,
163 HidlBuf* key_material) {
164 ErrorCode error;
165 EXPECT_TRUE(keymaster_
166 ->exportKey(format, key_blob, client_id, app_data,
167 [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) {
168 error = hidl_error_code;
169 *key_material = hidl_key_material;
170 })
171 .isOk());
172 // On error, blob should be empty.
173 if (error != ErrorCode::OK) {
174 EXPECT_EQ(0U, key_material->size());
175 }
176 return error;
177 }
178
ExportKey(KeyFormat format,HidlBuf * key_material)179 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, HidlBuf* key_material) {
180 HidlBuf client_id, app_data;
181 return ExportKey(format, key_blob_, client_id, app_data, key_material);
182 }
183
DeleteKey(HidlBuf * key_blob,bool keep_key_blob)184 ErrorCode KeymasterHidlTest::DeleteKey(HidlBuf* key_blob, bool keep_key_blob) {
185 auto rc = keymaster_->deleteKey(*key_blob);
186 if (!keep_key_blob) *key_blob = HidlBuf();
187 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
188 return rc;
189 }
190
DeleteKey(bool keep_key_blob)191 ErrorCode KeymasterHidlTest::DeleteKey(bool keep_key_blob) {
192 return DeleteKey(&key_blob_, keep_key_blob);
193 }
194
DeleteAllKeys()195 ErrorCode KeymasterHidlTest::DeleteAllKeys() {
196 ErrorCode error = keymaster_->deleteAllKeys();
197 return error;
198 }
199
CheckedDeleteKey(HidlBuf * key_blob,bool keep_key_blob)200 void KeymasterHidlTest::CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob) {
201 auto rc = DeleteKey(key_blob, keep_key_blob);
202 EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
203 }
204
CheckedDeleteKey()205 void KeymasterHidlTest::CheckedDeleteKey() {
206 CheckedDeleteKey(&key_blob_);
207 }
208
GetCharacteristics(const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,KeyCharacteristics * key_characteristics)209 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
210 const HidlBuf& app_data,
211 KeyCharacteristics* key_characteristics) {
212 ErrorCode error = ErrorCode::UNKNOWN_ERROR;
213 EXPECT_TRUE(
214 keymaster_
215 ->getKeyCharacteristics(
216 key_blob, client_id, app_data,
217 [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) {
218 error = hidl_error, *key_characteristics = hidl_key_characteristics;
219 })
220 .isOk());
221 return error;
222 }
223
GetCharacteristics(const HidlBuf & key_blob,KeyCharacteristics * key_characteristics)224 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob,
225 KeyCharacteristics* key_characteristics) {
226 HidlBuf client_id, app_data;
227 return GetCharacteristics(key_blob, client_id, app_data, key_characteristics);
228 }
229
Begin(KeyPurpose purpose,const HidlBuf & key_blob,const AuthorizationSet & in_params,AuthorizationSet * out_params,OperationHandle * op_handle)230 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const HidlBuf& key_blob,
231 const AuthorizationSet& in_params, AuthorizationSet* out_params,
232 OperationHandle* op_handle) {
233 SCOPED_TRACE("Begin");
234 ErrorCode error;
235 OperationHandle saved_handle = *op_handle;
236 EXPECT_TRUE(keymaster_
237 ->begin(purpose, key_blob, in_params.hidl_data(), HardwareAuthToken(),
238 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
239 uint64_t hidl_op_handle) {
240 error = hidl_error;
241 *out_params = hidl_out_params;
242 *op_handle = hidl_op_handle;
243 })
244 .isOk());
245 if (error != ErrorCode::OK) {
246 // Some implementations may modify *op_handle on error.
247 *op_handle = saved_handle;
248 }
249 return error;
250 }
251
Begin(KeyPurpose purpose,const AuthorizationSet & in_params,AuthorizationSet * out_params)252 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
253 AuthorizationSet* out_params) {
254 SCOPED_TRACE("Begin");
255 EXPECT_EQ(kOpHandleSentinel, op_handle_);
256 return Begin(purpose, key_blob_, in_params, out_params, &op_handle_);
257 }
258
Begin(KeyPurpose purpose,const AuthorizationSet & in_params)259 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
260 SCOPED_TRACE("Begin");
261 AuthorizationSet out_params;
262 ErrorCode error = Begin(purpose, in_params, &out_params);
263 EXPECT_TRUE(out_params.empty());
264 return error;
265 }
266
Update(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,AuthorizationSet * out_params,string * output,size_t * input_consumed)267 ErrorCode KeymasterHidlTest::Update(OperationHandle op_handle, const AuthorizationSet& in_params,
268 const string& input, AuthorizationSet* out_params,
269 string* output, size_t* input_consumed) {
270 SCOPED_TRACE("Update");
271 ErrorCode error;
272 EXPECT_TRUE(keymaster_
273 ->update(op_handle, in_params.hidl_data(), HidlBuf(input), HardwareAuthToken(),
274 VerificationToken(),
275 [&](ErrorCode hidl_error, uint32_t hidl_input_consumed,
276 const hidl_vec<KeyParameter>& hidl_out_params,
277 const HidlBuf& hidl_output) {
278 error = hidl_error;
279 out_params->push_back(AuthorizationSet(hidl_out_params));
280 output->append(hidl_output.to_string());
281 *input_consumed = hidl_input_consumed;
282 })
283 .isOk());
284 return error;
285 }
286
Update(const string & input,string * out,size_t * input_consumed)287 ErrorCode KeymasterHidlTest::Update(const string& input, string* out, size_t* input_consumed) {
288 SCOPED_TRACE("Update");
289 AuthorizationSet out_params;
290 ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params,
291 out, input_consumed);
292 EXPECT_TRUE(out_params.empty());
293 return error;
294 }
295
Finish(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,const string & signature,AuthorizationSet * out_params,string * output)296 ErrorCode KeymasterHidlTest::Finish(OperationHandle op_handle, const AuthorizationSet& in_params,
297 const string& input, const string& signature,
298 AuthorizationSet* out_params, string* output) {
299 SCOPED_TRACE("Finish");
300 ErrorCode error;
301 EXPECT_TRUE(
302 keymaster_
303 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature),
304 HardwareAuthToken(), VerificationToken(),
305 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
306 const HidlBuf& hidl_output) {
307 error = hidl_error;
308 *out_params = hidl_out_params;
309 output->append(hidl_output.to_string());
310 })
311 .isOk());
312 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort().
313 return error;
314 }
315
Finish(const string & message,string * output)316 ErrorCode KeymasterHidlTest::Finish(const string& message, string* output) {
317 SCOPED_TRACE("Finish");
318 AuthorizationSet out_params;
319 string finish_output;
320 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message,
321 "" /* signature */, &out_params, output);
322 if (error != ErrorCode::OK) {
323 return error;
324 }
325 EXPECT_EQ(0U, out_params.size());
326 return error;
327 }
328
Finish(const string & message,const string & signature,string * output)329 ErrorCode KeymasterHidlTest::Finish(const string& message, const string& signature,
330 string* output) {
331 SCOPED_TRACE("Finish");
332 AuthorizationSet out_params;
333 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature,
334 &out_params, output);
335 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort().
336 if (error != ErrorCode::OK) {
337 return error;
338 }
339 EXPECT_EQ(0U, out_params.size());
340 return error;
341 }
342
Abort(OperationHandle op_handle)343 ErrorCode KeymasterHidlTest::Abort(OperationHandle op_handle) {
344 SCOPED_TRACE("Abort");
345 auto retval = keymaster_->abort(op_handle);
346 EXPECT_TRUE(retval.isOk());
347 return retval;
348 }
349
AbortIfNeeded()350 void KeymasterHidlTest::AbortIfNeeded() {
351 SCOPED_TRACE("AbortIfNeeded");
352 if (op_handle_ != kOpHandleSentinel) {
353 EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
354 op_handle_ = kOpHandleSentinel;
355 }
356 }
357
AttestKey(const HidlBuf & key_blob,const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)358 ErrorCode KeymasterHidlTest::AttestKey(const HidlBuf& key_blob,
359 const AuthorizationSet& attest_params,
360 hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
361 SCOPED_TRACE("AttestKey");
362 ErrorCode error;
363 auto rc = keymaster_->attestKey(
364 key_blob, attest_params.hidl_data(),
365 [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) {
366 error = hidl_error;
367 *cert_chain = hidl_cert_chain;
368 });
369
370 EXPECT_TRUE(rc.isOk()) << rc.description();
371 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
372
373 return error;
374 }
375
AttestKey(const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)376 ErrorCode KeymasterHidlTest::AttestKey(const AuthorizationSet& attest_params,
377 hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
378 SCOPED_TRACE("AttestKey");
379 return AttestKey(key_blob_, attest_params, cert_chain);
380 }
381
ProcessMessage(const HidlBuf & key_blob,KeyPurpose operation,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)382 string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation,
383 const string& message, const AuthorizationSet& in_params,
384 AuthorizationSet* out_params) {
385 SCOPED_TRACE("ProcessMessage");
386 AuthorizationSet begin_out_params;
387 EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
388
389 string output;
390 size_t consumed = 0;
391 AuthorizationSet update_params;
392 AuthorizationSet update_out_params;
393 EXPECT_EQ(ErrorCode::OK,
394 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
395
396 string unused;
397 AuthorizationSet finish_params;
398 AuthorizationSet finish_out_params;
399 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused,
400 &finish_out_params, &output));
401 op_handle_ = kOpHandleSentinel;
402
403 out_params->push_back(begin_out_params);
404 out_params->push_back(finish_out_params);
405 return output;
406 }
407
SignMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & params)408 string KeymasterHidlTest::SignMessage(const HidlBuf& key_blob, const string& message,
409 const AuthorizationSet& params) {
410 SCOPED_TRACE("SignMessage");
411 AuthorizationSet out_params;
412 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
413 EXPECT_TRUE(out_params.empty());
414 return signature;
415 }
416
SignMessage(const string & message,const AuthorizationSet & params)417 string KeymasterHidlTest::SignMessage(const string& message, const AuthorizationSet& params) {
418 SCOPED_TRACE("SignMessage");
419 return SignMessage(key_blob_, message, params);
420 }
421
MacMessage(const string & message,Digest digest,size_t mac_length)422 string KeymasterHidlTest::MacMessage(const string& message, Digest digest, size_t mac_length) {
423 SCOPED_TRACE("MacMessage");
424 return SignMessage(
425 key_blob_, message,
426 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
427 }
428
CheckHmacTestVector(const string & key,const string & message,Digest digest,const string & expected_mac)429 void KeymasterHidlTest::CheckHmacTestVector(const string& key, const string& message, Digest digest,
430 const string& expected_mac) {
431 SCOPED_TRACE("CheckHmacTestVector");
432 ASSERT_EQ(ErrorCode::OK,
433 ImportKey(AuthorizationSetBuilder()
434 .Authorization(TAG_NO_AUTH_REQUIRED)
435 .HmacKey(key.size() * 8)
436 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
437 .Digest(digest),
438 KeyFormat::RAW, key));
439 string signature = MacMessage(message, digest, expected_mac.size() * 8);
440 EXPECT_EQ(expected_mac, signature)
441 << "Test vector didn't match for key of size " << key.size() << " message of size "
442 << message.size() << " and digest " << digest;
443 CheckedDeleteKey();
444 }
445
CheckAesCtrTestVector(const string & key,const string & nonce,const string & message,const string & expected_ciphertext)446 void KeymasterHidlTest::CheckAesCtrTestVector(const string& key, const string& nonce,
447 const string& message,
448 const string& expected_ciphertext) {
449 SCOPED_TRACE("CheckAesCtrTestVector");
450 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
451 .Authorization(TAG_NO_AUTH_REQUIRED)
452 .AesEncryptionKey(key.size() * 8)
453 .BlockMode(BlockMode::CTR)
454 .Authorization(TAG_CALLER_NONCE)
455 .Padding(PaddingMode::NONE),
456 KeyFormat::RAW, key));
457
458 auto params = AuthorizationSetBuilder()
459 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
460 .BlockMode(BlockMode::CTR)
461 .Padding(PaddingMode::NONE);
462 AuthorizationSet out_params;
463 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
464 EXPECT_EQ(expected_ciphertext, ciphertext);
465 }
466
CheckTripleDesTestVector(KeyPurpose purpose,BlockMode block_mode,PaddingMode padding_mode,const string & key,const string & iv,const string & input,const string & expected_output)467 void KeymasterHidlTest::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
468 PaddingMode padding_mode, const string& key,
469 const string& iv, const string& input,
470 const string& expected_output) {
471 auto authset = AuthorizationSetBuilder()
472 .TripleDesEncryptionKey(key.size() * 7)
473 .BlockMode(block_mode)
474 .Authorization(TAG_NO_AUTH_REQUIRED)
475 .Padding(padding_mode);
476 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
477 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
478 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
479 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
480 AuthorizationSet output_params;
481 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
482 EXPECT_EQ(expected_output, output);
483 }
484
VerifyMessage(const HidlBuf & key_blob,const string & message,const string & signature,const AuthorizationSet & params)485 void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& message,
486 const string& signature, const AuthorizationSet& params) {
487 SCOPED_TRACE("VerifyMessage");
488 AuthorizationSet begin_out_params;
489 ASSERT_EQ(ErrorCode::OK,
490 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_));
491
492 string output;
493 AuthorizationSet update_params;
494 AuthorizationSet update_out_params;
495 size_t consumed;
496 ASSERT_EQ(ErrorCode::OK,
497 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
498 EXPECT_TRUE(output.empty());
499 EXPECT_GT(consumed, 0U);
500
501 string unused;
502 AuthorizationSet finish_params;
503 AuthorizationSet finish_out_params;
504 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature,
505 &finish_out_params, &output));
506 op_handle_ = kOpHandleSentinel;
507 EXPECT_TRUE(output.empty());
508 }
509
VerifyMessage(const string & message,const string & signature,const AuthorizationSet & params)510 void KeymasterHidlTest::VerifyMessage(const string& message, const string& signature,
511 const AuthorizationSet& params) {
512 SCOPED_TRACE("VerifyMessage");
513 VerifyMessage(key_blob_, message, signature, params);
514 }
515
EncryptMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)516 string KeymasterHidlTest::EncryptMessage(const HidlBuf& key_blob, const string& message,
517 const AuthorizationSet& in_params,
518 AuthorizationSet* out_params) {
519 SCOPED_TRACE("EncryptMessage");
520 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
521 }
522
EncryptMessage(const string & message,const AuthorizationSet & params,AuthorizationSet * out_params)523 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params,
524 AuthorizationSet* out_params) {
525 SCOPED_TRACE("EncryptMessage");
526 return EncryptMessage(key_blob_, message, params, out_params);
527 }
528
EncryptMessage(const string & message,const AuthorizationSet & params)529 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params) {
530 SCOPED_TRACE("EncryptMessage");
531 AuthorizationSet out_params;
532 string ciphertext = EncryptMessage(message, params, &out_params);
533 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
534 return ciphertext;
535 }
536
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding)537 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
538 PaddingMode padding) {
539 SCOPED_TRACE("EncryptMessage");
540 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
541 AuthorizationSet out_params;
542 string ciphertext = EncryptMessage(message, params, &out_params);
543 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
544 return ciphertext;
545 }
546
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,HidlBuf * iv_out)547 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
548 PaddingMode padding, HidlBuf* iv_out) {
549 SCOPED_TRACE("EncryptMessage");
550 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
551 AuthorizationSet out_params;
552 string ciphertext = EncryptMessage(message, params, &out_params);
553 EXPECT_EQ(1U, out_params.size());
554 auto ivVal = out_params.GetTagValue(TAG_NONCE);
555 EXPECT_TRUE(ivVal.isOk());
556 if (ivVal.isOk()) *iv_out = ivVal.value();
557 return ciphertext;
558 }
559
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,const HidlBuf & iv_in)560 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
561 PaddingMode padding, const HidlBuf& iv_in) {
562 SCOPED_TRACE("EncryptMessage");
563 auto params = AuthorizationSetBuilder()
564 .BlockMode(block_mode)
565 .Padding(padding)
566 .Authorization(TAG_NONCE, iv_in);
567 AuthorizationSet out_params;
568 string ciphertext = EncryptMessage(message, params, &out_params);
569 return ciphertext;
570 }
571
DecryptMessage(const HidlBuf & key_blob,const string & ciphertext,const AuthorizationSet & params)572 string KeymasterHidlTest::DecryptMessage(const HidlBuf& key_blob, const string& ciphertext,
573 const AuthorizationSet& params) {
574 SCOPED_TRACE("DecryptMessage");
575 AuthorizationSet out_params;
576 string plaintext =
577 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
578 EXPECT_TRUE(out_params.empty());
579 return plaintext;
580 }
581
DecryptMessage(const string & ciphertext,const AuthorizationSet & params)582 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, const AuthorizationSet& params) {
583 SCOPED_TRACE("DecryptMessage");
584 return DecryptMessage(key_blob_, ciphertext, params);
585 }
586
DecryptMessage(const string & ciphertext,BlockMode block_mode,PaddingMode padding_mode,const HidlBuf & iv)587 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, BlockMode block_mode,
588 PaddingMode padding_mode, const HidlBuf& iv) {
589 SCOPED_TRACE("DecryptMessage");
590 auto params = AuthorizationSetBuilder()
591 .BlockMode(block_mode)
592 .Padding(padding_mode)
593 .Authorization(TAG_NONCE, iv);
594 return DecryptMessage(key_blob_, ciphertext, params);
595 }
596
UpgradeKey(const HidlBuf & key_blob)597 std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_blob) {
598 std::pair<ErrorCode, HidlBuf> retval;
599 keymaster_->upgradeKey(key_blob, hidl_vec<KeyParameter>(),
600 [&](ErrorCode error, const hidl_vec<uint8_t>& upgraded_blob) {
601 retval = std::tie(error, upgraded_blob);
602 });
603 return retval;
604 }
ValidKeySizes(Algorithm algorithm)605 std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) {
606 switch (algorithm) {
607 case Algorithm::RSA:
608 switch (SecLevel()) {
609 case SecurityLevel::TRUSTED_ENVIRONMENT:
610 return {2048, 3072, 4096};
611 case SecurityLevel::STRONGBOX:
612 return {2048};
613 default:
614 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
615 break;
616 }
617 break;
618 case Algorithm::EC:
619 switch (SecLevel()) {
620 case SecurityLevel::TRUSTED_ENVIRONMENT:
621 return {224, 256, 384, 521};
622 case SecurityLevel::STRONGBOX:
623 return {256};
624 default:
625 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
626 break;
627 }
628 break;
629 case Algorithm::AES:
630 return {128, 256};
631 case Algorithm::TRIPLE_DES:
632 return {168};
633 case Algorithm::HMAC: {
634 std::vector<uint32_t> retval((512 - 64) / 8 + 1);
635 uint32_t size = 64 - 8;
636 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
637 return retval;
638 }
639 default:
640 CHECK(false) << "Invalid Algorithm: " << algorithm;
641 return {};
642 }
643 CHECK(false) << "Should be impossible to get here";
644 return {};
645 }
InvalidKeySizes(Algorithm algorithm)646 std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) {
647 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
648 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
649 switch (algorithm) {
650 case Algorithm::RSA:
651 return {3072, 4096};
652 case Algorithm::EC:
653 return {224, 384, 521};
654 default:
655 return {};
656 }
657 }
658
ValidCurves()659 std::vector<EcCurve> KeymasterHidlTest::ValidCurves() {
660 if (securityLevel_ == SecurityLevel::STRONGBOX) {
661 return {EcCurve::P_256};
662 } else {
663 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
664 }
665 }
666
InvalidCurves()667 std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() {
668 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
669 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
670 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
671 }
672
ValidDigests(bool withNone,bool withMD5)673 std::initializer_list<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) {
674 std::vector<Digest> result;
675 switch (SecLevel()) {
676 case SecurityLevel::TRUSTED_ENVIRONMENT:
677 if (withNone) {
678 if (withMD5)
679 return {Digest::NONE, Digest::MD5, Digest::SHA1,
680 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
681 Digest::SHA_2_512};
682 else
683 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
684 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
685 } else {
686 if (withMD5)
687 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
688 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
689 else
690 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
691 Digest::SHA_2_512};
692 }
693 break;
694 case SecurityLevel::STRONGBOX:
695 if (withNone)
696 return {Digest::NONE, Digest::SHA_2_256};
697 else
698 return {Digest::SHA_2_256};
699 break;
700 default:
701 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
702 break;
703 }
704 CHECK(false) << "Should be impossible to get here";
705 return {};
706 }
707
InvalidDigests()708 std::vector<Digest> KeymasterHidlTest::InvalidDigests() {
709 return {};
710 }
711
712 } // namespace test
713 } // namespace V4_0
714 } // namespace keymaster
715 } // namespace hardware
716 } // namespace android
717