1 /* 2 * Copyright 2013 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.keystore.cts; 18 19 import android.app.KeyguardManager; 20 import android.content.Context; 21 import android.content.pm.PackageManager; 22 import android.security.KeyPairGeneratorSpec; 23 import android.security.KeyStoreParameter; 24 import android.security.keystore.KeyProperties; 25 import android.security.keystore.KeyProtection; 26 import android.test.AndroidTestCase; 27 import android.test.MoreAsserts; 28 import android.test.suitebuilder.annotation.LargeTest; 29 import android.util.Log; 30 31 import android.keystore.cts.R; 32 33 import java.io.ByteArrayInputStream; 34 import java.io.ByteArrayOutputStream; 35 import java.io.OutputStream; 36 import java.math.BigInteger; 37 import java.security.AlgorithmParameters; 38 import java.security.Key; 39 import java.security.KeyFactory; 40 import java.security.KeyPairGenerator; 41 import java.security.KeyStore; 42 import java.security.KeyStore.Entry; 43 import java.security.KeyStore.PrivateKeyEntry; 44 import java.security.KeyStore.TrustedCertificateEntry; 45 import java.security.KeyStoreException; 46 import java.security.PrivateKey; 47 import java.security.PublicKey; 48 import java.security.Signature; 49 import java.security.cert.Certificate; 50 import java.security.cert.CertificateFactory; 51 import java.security.interfaces.ECKey; 52 import java.security.interfaces.RSAKey; 53 
import java.security.spec.PKCS8EncodedKeySpec; 54 import java.util.ArrayList; 55 import java.util.Arrays; 56 import java.util.Calendar; 57 import java.util.Collection; 58 import java.util.Date; 59 import java.util.Enumeration; 60 import java.util.HashSet; 61 import java.util.Iterator; 62 import java.util.Set; 63 64 import javax.crypto.BadPaddingException; 65 import javax.crypto.Cipher; 66 import javax.crypto.Mac; 67 import javax.crypto.SecretKey; 68 import javax.security.auth.x500.X500Principal; 69 70 public class AndroidKeyStoreTest extends AndroidTestCase { 71 private static final String TAG = AndroidKeyStoreTest.class.getSimpleName(); 72 73 private KeyStore mKeyStore; 74 75 private static final String TEST_ALIAS_1 = "test1"; 76 77 private static final String TEST_ALIAS_2 = "test2"; 78 79 private static final String TEST_ALIAS_3 = "test3"; 80 81 private long mMaxTestDurationMillis; 82 83 /* 84 * Test fixtures only: the user key is 1024-bit RSA, written unencrypted (-nodes), and its private half is embedded in this file as FAKE_RSA_KEY_1, so it must not be reused outside tests. The keys and certificates below are generated with: 85 * 86 * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem 87 * openssl req -newkey rsa:1024 -keyout userkey.pem -nodes -days 3650 -out userkey.req 88 * mkdir -p demoCA/newcerts 89 * touch demoCA/index.txt 90 * echo "01" > demoCA/serial 91 * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650 92 */ 93 94 /** 95 * DER-encoded CA certificate (cacert.pem generated above), converted with: 96 * 97 * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 98 */ 99 private static final byte[] FAKE_RSA_CA_1 = { 100 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0xce, (byte) 0x30, (byte) 0x82, 101 (byte) 0x02, (byte) 0x37, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 102 (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0x6a, 103 (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, (byte) 0x55, (byte) 0x48, (byte) 0x0a, 104 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 105 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, 
(byte) 0x01, (byte) 0x01, 106 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31, 107 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 108 (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, 109 (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, 110 (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, 111 (byte) 0x41, (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, 112 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, 113 (byte) 0x4d, (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, 114 (byte) 0x69, (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, 115 (byte) 0x77, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, 116 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, 117 (byte) 0x41, (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, 118 (byte) 0x64, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, 119 (byte) 0x20, (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, 120 (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, 121 (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x34, (byte) 0x31, (byte) 0x36, 122 (byte) 0x35, (byte) 0x35, (byte) 0x34, (byte) 0x34, (byte) 0x5a, (byte) 0x17, 123 (byte) 0x0d, (byte) 0x32, (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, 124 (byte) 0x32, (byte) 0x31, (byte) 0x36, (byte) 0x35, (byte) 0x35, (byte) 0x34, 125 (byte) 0x34, (byte) 0x5a, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, 126 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 127 (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, 128 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 129 (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, 130 
(byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, 131 (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, 132 (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, 133 (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, 134 (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, 135 (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, 136 (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, 137 (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, 138 (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30, 139 (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, 140 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, 141 (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, 142 (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, 143 (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa3, (byte) 0x72, 144 (byte) 0xab, (byte) 0xd0, (byte) 0xe4, (byte) 0xad, (byte) 0x2f, (byte) 0xe7, 145 (byte) 0xe2, (byte) 0x79, (byte) 0x07, (byte) 0x36, (byte) 0x3d, (byte) 0x0c, 146 (byte) 0x8d, (byte) 0x42, (byte) 0x9a, (byte) 0x0a, (byte) 0x33, (byte) 0x64, 147 (byte) 0xb3, (byte) 0xcd, (byte) 0xb2, (byte) 0xd7, (byte) 0x3a, (byte) 0x42, 148 (byte) 0x06, (byte) 0x77, (byte) 0x45, (byte) 0x29, (byte) 0xe9, (byte) 0xcb, 149 (byte) 0xb7, (byte) 0x4a, (byte) 0xd6, (byte) 0xee, (byte) 0xad, (byte) 0x01, 150 (byte) 0x91, (byte) 0x9b, (byte) 0x0c, (byte) 0x59, (byte) 0xa1, (byte) 0x03, 151 (byte) 0xfa, (byte) 0xf0, (byte) 0x5a, (byte) 0x7c, (byte) 0x4f, (byte) 0xf7, 152 (byte) 0x8d, (byte) 0x36, (byte) 0x0f, (byte) 0x1f, (byte) 0x45, (byte) 0x7d, 153 (byte) 0x1b, (byte) 0x31, (byte) 0xa1, (byte) 0x35, (byte) 0x0b, (byte) 0x00, 154 (byte) 0xed, (byte) 0x7a, 
(byte) 0xb6, (byte) 0xc8, (byte) 0x4e, (byte) 0xa9, 155 (byte) 0x86, (byte) 0x4c, (byte) 0x7b, (byte) 0x99, (byte) 0x57, (byte) 0x41, 156 (byte) 0x12, (byte) 0xef, (byte) 0x6b, (byte) 0xbc, (byte) 0x3d, (byte) 0x60, 157 (byte) 0xf2, (byte) 0x99, (byte) 0x1a, (byte) 0xcd, (byte) 0xed, (byte) 0x56, 158 (byte) 0xa4, (byte) 0xe5, (byte) 0x36, (byte) 0x9f, (byte) 0x24, (byte) 0x1f, 159 (byte) 0xdc, (byte) 0x89, (byte) 0x40, (byte) 0xc8, (byte) 0x99, (byte) 0x92, 160 (byte) 0xab, (byte) 0x4a, (byte) 0xb5, (byte) 0x61, (byte) 0x45, (byte) 0x62, 161 (byte) 0xff, (byte) 0xa3, (byte) 0x45, (byte) 0x65, (byte) 0xaf, (byte) 0xf6, 162 (byte) 0x27, (byte) 0x30, (byte) 0x51, (byte) 0x0e, (byte) 0x0e, (byte) 0xeb, 163 (byte) 0x79, (byte) 0x0c, (byte) 0xbe, (byte) 0xb3, (byte) 0x0a, (byte) 0x6f, 164 (byte) 0x29, (byte) 0x06, (byte) 0xdc, (byte) 0x2f, (byte) 0x6b, (byte) 0x51, 165 (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, 166 (byte) 0x81, (byte) 0xb1, (byte) 0x30, (byte) 0x81, (byte) 0xae, (byte) 0x30, 167 (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, 168 (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x33, (byte) 0x05, 169 (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, (byte) 0xc7, (byte) 0xf9, 170 (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, 171 (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, (byte) 0x5d, (byte) 0x51, 172 (byte) 0x30, (byte) 0x7f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 173 (byte) 0x23, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x80, 174 (byte) 0x14, (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, 175 (byte) 0x60, (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, 176 (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, 177 (byte) 0x8e, (byte) 0x5d, (byte) 0x51, (byte) 0xa1, (byte) 0x53, (byte) 0xa4, 178 (byte) 0x51, (byte) 0x30, (byte) 0x4f, (byte) 0x31, 
(byte) 0x0b, (byte) 0x30, 179 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 180 (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, 181 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 182 (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, 183 (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55, 184 (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f, 185 (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e, 186 (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31, 187 (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, 188 (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, 189 (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, 190 (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, 191 (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x82, (byte) 0x09, 192 (byte) 0x00, (byte) 0xe1, (byte) 0x6a, (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, 193 (byte) 0x55, (byte) 0x48, (byte) 0x0a, (byte) 0x30, (byte) 0x0c, (byte) 0x06, 194 (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05, 195 (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30, 196 (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, 197 (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, 198 (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00, 199 (byte) 0x8c, (byte) 0x30, (byte) 0x42, (byte) 0xfa, (byte) 0xeb, (byte) 0x1a, 200 (byte) 0x26, (byte) 0xeb, (byte) 0xda, (byte) 0x56, (byte) 0x32, (byte) 0xf2, 201 (byte) 0x9d, (byte) 0xa5, (byte) 0x24, (byte) 0xd8, (byte) 0x3a, (byte) 0xda, 202 (byte) 0x30, (byte) 0xa6, (byte) 0x8b, (byte) 0x46, (byte) 0xfe, (byte) 0xfe, 203 
(byte) 0xdb, (byte) 0xf1, (byte) 0xe6, (byte) 0xe1, (byte) 0x7c, (byte) 0x1b, 204 (byte) 0xe7, (byte) 0x77, (byte) 0x00, (byte) 0xa1, (byte) 0x1c, (byte) 0x19, 205 (byte) 0x17, (byte) 0x73, (byte) 0xb0, (byte) 0xf0, (byte) 0x9d, (byte) 0xf3, 206 (byte) 0x4f, (byte) 0xb6, (byte) 0xbc, (byte) 0xc7, (byte) 0x47, (byte) 0x85, 207 (byte) 0x2a, (byte) 0x4a, (byte) 0xa1, (byte) 0xa5, (byte) 0x58, (byte) 0xf5, 208 (byte) 0xc5, (byte) 0x1a, (byte) 0x51, (byte) 0xb1, (byte) 0x04, (byte) 0x80, 209 (byte) 0xee, (byte) 0x3a, (byte) 0xec, (byte) 0x2f, (byte) 0xe1, (byte) 0xfd, 210 (byte) 0x58, (byte) 0xeb, (byte) 0xed, (byte) 0x82, (byte) 0x9e, (byte) 0x38, 211 (byte) 0xa3, (byte) 0x24, (byte) 0x75, (byte) 0xf7, (byte) 0x3e, (byte) 0xc2, 212 (byte) 0xc5, (byte) 0x27, (byte) 0xeb, (byte) 0x6f, (byte) 0x7b, (byte) 0x50, 213 (byte) 0xda, (byte) 0x43, (byte) 0xdc, (byte) 0x3b, (byte) 0x0b, (byte) 0x6f, 214 (byte) 0x78, (byte) 0x8f, (byte) 0xb0, (byte) 0x66, (byte) 0xe1, (byte) 0x12, 215 (byte) 0x87, (byte) 0x5f, (byte) 0x97, (byte) 0x7b, (byte) 0xca, (byte) 0x14, 216 (byte) 0x79, (byte) 0xf7, (byte) 0xe8, (byte) 0x6c, (byte) 0x72, (byte) 0xdb, 217 (byte) 0x91, (byte) 0x65, (byte) 0x17, (byte) 0x54, (byte) 0xe0, (byte) 0x74, 218 (byte) 0x1d, (byte) 0xac, (byte) 0x47, (byte) 0x04, (byte) 0x12, (byte) 0xe0, 219 (byte) 0xc3, (byte) 0x66, (byte) 0x19, (byte) 0x05, (byte) 0x2e, (byte) 0x7e, 220 (byte) 0xf1, (byte) 0x61 221 }; 222 223 /** 224 * Unencrypted PKCS#8 (DER) encoding of the user private key (userkey.pem generated above); a test fixture only, since the key is readable by anyone with this file. Converted with: 225 * 226 * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g' 227 */ 228 private static final byte[] FAKE_RSA_KEY_1 = new byte[] { 229 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x78, (byte) 0x02, (byte) 0x01, 230 (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 231 (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, 232 (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x82, 233 (byte) 
0x02, (byte) 0x62, (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x5e, 234 (byte) 0x02, (byte) 0x01, (byte) 0x00, (byte) 0x02, (byte) 0x81, (byte) 0x81, 235 (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, (byte) 0x5b, 236 (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, (byte) 0x66, 237 (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, (byte) 0x8a, 238 (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, (byte) 0x02, 239 (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, (byte) 0xf3, 240 (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, (byte) 0x6d, 241 (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, (byte) 0x67, 242 (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, (byte) 0xcb, 243 (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, (byte) 0xe2, 244 (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, (byte) 0x79, 245 (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, (byte) 0xce, 246 (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, (byte) 0x08, 247 (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, (byte) 0x3b, 248 (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, (byte) 0xc4, 249 (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, (byte) 0x0d, 250 (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, (byte) 0x23, 251 (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, (byte) 0x08, 252 (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, (byte) 0xf1, 253 (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, (byte) 0xb4, 254 (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, (byte) 0x16, 255 (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, (byte) 0x9e, 256 (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, (byte) 0x01, 257 (byte) 0x00, (byte) 0x01, (byte) 0x02, 
(byte) 0x81, (byte) 0x80, (byte) 0x16, 258 (byte) 0x59, (byte) 0xc3, (byte) 0x24, (byte) 0x1d, (byte) 0x33, (byte) 0x98, 259 (byte) 0x9c, (byte) 0xc9, (byte) 0xc8, (byte) 0x2c, (byte) 0x88, (byte) 0xbf, 260 (byte) 0x0a, (byte) 0x01, (byte) 0xce, (byte) 0xfb, (byte) 0x34, (byte) 0x7a, 261 (byte) 0x58, (byte) 0x7a, (byte) 0xb0, (byte) 0xbf, (byte) 0xa6, (byte) 0xb2, 262 (byte) 0x60, (byte) 0xbe, (byte) 0x70, (byte) 0x21, (byte) 0xf5, (byte) 0xfc, 263 (byte) 0x85, (byte) 0x0d, (byte) 0x33, (byte) 0x58, (byte) 0xa1, (byte) 0xe5, 264 (byte) 0x09, (byte) 0x36, (byte) 0x84, (byte) 0xb2, (byte) 0x04, (byte) 0x0a, 265 (byte) 0x02, (byte) 0xd3, (byte) 0x88, (byte) 0x1f, (byte) 0x0c, (byte) 0x2b, 266 (byte) 0x1d, (byte) 0xe9, (byte) 0x3d, (byte) 0xe7, (byte) 0x79, (byte) 0xf9, 267 (byte) 0x32, (byte) 0x5c, (byte) 0x8a, (byte) 0x75, (byte) 0x49, (byte) 0x12, 268 (byte) 0xe4, (byte) 0x05, (byte) 0x26, (byte) 0xd4, (byte) 0x2e, (byte) 0x9e, 269 (byte) 0x1f, (byte) 0xcc, (byte) 0x54, (byte) 0xad, (byte) 0x33, (byte) 0x8d, 270 (byte) 0x99, (byte) 0x00, (byte) 0xdc, (byte) 0xf5, (byte) 0xb4, (byte) 0xa2, 271 (byte) 0x2f, (byte) 0xba, (byte) 0xe5, (byte) 0x62, (byte) 0x30, (byte) 0x6d, 272 (byte) 0xe6, (byte) 0x3d, (byte) 0xeb, (byte) 0x24, (byte) 0xc2, (byte) 0xdc, 273 (byte) 0x5f, (byte) 0xb7, (byte) 0x16, (byte) 0x35, (byte) 0xa3, (byte) 0x98, 274 (byte) 0x98, (byte) 0xa8, (byte) 0xef, (byte) 0xe8, (byte) 0xc4, (byte) 0x96, 275 (byte) 0x6d, (byte) 0x38, (byte) 0xab, (byte) 0x26, (byte) 0x6d, (byte) 0x30, 276 (byte) 0xc2, (byte) 0xa0, (byte) 0x44, (byte) 0xe4, (byte) 0xff, (byte) 0x7e, 277 (byte) 0xbe, (byte) 0x7c, (byte) 0x33, (byte) 0xa5, (byte) 0x10, (byte) 0xad, 278 (byte) 0xd7, (byte) 0x1e, (byte) 0x13, (byte) 0x20, (byte) 0xb3, (byte) 0x1f, 279 (byte) 0x41, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xf1, (byte) 0x89, 280 (byte) 0x07, (byte) 0x0f, (byte) 0xe8, (byte) 0xcf, (byte) 0xab, (byte) 0x13, 281 (byte) 0x2a, (byte) 0x8f, (byte) 0x88, (byte) 0x80, (byte) 0x11, 
(byte) 0x9a, 282 (byte) 0x79, (byte) 0xb6, (byte) 0x59, (byte) 0x3a, (byte) 0x50, (byte) 0x6e, 283 (byte) 0x57, (byte) 0x37, (byte) 0xab, (byte) 0x2a, (byte) 0xd2, (byte) 0xaa, 284 (byte) 0xd9, (byte) 0x72, (byte) 0x73, (byte) 0xff, (byte) 0x8b, (byte) 0x47, 285 (byte) 0x76, (byte) 0xdd, (byte) 0xdc, (byte) 0xf5, (byte) 0x97, (byte) 0x44, 286 (byte) 0x3a, (byte) 0x78, (byte) 0xbe, (byte) 0x17, (byte) 0xb4, (byte) 0x22, 287 (byte) 0x6f, (byte) 0xe5, (byte) 0x23, (byte) 0x70, (byte) 0x1d, (byte) 0x10, 288 (byte) 0x5d, (byte) 0xba, (byte) 0x16, (byte) 0x81, (byte) 0xf1, (byte) 0x45, 289 (byte) 0xce, (byte) 0x30, (byte) 0xb4, (byte) 0xab, (byte) 0x80, (byte) 0xe4, 290 (byte) 0x98, (byte) 0x31, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xda, 291 (byte) 0x82, (byte) 0x9d, (byte) 0x3f, (byte) 0xca, (byte) 0x2f, (byte) 0xe1, 292 (byte) 0xd4, (byte) 0x86, (byte) 0x77, (byte) 0x48, (byte) 0xa6, (byte) 0xab, 293 (byte) 0xab, (byte) 0x1c, (byte) 0x42, (byte) 0x5c, (byte) 0xd5, (byte) 0xc7, 294 (byte) 0x46, (byte) 0x59, (byte) 0x91, (byte) 0x3f, (byte) 0xfc, (byte) 0xcc, 295 (byte) 0xec, (byte) 0xc2, (byte) 0x40, (byte) 0x12, (byte) 0x2c, (byte) 0x8d, 296 (byte) 0x1f, (byte) 0xa2, (byte) 0x18, (byte) 0x88, (byte) 0xee, (byte) 0x82, 297 (byte) 0x4a, (byte) 0x5a, (byte) 0x5e, (byte) 0x88, (byte) 0x20, (byte) 0xe3, 298 (byte) 0x7b, (byte) 0xe0, (byte) 0xd8, (byte) 0x3a, (byte) 0x52, (byte) 0x9a, 299 (byte) 0x26, (byte) 0x6a, (byte) 0x04, (byte) 0xec, (byte) 0xe8, (byte) 0xb9, 300 (byte) 0x48, (byte) 0x40, (byte) 0xe1, (byte) 0xe1, (byte) 0x83, (byte) 0xa6, 301 (byte) 0x67, (byte) 0xa6, (byte) 0xfd, (byte) 0x02, (byte) 0x41, (byte) 0x00, 302 (byte) 0x89, (byte) 0x72, (byte) 0x3e, (byte) 0xb0, (byte) 0x90, (byte) 0xfd, 303 (byte) 0x4c, (byte) 0x0e, (byte) 0xd6, (byte) 0x13, (byte) 0x63, (byte) 0xcb, 304 (byte) 0xed, (byte) 0x38, (byte) 0x88, (byte) 0xb6, (byte) 0x79, (byte) 0xc4, 305 (byte) 0x33, (byte) 0x6c, (byte) 0xf6, (byte) 0xf8, (byte) 0xd8, (byte) 0xd0, 306 (byte) 0xbf, 
(byte) 0x9d, (byte) 0x35, (byte) 0xac, (byte) 0x69, (byte) 0xd2, 307 (byte) 0x2b, (byte) 0xc1, (byte) 0xf9, (byte) 0x24, (byte) 0x7b, (byte) 0xce, 308 (byte) 0xcd, (byte) 0xcb, (byte) 0xa7, (byte) 0xb2, (byte) 0x7a, (byte) 0x0a, 309 (byte) 0x27, (byte) 0x19, (byte) 0xc9, (byte) 0xaf, (byte) 0x0d, (byte) 0x21, 310 (byte) 0x89, (byte) 0x88, (byte) 0x7c, (byte) 0xad, (byte) 0x9e, (byte) 0x8d, 311 (byte) 0x47, (byte) 0x6d, (byte) 0x3f, (byte) 0xce, (byte) 0x7b, (byte) 0xa1, 312 (byte) 0x74, (byte) 0xf1, (byte) 0xa0, (byte) 0xa1, (byte) 0x02, (byte) 0x41, 313 (byte) 0x00, (byte) 0xd9, (byte) 0xa8, (byte) 0xf5, (byte) 0xfe, (byte) 0xce, 314 (byte) 0xe6, (byte) 0x77, (byte) 0x6b, (byte) 0xfe, (byte) 0x2d, (byte) 0xe0, 315 (byte) 0x1e, (byte) 0xb6, (byte) 0x2e, (byte) 0x12, (byte) 0x4e, (byte) 0x40, 316 (byte) 0xaf, (byte) 0x6a, (byte) 0x7b, (byte) 0x37, (byte) 0x49, (byte) 0x2a, 317 (byte) 0x96, (byte) 0x25, (byte) 0x83, (byte) 0x49, (byte) 0xd4, (byte) 0x0c, 318 (byte) 0xc6, (byte) 0x78, (byte) 0x25, (byte) 0x24, (byte) 0x90, (byte) 0x90, 319 (byte) 0x06, (byte) 0x15, (byte) 0x9e, (byte) 0xfe, (byte) 0xf9, (byte) 0xdf, 320 (byte) 0x5b, (byte) 0xf3, (byte) 0x7e, (byte) 0x38, (byte) 0x70, (byte) 0xeb, 321 (byte) 0x57, (byte) 0xd0, (byte) 0xd9, (byte) 0xa7, (byte) 0x0e, (byte) 0x14, 322 (byte) 0xf7, (byte) 0x95, (byte) 0x68, (byte) 0xd5, (byte) 0xc8, (byte) 0xab, 323 (byte) 0x9d, (byte) 0x3a, (byte) 0x2b, (byte) 0x51, (byte) 0xf9, (byte) 0x02, 324 (byte) 0x41, (byte) 0x00, (byte) 0x96, (byte) 0xdf, (byte) 0xe9, (byte) 0x67, 325 (byte) 0x6c, (byte) 0xdc, (byte) 0x90, (byte) 0x14, (byte) 0xb4, (byte) 0x1d, 326 (byte) 0x22, (byte) 0x33, (byte) 0x4a, (byte) 0x31, (byte) 0xc1, (byte) 0x9d, 327 (byte) 0x2e, (byte) 0xff, (byte) 0x9a, (byte) 0x2a, (byte) 0x95, (byte) 0x4b, 328 (byte) 0x27, (byte) 0x74, (byte) 0xcb, (byte) 0x21, (byte) 0xc3, (byte) 0xd2, 329 (byte) 0x0b, (byte) 0xb2, (byte) 0x46, (byte) 0x87, (byte) 0xf8, (byte) 0x28, 330 (byte) 0x01, (byte) 0x8b, (byte) 0xd8, 
(byte) 0xb9, (byte) 0x4b, (byte) 0xcd, 331 (byte) 0x9a, (byte) 0x96, (byte) 0x41, (byte) 0x0e, (byte) 0x36, (byte) 0x6d, 332 (byte) 0x40, (byte) 0x42, (byte) 0xbc, (byte) 0xd9, (byte) 0xd3, (byte) 0x7b, 333 (byte) 0xbc, (byte) 0xa7, (byte) 0x92, (byte) 0x90, (byte) 0xdd, (byte) 0xa1, 334 (byte) 0x9c, (byte) 0xce, (byte) 0xa1, (byte) 0x87, (byte) 0x11, (byte) 0x51 335 }; 336 337 /** 338 * Generated from above and converted with: 339 * 340 * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 341 */ 342 private static final byte[] FAKE_RSA_USER_1 = new byte[] { 343 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x95, (byte) 0x30, (byte) 0x82, 344 (byte) 0x01, (byte) 0xfe, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 345 (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d, 346 (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, 347 (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 348 (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 349 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 350 (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, 351 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 352 (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, 353 (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55, 354 (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f, 355 (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e, 356 (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31, 357 (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, 358 (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, 359 (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, 360 (byte) 0x54, 
(byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, 361 (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30, (byte) 0x1e, 362 (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x38, 363 (byte) 0x31, (byte) 0x34, (byte) 0x32, (byte) 0x33, (byte) 0x32, (byte) 0x35, 364 (byte) 0x34, (byte) 0x38, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, 365 (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x32, (byte) 0x32, 366 (byte) 0x33, (byte) 0x32, (byte) 0x35, (byte) 0x34, (byte) 0x38, (byte) 0x5a, 367 (byte) 0x30, (byte) 0x55, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 368 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, 369 (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 370 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, 371 (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, (byte) 0x1b, 372 (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 373 (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, (byte) 0x64, 374 (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, (byte) 0x54, 375 (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, (byte) 0x61, 376 (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x31, (byte) 0x1c, (byte) 0x30, 377 (byte) 0x1a, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, 378 (byte) 0x13, (byte) 0x13, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, 379 (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x2e, (byte) 0x65, (byte) 0x78, 380 (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x65, (byte) 0x2e, 381 (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30, (byte) 0x81, (byte) 0x9f, 382 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 383 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 384 (byte) 0x01, (byte) 0x05, (byte) 0x00, 
(byte) 0x03, (byte) 0x81, (byte) 0x8d, 385 (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81, 386 (byte) 0x81, (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, 387 (byte) 0x5b, (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, 388 (byte) 0x66, (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, 389 (byte) 0x8a, (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, 390 (byte) 0x02, (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, 391 (byte) 0xf3, (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, 392 (byte) 0x6d, (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, 393 (byte) 0x67, (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, 394 (byte) 0xcb, (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, 395 (byte) 0xe2, (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, 396 (byte) 0x79, (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, 397 (byte) 0xce, (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, 398 (byte) 0x08, (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, 399 (byte) 0x3b, (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, 400 (byte) 0xc4, (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, 401 (byte) 0x0d, (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, 402 (byte) 0x23, (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, 403 (byte) 0x08, (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, 404 (byte) 0xf1, (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, 405 (byte) 0xb4, (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, 406 (byte) 0x16, (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, 407 (byte) 0x9e, (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, 408 (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x7b, 
(byte) 0x30, 409 (byte) 0x79, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 410 (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, 411 (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86, 412 (byte) 0x48, (byte) 0x01, (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01, 413 (byte) 0x0d, (byte) 0x04, (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f, 414 (byte) 0x70, (byte) 0x65, (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c, 415 (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72, 416 (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43, 417 (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, 418 (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d, 419 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, 420 (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x32, (byte) 0xa1, (byte) 0x1e, 421 (byte) 0x6b, (byte) 0x69, (byte) 0x04, (byte) 0xfe, (byte) 0xb3, (byte) 0xcd, 422 (byte) 0xf8, (byte) 0xbb, (byte) 0x14, (byte) 0xcd, (byte) 0xff, (byte) 0xd4, 423 (byte) 0x16, (byte) 0xc3, (byte) 0xab, (byte) 0x44, (byte) 0x2f, (byte) 0x30, 424 (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, 425 (byte) 0x04, (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, 426 (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, 427 (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, 428 (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, 429 (byte) 0x5d, (byte) 0x51, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, 430 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, 431 (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, 432 (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x46, (byte) 0x42, (byte) 0xef, 433 (byte) 0x56, 
(byte) 0x89, (byte) 0x78, (byte) 0x90, (byte) 0x38, (byte) 0x24, 434 (byte) 0x9f, (byte) 0x8c, (byte) 0x7a, (byte) 0xce, (byte) 0x7a, (byte) 0xa5, 435 (byte) 0xb5, (byte) 0x1e, (byte) 0x74, (byte) 0x96, (byte) 0x34, (byte) 0x49, 436 (byte) 0x8b, (byte) 0xed, (byte) 0x44, (byte) 0xb3, (byte) 0xc9, (byte) 0x05, 437 (byte) 0xd7, (byte) 0x48, (byte) 0x55, (byte) 0x52, (byte) 0x59, (byte) 0x15, 438 (byte) 0x0b, (byte) 0xaa, (byte) 0x16, (byte) 0x86, (byte) 0xd2, (byte) 0x8e, 439 (byte) 0x16, (byte) 0x99, (byte) 0xe8, (byte) 0x5f, (byte) 0x11, (byte) 0x71, 440 (byte) 0x42, (byte) 0x55, (byte) 0xd1, (byte) 0xc4, (byte) 0x6f, (byte) 0x2e, 441 (byte) 0xa9, (byte) 0x64, (byte) 0x6f, (byte) 0xd8, (byte) 0xfd, (byte) 0x43, 442 (byte) 0x13, (byte) 0x24, (byte) 0xaa, (byte) 0x67, (byte) 0xe6, (byte) 0xf5, 443 (byte) 0xca, (byte) 0x80, (byte) 0x5e, (byte) 0x3a, (byte) 0x3e, (byte) 0xcc, 444 (byte) 0x4f, (byte) 0xba, (byte) 0x87, (byte) 0xe6, (byte) 0xae, (byte) 0xbf, 445 (byte) 0x8f, (byte) 0xd5, (byte) 0x28, (byte) 0x38, (byte) 0x58, (byte) 0x30, 446 (byte) 0x24, (byte) 0xf6, (byte) 0x53, (byte) 0x5b, (byte) 0x41, (byte) 0x53, 447 (byte) 0xe6, (byte) 0x45, (byte) 0xbc, (byte) 0xbe, (byte) 0xe6, (byte) 0xbb, 448 (byte) 0x5d, (byte) 0xd8, (byte) 0xa7, (byte) 0xf9, (byte) 0x64, (byte) 0x99, 449 (byte) 0x04, (byte) 0x43, (byte) 0x75, (byte) 0xd7, (byte) 0x2d, (byte) 0x32, 450 (byte) 0x0a, (byte) 0x94, (byte) 0xaf, (byte) 0x06, (byte) 0x34, (byte) 0xae, 451 (byte) 0x46, (byte) 0xbd, (byte) 0xda, (byte) 0x00, (byte) 0x0e, (byte) 0x25, 452 (byte) 0xc2, (byte) 0xf7, (byte) 0xc9, (byte) 0xc3, (byte) 0x65, (byte) 0xd2, 453 (byte) 0x08, (byte) 0x41, (byte) 0x0a, (byte) 0xf3, (byte) 0x72 454 }; 455 456 /* 457 * The keys and certificates below are generated with: 458 * 459 * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem 460 * openssl ecparam -name prime256v1 -out ecparam.pem 461 * openssl req -newkey ec:ecparam.pem -keyout userkey.pem -nodes -days 3650 
-out userkey.req 462 * mkdir -p demoCA/newcerts 463 * touch demoCA/index.txt 464 * echo "01" > demoCA/serial 465 * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650 466 */ 467 468 /** 469 * Generated from above and converted with: 470 * 471 * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 472 */ 473 private static final byte[] FAKE_EC_CA_1 = { 474 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x58, (byte) 0x30, (byte) 0x82, 475 (byte) 0x01, (byte) 0xc1, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 476 (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0xb2, 477 (byte) 0x8c, (byte) 0x04, (byte) 0x95, (byte) 0xeb, (byte) 0x10, (byte) 0xcb, 478 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 479 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 480 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31, 481 (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, 482 (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, 483 (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, 484 (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, 485 (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, 486 (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, 487 (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, 488 (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, 489 (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, 490 (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, 491 (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, 492 (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, 493 (byte) 0x31, (byte) 
0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37, 494 (byte) 0x31, (byte) 0x36, (byte) 0x32, (byte) 0x38, (byte) 0x32, (byte) 0x38, 495 (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30, 496 (byte) 0x38, (byte) 0x32, (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x32, 497 (byte) 0x38, (byte) 0x32, (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x45, 498 (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, 499 (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 500 (byte) 0x55, (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, 501 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, 502 (byte) 0x53, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, 503 (byte) 0x74, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, 504 (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 505 (byte) 0x0a, (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, 506 (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, 507 (byte) 0x57, (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, 508 (byte) 0x73, (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, 509 (byte) 0x4c, (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x81, (byte) 0x9f, 510 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 511 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 512 (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d, 513 (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81, 514 (byte) 0x81, (byte) 0x00, (byte) 0xb5, (byte) 0xf6, (byte) 0x08, (byte) 0x0f, 515 (byte) 0xc4, (byte) 0x4d, (byte) 0xe4, (byte) 0x0d, (byte) 0x34, (byte) 0x1d, 516 (byte) 0xe2, (byte) 0x23, (byte) 0x18, (byte) 0x63, (byte) 0x03, (byte) 0xf7, 517 (byte) 0x14, (byte) 0x0e, (byte) 0x98, (byte) 0xcd, 
(byte) 0x45, (byte) 0x1f, 518 (byte) 0xfe, (byte) 0xfb, (byte) 0x09, (byte) 0x3f, (byte) 0x5d, (byte) 0x36, 519 (byte) 0x3b, (byte) 0x0f, (byte) 0xf9, (byte) 0x5e, (byte) 0x86, (byte) 0x56, 520 (byte) 0x64, (byte) 0xd7, (byte) 0x3f, (byte) 0xae, (byte) 0x33, (byte) 0x09, 521 (byte) 0xd3, (byte) 0xdd, (byte) 0x06, (byte) 0x17, (byte) 0x26, (byte) 0xdc, 522 (byte) 0xa2, (byte) 0x8c, (byte) 0x3c, (byte) 0x65, (byte) 0xed, (byte) 0x03, 523 (byte) 0x82, (byte) 0x78, (byte) 0x9b, (byte) 0xee, (byte) 0xe3, (byte) 0x98, 524 (byte) 0x58, (byte) 0xe1, (byte) 0xf1, (byte) 0xa0, (byte) 0x85, (byte) 0xae, 525 (byte) 0x63, (byte) 0x84, (byte) 0x41, (byte) 0x46, (byte) 0xa7, (byte) 0x4f, 526 (byte) 0xdc, (byte) 0xbb, (byte) 0x1c, (byte) 0x6e, (byte) 0xec, (byte) 0x7b, 527 (byte) 0xd5, (byte) 0xab, (byte) 0x3d, (byte) 0x6a, (byte) 0x05, (byte) 0x58, 528 (byte) 0x0f, (byte) 0x9b, (byte) 0x6a, (byte) 0x67, (byte) 0x4b, (byte) 0xe9, 529 (byte) 0x2a, (byte) 0x6d, (byte) 0x96, (byte) 0x11, (byte) 0x53, (byte) 0x95, 530 (byte) 0x78, (byte) 0xaa, (byte) 0xd1, (byte) 0x91, (byte) 0x4a, (byte) 0xf8, 531 (byte) 0x54, (byte) 0x52, (byte) 0x6d, (byte) 0xb9, (byte) 0xca, (byte) 0x74, 532 (byte) 0x81, (byte) 0xf8, (byte) 0x99, (byte) 0x64, (byte) 0xd1, (byte) 0x4f, 533 (byte) 0x01, (byte) 0x38, (byte) 0x4f, (byte) 0x08, (byte) 0x5c, (byte) 0x31, 534 (byte) 0xcb, (byte) 0x7c, (byte) 0x5c, (byte) 0x78, (byte) 0x5d, (byte) 0x47, 535 (byte) 0xd9, (byte) 0xf0, (byte) 0x1a, (byte) 0xeb, (byte) 0x02, (byte) 0x03, 536 (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x50, (byte) 0x30, 537 (byte) 0x4e, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, 538 (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, 539 (byte) 0x5f, (byte) 0x5b, (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa, 540 (byte) 0xa1, (byte) 0x9f, (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1, 541 (byte) 0xbc, (byte) 0x20, (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, 542 
(byte) 0xfa, (byte) 0xe3, (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, 543 (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18, (byte) 0x30, 544 (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b, (byte) 0x5e, 545 (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f, (byte) 0x9e, 546 (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20, (byte) 0x72, 547 (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3, (byte) 0x30, 548 (byte) 0x0c, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, 549 (byte) 0x04, (byte) 0x05, (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, 550 (byte) 0xff, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 551 (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, 552 (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, 553 (byte) 0x81, (byte) 0x00, (byte) 0xa1, (byte) 0x4a, (byte) 0xe6, (byte) 0xfc, 554 (byte) 0x7f, (byte) 0x17, (byte) 0xaa, (byte) 0x65, (byte) 0x4a, (byte) 0x34, 555 (byte) 0xde, (byte) 0x69, (byte) 0x67, (byte) 0x54, (byte) 0x4d, (byte) 0xa2, 556 (byte) 0xc2, (byte) 0x98, (byte) 0x02, (byte) 0x43, (byte) 0x6a, (byte) 0x0e, 557 (byte) 0x0b, (byte) 0x7f, (byte) 0xa4, (byte) 0x46, (byte) 0xaf, (byte) 0xa4, 558 (byte) 0x65, (byte) 0xa0, (byte) 0xdb, (byte) 0xf1, (byte) 0x5b, (byte) 0xd5, 559 (byte) 0x09, (byte) 0xbc, (byte) 0xee, (byte) 0x37, (byte) 0x51, (byte) 0x19, 560 (byte) 0x36, (byte) 0xc0, (byte) 0x90, (byte) 0xd3, (byte) 0x5f, (byte) 0xf3, 561 (byte) 0x4f, (byte) 0xb9, (byte) 0x08, (byte) 0x45, (byte) 0x0e, (byte) 0x01, 562 (byte) 0x8a, (byte) 0x95, (byte) 0xef, (byte) 0x92, (byte) 0x95, (byte) 0x33, 563 (byte) 0x78, (byte) 0xdd, (byte) 0x90, (byte) 0xbb, (byte) 0xf3, (byte) 0x06, 564 (byte) 0x75, (byte) 0xd0, (byte) 0x66, (byte) 0xe6, (byte) 0xd0, (byte) 0x18, 565 (byte) 0x6e, (byte) 0xeb, (byte) 0x1c, (byte) 0x52, (byte) 0xc3, (byte) 0x2e, 566 (byte) 0x57, (byte) 0x7d, 
(byte) 0xa9, (byte) 0x03, (byte) 0xdb, (byte) 0xf4, 567 (byte) 0x57, (byte) 0x5f, (byte) 0x6c, (byte) 0x7e, (byte) 0x00, (byte) 0x0d, 568 (byte) 0x8f, (byte) 0xe8, (byte) 0x91, (byte) 0xf7, (byte) 0xae, (byte) 0x24, 569 (byte) 0x35, (byte) 0x07, (byte) 0xb5, (byte) 0x48, (byte) 0x2d, (byte) 0x36, 570 (byte) 0x30, (byte) 0x5d, (byte) 0xe9, (byte) 0x49, (byte) 0x2d, (byte) 0xd1, 571 (byte) 0x5d, (byte) 0xc5, (byte) 0xf4, (byte) 0x33, (byte) 0x77, (byte) 0x3c, 572 (byte) 0x71, (byte) 0xad, (byte) 0x90, (byte) 0x65, (byte) 0xa9, (byte) 0xc1, 573 (byte) 0x0b, (byte) 0x5c, (byte) 0x62, (byte) 0x55, (byte) 0x50, (byte) 0x6f, 574 (byte) 0x9b, (byte) 0xc9, (byte) 0x0d, (byte) 0xee 575 }; 576 577 /** 578 * Generated from above and converted with: 579 * 580 * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g' 581 */ 582 private static final byte[] FAKE_EC_KEY_1 = new byte[] { 583 (byte) 0x30, (byte) 0x81, (byte) 0x87, (byte) 0x02, (byte) 0x01, (byte) 0x00, 584 (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, (byte) 0x86, 585 (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, (byte) 0x01, (byte) 0x06, 586 (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, 587 (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x04, (byte) 0x6d, (byte) 0x30, 588 (byte) 0x6b, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x04, (byte) 0x20, 589 (byte) 0x3a, (byte) 0x8a, (byte) 0x02, (byte) 0xdc, (byte) 0xde, (byte) 0x70, 590 (byte) 0x84, (byte) 0x45, (byte) 0x34, (byte) 0xaf, (byte) 0xbd, (byte) 0xd5, 591 (byte) 0x02, (byte) 0x17, (byte) 0x69, (byte) 0x90, (byte) 0x65, (byte) 0x1e, 592 (byte) 0x87, (byte) 0xf1, (byte) 0x3d, (byte) 0x17, (byte) 0xb6, (byte) 0xf4, 593 (byte) 0x31, (byte) 0x94, (byte) 0x86, (byte) 0x76, (byte) 0x55, (byte) 0xf7, 594 (byte) 0xcc, (byte) 0xba, (byte) 0xa1, (byte) 0x44, (byte) 0x03, (byte) 0x42, 595 (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7, (byte) 0x9b, 596 (byte) 
0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33, (byte) 0x14, 597 (byte) 0xa4, (byte) 0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3, (byte) 0xcd, 598 (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d, (byte) 0xf3, 599 (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f, (byte) 0x79, 600 (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3, (byte) 0xd1, 601 (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf, (byte) 0x50, 602 (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22, (byte) 0xe6, 603 (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68, (byte) 0x3b, 604 (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77, (byte) 0x5e, 605 (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2, (byte) 0x38 606 }; 607 608 /** 609 * Generated from above and converted with: 610 * 611 * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g' 612 */ 613 private static final byte[] FAKE_EC_USER_1 = new byte[] { 614 (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x51, (byte) 0x30, (byte) 0x82, 615 (byte) 0x01, (byte) 0xba, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, 616 (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d, 617 (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, 618 (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 619 (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31, (byte) 0x0b, (byte) 0x30, 620 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 621 (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31, (byte) 0x13, 622 (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 623 (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f, (byte) 0x6d, 624 (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61, (byte) 0x74, 625 (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 
0x1f, (byte) 0x06, 626 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x18, 627 (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e, 628 (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69, (byte) 0x64, 629 (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20, (byte) 0x50, 630 (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74, (byte) 0x64, 631 (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x33, 632 (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37, (byte) 0x31, (byte) 0x36, 633 (byte) 0x33, (byte) 0x30, (byte) 0x30, (byte) 0x38, (byte) 0x5a, (byte) 0x17, 634 (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32, 635 (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x33, (byte) 0x30, (byte) 0x30, 636 (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x62, (byte) 0x31, (byte) 0x0b, 637 (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 638 (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31, 639 (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, 640 (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f, 641 (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61, 642 (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 0x1f, 643 (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c, 644 (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, 645 (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69, 646 (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20, 647 (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74, 648 (byte) 0x64, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, 649 (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x12, 650 (byte) 
0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x65, (byte) 0x72, 651 (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x61, (byte) 0x6d, (byte) 0x70, 652 (byte) 0x6c, (byte) 0x65, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d, 653 (byte) 0x30, (byte) 0x59, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, 654 (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, 655 (byte) 0x01, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, 656 (byte) 0xce, (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x03, 657 (byte) 0x42, (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7, 658 (byte) 0x9b, (byte) 0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33, 659 (byte) 0x14, (byte) 0xa4, (byte) 0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3, 660 (byte) 0xcd, (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d, 661 (byte) 0xf3, (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f, 662 (byte) 0x79, (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3, 663 (byte) 0xd1, (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf, 664 (byte) 0x50, (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22, 665 (byte) 0xe6, (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68, 666 (byte) 0x3b, (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77, 667 (byte) 0x5e, (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2, 668 (byte) 0x38, (byte) 0xa3, (byte) 0x7b, (byte) 0x30, (byte) 0x79, (byte) 0x30, 669 (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, 670 (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, (byte) 0x2c, 671 (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86, (byte) 0x48, (byte) 0x01, 672 (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01, (byte) 0x0d, (byte) 0x04, 673 (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f, (byte) 0x70, (byte) 0x65, 674 (byte) 0x6e, (byte) 0x53, (byte) 0x53, 
(byte) 0x4c, (byte) 0x20, (byte) 0x47, 675 (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72, (byte) 0x61, (byte) 0x74, 676 (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43, (byte) 0x65, (byte) 0x72, 677 (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, 678 (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03, 679 (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04, 680 (byte) 0x14, (byte) 0xd5, (byte) 0xc4, (byte) 0x72, (byte) 0xbd, (byte) 0xd2, 681 (byte) 0x4e, (byte) 0x90, (byte) 0x1b, (byte) 0x14, (byte) 0x32, (byte) 0xdb, 682 (byte) 0x03, (byte) 0xae, (byte) 0xfa, (byte) 0x27, (byte) 0x7d, (byte) 0x8d, 683 (byte) 0xe4, (byte) 0x80, (byte) 0x58, (byte) 0x30, (byte) 0x1f, (byte) 0x06, 684 (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18, 685 (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b, 686 (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f, 687 (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20, 688 (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3, 689 (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 690 (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, 691 (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, 692 (byte) 0x00, (byte) 0x43, (byte) 0x99, (byte) 0x9f, (byte) 0x67, (byte) 0x08, 693 (byte) 0x43, (byte) 0xd5, (byte) 0x6b, (byte) 0x6f, (byte) 0xd7, (byte) 0x05, 694 (byte) 0xd6, (byte) 0x75, (byte) 0x34, (byte) 0x30, (byte) 0xca, (byte) 0x20, 695 (byte) 0x47, (byte) 0x61, (byte) 0xa1, (byte) 0x89, (byte) 0xb6, (byte) 0xf1, 696 (byte) 0x49, (byte) 0x7b, (byte) 0xd9, (byte) 0xb9, (byte) 0xe8, (byte) 0x1e, 697 (byte) 0x29, (byte) 0x74, (byte) 0x0a, (byte) 0x67, (byte) 0xc0, (byte) 0x7d, 698 (byte) 0xb8, (byte) 0xe6, (byte) 0x39, (byte) 0xa8, (byte) 0x5e, 
(byte) 0xc3, 699 (byte) 0xb0, (byte) 0xa1, (byte) 0x30, (byte) 0x6a, (byte) 0x1f, (byte) 0x1d, 700 (byte) 0xfc, (byte) 0x11, (byte) 0x59, (byte) 0x0b, (byte) 0xb9, (byte) 0xad, 701 (byte) 0x3a, (byte) 0x4e, (byte) 0x50, (byte) 0x0a, (byte) 0x61, (byte) 0xdb, 702 (byte) 0x75, (byte) 0x6b, (byte) 0xe5, (byte) 0x3f, (byte) 0x8d, (byte) 0xde, 703 (byte) 0x28, (byte) 0x68, (byte) 0xb1, (byte) 0x29, (byte) 0x9a, (byte) 0x18, 704 (byte) 0x8a, (byte) 0xfc, (byte) 0x3f, (byte) 0x13, (byte) 0x93, (byte) 0x29, 705 (byte) 0xed, (byte) 0x22, (byte) 0x7c, (byte) 0xb4, (byte) 0x50, (byte) 0xd5, 706 (byte) 0x4d, (byte) 0x32, (byte) 0x4d, (byte) 0x42, (byte) 0x2b, (byte) 0x29, 707 (byte) 0x97, (byte) 0x86, (byte) 0xc0, (byte) 0x01, (byte) 0x00, (byte) 0x25, 708 (byte) 0xf6, (byte) 0xd3, (byte) 0x2a, (byte) 0xd8, (byte) 0xda, (byte) 0x13, 709 (byte) 0x94, (byte) 0x12, (byte) 0x78, (byte) 0x14, (byte) 0x0b, (byte) 0x51, 710 (byte) 0xc0, (byte) 0x45, (byte) 0xb4, (byte) 0x02, (byte) 0x37, (byte) 0x98, 711 (byte) 0x42, (byte) 0x3c, (byte) 0xcb, (byte) 0x2e, (byte) 0xe4, (byte) 0x38, 712 (byte) 0x69, (byte) 0x1b, (byte) 0x72, (byte) 0xf0, (byte) 0xaa, (byte) 0x89, 713 (byte) 0x7e, (byte) 0xde, (byte) 0xb2 714 }; 715 716 /** 717 * The amount of time to allow before and after expected time for variance 718 * in timing tests. 
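*/
    private static final long SLOP_TIME_MILLIS = 15000L;

    /**
     * Empties the AndroidKeyStore and prepares a fresh, not-yet-loaded instance for the test.
     *
     * <p>The wipe uses a separate, loaded instance; {@code mKeyStore} is then replaced with a
     * new instance that has not had {@code load()} called, because some tests assert the
     * behaviour of an uninitialized keystore.
     */
    @Override
    protected void setUp() throws Exception {
        super.setUp();

        // Wipe any existing entries in the KeyStore so every test starts from an empty store.
        KeyStore ksTemp = KeyStore.getInstance("AndroidKeyStore");
        ksTemp.load(null, null);
        Enumeration<String> aliases = ksTemp.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            ksTemp.deleteEntry(alias);
        }

        // Get a new instance because some tests need it uninitialized
        mKeyStore = KeyStore.getInstance("AndroidKeyStore");

        // Use a longer timeout on watches, which are generally less performant.
        mMaxTestDurationMillis =
                getContext().getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)
                        ? LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_WATCH_MILLIS
                        : LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS;
    }

    /**
     * Deletes every entry the test left in the AndroidKeyStore.
     *
     * <p>{@code super.tearDown()} runs in a {@code finally} block, so it is called even when
     * the cleanup itself throws.
     */
    @Override
    protected void tearDown() throws Exception {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null, null);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                keyStore.deleteEntry(alias);
            }
        } finally {
            super.tearDown();
        }
    }

    /**
     * Decodes a PKCS#8-encoded private key fixture.
     *
     * <p>The fixtures passed here are unencrypted PKCS#8 blobs hard-coded in this file (their
     * Javadoc shows {@code openssl pkcs8 -topk8 ... -nocrypt}). They are test-only key
     * material and must not be reused outside tests.
     *
     * @param keyType JCA key algorithm name handed to {@link KeyFactory#getInstance(String)}
     * @param fakeKey1 PKCS#8 DER encoding of the private key
     * @return the decoded private key
     */
    private PrivateKey generatePrivateKey(String keyType, byte[] fakeKey1) throws Exception {
        KeyFactory kf = KeyFactory.getInstance(keyType);
        return kf.generatePrivate(new PKCS8EncodedKeySpec(fakeKey1));
    }

    /**
     * Decodes a DER-encoded X.509 certificate fixture.
     *
     * <p>This only parses the certificate; it does not check validity dates or signatures.
     *
     * @param fakeUser1 DER encoding of the certificate
     * @return the parsed certificate
     */
    private Certificate generateCertificate(byte[] fakeUser1) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificate(new ByteArrayInputStream(fakeUser1));
    }

    /**
     * Builds a {@link PrivateKeyEntry} from the EC fixtures: the EC private key with the chain
     * {@code [FAKE_EC_USER_1, FAKE_EC_CA_1]}.
     *
     * <p>NOTE(review): the DER of {@code FAKE_EC_CA_1} carries the rsaEncryption and
     * sha1WithRSAEncryption OIDs, so the "EC" CA appears to be an RSA CA that signed an EC
     * user certificate. Both fixture certificates encode a notAfter of 2023-08-25; the tests
     * in this part of the file only store and compare them and do not validate the chain.
     */
    private PrivateKeyEntry makeUserEcKey1() throws Exception {
        return new KeyStore.PrivateKeyEntry(generatePrivateKey("EC", FAKE_EC_KEY_1),
                new Certificate[] {
                        generateCertificate(FAKE_EC_USER_1), generateCertificate(FAKE_EC_CA_1)
                });
    }

    /**
     * Builds a {@link PrivateKeyEntry} from the RSA fixtures: the RSA private key with the
     * chain {@code [FAKE_RSA_USER_1, FAKE_RSA_CA_1]}.
     */
    private PrivateKeyEntry makeUserRsaKey1() throws Exception {
        return new KeyStore.PrivateKeyEntry(generatePrivateKey("RSA", FAKE_RSA_KEY_1),
                new Certificate[] {
                        generateCertificate(FAKE_RSA_USER_1), generateCertificate(FAKE_RSA_CA_1)
                });
    }

    /** Builds a {@link TrustedCertificateEntry} holding the RSA CA fixture certificate. */
    private Entry makeCa1() throws Exception {
        return new KeyStore.TrustedCertificateEntry(generateCertificate(FAKE_RSA_CA_1));
    }

    /**
     * Asserts that {@code mKeyStore} contains exactly the given aliases, in any order.
     *
     * @param expectedAliases the aliases the keystore is expected to hold
     * @throws KeyStoreException if the keystore has not been loaded
     */
    private void assertAliases(final String[] expectedAliases) throws KeyStoreException {
        final Enumeration<String> aliases = mKeyStore.aliases();
        int count = 0;

        final Set<String> expectedSet = new HashSet<String>(Arrays.asList(expectedAliases));

        while (aliases.hasMoreElements()) {
            count++;
            final String alias = aliases.nextElement();
            assertTrue("The alias should be in the expected set", expectedSet.contains(alias));
            // Removing the alias makes a duplicate in the enumeration fail the check above.
            expectedSet.remove(alias);
        }
        assertTrue("The expected set and actual set should be exactly equal", expectedSet.isEmpty());
        assertEquals("There should be the correct number of keystore entries",
                expectedAliases.length, count);
    }

    /** Aliases are listed as entries are added with a null ProtectionParameter. */
    public void testKeyStore_Aliases_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        assertAliases(new String[] {});

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertAliases(new String[] { TEST_ALIAS_1 });

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });
    }

    /** Listing aliases on a keystore that was never loaded must throw. */
    public void testKeyStore_Aliases_NotInitialized_Unencrypted_Failure() throws Exception {
        try {
            mKeyStore.aliases();
            fail("KeyStore should throw exception when not initialized");
        } catch (KeyStoreException success) {
            // Expected: setUp() leaves mKeyStore without a load() call.
        }
    }

    /** containsAlias() reports stored private-key and CA entries and rejects an unused alias. */
    public void testKeyStore_ContainsAliases_PrivateAndCA_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        assertAliases(new String[] {});

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertTrue("Should contain generated private key", mKeyStore.containsAlias(TEST_ALIAS_1));

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));

        assertFalse("Should not contain unadded certificate alias",
                mKeyStore.containsAlias(TEST_ALIAS_3));
    }

    /** containsAlias() reports a CA entry when it is the only entry in the store. */
    public void testKeyStore_ContainsAliases_CAOnly_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);

        assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));
    }

    /** containsAlias() is false for an alias in an empty store. */
    public void testKeyStore_ContainsAliases_NonExistent_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        // The original message claimed the opposite of what assertFalse checks.
        assertFalse("Should not contain alias that was never added",
                mKeyStore.containsAlias(TEST_ALIAS_1));
    }

    /** Deleting entries one by one removes exactly the named alias each time. */
    public void testKeyStore_DeleteEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        // TEST_ALIAS_2
        mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));

        // TEST_ALIAS_3
        mKeyStore.setCertificateEntry(TEST_ALIAS_3, generateCertificate(FAKE_RSA_CA_1));

        assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

        mKeyStore.deleteEntry(TEST_ALIAS_1);

        assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

        mKeyStore.deleteEntry(TEST_ALIAS_3);

        assertAliases(new String[] { TEST_ALIAS_2 });

        mKeyStore.deleteEntry(TEST_ALIAS_2);

        assertAliases(new String[] { });
    }

    /** Deleting from an empty store is a no-op rather than an error. */
    public void testKeyStore_DeleteEntry_EmptyStore_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // Should not throw when a non-existent entry is requested for delete.
        mKeyStore.deleteEntry(TEST_ALIAS_1);
    }

    /** Deleting an unknown alias from a populated store is a no-op rather than an error. */
    public void testKeyStore_DeleteEntry_NonExistent_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        // Should not throw when a non-existent entry is requested for delete.
        mKeyStore.deleteEntry(TEST_ALIAS_2);
    }

    /** A stored certificate entry is returned unchanged; an unknown alias yields null. */
    public void testKeyStore_GetCertificate_Single_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

        assertAliases(new String[] { TEST_ALIAS_1 });

        assertNull("Certificate should not exist in keystore",
                mKeyStore.getCertificate(TEST_ALIAS_2));

        Certificate retrieved = mKeyStore.getCertificate(TEST_ALIAS_1);

        assertNotNull("Retrieved certificate should not be null", retrieved);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        assertEquals("Actual and retrieved certificates should be the same", actual, retrieved);
    }

    /** getCertificate() returns null for an alias in an empty store. */
    public void testKeyStore_GetCertificate_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        assertNull("Certificate should not exist in keystore",
                mKeyStore.getCertificate(TEST_ALIAS_1));
    }

    /** getCertificateAlias() finds the alias of a stored trusted certificate. */
    public void testKeyStore_GetCertificateAlias_CAEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        Certificate cert = generateCertificate(FAKE_RSA_CA_1);
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
                mKeyStore.getCertificateAlias(cert));
    }

    /** getCertificateAlias() finds a private-key entry by its user (leaf) certificate. */
    public void testKeyStore_GetCertificateAlias_PrivateKeyEntry_Unencrypted_Success()
            throws Exception {
        mKeyStore.load(null, null);

        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
                mKeyStore.getCertificateAlias(actual));
    }

    /**
     * When a CA certificate is stored as a trusted entry and also appears in the chain of a
     * private-key entry, the lookup for the CA certificate must resolve to the trusted entry's
     * alias and not to the private-key entry.
     */
    public void testKeyStore_GetCertificateAlias_CAEntry_WithPrivateKeyUsingCA_Unencrypted_Success()
            throws Exception {
        mKeyStore.load(null, null);

        Certificate actual = generateCertificate(FAKE_RSA_CA_1);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_2, actual);

        // Insert PrivateKeyEntry that uses the same CA
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        assertEquals("Stored certificate alias should be found", TEST_ALIAS_2,
                mKeyStore.getCertificateAlias(actual));
    }

    /** getCertificateAlias() returns null when the store is empty. */
    public void testKeyStore_GetCertificateAlias_NonExist_Empty_Unencrypted_Failure()
            throws Exception {
        mKeyStore.load(null, null);

        CertificateFactory f = CertificateFactory.getInstance("X.509");
        Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateAlias(actual));
    }

    /** getCertificateAlias() returns null for a certificate that was never stored. */
    public void testKeyStore_GetCertificateAlias_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        Certificate ca = generateCertificate(FAKE_RSA_CA_1);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, ca);

        Certificate userCert = generateCertificate(FAKE_RSA_USER_1);

        // The original message said "should be found", contradicting the assertNull.
        assertNull("Stored certificate alias should not be found",
                mKeyStore.getCertificateAlias(userCert));
    }

    /**
     * The chain of a stored private-key entry is returned in order (user certificate first,
     * then CA); an unknown alias yields null.
     */
    public void testKeyStore_GetCertificateChain_SingleLength_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Certificate[] expected = new Certificate[2];
        expected[0] = generateCertificate(FAKE_RSA_USER_1);
        expected[1] = generateCertificate(FAKE_RSA_CA_1);

        Certificate[] actual = mKeyStore.getCertificateChain(TEST_ALIAS_1);

        assertNotNull("Returned certificate chain should not be null", actual);
        assertEquals("Returned certificate chain should be correct size", expected.length,
                actual.length);
        assertEquals("First certificate should be user certificate", expected[0], actual[0]);
        assertEquals("Second certificate should be CA certificate", expected[1], actual[1]);

        // Negative test when keystore is populated.
        assertNull("Certificate chain should not be found for unknown alias",
                mKeyStore.getCertificateChain(TEST_ALIAS_2));
    }

    /** getCertificateChain() returns null for an alias in an empty store. */
    public void testKeyStore_GetCertificateChain_NonExist_Unencrypted_Failure() throws Exception {
        mKeyStore.load(null, null);

        assertNull("Certificate chain should not be found for unknown alias",
                mKeyStore.getCertificateChain(TEST_ALIAS_1));
    }

    /**
     * The creation date of a freshly stored private-key entry lies within
     * {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_PrivateKeyEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        // Fail with a clear message instead of a NullPointerException below.
        assertNotNull("Creation date should be available for the private key entry", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }

    /**
     * The creation date of a freshly stored trusted-certificate entry lies within
     * {@code SLOP_TIME_MILLIS} of the current time.
     */
    public void testKeyStore_GetCreationDate_CAEntry_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // Insert TrustedCertificateEntry with CA name
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

        Date now = new Date();
        Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
        assertNotNull("Certificate should be found", actual);

        Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
        Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);

        assertTrue("Time should be close to current time", actual.before(expectedBefore));
        assertTrue("Time should be close to current time", actual.after(expectedAfter));
    }

    /** getEntry() with null parameters returns the stored RSA private-key entry. */
    public void testKeyStore_GetEntry_NullParams_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Entry should exist", entry);

        assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);

        PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;

        assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
    }

    /** getEntry() with null parameters returns the stored EC private-key entry. */
    public void testKeyStore_GetEntry_EC_NullParams_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserEcKey1(), null);

        Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Entry should exist", entry);

        assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);

        PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;

        assertPrivateKeyEntryEquals(keyEntry, "EC", FAKE_EC_KEY_1, FAKE_EC_USER_1, FAKE_EC_CA_1);
    }

    /**
     * Same scenario as {@link #testKeyStore_GetEntry_NullParams_Unencrypted_Success()}, kept
     * as the explicitly named RSA counterpart of the EC test.
     */
    public void testKeyStore_GetEntry_RSA_NullParams_Unencrypted_Success() throws Exception {
        mKeyStore.load(null, null);

        // TEST_ALIAS_1
        mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

        Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
        assertNotNull("Entry should exist", entry);

        assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);

        PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;

        assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
                FAKE_RSA_CA_1);
    }

    /**
     * Decodes the expected key, certificate and optional CA chain from their encoded fixtures
     * and delegates to the overload that compares them with {@code keyEntry}.
     *
     * @param keyEntry the entry read back from the keystore
     * @param keyType JCA key algorithm name of {@code key}
     * @param key PKCS#8 DER encoding of the expected private key
     * @param cert DER encoding of the expected user certificate
     * @param ca DER encoding of the expected CA certificate(s), or {@code null} if the chain
     *        is expected to contain only the user certificate
     */
    @SuppressWarnings("unchecked")
    private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, String keyType, byte[] key,
            byte[] cert, byte[] ca) throws Exception {
        KeyFactory keyFact = KeyFactory.getInstance(keyType);
        PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(key));

        CertificateFactory certFact = CertificateFactory.getInstance("X.509");
        Certificate expectedCert = certFact.generateCertificate(new ByteArrayInputStream(cert));

        final Collection<Certificate> expectedChain;
        if (ca != null) {
            // Unchecked cast from Collection<? extends Certificate>; the collection is only
            // handed on for comparison.
            expectedChain = (Collection<Certificate>) certFact
                    .generateCertificates(new ByteArrayInputStream(ca));
        } else {
            expectedChain = null;
        }

        assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, expectedChain);
    }
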
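/**
 * Checks a {@link PrivateKeyEntry} retrieved from the keystore against the expected key,
 * leaf certificate and CA chain.
 *
 * <p>The private key is compared only through public parameters (curve for EC, modulus for
 * RSA), because the test also requires {@code getFormat()} and {@code getEncoded()} to return
 * {@code null} for the retrieved key. The EC curve comparison alone does not distinguish two
 * keys on the same curve; the leaf-certificate equality asserted further down is what ties
 * the entry to one specific public key.
 *
 * @param keyEntry      entry retrieved from the keystore
 * @param expectedKey   key that was inserted
 * @param expectedCert  leaf certificate that was inserted
 * @param expectedChain CA certificates expected after the leaf, or {@code null} when the
 *                      chain is expected to contain the leaf only
 */
private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, PrivateKey expectedKey,
        Certificate expectedCert, Collection<Certificate> expectedChain) throws Exception {
    final PrivateKey privKey = keyEntry.getPrivateKey();
    final PublicKey pubKey = keyEntry.getCertificate().getPublicKey();

    if (expectedKey instanceof ECKey) {
        assertTrue("Returned PrivateKey " + privKey.getClass() + " should be instanceof ECKey",
                privKey instanceof ECKey);
        assertEquals("Returned PrivateKey should be what we inserted",
                ((ECKey) expectedKey).getParams().getCurve(),
                ((ECKey) privKey).getParams().getCurve());
    } else if (expectedKey instanceof RSAKey) {
        assertTrue("Returned PrivateKey " + privKey.getClass() + " should be instanceof RSAKey",
                privKey instanceof RSAKey);
        assertEquals("Returned PrivateKey should be what we inserted",
                ((RSAKey) expectedKey).getModulus(),
                ((RSAKey) privKey).getModulus());
    }

    // The retrieved private key must not expose an encoded form.
    assertNull("getFormat() should return null", privKey.getFormat());
    assertNull("getEncoded() should return null", privKey.getEncoded());

    assertEquals("Public keys should be in X.509 format", "X.509", pubKey.getFormat());
    assertNotNull("Public keys should be encodable", pubKey.getEncoded());

    assertEquals("Returned Certificate should be what we inserted", expectedCert,
            keyEntry.getCertificate());

    Certificate[] actualChain = keyEntry.getCertificateChain();

    assertEquals("First certificate in chain should be user cert", expectedCert, actualChain[0]);

    if (expectedChain == null) {
        assertEquals("Certificate chain should not include CAs", 1, actualChain.length);
    } else {
        assertEquals("Chains should be the same size", expectedChain.size() + 1,
                actualChain.length);
        // Index 0 is the leaf, so the CA certificates are compared from index 1 onwards.
        int i = 1;
        final Iterator<Certificate> it = expectedChain.iterator();
        while (it.hasNext() && i < actualChain.length) {
            assertEquals("CA chain certificate should equal what we put in", it.next(),
                    actualChain[i++]);
        }
    }
}

/** Checks that {@code getEntry} returns {@code null} for an alias that was never stored. */
public void testKeyStore_GetEntry_Nonexistent_NullParams_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    assertNull("A non-existent entry should return null",
            mKeyStore.getEntry(TEST_ALIAS_1, null));
}

/**
 * Stores the RSA test entry and checks that {@code getKey} with a null password returns an
 * RSA private key whose modulus matches FAKE_RSA_KEY_1.
 */
public void testKeyStore_GetKey_NoPassword_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // TEST_ALIAS_1
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    Key key = mKeyStore.getKey(TEST_ALIAS_1, null);
    assertNotNull("Key should exist", key);

    assertTrue("Should be a PrivateKey", key instanceof PrivateKey);
    assertTrue("Should be a RSAKey", key instanceof RSAKey);

    RSAKey actualKey = (RSAKey) key;

    KeyFactory keyFact = KeyFactory.getInstance("RSA");
    PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    assertEquals("Inserted key should be same as retrieved key",
            ((RSAKey) expectedKey).getModulus(), actualKey.getModulus());
}

/** Checks that {@code getKey} returns {@code null} for a trusted-certificate entry. */
public void testKeyStore_GetKey_Certificate_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    // Insert TrustedCertificateEntry with CA name
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertNull("Certificate entries should return null", mKeyStore.getKey(TEST_ALIAS_1, null));
}

/** Checks that {@code getKey} returns {@code null} for an alias that was never stored. */
public void testKeyStore_GetKey_NonExistent_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    assertNull("A non-existent entry should return null", mKeyStore.getKey(TEST_ALIAS_1, null));
}

/** Checks that the keystore under test reports the provider name "AndroidKeyStore". */
public void testKeyStore_GetProvider_Unencrypted_Success() throws Exception {
    assertEquals("AndroidKeyStore", mKeyStore.getProvider().getName());
}

/** Checks that the keystore under test reports the type "AndroidKeyStore". */
public void testKeyStore_GetType_Unencrypted_Success() throws Exception {
    assertEquals("AndroidKeyStore", mKeyStore.getType());
}

/** Checks that {@code isCertificateEntry} is true for a stored CA certificate. */
public void testKeyStore_IsCertificateEntry_CA_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // Insert TrustedCertificateEntry with CA name
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertTrue("Should return true for CA certificate",
            mKeyStore.isCertificateEntry(TEST_ALIAS_1));
}

/** Checks that {@code isCertificateEntry} is false for a stored private-key entry. */
public void testKeyStore_IsCertificateEntry_PrivateKey_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    // TEST_ALIAS_1
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    assertFalse("Should return false for PrivateKeyEntry",
            mKeyStore.isCertificateEntry(TEST_ALIAS_1));
}

/** Checks that {@code isCertificateEntry} is false for an alias that was never stored. */
public void testKeyStore_IsCertificateEntry_NonExist_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    assertFalse("Should return false for non-existent entry",
            mKeyStore.isCertificateEntry(TEST_ALIAS_1));
}

/** Checks that {@code isKeyEntry} is true for a stored private-key entry. */
public void testKeyStore_IsKeyEntry_PrivateKey_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    // TEST_ALIAS_1
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    assertTrue("Should return true for PrivateKeyEntry", mKeyStore.isKeyEntry(TEST_ALIAS_1));
}

/** Checks that {@code isKeyEntry} is false for a stored CA certificate. */
public void testKeyStore_IsKeyEntry_CA_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertFalse("Should return false for CA certificate", mKeyStore.isKeyEntry(TEST_ALIAS_1));
}

/** Checks that {@code isKeyEntry} is false for an alias that was never stored. */
public void testKeyStore_IsKeyEntry_NonExist_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    assertFalse("Should return false for non-existent entry",
            mKeyStore.isKeyEntry(TEST_ALIAS_1));
}

/**
 * Stores a CA certificate and checks that it is the only alias and that the same certificate
 * is read back.
 */
public void testKeyStore_SetCertificate_CA_Unencrypted_Success() throws Exception {
    final Certificate actual = generateCertificate(FAKE_RSA_CA_1);

    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, actual);
    assertAliases(new String[] { TEST_ALIAS_1 });

    Certificate retrieved = mKeyStore.getCertificate(TEST_ALIAS_1);

    assertEquals("Retrieved certificate should be the same as the one inserted", actual,
            retrieved);
}

/**
 * Stores a CA certificate twice under the same alias and checks that the alias list is
 * unchanged. Both writes use FAKE_RSA_CA_1, so this test cannot tell whether the second
 * write actually replaced the first (see the TODO below).
 */
public void testKeyStore_SetCertificate_CAExists_Overwrite_Unencrypted_Success()
        throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));

    assertAliases(new String[] { TEST_ALIAS_1 });

    final Certificate cert = generateCertificate(FAKE_RSA_CA_1);

    // TODO have separate FAKE_CA for second test
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);

    assertAliases(new String[] { TEST_ALIAS_1 });
}

/**
 * Checks that {@code setCertificateEntry} refuses to overwrite an existing private-key entry
 * and that the private-key entry is still present afterwards.
 */
public void testKeyStore_SetCertificate_PrivateKeyExists_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    assertAliases(new String[] { TEST_ALIAS_1 });

    final Certificate cert = generateCertificate(FAKE_RSA_CA_1);

    try {
        mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);
        fail("Should throw when trying to overwrite a PrivateKey entry with a Certificate");
    } catch (KeyStoreException success) {
        // Expected: a certificate must not replace a private-key entry.
    }

    // A rejected overwrite must not have removed or replaced the key as a side effect.
    assertTrue("Rejected overwrite should leave the PrivateKeyEntry in place",
            mKeyStore.isKeyEntry(TEST_ALIAS_1));
}

/**
 * Builds a {@link PrivateKeyEntry} from the RSA test vectors, stores it with null protection
 * parameters and checks that the entry read back matches.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);

    KeyFactory keyFact = KeyFactory.getInstance("RSA");
    PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate[] expectedChain = new Certificate[2];
    expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
    expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain);

    mKeyStore.setEntry(TEST_ALIAS_1, expected, null);

    Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull("Retrieved entry should exist", actualEntry);

    assertTrue("Retrieved entry should be of type PrivateKeyEntry",
            actualEntry instanceof PrivateKeyEntry);

    PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;

    assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
}

/**
 * Checks that storing an entry with {@code setEncryptionRequired(true)} is rejected while no
 * secure lock screen is configured, and that no entry is left behind under the alias.
 *
 * <p>Precondition asserted by the test itself: {@code KeyguardManager.isDeviceSecure()} must
 * be false on the device under test.
 */
public void testKeyStore_SetEntry_PrivateKeyEntry_Params_Unencrypted_Failure() throws Exception {
    // The Android Keystore requires encrypted storage which is only decryptable with a key
    // bound to a credential provided by the user. By default, the Keystore waits for the user
    // to set a lock screen PIN or password and uses this credential to set up an encrypted
    // storage space itself. In that implementation, the Keystore should not be initialized when
    // no lock screen PIN or password has been set. This is what the test verifies.
    //
    // If your environment already provides encrypted storage which is only decryptable with a
    // key bound to another credential provided by the user, you may initialize the Keystore
    // immediately and get a waiver for this test.
    KeyguardManager keyguardManager =
            (KeyguardManager) getContext().getSystemService(Context.KEYGUARD_SERVICE);
    assertNotNull(keyguardManager);
    assertFalse("Secure lock screen must not be configured", keyguardManager.isDeviceSecure());

    mKeyStore.load(null, null);

    KeyFactory keyFact = KeyFactory.getInstance("RSA");
    PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));

    final CertificateFactory f = CertificateFactory.getInstance("X.509");

    final Certificate[] expectedChain = new Certificate[2];
    expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
    expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));

    PrivateKeyEntry entry = new PrivateKeyEntry(expectedKey, expectedChain);

    try {
        mKeyStore.setEntry(TEST_ALIAS_1, entry,
                new KeyStoreParameter.Builder(getContext())
                .setEncryptionRequired(true)
                .build());
        fail("Shouldn't be able to insert encrypted entry when KeyStore uninitialized");
    } catch (KeyStoreException expected) {
        // Expected: encryption was required but cannot be provided.
    }

    // The rejected write must not have stored the key without the requested encryption.
    assertNull(mKeyStore.getEntry(TEST_ALIAS_1, null));
}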
public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success() 1388 throws Exception { 1389 mKeyStore.load(null, null); 1390 1391 final KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1392 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1393 1394 // Start with PrivateKeyEntry 1395 { 1396 PrivateKey expectedKey = keyFact 1397 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1398 1399 final Certificate[] expectedChain = new Certificate[2]; 1400 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1401 expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1402 1403 PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain); 1404 1405 mKeyStore.setEntry(TEST_ALIAS_1, expected, null); 1406 1407 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1408 assertNotNull("Retrieved entry should exist", actualEntry); 1409 1410 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1411 actualEntry instanceof PrivateKeyEntry); 1412 1413 PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry; 1414 1415 assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1416 FAKE_RSA_CA_1); 1417 } 1418 1419 // TODO make entirely new test vector for the overwrite 1420 // Replace with PrivateKeyEntry 1421 { 1422 PrivateKey expectedKey = keyFact 1423 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1424 1425 final Certificate[] expectedChain = new Certificate[2]; 1426 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1427 expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1428 1429 PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain); 1430 1431 mKeyStore.setEntry(TEST_ALIAS_1, expected, null); 1432 1433 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1434 assertNotNull("Retrieved entry should exist", 
actualEntry); 1435 1436 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1437 actualEntry instanceof PrivateKeyEntry); 1438 1439 PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry; 1440 1441 assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1442 FAKE_RSA_CA_1); 1443 } 1444 } 1445 testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()1446 public void testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success() 1447 throws Exception { 1448 mKeyStore.load(null, null); 1449 1450 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1451 1452 // Start with TrustedCertificateEntry 1453 { 1454 final Certificate caCert = f 1455 .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1456 1457 TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert); 1458 mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null); 1459 1460 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1461 assertNotNull("Retrieved entry should exist", actualEntry); 1462 assertTrue("Retrieved entry should be of type TrustedCertificateEntry", 1463 actualEntry instanceof TrustedCertificateEntry); 1464 TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry; 1465 assertEquals("Stored and retrieved certificates should be the same", 1466 expectedCertEntry.getTrustedCertificate(), 1467 actualCertEntry.getTrustedCertificate()); 1468 } 1469 1470 // Replace with PrivateKeyEntry 1471 { 1472 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1473 PrivateKey expectedKey = keyFact 1474 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1475 final Certificate[] expectedChain = new Certificate[2]; 1476 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1477 expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1478 1479 PrivateKeyEntry expectedPrivEntry = new 
PrivateKeyEntry(expectedKey, expectedChain); 1480 1481 mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null); 1482 1483 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1484 assertNotNull("Retrieved entry should exist", actualEntry); 1485 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1486 actualEntry instanceof PrivateKeyEntry); 1487 1488 PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry; 1489 assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1490 FAKE_RSA_CA_1); 1491 } 1492 } 1493 testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Unencrypted_Success()1494 public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Unencrypted_Success() 1495 throws Exception { 1496 mKeyStore.load(null, null); 1497 1498 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1499 1500 final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1501 1502 // Start with PrivateKeyEntry 1503 { 1504 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1505 PrivateKey expectedKey = keyFact 1506 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1507 final Certificate[] expectedChain = new Certificate[2]; 1508 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1509 expectedChain[1] = caCert; 1510 1511 PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain); 1512 1513 mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null); 1514 1515 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1516 assertNotNull("Retrieved entry should exist", actualEntry); 1517 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1518 actualEntry instanceof PrivateKeyEntry); 1519 1520 PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry; 1521 assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1522 FAKE_RSA_CA_1); 1523 } 1524 1525 // Replace 
with TrustedCertificateEntry 1526 { 1527 TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert); 1528 mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null); 1529 1530 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1531 assertNotNull("Retrieved entry should exist", actualEntry); 1532 assertTrue("Retrieved entry should be of type TrustedCertificateEntry", 1533 actualEntry instanceof TrustedCertificateEntry); 1534 TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry; 1535 assertEquals("Stored and retrieved certificates should be the same", 1536 expectedCertEntry.getTrustedCertificate(), 1537 actualCertEntry.getTrustedCertificate()); 1538 } 1539 } 1540 testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Unencrypted_Success()1541 public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Unencrypted_Success() 1542 throws Exception { 1543 mKeyStore.load(null, null); 1544 1545 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1546 1547 final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1548 1549 // Start with PrivateKeyEntry 1550 { 1551 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1552 PrivateKey expectedKey = keyFact 1553 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1554 final Certificate[] expectedChain = new Certificate[2]; 1555 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1556 expectedChain[1] = caCert; 1557 1558 PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain); 1559 1560 mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null); 1561 1562 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1563 assertNotNull("Retrieved entry should exist", actualEntry); 1564 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1565 actualEntry instanceof PrivateKeyEntry); 1566 1567 PrivateKeyEntry 
actualPrivEntry = (PrivateKeyEntry) actualEntry; 1568 assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1569 FAKE_RSA_CA_1); 1570 } 1571 1572 // Replace with PrivateKeyEntry that has no chain 1573 { 1574 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1575 PrivateKey expectedKey = keyFact 1576 .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1577 final Certificate[] expectedChain = new Certificate[1]; 1578 expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1579 1580 PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain); 1581 1582 mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null); 1583 1584 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1585 assertNotNull("Retrieved entry should exist", actualEntry); 1586 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1587 actualEntry instanceof PrivateKeyEntry); 1588 1589 PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry; 1590 assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1591 null); 1592 } 1593 } 1594 testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Unencrypted_Success()1595 public void testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Unencrypted_Success() 1596 throws Exception { 1597 mKeyStore.load(null, null); 1598 1599 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1600 1601 // Insert TrustedCertificateEntry 1602 { 1603 final Certificate caCert = f 1604 .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1605 1606 TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert); 1607 mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null); 1608 1609 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1610 assertNotNull("Retrieved entry should exist", actualEntry); 1611 assertTrue("Retrieved entry should be of type TrustedCertificateEntry", 1612 actualEntry instanceof 
TrustedCertificateEntry); 1613 TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry; 1614 assertEquals("Stored and retrieved certificates should be the same", 1615 expectedCertEntry.getTrustedCertificate(), 1616 actualCertEntry.getTrustedCertificate()); 1617 } 1618 1619 // Replace with TrustedCertificateEntry of USER 1620 { 1621 final Certificate userCert = f.generateCertificate(new ByteArrayInputStream( 1622 FAKE_RSA_USER_1)); 1623 1624 TrustedCertificateEntry expectedUserEntry = new TrustedCertificateEntry(userCert); 1625 mKeyStore.setEntry(TEST_ALIAS_1, expectedUserEntry, null); 1626 1627 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1628 assertNotNull("Retrieved entry should exist", actualEntry); 1629 assertTrue("Retrieved entry should be of type TrustedCertificateEntry", 1630 actualEntry instanceof TrustedCertificateEntry); 1631 TrustedCertificateEntry actualUserEntry = (TrustedCertificateEntry) actualEntry; 1632 assertEquals("Stored and retrieved certificates should be the same", 1633 expectedUserEntry.getTrustedCertificate(), 1634 actualUserEntry.getTrustedCertificate()); 1635 } 1636 } 1637 testKeyStore_SetKeyEntry_ProtectedKey_Unencrypted_Failure()1638 public void testKeyStore_SetKeyEntry_ProtectedKey_Unencrypted_Failure() throws Exception { 1639 mKeyStore.load(null, null); 1640 1641 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1642 1643 final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1644 1645 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1646 PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1647 final Certificate[] chain = new Certificate[2]; 1648 chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1649 chain[1] = caCert; 1650 1651 try { 1652 mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, "foo".toCharArray(), chain); 1653 fail("Should fail when a password is specified"); 1654 } 
catch (KeyStoreException success) { 1655 } 1656 } 1657 testKeyStore_SetKeyEntry_Unencrypted_Success()1658 public void testKeyStore_SetKeyEntry_Unencrypted_Success() throws Exception { 1659 mKeyStore.load(null, null); 1660 1661 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1662 1663 final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1664 1665 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1666 PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1667 final Certificate[] chain = new Certificate[2]; 1668 chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1669 chain[1] = caCert; 1670 1671 mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain); 1672 1673 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1674 assertNotNull("Retrieved entry should exist", actualEntry); 1675 1676 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1677 actualEntry instanceof PrivateKeyEntry); 1678 1679 PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry; 1680 1681 assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1); 1682 } 1683 testKeyStore_SetKeyEntry_Replaced_Unencrypted_Success()1684 public void testKeyStore_SetKeyEntry_Replaced_Unencrypted_Success() throws Exception { 1685 mKeyStore.load(null, null); 1686 1687 final CertificateFactory f = CertificateFactory.getInstance("X.509"); 1688 1689 final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1)); 1690 1691 // Insert initial key 1692 { 1693 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1694 PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1695 final Certificate[] chain = new Certificate[2]; 1696 chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1697 chain[1] = caCert; 1698 1699 mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain); 1700 
1701 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1702 assertNotNull("Retrieved entry should exist", actualEntry); 1703 1704 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1705 actualEntry instanceof PrivateKeyEntry); 1706 1707 PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry; 1708 1709 assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1710 FAKE_RSA_CA_1); 1711 } 1712 1713 // TODO make a separate key 1714 // Replace key 1715 { 1716 KeyFactory keyFact = KeyFactory.getInstance("RSA"); 1717 PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)); 1718 final Certificate[] chain = new Certificate[2]; 1719 chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1)); 1720 chain[1] = caCert; 1721 1722 mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain); 1723 1724 Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1725 assertNotNull("Retrieved entry should exist", actualEntry); 1726 1727 assertTrue("Retrieved entry should be of type PrivateKeyEntry", 1728 actualEntry instanceof PrivateKeyEntry); 1729 1730 PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry; 1731 1732 assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, 1733 FAKE_RSA_CA_1); 1734 } 1735 } 1736 testKeyStore_SetKeyEntry_ReplacedChain_Unencrypted_Success()1737 public void testKeyStore_SetKeyEntry_ReplacedChain_Unencrypted_Success() throws Exception { 1738 mKeyStore.load(null, null); 1739 1740 // Create key #1 1741 { 1742 KeyStore.PrivateKeyEntry privEntry = makeUserRsaKey1(); 1743 mKeyStore.setEntry(TEST_ALIAS_1, privEntry, null); 1744 1745 Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1746 1747 assertTrue(entry instanceof PrivateKeyEntry); 1748 1749 PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; 1750 1751 ArrayList<Certificate> chain = new ArrayList<Certificate>(); 1752 chain.add(generateCertificate(FAKE_RSA_CA_1)); 1753 
assertPrivateKeyEntryEquals(keyEntry, privEntry.getPrivateKey(), 1754 privEntry.getCertificate(), chain); 1755 } 1756 1757 // Replace key #1 with new chain 1758 { 1759 Key key = mKeyStore.getKey(TEST_ALIAS_1, null); 1760 1761 assertTrue(key instanceof PrivateKey); 1762 1763 PrivateKey expectedKey = (PrivateKey) key; 1764 1765 Certificate expectedCert = generateCertificate(FAKE_RSA_USER_1); 1766 1767 mKeyStore.setKeyEntry(TEST_ALIAS_1, expectedKey, null, 1768 new Certificate[] { expectedCert }); 1769 1770 Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null); 1771 1772 assertTrue(entry instanceof PrivateKeyEntry); 1773 1774 PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry; 1775 1776 assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, null); 1777 } 1778 } 1779 testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Unencrypted_Failure()1780 public void testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Unencrypted_Failure() 1781 throws Exception { 1782 mKeyStore.load(null, null); 1783 1784 // Create key #1 1785 mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null); 1786 1787 // Create key #2 1788 mKeyStore.setEntry(TEST_ALIAS_2, makeUserRsaKey1(), null); 1789 1790 1791 // Replace key #1 with key #2 1792 { 1793 Key key1 = mKeyStore.getKey(TEST_ALIAS_2, null); 1794 1795 Certificate cert = generateCertificate(FAKE_RSA_USER_1); 1796 1797 try { 1798 mKeyStore.setKeyEntry(TEST_ALIAS_1, key1, null, new Certificate[] { cert }); 1799 fail("Should not allow setting of KeyEntry with wrong PrivaetKey"); 1800 } catch (KeyStoreException success) { 1801 } 1802 } 1803 } 1804 testKeyStore_SetKeyEntry_ReplacedWithSame_UnencryptedToUnencrypted_Failure()1805 public void testKeyStore_SetKeyEntry_ReplacedWithSame_UnencryptedToUnencrypted_Failure() 1806 throws Exception { 1807 mKeyStore.load(null, null); 1808 1809 // Create key #1 1810 mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null); 1811 1812 // Replace with same 1813 Entry entry = 
mKeyStore.getEntry(TEST_ALIAS_1, null);
    mKeyStore.setEntry(TEST_ALIAS_1, entry, null);
}

/**
 * Checks that {@code size()} and the alias listing follow every insertion and deletion
 * made through the keystore.
 */
public void testKeyStore_Size_Unencrypted_Success() throws Exception {
    final String sizeMessage = "The keystore size should match expected";

    mKeyStore.load(null, null);

    // Two trusted-certificate entries, both built from the same CA bytes.
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
    assertEquals(sizeMessage, 1, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1 });

    mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));
    assertEquals(sizeMessage, 2, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });

    // The third entry is whatever makeUserRsaKey1() returns.
    mKeyStore.setEntry(TEST_ALIAS_3, makeUserRsaKey1(), null);
    assertEquals(sizeMessage, 3, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });

    // Deleting entries has to shrink the store again.
    mKeyStore.deleteEntry(TEST_ALIAS_1);
    assertEquals(sizeMessage, 2, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });

    mKeyStore.deleteEntry(TEST_ALIAS_3);
    assertEquals(sizeMessage, 1, mKeyStore.size());
    assertAliases(new String[] { TEST_ALIAS_2 });
}

/**
 * Expects {@code store(LoadStoreParameter)} to be rejected with
 * {@link UnsupportedOperationException}.
 */
public void testKeyStore_Store_LoadStoreParam_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    boolean rejected = false;
    try {
        mKeyStore.store(null);
    } catch (UnsupportedOperationException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Should throw UnsupportedOperationException when trying to store");
    }
}

/**
 * Expects {@code load} to reject a caller-supplied input stream with
 * {@link IllegalArgumentException}.
 */
public void testKeyStore_Load_InputStreamSupplied_Unencrypted_Failure() throws Exception {
    ByteArrayInputStream bogusKeystore = new ByteArrayInputStream("FAKE KEYSTORE".getBytes());

    boolean rejected = false;
    try {
        mKeyStore.load(bogusKeystore, null);
    } catch (IllegalArgumentException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Should throw IllegalArgumentException when InputStream is supplied");
    }
}

/**
 * Expects {@code load} to reject a caller-supplied password with
 * {@link IllegalArgumentException}.
 */
public void testKeyStore_Load_PasswordSupplied_Unencrypted_Failure() throws Exception {
    boolean rejected = false;
    try {
        mKeyStore.load(null, "password".toCharArray());
    } catch (IllegalArgumentException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Should throw IllegalArgumentException when password is supplied");
    }
}

/**
 * Expects {@code store(OutputStream, char[])} to be rejected with
 * {@link UnsupportedOperationException}, both without and with a password.
 */
public void testKeyStore_Store_OutputStream_Unencrypted_Failure() throws Exception {
    mKeyStore.load(null, null);

    OutputStream target = new ByteArrayOutputStream();

    // First attempt: no password.
    boolean rejectedWithoutPassword = false;
    try {
        mKeyStore.store(target, null);
    } catch (UnsupportedOperationException expected) {
        rejectedWithoutPassword = true;
    }
    if (!rejectedWithoutPassword) {
        fail("Should throw UnsupportedOperationException when trying to store");
    }

    // Second attempt: with a password.
    boolean rejectedWithPassword = false;
    try {
        mKeyStore.store(target, "blah".toCharArray());
    } catch (UnsupportedOperationException expected) {
        rejectedWithPassword = true;
    }
    if (!rejectedWithPassword) {
        fail("Should throw UnsupportedOperationException when trying to store");
    }
}

/**
 * Wraps a secret key with the public key of a stored RSA entry, unwraps it with the
 * entry's private key, and checks that the encoded key bytes survive the round trip.
 */
public void testKeyStore_KeyOperations_Wrap_Unencrypted_Success() throws Exception {
    mKeyStore.load(null, null);
    mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);

    // Read the entry back and make sure it is usable as a private-key entry.
    Entry storedEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
    assertNotNull(storedEntry);
    assertTrue(storedEntry instanceof PrivateKeyEntry);

    PrivateKeyEntry keyEntry = (PrivateKeyEntry) storedEntry;
    PrivateKey unwrappingKey = keyEntry.getPrivateKey();
    assertNotNull(unwrappingKey);

    PublicKey wrappingKey = keyEntry.getCertificate().getPublicKey();

    Cipher rsaCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    rsaCipher.init(Cipher.WRAP_MODE, wrappingKey);

    // Arbitrary payload; it is only labelled "AES" for the wrap/unwrap API.
    byte[] rawSecret = new byte[] {
            0x00, 0x05, (byte) 0xAA, (byte) 0x0A5, (byte) 0xFF, 0x55, 0x0A
    };
    SecretKey originalSecret = new TransparentSecretKey(rawSecret, "AES");

    byte[] wrapped = rsaCipher.wrap(originalSecret);

    // The same Cipher object is re-initialised for the opposite direction.
    rsaCipher.init(Cipher.UNWRAP_MODE, unwrappingKey);
    SecretKey recoveredSecret =
            (SecretKey) rsaCipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

    String before = Arrays.toString(originalSecret.getEncoded());
    String after = Arrays.toString(recoveredSecret.getEncoded());
    assertEquals(before, after);
}

/**
 * Generates an RSA key pair in AndroidKeyStore and checks that unpadded RSA rejects an
 * input that is too large for the modulus.
 *
 * <p>"NONE/NOPADDING" is raw RSA; it is exercised here to pin down provider behaviour.
 */
public void testKeyStore_Encrypting_RSA_NONE_NOPADDING() throws Exception {
    final String keyAlias = "MyKey";

    KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
    assertNotNull(androidKeyStore);
    androidKeyStore.load(null);

    // Calendar months are zero-based: (1944, 5, 6) is 6 June 1944 and (1945, 8, 2) is
    // 2 September 1945. Both dates bound the self-signed certificate's validity.
    Calendar calendar = Calendar.getInstance();
    calendar.set(1944, 5, 6);
    Date validFrom = calendar.getTime();
    calendar.clear();

    calendar.set(1945, 8, 2);
    Date validUntil = calendar.getTime();

    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
    assertNotNull(generator);
    KeyPairGeneratorSpec generatorSpec = new KeyPairGeneratorSpec.Builder(mContext)
            .setAlias(keyAlias)
            .setStartDate(validFrom)
            .setEndDate(validUntil)
            .setSerialNumber(BigInteger.valueOf(1))
            .setSubject(new X500Principal("CN=test1"))
            .build();
    generator.initialize(generatorSpec);

    generator.generateKeyPair();

    PrivateKey generatedPrivateKey = (PrivateKey) androidKeyStore.getKey(keyAlias, null);
    assertNotNull(generatedPrivateKey);
    PublicKey generatedPublicKey = androidKeyStore.getCertificate(keyAlias).getPublicKey();
    assertNotNull(generatedPublicKey);

    // The cipher is initialised for ENCRYPT_MODE with the private key.
    String transformation = generatedPrivateKey.getAlgorithm() + "/NONE/NOPADDING";
    Cipher rawRsa = Cipher.getInstance(transformation);
    assertNotNull(rawRsa);
    rawRsa.init(Cipher.ENCRYPT_MODE, generatedPrivateKey);

    // The input has the byte length of the modulus and every byte set to 0xFF, so read as
    // an unsigned integer it is not smaller than the modulus.
    int modulusLengthBytes =
            (((RSAKey) generatedPublicKey).getModulus().bitLength() + 7) / 8;
    byte[] oversizedInput = new byte[modulusLengthBytes];
    Arrays.fill(oversizedInput, (byte) 0xFF);

    // A BadPaddingException is the expected outcome for such an input.
    boolean rejected = false;
    try {
        rawRsa.doFinal(oversizedInput);
    } catch (BadPaddingException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Expected BadPaddingException");
    }
}

/**
 * Stores an RSA private key with its certificate and checks that the certificate's public
 * key can initialise the listed signature and cipher transformations.
 */
public void testKeyStore_PrivateKeyEntry_RSA_PublicKeyWorksWithCrypto()
        throws Exception {
    mKeyStore.load(null, null);

    PrivateKey importedKey = KeyFactory.getInstance("RSA").generatePrivate(
            new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
    Certificate[] chain = new Certificate[] {generateCertificate(FAKE_RSA_USER_1)};
    mKeyStore.setKeyEntry(TEST_ALIAS_2,
            importedKey,
            null, // no password (it's not even supported)
            chain);

    PublicKey rsaPublicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey();
    assertNotNull(rsaPublicKey);

    // Only initialisation is checked; nothing is verified or encrypted.
    String[] signatureAlgorithms = {"SHA256withRSA", "NONEwithRSA", "SHA256withRSA/PSS"};
    for (String signatureAlgorithm : signatureAlgorithms) {
        Signature.getInstance(signatureAlgorithm).initVerify(rsaPublicKey);
    }

    String[] transformations = {
            "RSA/ECB/PKCS1Padding", "RSA/ECB/NoPadding", "RSA/ECB/OAEPPadding"
    };
    for (String transformation : transformations) {
        Cipher.getInstance(transformation).init(Cipher.ENCRYPT_MODE, rsaPublicKey);
    }
}

/**
 * Stores an EC private key with its certificate and checks that the certificate's public
 * key can initialise ECDSA signature verification.
 */
public void testKeyStore_PrivateKeyEntry_EC_PublicKeyWorksWithCrypto()
        throws Exception {
    mKeyStore.load(null, null);

    PrivateKey importedKey = KeyFactory.getInstance("EC").generatePrivate(
            new PKCS8EncodedKeySpec(FAKE_EC_KEY_1));
    Certificate[] chain = new Certificate[] {generateCertificate(FAKE_EC_USER_1)};
    mKeyStore.setKeyEntry(TEST_ALIAS_1,
            importedKey,
            null, // no password (it's not even supported)
            chain);

    PublicKey ecPublicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey();
    assertNotNull(ecPublicKey);

    // Only initialisation is checked; nothing is verified.
    String[] signatureAlgorithms = {"SHA256withECDSA", "NONEwithECDSA"};
    for (String signatureAlgorithm : signatureAlgorithms) {
        Signature.getInstance(signatureAlgorithm).initVerify(ecPublicKey);
    }
}
/**
 * Stores an RSA certificate as a trusted-certificate entry and checks that its public key
 * can initialise the listed signature and cipher transformations.
 */
public void testKeyStore_TrustedCertificateEntry_RSA_PublicKeyWorksWithCrypto()
        throws Exception {
    mKeyStore.load(null, null);
    mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_USER_1));

    PublicKey rsaPublicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey();
    assertNotNull(rsaPublicKey);

    // Only initialisation is checked; nothing is verified or encrypted.
    String[] signatureAlgorithms = {"SHA256withRSA", "NONEwithRSA"};
    for (String signatureAlgorithm : signatureAlgorithms) {
        Signature.getInstance(signatureAlgorithm).initVerify(rsaPublicKey);
    }

    String[] transformations = {"RSA/ECB/PKCS1Padding", "RSA/ECB/NoPadding"};
    for (String transformation : transformations) {
        Cipher.getInstance(transformation).init(Cipher.ENCRYPT_MODE, rsaPublicKey);
    }
}

/**
 * Stores an EC certificate as a trusted-certificate entry and checks that its public key
 * can initialise ECDSA signature verification.
 */
public void testKeyStore_TrustedCertificateEntry_EC_PublicKeyWorksWithCrypto()
        throws Exception {
    mKeyStore.load(null, null);
    mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_EC_USER_1));

    PublicKey ecPublicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey();
    assertNotNull(ecPublicKey);

    // Only initialisation is checked; nothing is verified.
    String[] signatureAlgorithms = {"SHA256withECDSA", "NONEwithECDSA"};
    for (String signatureAlgorithm : signatureAlgorithms) {
        Signature.getInstance(signatureAlgorithm).initVerify(ecPublicKey);
    }
}

// Lower bound on the number of entries the "large number of keys" tests must manage to import.
private static final int MIN_SUPPORTED_KEY_COUNT = 1500;
private static final long MINUTE_IN_MILLIS = 1000 * 60;
private static final long LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS = 2 * MINUTE_IN_MILLIS;
private static final long LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_WATCH_MILLIS = 3 * MINUTE_IN_MILLIS;

/**
 * Tells whether more than {@code durationMillis} have passed since {@code startTimeMillis}.
 *
 * <p>The check uses the wall clock ({@link System#currentTimeMillis()}). A clock reading
 * earlier than the start time is treated as "deadline reached", so a clock that was set
 * back cannot keep the caller looping.
 *
 * @param startTimeMillis start of the measured interval, in wall-clock milliseconds
 * @param durationMillis allowed length of the interval, in milliseconds
 * @return {@code true} when the interval is over or the clock moved backwards
 */
private static boolean isDeadlineReached(long startTimeMillis, long durationMillis) {
    long currentMillis = System.currentTimeMillis();
    boolean clockWentBackwards = currentMillis < startTimeMillis;
    return clockWentBackwards || (currentMillis - startTimeMillis > durationMillis);
}

@LargeTest
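public void testKeyStore_LargeNumberOfKeysSupported_RSA() throws Exception {
    // This test imports key1, then lots of other keys, then key2, and then confirms that
    // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
    // underlying implementation has a limit on the number of keys, it'll either delete the
    // oldest key (key1), or will refuse to add keys (key2).
    // The test imports as many keys as it can in a fixed amount of time instead of stopping
    // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
    // with the constraints on how long the test can run and performance differences of hardware
    // under test.

    long testStartTimeMillis = System.currentTimeMillis();

    Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key1_cert);
    PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key1_pkcs8);
    String entryName1 = "test0";

    Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key2_cert);
    PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key2_pkcs8);

    Certificate cert3 = generateCertificate(FAKE_RSA_USER_1);
    PrivateKey privateKey3 = generatePrivateKey("RSA", FAKE_RSA_KEY_1);

    mKeyStore.load(null);
    // Highest N for which an import under alias "testN" was attempted; cleanup relies on it.
    int latestImportedEntryNumber = 0;
    try {
        KeyProtection protectionParams = new KeyProtection.Builder(
                KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
                .build();
        mKeyStore.setEntry(entryName1,
                new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
                protectionParams);

        // Import key3 lots of times, under different aliases.
        while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
            latestImportedEntryNumber++;
            if ((latestImportedEntryNumber % 1000) == 0) {
                Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            }
            String entryAlias = "test" + latestImportedEntryNumber;
            try {
                mKeyStore.setEntry(entryAlias,
                        new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
                        protectionParams);
            } catch (Throwable e) {
                throw new RuntimeException("Entry " + entryAlias + " import failed", e);
            }
        }
        Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
        failIfTooFewKeysImported(latestImportedEntryNumber, testStartTimeMillis);

        latestImportedEntryNumber++;
        String entryName2 = "test" + latestImportedEntryNumber;
        mKeyStore.setEntry(entryName2,
                new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
                protectionParams);
        PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
        PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);

        byte[] message = "This is a test".getBytes("UTF-8");

        // Sign with the keystore-backed key, verify against the certificate that was
        // imported with it: this fails if the first key was evicted or replaced.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(keystorePrivateKey1);
        sig.update(message);
        byte[] signature = sig.sign();
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initVerify(cert1.getPublicKey());
        sig.update(message);
        assertTrue(sig.verify(signature));

        // Same round trip for the key imported last.
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initSign(keystorePrivateKey2);
        sig.update(message);
        signature = sig.sign();
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initVerify(cert2.getPublicKey());
        sig.update(message);
        assertTrue(sig.verify(signature));
    } finally {
        deleteImportedTestEntries(latestImportedEntryNumber);
    }
}

/**
 * EC variant of the large-number-of-keys test: imports key1, then as many copies of key3 as
 * the time budget allows, then key2, and confirms that key1 and key2 still sign correctly.
 */
@LargeTest
public void testKeyStore_LargeNumberOfKeysSupported_EC() throws Exception {
    // This test imports key1, then lots of other keys, then key2, and then confirms that
    // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
    // underlying implementation has a limit on the number of keys, it'll either delete the
    // oldest key (key1), or will refuse to add keys (key2).
    // The test imports as many keys as it can in a fixed amount of time instead of stopping
    // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
    // with the constraints on how long the test can run and performance differences of hardware
    // under test.

    long testStartTimeMillis = System.currentTimeMillis();

    Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key1_cert);
    PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key1_pkcs8);
    String entryName1 = "test0";

    Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key2_cert);
    PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key2_pkcs8);

    Certificate cert3 = generateCertificate(FAKE_EC_USER_1);
    PrivateKey privateKey3 = generatePrivateKey("EC", FAKE_EC_KEY_1);

    mKeyStore.load(null);
    // Highest N for which an import under alias "testN" was attempted; cleanup relies on it.
    int latestImportedEntryNumber = 0;
    try {
        KeyProtection protectionParams = new KeyProtection.Builder(
                KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build();
        mKeyStore.setEntry(entryName1,
                new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
                protectionParams);

        // Import key3 lots of times, under different aliases.
        while (!isDeadlineReached(
                testStartTimeMillis, mMaxTestDurationMillis)) {
            latestImportedEntryNumber++;
            if ((latestImportedEntryNumber % 1000) == 0) {
                Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            }
            String entryAlias = "test" + latestImportedEntryNumber;
            try {
                mKeyStore.setEntry(entryAlias,
                        new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
                        protectionParams);
            } catch (Throwable e) {
                throw new RuntimeException("Entry " + entryAlias + " import failed", e);
            }
        }
        Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
        failIfTooFewKeysImported(latestImportedEntryNumber, testStartTimeMillis);

        latestImportedEntryNumber++;
        String entryName2 = "test" + latestImportedEntryNumber;
        mKeyStore.setEntry(entryName2,
                new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
                protectionParams);
        PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
        PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);

        byte[] message = "This is a test".getBytes("UTF-8");

        // Sign with the keystore-backed key, verify against the certificate that was
        // imported with it: this fails if the first key was evicted or replaced.
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(keystorePrivateKey1);
        sig.update(message);
        byte[] signature = sig.sign();
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initVerify(cert1.getPublicKey());
        sig.update(message);
        assertTrue(sig.verify(signature));

        // Same round trip for the key imported last.
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initSign(keystorePrivateKey2);
        sig.update(message);
        signature = sig.sign();
        sig = Signature.getInstance(sig.getAlgorithm());
        sig.initVerify(cert2.getPublicKey());
        sig.update(message);
        assertTrue(sig.verify(signature));
    } finally {
        deleteImportedTestEntries(latestImportedEntryNumber);
    }
}

/**
 * AES variant of the large-number-of-keys test: imports key1, then as many copies of key3 as
 * the time budget allows, then key2, and confirms that key1 and key2 still encrypt correctly.
 */
@LargeTest
public void testKeyStore_LargeNumberOfKeysSupported_AES() throws Exception {
    // This test imports key1, then lots of other keys, then key2, and then confirms that
    // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
    // underlying implementation has a limit on the number of keys, it'll either delete the
    // oldest key (key1), or will refuse to add keys (key2).
    // The test imports as many keys as it can in a fixed amount of time instead of stopping
    // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
    // with the constraints on how long the test can run and performance differences of hardware
    // under test.

    long testStartTimeMillis = System.currentTimeMillis();

    // Fixed test-only key material; the plain copies are kept to decrypt outside the keystore.
    SecretKey key1 = new TransparentSecretKey(
            HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "AES");
    String entryName1 = "test0";

    SecretKey key2 = new TransparentSecretKey(
            HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "AES");

    SecretKey key3 = new TransparentSecretKey(
            HexEncoding.decode("33333333333333333333777777777777"), "AES");

    mKeyStore.load(null);
    // Highest N for which an import under alias "testN" was attempted; cleanup relies on it.
    int latestImportedEntryNumber = 0;
    try {
        KeyProtection protectionParams = new KeyProtection.Builder(
                KeyProperties.PURPOSE_ENCRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build();
        mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);

        // Import key3 lots of times, under different aliases.
        while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
            latestImportedEntryNumber++;
            if ((latestImportedEntryNumber % 1000) == 0) {
                Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            }
            String entryAlias = "test" + latestImportedEntryNumber;
            try {
                mKeyStore.setEntry(entryAlias,
                        new KeyStore.SecretKeyEntry(key3), protectionParams);
            } catch (Throwable e) {
                throw new RuntimeException("Entry " + entryAlias + " import failed", e);
            }
        }
        Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
        failIfTooFewKeysImported(latestImportedEntryNumber, testStartTimeMillis);

        latestImportedEntryNumber++;
        String entryName2 = "test" + latestImportedEntryNumber;
        mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
        SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
        SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);

        // Encrypt with the keystore-backed key, decrypt with the plain copy of the same key.
        // The parameters chosen during encryption are handed to the decrypting cipher.
        byte[] plaintext = "This is a test".getBytes("UTF-8");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, keystoreKey1);
        byte[] ciphertext = cipher.doFinal(plaintext);
        AlgorithmParameters cipherParams = cipher.getParameters();
        cipher = Cipher.getInstance(cipher.getAlgorithm());
        cipher.init(Cipher.DECRYPT_MODE, key1, cipherParams);
        MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));

        // Same round trip for the key imported last.
        cipher = Cipher.getInstance(cipher.getAlgorithm());
        cipher.init(Cipher.ENCRYPT_MODE, keystoreKey2);
        ciphertext = cipher.doFinal(plaintext);
        cipherParams = cipher.getParameters();
        cipher = Cipher.getInstance(cipher.getAlgorithm());
        cipher.init(Cipher.DECRYPT_MODE, key2, cipherParams);
        MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));
    } finally {
        deleteImportedTestEntries(latestImportedEntryNumber);
    }
}

/**
 * HMAC variant of the large-number-of-keys test: imports key1, then as many copies of key3
 * as the time budget allows, then key2, and compares the MACs produced by key1 and key2
 * with fixed expected values.
 */
@LargeTest
public void testKeyStore_LargeNumberOfKeysSupported_HMAC() throws Exception {
    // This test imports key1, then lots of other keys, then key2, and then confirms that
    // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
    // underlying implementation has a limit on the number of keys, it'll either delete the
    // oldest key (key1), or will refuse to add keys (key2).
    // The test imports as many keys as it can in a fixed amount of time instead of stopping
    // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
    // with the constraints on how long the test can run and performance differences of hardware
    // under test.

    long testStartTimeMillis = System.currentTimeMillis();

    // Fixed test-only key material.
    SecretKey key1 = new TransparentSecretKey(
            HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "HmacSHA256");
    String entryName1 = "test0";

    SecretKey key2 = new TransparentSecretKey(
            HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "HmacSHA256");

    SecretKey key3 = new TransparentSecretKey(
            HexEncoding.decode("33333333333333333333777777777777"), "HmacSHA256");

    mKeyStore.load(null);
    // Highest N for which an import under alias "testN" was attempted; cleanup relies on it.
    int latestImportedEntryNumber = 0;
    try {
        KeyProtection protectionParams = new KeyProtection.Builder(
                KeyProperties.PURPOSE_SIGN)
                .build();
        mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);

        // Import key3 lots of times, under different aliases.
        while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
            latestImportedEntryNumber++;
            if ((latestImportedEntryNumber % 1000) == 0) {
                Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
            }
            String entryAlias = "test" + latestImportedEntryNumber;
            try {
                mKeyStore.setEntry(entryAlias,
                        new KeyStore.SecretKeyEntry(key3), protectionParams);
            } catch (Throwable e) {
                throw new RuntimeException("Entry " + entryAlias + " import failed", e);
            }
        }
        Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
        failIfTooFewKeysImported(latestImportedEntryNumber, testStartTimeMillis);

        latestImportedEntryNumber++;
        String entryName2 = "test" + latestImportedEntryNumber;
        mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
        SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
        SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);

        // A MAC that differs from the fixed expected value means the keystore no longer
        // holds the key material that was imported under that alias.
        byte[] message = "This is a test".getBytes("UTF-8");
        Mac mac = Mac.getInstance(key1.getAlgorithm());
        mac.init(keystoreKey1);
        MoreAsserts.assertEquals(
                HexEncoding.decode(
                        "905e36f5a175f4ca54ad56b860b46f6502f883a90628dca2d33a953fb7224eaf"),
                mac.doFinal(message));

        mac = Mac.getInstance(key2.getAlgorithm());
        mac.init(keystoreKey2);
        MoreAsserts.assertEquals(
                HexEncoding.decode(
                        "59b57e77e4e2cb36b5c7b84af198ac004327bc549de6931a1b5505372dd8c957"),
                mac.doFinal(message));
    } finally {
        deleteImportedTestEntries(latestImportedEntryNumber);
    }
}

/**
 * Fails the running test when fewer than {@code MIN_SUPPORTED_KEY_COUNT} entries were imported.
 *
 * @param importedKeyCount number of entries imported by the bulk-import loop
 * @param testStartTimeMillis wall-clock start of the test, used for the elapsed time in the
 *        failure message
 */
private void failIfTooFewKeysImported(int importedKeyCount, long testStartTimeMillis) {
    if (importedKeyCount < MIN_SUPPORTED_KEY_COUNT) {
        fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
                + (System.currentTimeMillis() - testStartTimeMillis)
                + " ms. Imported: " + importedKeyCount + " keys");
    }
}

/**
 * Deletes the entries "test0" through "test" + {@code latestImportedEntryNumber}.
 *
 * <p>Aliases are rebuilt from the counter instead of being listed with
 * {@code KeyStore.aliases()}, which can't handle this many entries.
 *
 * @param latestImportedEntryNumber highest entry number used by the calling test
 * @throws KeyStoreException if a deletion fails; the remaining entries are then left behind
 */
private void deleteImportedTestEntries(int latestImportedEntryNumber)
        throws KeyStoreException {
    Log.i(TAG, "Deleting imported keys");
    for (int i = 0; i <= latestImportedEntryNumber; i++) {
        if ((i > 0) && ((i % 1000) == 0)) {
            Log.i(TAG, "Deleted " + i + " keys");
        }
        mKeyStore.deleteEntry("test" + i);
    }
    Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
}

/**
 * Checks that an imported HMAC key is authorized for exactly one digest: import succeeds
 * when no digest or that same digest is specified, and is expected to fail with
 * {@link KeyStoreException} for an empty set, a different digest, or more than one digest.
 */
public void testKeyStore_OnlyOneDigestCanBeAuthorized_HMAC() throws Exception {
    mKeyStore.load(null);

    for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
        if (!TestUtils.isHmacAlgorithm(algorithm)) {
            continue;
        }
        try {
            String digest = TestUtils.getHmacAlgorithmDigest(algorithm);
            assertNotNull(digest);
            SecretKey keyBeingImported = new TransparentSecretKey(new byte[16], algorithm);

            KeyProtection.Builder goodSpec =
                    new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN);

            // Digests authorization not specified in import parameters
            assertFalse(goodSpec.build().isDigestsSpecified());
            mKeyStore.setEntry(TEST_ALIAS_1,
                    new KeyStore.SecretKeyEntry(keyBeingImported),
                    goodSpec.build());
            SecretKey key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
            TestUtils.assertContentsInAnyOrder(
                    Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);

            // The same digest is specified in import parameters
            mKeyStore.setEntry(TEST_ALIAS_1,
                    new KeyStore.SecretKeyEntry(keyBeingImported),
                    TestUtils.buildUpon(goodSpec).setDigests(digest).build());
            key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
            TestUtils.assertContentsInAnyOrder(
                    Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);

            // Empty set of digests specified in import parameters
            try {
                mKeyStore.setEntry(TEST_ALIAS_1,
                        new KeyStore.SecretKeyEntry(keyBeingImported),
                        TestUtils.buildUpon(goodSpec).setDigests().build());
                fail();
            } catch (KeyStoreException expected) {}

            // A different digest specified in import parameters
            String anotherDigest = "SHA-256".equalsIgnoreCase(digest) ? "SHA-384" : "SHA-256";
            try {
                mKeyStore.setEntry(TEST_ALIAS_1,
                        new KeyStore.SecretKeyEntry(keyBeingImported),
                        TestUtils.buildUpon(goodSpec).setDigests(anotherDigest).build());
                fail();
            } catch (KeyStoreException expected) {}

            // The matching digest together with a second one is expected to be rejected too
            try {
                mKeyStore.setEntry(TEST_ALIAS_1,
                        new KeyStore.SecretKeyEntry(keyBeingImported),
                        TestUtils.buildUpon(goodSpec)
                                .setDigests(digest, anotherDigest)
                                .build());
                fail();
            } catch (KeyStoreException expected) {}
        } catch (Throwable e) {
            // Name the algorithm so a failure can be attributed to one HMAC variant.
            throw new RuntimeException("Failed for " + algorithm, e);
        }
    }
}

/**
 * Tries every AES key length from 0 to 512 bits in whole bytes: lengths listed in
 * {@code KeyGeneratorTest.AES_SUPPORTED_KEY_SIZES} must import and report that size, every
 * other length must be rejected with {@link KeyStoreException} and leave no entry behind.
 */
public void testKeyStore_ImportSupportedSizes_AES() throws Exception {
    mKeyStore.load(null);

    KeyProtection params = new KeyProtection.Builder(
            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .build();
    String alias = "test1";
    mKeyStore.deleteEntry(alias);
    assertFalse(mKeyStore.containsAlias(alias));
    for (int keySizeBytes = 0; keySizeBytes <= 512 / 8; keySizeBytes++) {
        int keySizeBits = keySizeBytes * 8;
        try {
            KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
                    new TransparentSecretKey(new byte[keySizeBytes], "AES"));
            if (TestUtils.contains(KeyGeneratorTest.AES_SUPPORTED_KEY_SIZES, keySizeBits)) {
                mKeyStore.setEntry(alias, entry, params);
                SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
                assertEquals("AES", key.getAlgorithm());
                assertEquals(keySizeBits, TestUtils.getKeyInfo(key).getKeySize());
            } else {
                // Start from an empty alias so a rejected import cannot be hidden by an
                // entry left over from a previous, supported size.
                mKeyStore.deleteEntry(alias);
                assertFalse(mKeyStore.containsAlias(alias));
                try {
                    mKeyStore.setEntry(alias, entry, params);
                    fail();
                } catch (KeyStoreException expected) {}
                assertFalse(mKeyStore.containsAlias(alias));
            }
        } catch (Throwable e) {
            throw new RuntimeException("Failed for key size " + keySizeBits, e);
        }
    }
}

/**
 * Imports HMAC keys of every length from 8 to 128 bytes for each HMAC algorithm in
 * {@code KeyGeneratorTest.EXPECTED_ALGORITHMS} and checks the reported algorithm and size.
 */
public void testKeyStore_ImportSupportedSizes_HMAC() throws Exception {
    mKeyStore.load(null);

    KeyProtection params = new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build();
    String alias = "test1";
    mKeyStore.deleteEntry(alias);
    assertFalse(mKeyStore.containsAlias(alias));
    for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
        if (!TestUtils.isHmacAlgorithm(algorithm)) {
            continue;
        }
        // The loop starts at 8 bytes, so the former "key size is zero, import must fail"
        // branch could never run and has been dropped.
        // NOTE(review): keys shorter than 8 bytes are not exercised here; whether their
        // import is rejected is not covered by this test.
        for (int keySizeBytes = 8; keySizeBytes <= 1024 / 8; keySizeBytes++) {
            try {
                KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
                        new TransparentSecretKey(new byte[keySizeBytes], algorithm));
                mKeyStore.setEntry(alias, entry, params);
                SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
                assertEquals(algorithm, key.getAlgorithm());
                assertEquals(keySizeBytes * 8, TestUtils.getKeyInfo(key).getKeySize());
            } catch (Throwable e) {
                throw new RuntimeException(
                        "Failed for " + algorithm + " with key size " + (keySizeBytes * 8), e);
            }
        }
    }
}

/**
 * Checks that EC key pairs on secp224r1, secp256r1, secp384r1 and secp521r1 can be imported.
 */
public void testKeyStore_ImportSupportedSizes_EC() throws Exception {
    mKeyStore.load(null);
    KeyProtection params =
            TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withECDSA");
    checkKeyPairImportSucceeds(
            "secp224r1", R.raw.ec_key3_secp224r1_pkcs8, R.raw.ec_key3_secp224r1_cert, params);
    checkKeyPairImportSucceeds(
            "secp256r1", R.raw.ec_key4_secp256r1_pkcs8, R.raw.ec_key4_secp256r1_cert, params);
    checkKeyPairImportSucceeds(
            "secp384r1", R.raw.ec_key5_secp384r1_pkcs8, R.raw.ec_key5_secp384r1_cert, params);
    // The alias doubles as the label in failure messages, so it names the curve the
    // resources actually hold (secp521r1; the previous "secp512r1" was a transposition).
    checkKeyPairImportSucceeds(
            "secp521r1", R.raw.ec_key6_secp521r1_pkcs8, R.raw.ec_key6_secp521r1_cert, params);
}

/**
 * Checks that RSA key pairs of 512, 768, 1024, 2048, 3072 and 4096 bits can be imported.
 *
 * <p>The 512- and 768-bit cases cover import compatibility only; such sizes are far too
 * small for protecting real data.
 */
public void testKeyStore_ImportSupportedSizes_RSA() throws Exception {
    mKeyStore.load(null);
    KeyProtection params =
            TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withRSA");
    checkKeyPairImportSucceeds(
            "512", R.raw.rsa_key5_512_pkcs8, R.raw.rsa_key5_512_cert, params);
    checkKeyPairImportSucceeds(
            "768", R.raw.rsa_key6_768_pkcs8, R.raw.rsa_key6_768_cert, params);
    checkKeyPairImportSucceeds(
            "1024", R.raw.rsa_key3_1024_pkcs8, R.raw.rsa_key3_1024_cert, params);
    checkKeyPairImportSucceeds(
            "2048", R.raw.rsa_key8_2048_pkcs8, R.raw.rsa_key8_2048_cert, params);
    checkKeyPairImportSucceeds(
            "3072", R.raw.rsa_key7_3072_pksc8, R.raw.rsa_key7_3072_cert, params);
    checkKeyPairImportSucceeds(
            "4096", R.raw.rsa_key4_4096_pkcs8, R.raw.rsa_key4_4096_cert, params);
}

/**
 * Imports one key pair from raw resources under {@code alias} and removes it again.
 *
 * @param alias keystore alias to import under; also used to label a failure
 * @param privateResId raw resource id of the PKCS#8 private key
 * @param certResId raw resource id of the matching certificate
 * @param params protection parameters passed to the import
 * @throws RuntimeException wrapping whatever the deletion or the import threw
 */
private void checkKeyPairImportSucceeds(
        String alias, int privateResId, int certResId, KeyProtection params) throws Exception {
    try {
        mKeyStore.deleteEntry(alias);
        TestUtils.importIntoAndroidKeyStore(
                alias, getContext(), privateResId, certResId, params);
    } catch (Throwable e) {
        throw new RuntimeException("Failed for " + alias, e);
    } finally {
        // Best-effort cleanup: a failure here must not replace the import result.
        try {
            mKeyStore.deleteEntry(alias);
        } catch (Exception ignored) {}
    }
}
}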