Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 1c15423de7156bf1f133d339939cccec0e98ad03 / . / security / keymint / aidl / vts / functional / KeyMintAidlTestBase.cpp
blob: 93a216f27e2ef2ee525cd32a215ae8fe9ebc69a0 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "KeyMintAidlTestBase.h"
18
19#include <chrono>
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]20#include <unordered_set>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]21#include <vector>
22
23#include <android-base/logging.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]24#include <android/binder_manager.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]25
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]26#include <keymint_support/key_param_output.h>
27#include <keymint_support/keymint_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]28
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]29namespace aidl::android::hardware::security::keymint {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]30
31using namespace std::literals::chrono_literals;
32using std::endl;
33using std::optional;
34
35::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
36 if (set.size() == 0)
37 os << "(Empty)" << ::std::endl;
38 else {
39 os << "\n";
40 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl;
41 }
42 return os;
43}
44
45namespace test {
46
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]47namespace {
48
49// Predicate for testing basic characteristics validity in generation or import.
50bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,
51 const vector<KeyCharacteristics>& key_characteristics) {
52 if (key_characteristics.empty()) return false;
53
54 std::unordered_set<SecurityLevel> levels_seen;
55 for (auto& entry : key_characteristics) {
56 if (entry.authorizations.empty()) return false;
57
58 if (levels_seen.find(entry.securityLevel) != levels_seen.end()) return false;
59 levels_seen.insert(entry.securityLevel);
60
61 // Generally, we should only have one entry, at the same security level as the KM
62 // instance. There is an exception: StrongBox KM can have some authorizations that are
63 // enforced by the TEE.
64 bool isExpectedSecurityLevel = secLevel == entry.securityLevel ||
65 (secLevel == SecurityLevel::STRONGBOX &&
66 entry.securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT);
67
68 if (!isExpectedSecurityLevel) return false;
69 }
70 return true;
71}
72
73} // namespace
74
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]75ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]76 if (result.isOk()) return ErrorCode::OK;
77
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]78 if (result.getExceptionCode() == EX_SERVICE_SPECIFIC) {
79 return static_cast<ErrorCode>(result.getServiceSpecificError());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]80 }
81
82 return ErrorCode::UNKNOWN_ERROR;
83}
84
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]85void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyMint) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]86 ASSERT_NE(keyMint, nullptr);
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]87 keymint_ = std::move(keyMint);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]88
89 KeyMintHardwareInfo info;
90 ASSERT_TRUE(keymint_->getHardwareInfo(&info).isOk());
91
92 securityLevel_ = info.securityLevel;
93 name_.assign(info.keyMintName.begin(), info.keyMintName.end());
94 author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
95
96 os_version_ = getOsVersion();
97 os_patch_level_ = getOsPatchlevel();
98}
99
100void KeyMintAidlTestBase::SetUp() {
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]101 if (AServiceManager_isDeclared(GetParam().c_str())) {
102 ::ndk::SpAIBinder binder(AServiceManager_waitForService(GetParam().c_str()));
103 InitializeKeyMint(IKeyMintDevice::fromBinder(binder));
104 } else {
105 InitializeKeyMint(nullptr);
106 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]107}
108
109ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]110 vector<uint8_t>* key_blob,
111 vector<KeyCharacteristics>* key_characteristics) {
112 EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug";
113 EXPECT_NE(key_characteristics, nullptr)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]114 << "Previous characteristics not deleted before generating key. Test bug.";
115
116 // Aidl does not clear these output parameters if the function returns
117 // error. This is different from hal where output parameter is always
118 // cleared due to hal returning void. So now we need to do our own clearing
119 // of the output variables prior to calling keyMint aidl libraries.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]120 key_blob->clear();
121 key_characteristics->clear();
122 cert_chain_.clear();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]123
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]124 KeyCreationResult creationResult;
125 Status result = keymint_->generateKey(key_desc.vector_data(), &creationResult);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]126
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]127 if (result.isOk()) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]128 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
129 creationResult.keyCharacteristics);
130 EXPECT_GT(creationResult.keyBlob.size(), 0);
131 *key_blob = std::move(creationResult.keyBlob);
132 *key_characteristics = std::move(creationResult.keyCharacteristics);
133 cert_chain_ = std::move(creationResult.certificateChain);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]134 }
135
136 return GetReturnErrorCode(result);
137}
138
139ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
140 return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
141}
142
143ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
144 const string& key_material, vector<uint8_t>* key_blob,
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]145 vector<KeyCharacteristics>* key_characteristics) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]146 Status result;
147
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]148 cert_chain_.clear();
149 key_characteristics->clear();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]150 key_blob->clear();
151
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]152 KeyCreationResult creationResult;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]153 result = keymint_->importKey(key_desc.vector_data(), format,
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]154 vector<uint8_t>(key_material.begin(), key_material.end()),
155 &creationResult);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]156
157 if (result.isOk()) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]158 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
159 creationResult.keyCharacteristics);
160 EXPECT_GT(creationResult.keyBlob.size(), 0);
161
162 *key_blob = std::move(creationResult.keyBlob);
163 *key_characteristics = std::move(creationResult.keyCharacteristics);
164 cert_chain_ = std::move(creationResult.certificateChain);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]165 }
166
167 return GetReturnErrorCode(result);
168}
169
170ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
171 const string& key_material) {
172 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
173}
174
175ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
176 const AuthorizationSet& wrapping_key_desc,
177 string masking_key,
178 const AuthorizationSet& unwrapping_params) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]179 EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
180
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]181 key_characteristics_.clear();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]182
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]183 KeyCreationResult creationResult;
184 Status result = keymint_->importWrappedKey(
185 vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
186 vector<uint8_t>(masking_key.begin(), masking_key.end()),
187 unwrapping_params.vector_data(), 0 /* passwordSid */, 0 /* biometricSid */,
188 &creationResult);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]189
190 if (result.isOk()) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]191 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
192 creationResult.keyCharacteristics);
193 EXPECT_GT(creationResult.keyBlob.size(), 0);
194
195 key_blob_ = std::move(creationResult.keyBlob);
196 key_characteristics_ = std::move(creationResult.keyCharacteristics);
197 cert_chain_ = std::move(creationResult.certificateChain);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]198 }
199
200 return GetReturnErrorCode(result);
201}
202
203ErrorCode KeyMintAidlTestBase::DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
204 Status result = keymint_->deleteKey(*key_blob);
205 if (!keep_key_blob) {
206 *key_blob = vector<uint8_t>();
207 }
208
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]209 EXPECT_TRUE(result.isOk()) << result.getServiceSpecificError() << endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]210 return GetReturnErrorCode(result);
211}
212
213ErrorCode KeyMintAidlTestBase::DeleteKey(bool keep_key_blob) {
214 return DeleteKey(&key_blob_, keep_key_blob);
215}
216
217ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
218 Status result = keymint_->deleteAllKeys();
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]219 EXPECT_TRUE(result.isOk()) << result.getServiceSpecificError() << endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]220 return GetReturnErrorCode(result);
221}
222
223void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
224 ErrorCode result = DeleteKey(key_blob, keep_key_blob);
225 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED) << result << endl;
226}
227
228void KeyMintAidlTestBase::CheckedDeleteKey() {
229 CheckedDeleteKey(&key_blob_);
230}
231
232ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
233 const AuthorizationSet& in_params,
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]234 AuthorizationSet* out_params,
235 std::shared_ptr<IKeyMintOperation>& op) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]236 SCOPED_TRACE("Begin");
237 Status result;
238 BeginResult out;
239 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
240
241 if (result.isOk()) {
242 *out_params = out.params;
243 challenge_ = out.challenge;
244 op = out.operation;
245 }
246
247 return GetReturnErrorCode(result);
248}
249
250ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
251 const AuthorizationSet& in_params,
252 AuthorizationSet* out_params) {
253 SCOPED_TRACE("Begin");
254 Status result;
255 BeginResult out;
256
257 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
258
259 if (result.isOk()) {
260 *out_params = out.params;
261 challenge_ = out.challenge;
262 op_ = out.operation;
263 }
264
265 return GetReturnErrorCode(result);
266}
267
268ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
269 AuthorizationSet* out_params) {
270 SCOPED_TRACE("Begin");
271 EXPECT_EQ(nullptr, op_);
272 return Begin(purpose, key_blob_, in_params, out_params);
273}
274
275ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
276 SCOPED_TRACE("Begin");
277 AuthorizationSet out_params;
278 ErrorCode result = Begin(purpose, in_params, &out_params);
279 EXPECT_TRUE(out_params.empty());
280 return result;
281}
282
283ErrorCode KeyMintAidlTestBase::Update(const AuthorizationSet& in_params, const string& input,
284 AuthorizationSet* out_params, string* output,
285 int32_t* input_consumed) {
286 SCOPED_TRACE("Update");
287
288 Status result;
289 EXPECT_NE(op_, nullptr);
290 if (!op_) {
291 return ErrorCode::UNEXPECTED_NULL_POINTER;
292 }
293
294 KeyParameterArray key_params;
295 key_params.params = in_params.vector_data();
296
297 KeyParameterArray in_keyParams;
298 in_keyParams.params = in_params.vector_data();
299
300 optional<KeyParameterArray> out_keyParams;
301 optional<ByteArray> o_put;
302 result = op_->update(in_keyParams, vector<uint8_t>(input.begin(), input.end()), {}, {},
303 &out_keyParams, &o_put, input_consumed);
304
305 if (result.isOk()) {
306 if (o_put) {
307 output->append(o_put->data.begin(), o_put->data.end());
308 }
309
310 if (out_keyParams) {
311 out_params->push_back(AuthorizationSet(out_keyParams->params));
312 }
313 }
314
315 return GetReturnErrorCode(result);
316}
317
318ErrorCode KeyMintAidlTestBase::Update(const string& input, string* out, int32_t* input_consumed) {
319 SCOPED_TRACE("Update");
320 AuthorizationSet out_params;
321 ErrorCode result =
322 Update(AuthorizationSet() /* in_params */, input, &out_params, out, input_consumed);
323 EXPECT_TRUE(out_params.empty());
324 return result;
325}
326
327ErrorCode KeyMintAidlTestBase::Finish(const AuthorizationSet& in_params, const string& input,
328 const string& signature, AuthorizationSet* out_params,
329 string* output) {
330 SCOPED_TRACE("Finish");
331 Status result;
332
333 EXPECT_NE(op_, nullptr);
334 if (!op_) {
335 return ErrorCode::UNEXPECTED_NULL_POINTER;
336 }
337
338 KeyParameterArray key_params;
339 key_params.params = in_params.vector_data();
340
341 KeyParameterArray in_keyParams;
342 in_keyParams.params = in_params.vector_data();
343
344 optional<KeyParameterArray> out_keyParams;
345 optional<vector<uint8_t>> o_put;
346
347 vector<uint8_t> oPut;
348 result = op_->finish(in_keyParams, vector<uint8_t>(input.begin(), input.end()),
349 vector<uint8_t>(signature.begin(), signature.end()), {}, {},
350 &out_keyParams, &oPut);
351
352 if (result.isOk()) {
353 if (out_keyParams) {
354 out_params->push_back(AuthorizationSet(out_keyParams->params));
355 }
356
357 output->append(oPut.begin(), oPut.end());
358 }
359
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]360 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]361 return GetReturnErrorCode(result);
362}
363
364ErrorCode KeyMintAidlTestBase::Finish(const string& message, string* output) {
365 SCOPED_TRACE("Finish");
366 AuthorizationSet out_params;
367 string finish_output;
368 ErrorCode result = Finish(AuthorizationSet() /* in_params */, message, "" /* signature */,
369 &out_params, output);
370 if (result != ErrorCode::OK) {
371 return result;
372 }
373 EXPECT_EQ(0U, out_params.size());
374 return result;
375}
376
377ErrorCode KeyMintAidlTestBase::Finish(const string& message, const string& signature,
378 string* output) {
379 SCOPED_TRACE("Finish");
380 AuthorizationSet out_params;
381 ErrorCode result =
382 Finish(AuthorizationSet() /* in_params */, message, signature, &out_params, output);
383
384 if (result != ErrorCode::OK) {
385 return result;
386 }
387
388 EXPECT_EQ(0U, out_params.size());
389 return result;
390}
391
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]392ErrorCode KeyMintAidlTestBase::Abort(const std::shared_ptr<IKeyMintOperation>& op) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]393 SCOPED_TRACE("Abort");
394
395 EXPECT_NE(op, nullptr);
396 if (!op) {
397 return ErrorCode::UNEXPECTED_NULL_POINTER;
398 }
399
400 Status retval = op->abort();
401 EXPECT_TRUE(retval.isOk());
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]402 return static_cast<ErrorCode>(retval.getServiceSpecificError());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]403}
404
405ErrorCode KeyMintAidlTestBase::Abort() {
406 SCOPED_TRACE("Abort");
407
408 EXPECT_NE(op_, nullptr);
409 if (!op_) {
410 return ErrorCode::UNEXPECTED_NULL_POINTER;
411 }
412
413 Status retval = op_->abort();
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]414 return static_cast<ErrorCode>(retval.getServiceSpecificError());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]415}
416
417void KeyMintAidlTestBase::AbortIfNeeded() {
418 SCOPED_TRACE("AbortIfNeeded");
419 if (op_) {
420 EXPECT_EQ(ErrorCode::OK, Abort());
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]421 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]422 }
423}
424
425string KeyMintAidlTestBase::ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
426 const string& message, const AuthorizationSet& in_params,
427 AuthorizationSet* out_params) {
428 SCOPED_TRACE("ProcessMessage");
429 AuthorizationSet begin_out_params;
430 ErrorCode result = Begin(operation, key_blob, in_params, &begin_out_params);
431 EXPECT_EQ(ErrorCode::OK, result);
432 if (result != ErrorCode::OK) {
433 return "";
434 }
435
436 string output;
437 int32_t consumed = 0;
438 AuthorizationSet update_params;
439 AuthorizationSet update_out_params;
440 result = Update(update_params, message, &update_out_params, &output, &consumed);
441 EXPECT_EQ(ErrorCode::OK, result);
442 if (result != ErrorCode::OK) {
443 return "";
444 }
445
446 string unused;
447 AuthorizationSet finish_params;
448 AuthorizationSet finish_out_params;
449 EXPECT_EQ(ErrorCode::OK,
450 Finish(finish_params, message.substr(consumed), unused, &finish_out_params, &output));
451
452 out_params->push_back(begin_out_params);
453 out_params->push_back(finish_out_params);
454 return output;
455}
456
457string KeyMintAidlTestBase::SignMessage(const vector<uint8_t>& key_blob, const string& message,
458 const AuthorizationSet& params) {
459 SCOPED_TRACE("SignMessage");
460 AuthorizationSet out_params;
461 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
462 EXPECT_TRUE(out_params.empty());
463 return signature;
464}
465
466string KeyMintAidlTestBase::SignMessage(const string& message, const AuthorizationSet& params) {
467 SCOPED_TRACE("SignMessage");
468 return SignMessage(key_blob_, message, params);
469}
470
471string KeyMintAidlTestBase::MacMessage(const string& message, Digest digest, size_t mac_length) {
472 SCOPED_TRACE("MacMessage");
473 return SignMessage(
474 key_blob_, message,
475 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
476}
477
478void KeyMintAidlTestBase::CheckHmacTestVector(const string& key, const string& message,
479 Digest digest, const string& expected_mac) {
480 SCOPED_TRACE("CheckHmacTestVector");
481 ASSERT_EQ(ErrorCode::OK,
482 ImportKey(AuthorizationSetBuilder()
483 .Authorization(TAG_NO_AUTH_REQUIRED)
484 .HmacKey(key.size() * 8)
485 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
486 .Digest(digest),
487 KeyFormat::RAW, key));
488 string signature = MacMessage(message, digest, expected_mac.size() * 8);
489 EXPECT_EQ(expected_mac, signature)
490 << "Test vector didn't match for key of size " << key.size() << " message of size "
491 << message.size() << " and digest " << digest;
492 CheckedDeleteKey();
493}
494
495void KeyMintAidlTestBase::CheckAesCtrTestVector(const string& key, const string& nonce,
496 const string& message,
497 const string& expected_ciphertext) {
498 SCOPED_TRACE("CheckAesCtrTestVector");
499 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
500 .Authorization(TAG_NO_AUTH_REQUIRED)
501 .AesEncryptionKey(key.size() * 8)
502 .BlockMode(BlockMode::CTR)
503 .Authorization(TAG_CALLER_NONCE)
504 .Padding(PaddingMode::NONE),
505 KeyFormat::RAW, key));
506
507 auto params = AuthorizationSetBuilder()
508 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
509 .BlockMode(BlockMode::CTR)
510 .Padding(PaddingMode::NONE);
511 AuthorizationSet out_params;
512 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
513 EXPECT_EQ(expected_ciphertext, ciphertext);
514}
515
516void KeyMintAidlTestBase::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
517 PaddingMode padding_mode, const string& key,
518 const string& iv, const string& input,
519 const string& expected_output) {
520 auto authset = AuthorizationSetBuilder()
521 .TripleDesEncryptionKey(key.size() * 7)
522 .BlockMode(block_mode)
523 .Authorization(TAG_NO_AUTH_REQUIRED)
524 .Padding(padding_mode);
525 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
526 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
527 ASSERT_GT(key_blob_.size(), 0U);
528
529 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
530 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
531 AuthorizationSet output_params;
532 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
533 EXPECT_EQ(expected_output, output);
534}
535
536void KeyMintAidlTestBase::VerifyMessage(const vector<uint8_t>& key_blob, const string& message,
537 const string& signature, const AuthorizationSet& params) {
538 SCOPED_TRACE("VerifyMessage");
539 AuthorizationSet begin_out_params;
540 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params));
541
542 string output;
543 AuthorizationSet update_params;
544 AuthorizationSet update_out_params;
545 int32_t consumed;
546 ASSERT_EQ(ErrorCode::OK,
547 Update(update_params, message, &update_out_params, &output, &consumed));
548 EXPECT_TRUE(output.empty());
549 EXPECT_GT(consumed, 0U);
550
551 string unused;
552 AuthorizationSet finish_params;
553 AuthorizationSet finish_out_params;
554 EXPECT_EQ(ErrorCode::OK, Finish(finish_params, message.substr(consumed), signature,
555 &finish_out_params, &output));
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]556 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]557 EXPECT_TRUE(output.empty());
558}
559
560void KeyMintAidlTestBase::VerifyMessage(const string& message, const string& signature,
561 const AuthorizationSet& params) {
562 SCOPED_TRACE("VerifyMessage");
563 VerifyMessage(key_blob_, message, signature, params);
564}
565
566string KeyMintAidlTestBase::EncryptMessage(const vector<uint8_t>& key_blob, const string& message,
567 const AuthorizationSet& in_params,
568 AuthorizationSet* out_params) {
569 SCOPED_TRACE("EncryptMessage");
570 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
571}
572
573string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params,
574 AuthorizationSet* out_params) {
575 SCOPED_TRACE("EncryptMessage");
576 return EncryptMessage(key_blob_, message, params, out_params);
577}
578
579string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params) {
580 SCOPED_TRACE("EncryptMessage");
581 AuthorizationSet out_params;
582 string ciphertext = EncryptMessage(message, params, &out_params);
583 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
584 return ciphertext;
585}
586
587string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
588 PaddingMode padding) {
589 SCOPED_TRACE("EncryptMessage");
590 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
591 AuthorizationSet out_params;
592 string ciphertext = EncryptMessage(message, params, &out_params);
593 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
594 return ciphertext;
595}
596
597string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
598 PaddingMode padding, vector<uint8_t>* iv_out) {
599 SCOPED_TRACE("EncryptMessage");
600 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
601 AuthorizationSet out_params;
602 string ciphertext = EncryptMessage(message, params, &out_params);
603 EXPECT_EQ(1U, out_params.size());
604 auto ivVal = out_params.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]605 EXPECT_TRUE(ivVal);
606 if (ivVal) *iv_out = *ivVal;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]607 return ciphertext;
608}
609
610string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
611 PaddingMode padding, const vector<uint8_t>& iv_in) {
612 SCOPED_TRACE("EncryptMessage");
613 auto params = AuthorizationSetBuilder()
614 .BlockMode(block_mode)
615 .Padding(padding)
616 .Authorization(TAG_NONCE, iv_in);
617 AuthorizationSet out_params;
618 string ciphertext = EncryptMessage(message, params, &out_params);
619 return ciphertext;
620}
621
622string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
623 PaddingMode padding, uint8_t mac_length_bits,
624 const vector<uint8_t>& iv_in) {
625 SCOPED_TRACE("EncryptMessage");
626 auto params = AuthorizationSetBuilder()
627 .BlockMode(block_mode)
628 .Padding(padding)
629 .Authorization(TAG_MAC_LENGTH, mac_length_bits)
630 .Authorization(TAG_NONCE, iv_in);
631 AuthorizationSet out_params;
632 string ciphertext = EncryptMessage(message, params, &out_params);
633 return ciphertext;
634}
635
636string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
637 const string& ciphertext,
638 const AuthorizationSet& params) {
639 SCOPED_TRACE("DecryptMessage");
640 AuthorizationSet out_params;
641 string plaintext =
642 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
643 EXPECT_TRUE(out_params.empty());
644 return plaintext;
645}
646
647string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext,
648 const AuthorizationSet& params) {
649 SCOPED_TRACE("DecryptMessage");
650 return DecryptMessage(key_blob_, ciphertext, params);
651}
652
653string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext, BlockMode block_mode,
654 PaddingMode padding_mode, const vector<uint8_t>& iv) {
655 SCOPED_TRACE("DecryptMessage");
656 auto params = AuthorizationSetBuilder()
657 .BlockMode(block_mode)
658 .Padding(padding_mode)
659 .Authorization(TAG_NONCE, iv);
660 return DecryptMessage(key_blob_, ciphertext, params);
661}
662
663std::pair<ErrorCode, vector<uint8_t>> KeyMintAidlTestBase::UpgradeKey(
664 const vector<uint8_t>& key_blob) {
665 std::pair<ErrorCode, vector<uint8_t>> retval;
666 vector<uint8_t> outKeyBlob;
667 Status result = keymint_->upgradeKey(key_blob, vector<KeyParameter>(), &outKeyBlob);
668 ErrorCode errorcode = GetReturnErrorCode(result);
669 retval = std::tie(errorcode, outKeyBlob);
670
671 return retval;
672}
673vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
674 switch (algorithm) {
675 case Algorithm::RSA:
676 switch (SecLevel()) {
677 case SecurityLevel::SOFTWARE:
678 case SecurityLevel::TRUSTED_ENVIRONMENT:
679 return {2048, 3072, 4096};
680 case SecurityLevel::STRONGBOX:
681 return {2048};
682 default:
683 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
684 break;
685 }
686 break;
687 case Algorithm::EC:
688 switch (SecLevel()) {
689 case SecurityLevel::SOFTWARE:
690 case SecurityLevel::TRUSTED_ENVIRONMENT:
691 return {224, 256, 384, 521};
692 case SecurityLevel::STRONGBOX:
693 return {256};
694 default:
695 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
696 break;
697 }
698 break;
699 case Algorithm::AES:
700 return {128, 256};
701 case Algorithm::TRIPLE_DES:
702 return {168};
703 case Algorithm::HMAC: {
704 vector<uint32_t> retval((512 - 64) / 8 + 1);
705 uint32_t size = 64 - 8;
706 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
707 return retval;
708 }
709 default:
710 ADD_FAILURE() << "Invalid Algorithm: " << algorithm;
711 return {};
712 }
713 ADD_FAILURE() << "Should be impossible to get here";
714 return {};
715}
716
717vector<uint32_t> KeyMintAidlTestBase::InvalidKeySizes(Algorithm algorithm) {
718 if (SecLevel() == SecurityLevel::STRONGBOX) {
719 switch (algorithm) {
720 case Algorithm::RSA:
721 return {3072, 4096};
722 case Algorithm::EC:
723 return {224, 384, 521};
724 case Algorithm::AES:
725 return {192};
726 default:
727 return {};
728 }
729 }
730 return {};
731}
732
733vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {
734 if (securityLevel_ == SecurityLevel::STRONGBOX) {
735 return {EcCurve::P_256};
736 } else {
737 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
738 }
739}
740
741vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
742 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
743 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
744 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
745}
746
747vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
748 switch (SecLevel()) {
749 case SecurityLevel::SOFTWARE:
750 case SecurityLevel::TRUSTED_ENVIRONMENT:
751 if (withNone) {
752 if (withMD5)
753 return {Digest::NONE, Digest::MD5, Digest::SHA1,
754 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
755 Digest::SHA_2_512};
756 else
757 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
758 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
759 } else {
760 if (withMD5)
761 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
762 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
763 else
764 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
765 Digest::SHA_2_512};
766 }
767 break;
768 case SecurityLevel::STRONGBOX:
769 if (withNone)
770 return {Digest::NONE, Digest::SHA_2_256};
771 else
772 return {Digest::SHA_2_256};
773 break;
774 default:
775 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
776 break;
777 }
778 ADD_FAILURE() << "Should be impossible to get here";
779 return {};
780}
781
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]782static const vector<KeyParameter> kEmptyAuthList{};
783
784const vector<KeyParameter>& KeyMintAidlTestBase::SecLevelAuthorizations(
785 const vector<KeyCharacteristics>& key_characteristics) {
786 auto found = std::find_if(key_characteristics.begin(), key_characteristics.end(),
787 [this](auto& entry) { return entry.securityLevel == SecLevel(); });
788 return (found == key_characteristics.end()) ? kEmptyAuthList : found->authorizations;
789}
790
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]791} // namespace test
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]792
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]793} // namespace aidl::android::hardware::security::keymint