Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 276369a3df24748deff21e5414b34ef6eb12b8a8 / . / security / keymint / aidl / vts / functional / KeyMintAidlTestBase.cpp
blob: ea3a3295738ae2636b81e149eb2624b3bebee352 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "KeyMintAidlTestBase.h"
18
19#include <chrono>
20#include <vector>
21
22#include <android-base/logging.h>
23
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]24#include <keymint_support/key_param_output.h>
25#include <keymint_support/keymint_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]26
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]27namespace android::hardware::security::keymint {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]28
29using namespace std::literals::chrono_literals;
30using std::endl;
31using std::optional;
32
33::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
34 if (set.size() == 0)
35 os << "(Empty)" << ::std::endl;
36 else {
37 os << "\n";
38 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl;
39 }
40 return os;
41}
42
43namespace test {
44
45ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(Status result) {
46 if (result.isOk()) return ErrorCode::OK;
47
48 if (result.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
49 return static_cast<ErrorCode>(result.serviceSpecificErrorCode());
50 }
51
52 return ErrorCode::UNKNOWN_ERROR;
53}
54
55void KeyMintAidlTestBase::InitializeKeyMint(sp<IKeyMintDevice> keyMint) {
56 ASSERT_NE(keyMint, nullptr);
57 keymint_ = keyMint;
58
59 KeyMintHardwareInfo info;
60 ASSERT_TRUE(keymint_->getHardwareInfo(&info).isOk());
61
62 securityLevel_ = info.securityLevel;
63 name_.assign(info.keyMintName.begin(), info.keyMintName.end());
64 author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
65
66 os_version_ = getOsVersion();
67 os_patch_level_ = getOsPatchlevel();
68}
69
70void KeyMintAidlTestBase::SetUp() {
71 InitializeKeyMint(
72 android::waitForDeclaredService<IKeyMintDevice>(String16(GetParam().c_str())));
73}
74
75ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
76 vector<uint8_t>* keyBlob, KeyCharacteristics* keyChar) {
77 EXPECT_NE(keyBlob, nullptr) << "Key blob pointer must not be null. Test bug";
78 EXPECT_NE(keyChar, nullptr)
79 << "Previous characteristics not deleted before generating key. Test bug.";
80
81 // Aidl does not clear these output parameters if the function returns
82 // error. This is different from hal where output parameter is always
83 // cleared due to hal returning void. So now we need to do our own clearing
84 // of the output variables prior to calling keyMint aidl libraries.
85 keyBlob->clear();
86 keyChar->softwareEnforced.clear();
87 keyChar->hardwareEnforced.clear();
88 certChain_.clear();
89
90 Status result;
91 ByteArray blob;
92
93 result = keymint_->generateKey(key_desc.vector_data(), &blob, keyChar, &certChain_);
94
95 // On result, blob & characteristics should be empty.
96 if (result.isOk()) {
97 if (SecLevel() != SecurityLevel::SOFTWARE) {
98 EXPECT_GT(keyChar->hardwareEnforced.size(), 0);
99 }
100 EXPECT_GT(keyChar->softwareEnforced.size(), 0);
101 // TODO(seleneh) in a later version where we return @nullable
102 // single Certificate, check non-null single certificate is always
103 // non-empty.
104 *keyBlob = blob.data;
105 }
106
107 return GetReturnErrorCode(result);
108}
109
110ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
111 return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
112}
113
114ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
115 const string& key_material, vector<uint8_t>* key_blob,
116 KeyCharacteristics* key_characteristics) {
117 Status result;
118
119 certChain_.clear();
120 key_characteristics->softwareEnforced.clear();
121 key_characteristics->hardwareEnforced.clear();
122 key_blob->clear();
123
124 ByteArray blob;
125 result = keymint_->importKey(key_desc.vector_data(), format,
126 vector<uint8_t>(key_material.begin(), key_material.end()), &blob,
127 key_characteristics, &certChain_);
128
129 if (result.isOk()) {
130 if (SecLevel() != SecurityLevel::SOFTWARE) {
131 EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0);
132 }
133 EXPECT_GT(key_characteristics->softwareEnforced.size(), 0);
134 *key_blob = blob.data;
135 }
136
137 return GetReturnErrorCode(result);
138}
139
140ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
141 const string& key_material) {
142 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
143}
144
145ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
146 const AuthorizationSet& wrapping_key_desc,
147 string masking_key,
148 const AuthorizationSet& unwrapping_params) {
149 Status result;
150 EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
151
152 ByteArray outBlob;
153 key_characteristics_.softwareEnforced.clear();
154 key_characteristics_.hardwareEnforced.clear();
155
156 result = keymint_->importWrappedKey(vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()),
157 key_blob_,
158 vector<uint8_t>(masking_key.begin(), masking_key.end()),
159 unwrapping_params.vector_data(), 0 /* passwordSid */,
160 0 /* biometricSid */, &outBlob, &key_characteristics_);
161
162 if (result.isOk()) {
163 key_blob_ = outBlob.data;
164 if (SecLevel() != SecurityLevel::SOFTWARE) {
165 EXPECT_GT(key_characteristics_.hardwareEnforced.size(), 0);
166 }
167 EXPECT_GT(key_characteristics_.softwareEnforced.size(), 0);
168 }
169
170 return GetReturnErrorCode(result);
171}
172
173ErrorCode KeyMintAidlTestBase::DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
174 Status result = keymint_->deleteKey(*key_blob);
175 if (!keep_key_blob) {
176 *key_blob = vector<uint8_t>();
177 }
178
179 EXPECT_TRUE(result.isOk()) << result.serviceSpecificErrorCode() << endl;
180 return GetReturnErrorCode(result);
181}
182
183ErrorCode KeyMintAidlTestBase::DeleteKey(bool keep_key_blob) {
184 return DeleteKey(&key_blob_, keep_key_blob);
185}
186
187ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
188 Status result = keymint_->deleteAllKeys();
189 EXPECT_TRUE(result.isOk()) << result.serviceSpecificErrorCode() << endl;
190 return GetReturnErrorCode(result);
191}
192
193void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
194 ErrorCode result = DeleteKey(key_blob, keep_key_blob);
195 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED) << result << endl;
196}
197
198void KeyMintAidlTestBase::CheckedDeleteKey() {
199 CheckedDeleteKey(&key_blob_);
200}
201
202ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
203 const AuthorizationSet& in_params,
204 AuthorizationSet* out_params, sp<IKeyMintOperation>& op) {
205 SCOPED_TRACE("Begin");
206 Status result;
207 BeginResult out;
208 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
209
210 if (result.isOk()) {
211 *out_params = out.params;
212 challenge_ = out.challenge;
213 op = out.operation;
214 }
215
216 return GetReturnErrorCode(result);
217}
218
219ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
220 const AuthorizationSet& in_params,
221 AuthorizationSet* out_params) {
222 SCOPED_TRACE("Begin");
223 Status result;
224 BeginResult out;
225
226 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
227
228 if (result.isOk()) {
229 *out_params = out.params;
230 challenge_ = out.challenge;
231 op_ = out.operation;
232 }
233
234 return GetReturnErrorCode(result);
235}
236
237ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
238 AuthorizationSet* out_params) {
239 SCOPED_TRACE("Begin");
240 EXPECT_EQ(nullptr, op_);
241 return Begin(purpose, key_blob_, in_params, out_params);
242}
243
244ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
245 SCOPED_TRACE("Begin");
246 AuthorizationSet out_params;
247 ErrorCode result = Begin(purpose, in_params, &out_params);
248 EXPECT_TRUE(out_params.empty());
249 return result;
250}
251
252ErrorCode KeyMintAidlTestBase::Update(const AuthorizationSet& in_params, const string& input,
253 AuthorizationSet* out_params, string* output,
254 int32_t* input_consumed) {
255 SCOPED_TRACE("Update");
256
257 Status result;
258 EXPECT_NE(op_, nullptr);
259 if (!op_) {
260 return ErrorCode::UNEXPECTED_NULL_POINTER;
261 }
262
263 KeyParameterArray key_params;
264 key_params.params = in_params.vector_data();
265
266 KeyParameterArray in_keyParams;
267 in_keyParams.params = in_params.vector_data();
268
269 optional<KeyParameterArray> out_keyParams;
270 optional<ByteArray> o_put;
271 result = op_->update(in_keyParams, vector<uint8_t>(input.begin(), input.end()), {}, {},
272 &out_keyParams, &o_put, input_consumed);
273
274 if (result.isOk()) {
275 if (o_put) {
276 output->append(o_put->data.begin(), o_put->data.end());
277 }
278
279 if (out_keyParams) {
280 out_params->push_back(AuthorizationSet(out_keyParams->params));
281 }
282 }
283
284 return GetReturnErrorCode(result);
285}
286
287ErrorCode KeyMintAidlTestBase::Update(const string& input, string* out, int32_t* input_consumed) {
288 SCOPED_TRACE("Update");
289 AuthorizationSet out_params;
290 ErrorCode result =
291 Update(AuthorizationSet() /* in_params */, input, &out_params, out, input_consumed);
292 EXPECT_TRUE(out_params.empty());
293 return result;
294}
295
296ErrorCode KeyMintAidlTestBase::Finish(const AuthorizationSet& in_params, const string& input,
297 const string& signature, AuthorizationSet* out_params,
298 string* output) {
299 SCOPED_TRACE("Finish");
300 Status result;
301
302 EXPECT_NE(op_, nullptr);
303 if (!op_) {
304 return ErrorCode::UNEXPECTED_NULL_POINTER;
305 }
306
307 KeyParameterArray key_params;
308 key_params.params = in_params.vector_data();
309
310 KeyParameterArray in_keyParams;
311 in_keyParams.params = in_params.vector_data();
312
313 optional<KeyParameterArray> out_keyParams;
314 optional<vector<uint8_t>> o_put;
315
316 vector<uint8_t> oPut;
317 result = op_->finish(in_keyParams, vector<uint8_t>(input.begin(), input.end()),
318 vector<uint8_t>(signature.begin(), signature.end()), {}, {},
319 &out_keyParams, &oPut);
320
321 if (result.isOk()) {
322 if (out_keyParams) {
323 out_params->push_back(AuthorizationSet(out_keyParams->params));
324 }
325
326 output->append(oPut.begin(), oPut.end());
327 }
328
329 op_.clear(); // So dtor doesn't Abort().
330 return GetReturnErrorCode(result);
331}
332
333ErrorCode KeyMintAidlTestBase::Finish(const string& message, string* output) {
334 SCOPED_TRACE("Finish");
335 AuthorizationSet out_params;
336 string finish_output;
337 ErrorCode result = Finish(AuthorizationSet() /* in_params */, message, "" /* signature */,
338 &out_params, output);
339 if (result != ErrorCode::OK) {
340 return result;
341 }
342 EXPECT_EQ(0U, out_params.size());
343 return result;
344}
345
346ErrorCode KeyMintAidlTestBase::Finish(const string& message, const string& signature,
347 string* output) {
348 SCOPED_TRACE("Finish");
349 AuthorizationSet out_params;
350 ErrorCode result =
351 Finish(AuthorizationSet() /* in_params */, message, signature, &out_params, output);
352
353 if (result != ErrorCode::OK) {
354 return result;
355 }
356
357 EXPECT_EQ(0U, out_params.size());
358 return result;
359}
360
361ErrorCode KeyMintAidlTestBase::Abort(const sp<IKeyMintOperation>& op) {
362 SCOPED_TRACE("Abort");
363
364 EXPECT_NE(op, nullptr);
365 if (!op) {
366 return ErrorCode::UNEXPECTED_NULL_POINTER;
367 }
368
369 Status retval = op->abort();
370 EXPECT_TRUE(retval.isOk());
371 return static_cast<ErrorCode>(retval.serviceSpecificErrorCode());
372}
373
374ErrorCode KeyMintAidlTestBase::Abort() {
375 SCOPED_TRACE("Abort");
376
377 EXPECT_NE(op_, nullptr);
378 if (!op_) {
379 return ErrorCode::UNEXPECTED_NULL_POINTER;
380 }
381
382 Status retval = op_->abort();
383 return static_cast<ErrorCode>(retval.serviceSpecificErrorCode());
384}
385
386void KeyMintAidlTestBase::AbortIfNeeded() {
387 SCOPED_TRACE("AbortIfNeeded");
388 if (op_) {
389 EXPECT_EQ(ErrorCode::OK, Abort());
390 op_.clear();
391 }
392}
393
394string KeyMintAidlTestBase::ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
395 const string& message, const AuthorizationSet& in_params,
396 AuthorizationSet* out_params) {
397 SCOPED_TRACE("ProcessMessage");
398 AuthorizationSet begin_out_params;
399 ErrorCode result = Begin(operation, key_blob, in_params, &begin_out_params);
400 EXPECT_EQ(ErrorCode::OK, result);
401 if (result != ErrorCode::OK) {
402 return "";
403 }
404
405 string output;
406 int32_t consumed = 0;
407 AuthorizationSet update_params;
408 AuthorizationSet update_out_params;
409 result = Update(update_params, message, &update_out_params, &output, &consumed);
410 EXPECT_EQ(ErrorCode::OK, result);
411 if (result != ErrorCode::OK) {
412 return "";
413 }
414
415 string unused;
416 AuthorizationSet finish_params;
417 AuthorizationSet finish_out_params;
418 EXPECT_EQ(ErrorCode::OK,
419 Finish(finish_params, message.substr(consumed), unused, &finish_out_params, &output));
420
421 out_params->push_back(begin_out_params);
422 out_params->push_back(finish_out_params);
423 return output;
424}
425
426string KeyMintAidlTestBase::SignMessage(const vector<uint8_t>& key_blob, const string& message,
427 const AuthorizationSet& params) {
428 SCOPED_TRACE("SignMessage");
429 AuthorizationSet out_params;
430 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
431 EXPECT_TRUE(out_params.empty());
432 return signature;
433}
434
435string KeyMintAidlTestBase::SignMessage(const string& message, const AuthorizationSet& params) {
436 SCOPED_TRACE("SignMessage");
437 return SignMessage(key_blob_, message, params);
438}
439
440string KeyMintAidlTestBase::MacMessage(const string& message, Digest digest, size_t mac_length) {
441 SCOPED_TRACE("MacMessage");
442 return SignMessage(
443 key_blob_, message,
444 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
445}
446
447void KeyMintAidlTestBase::CheckHmacTestVector(const string& key, const string& message,
448 Digest digest, const string& expected_mac) {
449 SCOPED_TRACE("CheckHmacTestVector");
450 ASSERT_EQ(ErrorCode::OK,
451 ImportKey(AuthorizationSetBuilder()
452 .Authorization(TAG_NO_AUTH_REQUIRED)
453 .HmacKey(key.size() * 8)
454 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
455 .Digest(digest),
456 KeyFormat::RAW, key));
457 string signature = MacMessage(message, digest, expected_mac.size() * 8);
458 EXPECT_EQ(expected_mac, signature)
459 << "Test vector didn't match for key of size " << key.size() << " message of size "
460 << message.size() << " and digest " << digest;
461 CheckedDeleteKey();
462}
463
464void KeyMintAidlTestBase::CheckAesCtrTestVector(const string& key, const string& nonce,
465 const string& message,
466 const string& expected_ciphertext) {
467 SCOPED_TRACE("CheckAesCtrTestVector");
468 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
469 .Authorization(TAG_NO_AUTH_REQUIRED)
470 .AesEncryptionKey(key.size() * 8)
471 .BlockMode(BlockMode::CTR)
472 .Authorization(TAG_CALLER_NONCE)
473 .Padding(PaddingMode::NONE),
474 KeyFormat::RAW, key));
475
476 auto params = AuthorizationSetBuilder()
477 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
478 .BlockMode(BlockMode::CTR)
479 .Padding(PaddingMode::NONE);
480 AuthorizationSet out_params;
481 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
482 EXPECT_EQ(expected_ciphertext, ciphertext);
483}
484
485void KeyMintAidlTestBase::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
486 PaddingMode padding_mode, const string& key,
487 const string& iv, const string& input,
488 const string& expected_output) {
489 auto authset = AuthorizationSetBuilder()
490 .TripleDesEncryptionKey(key.size() * 7)
491 .BlockMode(block_mode)
492 .Authorization(TAG_NO_AUTH_REQUIRED)
493 .Padding(padding_mode);
494 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
495 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
496 ASSERT_GT(key_blob_.size(), 0U);
497
498 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
499 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
500 AuthorizationSet output_params;
501 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
502 EXPECT_EQ(expected_output, output);
503}
504
505void KeyMintAidlTestBase::VerifyMessage(const vector<uint8_t>& key_blob, const string& message,
506 const string& signature, const AuthorizationSet& params) {
507 SCOPED_TRACE("VerifyMessage");
508 AuthorizationSet begin_out_params;
509 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params));
510
511 string output;
512 AuthorizationSet update_params;
513 AuthorizationSet update_out_params;
514 int32_t consumed;
515 ASSERT_EQ(ErrorCode::OK,
516 Update(update_params, message, &update_out_params, &output, &consumed));
517 EXPECT_TRUE(output.empty());
518 EXPECT_GT(consumed, 0U);
519
520 string unused;
521 AuthorizationSet finish_params;
522 AuthorizationSet finish_out_params;
523 EXPECT_EQ(ErrorCode::OK, Finish(finish_params, message.substr(consumed), signature,
524 &finish_out_params, &output));
525 op_.clear();
526 EXPECT_TRUE(output.empty());
527}
528
529void KeyMintAidlTestBase::VerifyMessage(const string& message, const string& signature,
530 const AuthorizationSet& params) {
531 SCOPED_TRACE("VerifyMessage");
532 VerifyMessage(key_blob_, message, signature, params);
533}
534
535string KeyMintAidlTestBase::EncryptMessage(const vector<uint8_t>& key_blob, const string& message,
536 const AuthorizationSet& in_params,
537 AuthorizationSet* out_params) {
538 SCOPED_TRACE("EncryptMessage");
539 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
540}
541
542string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params,
543 AuthorizationSet* out_params) {
544 SCOPED_TRACE("EncryptMessage");
545 return EncryptMessage(key_blob_, message, params, out_params);
546}
547
548string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params) {
549 SCOPED_TRACE("EncryptMessage");
550 AuthorizationSet out_params;
551 string ciphertext = EncryptMessage(message, params, &out_params);
552 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
553 return ciphertext;
554}
555
556string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
557 PaddingMode padding) {
558 SCOPED_TRACE("EncryptMessage");
559 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
560 AuthorizationSet out_params;
561 string ciphertext = EncryptMessage(message, params, &out_params);
562 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
563 return ciphertext;
564}
565
566string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
567 PaddingMode padding, vector<uint8_t>* iv_out) {
568 SCOPED_TRACE("EncryptMessage");
569 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
570 AuthorizationSet out_params;
571 string ciphertext = EncryptMessage(message, params, &out_params);
572 EXPECT_EQ(1U, out_params.size());
573 auto ivVal = out_params.GetTagValue(TAG_NONCE);
574 EXPECT_TRUE(ivVal.isOk());
575 if (ivVal.isOk()) *iv_out = ivVal.value();
576 return ciphertext;
577}
578
579string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
580 PaddingMode padding, const vector<uint8_t>& iv_in) {
581 SCOPED_TRACE("EncryptMessage");
582 auto params = AuthorizationSetBuilder()
583 .BlockMode(block_mode)
584 .Padding(padding)
585 .Authorization(TAG_NONCE, iv_in);
586 AuthorizationSet out_params;
587 string ciphertext = EncryptMessage(message, params, &out_params);
588 return ciphertext;
589}
590
591string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
592 PaddingMode padding, uint8_t mac_length_bits,
593 const vector<uint8_t>& iv_in) {
594 SCOPED_TRACE("EncryptMessage");
595 auto params = AuthorizationSetBuilder()
596 .BlockMode(block_mode)
597 .Padding(padding)
598 .Authorization(TAG_MAC_LENGTH, mac_length_bits)
599 .Authorization(TAG_NONCE, iv_in);
600 AuthorizationSet out_params;
601 string ciphertext = EncryptMessage(message, params, &out_params);
602 return ciphertext;
603}
604
605string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
606 const string& ciphertext,
607 const AuthorizationSet& params) {
608 SCOPED_TRACE("DecryptMessage");
609 AuthorizationSet out_params;
610 string plaintext =
611 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
612 EXPECT_TRUE(out_params.empty());
613 return plaintext;
614}
615
616string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext,
617 const AuthorizationSet& params) {
618 SCOPED_TRACE("DecryptMessage");
619 return DecryptMessage(key_blob_, ciphertext, params);
620}
621
622string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext, BlockMode block_mode,
623 PaddingMode padding_mode, const vector<uint8_t>& iv) {
624 SCOPED_TRACE("DecryptMessage");
625 auto params = AuthorizationSetBuilder()
626 .BlockMode(block_mode)
627 .Padding(padding_mode)
628 .Authorization(TAG_NONCE, iv);
629 return DecryptMessage(key_blob_, ciphertext, params);
630}
631
632std::pair<ErrorCode, vector<uint8_t>> KeyMintAidlTestBase::UpgradeKey(
633 const vector<uint8_t>& key_blob) {
634 std::pair<ErrorCode, vector<uint8_t>> retval;
635 vector<uint8_t> outKeyBlob;
636 Status result = keymint_->upgradeKey(key_blob, vector<KeyParameter>(), &outKeyBlob);
637 ErrorCode errorcode = GetReturnErrorCode(result);
638 retval = std::tie(errorcode, outKeyBlob);
639
640 return retval;
641}
642vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
643 switch (algorithm) {
644 case Algorithm::RSA:
645 switch (SecLevel()) {
646 case SecurityLevel::SOFTWARE:
647 case SecurityLevel::TRUSTED_ENVIRONMENT:
648 return {2048, 3072, 4096};
649 case SecurityLevel::STRONGBOX:
650 return {2048};
651 default:
652 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
653 break;
654 }
655 break;
656 case Algorithm::EC:
657 switch (SecLevel()) {
658 case SecurityLevel::SOFTWARE:
659 case SecurityLevel::TRUSTED_ENVIRONMENT:
660 return {224, 256, 384, 521};
661 case SecurityLevel::STRONGBOX:
662 return {256};
663 default:
664 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
665 break;
666 }
667 break;
668 case Algorithm::AES:
669 return {128, 256};
670 case Algorithm::TRIPLE_DES:
671 return {168};
672 case Algorithm::HMAC: {
673 vector<uint32_t> retval((512 - 64) / 8 + 1);
674 uint32_t size = 64 - 8;
675 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
676 return retval;
677 }
678 default:
679 ADD_FAILURE() << "Invalid Algorithm: " << algorithm;
680 return {};
681 }
682 ADD_FAILURE() << "Should be impossible to get here";
683 return {};
684}
685
686vector<uint32_t> KeyMintAidlTestBase::InvalidKeySizes(Algorithm algorithm) {
687 if (SecLevel() == SecurityLevel::STRONGBOX) {
688 switch (algorithm) {
689 case Algorithm::RSA:
690 return {3072, 4096};
691 case Algorithm::EC:
692 return {224, 384, 521};
693 case Algorithm::AES:
694 return {192};
695 default:
696 return {};
697 }
698 }
699 return {};
700}
701
702vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {
703 if (securityLevel_ == SecurityLevel::STRONGBOX) {
704 return {EcCurve::P_256};
705 } else {
706 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
707 }
708}
709
710vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
711 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
712 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
713 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
714}
715
716vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
717 switch (SecLevel()) {
718 case SecurityLevel::SOFTWARE:
719 case SecurityLevel::TRUSTED_ENVIRONMENT:
720 if (withNone) {
721 if (withMD5)
722 return {Digest::NONE, Digest::MD5, Digest::SHA1,
723 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
724 Digest::SHA_2_512};
725 else
726 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
727 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
728 } else {
729 if (withMD5)
730 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
731 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
732 else
733 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
734 Digest::SHA_2_512};
735 }
736 break;
737 case SecurityLevel::STRONGBOX:
738 if (withNone)
739 return {Digest::NONE, Digest::SHA_2_256};
740 else
741 return {Digest::SHA_2_256};
742 break;
743 default:
744 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
745 break;
746 }
747 ADD_FAILURE() << "Should be impossible to get here";
748 return {};
749}
750
751} // namespace test
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]752
753} // namespace android::hardware::security::keymint