Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 24f75791306dc1cbd8da4e06c3de8b106f206e4c / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: c0aa1a613b04b4cb13ac3e14f1a069d31d419711 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
24
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]25#include <openssl/curve25519.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27#include <openssl/evp.h>
28#include <openssl/mem.h>
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]29#include <openssl/x509.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]30#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]31
32#include <cutils/properties.h>
33
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]34#include <android/binder_manager.h>
35
36#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]37#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]38
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]39#include <keymint_support/key_param_output.h>
40#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]41
42#include "KeyMintAidlTestBase.h"
43
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]44using aidl::android::hardware::security::keymint::AuthorizationSet;
45using aidl::android::hardware::security::keymint::KeyCharacteristics;
46using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]48namespace std {
49
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]50using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]51
52template <>
53struct std::equal_to<KeyCharacteristics> {
54 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]55 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]56
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]57 // this isn't very efficient. Oh, well.
58 AuthorizationSet a_auths(a.authorizations);
59 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]60
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]61 a_auths.Sort();
62 b_auths.Sort();
63
64 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]65 }
66};
67
68} // namespace std
69
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]70namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]71
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]72namespace {
73
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]74// Maximum supported Ed25519 message size.
75const size_t MAX_ED25519_MSG_SIZE = 16 * 1024;
76
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]77// Whether to check that BOOT_PATCHLEVEL is populated.
78bool check_boot_pl = true;
79
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]80// The maximum number of times we'll attempt to verify that corruption
David Drysdale4c1f6ac2021-11-25 16:08:29 +0000[diff] [blame]81// of an encrypted blob results in an error. Retries are necessary as there
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]82// is a small (roughly 1/256) chance that corrupting ciphertext still results
83// in valid PKCS7 padding.
84constexpr size_t kMaxPaddingCorruptionRetries = 8;
85
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]86template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]87bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
88 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]89 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]90 if (auto p = authorizationValue(ttag, param)) {
91 return *p == expected_value;
92 }
93 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]94 });
95 return (it != set.end());
96}
97
98template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]99bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]100 auto it = std::find_if(set.begin(), set.end(),
101 [&](const KeyParameter& param) { return param.tag == tag; });
102 return (it != set.end());
103}
104
105constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
108 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
109 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
110 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
111 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
112 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
113 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
114 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
115 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
116 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
117 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
119 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
120 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
121
122string hex2str(string a) {
123 string b;
124 size_t num = a.size() / 2;
125 b.resize(num);
126 for (size_t i = 0; i < num; i++) {
127 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
128 }
129 return b;
130}
131
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]132string rsa_key = hex2str(
133 // RFC 5208 s5
134 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
135 "020100" // INTEGER length 1 value 0x00 (version)
136 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
137 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
138 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
139 "0500" // NULL (parameters)
140 // } end SEQUENCE (AlgorithmIdentifier)
141 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
142 // RFC 8017 A.1.2
143 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
144 "020100" // INTEGER length 1 value 0x00 (version)
145 "028181" // INTEGER length 0x81 value (modulus) ...
146 "00c6095409047d8634812d5a218176e4"
147 "5c41d60a75b13901f234226cffe77652"
148 "1c5a77b9e389417b71c0b6a44d13afe4"
149 "e4a2805d46c9da2935adb1ff0c1f24ea"
150 "06e62b20d776430a4d435157233c6f91"
151 "6783c30e310fcbd89b85c2d567711697"
152 "85ac12bca244abda72bfb19fc44d27c8"
153 "1e1d92de284f4061edfd99280745ea6d"
154 "25"
155 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
156 "028180" // INTEGER length 0x80 (privateExponent) value...
157 "1be0f04d9cae3718691f035338308e91"
158 "564b55899ffb5084d2460e6630257e05"
159 "b3ceab02972dfabcd6ce5f6ee2589eb6"
160 "7911ed0fac16e43a444b8c861e544a05"
161 "93365772f8baf6b22fc9e3c5f1024b06"
162 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
163 "ace7240290bef16c0b3f7f3cdd64ce3a"
164 "b5912cf6e32f39ab188358afcccd8081"
165 "0241" // INTEGER length 0x41 (prime1)
166 "00e4b49ef50f765d3b24dde01aceaaf1"
167 "30f2c76670a91a61ae08af497b4a82be"
168 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
169 "8c92bfab137fba2285227b83c342ff7c"
170 "55"
171 "0241" // INTEGER length 0x41 (prime2)
172 "00ddabb5839c4c7f6bf3d4183231f005"
173 "b31aa58affdda5c79e4cce217f6bc930"
174 "dbe563d480706c24e9ebfcab28a6cdef"
175 "d324b77e1bf7251b709092c24ff501fd"
176 "91"
177 "0240" // INTEGER length 0x40 (exponent1)
178 "23d4340eda3445d8cd26c14411da6fdc"
179 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
180 "842c1d280405bc2f6c1bea214a1d742a"
181 "b996b35b63a82a5e470fa88dbf823cdd"
182 "0240" // INTEGER length 0x40 (exponent2)
183 "1b7b57449ad30d1518249a5f56bb9829"
184 "4d4b6ac12ffc86940497a5a5837a6cf9"
185 "46262b494526d328c11e1126380fde04"
186 "c24f916dec250892db09a6d77cdba351"
187 "0240" // INTEGER length 0x40 (coefficient)
188 "7762cd8f4d050da56bd591adb515d24d"
189 "7ccd32cca0d05f866d583514bd7324d5"
190 "f33645e8ed8b4a1cb3cc4a1d67987399"
191 "f2a09f5b3fb68c88d5e5d90ac33492d6"
192 // } end SEQUENCE (PrivateKey)
193 // } end SEQUENCE (PrivateKeyInfo)
194);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]195
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]196/*
197 * DER-encoded PKCS#8 format RSA key. Generated using:
198 *
199 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
200 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]201string rsa_2048_key = hex2str(
202 // RFC 5208 s5
203 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
204 "020100" // INTEGER length 1 value 0x00 (version)
205 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
206 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
207 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
208 "0500" // NULL (parameters)
209 // } end SEQUENCE (AlgorithmIdentifier)
210 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
211 // RFC 8017 A.1.2
212 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
213 "020100" // INTEGER length 1 value 0x00 (version)
214 "02820101" // INTEGER length 0x101 value (modulus) ...
215 "00BEBC342B56D443B1299F9A6A7056E8"
216 "0A897E318476A5A18029E63B2ED739A6"
217 "1791D339F58DC763D9D14911F2EDEC38"
218 "3DEE11F6319B44510E7A3ECD9B79B973"
219 "82E49500ACF8117DC89CAF0E621F7775"
220 "6554A2FD4664BFE7AB8B59AB48340DBF"
221 "A27B93B5A81F6ECDEB02D0759307128D"
222 "F3E3BAD4055C8B840216DFAA5700670E"
223 "6C5126F0962FCB70FF308F25049164CC"
224 "F76CC2DA66A7DD9A81A714C2809D6918"
225 "6133D29D84568E892B6FFBF3199BDB14"
226 "383EE224407F190358F111A949552ABA"
227 "6714227D1BD7F6B20DD0CB88F9467B71"
228 "9339F33BFF35B3870B3F62204E4286B0"
229 "948EA348B524544B5F9838F29EE643B0"
230 "79EEF8A713B220D7806924CDF7295070"
231 "C5"
232 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
233 "02820100" // INTEGER length 0x100 (privateExponent) value...
234 "69F377F35F2F584EF075353CCD1CA997"
235 "38DB3DBC7C7FF35F9366CE176DFD1B13"
236 "5AB10030344ABF5FBECF1D4659FDEF1C"
237 "0FC430834BE1BE3911951377BB3D563A"
238 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
239 "2686C7B4B3C09A7B8354133E6F93F790"
240 "D59EAEB92E84C9A4339302CCE28FDF04"
241 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
242 "6AB706645BF074A4E4090D06FB163124"
243 "365FD5EE7A20D350E9958CC30D91326E"
244 "1B292E9EF5DB408EC42DAF737D201497"
245 "04D0A678A0FB5B5446863B099228A352"
246 "D604BA8091A164D01D5AB05397C71EAD"
247 "20BE2A08FC528FE442817809C787FEE4"
248 "AB97F97B9130D022153EDC6EB6CBE7B0"
249 "F8E3473F2E901209B5DB10F93604DB01"
250 "028181" // INTEGER length 0x81 (prime1)
251 "00E83C0998214941EA4F9293F1B77E2E"
252 "99E6CF305FAF358238E126124FEAF2EB"
253 "9724B2EA7B78E6032343821A80E55D1D"
254 "88FB12D220C3F41A56142FEC85796D19"
255 "17F1E8C774F142B67D3D6E7B7E6B4383"
256 "E94DB5929089DBB346D5BDAB40CC2D96"
257 "EE0409475E175C63BF78CFD744136740"
258 "838127EA723FF3FE7FA368C1311B4A4E"
259 "05"
260 "028181" // INTEGER length 0x81 (prime2)
261 "00D240FCC0F5D7715CDE21CB2DC86EA1"
262 "46132EA3B06F61FF2AF54BF38473F59D"
263 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
264 "B1B58C39F95E4798CCBB43E83D0119AC"
265 "F532F359CA743C85199F0286610E2009"
266 "97D7312917179AC9B67558773212EC96"
267 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
268 "94D94E066A0900B7B70E82A44FB30053"
269 "C1"
270 "028181" // INTEGER length 0x81 (exponent1)
271 "00AD15DA1CBD6A492B66851BA8C316D3"
272 "8AB700E2CFDDD926A658003513C54BAA"
273 "152B30021D667D20078F500F8AD3E7F3"
274 "945D74A891ED1A28EAD0FEEAEC8C14A8"
275 "E834CF46A13D1378C99D18940823CFDD"
276 "27EC5810D59339E0C34198AC638E09C8"
277 "7CBB1B634A9864AE9F4D5EB2D53514F6"
278 "7B4CAEC048C8AB849A02E397618F3271"
279 "35"
280 "028180" // INTEGER length 0x80 (exponent2)
281 "1FA2C1A5331880A92D8F3E281C617108"
282 "BF38244F16E352E69ED417C7153F9EC3"
283 "18F211839C643DCF8B4DD67CE2AC312E"
284 "95178D5D952F06B1BF779F4916924B70"
285 "F582A23F11304E02A5E7565AE22A35E7"
286 "4FECC8B6FDC93F92A1A37703E4CF0E63"
287 "783BD02EB716A7ECBBFA606B10B74D01"
288 "579522E7EF84D91FC522292108D902C1"
289 "028180" // INTEGER length 0x80 (coefficient)
290 "796FE3825F9DCC85DF22D58690065D93"
291 "898ACD65C087BEA8DA3A63BF4549B795"
292 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
293 "0D74F40DED8E1102C52152A31B6165F8"
294 "3A6722AECFCC35A493D7634664B888A0"
295 "8D3EB034F12EA28BFEE346E205D33482"
296 "7F778B16ED40872BD29FCB36536B6E93"
297 "FFB06778696B4A9D81BB0A9423E63DE5"
298 // } end SEQUENCE (PrivateKey)
299 // } end SEQUENCE (PrivateKeyInfo)
300);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]301
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]302string ec_256_key = hex2str(
303 // RFC 5208 s5
304 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
305 "020100" // INTEGER length 1 value 0 (version)
306 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
307 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
308 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
309 "0608" // OBJECT IDENTIFIER length 8 (param)
310 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
311 // } end SEQUENCE (AlgorithmIdentifier)
312 "046d" // OCTET STRING length 0x6d (privateKey) holding...
313 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
314 "020101" // INTEGER length 1 value 1 (version)
315 "0420" // OCTET STRING length 0x20 (privateKey)
316 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
317 "941eed09366bc03299986481f3a4d859"
318 "a144" // TAG [1] len 0x44 (publicKey) {
319 "03420004bf85d7720d07c25461683bc6"
320 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
321 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
322 "bcc41c6eb00083cf3376d11fd44949e0"
323 "b2183bfe"
324 // } end SEQUENCE (ECPrivateKey)
325 // } end SEQUENCE (PrivateKeyInfo)
326);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]327
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]328string ec_521_key = hex2str(
329 // RFC 5208 s5
330 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
331 "020100" // INTEGER length 1 value 0 (version)
332 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
333 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
334 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
335 "0605" // OBJECT IDENTIFIER length 5 (param)
336 "2B81040023" // 1.3.132.0.35 (secp521r1)
337 // } end SEQUENCE (AlgorithmIdentifier)
338 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
339 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
340 "020101" // INTEGER length 1 value 1 (version)
341 "0442" // OCTET STRING length 0x42 (privateKey)
342 "0011458C586DB5DAA92AFAB03F4FE46A"
343 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
344 "9D18D7D08B5BCFA0E53C75B064AD51C4"
345 "49BAE0258D54B94B1E885DED08ED4FB2"
346 "5CE9"
347 "A18189" // TAG [1] len 0x89 (publicKey) {
348 "03818600040149EC11C6DF0FA122C6A9"
349 "AFD9754A4FA9513A627CA329E349535A"
350 "5629875A8ADFBE27DCB932C051986377"
351 "108D054C28C6F39B6F2C9AF81802F9F3"
352 "26B842FF2E5F3C00AB7635CFB36157FC"
353 "0882D574A10D839C1A0C049DC5E0D775"
354 "E2EE50671A208431BB45E78E70BEFE93"
355 "0DB34818EE4D5C26259F5C6B8E28A652"
356 "950F9F88D7B4B2C9D9"
357 // } end SEQUENCE (ECPrivateKey)
358 // } end SEQUENCE (PrivateKeyInfo)
359);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]360
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]361string ec_256_key_rfc5915 = hex2str(
362 // RFC 5208 s5
363 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
364 "020100" // INTEGER length 1 value 0 (version)
365 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
366 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
367 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
368 "0608" // OBJECT IDENTIFIER length 8 (param)
369 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
370 // } end SEQUENCE (AlgorithmIdentifier)
371 "0479" // OCTET STRING length 0x79 (privateKey) holding...
372 // RFC 5915 s3
373 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
374 "020101" // INTEGER length 1 value 1 (version)
375 "0420" // OCTET STRING length 0x42 (privateKey)
376 "782370a8c8ce5537baadd04dcff079c8"
377 "158cfa9c67b818b38e8d21c9fa750c1d"
378 "a00a" // TAG [0] length 0xa (parameters)
379 "0608" // OBJECT IDENTIFIER length 8
380 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
381 // } end TAG [0]
382 "a144" // TAG [1] length 0x44 (publicKey) {
383 "0342" // BIT STRING length 0x42
384 "00" // no pad bits
385 "04e2cc561ee701da0ad0ef0d176bb0c9"
386 "19d42e79c393fdc1bd6c4010d85cf2cf"
387 "8e68c905464666f98dad4f01573ba810"
388 "78b3428570a439ba3229fbc026c55068"
389 "2f"
390 // } end SEQUENCE (ECPrivateKey)
391 // } end SEQUENCE (PrivateKeyInfo)
392);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]393
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]394string ec_256_key_sec1 = hex2str(
395 // RFC 5208 s5
396 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
397 "020100" // INTEGER length 1 value 0 (version)
398 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
399 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
400 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
401 "0608" // OBJECT IDENTIFIER length 8 (param)
402 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
403 // } end SEQUENCE (AlgorithmIdentifier)
404 "046d" // OCTET STRING length 0x6d (privateKey) holding...
405 // SEC1-v2 C.4
406 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
407 "020101" // INTEGER length 1 value 0x01 (version)
408 "0420" // OCTET STRING length 0x20 (privateKey)
409 "782370a8c8ce5537baadd04dcff079c8"
410 "158cfa9c67b818b38e8d21c9fa750c1d"
411 "a144" // TAG [1] length 0x44 (publicKey) {
412 "0342" // BIT STRING length 0x42
413 "00" // no pad bits
414 "04e2cc561ee701da0ad0ef0d176bb0c9"
415 "19d42e79c393fdc1bd6c4010d85cf2cf"
416 "8e68c905464666f98dad4f01573ba810"
417 "78b3428570a439ba3229fbc026c55068"
418 "2f"
419 // } end TAG [1] (publicKey)
420 // } end SEQUENCE (PrivateKeyInfo)
421);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]422
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]423/**
424 * Ed25519 key pair generated as follows:
425 * ```
426 * % openssl req -x509 -newkey ED25519 -days 700 -nodes \
427 * -keyout ed25519_priv.key -out ed25519.pem * -subj "/CN=fake.ed25519.com"
428 * Generating a ED25519 private key writing new private key to
429 * 'ed25519_priv.key'
430 * -----
431 * % cat ed25519_priv.key
432 * -----BEGIN PRIVATE KEY-----
433 * MC4CAQAwBQYDK2VwBCIEIKl3A5quNywcj1P+0XI9SBalFPIvO52NxceMLRH6dVmR
434 * -----END PRIVATE KEY-----
435 * % der2ascii -pem -i ed25519_priv.key
436 * SEQUENCE {
437 * INTEGER { 0 }
438 * SEQUENCE {
439 * # ed25519
440 * OBJECT_IDENTIFIER { 1.3.101.112 }
441 * }
442 * OCTET_STRING {
443 * OCTET_STRING { `a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991` }
444 * }
445 * }
446 * % cat ed25519.pem
447 * -----BEGIN CERTIFICATE-----
448 * MIIBSjCB/aADAgECAhR0Jron3eKcdgqyecv/eEfGWAzn8DAFBgMrZXAwGzEZMBcG
449 * A1UEAwwQZmFrZS5lZDI1NTE5LmNvbTAeFw0yMTEwMjAwODI3NDJaFw0yMzA5MjAw
450 * ODI3NDJaMBsxGTAXBgNVBAMMEGZha2UuZWQyNTUxOS5jb20wKjAFBgMrZXADIQDv
451 * uwHz+3TaQ69D2digxlz0fFfsZg0rPqgQae3jBPRWkaNTMFEwHQYDVR0OBBYEFN9O
452 * od30SY4JTs66ZR403UPya+iXMB8GA1UdIwQYMBaAFN9Ood30SY4JTs66ZR403UPy
453 * a+iXMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAKjVrYQjuE/gEL2j/ABpDbFjV
454 * Ilg5tJ6MN/P3psAv3Cs7f0X1lFqdlt15nJ/6aj2cmGCwNRXt5wcyYDKNu+v2Dw==
455 * -----END CERTIFICATE-----
456 * % openssl x509 -in ed25519.pem -text -noout
457 * Certificate:
458 * Data:
459 * Version: 3 (0x2)
460 * Serial Number:
461 * 74:26:ba:27:dd:e2:9c:76:0a:b2:79:cb:ff:78:47:c6:58:0c:e7:f0
462 * Signature Algorithm: ED25519
463 * Issuer: CN = fake.ed25519.com
464 * Validity
465 * Not Before: Oct 20 08:27:42 2021 GMT
466 * Not After : Sep 20 08:27:42 2023 GMT
467 * Subject: CN = fake.ed25519.com
468 * Subject Public Key Info:
469 * Public Key Algorithm: ED25519
470 * ED25519 Public-Key:
471 * pub:
472 * ef:bb:01:f3:fb:74:da:43:af:43:d9:d8:a0:c6:5c:
473 * f4:7c:57:ec:66:0d:2b:3e:a8:10:69:ed:e3:04:f4:
474 * 56:91
475 * X509v3 extensions:
476 * X509v3 Subject Key Identifier:
477 * DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
478 * X509v3 Authority Key Identifier:
479 * keyid:DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
480 *
481 * X509v3 Basic Constraints: critical
482 * CA:TRUE
483 * Signature Algorithm: ED25519
484 * 2a:35:6b:61:08:ee:13:f8:04:2f:68:ff:00:1a:43:6c:58:d5:
485 * 22:58:39:b4:9e:8c:37:f3:f7:a6:c0:2f:dc:2b:3b:7f:45:f5:
486 * 94:5a:9d:96:dd:79:9c:9f:fa:6a:3d:9c:98:60:b0:35:15:ed:
487 * e7:07:32:60:32:8d:bb:eb:f6:0f
488 * ```
489 */
490string ed25519_key = hex2str("a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991");
491string ed25519_pkcs8_key = hex2str(
492 // RFC 5208 s5
493 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
494 "0201" // INTEGER length 1 (Version)
495 "00" // version 0
496 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
497 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
498 "2b6570" // 1.3.101.112 (id-Ed125519 RFC 8410 s3)
499 // } end SEQUENCE (AlgorithmIdentifier)
500 "0422" // OCTET STRING length 0x22 (PrivateKey)
501 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
502 "a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991"
503 // } end SEQUENCE (PrivateKeyInfo)
504);
505string ed25519_pubkey = hex2str("efbb01f3fb74da43af43d9d8a0c65cf47c57ec660d2b3ea81069ede304f45691");
506
507/**
508 * X25519 key pair generated as follows:
509 * ```
510 * % openssl genpkey -algorithm X25519 > x25519_priv.key
511 * % cat x25519_priv.key
512 * -----BEGIN PRIVATE KEY-----
513 * MC4CAQAwBQYDK2VuBCIEIGgPwF3NLwQx/Sfwr2nfJvXitwlDNh3Skzh+TISN/y1C
514 * -----END PRIVATE KEY-----
515 * % der2ascii -pem -i x25519_priv.key
516 * SEQUENCE {
517 * INTEGER { 0 }
518 * SEQUENCE {
519 * # x25519
520 * OBJECT_IDENTIFIER { 1.3.101.110 }
521 * }
522 * OCTET_STRING {
523 * OCTET_STRING { `680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42` }
524 * }
525 * }
526 * ```
527 */
528
529string x25519_key = hex2str("680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
530string x25519_pkcs8_key = hex2str(
531 // RFC 5208 s5
532 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
533 "0201" // INTEGER length 1 (Version)
534 "00" // version 0
535 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
536 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
537 "2b656e" // 1.3.101.110 (id-X125519 RFC 8410 s3)
538 "0422" // OCTET STRING length 0x22 (PrivateKey)
539 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
540 "680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
541string x25519_pubkey = hex2str("be46925a857f17831d6d454b9d3d36a4a30166edf80eb82b684661c3e258f768");
542
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]543struct RSA_Delete {
544 void operator()(RSA* p) { RSA_free(p); }
545};
546
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]547std::string make_string(const uint8_t* data, size_t length) {
548 return std::string(reinterpret_cast<const char*>(data), length);
549}
550
551template <size_t N>
552std::string make_string(const uint8_t (&a)[N]) {
553 return make_string(a, N);
554}
555
556class AidlBuf : public vector<uint8_t> {
557 typedef vector<uint8_t> super;
558
559 public:
560 AidlBuf() {}
561 AidlBuf(const super& other) : super(other) {}
562 AidlBuf(super&& other) : super(std::move(other)) {}
563 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
564
565 AidlBuf& operator=(const super& other) {
566 super::operator=(other);
567 return *this;
568 }
569
570 AidlBuf& operator=(super&& other) {
571 super::operator=(std::move(other));
572 return *this;
573 }
574
575 AidlBuf& operator=(const string& other) {
576 resize(other.size());
577 for (size_t i = 0; i < other.size(); ++i) {
578 (*this)[i] = static_cast<uint8_t>(other[i]);
579 }
580 return *this;
581 }
582
583 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
584};
585
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]586string device_suffix(const string& name) {
587 size_t pos = name.find('/');
588 if (pos == string::npos) {
589 return name;
590 }
591 return name.substr(pos + 1);
592}
593
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]594std::shared_ptr<IRemotelyProvisionedComponent> matching_rp_instance(const std::string& km_name) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]595 string km_suffix = device_suffix(km_name);
596
597 vector<string> rp_names =
598 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
599 for (const string& rp_name : rp_names) {
600 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
601 // KeyMint instance, assume they match.
602 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
603 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]604 return IRemotelyProvisionedComponent::fromBinder(binder);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]605 }
606 }
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]607 return nullptr;
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]608}
609
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]610} // namespace
611
612class NewKeyGenerationTest : public KeyMintAidlTestBase {
613 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]614 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]615 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]616 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]617
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]618 // Check that some unexpected tags/values are NOT present.
619 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
620 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]621 }
622
623 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]624 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]625 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
626 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
627
628 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]629 }
630
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]631 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics,
632 const KeyOrigin expectedKeyOrigin) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]633 // TODO(swillden): Distinguish which params should be in which auth list.
634 AuthorizationSet auths;
635 for (auto& entry : keyCharacteristics) {
636 auths.push_back(AuthorizationSet(entry.authorizations));
637 }
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]638 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, expectedKeyOrigin));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]639
640 // Verify that App data, ROT and auth timeout are NOT included.
641 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
642 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]643 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
644
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]645 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
646 // never adds it.
647 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
648
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]649 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]650 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]651 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]652 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]653 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]654 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]655 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]656
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]657 // Should include vendor patchlevel.
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]658 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
659 EXPECT_TRUE(vendor_pl);
660 EXPECT_EQ(*vendor_pl, vendor_patch_level());
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]661
662 // Should include boot patchlevel (but there are some test scenarios where this is not
663 // possible).
664 if (check_boot_pl) {
665 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
666 EXPECT_TRUE(boot_pl);
667 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]668
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]669 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]670 }
671};
672
673/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]674 * NewKeyGenerationTest.Aes
675 *
676 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
677 * have correct characteristics.
678 */
679TEST_P(NewKeyGenerationTest, Aes) {
680 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
681 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
682 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
683 SCOPED_TRACE(testing::Message()
684 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
685 vector<uint8_t> key_blob;
686 vector<KeyCharacteristics> key_characteristics;
687 auto builder = AuthorizationSetBuilder()
688 .AesEncryptionKey(key_size)
689 .BlockMode(block_mode)
690 .Padding(padding_mode)
691 .SetDefaultValidity();
692 if (block_mode == BlockMode::GCM) {
693 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
694 }
695 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]696 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]697
698 EXPECT_GT(key_blob.size(), 0U);
699 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]700 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]701
702 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
703
704 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
705 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
706 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]707 }
708 }
709 }
710}
711
712/*
713 * NewKeyGenerationTest.AesInvalidSize
714 *
715 * Verifies that specifying an invalid key size for AES key generation returns
716 * UNSUPPORTED_KEY_SIZE.
717 */
718TEST_P(NewKeyGenerationTest, AesInvalidSize) {
719 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
720 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
721 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
722 SCOPED_TRACE(testing::Message()
723 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
724 vector<uint8_t> key_blob;
725 vector<KeyCharacteristics> key_characteristics;
726 auto builder = AuthorizationSetBuilder()
727 .AesEncryptionKey(key_size)
728 .BlockMode(block_mode)
729 .Padding(padding_mode)
730 .SetDefaultValidity();
731 if (block_mode == BlockMode::GCM) {
732 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
733 }
734 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
735 GenerateKey(builder, &key_blob, &key_characteristics));
736 }
737 }
738 }
739
740 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
741 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]742 SCOPED_TRACE(testing::Message() << "AES-unknown-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]743 vector<uint8_t> key_blob;
744 vector<KeyCharacteristics> key_characteristics;
745 // No key size specified
746 auto builder = AuthorizationSetBuilder()
747 .Authorization(TAG_ALGORITHM, Algorithm::AES)
748 .BlockMode(block_mode)
749 .Padding(padding_mode)
750 .SetDefaultValidity();
751 if (block_mode == BlockMode::GCM) {
752 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
753 }
754 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
755 GenerateKey(builder, &key_blob, &key_characteristics));
756 }
757 }
758}
759
760/*
761 * NewKeyGenerationTest.AesInvalidPadding
762 *
763 * Verifies that specifying an invalid padding on AES keys gives a failure
764 * somewhere along the way.
765 */
766TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
767 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
768 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
769 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
770 SCOPED_TRACE(testing::Message()
771 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]772 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]773 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]774 .AesEncryptionKey(key_size)
775 .BlockMode(block_mode)
776 .Padding(padding_mode)
777 .SetDefaultValidity();
778 if (block_mode == BlockMode::GCM) {
779 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
780 }
781
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]782 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]783 if (result == ErrorCode::OK) {
784 // Key creation was OK but has generated a key that cannot be used.
785 auto params =
786 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]787 if (block_mode == BlockMode::GCM) {
788 params.Authorization(TAG_MAC_LENGTH, 128);
789 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]790 auto result = Begin(KeyPurpose::ENCRYPT, params);
791 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]792 result == ErrorCode::INVALID_KEY_BLOB)
793 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]794 } else {
795 // The KeyMint implementation detected that the generated key
796 // is unusable.
797 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
798 }
799 }
800 }
801 }
802}
803
804/*
805 * NewKeyGenerationTest.AesGcmMissingMinMac
806 *
807 * Verifies that specifying an invalid key size for AES key generation returns
808 * UNSUPPORTED_KEY_SIZE.
809 */
810TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
811 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
812 BlockMode block_mode = BlockMode::GCM;
813 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
814 SCOPED_TRACE(testing::Message()
815 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
816 vector<uint8_t> key_blob;
817 vector<KeyCharacteristics> key_characteristics;
818 // No MIN_MAC_LENGTH provided.
819 auto builder = AuthorizationSetBuilder()
820 .AesEncryptionKey(key_size)
821 .BlockMode(block_mode)
822 .Padding(padding_mode)
823 .SetDefaultValidity();
824 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
825 GenerateKey(builder, &key_blob, &key_characteristics));
826 }
827 }
828}
829
830/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]831 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
832 *
833 * Verifies that specifying an invalid min MAC size for AES key generation returns
834 * UNSUPPORTED_MIN_MAC_LENGTH.
835 */
836TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
837 for (size_t min_mac_len : {88, 136}) {
838 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
839 BlockMode block_mode = BlockMode::GCM;
840 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
841 SCOPED_TRACE(testing::Message()
842 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
843 vector<uint8_t> key_blob;
844 vector<KeyCharacteristics> key_characteristics;
845 auto builder = AuthorizationSetBuilder()
846 .AesEncryptionKey(key_size)
847 .BlockMode(block_mode)
848 .Padding(padding_mode)
849 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
850 .SetDefaultValidity();
851 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
852 GenerateKey(builder, &key_blob, &key_characteristics));
853 }
854 }
855 }
856}
857
858/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]859 * NewKeyGenerationTest.TripleDes
860 *
861 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
862 * have correct characteristics.
863 */
864TEST_P(NewKeyGenerationTest, TripleDes) {
865 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
866 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
867 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
868 SCOPED_TRACE(testing::Message()
869 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
870 vector<uint8_t> key_blob;
871 vector<KeyCharacteristics> key_characteristics;
872 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
873 .TripleDesEncryptionKey(key_size)
874 .BlockMode(block_mode)
875 .Padding(padding_mode)
876 .Authorization(TAG_NO_AUTH_REQUIRED)
877 .SetDefaultValidity(),
878 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]879 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]880
881 EXPECT_GT(key_blob.size(), 0U);
882 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]883 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]884
885 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
886
887 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
888 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
889 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]890 }
891 }
892 }
893}
894
895/*
896 * NewKeyGenerationTest.TripleDesWithAttestation
897 *
898 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
899 * have correct characteristics.
900 *
901 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
902 * put in a certificate) but which isn't an error.
903 */
904TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
905 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
906 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
907 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
908 SCOPED_TRACE(testing::Message()
909 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
910
911 auto challenge = "hello";
912 auto app_id = "foo";
913
914 vector<uint8_t> key_blob;
915 vector<KeyCharacteristics> key_characteristics;
916 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
917 .TripleDesEncryptionKey(key_size)
918 .BlockMode(block_mode)
919 .Padding(padding_mode)
920 .Authorization(TAG_NO_AUTH_REQUIRED)
921 .AttestationChallenge(challenge)
922 .AttestationApplicationId(app_id)
923 .SetDefaultValidity(),
924 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]925 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]926
927 EXPECT_GT(key_blob.size(), 0U);
928 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]929 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]930
931 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
932
933 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
934 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
935 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]936 }
937 }
938 }
939}
940
941/*
942 * NewKeyGenerationTest.TripleDesInvalidSize
943 *
944 * Verifies that specifying an invalid key size for 3-DES key generation returns
945 * UNSUPPORTED_KEY_SIZE.
946 */
947TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
948 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
949 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
950 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
951 SCOPED_TRACE(testing::Message()
952 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
953 vector<uint8_t> key_blob;
954 vector<KeyCharacteristics> key_characteristics;
955 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
956 GenerateKey(AuthorizationSetBuilder()
957 .TripleDesEncryptionKey(key_size)
958 .BlockMode(block_mode)
959 .Padding(padding_mode)
960 .Authorization(TAG_NO_AUTH_REQUIRED)
961 .SetDefaultValidity(),
962 &key_blob, &key_characteristics));
963 }
964 }
965 }
966
967 // Omitting the key size fails.
968 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
969 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
970 SCOPED_TRACE(testing::Message()
971 << "3DES-default-" << block_mode << "-" << padding_mode);
972 vector<uint8_t> key_blob;
973 vector<KeyCharacteristics> key_characteristics;
974 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
975 GenerateKey(AuthorizationSetBuilder()
976 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
977 .BlockMode(block_mode)
978 .Padding(padding_mode)
979 .Authorization(TAG_NO_AUTH_REQUIRED)
980 .SetDefaultValidity(),
981 &key_blob, &key_characteristics));
982 }
983 }
984}
985
986/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]987 * NewKeyGenerationTest.Rsa
988 *
989 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
990 * have correct characteristics.
991 */
992TEST_P(NewKeyGenerationTest, Rsa) {
993 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]994 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]995 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]996 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]997 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
998 .RsaSigningKey(key_size, 65537)
999 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1000 .Padding(PaddingMode::NONE)
1001 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1002 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1003 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1004
1005 ASSERT_GT(key_blob.size(), 0U);
1006 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1007 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1008
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1009 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1010
1011 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1012 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1013 << "Key size " << key_size << "missing";
1014 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1015 }
1016}
1017
1018/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1019 * NewKeyGenerationTest.RsaWithMissingValidity
1020 *
1021 * Verifies that keymint returns an error while generating asymmetric key
1022 * without providing NOT_BEFORE and NOT_AFTER parameters.
1023 */
1024TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1025 if (AidlVersion() < 3) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1026 /*
1027 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1028 * specified for asymmetric key generation. However, this was not
1029 * checked at the time so we can only be strict about checking this for
1030 * implementations of KeyMint version 2 and above.
1031 */
1032 GTEST_SKIP() << "Validity strict since KeyMint v2";
1033 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1034 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1035 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1036 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1037
1038 vector<uint8_t> key_blob;
1039 vector<KeyCharacteristics> key_characteristics;
1040 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1041 GenerateKey(AuthorizationSetBuilder()
1042 .RsaSigningKey(2048, 65537)
1043 .Digest(Digest::NONE)
1044 .Padding(PaddingMode::NONE)
1045 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1046 kUndefinedExpirationDateTime),
1047 &key_blob, &key_characteristics));
1048
1049 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1050 GenerateKey(AuthorizationSetBuilder()
1051 .RsaSigningKey(2048, 65537)
1052 .Digest(Digest::NONE)
1053 .Padding(PaddingMode::NONE)
1054 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1055 &key_blob, &key_characteristics));
1056}
1057
1058/*
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]1059 * NewKeyGenerationTest.RsaWithSpecifiedValidity
1060 *
1061 * Verifies that KeyMint respects specified NOT_BEFORE and NOT_AFTER certificate dates.
1062 */
1063TEST_P(NewKeyGenerationTest, RsaWithSpecifiedValidity) {
1064 vector<uint8_t> key_blob;
1065 vector<KeyCharacteristics> key_characteristics;
1066 ASSERT_EQ(ErrorCode::OK,
1067 GenerateKey(AuthorizationSetBuilder()
1068 .RsaSigningKey(2048, 65537)
1069 .Digest(Digest::NONE)
1070 .Padding(PaddingMode::NONE)
1071 .Authorization(TAG_CERTIFICATE_NOT_BEFORE,
1072 1183806000000 /* 2007-07-07T11:00:00Z */)
1073 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1074 1916049600000 /* 2030-09-19T12:00:00Z */),
1075 &key_blob, &key_characteristics));
1076 ASSERT_GT(cert_chain_.size(), 0);
1077
1078 X509_Ptr cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1079 ASSERT_TRUE(!!cert.get());
1080
1081 const ASN1_TIME* not_before = X509_get0_notBefore(cert.get());
1082 ASSERT_NE(not_before, nullptr);
1083 time_t not_before_time;
1084 ASSERT_EQ(ASN1_TIME_to_time_t(not_before, &not_before_time), 1);
1085 EXPECT_EQ(not_before_time, 1183806000);
1086
1087 const ASN1_TIME* not_after = X509_get0_notAfter(cert.get());
1088 ASSERT_NE(not_after, nullptr);
1089 time_t not_after_time;
1090 ASSERT_EQ(ASN1_TIME_to_time_t(not_after, &not_after_time), 1);
1091 EXPECT_EQ(not_after_time, 1916049600);
1092}
1093
1094/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1095 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1096 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1097 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
1098 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1099 */
1100TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1101 auto challenge = "hello";
1102 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1103
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1104 auto subject = "cert subj 2";
1105 vector<uint8_t> subject_der(make_name_from_str(subject));
1106
1107 uint64_t serial_int = 66;
1108 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1109
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1110 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1111 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1112 vector<uint8_t> key_blob;
1113 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1114 auto builder = AuthorizationSetBuilder()
1115 .RsaSigningKey(key_size, 65537)
1116 .Digest(Digest::NONE)
1117 .Padding(PaddingMode::NONE)
1118 .AttestationChallenge(challenge)
1119 .AttestationApplicationId(app_id)
1120 .Authorization(TAG_NO_AUTH_REQUIRED)
1121 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1122 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1123 .SetDefaultValidity();
1124
1125 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1126 // Strongbox may not support factory provisioned attestation key.
1127 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1128 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1129 result = GenerateKeyWithSelfSignedAttestKey(
1130 AuthorizationSetBuilder()
1131 .RsaKey(key_size, 65537)
1132 .AttestKey()
1133 .SetDefaultValidity(), /* attest key params */
1134 builder, &key_blob, &key_characteristics);
1135 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1136 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1137 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1138 KeyBlobDeleter deleter(keymint_, key_blob);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1139 ASSERT_GT(key_blob.size(), 0U);
1140 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1141 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1142
1143 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1144
1145 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1146 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1147 << "Key size " << key_size << "missing";
1148 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1149
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1150 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1151 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1152 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1153
1154 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1155 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1156 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1157 sw_enforced, hw_enforced, SecLevel(),
1158 cert_chain_[0].encodedCertificate));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1159 }
1160}
1161
1162/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1163 * NewKeyGenerationTest.RsaWithRkpAttestation
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1164 *
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1165 * Verifies that keymint can generate all required RSA key sizes using an attestation key
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1166 * that has been generated using an associate IRemotelyProvisionedComponent.
1167 */
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1168TEST_P(NewKeyGenerationTest, RsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1169 if (!IsRkpSupportRequired()) {
1170 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1171 }
1172
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1173 // Check for an IRemotelyProvisionedComponent instance associated with the
1174 // KeyMint instance.
1175 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1176 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1177 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1178 }
1179 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1180 << GetParam();
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1181
1182 // Generate a P-256 keypair to use as an attestation key.
1183 MacedPublicKey macedPubKey;
1184 std::vector<uint8_t> privateKeyBlob;
1185 auto status =
1186 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1187 ASSERT_TRUE(status.isOk());
1188 vector<uint8_t> coseKeyData;
1189 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1190
1191 AttestationKey attestation_key;
1192 attestation_key.keyBlob = std::move(privateKeyBlob);
1193 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1194
1195 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1196 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1197 auto challenge = "hello";
1198 auto app_id = "foo";
1199
1200 vector<uint8_t> key_blob;
1201 vector<KeyCharacteristics> key_characteristics;
1202 ASSERT_EQ(ErrorCode::OK,
1203 GenerateKey(AuthorizationSetBuilder()
1204 .RsaSigningKey(key_size, 65537)
1205 .Digest(Digest::NONE)
1206 .Padding(PaddingMode::NONE)
1207 .AttestationChallenge(challenge)
1208 .AttestationApplicationId(app_id)
1209 .Authorization(TAG_NO_AUTH_REQUIRED)
1210 .SetDefaultValidity(),
1211 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1212 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1213
1214 ASSERT_GT(key_blob.size(), 0U);
1215 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1216 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1217
1218 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1219
1220 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1221 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1222 << "Key size " << key_size << "missing";
1223 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1224
1225 // Attestation by itself is not valid (last entry is not self-signed).
1226 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1227
1228 // The signature over the attested key should correspond to the P256 public key.
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1229 ASSERT_GT(cert_chain_.size(), 0);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1230 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1231 ASSERT_TRUE(key_cert.get());
1232 EVP_PKEY_Ptr signing_pubkey;
1233 p256_pub_key(coseKeyData, &signing_pubkey);
1234 ASSERT_TRUE(signing_pubkey.get());
1235
1236 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1237 << "Verification of attested certificate failed "
1238 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1239 }
1240}
1241
1242/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1243 * NewKeyGenerationTest.EcdsaWithRkpAttestation
1244 *
1245 * Verifies that keymint can generate all required ECDSA key sizes using an attestation key
1246 * that has been generated using an associate IRemotelyProvisionedComponent.
1247 */
1248TEST_P(NewKeyGenerationTest, EcdsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1249 if (!IsRkpSupportRequired()) {
1250 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1251 }
1252
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1253 // Check for an IRemotelyProvisionedComponent instance associated with the
1254 // KeyMint instance.
1255 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1256 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1257 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1258 }
1259 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1260 << GetParam();
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1261
1262 // Generate a P-256 keypair to use as an attestation key.
1263 MacedPublicKey macedPubKey;
1264 std::vector<uint8_t> privateKeyBlob;
1265 auto status =
1266 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1267 ASSERT_TRUE(status.isOk());
1268 vector<uint8_t> coseKeyData;
1269 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1270
1271 AttestationKey attestation_key;
1272 attestation_key.keyBlob = std::move(privateKeyBlob);
1273 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1274
1275 for (auto curve : ValidCurves()) {
1276 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
1277 auto challenge = "hello";
1278 auto app_id = "foo";
1279
1280 vector<uint8_t> key_blob;
1281 vector<KeyCharacteristics> key_characteristics;
1282 ASSERT_EQ(ErrorCode::OK,
1283 GenerateKey(AuthorizationSetBuilder()
1284 .EcdsaSigningKey(curve)
1285 .Digest(Digest::NONE)
1286 .AttestationChallenge(challenge)
1287 .AttestationApplicationId(app_id)
1288 .Authorization(TAG_NO_AUTH_REQUIRED)
1289 .SetDefaultValidity(),
1290 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1291 KeyBlobDeleter deleter(keymint_, key_blob);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1292
1293 ASSERT_GT(key_blob.size(), 0U);
1294 CheckBaseParams(key_characteristics);
1295 CheckCharacteristics(key_blob, key_characteristics);
1296
1297 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1298
1299 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1300 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1301
1302 // Attestation by itself is not valid (last entry is not self-signed).
1303 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1304
1305 // The signature over the attested key should correspond to the P256 public key.
1306 ASSERT_GT(cert_chain_.size(), 0);
1307 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1308 ASSERT_TRUE(key_cert.get());
1309 EVP_PKEY_Ptr signing_pubkey;
1310 p256_pub_key(coseKeyData, &signing_pubkey);
1311 ASSERT_TRUE(signing_pubkey.get());
1312
1313 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1314 << "Verification of attested certificate failed "
1315 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1316 }
1317}
1318
1319/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1320 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1321 *
1322 * Verifies that keymint attestation for RSA encryption keys with challenge and
1323 * app id is also successful.
1324 */
1325TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1326 auto key_size = 2048;
1327 auto challenge = "hello";
1328 auto app_id = "foo";
1329
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1330 auto subject = "subj 2";
1331 vector<uint8_t> subject_der(make_name_from_str(subject));
1332
1333 uint64_t serial_int = 111166;
1334 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1335
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1336 vector<uint8_t> key_blob;
1337 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1338 auto builder = AuthorizationSetBuilder()
1339 .RsaEncryptionKey(key_size, 65537)
1340 .Padding(PaddingMode::NONE)
1341 .AttestationChallenge(challenge)
1342 .AttestationApplicationId(app_id)
1343 .Authorization(TAG_NO_AUTH_REQUIRED)
1344 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1345 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1346 .SetDefaultValidity();
1347
1348 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1349 // Strongbox may not support factory provisioned attestation key.
1350 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1351 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1352 result = GenerateKeyWithSelfSignedAttestKey(
1353 AuthorizationSetBuilder()
1354 .RsaKey(key_size, 65537)
1355 .AttestKey()
1356 .SetDefaultValidity(), /* attest key params */
1357 builder, &key_blob, &key_characteristics);
1358 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1359 }
1360 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1361 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1362
1363 ASSERT_GT(key_blob.size(), 0U);
1364 AuthorizationSet auths;
1365 for (auto& entry : key_characteristics) {
1366 auths.push_back(AuthorizationSet(entry.authorizations));
1367 }
1368
1369 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1370 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1371
1372 // Verify that App data and ROT are NOT included.
1373 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1374 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1375
1376 // Check that some unexpected tags/values are NOT present.
1377 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1378 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1379
1380 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1381
1382 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1383 ASSERT_TRUE(os_ver);
1384 EXPECT_EQ(*os_ver, os_version());
1385
1386 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1387
1388 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1389 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1390 << "Key size " << key_size << "missing";
1391 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1392
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1393 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1394 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1395 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1396
1397 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1398 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1399 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1400 sw_enforced, hw_enforced, SecLevel(),
1401 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1402}
1403
1404/*
1405 * NewKeyGenerationTest.RsaWithSelfSign
1406 *
1407 * Verifies that attesting to RSA key generation is successful, and returns
1408 * self signed certificate if no challenge is provided. And signing etc
1409 * works as expected.
1410 */
1411TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1412 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1413 vector<uint8_t> subject_der(make_name_from_str(subject));
1414
1415 uint64_t serial_int = 0;
1416 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1417
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1418 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1419 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1420 vector<uint8_t> key_blob;
1421 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1422 ASSERT_EQ(ErrorCode::OK,
1423 GenerateKey(AuthorizationSetBuilder()
1424 .RsaSigningKey(key_size, 65537)
1425 .Digest(Digest::NONE)
1426 .Padding(PaddingMode::NONE)
1427 .Authorization(TAG_NO_AUTH_REQUIRED)
1428 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1429 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1430 .SetDefaultValidity(),
1431 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1432 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1433
1434 ASSERT_GT(key_blob.size(), 0U);
1435 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1436 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1437
1438 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1439
1440 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1441 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1442 << "Key size " << key_size << "missing";
1443 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1444
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1445 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1446 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1447 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1448 }
1449}
1450
1451/*
1452 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1453 *
1454 * Verifies that attesting to RSA checks for missing app ID.
1455 */
1456TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1457 auto challenge = "hello";
1458 vector<uint8_t> key_blob;
1459 vector<KeyCharacteristics> key_characteristics;
1460
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1461 auto builder = AuthorizationSetBuilder()
1462 .RsaSigningKey(2048, 65537)
1463 .Digest(Digest::NONE)
1464 .Padding(PaddingMode::NONE)
1465 .AttestationChallenge(challenge)
1466 .Authorization(TAG_NO_AUTH_REQUIRED)
1467 .SetDefaultValidity();
1468
1469 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1470 // Strongbox may not support factory provisioned attestation key.
1471 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1472 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1473 result = GenerateKeyWithSelfSignedAttestKey(
1474 AuthorizationSetBuilder()
1475 .RsaKey(2048, 65537)
1476 .AttestKey()
1477 .SetDefaultValidity(), /* attest key params */
1478 builder, &key_blob, &key_characteristics);
1479 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1480 }
1481 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1482}
1483
1484/*
1485 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1486 *
1487 * Verifies that attesting to RSA ignores app id if challenge is missing.
1488 */
1489TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1490 auto key_size = 2048;
1491 auto app_id = "foo";
1492
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1493 auto subject = "cert subj 2";
1494 vector<uint8_t> subject_der(make_name_from_str(subject));
1495
1496 uint64_t serial_int = 1;
1497 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1498
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1499 vector<uint8_t> key_blob;
1500 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1501 ASSERT_EQ(ErrorCode::OK,
1502 GenerateKey(AuthorizationSetBuilder()
1503 .RsaSigningKey(key_size, 65537)
1504 .Digest(Digest::NONE)
1505 .Padding(PaddingMode::NONE)
1506 .AttestationApplicationId(app_id)
1507 .Authorization(TAG_NO_AUTH_REQUIRED)
1508 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1509 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1510 .SetDefaultValidity(),
1511 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1512 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1513
1514 ASSERT_GT(key_blob.size(), 0U);
1515 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1516 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1517
1518 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1519
1520 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1521 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1522 << "Key size " << key_size << "missing";
1523 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1524
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1525 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1526 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1527 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1528 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1529}
1530
1531/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1532 * NewKeyGenerationTest.LimitedUsageRsa
1533 *
1534 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1535 * resulting keys have correct characteristics.
1536 */
1537TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1538 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1539 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1540 vector<uint8_t> key_blob;
1541 vector<KeyCharacteristics> key_characteristics;
1542 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1543 .RsaSigningKey(key_size, 65537)
1544 .Digest(Digest::NONE)
1545 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1546 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1547 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1548 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1549 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1550
1551 ASSERT_GT(key_blob.size(), 0U);
1552 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1553 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1554
1555 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1556
1557 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1558 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1559 << "Key size " << key_size << "missing";
1560 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1561
1562 // Check the usage count limit tag appears in the authorizations.
1563 AuthorizationSet auths;
1564 for (auto& entry : key_characteristics) {
1565 auths.push_back(AuthorizationSet(entry.authorizations));
1566 }
1567 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1568 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1569 }
1570}
1571
1572/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1573 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1574 *
1575 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1576 * resulting keys have correct characteristics and attestation.
1577 */
1578TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1579 auto challenge = "hello";
1580 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1581
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1582 auto subject = "cert subj 2";
1583 vector<uint8_t> subject_der(make_name_from_str(subject));
1584
1585 uint64_t serial_int = 66;
1586 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1587
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1588 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1589 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1590 vector<uint8_t> key_blob;
1591 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1592 auto builder = AuthorizationSetBuilder()
1593 .RsaSigningKey(key_size, 65537)
1594 .Digest(Digest::NONE)
1595 .Padding(PaddingMode::NONE)
1596 .AttestationChallenge(challenge)
1597 .AttestationApplicationId(app_id)
1598 .Authorization(TAG_NO_AUTH_REQUIRED)
1599 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1600 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1601 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1602 .SetDefaultValidity();
1603
1604 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1605 // Strongbox may not support factory provisioned attestation key.
1606 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1607 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1608 result = GenerateKeyWithSelfSignedAttestKey(
1609 AuthorizationSetBuilder()
1610 .RsaKey(key_size, 65537)
1611 .AttestKey()
1612 .SetDefaultValidity(), /* attest key params */
1613 builder, &key_blob, &key_characteristics);
1614 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1615 }
1616 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1617 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1618
1619 ASSERT_GT(key_blob.size(), 0U);
1620 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1621 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1622
1623 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1624
1625 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1626 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1627 << "Key size " << key_size << "missing";
1628 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1629
1630 // Check the usage count limit tag appears in the authorizations.
1631 AuthorizationSet auths;
1632 for (auto& entry : key_characteristics) {
1633 auths.push_back(AuthorizationSet(entry.authorizations));
1634 }
1635 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1636 << "key usage count limit " << 1U << " missing";
1637
1638 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1639 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1640 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1641 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1642
1643 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1644 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1645 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1646 sw_enforced, hw_enforced, SecLevel(),
1647 cert_chain_[0].encodedCertificate));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1648 }
1649}
1650
1651/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1652 * NewKeyGenerationTest.NoInvalidRsaSizes
1653 *
1654 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1655 */
1656TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1657 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1658 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1659 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1660 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1661 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1662 GenerateKey(AuthorizationSetBuilder()
1663 .RsaSigningKey(key_size, 65537)
1664 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1665 .Padding(PaddingMode::NONE)
1666 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1667 &key_blob, &key_characteristics));
1668 }
1669}
1670
1671/*
1672 * NewKeyGenerationTest.RsaNoDefaultSize
1673 *
1674 * Verifies that failing to specify a key size for RSA key generation returns
1675 * UNSUPPORTED_KEY_SIZE.
1676 */
1677TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1678 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1679 GenerateKey(AuthorizationSetBuilder()
1680 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1681 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1682 .SigningKey()
1683 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1684}
1685
1686/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1687 * NewKeyGenerationTest.RsaMissingParams
1688 *
1689 * Verifies that omitting optional tags works.
1690 */
1691TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1692 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1693 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1694 ASSERT_EQ(ErrorCode::OK,
1695 GenerateKey(
1696 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1697 CheckedDeleteKey();
1698 }
1699}
1700
1701/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1702 * NewKeyGenerationTest.Ecdsa
1703 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1704 * Verifies that keymint can generate all required EC curves, and that the resulting keys
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1705 * have correct characteristics.
1706 */
1707TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1708 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1709 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1710 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1711 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1712 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1713 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1714 .Digest(Digest::NONE)
1715 .SetDefaultValidity(),
1716 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1717 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1718 ASSERT_GT(key_blob.size(), 0U);
1719 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1720 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1721
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1722 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1723
1724 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1725 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1726 }
1727}
1728
1729/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1730 * NewKeyGenerationTest.EcdsaCurve25519
1731 *
1732 * Verifies that keymint can generate a curve25519 key, and that the resulting key
1733 * has correct characteristics.
1734 */
1735TEST_P(NewKeyGenerationTest, EcdsaCurve25519) {
1736 if (!Curve25519Supported()) {
1737 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1738 }
1739
1740 EcCurve curve = EcCurve::CURVE_25519;
1741 vector<uint8_t> key_blob;
1742 vector<KeyCharacteristics> key_characteristics;
1743 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1744 .EcdsaSigningKey(curve)
1745 .Digest(Digest::NONE)
1746 .SetDefaultValidity(),
1747 &key_blob, &key_characteristics);
1748 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1749 KeyBlobDeleter deleter(keymint_, key_blob);
1750
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1751 ASSERT_GT(key_blob.size(), 0U);
1752
1753 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1754 ASSERT_GT(cert_chain_.size(), 0);
1755
1756 CheckBaseParams(key_characteristics);
1757 CheckCharacteristics(key_blob, key_characteristics);
1758
1759 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1760
1761 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1762 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1763}
1764
1765/*
1766 * NewKeyGenerationTest.EcCurve25519MultiPurposeFail
1767 *
1768 * Verifies that KeyMint rejects an attempt to generate a curve 25519 key for both
1769 * SIGN and AGREE_KEY.
1770 */
1771TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
1772 if (!Curve25519Supported()) {
1773 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1774 }
1775
1776 EcCurve curve = EcCurve::CURVE_25519;
1777 vector<uint8_t> key_blob;
1778 vector<KeyCharacteristics> key_characteristics;
1779 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1780 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
1781 .EcdsaSigningKey(curve)
1782 .Digest(Digest::NONE)
1783 .SetDefaultValidity(),
1784 &key_blob, &key_characteristics);
1785 ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
1786}
1787
1788/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1789 * NewKeyGenerationTest.EcdsaWithMissingValidity
1790 *
1791 * Verifies that keymint returns an error while generating asymmetric key
1792 * without providing NOT_BEFORE and NOT_AFTER parameters.
1793 */
1794TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1795 if (AidlVersion() < 2) {
1796 /*
1797 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1798 * specified for asymmetric key generation. However, this was not
1799 * checked at the time so we can only be strict about checking this for
1800 * implementations of KeyMint version 2 and above.
1801 */
1802 GTEST_SKIP() << "Validity strict since KeyMint v2";
1803 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1804 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1805 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1806 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1807
1808 vector<uint8_t> key_blob;
1809 vector<KeyCharacteristics> key_characteristics;
1810 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1811 GenerateKey(AuthorizationSetBuilder()
1812 .EcdsaSigningKey(EcCurve::P_256)
1813 .Digest(Digest::NONE)
1814 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1815 kUndefinedExpirationDateTime),
1816 &key_blob, &key_characteristics));
1817
1818 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1819 GenerateKey(AuthorizationSetBuilder()
1820 .EcdsaSigningKey(EcCurve::P_256)
1821 .Digest(Digest::NONE)
1822 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1823 &key_blob, &key_characteristics));
1824}
1825
1826/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1827 * NewKeyGenerationTest.EcdsaAttestation
1828 *
1829 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1830 * an attestation will be generated.
1831 */
1832TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1833 auto challenge = "hello";
1834 auto app_id = "foo";
1835
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1836 auto subject = "cert subj 2";
1837 vector<uint8_t> subject_der(make_name_from_str(subject));
1838
1839 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1840 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1841
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1842 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1843 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1844 vector<uint8_t> key_blob;
1845 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1846 auto builder = AuthorizationSetBuilder()
1847 .Authorization(TAG_NO_AUTH_REQUIRED)
1848 .EcdsaSigningKey(curve)
1849 .Digest(Digest::NONE)
1850 .AttestationChallenge(challenge)
1851 .AttestationApplicationId(app_id)
1852 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1853 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1854 .SetDefaultValidity();
1855
1856 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1857 // Strongbox may not support factory provisioned attestation key.
1858 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1859 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1860 result = GenerateKeyWithSelfSignedAttestKey(
1861 AuthorizationSetBuilder()
1862 .EcdsaKey(curve)
1863 .AttestKey()
1864 .SetDefaultValidity(), /* attest key params */
1865 builder, &key_blob, &key_characteristics);
1866 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1867 }
1868 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1869 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1870 ASSERT_GT(key_blob.size(), 0U);
1871 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1872 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1873
1874 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1875
1876 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1877 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1878
1879 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1880 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1881 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1882
1883 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1884 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1885 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1886 sw_enforced, hw_enforced, SecLevel(),
1887 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1888 }
1889}
1890
1891/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1892 * NewKeyGenerationTest.EcdsaAttestationCurve25519
1893 *
1894 * Verifies that for a curve 25519 key, if challenge and app id is provided,
1895 * an attestation will be generated.
1896 */
1897TEST_P(NewKeyGenerationTest, EcdsaAttestationCurve25519) {
1898 if (!Curve25519Supported()) {
1899 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1900 }
1901
1902 EcCurve curve = EcCurve::CURVE_25519;
1903 auto challenge = "hello";
1904 auto app_id = "foo";
1905
1906 auto subject = "cert subj 2";
1907 vector<uint8_t> subject_der(make_name_from_str(subject));
1908
1909 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1910 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1911
1912 vector<uint8_t> key_blob;
1913 vector<KeyCharacteristics> key_characteristics;
1914 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1915 .Authorization(TAG_NO_AUTH_REQUIRED)
1916 .EcdsaSigningKey(curve)
1917 .Digest(Digest::NONE)
1918 .AttestationChallenge(challenge)
1919 .AttestationApplicationId(app_id)
1920 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1921 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1922 .SetDefaultValidity(),
1923 &key_blob, &key_characteristics);
1924 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1925 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1926 ASSERT_GT(key_blob.size(), 0U);
1927 CheckBaseParams(key_characteristics);
1928 CheckCharacteristics(key_blob, key_characteristics);
1929
1930 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1931
1932 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1933 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1934
1935 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1936 ASSERT_GT(cert_chain_.size(), 0);
1937 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
1938
1939 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1940 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1941 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
1942 sw_enforced, hw_enforced, SecLevel(),
1943 cert_chain_[0].encodedCertificate));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1944}
1945
1946/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1947 * NewKeyGenerationTest.EcdsaAttestationTags
1948 *
1949 * Verifies that creation of an attested ECDSA key includes various tags in the
1950 * attestation extension.
1951 */
1952TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1953 auto challenge = "hello";
1954 auto app_id = "foo";
1955 auto subject = "cert subj 2";
1956 vector<uint8_t> subject_der(make_name_from_str(subject));
1957 uint64_t serial_int = 0x1010;
1958 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1959 const AuthorizationSetBuilder base_builder =
1960 AuthorizationSetBuilder()
1961 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1962 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1963 .Digest(Digest::NONE)
1964 .AttestationChallenge(challenge)
1965 .AttestationApplicationId(app_id)
1966 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1967 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1968 .SetDefaultValidity();
1969
1970 // Various tags that map to fields in the attestation extension ASN.1 schema.
1971 auto extra_tags = AuthorizationSetBuilder()
1972 .Authorization(TAG_ROLLBACK_RESISTANCE)
1973 .Authorization(TAG_EARLY_BOOT_ONLY)
1974 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1975 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1976 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1977 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1978 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1979 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1980 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1981 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1982 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1983 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1984
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1985 for (const KeyParameter& tag : extra_tags) {
1986 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1987 vector<uint8_t> key_blob;
1988 vector<KeyCharacteristics> key_characteristics;
1989 AuthorizationSetBuilder builder = base_builder;
1990 builder.push_back(tag);
1991 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1992 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1993 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1994 continue;
1995 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1996 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1997 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1998 continue;
1999 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2000 // Strongbox may not support factory provisioned attestation key.
2001 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2002 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2003 result = GenerateKeyWithSelfSignedAttestKey(
2004 AuthorizationSetBuilder()
2005 .EcdsaKey(EcCurve::P_256)
2006 .AttestKey()
2007 .SetDefaultValidity(), /* attest key params */
2008 builder, &key_blob, &key_characteristics);
2009 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2010 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2011 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2012 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2013 ASSERT_GT(key_blob.size(), 0U);
2014
2015 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2016 ASSERT_GT(cert_chain_.size(), 0);
2017 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2018
2019 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2020 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]2021 // Some tags are optional, so don't require them to be in the enforcements.
2022 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2023 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
2024 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
2025 }
2026
2027 // Verifying the attestation record will check for the specific tag because
2028 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2029 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2030 hw_enforced, SecLevel(),
2031 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2032 }
2033
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2034 // Collection of invalid attestation ID tags.
2035 auto invalid_tags =
2036 AuthorizationSetBuilder()
2037 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
2038 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
2039 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
2040 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
2041 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
2042 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
2043 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
2044 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2045 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2046 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2047 vector<uint8_t> key_blob;
2048 vector<KeyCharacteristics> key_characteristics;
2049 AuthorizationSetBuilder builder =
2050 AuthorizationSetBuilder()
2051 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2052 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2053 .Digest(Digest::NONE)
2054 .AttestationChallenge(challenge)
2055 .AttestationApplicationId(app_id)
2056 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2057 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2058 .SetDefaultValidity();
2059 builder.push_back(tag);
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2060
2061 auto error = GenerateKey(builder, &key_blob, &key_characteristics);
2062 // Strongbox may not support factory provisioned attestation key.
2063 if (SecLevel() == SecurityLevel::STRONGBOX) {
2064 if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2065 error = GenerateKeyWithSelfSignedAttestKey(
2066 AuthorizationSetBuilder()
2067 .EcdsaKey(EcCurve::P_256)
2068 .AttestKey()
2069 .SetDefaultValidity(), /* attest key params */
2070 builder, &key_blob, &key_characteristics);
2071 }
2072 }
David Drysdalec68dc932023-07-06 10:05:12 +0100[diff] [blame]2073
2074 device_id_attestation_check_acceptable_error(tag.tag, error);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2075 }
2076}
2077
2078/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2079 * NewKeyGenerationTest.EcdsaAttestationIdTags
2080 *
2081 * Verifies that creation of an attested ECDSA key includes various ID tags in the
2082 * attestation extension.
2083 */
2084TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
2085 auto challenge = "hello";
2086 auto app_id = "foo";
2087 auto subject = "cert subj 2";
2088 vector<uint8_t> subject_der(make_name_from_str(subject));
2089 uint64_t serial_int = 0x1010;
2090 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2091 const AuthorizationSetBuilder base_builder =
2092 AuthorizationSetBuilder()
2093 .Authorization(TAG_NO_AUTH_REQUIRED)
2094 .EcdsaSigningKey(EcCurve::P_256)
2095 .Digest(Digest::NONE)
2096 .AttestationChallenge(challenge)
2097 .AttestationApplicationId(app_id)
2098 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2099 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2100 .SetDefaultValidity();
2101
2102 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
2103 auto extra_tags = AuthorizationSetBuilder();
Prashant Patil24f75792023-09-07 15:25:14 +0000[diff] [blame^]2104 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_BRAND, "brand");
2105 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "device");
2106 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "name");
2107 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "manufacturer");
2108 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_MODEL, "model");
Tri Vo799e4352022-11-07 17:23:50 -0800[diff] [blame]2109 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serialno");
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2110
2111 for (const KeyParameter& tag : extra_tags) {
2112 SCOPED_TRACE(testing::Message() << "tag-" << tag);
2113 vector<uint8_t> key_blob;
2114 vector<KeyCharacteristics> key_characteristics;
2115 AuthorizationSetBuilder builder = base_builder;
2116 builder.push_back(tag);
2117 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2118 // Strongbox may not support factory provisioned attestation key.
2119 if (SecLevel() == SecurityLevel::STRONGBOX) {
2120 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
2121 }
Prashant Patil88ad1892022-03-15 16:31:02 +0000[diff] [blame]2122 if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
2123 // ID attestation was optional till api level 32, from api level 33 it is mandatory.
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2124 continue;
2125 }
2126 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2127 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2128 ASSERT_GT(key_blob.size(), 0U);
2129
2130 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2131 ASSERT_GT(cert_chain_.size(), 0);
2132 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2133
2134 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2135 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2136
2137 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
2138 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
2139 // attestation extension should contain them, so make sure the extra tag is added.
2140 hw_enforced.push_back(tag);
2141
2142 // Verifying the attestation record will check for the specific tag because
2143 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2144 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2145 hw_enforced, SecLevel(),
2146 cert_chain_[0].encodedCertificate));
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2147 }
2148}
2149
2150/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2151 * NewKeyGenerationTest.EcdsaAttestationUniqueId
2152 *
2153 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
2154 */
2155TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
2156 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2157 vector<uint8_t>* unique_id, bool reset = false) {
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2158 auto challenge = "hello";
2159 auto subject = "cert subj 2";
2160 vector<uint8_t> subject_der(make_name_from_str(subject));
2161 uint64_t serial_int = 0x1010;
2162 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2163 AuthorizationSetBuilder builder =
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2164 AuthorizationSetBuilder()
2165 .Authorization(TAG_NO_AUTH_REQUIRED)
2166 .Authorization(TAG_INCLUDE_UNIQUE_ID)
2167 .EcdsaSigningKey(EcCurve::P_256)
2168 .Digest(Digest::NONE)
2169 .AttestationChallenge(challenge)
2170 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2171 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2172 .AttestationApplicationId(app_id)
2173 .Authorization(TAG_CREATION_DATETIME, datetime)
2174 .SetDefaultValidity();
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2175 if (reset) {
2176 builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
2177 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2178 auto result = GenerateKey(builder);
2179 if (SecLevel() == SecurityLevel::STRONGBOX) {
2180 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2181 result = GenerateKeyWithSelfSignedAttestKey(
2182 AuthorizationSetBuilder()
2183 .EcdsaKey(EcCurve::P_256)
2184 .AttestKey()
2185 .SetDefaultValidity(), /* attest key params */
2186 builder, &key_blob_, &key_characteristics_, &cert_chain_);
2187 }
2188 }
2189 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2190 ASSERT_GT(key_blob_.size(), 0U);
2191
2192 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2193 ASSERT_GT(cert_chain_.size(), 0);
2194 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2195
2196 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
2197 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
2198
2199 // Check that the unique ID field in the extension is non-empty.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2200 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2201 hw_enforced, SecLevel(),
2202 cert_chain_[0].encodedCertificate, unique_id));
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2203 EXPECT_GT(unique_id->size(), 0);
2204 CheckedDeleteKey();
2205 };
2206
2207 // Generate unique ID
2208 auto app_id = "foo";
2209 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
2210 vector<uint8_t> unique_id;
2211 get_unique_id(app_id, cert_date, &unique_id);
2212
2213 // Generating a new key with the same parameters should give the same unique ID.
2214 vector<uint8_t> unique_id2;
2215 get_unique_id(app_id, cert_date, &unique_id2);
2216 EXPECT_EQ(unique_id, unique_id2);
2217
2218 // Generating a new key with a slightly different date should give the same unique ID.
2219 uint64_t rounded_date = cert_date / 2592000000LLU;
2220 uint64_t min_date = rounded_date * 2592000000LLU;
2221 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
2222
2223 vector<uint8_t> unique_id3;
2224 get_unique_id(app_id, min_date, &unique_id3);
2225 EXPECT_EQ(unique_id, unique_id3);
2226
2227 vector<uint8_t> unique_id4;
2228 get_unique_id(app_id, max_date, &unique_id4);
2229 EXPECT_EQ(unique_id, unique_id4);
2230
2231 // A different attestation application ID should yield a different unique ID.
2232 auto app_id2 = "different_foo";
2233 vector<uint8_t> unique_id5;
2234 get_unique_id(app_id2, cert_date, &unique_id5);
2235 EXPECT_NE(unique_id, unique_id5);
2236
2237 // A radically different date should yield a different unique ID.
2238 vector<uint8_t> unique_id6;
2239 get_unique_id(app_id, 1611621648000, &unique_id6);
2240 EXPECT_NE(unique_id, unique_id6);
2241
2242 vector<uint8_t> unique_id7;
2243 get_unique_id(app_id, max_date + 1, &unique_id7);
2244 EXPECT_NE(unique_id, unique_id7);
2245
2246 vector<uint8_t> unique_id8;
2247 get_unique_id(app_id, min_date - 1, &unique_id8);
2248 EXPECT_NE(unique_id, unique_id8);
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2249
2250 // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
2251 vector<uint8_t> unique_id9;
2252 get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
2253 EXPECT_NE(unique_id, unique_id9);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2254}
2255
2256/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2257 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
2258 *
2259 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
2260 */
2261TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
2262 auto challenge = "hello";
2263 auto attest_app_id = "foo";
2264 auto subject = "cert subj 2";
2265 vector<uint8_t> subject_der(make_name_from_str(subject));
2266 uint64_t serial_int = 0x1010;
2267 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2268
2269 // Earlier versions of the attestation extension schema included a slot:
2270 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
2271 // This should never have been included, and should never be filled in.
2272 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
2273 // to confirm that this field never makes it into the attestation extension.
2274 vector<uint8_t> key_blob;
2275 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2276 auto builder = AuthorizationSetBuilder()
2277 .Authorization(TAG_NO_AUTH_REQUIRED)
2278 .EcdsaSigningKey(EcCurve::P_256)
2279 .Digest(Digest::NONE)
2280 .AttestationChallenge(challenge)
2281 .AttestationApplicationId(attest_app_id)
2282 .Authorization(TAG_APPLICATION_ID, "client_id")
2283 .Authorization(TAG_APPLICATION_DATA, "appdata")
2284 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2285 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2286 .SetDefaultValidity();
2287
2288 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2289 // Strongbox may not support factory provisioned attestation key.
2290 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2291 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2292 result = GenerateKeyWithSelfSignedAttestKey(
2293 AuthorizationSetBuilder()
2294 .EcdsaKey(EcCurve::P_256)
2295 .AttestKey()
2296 .SetDefaultValidity(), /* attest key params */
2297 builder, &key_blob, &key_characteristics);
2298 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2299 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2300 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2301 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2302 ASSERT_GT(key_blob.size(), 0U);
2303
2304 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2305 ASSERT_GT(cert_chain_.size(), 0);
2306 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2307
2308 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2309 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2310 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
2311 hw_enforced, SecLevel(),
2312 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2313
2314 // Check that the app id is not in the cert.
2315 string app_id = "clientid";
2316 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
2317 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
2318 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
2319 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
2320 cert_chain_[0].encodedCertificate.end());
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2321}
2322
2323/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2324 * NewKeyGenerationTest.EcdsaSelfSignAttestation
2325 *
2326 * Verifies that if no challenge is provided to an Ecdsa key generation, then
2327 * the key will generate a self signed attestation.
2328 */
2329TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2330 auto subject = "cert subj 2";
2331 vector<uint8_t> subject_der(make_name_from_str(subject));
2332
2333 uint64_t serial_int = 0x123456FFF1234;
2334 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2335
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2336 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2337 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2338 vector<uint8_t> key_blob;
2339 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2340 ASSERT_EQ(ErrorCode::OK,
2341 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2342 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2343 .Digest(Digest::NONE)
2344 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2345 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2346 .SetDefaultValidity(),
2347 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2348 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2349 ASSERT_GT(key_blob.size(), 0U);
2350 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2351 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2352
2353 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2354
2355 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2356 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2357
2358 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2359 ASSERT_EQ(cert_chain_.size(), 1);
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]2360 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2361
2362 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2363 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2364 }
2365}
2366
2367/*
2368 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
2369 *
2370 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
2371 * app id must also be provided or else it will fail.
2372 */
2373TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
2374 auto challenge = "hello";
2375 vector<uint8_t> key_blob;
2376 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2377 auto builder = AuthorizationSetBuilder()
2378 .EcdsaSigningKey(EcCurve::P_256)
2379 .Digest(Digest::NONE)
2380 .AttestationChallenge(challenge)
2381 .SetDefaultValidity();
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2382
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2383 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2384 // Strongbox may not support factory provisioned attestation key.
2385 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2386 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2387 result = GenerateKeyWithSelfSignedAttestKey(
2388 AuthorizationSetBuilder()
2389 .EcdsaKey(EcCurve::P_256)
2390 .AttestKey()
2391 .SetDefaultValidity(), /* attest key params */
2392 builder, &key_blob, &key_characteristics);
2393 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2394 }
2395 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2396}
2397
2398/*
2399 * NewKeyGenerationTest.EcdsaIgnoreAppId
2400 *
2401 * Verifies that if no challenge is provided to the Ecdsa key generation, then
2402 * any appid will be ignored, and keymint will generate a self sign certificate.
2403 */
2404TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
2405 auto app_id = "foo";
2406
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2407 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2408 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2409 vector<uint8_t> key_blob;
2410 vector<KeyCharacteristics> key_characteristics;
2411 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2412 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2413 .Digest(Digest::NONE)
2414 .AttestationApplicationId(app_id)
2415 .SetDefaultValidity(),
2416 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2417 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2418
2419 ASSERT_GT(key_blob.size(), 0U);
2420 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2421 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2422
2423 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2424
2425 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2426 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2427
2428 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2429 ASSERT_EQ(cert_chain_.size(), 1);
2430
2431 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2432 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2433 }
2434}
2435
2436/*
2437 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
2438 *
2439 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
2440 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
2441 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
2442 * to specify how many following bytes will be used to encode the length.
2443 */
2444TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
2445 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2446 std::vector<uint32_t> app_id_lengths{143, 258};
2447
2448 for (uint32_t length : app_id_lengths) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2449 SCOPED_TRACE(testing::Message() << "app_id_len=" << length);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2450 const string app_id(length, 'a');
2451 vector<uint8_t> key_blob;
2452 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2453 auto builder = AuthorizationSetBuilder()
2454 .Authorization(TAG_NO_AUTH_REQUIRED)
2455 .EcdsaSigningKey(EcCurve::P_256)
2456 .Digest(Digest::NONE)
2457 .AttestationChallenge(challenge)
2458 .AttestationApplicationId(app_id)
2459 .SetDefaultValidity();
2460
2461 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2462 // Strongbox may not support factory provisioned attestation key.
2463 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2464 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2465 result = GenerateKeyWithSelfSignedAttestKey(
2466 AuthorizationSetBuilder()
2467 .EcdsaKey(EcCurve::P_256)
2468 .AttestKey()
2469 .SetDefaultValidity(), /* attest key params */
2470 builder, &key_blob, &key_characteristics);
2471 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2472 }
2473 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2474 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2475 ASSERT_GT(key_blob.size(), 0U);
2476 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2477 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2478
2479 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2480
2481 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2482 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2483
2484 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2485 ASSERT_GT(cert_chain_.size(), 0);
2486
2487 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2488 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2489 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2490 sw_enforced, hw_enforced, SecLevel(),
2491 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2492 }
2493}
2494
2495/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2496 * NewKeyGenerationTest.LimitedUsageEcdsa
2497 *
2498 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
2499 * resulting keys have correct characteristics.
2500 */
2501TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2502 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2503 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2504 vector<uint8_t> key_blob;
2505 vector<KeyCharacteristics> key_characteristics;
2506 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2507 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2508 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2509 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
2510 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2511 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2512 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2513
2514 ASSERT_GT(key_blob.size(), 0U);
2515 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2516 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2517
2518 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2519
2520 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2521 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2522
2523 // Check the usage count limit tag appears in the authorizations.
2524 AuthorizationSet auths;
2525 for (auto& entry : key_characteristics) {
2526 auths.push_back(AuthorizationSet(entry.authorizations));
2527 }
2528 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2529 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2530 }
2531}
2532
2533/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2534 * NewKeyGenerationTest.EcdsaDefaultSize
2535 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2536 * Verifies that failing to specify a curve for EC key generation returns
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2537 * UNSUPPORTED_KEY_SIZE or UNSUPPORTED_EC_CURVE.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2538 */
2539TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2540 auto result = GenerateKey(AuthorizationSetBuilder()
2541 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2542 .SigningKey()
2543 .Digest(Digest::NONE)
2544 .SetDefaultValidity());
2545 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2546 result == ErrorCode::UNSUPPORTED_EC_CURVE)
2547 << "unexpected result " << result;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2548}
2549
2550/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2551 * NewKeyGenerationTest.EcdsaInvalidCurve
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2552 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2553 * Verifies that specifying an invalid curve for EC key generation returns
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2554 * UNSUPPORTED_KEY_SIZE or UNSUPPORTED_EC_CURVE.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2555 */
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2556TEST_P(NewKeyGenerationTest, EcdsaInvalidCurve) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2557 for (auto curve : InvalidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2558 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2559 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2560 vector<KeyCharacteristics> key_characteristics;
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2561 auto result = GenerateKey(AuthorizationSetBuilder()
2562 .EcdsaSigningKey(curve)
2563 .Digest(Digest::NONE)
2564 .SetDefaultValidity(),
2565 &key_blob, &key_characteristics);
2566 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2567 result == ErrorCode::UNSUPPORTED_EC_CURVE)
2568 << "unexpected result " << result;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2569 }
2570
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2571 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2572 GenerateKey(AuthorizationSetBuilder()
2573 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2574 .Authorization(TAG_KEY_SIZE, 190)
2575 .SigningKey()
2576 .Digest(Digest::NONE)
2577 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2578}
2579
2580/*
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2581 * NewKeyGenerationTest.EcdsaMissingCurve
2582 *
2583 * Verifies that EC key generation fails if EC_CURVE not specified after KeyMint V2.
2584 */
2585TEST_P(NewKeyGenerationTest, EcdsaMissingCurve) {
2586 if (AidlVersion() < 2) {
2587 /*
2588 * The KeyMint V1 spec required that EC_CURVE be specified for EC keys.
2589 * However, this was not checked at the time so we can only be strict about checking this
2590 * for implementations of KeyMint version 2 and above.
2591 */
2592 GTEST_SKIP() << "Requiring EC_CURVE only strict since KeyMint v2";
2593 }
2594 /* If EC_CURVE not provided, generateKey
2595 * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE.
2596 */
2597 auto result = GenerateKey(
2598 AuthorizationSetBuilder().EcdsaKey(256).Digest(Digest::NONE).SetDefaultValidity());
2599 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2600 result == ErrorCode::UNSUPPORTED_EC_CURVE);
2601}
2602
2603/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2604 * NewKeyGenerationTest.EcdsaMismatchKeySize
2605 *
2606 * Verifies that specifying mismatched key size and curve for EC key generation returns
2607 * INVALID_ARGUMENT.
2608 */
2609TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2610 if (SecLevel() == SecurityLevel::STRONGBOX) {
2611 GTEST_SKIP() << "Test not applicable to StrongBox device";
2612 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2613
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2614 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2615 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2616 .Authorization(TAG_KEY_SIZE, 224)
2617 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2618 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2619 .Digest(Digest::NONE)
2620 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2621 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2622}
2623
2624/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2625 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2626 *
2627 * Verifies that keymint does not support any curve designated as unsupported.
2628 */
2629TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2630 Digest digest;
2631 if (SecLevel() == SecurityLevel::STRONGBOX) {
2632 digest = Digest::SHA_2_256;
2633 } else {
2634 digest = Digest::SHA_2_512;
2635 }
2636 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2637 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2638 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2639 .EcdsaSigningKey(curve)
2640 .Digest(digest)
2641 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2642 << "Failed to generate key on curve: " << curve;
2643 CheckedDeleteKey();
2644 }
2645}
2646
2647/*
2648 * NewKeyGenerationTest.Hmac
2649 *
2650 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2651 * characteristics.
2652 */
2653TEST_P(NewKeyGenerationTest, Hmac) {
2654 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2655 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2656 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2657 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2658 constexpr size_t key_size = 128;
2659 ASSERT_EQ(ErrorCode::OK,
2660 GenerateKey(
2661 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2662 TAG_MIN_MAC_LENGTH, 128),
2663 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2664 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2665
2666 ASSERT_GT(key_blob.size(), 0U);
2667 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2668 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2669
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2670 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2671 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2672 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2673 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2674 }
2675}
2676
2677/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2678 * NewKeyGenerationTest.HmacNoAttestation
2679 *
2680 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2681 * and app id are provided.
2682 */
2683TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2684 auto challenge = "hello";
2685 auto app_id = "foo";
2686
2687 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2688 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2689 vector<uint8_t> key_blob;
2690 vector<KeyCharacteristics> key_characteristics;
2691 constexpr size_t key_size = 128;
2692 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2693 .HmacKey(key_size)
2694 .Digest(digest)
2695 .AttestationChallenge(challenge)
2696 .AttestationApplicationId(app_id)
2697 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2698 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2699 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2700
2701 ASSERT_GT(key_blob.size(), 0U);
2702 ASSERT_EQ(cert_chain_.size(), 0);
2703 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2704 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2705
2706 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2707 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2708 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2709 << "Key size " << key_size << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2710 }
2711}
2712
2713/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2714 * NewKeyGenerationTest.LimitedUsageHmac
2715 *
2716 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2717 * resulting keys have correct characteristics.
2718 */
2719TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2720 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2721 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2722 vector<uint8_t> key_blob;
2723 vector<KeyCharacteristics> key_characteristics;
2724 constexpr size_t key_size = 128;
2725 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2726 .HmacKey(key_size)
2727 .Digest(digest)
2728 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2729 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2730 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2731 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2732
2733 ASSERT_GT(key_blob.size(), 0U);
2734 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2735 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2736
2737 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2738 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2739 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2740 << "Key size " << key_size << "missing";
2741
2742 // Check the usage count limit tag appears in the authorizations.
2743 AuthorizationSet auths;
2744 for (auto& entry : key_characteristics) {
2745 auths.push_back(AuthorizationSet(entry.authorizations));
2746 }
2747 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2748 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2749 }
2750}
2751
2752/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2753 * NewKeyGenerationTest.HmacCheckKeySizes
2754 *
2755 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2756 */
2757TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2758 for (size_t key_size = 0; key_size <= 512; ++key_size) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2759 SCOPED_TRACE(testing::Message() << "HMAC-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2760 if (key_size < 64 || key_size % 8 != 0) {
2761 // To keep this test from being very slow, we only test a random fraction of
2762 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2763 // them, we expect to run ~40 of them in each run.
2764 if (key_size % 8 == 0 || random() % 10 == 0) {
2765 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2766 GenerateKey(AuthorizationSetBuilder()
2767 .HmacKey(key_size)
2768 .Digest(Digest::SHA_2_256)
2769 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2770 << "HMAC key size " << key_size << " invalid";
2771 }
2772 } else {
2773 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2774 .HmacKey(key_size)
2775 .Digest(Digest::SHA_2_256)
2776 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2777 << "Failed to generate HMAC key of size " << key_size;
2778 CheckedDeleteKey();
2779 }
2780 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2781 if (SecLevel() == SecurityLevel::STRONGBOX) {
2782 // STRONGBOX devices must not support keys larger than 512 bits.
2783 size_t key_size = 520;
2784 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2785 GenerateKey(AuthorizationSetBuilder()
2786 .HmacKey(key_size)
2787 .Digest(Digest::SHA_2_256)
2788 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2789 << "HMAC key size " << key_size << " unexpectedly valid";
2790 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2791}
2792
2793/*
2794 * NewKeyGenerationTest.HmacCheckMinMacLengths
2795 *
2796 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2797 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2798 * specific MAC length that failed, so reproducing a failed run will be easy.
2799 */
2800TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2801 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2802 SCOPED_TRACE(testing::Message() << "MIN_MAC_LENGTH=" << min_mac_length);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2803 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2804 // To keep this test from being very long, we only test a random fraction of
2805 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2806 // we expect to run ~17 of them in each run.
2807 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2808 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2809 GenerateKey(AuthorizationSetBuilder()
2810 .HmacKey(128)
2811 .Digest(Digest::SHA_2_256)
2812 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2813 << "HMAC min mac length " << min_mac_length << " invalid.";
2814 }
2815 } else {
2816 EXPECT_EQ(ErrorCode::OK,
2817 GenerateKey(AuthorizationSetBuilder()
2818 .HmacKey(128)
2819 .Digest(Digest::SHA_2_256)
2820 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2821 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2822 CheckedDeleteKey();
2823 }
2824 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2825
2826 // Minimum MAC length must be no more than 512 bits.
2827 size_t min_mac_length = 520;
2828 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2829 GenerateKey(AuthorizationSetBuilder()
2830 .HmacKey(128)
2831 .Digest(Digest::SHA_2_256)
2832 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2833 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2834}
2835
2836/*
2837 * NewKeyGenerationTest.HmacMultipleDigests
2838 *
2839 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2840 */
2841TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2842 if (SecLevel() == SecurityLevel::STRONGBOX) {
2843 GTEST_SKIP() << "Test not applicable to StrongBox device";
2844 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2845
2846 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2847 GenerateKey(AuthorizationSetBuilder()
2848 .HmacKey(128)
2849 .Digest(Digest::SHA1)
2850 .Digest(Digest::SHA_2_256)
2851 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2852}
2853
2854/*
2855 * NewKeyGenerationTest.HmacDigestNone
2856 *
2857 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2858 */
2859TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2860 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2861 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2862 128)));
2863
2864 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2865 GenerateKey(AuthorizationSetBuilder()
2866 .HmacKey(128)
2867 .Digest(Digest::NONE)
2868 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2869}
2870
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2871/*
2872 * NewKeyGenerationTest.AesNoAttestation
2873 *
2874 * Verifies that attestation parameters to AES keys are ignored and generateKey
2875 * will succeed.
2876 */
2877TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2878 auto challenge = "hello";
2879 auto app_id = "foo";
2880
2881 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2882 .Authorization(TAG_NO_AUTH_REQUIRED)
2883 .AesEncryptionKey(128)
2884 .EcbMode()
2885 .Padding(PaddingMode::PKCS7)
2886 .AttestationChallenge(challenge)
2887 .AttestationApplicationId(app_id)));
2888
2889 ASSERT_EQ(cert_chain_.size(), 0);
2890}
2891
2892/*
2893 * NewKeyGenerationTest.TripleDesNoAttestation
2894 *
2895 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2896 * will be successful. No attestation should be generated.
2897 */
2898TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2899 auto challenge = "hello";
2900 auto app_id = "foo";
2901
2902 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2903 .TripleDesEncryptionKey(168)
2904 .BlockMode(BlockMode::ECB)
2905 .Authorization(TAG_NO_AUTH_REQUIRED)
2906 .Padding(PaddingMode::NONE)
2907 .AttestationChallenge(challenge)
2908 .AttestationApplicationId(app_id)));
2909 ASSERT_EQ(cert_chain_.size(), 0);
2910}
2911
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2912INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2913
2914typedef KeyMintAidlTestBase SigningOperationsTest;
2915
2916/*
2917 * SigningOperationsTest.RsaSuccess
2918 *
2919 * Verifies that raw RSA signature operations succeed.
2920 */
2921TEST_P(SigningOperationsTest, RsaSuccess) {
2922 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2923 .RsaSigningKey(2048, 65537)
2924 .Digest(Digest::NONE)
2925 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2926 .Authorization(TAG_NO_AUTH_REQUIRED)
2927 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2928 string message = "12345678901234567890123456789012";
2929 string signature = SignMessage(
2930 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2931 LocalVerifyMessage(message, signature,
2932 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2933}
2934
2935/*
2936 * SigningOperationsTest.RsaAllPaddingsAndDigests
2937 *
2938 * Verifies RSA signature/verification for all padding modes and digests.
2939 */
2940TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2941 auto authorizations = AuthorizationSetBuilder()
2942 .Authorization(TAG_NO_AUTH_REQUIRED)
2943 .RsaSigningKey(2048, 65537)
2944 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2945 .Padding(PaddingMode::NONE)
2946 .Padding(PaddingMode::RSA_PSS)
2947 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2948 .SetDefaultValidity();
2949
2950 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2951
2952 string message(128, 'a');
2953 string corrupt_message(message);
2954 ++corrupt_message[corrupt_message.size() / 2];
2955
2956 for (auto padding :
2957 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2958 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2959 SCOPED_TRACE(testing::Message() << "RSA padding=" << padding << " digest=" << digest);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2960 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2961 // Digesting only makes sense with padding.
2962 continue;
2963 }
2964
2965 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2966 // PSS requires digesting.
2967 continue;
2968 }
2969
2970 string signature =
2971 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2972 LocalVerifyMessage(message, signature,
2973 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2974 }
2975 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2976}
2977
2978/*
2979 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2980 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2981 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2982 */
2983TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2984 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2985 .Authorization(TAG_NO_AUTH_REQUIRED)
2986 .RsaSigningKey(2048, 65537)
2987 .Digest(Digest::NONE)
2988 .Padding(PaddingMode::NONE)
2989 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2990 .Authorization(TAG_APPLICATION_DATA, "appdata")
2991 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2992
2993 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2994
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2995 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2996 Begin(KeyPurpose::SIGN,
2997 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2998 AbortIfNeeded();
2999 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3000 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3001 .Digest(Digest::NONE)
3002 .Padding(PaddingMode::NONE)
3003 .Authorization(TAG_APPLICATION_ID, "clientid")));
3004 AbortIfNeeded();
3005 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3006 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3007 .Digest(Digest::NONE)
3008 .Padding(PaddingMode::NONE)
3009 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3010 AbortIfNeeded();
3011 EXPECT_EQ(ErrorCode::OK,
3012 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3013 .Digest(Digest::NONE)
3014 .Padding(PaddingMode::NONE)
3015 .Authorization(TAG_APPLICATION_DATA, "appdata")
3016 .Authorization(TAG_APPLICATION_ID, "clientid")));
3017 AbortIfNeeded();
3018}
3019
3020/*
3021 * SigningOperationsTest.RsaPssSha256Success
3022 *
3023 * Verifies that RSA-PSS signature operations succeed.
3024 */
3025TEST_P(SigningOperationsTest, RsaPssSha256Success) {
3026 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3027 .RsaSigningKey(2048, 65537)
3028 .Digest(Digest::SHA_2_256)
3029 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3030 .Authorization(TAG_NO_AUTH_REQUIRED)
3031 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3032 // Use large message, which won't work without digesting.
3033 string message(1024, 'a');
3034 string signature = SignMessage(
3035 message,
3036 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
3037}
3038
3039/*
3040 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
3041 *
3042 * Verifies that keymint rejects signature operations that specify a padding mode when the key
3043 * supports only unpadded operations.
3044 */
3045TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
3046 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3047 .RsaSigningKey(2048, 65537)
3048 .Digest(Digest::NONE)
3049 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3050 .Padding(PaddingMode::NONE)
3051 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3052 string message = "12345678901234567890123456789012";
3053 string signature;
3054
3055 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
3056 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3057 .Digest(Digest::NONE)
3058 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3059}
3060
3061/*
3062 * SigningOperationsTest.NoUserConfirmation
3063 *
3064 * Verifies that keymint rejects signing operations for keys with
3065 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
3066 * presented.
3067 */
3068TEST_P(SigningOperationsTest, NoUserConfirmation) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3069 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
Subrahmanyamance2bebd2023-04-28 23:37:02 +0000[diff] [blame]3070 .RsaSigningKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3071 .Digest(Digest::NONE)
3072 .Padding(PaddingMode::NONE)
3073 .Authorization(TAG_NO_AUTH_REQUIRED)
3074 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
3075 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3076
3077 const string message = "12345678901234567890123456789012";
3078 EXPECT_EQ(ErrorCode::OK,
3079 Begin(KeyPurpose::SIGN,
3080 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3081 string signature;
3082 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
3083}
3084
3085/*
3086 * SigningOperationsTest.RsaPkcs1Sha256Success
3087 *
3088 * Verifies that digested RSA-PKCS1 signature operations succeed.
3089 */
3090TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
3091 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3092 .RsaSigningKey(2048, 65537)
3093 .Digest(Digest::SHA_2_256)
3094 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3095 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3096 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3097 string message(1024, 'a');
3098 string signature = SignMessage(message, AuthorizationSetBuilder()
3099 .Digest(Digest::SHA_2_256)
3100 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3101}
3102
3103/*
3104 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
3105 *
3106 * Verifies that undigested RSA-PKCS1 signature operations succeed.
3107 */
3108TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
3109 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3110 .RsaSigningKey(2048, 65537)
3111 .Digest(Digest::NONE)
3112 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3113 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3114 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3115 string message(53, 'a');
3116 string signature = SignMessage(message, AuthorizationSetBuilder()
3117 .Digest(Digest::NONE)
3118 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3119}
3120
3121/*
3122 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
3123 *
3124 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
3125 * given a too-long message.
3126 */
3127TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
3128 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3129 .RsaSigningKey(2048, 65537)
3130 .Digest(Digest::NONE)
3131 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3132 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3133 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3134 string message(257, 'a');
3135
3136 EXPECT_EQ(ErrorCode::OK,
3137 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3138 .Digest(Digest::NONE)
3139 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3140 string signature;
3141 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
3142}
3143
3144/*
3145 * SigningOperationsTest.RsaPssSha512TooSmallKey
3146 *
3147 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
3148 * used with a key that is too small for the message.
3149 *
3150 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
3151 * keymint specification requires that salt_size == digest_size, so the message will be
3152 * digest_size * 2 +
3153 * 16. Such a message can only be signed by a given key if the key is at least that size. This
3154 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
3155 * for a 1024-bit key.
3156 */
3157TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]3158 if (SecLevel() == SecurityLevel::STRONGBOX) {
3159 GTEST_SKIP() << "Test not applicable to StrongBox device";
3160 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3161 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3162 .RsaSigningKey(1024, 65537)
3163 .Digest(Digest::SHA_2_512)
3164 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3165 .Padding(PaddingMode::RSA_PSS)
3166 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3167 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3168 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3169 .Digest(Digest::SHA_2_512)
3170 .Padding(PaddingMode::RSA_PSS)));
3171}
3172
3173/*
3174 * SigningOperationsTest.RsaNoPaddingTooLong
3175 *
3176 * Verifies that raw RSA signature operations fail with the correct error code when
3177 * given a too-long message.
3178 */
3179TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
3180 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3181 .RsaSigningKey(2048, 65537)
3182 .Digest(Digest::NONE)
3183 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3184 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3185 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3186 // One byte too long
3187 string message(2048 / 8 + 1, 'a');
3188 ASSERT_EQ(ErrorCode::OK,
3189 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3190 .Digest(Digest::NONE)
3191 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3192 string result;
3193 ErrorCode finish_error_code = Finish(message, &result);
3194 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3195 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3196
3197 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
3198 message = string(128 * 1024, 'a');
3199 ASSERT_EQ(ErrorCode::OK,
3200 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3201 .Digest(Digest::NONE)
3202 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3203 finish_error_code = Finish(message, &result);
3204 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3205 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3206}
3207
3208/*
3209 * SigningOperationsTest.RsaAbort
3210 *
3211 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
3212 * test, but the behavior should be algorithm and purpose-independent.
3213 */
3214TEST_P(SigningOperationsTest, RsaAbort) {
3215 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3216 .RsaSigningKey(2048, 65537)
3217 .Digest(Digest::NONE)
3218 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3219 .Padding(PaddingMode::NONE)
3220 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3221
3222 ASSERT_EQ(ErrorCode::OK,
3223 Begin(KeyPurpose::SIGN,
3224 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3225 EXPECT_EQ(ErrorCode::OK, Abort());
3226
3227 // Another abort should fail
3228 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
3229
3230 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]3231 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3232}
3233
3234/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3235 * SigningOperationsTest.RsaNonUniqueParams
3236 *
3237 * Verifies that an operation with multiple padding modes is rejected.
3238 */
3239TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
3240 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3241 .RsaSigningKey(2048, 65537)
3242 .Digest(Digest::NONE)
3243 .Digest(Digest::SHA1)
3244 .Authorization(TAG_NO_AUTH_REQUIRED)
3245 .Padding(PaddingMode::NONE)
3246 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3247 .SetDefaultValidity()));
3248
3249 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3250 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3251 .Digest(Digest::NONE)
3252 .Padding(PaddingMode::NONE)
3253 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3254
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]3255 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3256 .Digest(Digest::NONE)
3257 .Digest(Digest::SHA1)
3258 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3259 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3260
3261 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3262 Begin(KeyPurpose::SIGN,
3263 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3264}
3265
3266/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3267 * SigningOperationsTest.RsaUnsupportedPadding
3268 *
3269 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
3270 * with a padding mode inappropriate for RSA.
3271 */
3272TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
3273 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3274 .RsaSigningKey(2048, 65537)
3275 .Authorization(TAG_NO_AUTH_REQUIRED)
3276 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3277 .Padding(PaddingMode::PKCS7)
3278 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3279 ASSERT_EQ(
3280 ErrorCode::UNSUPPORTED_PADDING_MODE,
3281 Begin(KeyPurpose::SIGN,
3282 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3283 CheckedDeleteKey();
3284
3285 ASSERT_EQ(ErrorCode::OK,
3286 GenerateKey(
3287 AuthorizationSetBuilder()
3288 .RsaSigningKey(2048, 65537)
3289 .Authorization(TAG_NO_AUTH_REQUIRED)
3290 .Digest(Digest::SHA_2_256 /* supported digest */)
3291 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
3292 .SetDefaultValidity()));
3293 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3294 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3295 .Digest(Digest::SHA_2_256)
3296 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3297}
3298
3299/*
3300 * SigningOperationsTest.RsaPssNoDigest
3301 *
3302 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
3303 */
3304TEST_P(SigningOperationsTest, RsaNoDigest) {
3305 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3306 .RsaSigningKey(2048, 65537)
3307 .Authorization(TAG_NO_AUTH_REQUIRED)
3308 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3309 .Padding(PaddingMode::RSA_PSS)
3310 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3311 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3312 Begin(KeyPurpose::SIGN,
3313 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
3314
3315 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3316 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
3317}
3318
3319/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3320 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3321 *
3322 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
3323 * supported in some cases (as validated in other tests), but a mode must be specified.
3324 */
3325TEST_P(SigningOperationsTest, RsaNoPadding) {
3326 // Padding must be specified
3327 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3328 .RsaKey(2048, 65537)
3329 .Authorization(TAG_NO_AUTH_REQUIRED)
3330 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3331 .Digest(Digest::NONE)
3332 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3333 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3334 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3335}
3336
3337/*
3338 * SigningOperationsTest.RsaShortMessage
3339 *
3340 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
3341 */
3342TEST_P(SigningOperationsTest, RsaTooShortMessage) {
3343 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3344 .Authorization(TAG_NO_AUTH_REQUIRED)
3345 .RsaSigningKey(2048, 65537)
3346 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3347 .Padding(PaddingMode::NONE)
3348 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3349
3350 // Barely shorter
3351 string message(2048 / 8 - 1, 'a');
3352 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3353
3354 // Much shorter
3355 message = "a";
3356 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3357}
3358
3359/*
3360 * SigningOperationsTest.RsaSignWithEncryptionKey
3361 *
3362 * Verifies that RSA encryption keys cannot be used to sign.
3363 */
3364TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
3365 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3366 .Authorization(TAG_NO_AUTH_REQUIRED)
3367 .RsaEncryptionKey(2048, 65537)
3368 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3369 .Padding(PaddingMode::NONE)
3370 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3371 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3372 Begin(KeyPurpose::SIGN,
3373 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3374}
3375
3376/*
3377 * SigningOperationsTest.RsaSignTooLargeMessage
3378 *
3379 * Verifies that attempting a raw signature of a message which is the same length as the key,
3380 * but numerically larger than the public modulus, fails with the correct error.
3381 */
3382TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
3383 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3384 .Authorization(TAG_NO_AUTH_REQUIRED)
3385 .RsaSigningKey(2048, 65537)
3386 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3387 .Padding(PaddingMode::NONE)
3388 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3389
3390 // Largest possible message will always be larger than the public modulus.
3391 string message(2048 / 8, static_cast<char>(0xff));
3392 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3393 .Authorization(TAG_NO_AUTH_REQUIRED)
3394 .Digest(Digest::NONE)
3395 .Padding(PaddingMode::NONE)));
3396 string signature;
3397 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
3398}
3399
3400/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3401 * SigningOperationsTest.EcdsaAllDigestsAndCurves
3402 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3403 * Verifies ECDSA signature/verification for all digests and required curves.
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3404 */
3405TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3406 string message = "1234567890";
3407 string corrupt_message = "2234567890";
3408 for (auto curve : ValidCurves()) {
3409 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3410 // Ed25519 only allows Digest::NONE.
3411 auto digests = (curve == EcCurve::CURVE_25519)
3412 ? std::vector<Digest>(1, Digest::NONE)
3413 : ValidDigests(true /* withNone */, false /* withMD5 */);
3414
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3415 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3416 .Authorization(TAG_NO_AUTH_REQUIRED)
3417 .EcdsaSigningKey(curve)
3418 .Digest(digests)
3419 .SetDefaultValidity());
3420 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
3421 if (error != ErrorCode::OK) {
3422 continue;
3423 }
3424
3425 for (auto digest : digests) {
3426 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
3427 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
3428 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
3429 }
3430
3431 auto rc = DeleteKey();
3432 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
3433 }
3434}
3435
3436/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3437 * SigningOperationsTest.EcdsaAllCurves
3438 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3439 * Verifies that ECDSA operations succeed with all required curves.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3440 */
3441TEST_P(SigningOperationsTest, EcdsaAllCurves) {
3442 for (auto curve : ValidCurves()) {
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3443 Digest digest = (curve == EcCurve::CURVE_25519 ? Digest::NONE : Digest::SHA_2_256);
3444 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3445 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3446 .Authorization(TAG_NO_AUTH_REQUIRED)
3447 .EcdsaSigningKey(curve)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3448 .Digest(digest)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3449 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3450 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3451 if (error != ErrorCode::OK) continue;
3452
3453 string message(1024, 'a');
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3454 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3455 CheckedDeleteKey();
3456 }
3457}
3458
3459/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3460 * SigningOperationsTest.EcdsaCurve25519
3461 *
3462 * Verifies that ECDSA operations succeed with curve25519.
3463 */
3464TEST_P(SigningOperationsTest, EcdsaCurve25519) {
3465 if (!Curve25519Supported()) {
3466 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3467 }
3468
3469 EcCurve curve = EcCurve::CURVE_25519;
3470 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3471 .Authorization(TAG_NO_AUTH_REQUIRED)
3472 .EcdsaSigningKey(curve)
3473 .Digest(Digest::NONE)
3474 .SetDefaultValidity());
3475 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3476
3477 string message(1024, 'a');
3478 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3479 CheckedDeleteKey();
3480}
3481
3482/*
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]3483 * SigningOperationsTest.EcdsaCurve25519MaxSize
3484 *
3485 * Verifies that EDDSA operations with curve25519 under the maximum message size succeed.
3486 */
3487TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSize) {
3488 if (!Curve25519Supported()) {
3489 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3490 }
3491
3492 EcCurve curve = EcCurve::CURVE_25519;
3493 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3494 .Authorization(TAG_NO_AUTH_REQUIRED)
3495 .EcdsaSigningKey(curve)
3496 .Digest(Digest::NONE)
3497 .SetDefaultValidity());
3498 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3499
3500 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3501
3502 for (size_t msg_size : {MAX_ED25519_MSG_SIZE - 1, MAX_ED25519_MSG_SIZE}) {
3503 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3504 string message(msg_size, 'a');
3505
3506 // Attempt to sign via Begin+Finish.
3507 AuthorizationSet out_params;
3508 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3509 EXPECT_TRUE(out_params.empty());
3510 string signature;
3511 auto result = Finish(message, &signature);
3512 EXPECT_EQ(result, ErrorCode::OK);
3513 LocalVerifyMessage(message, signature, params);
3514
3515 // Attempt to sign via Begin+Update+Finish
3516 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3517 EXPECT_TRUE(out_params.empty());
3518 string output;
3519 result = Update(message, &output);
3520 EXPECT_EQ(result, ErrorCode::OK);
3521 EXPECT_EQ(output.size(), 0);
3522 string signature2;
3523 EXPECT_EQ(ErrorCode::OK, Finish({}, &signature2));
3524 LocalVerifyMessage(message, signature2, params);
3525 }
3526
3527 CheckedDeleteKey();
3528}
3529
3530/*
3531 * SigningOperationsTest.EcdsaCurve25519MaxSizeFail
3532 *
3533 * Verifies that EDDSA operations with curve25519 fail when message size is too large.
3534 */
3535TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSizeFail) {
3536 if (!Curve25519Supported()) {
3537 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3538 }
3539
3540 EcCurve curve = EcCurve::CURVE_25519;
3541 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3542 .Authorization(TAG_NO_AUTH_REQUIRED)
3543 .EcdsaSigningKey(curve)
3544 .Digest(Digest::NONE)
3545 .SetDefaultValidity());
3546 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3547
3548 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3549
3550 for (size_t msg_size : {MAX_ED25519_MSG_SIZE + 1, MAX_ED25519_MSG_SIZE * 2}) {
3551 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3552 string message(msg_size, 'a');
3553
3554 // Attempt to sign via Begin+Finish.
3555 AuthorizationSet out_params;
3556 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3557 EXPECT_TRUE(out_params.empty());
3558 string signature;
3559 auto result = Finish(message, &signature);
3560 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3561
3562 // Attempt to sign via Begin+Update (but never get to Finish)
3563 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3564 EXPECT_TRUE(out_params.empty());
3565 string output;
3566 result = Update(message, &output);
3567 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3568 }
3569
3570 CheckedDeleteKey();
3571}
3572
3573/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3574 * SigningOperationsTest.EcdsaNoDigestHugeData
3575 *
3576 * Verifies that ECDSA operations support very large messages, even without digesting. This
3577 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
3578 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
3579 * the framework.
3580 */
3581TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
3582 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3583 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3584 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3585 .Digest(Digest::NONE)
3586 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3587 string message(1 * 1024, 'a');
3588 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3589}
3590
3591/*
3592 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
3593 *
3594 * Verifies that using an EC key requires the correct app ID/data.
3595 */
3596TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
3597 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3598 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3599 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3600 .Digest(Digest::NONE)
3601 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3602 .Authorization(TAG_APPLICATION_DATA, "appdata")
3603 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3604
3605 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3606
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3607 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3608 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3609 AbortIfNeeded();
3610 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3611 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3612 .Digest(Digest::NONE)
3613 .Authorization(TAG_APPLICATION_ID, "clientid")));
3614 AbortIfNeeded();
3615 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3616 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3617 .Digest(Digest::NONE)
3618 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3619 AbortIfNeeded();
3620 EXPECT_EQ(ErrorCode::OK,
3621 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3622 .Digest(Digest::NONE)
3623 .Authorization(TAG_APPLICATION_DATA, "appdata")
3624 .Authorization(TAG_APPLICATION_ID, "clientid")));
3625 AbortIfNeeded();
3626}
3627
3628/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3629 * SigningOperationsTest.EcdsaIncompatibleDigest
3630 *
3631 * Verifies that using an EC key requires compatible digest.
3632 */
3633TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
3634 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3635 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3636 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3637 .Digest(Digest::NONE)
3638 .Digest(Digest::SHA1)
3639 .SetDefaultValidity()));
3640 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3641 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
3642 AbortIfNeeded();
3643}
3644
3645/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3646 * SigningOperationsTest.AesEcbSign
3647 *
3648 * Verifies that attempts to use AES keys to sign fail in the correct way.
3649 */
3650TEST_P(SigningOperationsTest, AesEcbSign) {
3651 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3652 .Authorization(TAG_NO_AUTH_REQUIRED)
3653 .SigningKey()
3654 .AesEncryptionKey(128)
3655 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
3656
3657 AuthorizationSet out_params;
3658 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3659 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
3660 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3661 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
3662}
3663
3664/*
3665 * SigningOperationsTest.HmacAllDigests
3666 *
3667 * Verifies that HMAC works with all digests.
3668 */
3669TEST_P(SigningOperationsTest, HmacAllDigests) {
3670 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]3671 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3672 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3673 .Authorization(TAG_NO_AUTH_REQUIRED)
3674 .HmacKey(128)
3675 .Digest(digest)
3676 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
3677 << "Failed to create HMAC key with digest " << digest;
3678 string message = "12345678901234567890123456789012";
3679 string signature = MacMessage(message, digest, 160);
3680 EXPECT_EQ(160U / 8U, signature.size())
3681 << "Failed to sign with HMAC key with digest " << digest;
3682 CheckedDeleteKey();
3683 }
3684}
3685
3686/*
3687 * SigningOperationsTest.HmacSha256TooLargeMacLength
3688 *
3689 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
3690 * digest size.
3691 */
3692TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
3693 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3694 .Authorization(TAG_NO_AUTH_REQUIRED)
3695 .HmacKey(128)
3696 .Digest(Digest::SHA_2_256)
3697 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
3698 AuthorizationSet output_params;
3699 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3700 AuthorizationSetBuilder()
3701 .Digest(Digest::SHA_2_256)
3702 .Authorization(TAG_MAC_LENGTH, 264),
3703 &output_params));
3704}
3705
3706/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3707 * SigningOperationsTest.HmacSha256InvalidMacLength
3708 *
3709 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
3710 * not a multiple of 8.
3711 */
3712TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
3713 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3714 .Authorization(TAG_NO_AUTH_REQUIRED)
3715 .HmacKey(128)
3716 .Digest(Digest::SHA_2_256)
3717 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
3718 AuthorizationSet output_params;
3719 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3720 AuthorizationSetBuilder()
3721 .Digest(Digest::SHA_2_256)
3722 .Authorization(TAG_MAC_LENGTH, 161),
3723 &output_params));
3724}
3725
3726/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3727 * SigningOperationsTest.HmacSha256TooSmallMacLength
3728 *
3729 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
3730 * specified minimum MAC length.
3731 */
3732TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3733 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3734 .Authorization(TAG_NO_AUTH_REQUIRED)
3735 .HmacKey(128)
3736 .Digest(Digest::SHA_2_256)
3737 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3738 AuthorizationSet output_params;
3739 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3740 AuthorizationSetBuilder()
3741 .Digest(Digest::SHA_2_256)
3742 .Authorization(TAG_MAC_LENGTH, 120),
3743 &output_params));
3744}
3745
3746/*
3747 * SigningOperationsTest.HmacRfc4231TestCase3
3748 *
3749 * Validates against the test vectors from RFC 4231 test case 3.
3750 */
3751TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3752 string key(20, 0xaa);
3753 string message(50, 0xdd);
3754 uint8_t sha_224_expected[] = {
3755 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3756 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3757 };
3758 uint8_t sha_256_expected[] = {
3759 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3760 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3761 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3762 };
3763 uint8_t sha_384_expected[] = {
3764 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3765 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3766 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3767 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3768 };
3769 uint8_t sha_512_expected[] = {
3770 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3771 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3772 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3773 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3774 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3775 };
3776
3777 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3778 if (SecLevel() != SecurityLevel::STRONGBOX) {
3779 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3780 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3781 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3782 }
3783}
3784
3785/*
3786 * SigningOperationsTest.HmacRfc4231TestCase5
3787 *
3788 * Validates against the test vectors from RFC 4231 test case 5.
3789 */
3790TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3791 string key(20, 0x0c);
3792 string message = "Test With Truncation";
3793
3794 uint8_t sha_224_expected[] = {
3795 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3796 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3797 };
3798 uint8_t sha_256_expected[] = {
3799 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3800 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3801 };
3802 uint8_t sha_384_expected[] = {
3803 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3804 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3805 };
3806 uint8_t sha_512_expected[] = {
3807 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3808 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3809 };
3810
3811 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3812 if (SecLevel() != SecurityLevel::STRONGBOX) {
3813 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3814 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3815 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3816 }
3817}
3818
3819INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3820
3821typedef KeyMintAidlTestBase VerificationOperationsTest;
3822
3823/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3824 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3825 *
3826 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3827 */
3828TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3829 string key_material = "HelloThisIsAKey";
3830
3831 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3832 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3833 EXPECT_EQ(ErrorCode::OK,
3834 ImportKey(AuthorizationSetBuilder()
3835 .Authorization(TAG_NO_AUTH_REQUIRED)
3836 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3837 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3838 .Digest(Digest::SHA_2_256)
3839 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3840 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3841 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3842 EXPECT_EQ(ErrorCode::OK,
3843 ImportKey(AuthorizationSetBuilder()
3844 .Authorization(TAG_NO_AUTH_REQUIRED)
3845 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3846 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3847 .Digest(Digest::SHA_2_256)
3848 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3849 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3850 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3851
3852 string message = "This is a message.";
3853 string signature = SignMessage(
3854 signing_key, message,
3855 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3856
3857 // Signing key should not work.
3858 AuthorizationSet out_params;
3859 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3860 Begin(KeyPurpose::VERIFY, signing_key,
3861 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3862
3863 // Verification key should work.
3864 VerifyMessage(verification_key, message, signature,
3865 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3866}
3867
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3868/*
3869 * VerificationOperationsTest.HmacVerificationFailsForCorruptSignature
3870 *
3871 * Verifies HMAC signature verification should fails if message or signature is corrupted.
3872 */
3873TEST_P(VerificationOperationsTest, HmacVerificationFailsForCorruptSignature) {
3874 string key_material = "HelloThisIsAKey";
3875
3876 vector<uint8_t> signing_key, verification_key;
3877 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
3878 EXPECT_EQ(ErrorCode::OK,
3879 ImportKey(AuthorizationSetBuilder()
3880 .Authorization(TAG_NO_AUTH_REQUIRED)
3881 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3882 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3883 .Digest(Digest::SHA_2_256)
3884 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3885 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3886 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3887 EXPECT_EQ(ErrorCode::OK,
3888 ImportKey(AuthorizationSetBuilder()
3889 .Authorization(TAG_NO_AUTH_REQUIRED)
3890 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3891 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3892 .Digest(Digest::SHA_2_256)
3893 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3894 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3895 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3896
3897 string message = "This is a message.";
3898 string signature = SignMessage(
3899 signing_key, message,
3900 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3901
3902 AuthorizationSet begin_out_params;
3903 ASSERT_EQ(ErrorCode::OK,
3904 Begin(KeyPurpose::VERIFY, verification_key,
3905 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3906
3907 string corruptMessage = "This is b message."; // Corrupted message
3908 string output;
3909 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corruptMessage, signature, &output));
3910
3911 ASSERT_EQ(ErrorCode::OK,
3912 Begin(KeyPurpose::VERIFY, verification_key,
3913 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3914
3915 signature[0] += 1; // Corrupt a signature
3916 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, signature, &output));
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3917}
3918
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3919INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3920
3921typedef KeyMintAidlTestBase ExportKeyTest;
3922
3923/*
3924 * ExportKeyTest.RsaUnsupportedKeyFormat
3925 *
3926 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3927 */
3928// TODO(seleneh) add ExportKey to GenerateKey
3929// check result
3930
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]3931class ImportKeyTest : public NewKeyGenerationTest {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3932 public:
3933 template <TagType tag_type, Tag tag, typename ValueT>
3934 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3935 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3936 for (auto& entry : key_characteristics_) {
3937 if (entry.securityLevel == SecLevel()) {
3938 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3939 << "Tag " << tag << " with value " << expected
3940 << " not found at security level" << entry.securityLevel;
3941 } else {
3942 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3943 << "Tag " << tag << " found at security level " << entry.securityLevel;
3944 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3945 }
3946 }
3947
3948 void CheckOrigin() {
3949 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3950 // Origin isn't a crypto param, but it always lives with them.
3951 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3952 }
3953};
3954
3955/*
3956 * ImportKeyTest.RsaSuccess
3957 *
3958 * Verifies that importing and using an RSA key pair works correctly.
3959 */
3960TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3961 uint32_t key_size;
3962 string key;
3963
3964 if (SecLevel() == SecurityLevel::STRONGBOX) {
3965 key_size = 2048;
3966 key = rsa_2048_key;
3967 } else {
3968 key_size = 1024;
3969 key = rsa_key;
3970 }
3971
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3972 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3973 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3974 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3975 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3976 .Padding(PaddingMode::RSA_PSS)
3977 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3978 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3979
3980 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3981 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3982 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3983 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3984 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3985 CheckOrigin();
3986
3987 string message(1024 / 8, 'a');
3988 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3989 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3990 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3991}
3992
3993/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3994 * ImportKeyTest.RsaSuccessWithoutParams
3995 *
3996 * Verifies that importing and using an RSA key pair without specifying parameters
3997 * works correctly.
3998 */
3999TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
4000 uint32_t key_size;
4001 string key;
4002
4003 if (SecLevel() == SecurityLevel::STRONGBOX) {
4004 key_size = 2048;
4005 key = rsa_2048_key;
4006 } else {
4007 key_size = 1024;
4008 key = rsa_key;
4009 }
4010
4011 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4012 .Authorization(TAG_NO_AUTH_REQUIRED)
4013 .SigningKey()
4014 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
4015 .Digest(Digest::SHA_2_256)
4016 .Padding(PaddingMode::RSA_PSS)
4017 .SetDefaultValidity(),
4018 KeyFormat::PKCS8, key));
4019
4020 // Key size and public exponent are determined from the imported key material.
4021 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4022 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4023
4024 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4025 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4026 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
4027 CheckOrigin();
4028
4029 string message(1024 / 8, 'a');
4030 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
4031 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4032 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4033}
4034
4035/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4036 * ImportKeyTest.RsaKeySizeMismatch
4037 *
4038 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
4039 * correct way.
4040 */
4041TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
4042 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4043 ImportKey(AuthorizationSetBuilder()
4044 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
4045 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4046 .Padding(PaddingMode::NONE)
4047 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4048 KeyFormat::PKCS8, rsa_key));
4049}
4050
4051/*
4052 * ImportKeyTest.RsaPublicExponentMismatch
4053 *
4054 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
4055 * fails in the correct way.
4056 */
4057TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
4058 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4059 ImportKey(AuthorizationSetBuilder()
4060 .RsaSigningKey(1024, 3 /* Doesn't match key */)
4061 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4062 .Padding(PaddingMode::NONE)
4063 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4064 KeyFormat::PKCS8, rsa_key));
4065}
4066
4067/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4068 * ImportKeyTest.RsaAttestMultiPurposeFail
4069 *
4070 * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
4071 */
4072TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4073 if (AidlVersion() < 2) {
4074 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4075 // with other key purposes. However, this was not checked at the time
4076 // so we can only be strict about checking this for implementations of KeyMint
4077 // version 2 and above.
4078 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4079 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4080 uint32_t key_size = 2048;
4081 string key = rsa_2048_key;
4082
4083 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4084 ImportKey(AuthorizationSetBuilder()
4085 .Authorization(TAG_NO_AUTH_REQUIRED)
4086 .RsaSigningKey(key_size, 65537)
4087 .AttestKey()
4088 .Digest(Digest::SHA_2_256)
4089 .Padding(PaddingMode::RSA_PSS)
4090 .SetDefaultValidity(),
4091 KeyFormat::PKCS8, key));
4092}
4093
4094/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4095 * ImportKeyTest.EcdsaSuccess
4096 *
4097 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
4098 */
4099TEST_P(ImportKeyTest, EcdsaSuccess) {
4100 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4101 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4102 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4103 .Digest(Digest::SHA_2_256)
4104 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4105 KeyFormat::PKCS8, ec_256_key));
4106
4107 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4108 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4109 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4110
4111 CheckOrigin();
4112
4113 string message(32, 'a');
4114 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4115 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4116 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4117}
4118
4119/*
4120 * ImportKeyTest.EcdsaP256RFC5915Success
4121 *
4122 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
4123 * correctly.
4124 */
4125TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
4126 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4127 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4128 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4129 .Digest(Digest::SHA_2_256)
4130 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4131 KeyFormat::PKCS8, ec_256_key_rfc5915));
4132
4133 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4134 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4135 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4136
4137 CheckOrigin();
4138
4139 string message(32, 'a');
4140 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4141 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4142 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4143}
4144
4145/*
4146 * ImportKeyTest.EcdsaP256SEC1Success
4147 *
4148 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
4149 */
4150TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
4151 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4152 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4153 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4154 .Digest(Digest::SHA_2_256)
4155 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4156 KeyFormat::PKCS8, ec_256_key_sec1));
4157
4158 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4159 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4160 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4161
4162 CheckOrigin();
4163
4164 string message(32, 'a');
4165 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4166 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4167 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4168}
4169
4170/*
4171 * ImportKeyTest.Ecdsa521Success
4172 *
4173 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
4174 */
4175TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4176 if (SecLevel() == SecurityLevel::STRONGBOX) {
4177 GTEST_SKIP() << "Test not applicable to StrongBox device";
4178 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4179 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4180 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4181 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4182 .Digest(Digest::SHA_2_256)
4183 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4184 KeyFormat::PKCS8, ec_521_key));
4185
4186 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4187 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4188 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
4189 CheckOrigin();
4190
4191 string message(32, 'a');
4192 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4193 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4194 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4195}
4196
4197/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4198 * ImportKeyTest.EcdsaCurveMismatch
4199 *
4200 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
4201 * the correct way.
4202 */
4203TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
4204 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4205 ImportKey(AuthorizationSetBuilder()
4206 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4207 .Digest(Digest::NONE)
4208 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4209 KeyFormat::PKCS8, ec_256_key));
4210}
4211
4212/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4213 * ImportKeyTest.EcdsaAttestMultiPurposeFail
4214 *
4215 * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
4216 */
4217TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4218 if (AidlVersion() < 2) {
4219 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4220 // with other key purposes. However, this was not checked at the time
4221 // so we can only be strict about checking this for implementations of KeyMint
4222 // version 2 and above.
4223 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4224 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4225 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4226 ImportKey(AuthorizationSetBuilder()
4227 .Authorization(TAG_NO_AUTH_REQUIRED)
4228 .EcdsaSigningKey(EcCurve::P_256)
4229 .AttestKey()
4230 .Digest(Digest::SHA_2_256)
4231 .SetDefaultValidity(),
4232 KeyFormat::PKCS8, ec_256_key));
4233}
4234
4235/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]4236 * ImportKeyTest.Ed25519RawSuccess
4237 *
4238 * Verifies that importing and using a raw Ed25519 private key works correctly.
4239 */
4240TEST_P(ImportKeyTest, Ed25519RawSuccess) {
4241 if (!Curve25519Supported()) {
4242 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4243 }
4244
4245 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4246 .Authorization(TAG_NO_AUTH_REQUIRED)
4247 .EcdsaSigningKey(EcCurve::CURVE_25519)
4248 .Digest(Digest::NONE)
4249 .SetDefaultValidity(),
4250 KeyFormat::RAW, ed25519_key));
4251 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4252 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4253 CheckOrigin();
4254
4255 // The returned cert should hold the correct public key.
4256 ASSERT_GT(cert_chain_.size(), 0);
4257 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4258 ASSERT_NE(kmKeyCert, nullptr);
4259 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4260 ASSERT_NE(kmPubKey.get(), nullptr);
4261 size_t kmPubKeySize = 32;
4262 uint8_t kmPubKeyData[32];
4263 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4264 ASSERT_EQ(kmPubKeySize, 32);
4265 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4266
4267 string message(32, 'a');
4268 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4269 string signature = SignMessage(message, params);
4270 LocalVerifyMessage(message, signature, params);
4271}
4272
4273/*
4274 * ImportKeyTest.Ed25519Pkcs8Success
4275 *
4276 * Verifies that importing and using a PKCS#8-encoded Ed25519 private key works correctly.
4277 */
4278TEST_P(ImportKeyTest, Ed25519Pkcs8Success) {
4279 if (!Curve25519Supported()) {
4280 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4281 }
4282
4283 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4284 .Authorization(TAG_NO_AUTH_REQUIRED)
4285 .EcdsaSigningKey(EcCurve::CURVE_25519)
4286 .Digest(Digest::NONE)
4287 .SetDefaultValidity(),
4288 KeyFormat::PKCS8, ed25519_pkcs8_key));
4289 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4290 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4291 CheckOrigin();
4292
4293 // The returned cert should hold the correct public key.
4294 ASSERT_GT(cert_chain_.size(), 0);
4295 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4296 ASSERT_NE(kmKeyCert, nullptr);
4297 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4298 ASSERT_NE(kmPubKey.get(), nullptr);
4299 size_t kmPubKeySize = 32;
4300 uint8_t kmPubKeyData[32];
4301 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4302 ASSERT_EQ(kmPubKeySize, 32);
4303 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4304
4305 string message(32, 'a');
4306 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4307 string signature = SignMessage(message, params);
4308 LocalVerifyMessage(message, signature, params);
4309}
4310
4311/*
4312 * ImportKeyTest.Ed25519CurveMismatch
4313 *
4314 * Verifies that importing an Ed25519 key pair with a curve that doesn't match the key fails in
4315 * the correct way.
4316 */
4317TEST_P(ImportKeyTest, Ed25519CurveMismatch) {
4318 if (!Curve25519Supported()) {
4319 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4320 }
4321
4322 ASSERT_NE(ErrorCode::OK,
4323 ImportKey(AuthorizationSetBuilder()
4324 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
4325 .Digest(Digest::NONE)
4326 .SetDefaultValidity(),
4327 KeyFormat::RAW, ed25519_key));
4328}
4329
4330/*
4331 * ImportKeyTest.Ed25519FormatMismatch
4332 *
4333 * Verifies that importing an Ed25519 key pair with an invalid format fails.
4334 */
4335TEST_P(ImportKeyTest, Ed25519FormatMismatch) {
4336 if (!Curve25519Supported()) {
4337 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4338 }
4339
4340 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4341 .EcdsaSigningKey(EcCurve::CURVE_25519)
4342 .Digest(Digest::NONE)
4343 .SetDefaultValidity(),
4344 KeyFormat::PKCS8, ed25519_key));
4345 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4346 .EcdsaSigningKey(EcCurve::CURVE_25519)
4347 .Digest(Digest::NONE)
4348 .SetDefaultValidity(),
4349 KeyFormat::RAW, ed25519_pkcs8_key));
4350}
4351
4352/*
4353 * ImportKeyTest.Ed25519PurposeMismatch
4354 *
4355 * Verifies that importing an Ed25519 key pair with an invalid purpose fails.
4356 */
4357TEST_P(ImportKeyTest, Ed25519PurposeMismatch) {
4358 if (!Curve25519Supported()) {
4359 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4360 }
4361
4362 // Can't have both SIGN and ATTEST_KEY
4363 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4364 .EcdsaSigningKey(EcCurve::CURVE_25519)
4365 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4366 .Digest(Digest::NONE)
4367 .SetDefaultValidity(),
4368 KeyFormat::RAW, ed25519_key));
4369 // AGREE_KEY is for X25519 (but can only tell the difference if the import key is in
4370 // PKCS#8 format and so includes an OID).
4371 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4372 .EcdsaKey(EcCurve::CURVE_25519)
4373 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4374 .Digest(Digest::NONE)
4375 .SetDefaultValidity(),
4376 KeyFormat::PKCS8, ed25519_pkcs8_key));
4377}
4378
4379/*
4380 * ImportKeyTest.X25519RawSuccess
4381 *
4382 * Verifies that importing and using a raw X25519 private key works correctly.
4383 */
4384TEST_P(ImportKeyTest, X25519RawSuccess) {
4385 if (!Curve25519Supported()) {
4386 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4387 }
4388
4389 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4390 .Authorization(TAG_NO_AUTH_REQUIRED)
4391 .EcdsaKey(EcCurve::CURVE_25519)
4392 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4393 .SetDefaultValidity(),
4394 KeyFormat::RAW, x25519_key));
4395
4396 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4397 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4398 CheckOrigin();
4399}
4400
4401/*
4402 * ImportKeyTest.X25519Pkcs8Success
4403 *
4404 * Verifies that importing and using a PKCS#8-encoded X25519 private key works correctly.
4405 */
4406TEST_P(ImportKeyTest, X25519Pkcs8Success) {
4407 if (!Curve25519Supported()) {
4408 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4409 }
4410
4411 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4412 .Authorization(TAG_NO_AUTH_REQUIRED)
4413 .EcdsaKey(EcCurve::CURVE_25519)
4414 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4415 .SetDefaultValidity(),
4416 KeyFormat::PKCS8, x25519_pkcs8_key));
4417
4418 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4419 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4420 CheckOrigin();
4421}
4422
4423/*
4424 * ImportKeyTest.X25519CurveMismatch
4425 *
4426 * Verifies that importing an X25519 key with a curve that doesn't match the key fails in
4427 * the correct way.
4428 */
4429TEST_P(ImportKeyTest, X25519CurveMismatch) {
4430 if (!Curve25519Supported()) {
4431 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4432 }
4433
4434 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4435 .EcdsaKey(EcCurve::P_224 /* Doesn't match key */)
4436 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4437 .SetDefaultValidity(),
4438 KeyFormat::RAW, x25519_key));
4439}
4440
4441/*
4442 * ImportKeyTest.X25519FormatMismatch
4443 *
4444 * Verifies that importing an X25519 key with an invalid format fails.
4445 */
4446TEST_P(ImportKeyTest, X25519FormatMismatch) {
4447 if (!Curve25519Supported()) {
4448 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4449 }
4450
4451 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4452 .EcdsaKey(EcCurve::CURVE_25519)
4453 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4454 .SetDefaultValidity(),
4455 KeyFormat::PKCS8, x25519_key));
4456 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4457 .EcdsaKey(EcCurve::CURVE_25519)
4458 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4459 .SetDefaultValidity(),
4460 KeyFormat::RAW, x25519_pkcs8_key));
4461}
4462
4463/*
4464 * ImportKeyTest.X25519PurposeMismatch
4465 *
4466 * Verifies that importing an X25519 key pair with an invalid format fails.
4467 */
4468TEST_P(ImportKeyTest, X25519PurposeMismatch) {
4469 if (!Curve25519Supported()) {
4470 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4471 }
4472
4473 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4474 .EcdsaKey(EcCurve::CURVE_25519)
4475 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4476 .SetDefaultValidity(),
4477 KeyFormat::PKCS8, x25519_pkcs8_key));
4478 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4479 .EcdsaSigningKey(EcCurve::CURVE_25519)
4480 .SetDefaultValidity(),
4481 KeyFormat::PKCS8, x25519_pkcs8_key));
4482}
4483
4484/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4485 * ImportKeyTest.AesSuccess
4486 *
4487 * Verifies that importing and using an AES key works.
4488 */
4489TEST_P(ImportKeyTest, AesSuccess) {
4490 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4491 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4492 .Authorization(TAG_NO_AUTH_REQUIRED)
4493 .AesEncryptionKey(key.size() * 8)
4494 .EcbMode()
4495 .Padding(PaddingMode::PKCS7),
4496 KeyFormat::RAW, key));
4497
4498 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
4499 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4500 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4501 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4502 CheckOrigin();
4503
4504 string message = "Hello World!";
4505 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4506 string ciphertext = EncryptMessage(message, params);
4507 string plaintext = DecryptMessage(ciphertext, params);
4508 EXPECT_EQ(message, plaintext);
4509}
4510
4511/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4512 * ImportKeyTest.AesFailure
4513 *
4514 * Verifies that importing an invalid AES key fails.
4515 */
4516TEST_P(ImportKeyTest, AesFailure) {
4517 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4518 uint32_t bitlen = key.size() * 8;
4519 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4520 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4521 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4522 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4523 .Authorization(TAG_NO_AUTH_REQUIRED)
4524 .AesEncryptionKey(key_size)
4525 .EcbMode()
4526 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4527 KeyFormat::RAW, key);
4528 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4529 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4530 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4531 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4532
4533 // Explicit key size matches that of the provided key, but it's not a valid size.
4534 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4535 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4536 ImportKey(AuthorizationSetBuilder()
4537 .Authorization(TAG_NO_AUTH_REQUIRED)
4538 .AesEncryptionKey(long_key.size() * 8)
4539 .EcbMode()
4540 .Padding(PaddingMode::PKCS7),
4541 KeyFormat::RAW, long_key));
4542 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4543 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4544 ImportKey(AuthorizationSetBuilder()
4545 .Authorization(TAG_NO_AUTH_REQUIRED)
4546 .AesEncryptionKey(short_key.size() * 8)
4547 .EcbMode()
4548 .Padding(PaddingMode::PKCS7),
4549 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4550}
4551
4552/*
4553 * ImportKeyTest.TripleDesSuccess
4554 *
4555 * Verifies that importing and using a 3DES key works.
4556 */
4557TEST_P(ImportKeyTest, TripleDesSuccess) {
4558 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
4559 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4560 .Authorization(TAG_NO_AUTH_REQUIRED)
4561 .TripleDesEncryptionKey(168)
4562 .EcbMode()
4563 .Padding(PaddingMode::PKCS7),
4564 KeyFormat::RAW, key));
4565
4566 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
4567 CheckCryptoParam(TAG_KEY_SIZE, 168U);
4568 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4569 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4570 CheckOrigin();
4571
4572 string message = "Hello World!";
4573 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4574 string ciphertext = EncryptMessage(message, params);
4575 string plaintext = DecryptMessage(ciphertext, params);
4576 EXPECT_EQ(message, plaintext);
4577}
4578
4579/*
4580 * ImportKeyTest.TripleDesFailure
4581 *
4582 * Verifies that importing an invalid 3DES key fails.
4583 */
4584TEST_P(ImportKeyTest, TripleDesFailure) {
4585 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4586 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4587 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4588 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4589 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4590 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4591 .Authorization(TAG_NO_AUTH_REQUIRED)
4592 .TripleDesEncryptionKey(key_size)
4593 .EcbMode()
4594 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4595 KeyFormat::RAW, key);
4596 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4597 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4598 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4599 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4600 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4601 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4602 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4603 ImportKey(AuthorizationSetBuilder()
4604 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4605 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4606 .EcbMode()
4607 .Padding(PaddingMode::PKCS7),
4608 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4609 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4610 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4611 ImportKey(AuthorizationSetBuilder()
4612 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4613 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4614 .EcbMode()
4615 .Padding(PaddingMode::PKCS7),
4616 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4617}
4618
4619/*
4620 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4621 *
4622 * Verifies that importing and using an HMAC key works.
4623 */
4624TEST_P(ImportKeyTest, HmacKeySuccess) {
4625 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4626 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4627 .Authorization(TAG_NO_AUTH_REQUIRED)
4628 .HmacKey(key.size() * 8)
4629 .Digest(Digest::SHA_2_256)
4630 .Authorization(TAG_MIN_MAC_LENGTH, 256),
4631 KeyFormat::RAW, key));
4632
4633 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
4634 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4635 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4636 CheckOrigin();
4637
4638 string message = "Hello World!";
4639 string signature = MacMessage(message, Digest::SHA_2_256, 256);
4640 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
4641}
4642
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]4643/*
4644 * ImportKeyTest.GetKeyCharacteristics
4645 *
4646 * Verifies that imported keys have the correct characteristics.
4647 */
4648TEST_P(ImportKeyTest, GetKeyCharacteristics) {
4649 vector<uint8_t> key_blob;
4650 vector<KeyCharacteristics> key_characteristics;
4651 auto base_builder = AuthorizationSetBuilder()
4652 .Padding(PaddingMode::NONE)
4653 .Authorization(TAG_NO_AUTH_REQUIRED)
4654 .SetDefaultValidity();
4655 vector<Algorithm> algorithms = {Algorithm::RSA, Algorithm::EC, Algorithm::HMAC, Algorithm::AES,
4656 Algorithm::TRIPLE_DES};
4657 ErrorCode result;
4658 string symKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98"); // 128 bits
4659 string tdesKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358"); // 192 bits
4660 for (auto alg : algorithms) {
4661 SCOPED_TRACE(testing::Message() << "Algorithm-" << alg);
4662 AuthorizationSetBuilder builder(base_builder);
4663 switch (alg) {
4664 case Algorithm::RSA:
4665 builder.RsaSigningKey(2048, 65537).Digest(Digest::NONE);
4666
4667 result = ImportKey(builder, KeyFormat::PKCS8, rsa_2048_key, &key_blob,
4668 &key_characteristics);
4669 break;
4670 case Algorithm::EC:
4671 builder.EcdsaSigningKey(EcCurve::P_256).Digest(Digest::NONE);
4672 result = ImportKey(builder, KeyFormat::PKCS8, ec_256_key, &key_blob,
4673 &key_characteristics);
4674 break;
4675 case Algorithm::HMAC:
4676 builder.HmacKey(128)
4677 .Digest(Digest::SHA_2_256)
4678 .Authorization(TAG_MIN_MAC_LENGTH, 128);
4679 result =
4680 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4681 break;
4682 case Algorithm::AES:
4683 builder.AesEncryptionKey(128).BlockMode(BlockMode::ECB);
4684 result =
4685 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4686 break;
4687 case Algorithm::TRIPLE_DES:
4688 builder.TripleDesEncryptionKey(168).BlockMode(BlockMode::ECB);
4689 result = ImportKey(builder, KeyFormat::RAW, tdesKey, &key_blob,
4690 &key_characteristics);
4691 break;
4692 default:
4693 ADD_FAILURE() << "Invalid Algorithm " << uint32_t(alg);
4694 continue;
4695 }
4696 ASSERT_EQ(ErrorCode::OK, result);
4697 CheckCharacteristics(key_blob, key_characteristics);
4698 CheckCommonParams(key_characteristics, KeyOrigin::IMPORTED);
4699 }
4700}
4701
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4702/*
4703 * ImportKeyTest.RsaOaepMGFDigestSuccess
4704 *
4705 * Include MGF-Digest explicitly in import key authorization list.
4706 * Test should import RSA key with OAEP padding and mgf-digests and verify that imported key
4707 * should have the correct characteristics.
4708 */
4709TEST_P(ImportKeyTest, RsaOaepMGFDigestSuccess) {
4710 auto mgf_digests = ValidDigests(false /* withNone */, true /* withMD5 */);
4711 size_t key_size = 2048;
4712
4713 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4714 .OaepMGFDigest(mgf_digests)
4715 .Authorization(TAG_NO_AUTH_REQUIRED)
4716 .RsaEncryptionKey(key_size, 65537)
4717 .Digest(Digest::SHA_2_256)
4718 .Padding(PaddingMode::RSA_OAEP)
4719 .SetDefaultValidity(),
4720 KeyFormat::PKCS8, rsa_2048_key));
4721
4722 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4723 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4724 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4725 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4726 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_OAEP);
4727 CheckOrigin();
4728
4729 // Make sure explicitly specified mgf-digests exist in key characteristics.
4730 assert_mgf_digests_present_in_key_characteristics(key_characteristics_, mgf_digests);
4731
4732 string message = "Hello";
4733
4734 for (auto digest : mgf_digests) {
4735 SCOPED_TRACE(testing::Message() << "digest-" << digest);
4736 auto params = AuthorizationSetBuilder()
4737 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
4738 .Digest(Digest::SHA_2_256)
4739 .Padding(PaddingMode::RSA_OAEP);
4740 string ciphertext1 = LocalRsaEncryptMessage(message, params);
4741 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4742 EXPECT_EQ(key_size / 8, ciphertext1.size());
4743
4744 string ciphertext2 = LocalRsaEncryptMessage(message, params);
4745 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4746 EXPECT_EQ(key_size / 8, ciphertext2.size());
4747
4748 // OAEP randomizes padding so every result should be different (with astronomically high
4749 // probability).
4750 EXPECT_NE(ciphertext1, ciphertext2);
4751
4752 string plaintext1 = DecryptMessage(ciphertext1, params);
4753 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
4754 string plaintext2 = DecryptMessage(ciphertext2, params);
4755 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
4756
4757 // Decrypting corrupted ciphertext should fail.
4758 size_t offset_to_corrupt = ciphertext1.size() - 1;
4759 char corrupt_byte = ~ciphertext1[offset_to_corrupt];
4760 ciphertext1[offset_to_corrupt] = corrupt_byte;
4761
4762 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4763 string result;
4764 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
4765 EXPECT_EQ(0U, result.size());
4766 }
4767}
4768
4769/*
4770 * ImportKeyTest.RsaOaepMGFDigestDefaultSuccess
4771 *
4772 * Don't specify MGF-Digest explicitly in import key authorization list.
4773 * Test should import RSA key with OAEP padding and default mgf-digest (SHA1) and
4774 * verify that imported key should have the correct characteristics. Default
4775 * mgf-digest shouldn't be included in key charecteristics.
4776 */
4777TEST_P(ImportKeyTest, RsaOaepMGFDigestDefaultSuccess) {
4778 size_t key_size = 2048;
4779 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4780 .Authorization(TAG_NO_AUTH_REQUIRED)
4781 .RsaEncryptionKey(key_size, 65537)
4782 .Digest(Digest::SHA_2_256)
4783 .Padding(PaddingMode::RSA_OAEP)
4784 .SetDefaultValidity(),
4785 KeyFormat::PKCS8, rsa_2048_key));
4786
4787 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4788 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4789 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4790 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4791 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_OAEP);
4792 CheckOrigin();
4793
4794 // Make sure default mgf-digest (SHA1) is not included in Key characteristics.
4795 ASSERT_FALSE(is_mgf_digest_present(key_characteristics_, Digest::SHA1));
4796}
4797
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4798INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
4799
4800auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4801 // IKeyMintDevice.aidl
4802 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4803 "020100" // INTEGER length 1 value 0x00 (version)
4804 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4805 "934bf94e2aa28a3f83c9f79297250262"
4806 "fbe3276b5a1c91159bbfa3ef8957aac8"
4807 "4b59b30b455a79c2973480823d8b3863"
4808 "c3deef4a8e243590268d80e18751a0e1"
4809 "30f67ce6a1ace9f79b95e097474febc9"
4810 "81195b1d13a69086c0863f66a7b7fdb4"
4811 "8792227b1ac5e2489febdf087ab54864"
4812 "83033a6f001ca5d1ec1e27f5c30f4cec"
4813 "2642074a39ae68aee552e196627a8e3d"
4814 "867e67a8c01b11e75f13cca0a97ab668"
4815 "b50cda07a8ecb7cd8e3dd7009c963653"
4816 "4f6f239cffe1fc8daa466f78b676c711"
4817 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
4818 "99b801597d5220e307eaa5bee507fb94"
4819 "d1fa69f9e519b2de315bac92c36f2ea1"
4820 "fa1df4478c0ddedeae8c70e0233cd098"
4821 "040c" // OCTET STRING length 0x0c (initializationVector)
4822 "d796b02c370f1fa4cc0124f1"
4823 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4824 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4825 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4826 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4827 "3106" // SET length 0x06
4828 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4829 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4830 // } end SET
4831 // } end [1]
4832 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4833 "020120" // INTEGER length 1 value 0x20 (AES)
4834 // } end [2]
4835 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4836 "02020100" // INTEGER length 2 value 0x100
4837 // } end [3]
4838 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
4839 "3103" // SET length 0x03 {
4840 "020101" // INTEGER length 1 value 0x01 (ECB)
4841 // } end SET
4842 // } end [4]
4843 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4844 "3103" // SET length 0x03 {
4845 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4846 // } end SET
4847 // } end [5]
4848 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4849 // (noAuthRequired)
4850 "0500" // NULL
4851 // } end [503]
4852 // } end SEQUENCE (AuthorizationList)
4853 // } end SEQUENCE (KeyDescription)
4854 "0420" // OCTET STRING length 0x20 (encryptedKey)
4855 "ccd540855f833a5e1480bfd2d36faf3a"
4856 "eee15df5beabe2691bc82dde2a7aa910"
4857 "0410" // OCTET STRING length 0x10 (tag)
4858 "64c9f689c60ff6223ab6e6999e0eb6e5"
4859 // } SEQUENCE (SecureKeyWrapper)
4860);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4861
4862auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4863 // IKeyMintDevice.aidl
4864 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4865 "020100" // INTEGER length 1 value 0x00 (version)
4866 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4867 "aad93ed5924f283b4bb5526fbe7a1412"
4868 "f9d9749ec30db9062b29e574a8546f33"
4869 "c88732452f5b8e6a391ee76c39ed1712"
4870 "c61d8df6213dec1cffbc17a8c6d04c7b"
4871 "30893d8daa9b2015213e219468215532"
4872 "07f8f9931c4caba23ed3bee28b36947e"
4873 "47f10e0a5c3dc51c988a628daad3e5e1"
4874 "f4005e79c2d5a96c284b4b8d7e4948f3"
4875 "31e5b85dd5a236f85579f3ea1d1b8484"
4876 "87470bdb0ab4f81a12bee42c99fe0df4"
4877 "bee3759453e69ad1d68a809ce06b949f"
4878 "7694a990429b2fe81e066ff43e56a216"
4879 "02db70757922a4bcc23ab89f1e35da77"
4880 "586775f423e519c2ea394caf48a28d0c"
4881 "8020f1dcf6b3a68ec246f615ae96dae9"
4882 "a079b1f6eb959033c1af5c125fd94168"
4883 "040c" // OCTET STRING length 0x0c (initializationVector)
4884 "6d9721d08589581ab49204a3"
4885 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4886 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4887 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4888 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4889 "3106" // SET length 0x06
4890 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4891 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4892 // } end SET
4893 // } end [1]
4894 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4895 "020120" // INTEGER length 1 value 0x20 (AES)
4896 // } end [2]
4897 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4898 "02020100" // INTEGER length 2 value 0x100
4899 // } end [3]
4900 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
4901 "3103" // SET length 0x03 {
4902 "020101" // INTEGER length 1 value 0x01 (ECB)
4903 // } end SET
4904 // } end [4]
4905 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4906 "3103" // SET length 0x03 {
4907 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4908 // } end SET
4909 // } end [5]
4910 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4911 // (noAuthRequired)
4912 "0500" // NULL
4913 // } end [503]
4914 // } end SEQUENCE (AuthorizationList)
4915 // } end SEQUENCE (KeyDescription)
4916 "0420" // OCTET STRING length 0x20 (encryptedKey)
4917 "a61c6e247e25b3e6e69aa78eb03c2d4a"
4918 "c20d1f99a9a024a76f35c8e2cab9b68d"
4919 "0410" // OCTET STRING length 0x10 (tag)
4920 "2560c70109ae67c030f00b98b512a670"
4921 // } SEQUENCE (SecureKeyWrapper)
4922);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4923
4924auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4925 // RFC 5208 s5
4926 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
4927 "020100" // INTEGER length 1 value 0x00 (version)
4928 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
4929 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
4930 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
4931 "0500" // NULL (parameters)
4932 // } SEQUENCE (AlgorithmIdentifier)
4933 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
4934 // RFC 8017 A.1.2
4935 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
4936 "020100" // INTEGER length 1 value 0x00 (version)
4937 "02820101" // INTEGER length 0x0101 (modulus) value...
4938 "00aec367931d8900ce56b0067f7d70e1" // 0x10
4939 "fc653f3f34d194c1fed50018fb43db93" // 0x20
4940 "7b06e673a837313d56b1c725150a3fef" // 0x30
4941 "86acbddc41bb759c2854eae32d35841e" // 0x40
4942 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
4943 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
4944 "312d7bd5921ffaea1347c157406fef71" // 0x70
4945 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
4946 "f4645c11f5c1374c3886427411c44979" // 0x90
4947 "6792e0bef75dec858a2123c36753e02a" // 0xa0
4948 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
4949 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
4950 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
4951 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
4952 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
4953 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
4954 "55" // 0x101
4955 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
4956 "02820100" // INTEGER length 0x100 (privateExponent) value...
4957 "431447b6251908112b1ee76f99f3711a" // 0x10
4958 "52b6630960046c2de70de188d833f8b8" // 0x20
4959 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
4960 "641f7fe24f14c67a88959bdb27766df9" // 0x40
4961 "e710b630a03adc683b5d2c43080e52be" // 0x50
4962 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
4963 "822bccff087d63c940ba8a45f670feb2" // 0x70
4964 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
4965 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
4966 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
4967 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
4968 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
4969 "52659d5a5ba05b663737a8696281865b" // 0xd0
4970 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
4971 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
4972 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
4973 "028181" // INTEGER length 0x81 (prime1) value...
4974 "00de392e18d682c829266cc3454e1d61" // 0x10
4975 "66242f32d9a1d10577753e904ea7d08b" // 0x20
4976 "ff841be5bac82a164c5970007047b8c5" // 0x30
4977 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
4978 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
4979 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
4980 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
4981 "9e91346130748a6e3c124f9149d71c74" // 0x80
4982 "35"
4983 "028181" // INTEGER length 0x81 (prime2) value...
4984 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
4985 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
4986 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
4987 "7349db6c4a95affdae0dae612e1afac9" // 0x40
4988 "9ed39a2d934c880440aed8832f984316" // 0x50
4989 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
4990 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
4991 "b880677c068e1be936e81288815252a8" // 0x80
4992 "a1"
4993 "028180" // INTEGER length 0x80 (exponent1) value...
4994 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
4995 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
4996 "5a063212a4f105a3764743e53281988a" // 0x30
4997 "ba073f6e0027298e1c4378556e0efca0" // 0x40
4998 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
4999 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
5000 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
5001 "4719d6e2b9439823719cd08bcd031781" // 0x80
5002 "028181" // INTEGER length 0x81 (exponent2) value...
5003 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
5004 "1241acc607976c4ddccc90e65b6556ca" // 0x20
5005 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
5006 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
5007 "1254186af30b22c10582a8a43e34fe94" // 0x50
5008 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
5009 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
5010 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
5011 "61"
5012 "028181" // INTEGER length 0x81 (coefficient) value...
5013 "00c931617c77829dfb1270502be9195c" // 0x10
5014 "8f2830885f57dba869536811e6864236" // 0x20
5015 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
5016 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
5017 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
5018 "959356210723287b0affcc9f727044d4" // 0x60
5019 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
5020 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
5021 "22"
5022 // } SEQUENCE
5023 // } SEQUENCE ()
5024);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5025
5026string zero_masking_key =
5027 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
5028string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
5029
5030class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
5031
5032TEST_P(ImportWrappedKeyTest, Success) {
5033 auto wrapping_key_desc = AuthorizationSetBuilder()
5034 .RsaEncryptionKey(2048, 65537)
5035 .Digest(Digest::SHA_2_256)
5036 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5037 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5038 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5039
5040 ASSERT_EQ(ErrorCode::OK,
5041 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5042 AuthorizationSetBuilder()
5043 .Digest(Digest::SHA_2_256)
5044 .Padding(PaddingMode::RSA_OAEP)));
5045
5046 string message = "Hello World!";
5047 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5048 string ciphertext = EncryptMessage(message, params);
5049 string plaintext = DecryptMessage(ciphertext, params);
5050 EXPECT_EQ(message, plaintext);
5051}
5052
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5053/*
5054 * ImportWrappedKeyTest.SuccessSidsIgnored
5055 *
5056 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
5057 * include Tag:USER_SECURE_ID.
5058 */
5059TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
5060 auto wrapping_key_desc = AuthorizationSetBuilder()
5061 .RsaEncryptionKey(2048, 65537)
5062 .Digest(Digest::SHA_2_256)
5063 .Padding(PaddingMode::RSA_OAEP)
5064 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5065 .SetDefaultValidity();
5066
5067 int64_t password_sid = 42;
5068 int64_t biometric_sid = 24;
5069 ASSERT_EQ(ErrorCode::OK,
5070 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5071 AuthorizationSetBuilder()
5072 .Digest(Digest::SHA_2_256)
5073 .Padding(PaddingMode::RSA_OAEP),
5074 password_sid, biometric_sid));
5075
5076 string message = "Hello World!";
5077 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5078 string ciphertext = EncryptMessage(message, params);
5079 string plaintext = DecryptMessage(ciphertext, params);
5080 EXPECT_EQ(message, plaintext);
5081}
5082
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5083TEST_P(ImportWrappedKeyTest, SuccessMasked) {
5084 auto wrapping_key_desc = AuthorizationSetBuilder()
5085 .RsaEncryptionKey(2048, 65537)
5086 .Digest(Digest::SHA_2_256)
5087 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5088 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5089 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5090
5091 ASSERT_EQ(ErrorCode::OK,
5092 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
5093 AuthorizationSetBuilder()
5094 .Digest(Digest::SHA_2_256)
5095 .Padding(PaddingMode::RSA_OAEP)));
5096}
5097
5098TEST_P(ImportWrappedKeyTest, WrongMask) {
5099 auto wrapping_key_desc = AuthorizationSetBuilder()
5100 .RsaEncryptionKey(2048, 65537)
5101 .Digest(Digest::SHA_2_256)
5102 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5103 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5104 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5105
5106 ASSERT_EQ(
5107 ErrorCode::VERIFICATION_FAILED,
5108 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5109 AuthorizationSetBuilder()
5110 .Digest(Digest::SHA_2_256)
5111 .Padding(PaddingMode::RSA_OAEP)));
5112}
5113
5114TEST_P(ImportWrappedKeyTest, WrongPurpose) {
5115 auto wrapping_key_desc = AuthorizationSetBuilder()
5116 .RsaEncryptionKey(2048, 65537)
5117 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5118 .Padding(PaddingMode::RSA_OAEP)
5119 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5120
5121 ASSERT_EQ(
5122 ErrorCode::INCOMPATIBLE_PURPOSE,
5123 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5124 AuthorizationSetBuilder()
5125 .Digest(Digest::SHA_2_256)
5126 .Padding(PaddingMode::RSA_OAEP)));
5127}
5128
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5129TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
5130 auto wrapping_key_desc = AuthorizationSetBuilder()
5131 .RsaEncryptionKey(2048, 65537)
5132 .Digest(Digest::SHA_2_256)
5133 .Padding(PaddingMode::RSA_PSS)
5134 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5135 .SetDefaultValidity();
5136
5137 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
5138 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5139 AuthorizationSetBuilder()
5140 .Digest(Digest::SHA_2_256)
5141 .Padding(PaddingMode::RSA_OAEP)));
5142}
5143
5144TEST_P(ImportWrappedKeyTest, WrongDigest) {
5145 auto wrapping_key_desc = AuthorizationSetBuilder()
5146 .RsaEncryptionKey(2048, 65537)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5147 .Padding(PaddingMode::RSA_OAEP)
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5148 .Digest(Digest::SHA_2_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5149 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5150 .SetDefaultValidity();
5151
5152 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
5153 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5154 AuthorizationSetBuilder()
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5155 .Digest(Digest::SHA_2_512)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5156 .Padding(PaddingMode::RSA_OAEP)));
5157}
5158
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5159INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
5160
5161typedef KeyMintAidlTestBase EncryptionOperationsTest;
5162
5163/*
5164 * EncryptionOperationsTest.RsaNoPaddingSuccess
5165 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5166 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5167 */
5168TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]5169 for (uint64_t exponent : ValidExponents()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5170 SCOPED_TRACE(testing::Message() << "RSA exponent=" << exponent);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5171 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5172 .Authorization(TAG_NO_AUTH_REQUIRED)
5173 .RsaEncryptionKey(2048, exponent)
5174 .Padding(PaddingMode::NONE)
5175 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5176
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5177 string message = string(2048 / 8, 'a');
5178 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5179 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5180 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5181
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5182 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5183 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5184
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5185 // Unpadded RSA is deterministic
5186 EXPECT_EQ(ciphertext1, ciphertext2);
5187
5188 CheckedDeleteKey();
5189 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5190}
5191
5192/*
5193 * EncryptionOperationsTest.RsaNoPaddingShortMessage
5194 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5195 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5196 */
5197TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
5198 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5199 .Authorization(TAG_NO_AUTH_REQUIRED)
5200 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5201 .Padding(PaddingMode::NONE)
5202 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5203
5204 string message = "1";
5205 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
5206
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5207 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5208 EXPECT_EQ(2048U / 8, ciphertext.size());
5209
5210 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
5211 string plaintext = DecryptMessage(ciphertext, params);
5212
5213 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5214}
5215
5216/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5217 * EncryptionOperationsTest.RsaOaepSuccess
5218 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5219 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5220 */
5221TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
5222 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5223 auto mgf_digest = Digest::SHA1;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5224
5225 size_t key_size = 2048; // Need largish key for SHA-512 test.
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5226 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5227 .Authorization(TAG_NO_AUTH_REQUIRED)
5228 .RsaEncryptionKey(key_size, 65537)
5229 .Padding(PaddingMode::RSA_OAEP)
5230 .Digest(digests)
5231 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest)
5232 .SetDefaultValidity()));
5233
5234 // Make sure explicitly specified mgf-digest exist in key characteristics.
5235 ASSERT_TRUE(is_mgf_digest_present(key_characteristics_, mgf_digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5236
5237 string message = "Hello";
5238
5239 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5240 SCOPED_TRACE(testing::Message() << "digest-" << digest);
5241
5242 auto params = AuthorizationSetBuilder()
5243 .Digest(digest)
5244 .Padding(PaddingMode::RSA_OAEP)
5245 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
5246 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5247 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5248 EXPECT_EQ(key_size / 8, ciphertext1.size());
5249
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5250 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5251 EXPECT_EQ(key_size / 8, ciphertext2.size());
5252
5253 // OAEP randomizes padding so every result should be different (with astronomically high
5254 // probability).
5255 EXPECT_NE(ciphertext1, ciphertext2);
5256
5257 string plaintext1 = DecryptMessage(ciphertext1, params);
5258 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5259 string plaintext2 = DecryptMessage(ciphertext2, params);
5260 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5261
5262 // Decrypting corrupted ciphertext should fail.
5263 size_t offset_to_corrupt = random() % ciphertext1.size();
5264 char corrupt_byte;
5265 do {
5266 corrupt_byte = static_cast<char>(random() % 256);
5267 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5268 ciphertext1[offset_to_corrupt] = corrupt_byte;
5269
5270 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5271 string result;
5272 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5273 EXPECT_EQ(0U, result.size());
5274 }
5275}
5276
5277/*
5278 * EncryptionOperationsTest.RsaOaepInvalidDigest
5279 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5280 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5281 * without a digest.
5282 */
5283TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
5284 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5285 .Authorization(TAG_NO_AUTH_REQUIRED)
5286 .RsaEncryptionKey(2048, 65537)
5287 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5288 .Digest(Digest::NONE)
5289 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5290
5291 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5292 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5293}
5294
5295/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5296 * EncryptionOperationsTest.RsaOaepInvalidPadding
5297 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5298 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5299 * with a padding value that is only suitable for signing/verifying.
5300 */
5301TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
5302 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5303 .Authorization(TAG_NO_AUTH_REQUIRED)
5304 .RsaEncryptionKey(2048, 65537)
5305 .Padding(PaddingMode::RSA_PSS)
5306 .Digest(Digest::NONE)
5307 .SetDefaultValidity()));
5308
5309 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5310 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5311}
5312
5313/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5314 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5315 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5316 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5317 * with a different digest than was used to encrypt.
5318 */
5319TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5320 if (SecLevel() == SecurityLevel::STRONGBOX) {
5321 GTEST_SKIP() << "Test not applicable to StrongBox device";
5322 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5323
5324 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5325 .Authorization(TAG_NO_AUTH_REQUIRED)
5326 .RsaEncryptionKey(1024, 65537)
5327 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5328 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
5329 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5330 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5331 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5332 message,
5333 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
5334
5335 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5336 .Digest(Digest::SHA_2_256)
5337 .Padding(PaddingMode::RSA_OAEP)));
5338 string result;
5339 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5340 EXPECT_EQ(0U, result.size());
5341}
5342
5343/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5344 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
5345 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5346 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5347 * digests.
5348 */
5349TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
5350 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5351
5352 size_t key_size = 2048; // Need largish key for SHA-512 test.
5353 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5354 .OaepMGFDigest(digests)
5355 .Authorization(TAG_NO_AUTH_REQUIRED)
5356 .RsaEncryptionKey(key_size, 65537)
5357 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5358 .Digest(Digest::SHA_2_256)
5359 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5360
Shawn Willden20732262023-04-21 16:36:00 -0600[diff] [blame]5361 std::vector<Digest> mgf1DigestsInAuths;
5362 mgf1DigestsInAuths.reserve(digests.size());
5363 const auto& hw_auths = SecLevelAuthorizations(key_characteristics_);
5364 std::for_each(hw_auths.begin(), hw_auths.end(), [&](auto& param) {
5365 if (param.tag == Tag::RSA_OAEP_MGF_DIGEST) {
5366 KeyParameterValue value = param.value;
5367 mgf1DigestsInAuths.push_back(param.value.template get<KeyParameterValue::digest>());
5368 }
5369 });
5370
5371 std::sort(digests.begin(), digests.end());
5372 std::sort(mgf1DigestsInAuths.begin(), mgf1DigestsInAuths.end());
5373 EXPECT_EQ(digests, mgf1DigestsInAuths);
5374
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5375 string message = "Hello";
5376
5377 for (auto digest : digests) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5378 SCOPED_TRACE(testing::Message() << "digest-" << digest);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5379 auto params = AuthorizationSetBuilder()
5380 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
5381 .Digest(Digest::SHA_2_256)
5382 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5383 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5384 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5385 EXPECT_EQ(key_size / 8, ciphertext1.size());
5386
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5387 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5388 EXPECT_EQ(key_size / 8, ciphertext2.size());
5389
5390 // OAEP randomizes padding so every result should be different (with astronomically high
5391 // probability).
5392 EXPECT_NE(ciphertext1, ciphertext2);
5393
5394 string plaintext1 = DecryptMessage(ciphertext1, params);
5395 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5396 string plaintext2 = DecryptMessage(ciphertext2, params);
5397 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5398
5399 // Decrypting corrupted ciphertext should fail.
5400 size_t offset_to_corrupt = random() % ciphertext1.size();
5401 char corrupt_byte;
5402 do {
5403 corrupt_byte = static_cast<char>(random() % 256);
5404 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5405 ciphertext1[offset_to_corrupt] = corrupt_byte;
5406
5407 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5408 string result;
5409 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5410 EXPECT_EQ(0U, result.size());
5411 }
5412}
5413
5414/*
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5415 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultSuccess
5416 *
5417 * Verifies that RSA-OAEP decryption operations work when no MGF digest is
5418 * specified, defaulting to SHA-1.
5419 */
5420TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultSuccess) {
5421 size_t key_size = 2048;
5422 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5423 .Authorization(TAG_NO_AUTH_REQUIRED)
5424 .RsaEncryptionKey(key_size, 65537)
5425 .Padding(PaddingMode::RSA_OAEP)
5426 .Digest(Digest::SHA_2_256)
5427 .SetDefaultValidity()));
5428
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5429 // Make sure default mgf-digest (SHA1) is not included in Key characteristics.
5430 ASSERT_FALSE(is_mgf_digest_present(key_characteristics_, Digest::SHA1));
5431
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5432 // Do local RSA encryption using the default MGF digest of SHA-1.
5433 string message = "Hello";
5434 auto params =
5435 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5436 string ciphertext = LocalRsaEncryptMessage(message, params);
5437 EXPECT_EQ(key_size / 8, ciphertext.size());
5438
5439 // Do KeyMint RSA decryption also using the default MGF digest of SHA-1.
5440 string plaintext = DecryptMessage(ciphertext, params);
5441 EXPECT_EQ(message, plaintext) << "RSA-OAEP failed with default digest";
5442
5443 // Decrypting corrupted ciphertext should fail.
5444 size_t offset_to_corrupt = random() % ciphertext.size();
5445 char corrupt_byte;
5446 do {
5447 corrupt_byte = static_cast<char>(random() % 256);
5448 } while (corrupt_byte == ciphertext[offset_to_corrupt]);
5449 ciphertext[offset_to_corrupt] = corrupt_byte;
5450
5451 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5452 string result;
5453 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5454 EXPECT_EQ(0U, result.size());
5455}
5456
5457/*
5458 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultFail
5459 *
5460 * Verifies that RSA-OAEP decryption operations fail when no MGF digest is
5461 * specified on begin (thus defaulting to SHA-1), but the key characteristics
5462 * has an explicit set of values for MGF_DIGEST that do not contain SHA-1.
5463 */
5464TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultFail) {
5465 size_t key_size = 2048;
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5466 auto mgf_digest = Digest::SHA_2_256;
5467 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5468 .Authorization(TAG_NO_AUTH_REQUIRED)
5469 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest)
5470 .RsaEncryptionKey(key_size, 65537)
5471 .Padding(PaddingMode::RSA_OAEP)
5472 .Digest(Digest::SHA_2_256)
5473 .SetDefaultValidity()));
5474
5475 // Make sure explicitly specified mgf-digest exist in key characteristics.
5476 ASSERT_TRUE(is_mgf_digest_present(key_characteristics_, mgf_digest));
5477 // Make sure default mgf-digest is not included in key characteristics.
5478 ASSERT_FALSE(is_mgf_digest_present(key_characteristics_, Digest::SHA1));
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5479
5480 // Do local RSA encryption using the default MGF digest of SHA-1.
5481 string message = "Hello";
5482 auto params =
5483 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5484 string ciphertext = LocalRsaEncryptMessage(message, params);
5485 EXPECT_EQ(key_size / 8, ciphertext.size());
5486
5487 // begin() params do not include MGF_DIGEST, so a default of SHA1 is assumed.
5488 // Key characteristics *do* include values for MGF_DIGEST, so the SHA1 value
5489 // is checked against those values, and found absent.
5490 auto result = Begin(KeyPurpose::DECRYPT, params);
5491 EXPECT_TRUE(result == ErrorCode::UNSUPPORTED_MGF_DIGEST ||
5492 result == ErrorCode::INCOMPATIBLE_MGF_DIGEST);
5493}
5494
5495/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5496 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
5497 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5498 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5499 * with incompatible MGF digest.
5500 */
5501TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5502 auto mgf_digest = Digest::SHA_2_256;
5503 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5504 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest)
5505 .Authorization(TAG_NO_AUTH_REQUIRED)
5506 .RsaEncryptionKey(2048, 65537)
5507 .Padding(PaddingMode::RSA_OAEP)
5508 .Digest(Digest::SHA_2_256)
5509 .SetDefaultValidity()));
5510 // Make sure explicitly specified mgf-digest exist in key characteristics.
5511 ASSERT_TRUE(is_mgf_digest_present(key_characteristics_, mgf_digest));
5512
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5513 string message = "Hello World!";
5514
5515 auto params = AuthorizationSetBuilder()
5516 .Padding(PaddingMode::RSA_OAEP)
5517 .Digest(Digest::SHA_2_256)
5518 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5519 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5520}
5521
5522/*
5523 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
5524 *
5525 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
5526 * with unsupported MGF digest.
5527 */
5528TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5529 auto mgf_digest = Digest::SHA_2_256;
5530 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5531 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, mgf_digest)
5532 .Authorization(TAG_NO_AUTH_REQUIRED)
5533 .RsaEncryptionKey(2048, 65537)
5534 .Padding(PaddingMode::RSA_OAEP)
5535 .Digest(Digest::SHA_2_256)
5536 .SetDefaultValidity()));
5537 // Make sure explicitly specified mgf-digest exist in key characteristics.
5538 ASSERT_TRUE(is_mgf_digest_present(key_characteristics_, mgf_digest));
5539
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5540 string message = "Hello World!";
5541
5542 auto params = AuthorizationSetBuilder()
5543 .Padding(PaddingMode::RSA_OAEP)
5544 .Digest(Digest::SHA_2_256)
5545 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5546 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5547}
5548
5549/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5550 * EncryptionOperationsTest.RsaPkcs1Success
5551 *
5552 * Verifies that RSA PKCS encryption/decrypts works.
5553 */
5554TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
5555 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5556 .Authorization(TAG_NO_AUTH_REQUIRED)
5557 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5558 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
5559 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5560
5561 string message = "Hello World!";
5562 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5563 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5564 EXPECT_EQ(2048U / 8, ciphertext1.size());
5565
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5566 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5567 EXPECT_EQ(2048U / 8, ciphertext2.size());
5568
5569 // PKCS1 v1.5 randomizes padding so every result should be different.
5570 EXPECT_NE(ciphertext1, ciphertext2);
5571
5572 string plaintext = DecryptMessage(ciphertext1, params);
5573 EXPECT_EQ(message, plaintext);
5574
5575 // Decrypting corrupted ciphertext should fail.
5576 size_t offset_to_corrupt = random() % ciphertext1.size();
5577 char corrupt_byte;
5578 do {
5579 corrupt_byte = static_cast<char>(random() % 256);
5580 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5581 ciphertext1[offset_to_corrupt] = corrupt_byte;
5582
5583 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5584 string result;
5585 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5586 EXPECT_EQ(0U, result.size());
5587}
5588
5589/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5590 * EncryptionOperationsTest.EcdsaEncrypt
5591 *
5592 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
5593 */
5594TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
5595 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5596 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]5597 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5598 .Digest(Digest::NONE)
5599 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5600 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
5601 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5602 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5603}
5604
5605/*
5606 * EncryptionOperationsTest.HmacEncrypt
5607 *
5608 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
5609 */
5610TEST_P(EncryptionOperationsTest, HmacEncrypt) {
5611 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5612 .Authorization(TAG_NO_AUTH_REQUIRED)
5613 .HmacKey(128)
5614 .Digest(Digest::SHA_2_256)
5615 .Padding(PaddingMode::NONE)
5616 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5617 auto params = AuthorizationSetBuilder()
5618 .Digest(Digest::SHA_2_256)
5619 .Padding(PaddingMode::NONE)
5620 .Authorization(TAG_MAC_LENGTH, 128);
5621 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5622 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5623}
5624
5625/*
5626 * EncryptionOperationsTest.AesEcbRoundTripSuccess
5627 *
5628 * Verifies that AES ECB mode works.
5629 */
5630TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
5631 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5632 .Authorization(TAG_NO_AUTH_REQUIRED)
5633 .AesEncryptionKey(128)
5634 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5635 .Padding(PaddingMode::NONE)));
5636
5637 ASSERT_GT(key_blob_.size(), 0U);
5638 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5639
5640 // Two-block message.
5641 string message = "12345678901234567890123456789012";
5642 string ciphertext1 = EncryptMessage(message, params);
5643 EXPECT_EQ(message.size(), ciphertext1.size());
5644
5645 string ciphertext2 = EncryptMessage(string(message), params);
5646 EXPECT_EQ(message.size(), ciphertext2.size());
5647
5648 // ECB is deterministic.
5649 EXPECT_EQ(ciphertext1, ciphertext2);
5650
5651 string plaintext = DecryptMessage(ciphertext1, params);
5652 EXPECT_EQ(message, plaintext);
5653}
5654
5655/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5656 * EncryptionOperationsTest.AesEcbUnknownTag
5657 *
5658 * Verifies that AES ECB operations ignore unknown tags.
5659 */
5660TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
5661 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
5662 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
5663 KeyParameter unknown_param;
5664 unknown_param.tag = unknown_tag;
5665
5666 vector<KeyCharacteristics> key_characteristics;
5667 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5668 .Authorization(TAG_NO_AUTH_REQUIRED)
5669 .AesEncryptionKey(128)
5670 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5671 .Padding(PaddingMode::NONE)
5672 .Authorization(unknown_param),
5673 &key_blob_, &key_characteristics));
5674 ASSERT_GT(key_blob_.size(), 0U);
5675
5676 // Unknown tags should not be returned in key characteristics.
5677 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
5678 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
5679 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
5680 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
5681
5682 // Encrypt without mentioning the unknown parameter.
5683 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5684 string message = "12345678901234567890123456789012";
5685 string ciphertext = EncryptMessage(message, params);
5686 EXPECT_EQ(message.size(), ciphertext.size());
5687
5688 // Decrypt including the unknown parameter.
5689 auto decrypt_params = AuthorizationSetBuilder()
5690 .BlockMode(BlockMode::ECB)
5691 .Padding(PaddingMode::NONE)
5692 .Authorization(unknown_param);
5693 string plaintext = DecryptMessage(ciphertext, decrypt_params);
5694 EXPECT_EQ(message, plaintext);
5695}
5696
5697/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5698 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5699 *
5700 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
5701 */
5702TEST_P(EncryptionOperationsTest, AesWrongMode) {
5703 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5704 .Authorization(TAG_NO_AUTH_REQUIRED)
5705 .AesEncryptionKey(128)
5706 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5707 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5708 ASSERT_GT(key_blob_.size(), 0U);
5709
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5710 EXPECT_EQ(
5711 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
5712 Begin(KeyPurpose::ENCRYPT,
5713 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
5714}
5715
5716/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5717 * EncryptionOperationsTest.AesWrongPadding
5718 *
5719 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
5720 */
5721TEST_P(EncryptionOperationsTest, AesWrongPadding) {
5722 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5723 .Authorization(TAG_NO_AUTH_REQUIRED)
5724 .AesEncryptionKey(128)
5725 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5726 .Padding(PaddingMode::NONE)));
5727 ASSERT_GT(key_blob_.size(), 0U);
5728
5729 EXPECT_EQ(
5730 ErrorCode::INCOMPATIBLE_PADDING_MODE,
5731 Begin(KeyPurpose::ENCRYPT,
5732 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
5733}
5734
5735/*
5736 * EncryptionOperationsTest.AesInvalidParams
5737 *
5738 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
5739 */
5740TEST_P(EncryptionOperationsTest, AesInvalidParams) {
5741 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5742 .Authorization(TAG_NO_AUTH_REQUIRED)
5743 .AesEncryptionKey(128)
5744 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5745 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5746 .Padding(PaddingMode::NONE)
5747 .Padding(PaddingMode::PKCS7)));
5748 ASSERT_GT(key_blob_.size(), 0U);
5749
5750 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5751 .BlockMode(BlockMode::CBC)
5752 .BlockMode(BlockMode::ECB)
5753 .Padding(PaddingMode::NONE));
5754 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
5755 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
5756
5757 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5758 .BlockMode(BlockMode::ECB)
5759 .Padding(PaddingMode::NONE)
5760 .Padding(PaddingMode::PKCS7));
5761 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
5762 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
5763}
5764
5765/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5766 * EncryptionOperationsTest.AesWrongPurpose
5767 *
5768 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
5769 * specified.
5770 */
5771TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
5772 auto err = GenerateKey(AuthorizationSetBuilder()
5773 .Authorization(TAG_NO_AUTH_REQUIRED)
5774 .AesKey(128)
5775 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
5776 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5777 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5778 .Padding(PaddingMode::NONE));
5779 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
5780 ASSERT_GT(key_blob_.size(), 0U);
5781
5782 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5783 .BlockMode(BlockMode::GCM)
5784 .Padding(PaddingMode::NONE)
5785 .Authorization(TAG_MAC_LENGTH, 128));
5786 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5787
5788 CheckedDeleteKey();
5789
5790 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5791 .Authorization(TAG_NO_AUTH_REQUIRED)
5792 .AesKey(128)
5793 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
5794 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5795 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5796 .Padding(PaddingMode::NONE)));
5797
5798 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5799 .BlockMode(BlockMode::GCM)
5800 .Padding(PaddingMode::NONE)
5801 .Authorization(TAG_MAC_LENGTH, 128));
5802 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5803}
5804
5805/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5806 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5807 *
5808 * Verifies that AES encryption fails in the correct way when provided an input that is not a
5809 * multiple of the block size and no padding is specified.
5810 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5811TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
5812 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5813 SCOPED_TRACE(testing::Message() << "AES-" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5814 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5815 .Authorization(TAG_NO_AUTH_REQUIRED)
5816 .AesEncryptionKey(128)
5817 .Authorization(TAG_BLOCK_MODE, blockMode)
5818 .Padding(PaddingMode::NONE)));
5819 // Message is slightly shorter than two blocks.
5820 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5821
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5822 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5823 AuthorizationSet out_params;
5824 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5825 string ciphertext;
5826 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
5827 EXPECT_EQ(0U, ciphertext.size());
5828
5829 CheckedDeleteKey();
5830 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5831}
5832
5833/*
5834 * EncryptionOperationsTest.AesEcbPkcs7Padding
5835 *
5836 * Verifies that AES PKCS7 padding works for any message length.
5837 */
5838TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
5839 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5840 .Authorization(TAG_NO_AUTH_REQUIRED)
5841 .AesEncryptionKey(128)
5842 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5843 .Padding(PaddingMode::PKCS7)));
5844
5845 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5846
5847 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5848 for (size_t i = 0; i <= 48; i++) {
5849 SCOPED_TRACE(testing::Message() << "i = " << i);
5850 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character.
5851 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5852 string ciphertext = EncryptMessage(message, params);
5853 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
5854 string plaintext = DecryptMessage(ciphertext, params);
5855 EXPECT_EQ(message, plaintext);
5856 }
5857}
5858
5859/*
5860 * EncryptionOperationsTest.AesEcbWrongPadding
5861 *
5862 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
5863 * specified.
5864 */
5865TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
5866 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5867 .Authorization(TAG_NO_AUTH_REQUIRED)
5868 .AesEncryptionKey(128)
5869 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5870 .Padding(PaddingMode::NONE)));
5871
5872 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5873
5874 // Try various message lengths; all should fail
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5875 for (size_t i = 0; i <= 48; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5876 string message(i, 'a');
5877 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5878 }
5879}
5880
5881/*
5882 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
5883 *
5884 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5885 */
5886TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
5887 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5888 .Authorization(TAG_NO_AUTH_REQUIRED)
5889 .AesEncryptionKey(128)
5890 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5891 .Padding(PaddingMode::PKCS7)));
5892
5893 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5894
5895 string message = "a";
5896 string ciphertext = EncryptMessage(message, params);
5897 EXPECT_EQ(16U, ciphertext.size());
5898 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5899
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5900 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5901 ++ciphertext[ciphertext.size() / 2];
5902
5903 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5904 string plaintext;
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5905 ErrorCode error = Finish(ciphertext, &plaintext);
5906 if (error == ErrorCode::INVALID_ARGUMENT) {
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5907 // This is the expected error, we can exit the test now.
5908 return;
5909 } else {
5910 // Very small chance we got valid decryption, so try again.
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5911 ASSERT_EQ(error, ErrorCode::OK)
5912 << "Expected INVALID_ARGUMENT or (rarely) OK, got " << error;
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5913 }
5914 }
5915 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5916}
5917
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5918/*
5919 * EncryptionOperationsTest.AesEcbPkcs7CiphertextTooShort
5920 *
5921 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5922 */
5923TEST_P(EncryptionOperationsTest, AesEcbPkcs7CiphertextTooShort) {
5924 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5925 .Authorization(TAG_NO_AUTH_REQUIRED)
5926 .AesEncryptionKey(128)
5927 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5928 .Padding(PaddingMode::PKCS7)));
5929
5930 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5931
5932 string message = "a";
5933 string ciphertext = EncryptMessage(message, params);
5934 EXPECT_EQ(16U, ciphertext.size());
5935 EXPECT_NE(ciphertext, message);
5936
5937 // Shorten the ciphertext.
5938 ciphertext.resize(ciphertext.size() - 1);
5939 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5940 string plaintext;
5941 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(ciphertext, &plaintext));
5942}
5943
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5944vector<uint8_t> CopyIv(const AuthorizationSet& set) {
5945 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5946 EXPECT_TRUE(iv);
5947 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5948}
5949
5950/*
5951 * EncryptionOperationsTest.AesCtrRoundTripSuccess
5952 *
5953 * Verifies that AES CTR mode works.
5954 */
5955TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
5956 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5957 .Authorization(TAG_NO_AUTH_REQUIRED)
5958 .AesEncryptionKey(128)
5959 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5960 .Padding(PaddingMode::NONE)));
5961
5962 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5963
5964 string message = "123";
5965 AuthorizationSet out_params;
5966 string ciphertext1 = EncryptMessage(message, params, &out_params);
5967 vector<uint8_t> iv1 = CopyIv(out_params);
5968 EXPECT_EQ(16U, iv1.size());
5969
5970 EXPECT_EQ(message.size(), ciphertext1.size());
5971
5972 out_params.Clear();
5973 string ciphertext2 = EncryptMessage(message, params, &out_params);
5974 vector<uint8_t> iv2 = CopyIv(out_params);
5975 EXPECT_EQ(16U, iv2.size());
5976
5977 // IVs should be random, so ciphertexts should differ.
5978 EXPECT_NE(ciphertext1, ciphertext2);
5979
5980 auto params_iv1 =
5981 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
5982 auto params_iv2 =
5983 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
5984
5985 string plaintext = DecryptMessage(ciphertext1, params_iv1);
5986 EXPECT_EQ(message, plaintext);
5987 plaintext = DecryptMessage(ciphertext2, params_iv2);
5988 EXPECT_EQ(message, plaintext);
5989
5990 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
5991 plaintext = DecryptMessage(ciphertext1, params_iv2);
5992 EXPECT_NE(message, plaintext);
5993 plaintext = DecryptMessage(ciphertext2, params_iv1);
5994 EXPECT_NE(message, plaintext);
5995}
5996
5997/*
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5998 * EncryptionOperationsTest.AesEcbIncremental
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5999 *
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6000 * Verifies that AES works for ECB block mode, when provided data in various size increments.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6001 */
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6002TEST_P(EncryptionOperationsTest, AesEcbIncremental) {
6003 CheckAesIncrementalEncryptOperation(BlockMode::ECB, 240);
6004}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6005
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6006/*
6007 * EncryptionOperationsTest.AesCbcIncremental
6008 *
6009 * Verifies that AES works for CBC block mode, when provided data in various size increments.
6010 */
6011TEST_P(EncryptionOperationsTest, AesCbcIncremental) {
6012 CheckAesIncrementalEncryptOperation(BlockMode::CBC, 240);
6013}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6014
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6015/*
6016 * EncryptionOperationsTest.AesCtrIncremental
6017 *
6018 * Verifies that AES works for CTR block mode, when provided data in various size increments.
6019 */
6020TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
6021 CheckAesIncrementalEncryptOperation(BlockMode::CTR, 240);
6022}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6023
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6024/*
6025 * EncryptionOperationsTest.AesGcmIncremental
6026 *
6027 * Verifies that AES works for GCM block mode, when provided data in various size increments.
6028 */
6029TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
6030 CheckAesIncrementalEncryptOperation(BlockMode::GCM, 240);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6031}
6032
Prashant Patildd5f7f02022-07-06 18:58:07 +0000[diff] [blame]6033/*
6034 * EncryptionOperationsTest.Aes128CBCNoPaddingOneByteAtATime
6035 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6036 */
6037TEST_P(EncryptionOperationsTest, Aes128CBCNoPaddingOneByteAtATime) {
6038 string kat_key = hex2str("7E3D723C09A9852B24F584F9D916F6A8");
6039 string kat_iv = hex2str("944AE274D983892EADE422274858A96A");
6040 string kat_plaintext =
6041 hex2str("044E15899A080AADEB6778F64323B64D2CBCBADB338DF93B9AC459D4F41029"
6042 "809FFF37081C22EF278F896AB213A2A631");
6043 string kat_ciphertext =
6044 hex2str("B419293FCBD686F2913D1CF947E510D42FAFEDE5593C98AFD6AEE272596A"
6045 "56FE42C22F2A5E3B6A02BA9D8D0DE1E9A810");
6046 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6047 kat_ciphertext);
6048}
6049
6050/*
6051 * EncryptionOperationsTest.Aes128CBCPKCS7PaddingOneByteAtATime
6052 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6053 */
6054TEST_P(EncryptionOperationsTest, Aes128CBCPKCS7PaddingOneByteAtATime) {
6055 string kat_key = hex2str("F16E698472578E919D92806262C5169F");
6056 string kat_iv = hex2str("EF743540F8421ACA128A3247521F3E7D");
6057 string kat_plaintext =
6058 hex2str("5BEBF33569D90BF5E853814E12E7C7AA5758013F755773E29F4A25EC26EEB7"
6059 "65F7F2DC251F7DC62AEFCA1E8A5A11A1DCD44F0BD8FB593A5AE3");
6060 string kat_ciphertext =
6061 hex2str("3197CF6DB9466188B5FED375329324EE7D6092A8C0E41DFAF49E3724271427"
6062 "896D56A6243C0D59D6639722AF93CD53449BDDABF9C5F153EBDBFED9ED98C8CC37");
6063 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6064 kat_plaintext, kat_ciphertext);
6065}
6066
6067/*
6068 * EncryptionOperationsTest.Aes128CTRNoPaddingOneByteAtATime
6069 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6070 */
6071TEST_P(EncryptionOperationsTest, Aes128CTRNoPaddingOneByteAtATime) {
6072 string kat_key = hex2str("4713a7b2f93efe809b42ecc45213ef9f");
6073 string kat_iv = hex2str("ebfa19b0ebf3d57feabd4c4bd04bea01");
6074 string kat_plaintext =
6075 hex2str("6d2c07e1fc86f99c6e2a8f6567828b4262a9c23d0f3ed8ab32482283c79796"
6076 "f0adba1bcd3736084996452a917fae98005aebe61f9e91c3");
6077 string kat_ciphertext =
6078 hex2str("345deb1d67b95e600e05cad4c32ec381aadb3e2c1ec7e0fb956dc38e6860cf"
6079 "0553535566e1b12fa9f87d29266ca26df427233df035df28");
6080 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6081 kat_ciphertext);
6082}
6083
6084/*
6085 * EncryptionOperationsTest.Aes128ECBNoPaddingOneByteAtATime
6086 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6087 */
6088TEST_P(EncryptionOperationsTest, Aes128ECBNoPaddingOneByteAtATime) {
6089 string kat_key = hex2str("7DA2467F068854B3CB36E5C333A16619");
6090 string kat_plaintext =
6091 hex2str("9A07C9575AD9CE209DF9F3953965CEBE8208587C7AE575A1904BF25048946D"
6092 "7B6168A9A27BCE554BEA94EF26E6C742A0");
6093 string kat_ciphertext =
6094 hex2str("8C47E49420FC92AC4CA2C601BC3F8AC31D01B260B7B849F2B8EEDFFFED8F36"
6095 "C31CBDA0D22F95C9C2A48C347E8C77AC82");
6096 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6097 kat_ciphertext);
6098}
6099
6100/*
6101 * EncryptionOperationsTest.Aes128ECBPKCS7PaddingOneByteAtATime
6102 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6103 */
6104TEST_P(EncryptionOperationsTest, Aes128ECBPKCS7PaddingOneByteAtATime) {
6105 string kat_key = hex2str("C3BE04BCCB3D99B85290F113FE7AF194");
6106 string kat_plaintext =
6107 hex2str("348C213FD8DF3F990C20C5ACBF07B34B6264AE245784A5A6176DBFB1C2E7DD"
6108 "27E52CC92B8EEE40614F05B507B355F6354A2705BD86");
6109 string kat_ciphertext =
6110 hex2str("07CD05C41FEDEDDC5DB4B3E35E676153184A119AA4DFDDC290616F1FA60093"
6111 "1DE6BEA9BDB90D1D733899946F8C8E5C0C4383F99F5D88E27F3EBC0C6E52759ED3");
6112 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6113 kat_ciphertext);
6114}
6115
6116/*
6117 * EncryptionOperationsTest.Aes128GCMNoPaddingOneByteAtATime
6118 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6119 */
6120TEST_P(EncryptionOperationsTest, Aes128GCMNoPaddingOneByteAtATime) {
6121 string kat_key = hex2str("ba76354f0aed6e8d91f45c4ff5a062db");
6122 string kat_iv = hex2str("b79437ae08ff355d7d8a4d0f");
6123 string kat_plaintext =
6124 hex2str("6d7596a8fd56ceaec61de7940984b7736fec44f572afc3c8952e4dc6541e2b"
6125 "c6a702c440a37610989543f63fedb047ca2173bc18581944");
6126 string kat_ciphertext =
6127 hex2str("b3f6799e8f9326f2df1e80fcd2cb16d78c9dc7cc14bb677862dc6c639b3a63"
6128 "38d24b312d3989e5920b5dbfc976765efbfe57bb385940a7a43bdf05bddae3c9d6a2fb"
6129 "bdfcc0cba0");
6130
6131 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6132 kat_ciphertext);
6133}
6134
6135/*
6136 * EncryptionOperationsTest.Aes192CBCNoPaddingOneByteAtATime
6137 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6138 */
6139TEST_P(EncryptionOperationsTest, Aes192CBCNoPaddingOneByteAtATime) {
6140 if (SecLevel() == SecurityLevel::STRONGBOX) {
6141 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6142 }
6143 string kat_key = hex2str("be8cc4e25cce46e5d55725e2391f7d3cf59ed60062f5a43b");
6144 string kat_iv = hex2str("80a199aab0eee77e7762ddf3b3a32f40");
6145 string kat_plaintext =
6146 hex2str("064f9200e0df37d4711af4a69d11addf9e1c345d9d8195f9f1f715019ce96a"
6147 "167f2497c994bd496eb80bfb2ba2c9d5af");
6148 string kat_ciphertext =
6149 hex2str("859b90becaa85e95a71e104efbd7a3b723bcbf4eb39865544a05d9e90b6fe5"
6150 "72c134552f3a138e726fbe493b3a839598");
6151 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6152 kat_ciphertext);
6153}
6154
6155/*
6156 * EncryptionOperationsTest.Aes192CBCPKCS7PaddingOneByteAtATime
6157 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6158 */
6159TEST_P(EncryptionOperationsTest, Aes192CBCPKCS7PaddingOneByteAtATime) {
6160 if (SecLevel() == SecurityLevel::STRONGBOX) {
6161 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6162 }
6163 string kat_key = hex2str("68969215ec41e4df7d23de0e806f458f52aff492bd7c5263");
6164 string kat_iv = hex2str("e61d13dfbf0533289f0e7950209da418");
6165 string kat_plaintext =
6166 hex2str("8d4c1cac27511ee2d82409a7f378e7e402b0eb189c1eaa5c506eb72a9074"
6167 "b170");
6168 string kat_ciphertext =
6169 hex2str("e70bcd62c595dc1b2b8c197bb91a7447e1be2cbcf3fdc69e7e991faf0f57cf"
6170 "4e3884138ff403a41fd99818708ada301c");
6171 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6172 kat_plaintext, kat_ciphertext);
6173}
6174
6175/*
6176 * EncryptionOperationsTest.Aes192CTRNoPaddingOneByteAtATime
6177 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6178 */
6179TEST_P(EncryptionOperationsTest, Aes192CTRNoPaddingOneByteAtATime) {
6180 if (SecLevel() == SecurityLevel::STRONGBOX) {
6181 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6182 }
6183 string kat_key = hex2str("5e2036e790d38815c90beb67a1c9e5aa0e167ef082927317");
6184 string kat_iv = hex2str("df0694959b89054156962d68a226965c");
6185 string kat_plaintext =
6186 hex2str("6ed2781c99e03e45314d6019932220c2c98130c53f9f67ad10ac519adf50e9"
6187 "28091e09cdbbd3b42b");
6188 string kat_ciphertext =
6189 hex2str("e427b6666502e05b82d0b20ae50e862b1936d71266fc49178ac984e71571f2"
6190 "2ae0f90f0c19f42b4a");
6191 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6192 kat_ciphertext);
6193}
6194
6195/*
6196 * EncryptionOperationsTest.Aes192ECBNoPaddingOneByteAtATime
6197 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6198 */
6199TEST_P(EncryptionOperationsTest, Aes192ECBNoPaddingOneByteAtATime) {
6200 if (SecLevel() == SecurityLevel::STRONGBOX) {
6201 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6202 }
6203 string kat_key = hex2str("3cab83fb338ba985fbfe74c5e9d2e900adb570b1d67faf92");
6204 string kat_plaintext =
6205 hex2str("2cc64c335a13fb838f3c6aad0a6b47297ca90bb886ddb059200f0b41740c"
6206 "44ab");
6207 string kat_ciphertext =
6208 hex2str("9c5c825328f5ee0aa24947e374d3f9165f484b39dd808c790d7a12964810"
6209 "2453");
6210 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6211 kat_ciphertext);
6212}
6213
6214/*
6215 * EncryptionOperationsTest.Aes192ECBPKCS7PaddingOneByteAtATime
6216 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6217 */
6218TEST_P(EncryptionOperationsTest, Aes192ECBPKCS7PaddingOneByteAtATime) {
6219 if (SecLevel() == SecurityLevel::STRONGBOX) {
6220 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6221 }
6222 string kat_key = hex2str("d57f4e5446f736c16476ec4db5decc7b1bf3936e4f7e4618");
6223 string kat_plaintext =
6224 hex2str("b115777f1ee7a43a07daa6401e59c46b7a98213a8747eabfbe3ca4ec93524d"
6225 "e2c7");
6226 string kat_ciphertext =
6227 hex2str("1e92cd20da08bb5fa174a7a69879d4fc25a155e6af06d75b26c5b450d273c8"
6228 "bb7e3a889dd4a9589098b44acf1056e7aa");
6229 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6230 kat_ciphertext);
6231}
6232
6233/*
6234 * EncryptionOperationsTest.Aes192GCMNoPaddingOneByteAtATime
6235 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6236 */
6237TEST_P(EncryptionOperationsTest, Aes192GCMNoPaddingOneByteAtATime) {
6238 if (SecLevel() == SecurityLevel::STRONGBOX) {
6239 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6240 }
6241 string kat_key = hex2str("21339fc1d011abca65d50ce2365230603fd47d07e8830f6e");
6242 string kat_iv = hex2str("d5fb1469a8d81dd75286a418");
6243 string kat_plaintext =
6244 hex2str("cf776dedf53a828d51a0073db3ef0dd1ee19e2e9e243ce97e95841bb9ad4e3"
6245 "ff52");
6246 string kat_ciphertext =
6247 hex2str("3a0d48278111d3296bc663df8a5dbeb2474ea47fd85b608f8d9375d9dcf7de"
6248 "1413ad70fb0e1970669095ad77ebb5974ae8");
6249
6250 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6251 kat_ciphertext);
6252}
6253
6254/*
6255 * EncryptionOperationsTest.Aes256CBCNoPaddingOneByteAtATime
6256 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6257 */
6258TEST_P(EncryptionOperationsTest, Aes256CBCNoPaddingOneByteAtATime) {
6259 string kat_key = hex2str("dd2f20dc6b98c100bac919120ff95eb5d96003f8229987b283a1e777b0cd5c30");
6260 string kat_iv = hex2str("23b4d85239fb90db93b07a981e90a170");
6261 string kat_plaintext =
6262 hex2str("2fbe5d46dca5cea433e550d8b291740ab9551c2a2d37680d7fb7b993225f58"
6263 "494cb53caca353e4b637ba05687be20f8d");
6264 string kat_ciphertext =
6265 hex2str("5aba24fc316936c8369061ee8fe463e4faed04288e204456626b988c0e376b"
6266 "6047da1e4fd7c4e1cf2656097f75ae8685");
6267 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6268 kat_ciphertext);
6269}
6270
6271/*
6272 * EncryptionOperationsTest.Aes256CBCPKCS7PaddingOneByteAtATime
6273 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6274 */
6275TEST_P(EncryptionOperationsTest, Aes256CBCPKCS7PaddingOneByteAtATime) {
6276 string kat_key = hex2str("03ab2510520f5cfebfab0a17a7f8324c9634911f6fc59e586f85346bb38ac88a");
6277 string kat_iv = hex2str("9af96967195bb0184f129beffa8241ae");
6278 string kat_plaintext =
6279 hex2str("2d6944653ac14988a772a2730b7c5bfa99a21732ae26f40cdc5b3a2874c794"
6280 "2545a82b73c48078b9dae62261c65909");
6281 string kat_ciphertext =
6282 hex2str("26b308f7e1668b55705a79c8b3ad10e244655f705f027f390a5c34e4536f51"
6283 "9403a71987b95124073d69f2a3cb95b0ab");
6284 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6285 kat_plaintext, kat_ciphertext);
6286}
6287
6288/*
6289 * EncryptionOperationsTest.Aes256CTRNoPaddingOneByteAtATime
6290 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6291 */
6292TEST_P(EncryptionOperationsTest, Aes256CTRNoPaddingOneByteAtATime) {
6293 string kat_key = hex2str("928b380a8fed4b4b4cfeb56e0c66a4cb0f9ff58d61ac68bcfd0e3fbd910a684f");
6294 string kat_iv = hex2str("0b678a5249e6eeda461dfb4776b6c58e");
6295 string kat_plaintext =
6296 hex2str("f358de57543b297e997cba46fb9100553d6abd65377e55b9aac3006400ead1"
6297 "1f6db3c884");
6298 string kat_ciphertext =
6299 hex2str("a07a35fbd1776ad81462e1935f542337add60962bf289249476817b6ddd532"
6300 "a7be30d4c3");
6301 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6302 kat_ciphertext);
6303}
6304
6305/*
6306 * EncryptionOperationsTest.Aes256ECBNoPaddingOneByteAtATime
6307 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6308 */
6309TEST_P(EncryptionOperationsTest, Aes256ECBNoPaddingOneByteAtATime) {
6310 string kat_key = hex2str("fa4622d9cf6485075daedd33d2c4fffdf859e2edb7f7df4f04603f7e647fae90");
6311 string kat_plaintext =
6312 hex2str("96ccabbe0c68970d8cdee2b30ab43c2d61cc50ee68271e77571e72478d713a"
6313 "31a476d6806b8116089c6ec50bb543200f");
6314 string kat_ciphertext =
6315 hex2str("0e81839e9dfbfe3b503d619e676abe5ac80fac3f245d8f09b9134b1b32a67d"
6316 "c83e377faf246288931136bef2a07c0be4");
6317 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6318 kat_ciphertext);
6319}
6320
6321/*
6322 * EncryptionOperationsTest.Aes256ECBPKCS7PaddingOneByteAtATime
6323 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6324 */
6325TEST_P(EncryptionOperationsTest, Aes256ECBPKCS7PaddingOneByteAtATime) {
6326 string kat_key = hex2str("bf3f07c68467fead0ca8e2754500ab514258abf02eb7e615a493bcaaa45d5ee1");
6327 string kat_plaintext =
6328 hex2str("af0757e49018dad628f16998628a407db5f28291bef3bc2e4d8a5a31fb238e"
6329 "6f");
6330 string kat_ciphertext =
6331 hex2str("21ec3011074bf1ef140643d47130326c5e183f61237c69bc77551ca207d71f"
6332 "c2b90cfac6c8d2d125e5cd9ff353dee0df");
6333 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6334 kat_ciphertext);
6335}
6336
6337/*
6338 * EncryptionOperationsTest.Aes256GCMNoPaddingOneByteAtATime
6339 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6340 */
6341TEST_P(EncryptionOperationsTest, Aes256GCMNoPaddingOneByteAtATime) {
6342 string kat_key = hex2str("7972140d831eedac75d5ea515c9a4c3bb124499a90b5f317ac1a685e88fae395");
6343 string kat_iv = hex2str("a66c5252808d823dd4151fed");
6344 string kat_plaintext =
6345 hex2str("c2b9dabf3a55adaa94e8c0d1e77a84a3435aee23b2c3c4abb587b09a9c2afb"
6346 "f0");
6347 string kat_ciphertext =
6348 hex2str("a960619314657b2afb96b93bebb372bffd09e19d53e351f17d1ba2611f9dc3"
6349 "3c9c92d563e8fd381254ac262aa2a4ea0d");
6350
6351 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6352 kat_ciphertext);
6353}
6354
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6355struct AesCtrSp80038aTestVector {
6356 const char* key;
6357 const char* nonce;
6358 const char* plaintext;
6359 const char* ciphertext;
6360};
6361
6362// These test vectors are taken from
6363// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
6364static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
6365 // AES-128
6366 {
6367 "2b7e151628aed2a6abf7158809cf4f3c",
6368 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6369 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6370 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6371 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
6372 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
6373 },
6374 // AES-192
6375 {
6376 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
6377 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6378 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6379 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6380 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
6381 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
6382 },
6383 // AES-256
6384 {
6385 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
6386 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6387 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6388 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6389 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
6390 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
6391 },
6392};
6393
6394/*
6395 * EncryptionOperationsTest.AesCtrSp80038aTestVector
6396 *
6397 * Verifies AES CTR implementation against SP800-38A test vectors.
6398 */
6399TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
6400 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
6401 for (size_t i = 0; i < 3; i++) {
6402 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
6403 const string key = hex2str(test.key);
6404 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
6405 InvalidSizes.end())
6406 continue;
6407 const string nonce = hex2str(test.nonce);
6408 const string plaintext = hex2str(test.plaintext);
6409 const string ciphertext = hex2str(test.ciphertext);
6410 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
6411 }
6412}
6413
6414/*
6415 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
6416 *
6417 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
6418 */
6419TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
6420 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6421 .Authorization(TAG_NO_AUTH_REQUIRED)
6422 .AesEncryptionKey(128)
6423 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6424 .Padding(PaddingMode::PKCS7)));
6425 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
6426 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
6427}
6428
6429/*
6430 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
6431 *
6432 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6433 */
6434TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
6435 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6436 .Authorization(TAG_NO_AUTH_REQUIRED)
6437 .AesEncryptionKey(128)
6438 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6439 .Authorization(TAG_CALLER_NONCE)
6440 .Padding(PaddingMode::NONE)));
6441
6442 auto params = AuthorizationSetBuilder()
6443 .BlockMode(BlockMode::CTR)
6444 .Padding(PaddingMode::NONE)
6445 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
6446 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6447
6448 params = AuthorizationSetBuilder()
6449 .BlockMode(BlockMode::CTR)
6450 .Padding(PaddingMode::NONE)
6451 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
6452 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6453
6454 params = AuthorizationSetBuilder()
6455 .BlockMode(BlockMode::CTR)
6456 .Padding(PaddingMode::NONE)
6457 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
6458 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6459}
6460
6461/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6462 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6463 *
6464 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6465 */
6466TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
6467 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6468 .Authorization(TAG_NO_AUTH_REQUIRED)
6469 .AesEncryptionKey(128)
6470 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6471 .Padding(PaddingMode::NONE)));
6472 // Two-block message.
6473 string message = "12345678901234567890123456789012";
6474 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6475 AuthorizationSet out_params;
6476 string ciphertext1 = EncryptMessage(message, params, &out_params);
6477 vector<uint8_t> iv1 = CopyIv(out_params);
6478 EXPECT_EQ(message.size(), ciphertext1.size());
6479
6480 out_params.Clear();
6481
6482 string ciphertext2 = EncryptMessage(message, params, &out_params);
6483 vector<uint8_t> iv2 = CopyIv(out_params);
6484 EXPECT_EQ(message.size(), ciphertext2.size());
6485
6486 // IVs should be random, so ciphertexts should differ.
6487 EXPECT_NE(ciphertext1, ciphertext2);
6488
6489 params.push_back(TAG_NONCE, iv1);
6490 string plaintext = DecryptMessage(ciphertext1, params);
6491 EXPECT_EQ(message, plaintext);
6492}
6493
6494/*
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6495 * EncryptionOperationsTest.AesCbcZeroInputSuccessb
6496 *
6497 * Verifies that keymaster generates correct output on zero-input with
6498 * NonePadding mode
6499 */
6500TEST_P(EncryptionOperationsTest, AesCbcZeroInputSuccess) {
6501 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6502 .Authorization(TAG_NO_AUTH_REQUIRED)
6503 .AesEncryptionKey(128)
6504 .BlockMode(BlockMode::CBC)
6505 .Padding(PaddingMode::NONE, PaddingMode::PKCS7)));
6506
6507 // Zero input message
6508 string message = "";
6509 for (auto padding : {PaddingMode::NONE, PaddingMode::PKCS7}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]6510 SCOPED_TRACE(testing::Message() << "AES padding=" << padding);
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6511 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(padding);
6512 AuthorizationSet out_params;
6513 string ciphertext1 = EncryptMessage(message, params, &out_params);
6514 vector<uint8_t> iv1 = CopyIv(out_params);
6515 if (padding == PaddingMode::NONE)
6516 EXPECT_EQ(message.size(), ciphertext1.size()) << "PaddingMode: " << padding;
6517 else
6518 EXPECT_EQ(message.size(), ciphertext1.size() - 16) << "PaddingMode: " << padding;
6519
6520 out_params.Clear();
6521
6522 string ciphertext2 = EncryptMessage(message, params, &out_params);
6523 vector<uint8_t> iv2 = CopyIv(out_params);
6524 if (padding == PaddingMode::NONE)
6525 EXPECT_EQ(message.size(), ciphertext2.size()) << "PaddingMode: " << padding;
6526 else
6527 EXPECT_EQ(message.size(), ciphertext2.size() - 16) << "PaddingMode: " << padding;
6528
6529 // IVs should be random
6530 EXPECT_NE(iv1, iv2) << "PaddingMode: " << padding;
6531
6532 params.push_back(TAG_NONCE, iv1);
6533 string plaintext = DecryptMessage(ciphertext1, params);
6534 EXPECT_EQ(message, plaintext) << "PaddingMode: " << padding;
6535 }
6536}
6537
6538/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6539 * EncryptionOperationsTest.AesCallerNonce
6540 *
6541 * Verifies that AES caller-provided nonces work correctly.
6542 */
6543TEST_P(EncryptionOperationsTest, AesCallerNonce) {
6544 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6545 .Authorization(TAG_NO_AUTH_REQUIRED)
6546 .AesEncryptionKey(128)
6547 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6548 .Authorization(TAG_CALLER_NONCE)
6549 .Padding(PaddingMode::NONE)));
6550
6551 string message = "12345678901234567890123456789012";
6552
6553 // Don't specify nonce, should get a random one.
6554 AuthorizationSetBuilder params =
6555 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6556 AuthorizationSet out_params;
6557 string ciphertext = EncryptMessage(message, params, &out_params);
6558 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6559 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6560
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6561 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6562 string plaintext = DecryptMessage(ciphertext, params);
6563 EXPECT_EQ(message, plaintext);
6564
6565 // Now specify a nonce, should also work.
6566 params = AuthorizationSetBuilder()
6567 .BlockMode(BlockMode::CBC)
6568 .Padding(PaddingMode::NONE)
6569 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6570 out_params.Clear();
6571 ciphertext = EncryptMessage(message, params, &out_params);
6572
6573 // Decrypt with correct nonce.
6574 plaintext = DecryptMessage(ciphertext, params);
6575 EXPECT_EQ(message, plaintext);
6576
6577 // Try with wrong nonce.
6578 params = AuthorizationSetBuilder()
6579 .BlockMode(BlockMode::CBC)
6580 .Padding(PaddingMode::NONE)
6581 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
6582 plaintext = DecryptMessage(ciphertext, params);
6583 EXPECT_NE(message, plaintext);
6584}
6585
6586/*
6587 * EncryptionOperationsTest.AesCallerNonceProhibited
6588 *
6589 * Verifies that caller-provided nonces are not permitted when not specified in the key
6590 * authorizations.
6591 */
6592TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
6593 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6594 .Authorization(TAG_NO_AUTH_REQUIRED)
6595 .AesEncryptionKey(128)
6596 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6597 .Padding(PaddingMode::NONE)));
6598
6599 string message = "12345678901234567890123456789012";
6600
6601 // Don't specify nonce, should get a random one.
6602 AuthorizationSetBuilder params =
6603 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6604 AuthorizationSet out_params;
6605 string ciphertext = EncryptMessage(message, params, &out_params);
6606 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6607 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6608
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6609 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6610 string plaintext = DecryptMessage(ciphertext, params);
6611 EXPECT_EQ(message, plaintext);
6612
6613 // Now specify a nonce, should fail
6614 params = AuthorizationSetBuilder()
6615 .BlockMode(BlockMode::CBC)
6616 .Padding(PaddingMode::NONE)
6617 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6618 out_params.Clear();
6619 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
6620}
6621
6622/*
6623 * EncryptionOperationsTest.AesGcmRoundTripSuccess
6624 *
6625 * Verifies that AES GCM mode works.
6626 */
6627TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
6628 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6629 .Authorization(TAG_NO_AUTH_REQUIRED)
6630 .AesEncryptionKey(128)
6631 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6632 .Padding(PaddingMode::NONE)
6633 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6634
6635 string aad = "foobar";
6636 string message = "123456789012345678901234567890123456";
6637
6638 auto begin_params = AuthorizationSetBuilder()
6639 .BlockMode(BlockMode::GCM)
6640 .Padding(PaddingMode::NONE)
6641 .Authorization(TAG_MAC_LENGTH, 128);
6642
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6643 // Encrypt
6644 AuthorizationSet begin_out_params;
6645 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6646 << "Begin encrypt";
6647 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6648 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6649 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6650 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6651
6652 // Grab nonce
6653 begin_params.push_back(begin_out_params);
6654
6655 // Decrypt.
6656 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6657 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6658 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6659 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6660 EXPECT_EQ(message.length(), plaintext.length());
6661 EXPECT_EQ(message, plaintext);
6662}
6663
6664/*
6665 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
6666 *
6667 * Verifies that AES GCM mode works, even when there's a long delay
6668 * between operations.
6669 */
6670TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
6671 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6672 .Authorization(TAG_NO_AUTH_REQUIRED)
6673 .AesEncryptionKey(128)
6674 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6675 .Padding(PaddingMode::NONE)
6676 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6677
6678 string aad = "foobar";
6679 string message = "123456789012345678901234567890123456";
6680
6681 auto begin_params = AuthorizationSetBuilder()
6682 .BlockMode(BlockMode::GCM)
6683 .Padding(PaddingMode::NONE)
6684 .Authorization(TAG_MAC_LENGTH, 128);
6685
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6686 // Encrypt
6687 AuthorizationSet begin_out_params;
6688 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6689 << "Begin encrypt";
6690 string ciphertext;
6691 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6692 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6693 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6694 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6695
6696 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6697
6698 // Grab nonce
6699 begin_params.push_back(begin_out_params);
6700
6701 // Decrypt.
6702 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
6703 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6704 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6705 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6706 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6707 sleep(5);
6708 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
6709 EXPECT_EQ(message.length(), plaintext.length());
6710 EXPECT_EQ(message, plaintext);
6711}
6712
6713/*
6714 * EncryptionOperationsTest.AesGcmDifferentNonces
6715 *
6716 * Verifies that encrypting the same data with different nonces produces different outputs.
6717 */
6718TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
6719 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6720 .Authorization(TAG_NO_AUTH_REQUIRED)
6721 .AesEncryptionKey(128)
6722 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6723 .Padding(PaddingMode::NONE)
6724 .Authorization(TAG_MIN_MAC_LENGTH, 128)
6725 .Authorization(TAG_CALLER_NONCE)));
6726
6727 string aad = "foobar";
6728 string message = "123456789012345678901234567890123456";
6729 string nonce1 = "000000000000";
6730 string nonce2 = "111111111111";
6731 string nonce3 = "222222222222";
6732
6733 string ciphertext1 =
6734 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
6735 string ciphertext2 =
6736 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
6737 string ciphertext3 =
6738 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
6739
6740 ASSERT_NE(ciphertext1, ciphertext2);
6741 ASSERT_NE(ciphertext1, ciphertext3);
6742 ASSERT_NE(ciphertext2, ciphertext3);
6743}
6744
6745/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6746 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
6747 *
6748 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
6749 */
6750TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
6751 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6752 .Authorization(TAG_NO_AUTH_REQUIRED)
6753 .AesEncryptionKey(128)
6754 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6755 .Padding(PaddingMode::NONE)
6756 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6757
6758 string aad = "foobar";
6759 string message = "123456789012345678901234567890123456";
6760
6761 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6762 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6763 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6764
6765 ASSERT_NE(ciphertext1, ciphertext2);
6766 ASSERT_NE(ciphertext1, ciphertext3);
6767 ASSERT_NE(ciphertext2, ciphertext3);
6768}
6769
6770/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6771 * EncryptionOperationsTest.AesGcmTooShortTag
6772 *
6773 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
6774 */
6775TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
6776 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6777 .Authorization(TAG_NO_AUTH_REQUIRED)
6778 .AesEncryptionKey(128)
6779 .BlockMode(BlockMode::GCM)
6780 .Padding(PaddingMode::NONE)
6781 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6782 string message = "123456789012345678901234567890123456";
6783 auto params = AuthorizationSetBuilder()
6784 .BlockMode(BlockMode::GCM)
6785 .Padding(PaddingMode::NONE)
6786 .Authorization(TAG_MAC_LENGTH, 96);
6787
6788 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
6789}
6790
6791/*
6792 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
6793 *
6794 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
6795 */
6796TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
6797 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6798 .Authorization(TAG_NO_AUTH_REQUIRED)
6799 .AesEncryptionKey(128)
6800 .BlockMode(BlockMode::GCM)
6801 .Padding(PaddingMode::NONE)
6802 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6803 string aad = "foobar";
6804 string message = "123456789012345678901234567890123456";
6805 auto params = AuthorizationSetBuilder()
6806 .BlockMode(BlockMode::GCM)
6807 .Padding(PaddingMode::NONE)
6808 .Authorization(TAG_MAC_LENGTH, 128);
6809
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6810 // Encrypt
6811 AuthorizationSet begin_out_params;
6812 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6813 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6814 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6815
6816 AuthorizationSet finish_out_params;
6817 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6818 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6819 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6820
6821 params = AuthorizationSetBuilder()
6822 .Authorizations(begin_out_params)
6823 .BlockMode(BlockMode::GCM)
6824 .Padding(PaddingMode::NONE)
6825 .Authorization(TAG_MAC_LENGTH, 96);
6826
6827 // Decrypt.
6828 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
6829}
6830
6831/*
6832 * EncryptionOperationsTest.AesGcmCorruptKey
6833 *
6834 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
6835 */
6836TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
6837 const uint8_t nonce_bytes[] = {
6838 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
6839 };
6840 string nonce = make_string(nonce_bytes);
6841 const uint8_t ciphertext_bytes[] = {
6842 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
6843 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
6844 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
6845 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
6846 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
6847 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
6848 };
6849 string ciphertext = make_string(ciphertext_bytes);
6850
6851 auto params = AuthorizationSetBuilder()
6852 .BlockMode(BlockMode::GCM)
6853 .Padding(PaddingMode::NONE)
6854 .Authorization(TAG_MAC_LENGTH, 128)
6855 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
6856
6857 auto import_params = AuthorizationSetBuilder()
6858 .Authorization(TAG_NO_AUTH_REQUIRED)
6859 .AesEncryptionKey(128)
6860 .BlockMode(BlockMode::GCM)
6861 .Padding(PaddingMode::NONE)
6862 .Authorization(TAG_CALLER_NONCE)
6863 .Authorization(TAG_MIN_MAC_LENGTH, 128);
6864
6865 // Import correct key and decrypt
6866 const uint8_t key_bytes[] = {
6867 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
6868 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
6869 };
6870 string key = make_string(key_bytes);
6871 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6872 string plaintext = DecryptMessage(ciphertext, params);
6873 CheckedDeleteKey();
6874
6875 // Corrupt key and attempt to decrypt
6876 key[0] = 0;
6877 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6878 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
6879 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
6880 CheckedDeleteKey();
6881}
6882
6883/*
6884 * EncryptionOperationsTest.AesGcmAadNoData
6885 *
6886 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
6887 * encrypt.
6888 */
6889TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
6890 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6891 .Authorization(TAG_NO_AUTH_REQUIRED)
6892 .AesEncryptionKey(128)
6893 .BlockMode(BlockMode::GCM)
6894 .Padding(PaddingMode::NONE)
6895 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6896
6897 string aad = "1234567890123456";
6898 auto params = AuthorizationSetBuilder()
6899 .BlockMode(BlockMode::GCM)
6900 .Padding(PaddingMode::NONE)
6901 .Authorization(TAG_MAC_LENGTH, 128);
6902
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6903 // Encrypt
6904 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6905 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6906 string ciphertext;
6907 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6908 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6909 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6910 EXPECT_TRUE(finish_out_params.empty());
6911
6912 // Grab nonce
6913 params.push_back(begin_out_params);
6914
6915 // Decrypt.
6916 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6917 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6918 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6919 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6920
6921 EXPECT_TRUE(finish_out_params.empty());
6922
6923 EXPECT_EQ("", plaintext);
6924}
6925
6926/*
6927 * EncryptionOperationsTest.AesGcmMultiPartAad
6928 *
6929 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
6930 * chunks.
6931 */
6932TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
6933 const size_t tag_bits = 128;
6934 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6935 .Authorization(TAG_NO_AUTH_REQUIRED)
6936 .AesEncryptionKey(128)
6937 .BlockMode(BlockMode::GCM)
6938 .Padding(PaddingMode::NONE)
6939 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6940
6941 string message = "123456789012345678901234567890123456";
6942 auto begin_params = AuthorizationSetBuilder()
6943 .BlockMode(BlockMode::GCM)
6944 .Padding(PaddingMode::NONE)
6945 .Authorization(TAG_MAC_LENGTH, tag_bits);
6946 AuthorizationSet begin_out_params;
6947
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6948 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6949
6950 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6951 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
6952 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6953 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6954 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6955 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6956
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6957 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6958 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6959
6960 // Grab nonce.
6961 begin_params.push_back(begin_out_params);
6962
6963 // Decrypt
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6964 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6965 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6966 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6967 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6968 EXPECT_EQ(message, plaintext);
6969}
6970
6971/*
6972 * EncryptionOperationsTest.AesGcmAadOutOfOrder
6973 *
6974 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
6975 */
6976TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
6977 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6978 .Authorization(TAG_NO_AUTH_REQUIRED)
6979 .AesEncryptionKey(128)
6980 .BlockMode(BlockMode::GCM)
6981 .Padding(PaddingMode::NONE)
6982 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6983
6984 string message = "123456789012345678901234567890123456";
6985 auto begin_params = AuthorizationSetBuilder()
6986 .BlockMode(BlockMode::GCM)
6987 .Padding(PaddingMode::NONE)
6988 .Authorization(TAG_MAC_LENGTH, 128);
6989 AuthorizationSet begin_out_params;
6990
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6991 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6992
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6993 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6994 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6995 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6996 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6997
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6998 // The failure should have already cancelled the operation.
6999 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
7000
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7001 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7002}
7003
7004/*
7005 * EncryptionOperationsTest.AesGcmBadAad
7006 *
7007 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
7008 */
7009TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
7010 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7011 .Authorization(TAG_NO_AUTH_REQUIRED)
7012 .AesEncryptionKey(128)
7013 .BlockMode(BlockMode::GCM)
7014 .Padding(PaddingMode::NONE)
7015 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7016
7017 string message = "12345678901234567890123456789012";
7018 auto begin_params = AuthorizationSetBuilder()
7019 .BlockMode(BlockMode::GCM)
7020 .Padding(PaddingMode::NONE)
7021 .Authorization(TAG_MAC_LENGTH, 128);
7022
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7023 // Encrypt
7024 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7025 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7026 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7027 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7028 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7029
7030 // Grab nonce
7031 begin_params.push_back(begin_out_params);
7032
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7033 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7034 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7035 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7036 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7037 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7038}
7039
7040/*
7041 * EncryptionOperationsTest.AesGcmWrongNonce
7042 *
7043 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
7044 */
7045TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
7046 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7047 .Authorization(TAG_NO_AUTH_REQUIRED)
7048 .AesEncryptionKey(128)
7049 .BlockMode(BlockMode::GCM)
7050 .Padding(PaddingMode::NONE)
7051 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7052
7053 string message = "12345678901234567890123456789012";
7054 auto begin_params = AuthorizationSetBuilder()
7055 .BlockMode(BlockMode::GCM)
7056 .Padding(PaddingMode::NONE)
7057 .Authorization(TAG_MAC_LENGTH, 128);
7058
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7059 // Encrypt
7060 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7061 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7062 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7063 string ciphertext;
7064 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7065 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7066
7067 // Wrong nonce
7068 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
7069
7070 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7071 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7072 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7073 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7074 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7075
7076 // With wrong nonce, should have gotten garbage plaintext (or none).
7077 EXPECT_NE(message, plaintext);
7078}
7079
7080/*
7081 * EncryptionOperationsTest.AesGcmCorruptTag
7082 *
7083 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
7084 */
7085TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
7086 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7087 .Authorization(TAG_NO_AUTH_REQUIRED)
7088 .AesEncryptionKey(128)
7089 .BlockMode(BlockMode::GCM)
7090 .Padding(PaddingMode::NONE)
7091 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7092
7093 string aad = "1234567890123456";
7094 string message = "123456789012345678901234567890123456";
7095
7096 auto params = AuthorizationSetBuilder()
7097 .BlockMode(BlockMode::GCM)
7098 .Padding(PaddingMode::NONE)
7099 .Authorization(TAG_MAC_LENGTH, 128);
7100
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7101 // Encrypt
7102 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7103 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7104 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7105 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7106 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7107
7108 // Corrupt tag
7109 ++(*ciphertext.rbegin());
7110
7111 // Grab nonce
7112 params.push_back(begin_out_params);
7113
7114 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7115 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7116 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7117 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7118 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7119}
7120
7121/*
7122 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
7123 *
7124 * Verifies that 3DES is basically functional.
7125 */
7126TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
7127 auto auths = AuthorizationSetBuilder()
7128 .TripleDesEncryptionKey(168)
7129 .BlockMode(BlockMode::ECB)
7130 .Authorization(TAG_NO_AUTH_REQUIRED)
7131 .Padding(PaddingMode::NONE);
7132
7133 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
7134 // Two-block message.
7135 string message = "1234567890123456";
7136 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7137 string ciphertext1 = EncryptMessage(message, inParams);
7138 EXPECT_EQ(message.size(), ciphertext1.size());
7139
7140 string ciphertext2 = EncryptMessage(string(message), inParams);
7141 EXPECT_EQ(message.size(), ciphertext2.size());
7142
7143 // ECB is deterministic.
7144 EXPECT_EQ(ciphertext1, ciphertext2);
7145
7146 string plaintext = DecryptMessage(ciphertext1, inParams);
7147 EXPECT_EQ(message, plaintext);
7148}
7149
7150/*
7151 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
7152 *
7153 * Verifies that CBC keys reject ECB usage.
7154 */
7155TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
7156 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7157 .TripleDesEncryptionKey(168)
7158 .BlockMode(BlockMode::CBC)
7159 .Authorization(TAG_NO_AUTH_REQUIRED)
7160 .Padding(PaddingMode::NONE)));
7161
7162 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7163 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
7164}
7165
7166/*
7167 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
7168 *
7169 * Tests ECB mode with PKCS#7 padding, various message sizes.
7170 */
7171TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
7172 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7173 .TripleDesEncryptionKey(168)
7174 .BlockMode(BlockMode::ECB)
7175 .Authorization(TAG_NO_AUTH_REQUIRED)
7176 .Padding(PaddingMode::PKCS7)));
7177
7178 for (size_t i = 0; i < 32; ++i) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7179 SCOPED_TRACE(testing::Message() << "msg size=" << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7180 string message(i, 'a');
7181 auto inParams =
7182 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7183 string ciphertext = EncryptMessage(message, inParams);
7184 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7185 string plaintext = DecryptMessage(ciphertext, inParams);
7186 EXPECT_EQ(message, plaintext);
7187 }
7188}
7189
7190/*
7191 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
7192 *
7193 * Verifies that keys configured for no padding reject PKCS7 padding
7194 */
7195TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
7196 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7197 .TripleDesEncryptionKey(168)
7198 .BlockMode(BlockMode::ECB)
7199 .Authorization(TAG_NO_AUTH_REQUIRED)
7200 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7201 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7202 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7203}
7204
7205/*
7206 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
7207 *
7208 * Verifies that corrupted padding is detected.
7209 */
7210TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
7211 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7212 .TripleDesEncryptionKey(168)
7213 .BlockMode(BlockMode::ECB)
7214 .Authorization(TAG_NO_AUTH_REQUIRED)
7215 .Padding(PaddingMode::PKCS7)));
7216
7217 string message = "a";
7218 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
7219 EXPECT_EQ(8U, ciphertext.size());
7220 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7221
7222 AuthorizationSetBuilder begin_params;
7223 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
7224 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7225
7226 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
7227 ++ciphertext[ciphertext.size() / 2];
7228
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7229 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7230 string plaintext;
7231 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7232 ErrorCode error = Finish(&plaintext);
7233 if (error == ErrorCode::INVALID_ARGUMENT) {
7234 // This is the expected error, we can exit the test now.
7235 return;
7236 } else {
7237 // Very small chance we got valid decryption, so try again.
7238 ASSERT_EQ(error, ErrorCode::OK);
7239 }
7240 }
7241 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7242}
7243
7244struct TripleDesTestVector {
7245 const char* name;
7246 const KeyPurpose purpose;
7247 const BlockMode block_mode;
7248 const PaddingMode padding_mode;
7249 const char* key;
7250 const char* iv;
7251 const char* input;
7252 const char* output;
7253};
7254
7255// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
7256// of the NIST vectors are multiples of the block size.
7257static const TripleDesTestVector kTripleDesTestVectors[] = {
7258 {
7259 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7260 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
7261 "", // IV
7262 "329d86bdf1bc5af4", // input
7263 "d946c2756d78633f", // output
7264 },
7265 {
7266 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7267 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
7268 "", // IV
7269 "6b1540781b01ce1997adae102dbf3c5b", // input
7270 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
7271 },
7272 {
7273 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7274 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
7275 "", // IV
7276 "6daad94ce08acfe7", // input
7277 "660e7d32dcc90e79", // output
7278 },
7279 {
7280 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7281 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
7282 "", // IV
7283 "e9653a0a1f05d31b9acd12d73aa9879d", // input
7284 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
7285 },
7286 {
7287 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7288 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
7289 "43f791134c5647ba", // IV
7290 "dcc153cef81d6f24", // input
7291 "92538bd8af18d3ba", // output
7292 },
7293 {
7294 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7295 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7296 "c2e999cb6249023c", // IV
7297 "c689aee38a301bb316da75db36f110b5", // input
7298 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
7299 },
7300 {
7301 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
7302 PaddingMode::PKCS7,
7303 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7304 "c2e999cb6249023c", // IV
7305 "c689aee38a301bb316da75db36f110b500", // input
7306 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
7307 },
7308 {
7309 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
7310 PaddingMode::PKCS7,
7311 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7312 "c2e999cb6249023c", // IV
7313 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
7314 "c689aee38a301bb316da75db36f110b500", // output
7315 },
7316 {
7317 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7318 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
7319 "41746c7e442d3681", // IV
7320 "c53a7b0ec40600fe", // input
7321 "d4f00eb455de1034", // output
7322 },
7323 {
7324 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7325 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
7326 "3982bc02c3727d45", // IV
7327 "6006f10adef52991fcc777a1238bbb65", // input
7328 "edae09288e9e3bc05746d872b48e3b29", // output
7329 },
7330};
7331
7332/*
7333 * EncryptionOperationsTest.TripleDesTestVector
7334 *
7335 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
7336 */
7337TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
7338 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
7339 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
7340 SCOPED_TRACE(test->name);
7341 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
7342 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
7343 hex2str(test->output));
7344 }
7345}
7346
7347/*
7348 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
7349 *
7350 * Validates CBC mode functionality.
7351 */
7352TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
7353 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7354 .TripleDesEncryptionKey(168)
7355 .BlockMode(BlockMode::CBC)
7356 .Authorization(TAG_NO_AUTH_REQUIRED)
7357 .Padding(PaddingMode::NONE)));
7358
7359 ASSERT_GT(key_blob_.size(), 0U);
7360
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7361 // Four-block message.
7362 string message = "12345678901234561234567890123456";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7363 vector<uint8_t> iv1;
7364 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
7365 EXPECT_EQ(message.size(), ciphertext1.size());
7366
7367 vector<uint8_t> iv2;
7368 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
7369 EXPECT_EQ(message.size(), ciphertext2.size());
7370
7371 // IVs should be random, so ciphertexts should differ.
7372 EXPECT_NE(iv1, iv2);
7373 EXPECT_NE(ciphertext1, ciphertext2);
7374
7375 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
7376 EXPECT_EQ(message, plaintext);
7377}
7378
7379/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7380 * EncryptionOperationsTest.TripleDesInvalidCallerIv
7381 *
7382 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
7383 */
7384TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
7385 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7386 .TripleDesEncryptionKey(168)
7387 .BlockMode(BlockMode::CBC)
7388 .Authorization(TAG_NO_AUTH_REQUIRED)
7389 .Authorization(TAG_CALLER_NONCE)
7390 .Padding(PaddingMode::NONE)));
7391 auto params = AuthorizationSetBuilder()
7392 .BlockMode(BlockMode::CBC)
7393 .Padding(PaddingMode::NONE)
7394 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
7395 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
7396}
7397
7398/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7399 * EncryptionOperationsTest.TripleDesCallerIv
7400 *
7401 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
7402 */
7403TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
7404 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7405 .TripleDesEncryptionKey(168)
7406 .BlockMode(BlockMode::CBC)
7407 .Authorization(TAG_NO_AUTH_REQUIRED)
7408 .Authorization(TAG_CALLER_NONCE)
7409 .Padding(PaddingMode::NONE)));
7410 string message = "1234567890123456";
7411 vector<uint8_t> iv;
7412 // Don't specify IV, should get a random one.
7413 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7414 EXPECT_EQ(message.size(), ciphertext1.size());
7415 EXPECT_EQ(8U, iv.size());
7416
7417 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7418 EXPECT_EQ(message, plaintext);
7419
7420 // Now specify an IV, should also work.
7421 iv = AidlBuf("abcdefgh");
7422 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
7423
7424 // Decrypt with correct IV.
7425 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
7426 EXPECT_EQ(message, plaintext);
7427
7428 // Now try with wrong IV.
7429 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
7430 EXPECT_NE(message, plaintext);
7431}
7432
7433/*
7434 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
7435 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7436 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7437 */
7438TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
7439 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7440 .TripleDesEncryptionKey(168)
7441 .BlockMode(BlockMode::CBC)
7442 .Authorization(TAG_NO_AUTH_REQUIRED)
7443 .Padding(PaddingMode::NONE)));
7444
7445 string message = "12345678901234567890123456789012";
7446 vector<uint8_t> iv;
7447 // Don't specify nonce, should get a random one.
7448 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7449 EXPECT_EQ(message.size(), ciphertext1.size());
7450 EXPECT_EQ(8U, iv.size());
7451
7452 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7453 EXPECT_EQ(message, plaintext);
7454
7455 // Now specify a nonce, should fail.
7456 auto input_params = AuthorizationSetBuilder()
7457 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
7458 .BlockMode(BlockMode::CBC)
7459 .Padding(PaddingMode::NONE);
7460 AuthorizationSet output_params;
7461 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
7462 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
7463}
7464
7465/*
7466 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
7467 *
7468 * Verifies that 3DES ECB-only keys do not allow CBC usage.
7469 */
7470TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
7471 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7472 .TripleDesEncryptionKey(168)
7473 .BlockMode(BlockMode::ECB)
7474 .Authorization(TAG_NO_AUTH_REQUIRED)
7475 .Padding(PaddingMode::NONE)));
7476 // Two-block message.
7477 string message = "1234567890123456";
7478 auto begin_params =
7479 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7480 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7481}
7482
7483/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7484 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7485 *
7486 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
7487 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7488TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
7489 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7490 SCOPED_TRACE(testing::Message() << "BlockMode::" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7491 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7492 .TripleDesEncryptionKey(168)
7493 .BlockMode(blockMode)
7494 .Authorization(TAG_NO_AUTH_REQUIRED)
7495 .Padding(PaddingMode::NONE)));
7496 // Message is slightly shorter than two blocks.
7497 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7498
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7499 auto begin_params =
7500 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
7501 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7502 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7503 string ciphertext;
7504 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
7505
7506 CheckedDeleteKey();
7507 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7508}
7509
7510/*
7511 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
7512 *
7513 * Verifies that PKCS7 padding works correctly in CBC mode.
7514 */
7515TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
7516 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7517 .TripleDesEncryptionKey(168)
7518 .BlockMode(BlockMode::CBC)
7519 .Authorization(TAG_NO_AUTH_REQUIRED)
7520 .Padding(PaddingMode::PKCS7)));
7521
7522 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7523 for (size_t i = 0; i <= 32; i++) {
7524 SCOPED_TRACE(testing::Message() << "i = " << i);
7525 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character, albeit not for 3DES.
7526 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7527 vector<uint8_t> iv;
7528 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7529 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7530 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
7531 EXPECT_EQ(message, plaintext);
7532 }
7533}
7534
7535/*
7536 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
7537 *
7538 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
7539 */
7540TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
7541 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7542 .TripleDesEncryptionKey(168)
7543 .BlockMode(BlockMode::CBC)
7544 .Authorization(TAG_NO_AUTH_REQUIRED)
7545 .Padding(PaddingMode::NONE)));
7546
7547 // Try various message lengths; all should fail.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7548 for (size_t i = 0; i <= 32; i++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7549 SCOPED_TRACE(testing::Message() << "i = " << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7550 auto begin_params =
7551 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
7552 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7553 }
7554}
7555
7556/*
7557 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
7558 *
7559 * Verifies that corrupted PKCS7 padding is rejected during decryption.
7560 */
7561TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
7562 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7563 .TripleDesEncryptionKey(168)
7564 .BlockMode(BlockMode::CBC)
7565 .Authorization(TAG_NO_AUTH_REQUIRED)
7566 .Padding(PaddingMode::PKCS7)));
7567
7568 string message = "a";
7569 vector<uint8_t> iv;
7570 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7571 EXPECT_EQ(8U, ciphertext.size());
7572 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7573
7574 auto begin_params = AuthorizationSetBuilder()
7575 .BlockMode(BlockMode::CBC)
7576 .Padding(PaddingMode::PKCS7)
7577 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7578
7579 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7580 SCOPED_TRACE(testing::Message() << "i = " << i);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7581 ++ciphertext[ciphertext.size() / 2];
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7582 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7583 string plaintext;
7584 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7585 ErrorCode error = Finish(&plaintext);
7586 if (error == ErrorCode::INVALID_ARGUMENT) {
7587 // This is the expected error, we can exit the test now.
7588 return;
7589 } else {
7590 // Very small chance we got valid decryption, so try again.
7591 ASSERT_EQ(error, ErrorCode::OK);
7592 }
7593 }
7594 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7595}
7596
7597/*
7598 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
7599 *
7600 * Verifies that 3DES CBC works with many different input sizes.
7601 */
7602TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
7603 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7604 .TripleDesEncryptionKey(168)
7605 .BlockMode(BlockMode::CBC)
7606 .Authorization(TAG_NO_AUTH_REQUIRED)
7607 .Padding(PaddingMode::NONE)));
7608
7609 int increment = 7;
7610 string message(240, 'a');
7611 AuthorizationSet input_params =
7612 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7613 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7614 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7615
7616 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7617 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7618 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7619 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
7620 EXPECT_EQ(message.size(), ciphertext.size());
7621
7622 // Move TAG_NONCE into input_params
7623 input_params = output_params;
7624 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
7625 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
7626 output_params.Clear();
7627
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7628 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7629 string plaintext;
7630 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7631 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7632 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
7633 EXPECT_EQ(ciphertext.size(), plaintext.size());
7634 EXPECT_EQ(message, plaintext);
7635}
7636
7637INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
7638
7639typedef KeyMintAidlTestBase MaxOperationsTest;
7640
7641/*
7642 * MaxOperationsTest.TestLimitAes
7643 *
7644 * Verifies that the max uses per boot tag works correctly with AES keys.
7645 */
7646TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7647 if (SecLevel() == SecurityLevel::STRONGBOX) {
7648 GTEST_SKIP() << "Test not applicable to StrongBox device";
7649 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7650
7651 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7652 .Authorization(TAG_NO_AUTH_REQUIRED)
7653 .AesEncryptionKey(128)
7654 .EcbMode()
7655 .Padding(PaddingMode::NONE)
7656 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
7657
7658 string message = "1234567890123456";
7659
7660 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7661
7662 EncryptMessage(message, params);
7663 EncryptMessage(message, params);
7664 EncryptMessage(message, params);
7665
7666 // Fourth time should fail.
7667 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
7668}
7669
7670/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7671 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7672 *
7673 * Verifies that the max uses per boot tag works correctly with RSA keys.
7674 */
7675TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7676 if (SecLevel() == SecurityLevel::STRONGBOX) {
7677 GTEST_SKIP() << "Test not applicable to StrongBox device";
7678 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7679
7680 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7681 .Authorization(TAG_NO_AUTH_REQUIRED)
7682 .RsaSigningKey(1024, 65537)
7683 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7684 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
7685 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7686
7687 string message = "1234567890123456";
7688
7689 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7690
7691 SignMessage(message, params);
7692 SignMessage(message, params);
7693 SignMessage(message, params);
7694
7695 // Fourth time should fail.
7696 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
7697}
7698
7699INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
7700
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7701typedef KeyMintAidlTestBase UsageCountLimitTest;
7702
7703/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7704 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7705 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7706 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7707 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7708TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7709 if (SecLevel() == SecurityLevel::STRONGBOX) {
7710 GTEST_SKIP() << "Test not applicable to StrongBox device";
7711 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7712
7713 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7714 .Authorization(TAG_NO_AUTH_REQUIRED)
7715 .AesEncryptionKey(128)
7716 .EcbMode()
7717 .Padding(PaddingMode::NONE)
7718 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
7719
7720 // Check the usage count limit tag appears in the authorizations.
7721 AuthorizationSet auths;
7722 for (auto& entry : key_characteristics_) {
7723 auths.push_back(AuthorizationSet(entry.authorizations));
7724 }
7725 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7726 << "key usage count limit " << 1U << " missing";
7727
7728 string message = "1234567890123456";
7729 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7730
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7731 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7732 AuthorizationSet keystore_auths =
7733 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7734
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7735 // First usage of AES key should work.
7736 EncryptMessage(message, params);
7737
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7738 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7739 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7740 // must be invalidated from secure storage (such as RPMB partition).
7741 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7742 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7743 // Usage count limit tag is enforced by keystore, keymint does nothing.
7744 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7745 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7746 }
7747}
7748
7749/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7750 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7751 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7752 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7753 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7754TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7755 if (SecLevel() == SecurityLevel::STRONGBOX) {
7756 GTEST_SKIP() << "Test not applicable to StrongBox device";
7757 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7758
7759 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7760 .Authorization(TAG_NO_AUTH_REQUIRED)
7761 .AesEncryptionKey(128)
7762 .EcbMode()
7763 .Padding(PaddingMode::NONE)
7764 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
7765
7766 // Check the usage count limit tag appears in the authorizations.
7767 AuthorizationSet auths;
7768 for (auto& entry : key_characteristics_) {
7769 auths.push_back(AuthorizationSet(entry.authorizations));
7770 }
7771 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7772 << "key usage count limit " << 3U << " missing";
7773
7774 string message = "1234567890123456";
7775 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7776
7777 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7778 AuthorizationSet keystore_auths =
7779 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7780
7781 EncryptMessage(message, params);
7782 EncryptMessage(message, params);
7783 EncryptMessage(message, params);
7784
7785 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7786 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7787 // must be invalidated from secure storage (such as RPMB partition).
7788 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7789 } else {
7790 // Usage count limit tag is enforced by keystore, keymint does nothing.
7791 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7792 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7793 }
7794}
7795
7796/*
7797 * UsageCountLimitTest.TestSingleUseRsa
7798 *
7799 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
7800 */
7801TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7802 if (SecLevel() == SecurityLevel::STRONGBOX) {
7803 GTEST_SKIP() << "Test not applicable to StrongBox device";
7804 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7805
7806 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7807 .Authorization(TAG_NO_AUTH_REQUIRED)
7808 .RsaSigningKey(1024, 65537)
7809 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7810 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7811 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7812
7813 // Check the usage count limit tag appears in the authorizations.
7814 AuthorizationSet auths;
7815 for (auto& entry : key_characteristics_) {
7816 auths.push_back(AuthorizationSet(entry.authorizations));
7817 }
7818 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7819 << "key usage count limit " << 1U << " missing";
7820
7821 string message = "1234567890123456";
7822 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7823
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7824 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7825 AuthorizationSet keystore_auths =
7826 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7827
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7828 // First usage of RSA key should work.
7829 SignMessage(message, params);
7830
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7831 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7832 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7833 // must be invalidated from secure storage (such as RPMB partition).
7834 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7835 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7836 // Usage count limit tag is enforced by keystore, keymint does nothing.
7837 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7838 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7839 }
7840}
7841
7842/*
7843 * UsageCountLimitTest.TestLimitUseRsa
7844 *
7845 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
7846 */
7847TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7848 if (SecLevel() == SecurityLevel::STRONGBOX) {
7849 GTEST_SKIP() << "Test not applicable to StrongBox device";
7850 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7851
7852 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7853 .Authorization(TAG_NO_AUTH_REQUIRED)
7854 .RsaSigningKey(1024, 65537)
7855 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7856 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
7857 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7858
7859 // Check the usage count limit tag appears in the authorizations.
7860 AuthorizationSet auths;
7861 for (auto& entry : key_characteristics_) {
7862 auths.push_back(AuthorizationSet(entry.authorizations));
7863 }
7864 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7865 << "key usage count limit " << 3U << " missing";
7866
7867 string message = "1234567890123456";
7868 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7869
7870 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7871 AuthorizationSet keystore_auths =
7872 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7873
7874 SignMessage(message, params);
7875 SignMessage(message, params);
7876 SignMessage(message, params);
7877
7878 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7879 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7880 // must be invalidated from secure storage (such as RPMB partition).
7881 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7882 } else {
7883 // Usage count limit tag is enforced by keystore, keymint does nothing.
7884 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7885 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7886 }
7887}
7888
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7889/*
7890 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
7891 *
7892 * Verifies that when rollback resistance is supported by the KeyMint implementation with
7893 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
7894 * in hardware.
7895 */
7896TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7897 auto error = GenerateKey(AuthorizationSetBuilder()
7898 .RsaSigningKey(2048, 65537)
7899 .Digest(Digest::NONE)
7900 .Padding(PaddingMode::NONE)
7901 .Authorization(TAG_NO_AUTH_REQUIRED)
7902 .Authorization(TAG_ROLLBACK_RESISTANCE)
7903 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7904 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7905 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7906 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7907
7908 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
7909 ASSERT_EQ(ErrorCode::OK, error);
7910 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7911 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
7912 ASSERT_EQ(ErrorCode::OK, DeleteKey());
7913
7914 // The KeyMint should also enforce single use key in hardware when it supports rollback
7915 // resistance.
7916 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7917 .Authorization(TAG_NO_AUTH_REQUIRED)
7918 .RsaSigningKey(1024, 65537)
7919 .NoDigestOrPadding()
7920 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7921 .SetDefaultValidity()));
7922
7923 // Check the usage count limit tag appears in the hardware authorizations.
7924 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7925 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7926 << "key usage count limit " << 1U << " missing";
7927
7928 string message = "1234567890123456";
7929 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7930
7931 // First usage of RSA key should work.
7932 SignMessage(message, params);
7933
7934 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7935 // must be invalidated from secure storage (such as RPMB partition).
7936 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7937}
7938
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7939INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
7940
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7941typedef KeyMintAidlTestBase GetHardwareInfoTest;
7942
7943TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
7944 // Retrieving hardware info should give the same result each time.
7945 KeyMintHardwareInfo info;
7946 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
7947 KeyMintHardwareInfo info2;
7948 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
7949 EXPECT_EQ(info, info2);
7950}
7951
7952INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
7953
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7954typedef KeyMintAidlTestBase AddEntropyTest;
7955
7956/*
7957 * AddEntropyTest.AddEntropy
7958 *
7959 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
7960 * is actually added.
7961 */
7962TEST_P(AddEntropyTest, AddEntropy) {
7963 string data = "foo";
7964 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
7965}
7966
7967/*
7968 * AddEntropyTest.AddEmptyEntropy
7969 *
7970 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
7971 */
7972TEST_P(AddEntropyTest, AddEmptyEntropy) {
7973 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
7974}
7975
7976/*
7977 * AddEntropyTest.AddLargeEntropy
7978 *
7979 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
7980 */
7981TEST_P(AddEntropyTest, AddLargeEntropy) {
7982 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
7983}
7984
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]7985/*
7986 * AddEntropyTest.AddTooLargeEntropy
7987 *
7988 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
7989 */
7990TEST_P(AddEntropyTest, AddTooLargeEntropy) {
7991 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
7992 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
7993}
7994
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7995INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
7996
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7997typedef KeyMintAidlTestBase KeyDeletionTest;
7998
7999/**
8000 * KeyDeletionTest.DeleteKey
8001 *
8002 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
8003 * valid key blob.
8004 */
8005TEST_P(KeyDeletionTest, DeleteKey) {
8006 auto error = GenerateKey(AuthorizationSetBuilder()
8007 .RsaSigningKey(2048, 65537)
8008 .Digest(Digest::NONE)
8009 .Padding(PaddingMode::NONE)
8010 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]8011 .Authorization(TAG_ROLLBACK_RESISTANCE)
8012 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8013 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8014 GTEST_SKIP() << "Rollback resistance not supported";
8015 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8016
8017 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8018 ASSERT_EQ(ErrorCode::OK, error);
8019 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
8020 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8021
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8022 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8023
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8024 string message = "12345678901234567890123456789012";
8025 AuthorizationSet begin_out_params;
8026 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
8027 Begin(KeyPurpose::SIGN, key_blob_,
8028 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
8029 &begin_out_params));
8030 AbortIfNeeded();
8031 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8032}
8033
8034/**
8035 * KeyDeletionTest.DeleteInvalidKey
8036 *
8037 * This test checks that the HAL excepts invalid key blobs..
8038 */
8039TEST_P(KeyDeletionTest, DeleteInvalidKey) {
8040 // Generate key just to check if rollback protection is implemented
8041 auto error = GenerateKey(AuthorizationSetBuilder()
8042 .RsaSigningKey(2048, 65537)
8043 .Digest(Digest::NONE)
8044 .Padding(PaddingMode::NONE)
8045 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]8046 .Authorization(TAG_ROLLBACK_RESISTANCE)
8047 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8048 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8049 GTEST_SKIP() << "Rollback resistance not supported";
8050 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8051
8052 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8053 ASSERT_EQ(ErrorCode::OK, error);
8054 AuthorizationSet enforced(SecLevelAuthorizations());
8055 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8056
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8057 // Delete the key we don't care about the result at this point.
8058 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8059
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8060 // Now create an invalid key blob and delete it.
8061 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8062
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8063 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8064}
8065
8066/**
8067 * KeyDeletionTest.DeleteAllKeys
8068 *
8069 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
8070 *
8071 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
8072 * FBE/FDE encryption keys, which means that the device will not even boot until after the
8073 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
8074 * been provisioned. Use this test only on dedicated testing devices that have no valuable
8075 * credentials stored in Keystore/Keymint.
8076 */
8077TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8078 if (!arm_deleteAllKeys) {
8079 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
8080 return;
8081 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8082 auto error = GenerateKey(AuthorizationSetBuilder()
8083 .RsaSigningKey(2048, 65537)
8084 .Digest(Digest::NONE)
8085 .Padding(PaddingMode::NONE)
8086 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]8087 .Authorization(TAG_ROLLBACK_RESISTANCE)
8088 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8089 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8090 GTEST_SKIP() << "Rollback resistance not supported";
8091 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8092
8093 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8094 ASSERT_EQ(ErrorCode::OK, error);
8095 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
8096 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8097
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8098 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8099
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8100 string message = "12345678901234567890123456789012";
8101 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8102
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8103 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
8104 Begin(KeyPurpose::SIGN, key_blob_,
8105 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
8106 &begin_out_params));
8107 AbortIfNeeded();
8108 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8109}
8110
8111INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
8112
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8113typedef KeyMintAidlTestBase KeyUpgradeTest;
8114
8115/**
8116 * KeyUpgradeTest.UpgradeInvalidKey
8117 *
8118 * This test checks that the HAL excepts invalid key blobs..
8119 */
8120TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
8121 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
8122
8123 std::vector<uint8_t> new_blob;
8124 Status result = keymint_->upgradeKey(key_blob,
8125 AuthorizationSetBuilder()
8126 .Authorization(TAG_APPLICATION_ID, "clientid")
8127 .Authorization(TAG_APPLICATION_DATA, "appdata")
8128 .vector_data(),
8129 &new_blob);
8130 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
8131}
8132
8133INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
8134
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8135using UpgradeKeyTest = KeyMintAidlTestBase;
8136
8137/*
8138 * UpgradeKeyTest.UpgradeKey
8139 *
8140 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
8141 */
8142TEST_P(UpgradeKeyTest, UpgradeKey) {
8143 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8144 .AesEncryptionKey(128)
8145 .Padding(PaddingMode::NONE)
8146 .Authorization(TAG_NO_AUTH_REQUIRED)));
8147
8148 auto result = UpgradeKey(key_blob_);
8149
8150 // Key doesn't need upgrading. Should get okay, but no new key blob.
8151 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
8152}
8153
8154INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
8155
8156using ClearOperationsTest = KeyMintAidlTestBase;
8157
8158/*
8159 * ClearSlotsTest.TooManyOperations
8160 *
8161 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
8162 * operations are started without being finished or aborted. Also verifies
8163 * that aborting the operations clears the operations.
8164 *
8165 */
8166TEST_P(ClearOperationsTest, TooManyOperations) {
8167 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8168 .Authorization(TAG_NO_AUTH_REQUIRED)
8169 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]8170 .Padding(PaddingMode::NONE)
8171 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8172
8173 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
8174 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8175 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8176 AuthorizationSet out_params;
8177 ErrorCode result;
8178 size_t i;
8179
8180 for (i = 0; i < max_operations; i++) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8181 result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8182 if (ErrorCode::OK != result) {
8183 break;
8184 }
8185 }
8186 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
8187 // Try again just in case there's a weird overflow bug
8188 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8189 Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8190 for (size_t j = 0; j < i; j++) {
8191 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
8192 << "Aboort failed for i = " << j << std::endl;
8193 }
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8194 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8195 AbortIfNeeded();
8196}
8197
8198INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
8199
8200typedef KeyMintAidlTestBase TransportLimitTest;
8201
8202/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]8203 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8204 *
8205 * Verifies that passing input data to finish succeeds as expected.
8206 */
8207TEST_P(TransportLimitTest, LargeFinishInput) {
8208 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8209 .Authorization(TAG_NO_AUTH_REQUIRED)
8210 .AesEncryptionKey(128)
8211 .BlockMode(BlockMode::ECB)
8212 .Padding(PaddingMode::NONE)));
8213
8214 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8215 SCOPED_TRACE(testing::Message() << "msg_size = " << msg_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8216 auto cipher_params =
8217 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
8218
8219 AuthorizationSet out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8220 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8221
8222 string plain_message = std::string(1 << msg_size, 'x');
8223 string encrypted_message;
8224 auto rc = Finish(plain_message, &encrypted_message);
8225
8226 EXPECT_EQ(ErrorCode::OK, rc);
8227 EXPECT_EQ(plain_message.size(), encrypted_message.size())
8228 << "Encrypt finish returned OK, but did not consume all of the given input";
8229 cipher_params.push_back(out_params);
8230
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8231 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8232
8233 string decrypted_message;
8234 rc = Finish(encrypted_message, &decrypted_message);
8235 EXPECT_EQ(ErrorCode::OK, rc);
8236 EXPECT_EQ(plain_message.size(), decrypted_message.size())
8237 << "Decrypt finish returned OK, did not consume all of the given input";
8238 }
8239}
8240
8241INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
8242
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8243static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8244 switch (curve) {
8245 case EcCurve::P_224:
8246 return NID_secp224r1;
8247 case EcCurve::P_256:
8248 return NID_X9_62_prime256v1;
8249 case EcCurve::P_384:
8250 return NID_secp384r1;
8251 case EcCurve::P_521:
8252 return NID_secp521r1;
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8253 case EcCurve::CURVE_25519:
8254 return NID_X25519;
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8255 }
8256}
8257
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8258class KeyAgreementTest : public KeyMintAidlTestBase {
8259 protected:
8260 void GenerateLocalEcKey(EcCurve localCurve, EVP_PKEY_Ptr* localPrivKey,
8261 std::vector<uint8_t>* localPublicKey) {
8262 // Generate EC key locally (with access to private key material)
8263 if (localCurve == EcCurve::CURVE_25519) {
8264 uint8_t privKeyData[32];
8265 uint8_t pubKeyData[32];
8266 X25519_keypair(pubKeyData, privKeyData);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8267 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new_raw_private_key(
8268 EVP_PKEY_X25519, nullptr, privKeyData, sizeof(privKeyData)));
8269 } else {
8270 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
8271 int curveName = EcdhCurveToOpenSslCurveName(localCurve);
8272 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
8273 ASSERT_NE(group, nullptr);
8274 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
8275 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
8276 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new());
8277 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(localPrivKey->get(), ecKey.get()), 1);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8278 }
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8279
8280 // Get encoded form of the public part of the locally generated key...
8281 unsigned char* p = nullptr;
8282 int localPublicKeySize = i2d_PUBKEY(localPrivKey->get(), &p);
8283 ASSERT_GT(localPublicKeySize, 0);
8284 *localPublicKey = vector<uint8_t>(reinterpret_cast<const uint8_t*>(p),
8285 reinterpret_cast<const uint8_t*>(p + localPublicKeySize));
8286 OPENSSL_free(p);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8287 }
8288
8289 void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
8290 vector<uint8_t> challenge = {0x41, 0x42};
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]8291 auto builder = AuthorizationSetBuilder()
8292 .Authorization(TAG_NO_AUTH_REQUIRED)
8293 .Authorization(TAG_EC_CURVE, curve)
8294 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8295 .Authorization(TAG_ALGORITHM, Algorithm::EC)
8296 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
8297 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
8298 .SetDefaultValidity();
8299 ErrorCode result = GenerateKey(builder);
8300
8301 if (SecLevel() == SecurityLevel::STRONGBOX) {
8302 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
8303 result = GenerateKeyWithSelfSignedAttestKey(
8304 AuthorizationSetBuilder()
8305 .EcdsaKey(EcCurve::P_256)
8306 .AttestKey()
8307 .SetDefaultValidity(), /* attest key params */
8308 builder, &key_blob_, &key_characteristics_, &cert_chain_);
8309 }
8310 }
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8311 ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
8312 ASSERT_GT(cert_chain_.size(), 0);
8313 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8314 ASSERT_NE(kmKeyCert, nullptr);
8315 // Check that keyAgreement (bit 4) is set in KeyUsage
8316 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
8317 *kmPubKey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
8318 ASSERT_NE(*kmPubKey, nullptr);
8319 if (dump_Attestations) {
8320 for (size_t n = 0; n < cert_chain_.size(); n++) {
8321 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
8322 }
8323 }
8324 }
8325
8326 void CheckAgreement(EVP_PKEY_Ptr kmPubKey, EVP_PKEY_Ptr localPrivKey,
8327 const std::vector<uint8_t>& localPublicKey) {
8328 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8329 string ZabFromKeyMintStr;
8330 ASSERT_EQ(ErrorCode::OK,
8331 Finish(string(localPublicKey.begin(), localPublicKey.end()), &ZabFromKeyMintStr));
8332 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
8333 vector<uint8_t> ZabFromTest;
8334
8335 if (EVP_PKEY_id(kmPubKey.get()) == EVP_PKEY_X25519) {
8336 size_t kmPubKeySize = 32;
8337 uint8_t kmPubKeyData[32];
8338 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8339 ASSERT_EQ(kmPubKeySize, 32);
8340
8341 uint8_t localPrivKeyData[32];
8342 size_t localPrivKeySize = 32;
8343 ASSERT_EQ(1, EVP_PKEY_get_raw_private_key(localPrivKey.get(), localPrivKeyData,
8344 &localPrivKeySize));
8345 ASSERT_EQ(localPrivKeySize, 32);
8346
8347 uint8_t sharedKey[32];
8348 ASSERT_EQ(1, X25519(sharedKey, localPrivKeyData, kmPubKeyData));
8349 ZabFromTest = std::vector<uint8_t>(sharedKey, sharedKey + 32);
8350 } else {
8351 // Perform local ECDH between the two keys so we can check if we get the same Zab..
8352 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(localPrivKey.get(), nullptr));
8353 ASSERT_NE(ctx, nullptr);
8354 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
8355 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPubKey.get()), 1);
8356 size_t ZabFromTestLen = 0;
8357 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
8358 ZabFromTest.resize(ZabFromTestLen);
8359 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
8360 }
8361 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
8362 }
8363};
8364
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8365/*
8366 * KeyAgreementTest.Ecdh
8367 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8368 * Verifies that ECDH works for all required curves
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8369 */
8370TEST_P(KeyAgreementTest, Ecdh) {
8371 // Because it's possible to use this API with keys on different curves, we
8372 // check all N^2 combinations where N is the number of supported
8373 // curves.
8374 //
8375 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
8376 // lot more curves we can be smart about things and just pick |otherCurve| so
8377 // it's not |curve| and that way we end up with only 2*N runs
8378 //
8379 for (auto curve : ValidCurves()) {
8380 for (auto localCurve : ValidCurves()) {
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8381 SCOPED_TRACE(testing::Message()
8382 << "local-curve-" << localCurve << "-keymint-curve-" << curve);
8383
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8384 // Generate EC key locally (with access to private key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8385 EVP_PKEY_Ptr localPrivKey;
8386 vector<uint8_t> localPublicKey;
8387 GenerateLocalEcKey(localCurve, &localPrivKey, &localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8388
8389 // Generate EC key in KeyMint (only access to public key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8390 EVP_PKEY_Ptr kmPubKey;
8391 GenerateKeyMintEcKey(curve, &kmPubKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8392
8393 // Now that we have the two keys, we ask KeyMint to perform ECDH...
8394 if (curve != localCurve) {
8395 // If the keys are using different curves KeyMint should fail with
8396 // ErrorCode:INVALID_ARGUMENT. Check that.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8397 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8398 string ZabFromKeyMintStr;
8399 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8400 Finish(string(localPublicKey.begin(), localPublicKey.end()),
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8401 &ZabFromKeyMintStr));
8402
8403 } else {
8404 // Otherwise if the keys are using the same curve, it should work.
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8405 CheckAgreement(std::move(kmPubKey), std::move(localPrivKey), localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8406 }
8407
8408 CheckedDeleteKey();
8409 }
8410 }
8411}
8412
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8413/*
8414 * KeyAgreementTest.EcdhCurve25519
8415 *
8416 * Verifies that ECDH works for curve25519. This is also covered by the general
8417 * KeyAgreementTest.Ecdh case, but is pulled out separately here because this curve was added after
8418 * KeyMint 1.0.
8419 */
8420TEST_P(KeyAgreementTest, EcdhCurve25519) {
8421 if (!Curve25519Supported()) {
8422 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8423 }
8424
8425 // Generate EC key in KeyMint (only access to public key material)
8426 EcCurve curve = EcCurve::CURVE_25519;
8427 EVP_PKEY_Ptr kmPubKey = nullptr;
8428 GenerateKeyMintEcKey(curve, &kmPubKey);
8429
8430 // Generate EC key on same curve locally (with access to private key material).
8431 EVP_PKEY_Ptr privKey;
8432 vector<uint8_t> encodedPublicKey;
8433 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8434
8435 // Agree on a key between local and KeyMint and check it.
8436 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8437
8438 CheckedDeleteKey();
8439}
8440
8441/*
8442 * KeyAgreementTest.EcdhCurve25519Imported
8443 *
8444 * Verifies that ECDH works for an imported curve25519 key.
8445 */
8446TEST_P(KeyAgreementTest, EcdhCurve25519Imported) {
8447 if (!Curve25519Supported()) {
8448 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8449 }
8450
8451 // Import x25519 key into KeyMint.
8452 EcCurve curve = EcCurve::CURVE_25519;
8453 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
8454 .Authorization(TAG_NO_AUTH_REQUIRED)
8455 .EcdsaKey(EcCurve::CURVE_25519)
8456 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8457 .SetDefaultValidity(),
8458 KeyFormat::PKCS8, x25519_pkcs8_key));
8459 ASSERT_GT(cert_chain_.size(), 0);
8460 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8461 ASSERT_NE(kmKeyCert, nullptr);
8462 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
8463 ASSERT_NE(kmPubKey.get(), nullptr);
8464
8465 // Expect the import to emit corresponding public key data.
8466 size_t kmPubKeySize = 32;
8467 uint8_t kmPubKeyData[32];
8468 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8469 ASSERT_EQ(kmPubKeySize, 32);
8470 EXPECT_EQ(bin2hex(std::vector<uint8_t>(kmPubKeyData, kmPubKeyData + 32)),
8471 bin2hex(std::vector<uint8_t>(x25519_pubkey.begin(), x25519_pubkey.end())));
8472
8473 // Generate EC key on same curve locally (with access to private key material).
8474 EVP_PKEY_Ptr privKey;
8475 vector<uint8_t> encodedPublicKey;
8476 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8477
8478 // Agree on a key between local and KeyMint and check it.
8479 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8480
8481 CheckedDeleteKey();
8482}
8483
8484/*
8485 * KeyAgreementTest.EcdhCurve25519InvalidSize
8486 *
8487 * Verifies that ECDH fails for curve25519 if the wrong size of public key is provided.
8488 */
8489TEST_P(KeyAgreementTest, EcdhCurve25519InvalidSize) {
8490 if (!Curve25519Supported()) {
8491 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8492 }
8493
8494 // Generate EC key in KeyMint (only access to public key material)
8495 EcCurve curve = EcCurve::CURVE_25519;
8496 EVP_PKEY_Ptr kmPubKey = nullptr;
8497 GenerateKeyMintEcKey(curve, &kmPubKey);
8498
8499 // Generate EC key on same curve locally (with access to private key material).
8500 EVP_PKEY_Ptr privKey;
8501 vector<uint8_t> encodedPublicKey;
8502 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8503
8504 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8505 string ZabFromKeyMintStr;
8506 // Send in an incomplete public key.
8507 ASSERT_NE(ErrorCode::OK, Finish(string(encodedPublicKey.begin(), encodedPublicKey.end() - 1),
8508 &ZabFromKeyMintStr));
8509
8510 CheckedDeleteKey();
8511}
8512
8513/*
8514 * KeyAgreementTest.EcdhCurve25519Mismatch
8515 *
8516 * Verifies that ECDH fails between curve25519 and other curves.
8517 */
8518TEST_P(KeyAgreementTest, EcdhCurve25519Mismatch) {
8519 if (!Curve25519Supported()) {
8520 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8521 }
8522
8523 // Generate EC key in KeyMint (only access to public key material)
8524 EcCurve curve = EcCurve::CURVE_25519;
8525 EVP_PKEY_Ptr kmPubKey = nullptr;
8526 GenerateKeyMintEcKey(curve, &kmPubKey);
8527
8528 for (auto localCurve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8529 SCOPED_TRACE(testing::Message() << "local-curve-" << localCurve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8530 if (localCurve == curve) {
8531 continue;
8532 }
8533 // Generate EC key on a different curve locally (with access to private key material).
8534 EVP_PKEY_Ptr privKey;
8535 vector<uint8_t> encodedPublicKey;
8536 GenerateLocalEcKey(localCurve, &privKey, &encodedPublicKey);
8537
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8538 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8539 string ZabFromKeyMintStr;
8540 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
8541 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
8542 &ZabFromKeyMintStr));
8543 }
8544
8545 CheckedDeleteKey();
8546}
8547
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8548INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
8549
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8550using DestroyAttestationIdsTest = KeyMintAidlTestBase;
8551
8552// This is a problematic test, as it can render the device under test permanently unusable.
8553// Re-enable and run at your own risk.
8554TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
8555 auto result = DestroyAttestationIds();
8556 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
8557}
8558
8559INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
8560
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8561using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8562
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8563/*
8564 * EarlyBootKeyTest.CreateEarlyBootKeys
8565 *
8566 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
8567 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8568TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8569 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8570 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8571 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8572 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8573 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8574 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8575 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8576
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8577 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
8578 ASSERT_GT(keyData.blob.size(), 0U);
8579 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8580 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8581 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8582}
8583
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8584/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8585 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
8586 *
8587 * Verifies that creating an early boot key with attestation succeeds.
8588 */
8589TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
8590 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
8591 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
8592 builder->AttestationChallenge("challenge");
8593 builder->AttestationApplicationId("app_id");
8594 });
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8595 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8596 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8597 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8598 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8599
8600 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8601 // Strongbox may not support factory attestation. Key creation might fail with
8602 // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
8603 if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
8604 continue;
8605 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8606 ASSERT_GT(keyData.blob.size(), 0U);
8607 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8608 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8609 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8610}
8611
8612/*
8613 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8614 *
8615 * Verifies that using early boot keys at a later stage fails.
8616 */
8617TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
8618 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8619 .Authorization(TAG_NO_AUTH_REQUIRED)
8620 .Authorization(TAG_EARLY_BOOT_ONLY)
8621 .HmacKey(128)
8622 .Digest(Digest::SHA_2_256)
8623 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
8624 AuthorizationSet output_params;
8625 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
8626 AuthorizationSetBuilder()
8627 .Digest(Digest::SHA_2_256)
8628 .Authorization(TAG_MAC_LENGTH, 256),
8629 &output_params));
8630}
8631
8632/*
8633 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
8634 *
8635 * Verifies that importing early boot keys fails.
8636 */
8637TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
8638 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
8639 .Authorization(TAG_NO_AUTH_REQUIRED)
8640 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]8641 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8642 .Digest(Digest::SHA_2_256)
8643 .SetDefaultValidity(),
8644 KeyFormat::PKCS8, ec_256_key));
8645}
8646
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8647// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8648// boot stage, which no proper Android device is by the time we can run VTS. To use this,
8649// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
8650// early boot, so you'll have to reboot between runs.
8651TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
8652 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8653 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8654 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8655 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8656 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8657 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
8658
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8659 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
8660 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8661 EXPECT_TRUE(
8662 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8663 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8664 EXPECT_TRUE(
8665 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8666
8667 // Should be able to use keys, since early boot has not ended
8668 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8669 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8670 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8671 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8672
8673 // End early boot
8674 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
8675 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
8676
8677 // Should not be able to use already-created keys.
8678 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
8679 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
8680 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
8681 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
8682
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8683 // Should not be able to create new keys
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8684 auto [aesKeyData2, hmacKeyData2, rsaKeyData2, ecdsaKeyData2] =
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8685 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8686 KeyBlobDeleter aes_deleter2(keymint_, aesKeyData2.blob);
8687 KeyBlobDeleter hmac_deleter2(keymint_, hmacKeyData2.blob);
8688 KeyBlobDeleter rsa_deleter2(keymint_, rsaKeyData2.blob);
8689 KeyBlobDeleter ecdsa_deleter2(keymint_, ecdsaKeyData2.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8690}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8691
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8692INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
8693
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8694using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8695
8696// This may be a problematic test. It can't be run repeatedly without unlocking the device in
8697// between runs... and on most test devices there are no enrolled credentials so it can't be
8698// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
8699// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
8700// a manual test process, which includes unlocking between runs, which is why it's included here.
8701// Well, that and the fact that it's the only test we can do without also making calls into the
8702// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
8703// implications might be, so that may or may not be a solution.
8704TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
8705 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8706 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8707 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8708 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8709 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8710 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8711
8712 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8713 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8714 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8715 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8716
8717 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8718 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8719 ASSERT_EQ(ErrorCode::OK, rc);
8720 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
8721 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
8722 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
8723 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8724}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8725
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8726INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
8727
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8728using VsrRequirementTest = KeyMintAidlTestBase;
8729
Eran Messeri5fe06ea2023-08-02 22:34:24 +0100[diff] [blame]8730// @VsrTest = VSR-3.10-008
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8731TEST_P(VsrRequirementTest, Vsr13Test) {
8732 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8733 if (vsr_api_level < __ANDROID_API_T__) {
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8734 GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
8735 }
8736 EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
8737}
8738
Eran Messeri5fe06ea2023-08-02 22:34:24 +0100[diff] [blame]8739// @VsrTest = VSR-3.10-013.001
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8740TEST_P(VsrRequirementTest, Vsr14Test) {
8741 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8742 if (vsr_api_level < __ANDROID_API_U__) {
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8743 GTEST_SKIP() << "Applies only to VSR API level 34, this device is: " << vsr_api_level;
8744 }
8745 EXPECT_GE(AidlVersion(), 3) << "VSR 14+ requires KeyMint version 3";
8746}
8747
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8748INSTANTIATE_KEYMINT_AIDL_TEST(VsrRequirementTest);
8749
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8750} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8751
8752int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8753 std::cout << "Testing ";
8754 auto halInstances =
8755 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
8756 std::cout << "HAL instances:\n";
8757 for (auto& entry : halInstances) {
8758 std::cout << " " << entry << '\n';
8759 }
8760
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8761 ::testing::InitGoogleTest(&argc, argv);
8762 for (int i = 1; i < argc; ++i) {
8763 if (argv[i][0] == '-') {
8764 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8765 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8766 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8767 }
8768 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8769 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8770 dump_Attestations = true;
8771 } else {
8772 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8773 }
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]8774 if (std::string(argv[i]) == "--skip_boot_pl_check") {
8775 // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
8776 // be run in emulated environments that don't have the normal bootloader
8777 // interactions.
8778 aidl::android::hardware::security::keymint::test::check_boot_pl = false;
8779 }
David Drysdale9f5c0c52022-11-03 15:10:16 +0000[diff] [blame]8780 if (std::string(argv[i]) == "--keyblob_dir") {
8781 if (i + 1 >= argc) {
8782 std::cerr << "Missing argument for --keyblob_dir\n";
8783 return 1;
8784 }
8785 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::keyblob_dir =
8786 std::string(argv[i + 1]);
8787 ++i;
8788 }
Tommy Chiu025f3c52023-05-15 06:23:44 +0000[diff] [blame]8789 if (std::string(argv[i]) == "--expect_upgrade") {
8790 if (i + 1 >= argc) {
8791 std::cerr << "Missing argument for --expect_upgrade\n";
8792 return 1;
8793 }
8794 std::string arg = argv[i + 1];
8795 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8796 expect_upgrade =
8797 arg == "yes"
8798 ? true
8799 : (arg == "no" ? false : std::optional<bool>(std::nullopt));
8800 ++i;
8801 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8802 }
8803 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]8804 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8805}