Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 300b555b6b4008be4dbe53d1a8ce66dcc1696207 / . / security / keymint / aidl / vts / functional / KeyMintAidlTestBase.h
blob: c49b303f50055972a9c0f87b686666ae6bc81557 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]17#pragma once
18
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame^]19#include <string_view>
20
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]21#include <aidl/Gtest.h>
22#include <aidl/Vintf.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <binder/IServiceManager.h>
24#include <binder/ProcessState.h>
25#include <gtest/gtest.h>
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]26#include <openssl/x509.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]28#include <aidl/android/hardware/security/keymint/ErrorCode.h>
29#include <aidl/android/hardware/security/keymint/IKeyMintDevice.h>
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]30#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
Shawn Willden1d3f85e2020-12-09 14:18:44 -0700[diff] [blame]31
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]32#include <keymint_support/authorization_set.h>
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]33#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]34
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]35namespace aidl::android::hardware::security::keymint {
36
37::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set);
38
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]39inline bool operator==(const keymint::AuthorizationSet& a, const keymint::AuthorizationSet& b) {
40 return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin());
41}
42
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]43namespace test {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]44
45using ::android::sp;
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]46using Status = ::ndk::ScopedAStatus;
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]47using ::std::optional;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]48using ::std::shared_ptr;
49using ::std::string;
50using ::std::vector;
51
52constexpr uint64_t kOpHandleSentinel = 0xFFFFFFFFFFFFFFFF;
53
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]54class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
55 public:
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]56 struct KeyData {
57 vector<uint8_t> blob;
58 vector<KeyCharacteristics> characteristics;
59 };
60
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]61 static bool arm_deleteAllKeys;
62 static bool dump_Attestations;
63
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]64 void SetUp() override;
65 void TearDown() override {
66 if (key_blob_.size()) {
67 CheckedDeleteKey();
68 }
69 AbortIfNeeded();
70 }
71
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]72 void InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyMint);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]73 IKeyMintDevice& keyMint() { return *keymint_; }
74 uint32_t os_version() { return os_version_; }
75 uint32_t os_patch_level() { return os_patch_level_; }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]76 uint32_t vendor_patch_level() { return vendor_patch_level_; }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]77
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]78 ErrorCode GetReturnErrorCode(const Status& result);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]79
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]80 ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
81 vector<KeyCharacteristics>* key_characteristics) {
82 return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics,
83 &cert_chain_);
84 }
85 ErrorCode GenerateKey(const AuthorizationSet& key_desc,
86 const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob,
87 vector<KeyCharacteristics>* key_characteristics,
88 vector<Certificate>* cert_chain);
89 ErrorCode GenerateKey(const AuthorizationSet& key_desc,
90 const optional<AttestationKey>& attest_key = std::nullopt);
91
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]92 ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
93 const string& key_material, vector<uint8_t>* key_blob,
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]94 vector<KeyCharacteristics>* key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]95 ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
96 const string& key_material);
97
98 ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
99 const AuthorizationSet& wrapping_key_desc, string masking_key,
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]100 const AuthorizationSet& unwrapping_params, int64_t password_sid,
101 int64_t biometric_sid);
102 ErrorCode ImportWrappedKey(string wrapped_key, string wrapping_key,
103 const AuthorizationSet& wrapping_key_desc, string masking_key,
104 const AuthorizationSet& unwrapping_params) {
105 return ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, masking_key,
106 unwrapping_params, 0 /* password_sid */, 0 /* biometric_sid */);
107 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]108
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame^]109 ErrorCode GetCharacteristics(const vector<uint8_t>& key_blob, const vector<uint8_t>& app_id,
110 const vector<uint8_t>& app_data,
111 vector<KeyCharacteristics>* key_characteristics);
112 ErrorCode GetCharacteristics(const vector<uint8_t>& key_blob,
113 vector<KeyCharacteristics>* key_characteristics);
114
115 void CheckCharacteristics(const vector<uint8_t>& key_blob,
116 const vector<KeyCharacteristics>& generate_characteristics);
117 void CheckAppIdCharacteristics(const vector<uint8_t>& key_blob, std::string_view app_id_string,
118 std::string_view app_data_string,
119 const vector<KeyCharacteristics>& generate_characteristics);
120
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]121 ErrorCode DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
122 ErrorCode DeleteKey(bool keep_key_blob = false);
123
124 ErrorCode DeleteAllKeys();
125
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]126 ErrorCode DestroyAttestationIds();
127
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]128 void CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob = false);
129 void CheckedDeleteKey();
130
131 ErrorCode Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
132 const AuthorizationSet& in_params, AuthorizationSet* out_params,
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]133 std::shared_ptr<IKeyMintOperation>& op);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]134 ErrorCode Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
135 const AuthorizationSet& in_params, AuthorizationSet* out_params);
136 ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
137 AuthorizationSet* out_params);
138 ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params);
139
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]140 ErrorCode UpdateAad(const string& input);
141 ErrorCode Update(const string& input, string* output);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]142
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]143 ErrorCode Finish(const string& message, const string& signature, string* output);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]144 ErrorCode Finish(const string& message, string* output) {
145 return Finish(message, {} /* signature */, output);
146 }
147 ErrorCode Finish(string* output) { return Finish({} /* message */, output); }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]148
149 ErrorCode Abort();
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]150 ErrorCode Abort(const shared_ptr<IKeyMintOperation>& op);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]151 void AbortIfNeeded();
152
153 string ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
154 const string& message, const AuthorizationSet& in_params,
155 AuthorizationSet* out_params);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]156 std::tuple<ErrorCode, std::string /* processedMessage */> ProcessMessage(
157 const vector<uint8_t>& key_blob, KeyPurpose operation, const std::string& message,
158 const AuthorizationSet& in_params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]159 string SignMessage(const vector<uint8_t>& key_blob, const string& message,
160 const AuthorizationSet& params);
161 string SignMessage(const string& message, const AuthorizationSet& params);
162
163 string MacMessage(const string& message, Digest digest, size_t mac_length);
164
165 void CheckHmacTestVector(const string& key, const string& message, Digest digest,
166 const string& expected_mac);
167
168 void CheckAesCtrTestVector(const string& key, const string& nonce, const string& message,
169 const string& expected_ciphertext);
170
171 void CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
172 PaddingMode padding_mode, const string& key, const string& iv,
173 const string& input, const string& expected_output);
174
175 void VerifyMessage(const vector<uint8_t>& key_blob, const string& message,
176 const string& signature, const AuthorizationSet& params);
177 void VerifyMessage(const string& message, const string& signature,
178 const AuthorizationSet& params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]179 void LocalVerifyMessage(const string& message, const string& signature,
180 const AuthorizationSet& params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]181
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]182 string LocalRsaEncryptMessage(const string& message, const AuthorizationSet& params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]183 string EncryptMessage(const vector<uint8_t>& key_blob, const string& message,
184 const AuthorizationSet& in_params, AuthorizationSet* out_params);
185 string EncryptMessage(const string& message, const AuthorizationSet& params,
186 AuthorizationSet* out_params);
187 string EncryptMessage(const string& message, const AuthorizationSet& params);
188 string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding);
189 string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
190 vector<uint8_t>* iv_out);
191 string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
192 const vector<uint8_t>& iv_in);
193 string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
194 uint8_t mac_length_bits, const vector<uint8_t>& iv_in);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]195 string EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding,
196 uint8_t mac_length_bits);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]197
198 string DecryptMessage(const vector<uint8_t>& key_blob, const string& ciphertext,
199 const AuthorizationSet& params);
200 string DecryptMessage(const string& ciphertext, const AuthorizationSet& params);
201 string DecryptMessage(const string& ciphertext, BlockMode block_mode, PaddingMode padding_mode,
202 const vector<uint8_t>& iv);
203
204 std::pair<ErrorCode, vector<uint8_t>> UpgradeKey(const vector<uint8_t>& key_blob);
205
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]206 template <typename TagType>
207 std::tuple<KeyData /* aesKey */, KeyData /* hmacKey */, KeyData /* rsaKey */,
208 KeyData /* ecdsaKey */>
209 CreateTestKeys(TagType tagToTest, ErrorCode expectedReturn) {
210 /* AES */
211 KeyData aesKeyData;
212 ErrorCode errorCode = GenerateKey(AuthorizationSetBuilder()
213 .AesEncryptionKey(128)
214 .Authorization(tagToTest)
215 .BlockMode(BlockMode::ECB)
216 .Padding(PaddingMode::NONE)
217 .Authorization(TAG_NO_AUTH_REQUIRED),
218 &aesKeyData.blob, &aesKeyData.characteristics);
219 EXPECT_EQ(expectedReturn, errorCode);
220
221 /* HMAC */
222 KeyData hmacKeyData;
223 errorCode = GenerateKey(AuthorizationSetBuilder()
224 .HmacKey(128)
225 .Authorization(tagToTest)
226 .Digest(Digest::SHA_2_256)
227 .Authorization(TAG_MIN_MAC_LENGTH, 128)
228 .Authorization(TAG_NO_AUTH_REQUIRED),
229 &hmacKeyData.blob, &hmacKeyData.characteristics);
230 EXPECT_EQ(expectedReturn, errorCode);
231
232 /* RSA */
233 KeyData rsaKeyData;
234 errorCode = GenerateKey(AuthorizationSetBuilder()
235 .RsaSigningKey(2048, 65537)
236 .Authorization(tagToTest)
237 .Digest(Digest::NONE)
238 .Padding(PaddingMode::NONE)
239 .Authorization(TAG_NO_AUTH_REQUIRED)
240 .SetDefaultValidity(),
241 &rsaKeyData.blob, &rsaKeyData.characteristics);
242 EXPECT_EQ(expectedReturn, errorCode);
243
244 /* ECDSA */
245 KeyData ecdsaKeyData;
246 errorCode = GenerateKey(AuthorizationSetBuilder()
247 .EcdsaSigningKey(256)
248 .Authorization(tagToTest)
249 .Digest(Digest::SHA_2_256)
250 .Authorization(TAG_NO_AUTH_REQUIRED)
251 .SetDefaultValidity(),
252 &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
253 EXPECT_EQ(expectedReturn, errorCode);
254 return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData};
255 }
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]256 bool IsSecure() const { return securityLevel_ != SecurityLevel::SOFTWARE; }
257 SecurityLevel SecLevel() const { return securityLevel_; }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]258
259 vector<uint32_t> ValidKeySizes(Algorithm algorithm);
260 vector<uint32_t> InvalidKeySizes(Algorithm algorithm);
261
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]262 vector<BlockMode> ValidBlockModes(Algorithm algorithm);
263 vector<PaddingMode> ValidPaddingModes(Algorithm algorithm, BlockMode blockMode);
264 vector<PaddingMode> InvalidPaddingModes(Algorithm algorithm, BlockMode blockMode);
265
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]266 vector<EcCurve> ValidCurves();
267 vector<EcCurve> InvalidCurves();
268
269 vector<Digest> ValidDigests(bool withNone, bool withMD5);
270
271 static vector<string> build_params() {
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]272 auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]273 return params;
274 }
275
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]276 std::shared_ptr<IKeyMintOperation> op_;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]277 vector<Certificate> cert_chain_;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]278 vector<uint8_t> key_blob_;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]279 vector<KeyCharacteristics> key_characteristics_;
280
281 const vector<KeyParameter>& SecLevelAuthorizations(
282 const vector<KeyCharacteristics>& key_characteristics);
283 inline const vector<KeyParameter>& SecLevelAuthorizations() {
284 return SecLevelAuthorizations(key_characteristics_);
285 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]286 const vector<KeyParameter>& SecLevelAuthorizations(
287 const vector<KeyCharacteristics>& key_characteristics, SecurityLevel securityLevel);
288
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]289 ErrorCode UseAesKey(const vector<uint8_t>& aesKeyBlob);
290 ErrorCode UseHmacKey(const vector<uint8_t>& hmacKeyBlob);
291 ErrorCode UseRsaKey(const vector<uint8_t>& rsaKeyBlob);
292 ErrorCode UseEcdsaKey(const vector<uint8_t>& ecdsaKeyBlob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]293
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]294 protected:
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]295 std::shared_ptr<IKeyMintDevice> keymint_;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]296 uint32_t os_version_;
297 uint32_t os_patch_level_;
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]298 uint32_t vendor_patch_level_;
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]299 bool timestamp_token_required_;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]300
301 SecurityLevel securityLevel_;
302 string name_;
303 string author_;
304 long challenge_;
305};
306
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]307vector<uint8_t> build_serial_blob(const uint64_t serial_int);
308void verify_subject(const X509* cert, const string& subject, bool self_signed);
309void verify_serial(X509* cert, const uint64_t expected_serial);
310void verify_subject_and_serial(const Certificate& certificate, //
311 const uint64_t expected_serial, //
312 const string& subject, bool self_signed);
313
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]314bool verify_attestation_record(const string& challenge, //
315 const string& app_id, //
316 AuthorizationSet expected_sw_enforced, //
317 AuthorizationSet expected_hw_enforced, //
318 SecurityLevel security_level,
319 const vector<uint8_t>& attestation_cert);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]320
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]321string bin2hex(const vector<uint8_t>& data);
322X509_Ptr parse_cert_blob(const vector<uint8_t>& blob);
David Drysdalef0d516d2021-03-22 07:51:43 +0000[diff] [blame]323vector<uint8_t> make_name_from_str(const string& name);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]324void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
325 vector<uint8_t>* payload_value);
326void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey);
327
David Drysdalef0d516d2021-03-22 07:51:43 +0000[diff] [blame]328AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);
329AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]330::testing::AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain);
331
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]332#define INSTANTIATE_KEYMINT_AIDL_TEST(name) \
333 INSTANTIATE_TEST_SUITE_P(PerInstance, name, \
334 testing::ValuesIn(KeyMintAidlTestBase::build_params()), \
Shawn Willden7e71f1e2021-04-01 16:44:22 -0600[diff] [blame]335 ::android::PrintInstanceNameToString); \
336 GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(name);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]337
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]338} // namespace test
339
340} // namespace aidl::android::hardware::security::keymint