Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 31ab404a5e631d0d4cc2b37ce9513fc91d20b18d / . / keymint / aidl / vts / functional / KeyMintAidlTestBase.cpp
blob: 05461492be4091d22c987873762f156e6d3679f6 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame^]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "KeyMintAidlTestBase.h"
18
19#include <chrono>
20#include <vector>
21
22#include <android-base/logging.h>
23
24#include <keymintSupport/key_param_output.h>
25#include <keymintSupport/keymint_utils.h>
26
27namespace android {
28namespace hardware {
29namespace keymint {
30
31using namespace std::literals::chrono_literals;
32using std::endl;
33using std::optional;
34
35::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
36 if (set.size() == 0)
37 os << "(Empty)" << ::std::endl;
38 else {
39 os << "\n";
40 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl;
41 }
42 return os;
43}
44
45namespace test {
46
47ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(Status result) {
48 if (result.isOk()) return ErrorCode::OK;
49
50 if (result.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
51 return static_cast<ErrorCode>(result.serviceSpecificErrorCode());
52 }
53
54 return ErrorCode::UNKNOWN_ERROR;
55}
56
57void KeyMintAidlTestBase::InitializeKeyMint(sp<IKeyMintDevice> keyMint) {
58 ASSERT_NE(keyMint, nullptr);
59 keymint_ = keyMint;
60
61 KeyMintHardwareInfo info;
62 ASSERT_TRUE(keymint_->getHardwareInfo(&info).isOk());
63
64 securityLevel_ = info.securityLevel;
65 name_.assign(info.keyMintName.begin(), info.keyMintName.end());
66 author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
67
68 os_version_ = getOsVersion();
69 os_patch_level_ = getOsPatchlevel();
70}
71
72void KeyMintAidlTestBase::SetUp() {
73 InitializeKeyMint(
74 android::waitForDeclaredService<IKeyMintDevice>(String16(GetParam().c_str())));
75}
76
77ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
78 vector<uint8_t>* keyBlob, KeyCharacteristics* keyChar) {
79 EXPECT_NE(keyBlob, nullptr) << "Key blob pointer must not be null. Test bug";
80 EXPECT_NE(keyChar, nullptr)
81 << "Previous characteristics not deleted before generating key. Test bug.";
82
83 // Aidl does not clear these output parameters if the function returns
84 // error. This is different from hal where output parameter is always
85 // cleared due to hal returning void. So now we need to do our own clearing
86 // of the output variables prior to calling keyMint aidl libraries.
87 keyBlob->clear();
88 keyChar->softwareEnforced.clear();
89 keyChar->hardwareEnforced.clear();
90 certChain_.clear();
91
92 Status result;
93 ByteArray blob;
94
95 result = keymint_->generateKey(key_desc.vector_data(), &blob, keyChar, &certChain_);
96
97 // On result, blob & characteristics should be empty.
98 if (result.isOk()) {
99 if (SecLevel() != SecurityLevel::SOFTWARE) {
100 EXPECT_GT(keyChar->hardwareEnforced.size(), 0);
101 }
102 EXPECT_GT(keyChar->softwareEnforced.size(), 0);
103 // TODO(seleneh) in a later version where we return @nullable
104 // single Certificate, check non-null single certificate is always
105 // non-empty.
106 *keyBlob = blob.data;
107 }
108
109 return GetReturnErrorCode(result);
110}
111
112ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
113 return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
114}
115
116ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
117 const string& key_material, vector<uint8_t>* key_blob,
118 KeyCharacteristics* key_characteristics) {
119 Status result;
120
121 certChain_.clear();
122 key_characteristics->softwareEnforced.clear();
123 key_characteristics->hardwareEnforced.clear();
124 key_blob->clear();
125
126 ByteArray blob;
127 result = keymint_->importKey(key_desc.vector_data(), format,
128 vector<uint8_t>(key_material.begin(), key_material.end()), &blob,
129 key_characteristics, &certChain_);
130
131 if (result.isOk()) {
132 if (SecLevel() != SecurityLevel::SOFTWARE) {
133 EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0);
134 }
135 EXPECT_GT(key_characteristics->softwareEnforced.size(), 0);
136 *key_blob = blob.data;
137 }
138
139 return GetReturnErrorCode(result);
140}
141
142ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
143 const string& key_material) {
144 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
145}
146
147ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
148 const AuthorizationSet& wrapping_key_desc,
149 string masking_key,
150 const AuthorizationSet& unwrapping_params) {
151 Status result;
152 EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
153
154 ByteArray outBlob;
155 key_characteristics_.softwareEnforced.clear();
156 key_characteristics_.hardwareEnforced.clear();
157
158 result = keymint_->importWrappedKey(vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()),
159 key_blob_,
160 vector<uint8_t>(masking_key.begin(), masking_key.end()),
161 unwrapping_params.vector_data(), 0 /* passwordSid */,
162 0 /* biometricSid */, &outBlob, &key_characteristics_);
163
164 if (result.isOk()) {
165 key_blob_ = outBlob.data;
166 if (SecLevel() != SecurityLevel::SOFTWARE) {
167 EXPECT_GT(key_characteristics_.hardwareEnforced.size(), 0);
168 }
169 EXPECT_GT(key_characteristics_.softwareEnforced.size(), 0);
170 }
171
172 return GetReturnErrorCode(result);
173}
174
175ErrorCode KeyMintAidlTestBase::DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
176 Status result = keymint_->deleteKey(*key_blob);
177 if (!keep_key_blob) {
178 *key_blob = vector<uint8_t>();
179 }
180
181 EXPECT_TRUE(result.isOk()) << result.serviceSpecificErrorCode() << endl;
182 return GetReturnErrorCode(result);
183}
184
185ErrorCode KeyMintAidlTestBase::DeleteKey(bool keep_key_blob) {
186 return DeleteKey(&key_blob_, keep_key_blob);
187}
188
189ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
190 Status result = keymint_->deleteAllKeys();
191 EXPECT_TRUE(result.isOk()) << result.serviceSpecificErrorCode() << endl;
192 return GetReturnErrorCode(result);
193}
194
195void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
196 ErrorCode result = DeleteKey(key_blob, keep_key_blob);
197 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED) << result << endl;
198}
199
200void KeyMintAidlTestBase::CheckedDeleteKey() {
201 CheckedDeleteKey(&key_blob_);
202}
203
204ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
205 const AuthorizationSet& in_params,
206 AuthorizationSet* out_params, sp<IKeyMintOperation>& op) {
207 SCOPED_TRACE("Begin");
208 Status result;
209 BeginResult out;
210 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
211
212 if (result.isOk()) {
213 *out_params = out.params;
214 challenge_ = out.challenge;
215 op = out.operation;
216 }
217
218 return GetReturnErrorCode(result);
219}
220
221ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
222 const AuthorizationSet& in_params,
223 AuthorizationSet* out_params) {
224 SCOPED_TRACE("Begin");
225 Status result;
226 BeginResult out;
227
228 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
229
230 if (result.isOk()) {
231 *out_params = out.params;
232 challenge_ = out.challenge;
233 op_ = out.operation;
234 }
235
236 return GetReturnErrorCode(result);
237}
238
239ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
240 AuthorizationSet* out_params) {
241 SCOPED_TRACE("Begin");
242 EXPECT_EQ(nullptr, op_);
243 return Begin(purpose, key_blob_, in_params, out_params);
244}
245
246ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
247 SCOPED_TRACE("Begin");
248 AuthorizationSet out_params;
249 ErrorCode result = Begin(purpose, in_params, &out_params);
250 EXPECT_TRUE(out_params.empty());
251 return result;
252}
253
254ErrorCode KeyMintAidlTestBase::Update(const AuthorizationSet& in_params, const string& input,
255 AuthorizationSet* out_params, string* output,
256 int32_t* input_consumed) {
257 SCOPED_TRACE("Update");
258
259 Status result;
260 EXPECT_NE(op_, nullptr);
261 if (!op_) {
262 return ErrorCode::UNEXPECTED_NULL_POINTER;
263 }
264
265 KeyParameterArray key_params;
266 key_params.params = in_params.vector_data();
267
268 KeyParameterArray in_keyParams;
269 in_keyParams.params = in_params.vector_data();
270
271 optional<KeyParameterArray> out_keyParams;
272 optional<ByteArray> o_put;
273 result = op_->update(in_keyParams, vector<uint8_t>(input.begin(), input.end()), {}, {},
274 &out_keyParams, &o_put, input_consumed);
275
276 if (result.isOk()) {
277 if (o_put) {
278 output->append(o_put->data.begin(), o_put->data.end());
279 }
280
281 if (out_keyParams) {
282 out_params->push_back(AuthorizationSet(out_keyParams->params));
283 }
284 }
285
286 return GetReturnErrorCode(result);
287}
288
289ErrorCode KeyMintAidlTestBase::Update(const string& input, string* out, int32_t* input_consumed) {
290 SCOPED_TRACE("Update");
291 AuthorizationSet out_params;
292 ErrorCode result =
293 Update(AuthorizationSet() /* in_params */, input, &out_params, out, input_consumed);
294 EXPECT_TRUE(out_params.empty());
295 return result;
296}
297
298ErrorCode KeyMintAidlTestBase::Finish(const AuthorizationSet& in_params, const string& input,
299 const string& signature, AuthorizationSet* out_params,
300 string* output) {
301 SCOPED_TRACE("Finish");
302 Status result;
303
304 EXPECT_NE(op_, nullptr);
305 if (!op_) {
306 return ErrorCode::UNEXPECTED_NULL_POINTER;
307 }
308
309 KeyParameterArray key_params;
310 key_params.params = in_params.vector_data();
311
312 KeyParameterArray in_keyParams;
313 in_keyParams.params = in_params.vector_data();
314
315 optional<KeyParameterArray> out_keyParams;
316 optional<vector<uint8_t>> o_put;
317
318 vector<uint8_t> oPut;
319 result = op_->finish(in_keyParams, vector<uint8_t>(input.begin(), input.end()),
320 vector<uint8_t>(signature.begin(), signature.end()), {}, {},
321 &out_keyParams, &oPut);
322
323 if (result.isOk()) {
324 if (out_keyParams) {
325 out_params->push_back(AuthorizationSet(out_keyParams->params));
326 }
327
328 output->append(oPut.begin(), oPut.end());
329 }
330
331 op_.clear(); // So dtor doesn't Abort().
332 return GetReturnErrorCode(result);
333}
334
335ErrorCode KeyMintAidlTestBase::Finish(const string& message, string* output) {
336 SCOPED_TRACE("Finish");
337 AuthorizationSet out_params;
338 string finish_output;
339 ErrorCode result = Finish(AuthorizationSet() /* in_params */, message, "" /* signature */,
340 &out_params, output);
341 if (result != ErrorCode::OK) {
342 return result;
343 }
344 EXPECT_EQ(0U, out_params.size());
345 return result;
346}
347
348ErrorCode KeyMintAidlTestBase::Finish(const string& message, const string& signature,
349 string* output) {
350 SCOPED_TRACE("Finish");
351 AuthorizationSet out_params;
352 ErrorCode result =
353 Finish(AuthorizationSet() /* in_params */, message, signature, &out_params, output);
354
355 if (result != ErrorCode::OK) {
356 return result;
357 }
358
359 EXPECT_EQ(0U, out_params.size());
360 return result;
361}
362
363ErrorCode KeyMintAidlTestBase::Abort(const sp<IKeyMintOperation>& op) {
364 SCOPED_TRACE("Abort");
365
366 EXPECT_NE(op, nullptr);
367 if (!op) {
368 return ErrorCode::UNEXPECTED_NULL_POINTER;
369 }
370
371 Status retval = op->abort();
372 EXPECT_TRUE(retval.isOk());
373 return static_cast<ErrorCode>(retval.serviceSpecificErrorCode());
374}
375
376ErrorCode KeyMintAidlTestBase::Abort() {
377 SCOPED_TRACE("Abort");
378
379 EXPECT_NE(op_, nullptr);
380 if (!op_) {
381 return ErrorCode::UNEXPECTED_NULL_POINTER;
382 }
383
384 Status retval = op_->abort();
385 return static_cast<ErrorCode>(retval.serviceSpecificErrorCode());
386}
387
388void KeyMintAidlTestBase::AbortIfNeeded() {
389 SCOPED_TRACE("AbortIfNeeded");
390 if (op_) {
391 EXPECT_EQ(ErrorCode::OK, Abort());
392 op_.clear();
393 }
394}
395
396string KeyMintAidlTestBase::ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
397 const string& message, const AuthorizationSet& in_params,
398 AuthorizationSet* out_params) {
399 SCOPED_TRACE("ProcessMessage");
400 AuthorizationSet begin_out_params;
401 ErrorCode result = Begin(operation, key_blob, in_params, &begin_out_params);
402 EXPECT_EQ(ErrorCode::OK, result);
403 if (result != ErrorCode::OK) {
404 return "";
405 }
406
407 string output;
408 int32_t consumed = 0;
409 AuthorizationSet update_params;
410 AuthorizationSet update_out_params;
411 result = Update(update_params, message, &update_out_params, &output, &consumed);
412 EXPECT_EQ(ErrorCode::OK, result);
413 if (result != ErrorCode::OK) {
414 return "";
415 }
416
417 string unused;
418 AuthorizationSet finish_params;
419 AuthorizationSet finish_out_params;
420 EXPECT_EQ(ErrorCode::OK,
421 Finish(finish_params, message.substr(consumed), unused, &finish_out_params, &output));
422
423 out_params->push_back(begin_out_params);
424 out_params->push_back(finish_out_params);
425 return output;
426}
427
428string KeyMintAidlTestBase::SignMessage(const vector<uint8_t>& key_blob, const string& message,
429 const AuthorizationSet& params) {
430 SCOPED_TRACE("SignMessage");
431 AuthorizationSet out_params;
432 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
433 EXPECT_TRUE(out_params.empty());
434 return signature;
435}
436
437string KeyMintAidlTestBase::SignMessage(const string& message, const AuthorizationSet& params) {
438 SCOPED_TRACE("SignMessage");
439 return SignMessage(key_blob_, message, params);
440}
441
442string KeyMintAidlTestBase::MacMessage(const string& message, Digest digest, size_t mac_length) {
443 SCOPED_TRACE("MacMessage");
444 return SignMessage(
445 key_blob_, message,
446 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
447}
448
449void KeyMintAidlTestBase::CheckHmacTestVector(const string& key, const string& message,
450 Digest digest, const string& expected_mac) {
451 SCOPED_TRACE("CheckHmacTestVector");
452 ASSERT_EQ(ErrorCode::OK,
453 ImportKey(AuthorizationSetBuilder()
454 .Authorization(TAG_NO_AUTH_REQUIRED)
455 .HmacKey(key.size() * 8)
456 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
457 .Digest(digest),
458 KeyFormat::RAW, key));
459 string signature = MacMessage(message, digest, expected_mac.size() * 8);
460 EXPECT_EQ(expected_mac, signature)
461 << "Test vector didn't match for key of size " << key.size() << " message of size "
462 << message.size() << " and digest " << digest;
463 CheckedDeleteKey();
464}
465
466void KeyMintAidlTestBase::CheckAesCtrTestVector(const string& key, const string& nonce,
467 const string& message,
468 const string& expected_ciphertext) {
469 SCOPED_TRACE("CheckAesCtrTestVector");
470 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
471 .Authorization(TAG_NO_AUTH_REQUIRED)
472 .AesEncryptionKey(key.size() * 8)
473 .BlockMode(BlockMode::CTR)
474 .Authorization(TAG_CALLER_NONCE)
475 .Padding(PaddingMode::NONE),
476 KeyFormat::RAW, key));
477
478 auto params = AuthorizationSetBuilder()
479 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
480 .BlockMode(BlockMode::CTR)
481 .Padding(PaddingMode::NONE);
482 AuthorizationSet out_params;
483 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
484 EXPECT_EQ(expected_ciphertext, ciphertext);
485}
486
487void KeyMintAidlTestBase::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
488 PaddingMode padding_mode, const string& key,
489 const string& iv, const string& input,
490 const string& expected_output) {
491 auto authset = AuthorizationSetBuilder()
492 .TripleDesEncryptionKey(key.size() * 7)
493 .BlockMode(block_mode)
494 .Authorization(TAG_NO_AUTH_REQUIRED)
495 .Padding(padding_mode);
496 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
497 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
498 ASSERT_GT(key_blob_.size(), 0U);
499
500 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
501 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
502 AuthorizationSet output_params;
503 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
504 EXPECT_EQ(expected_output, output);
505}
506
507void KeyMintAidlTestBase::VerifyMessage(const vector<uint8_t>& key_blob, const string& message,
508 const string& signature, const AuthorizationSet& params) {
509 SCOPED_TRACE("VerifyMessage");
510 AuthorizationSet begin_out_params;
511 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params));
512
513 string output;
514 AuthorizationSet update_params;
515 AuthorizationSet update_out_params;
516 int32_t consumed;
517 ASSERT_EQ(ErrorCode::OK,
518 Update(update_params, message, &update_out_params, &output, &consumed));
519 EXPECT_TRUE(output.empty());
520 EXPECT_GT(consumed, 0U);
521
522 string unused;
523 AuthorizationSet finish_params;
524 AuthorizationSet finish_out_params;
525 EXPECT_EQ(ErrorCode::OK, Finish(finish_params, message.substr(consumed), signature,
526 &finish_out_params, &output));
527 op_.clear();
528 EXPECT_TRUE(output.empty());
529}
530
531void KeyMintAidlTestBase::VerifyMessage(const string& message, const string& signature,
532 const AuthorizationSet& params) {
533 SCOPED_TRACE("VerifyMessage");
534 VerifyMessage(key_blob_, message, signature, params);
535}
536
537string KeyMintAidlTestBase::EncryptMessage(const vector<uint8_t>& key_blob, const string& message,
538 const AuthorizationSet& in_params,
539 AuthorizationSet* out_params) {
540 SCOPED_TRACE("EncryptMessage");
541 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
542}
543
544string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params,
545 AuthorizationSet* out_params) {
546 SCOPED_TRACE("EncryptMessage");
547 return EncryptMessage(key_blob_, message, params, out_params);
548}
549
550string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params) {
551 SCOPED_TRACE("EncryptMessage");
552 AuthorizationSet out_params;
553 string ciphertext = EncryptMessage(message, params, &out_params);
554 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
555 return ciphertext;
556}
557
558string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
559 PaddingMode padding) {
560 SCOPED_TRACE("EncryptMessage");
561 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
562 AuthorizationSet out_params;
563 string ciphertext = EncryptMessage(message, params, &out_params);
564 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
565 return ciphertext;
566}
567
568string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
569 PaddingMode padding, vector<uint8_t>* iv_out) {
570 SCOPED_TRACE("EncryptMessage");
571 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
572 AuthorizationSet out_params;
573 string ciphertext = EncryptMessage(message, params, &out_params);
574 EXPECT_EQ(1U, out_params.size());
575 auto ivVal = out_params.GetTagValue(TAG_NONCE);
576 EXPECT_TRUE(ivVal.isOk());
577 if (ivVal.isOk()) *iv_out = ivVal.value();
578 return ciphertext;
579}
580
581string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
582 PaddingMode padding, const vector<uint8_t>& iv_in) {
583 SCOPED_TRACE("EncryptMessage");
584 auto params = AuthorizationSetBuilder()
585 .BlockMode(block_mode)
586 .Padding(padding)
587 .Authorization(TAG_NONCE, iv_in);
588 AuthorizationSet out_params;
589 string ciphertext = EncryptMessage(message, params, &out_params);
590 return ciphertext;
591}
592
593string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
594 PaddingMode padding, uint8_t mac_length_bits,
595 const vector<uint8_t>& iv_in) {
596 SCOPED_TRACE("EncryptMessage");
597 auto params = AuthorizationSetBuilder()
598 .BlockMode(block_mode)
599 .Padding(padding)
600 .Authorization(TAG_MAC_LENGTH, mac_length_bits)
601 .Authorization(TAG_NONCE, iv_in);
602 AuthorizationSet out_params;
603 string ciphertext = EncryptMessage(message, params, &out_params);
604 return ciphertext;
605}
606
607string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
608 const string& ciphertext,
609 const AuthorizationSet& params) {
610 SCOPED_TRACE("DecryptMessage");
611 AuthorizationSet out_params;
612 string plaintext =
613 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
614 EXPECT_TRUE(out_params.empty());
615 return plaintext;
616}
617
618string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext,
619 const AuthorizationSet& params) {
620 SCOPED_TRACE("DecryptMessage");
621 return DecryptMessage(key_blob_, ciphertext, params);
622}
623
624string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext, BlockMode block_mode,
625 PaddingMode padding_mode, const vector<uint8_t>& iv) {
626 SCOPED_TRACE("DecryptMessage");
627 auto params = AuthorizationSetBuilder()
628 .BlockMode(block_mode)
629 .Padding(padding_mode)
630 .Authorization(TAG_NONCE, iv);
631 return DecryptMessage(key_blob_, ciphertext, params);
632}
633
634std::pair<ErrorCode, vector<uint8_t>> KeyMintAidlTestBase::UpgradeKey(
635 const vector<uint8_t>& key_blob) {
636 std::pair<ErrorCode, vector<uint8_t>> retval;
637 vector<uint8_t> outKeyBlob;
638 Status result = keymint_->upgradeKey(key_blob, vector<KeyParameter>(), &outKeyBlob);
639 ErrorCode errorcode = GetReturnErrorCode(result);
640 retval = std::tie(errorcode, outKeyBlob);
641
642 return retval;
643}
644vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
645 switch (algorithm) {
646 case Algorithm::RSA:
647 switch (SecLevel()) {
648 case SecurityLevel::SOFTWARE:
649 case SecurityLevel::TRUSTED_ENVIRONMENT:
650 return {2048, 3072, 4096};
651 case SecurityLevel::STRONGBOX:
652 return {2048};
653 default:
654 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
655 break;
656 }
657 break;
658 case Algorithm::EC:
659 switch (SecLevel()) {
660 case SecurityLevel::SOFTWARE:
661 case SecurityLevel::TRUSTED_ENVIRONMENT:
662 return {224, 256, 384, 521};
663 case SecurityLevel::STRONGBOX:
664 return {256};
665 default:
666 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
667 break;
668 }
669 break;
670 case Algorithm::AES:
671 return {128, 256};
672 case Algorithm::TRIPLE_DES:
673 return {168};
674 case Algorithm::HMAC: {
675 vector<uint32_t> retval((512 - 64) / 8 + 1);
676 uint32_t size = 64 - 8;
677 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
678 return retval;
679 }
680 default:
681 ADD_FAILURE() << "Invalid Algorithm: " << algorithm;
682 return {};
683 }
684 ADD_FAILURE() << "Should be impossible to get here";
685 return {};
686}
687
688vector<uint32_t> KeyMintAidlTestBase::InvalidKeySizes(Algorithm algorithm) {
689 if (SecLevel() == SecurityLevel::STRONGBOX) {
690 switch (algorithm) {
691 case Algorithm::RSA:
692 return {3072, 4096};
693 case Algorithm::EC:
694 return {224, 384, 521};
695 case Algorithm::AES:
696 return {192};
697 default:
698 return {};
699 }
700 }
701 return {};
702}
703
704vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {
705 if (securityLevel_ == SecurityLevel::STRONGBOX) {
706 return {EcCurve::P_256};
707 } else {
708 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
709 }
710}
711
712vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
713 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
714 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
715 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
716}
717
718vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
719 switch (SecLevel()) {
720 case SecurityLevel::SOFTWARE:
721 case SecurityLevel::TRUSTED_ENVIRONMENT:
722 if (withNone) {
723 if (withMD5)
724 return {Digest::NONE, Digest::MD5, Digest::SHA1,
725 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
726 Digest::SHA_2_512};
727 else
728 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
729 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
730 } else {
731 if (withMD5)
732 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
733 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
734 else
735 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
736 Digest::SHA_2_512};
737 }
738 break;
739 case SecurityLevel::STRONGBOX:
740 if (withNone)
741 return {Digest::NONE, Digest::SHA_2_256};
742 else
743 return {Digest::SHA_2_256};
744 break;
745 default:
746 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
747 break;
748 }
749 ADD_FAILURE() << "Should be impossible to get here";
750 return {};
751}
752
753} // namespace test
754} // namespace keymint
755} // namespace hardware
756} // namespace android