Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 4dc010739d287542518ba65701e5f2ac7a400a2e / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: d5308dc9a4810ab7635ff686559103b952748e7e [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
21#include <iostream>
22
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]23#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]24#include <openssl/evp.h>
25#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27
28#include <cutils/properties.h>
29
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame^]30#include <android/binder_manager.h>
31
32#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]33#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]34
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]35#include <keymint_support/key_param_output.h>
36#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]37
38#include "KeyMintAidlTestBase.h"
39
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]40using aidl::android::hardware::security::keymint::AuthorizationSet;
41using aidl::android::hardware::security::keymint::KeyCharacteristics;
42using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]43
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]44namespace std {
45
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]46using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47
48template <>
49struct std::equal_to<KeyCharacteristics> {
50 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]51 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]52
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]53 // this isn't very efficient. Oh, well.
54 AuthorizationSet a_auths(a.authorizations);
55 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]56
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]57 a_auths.Sort();
58 b_auths.Sort();
59
60 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]61 }
62};
63
64} // namespace std
65
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]66namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]67
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]68namespace {
69
70template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]71bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
72 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]73 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]74 if (auto p = authorizationValue(ttag, param)) {
75 return *p == expected_value;
76 }
77 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]78 });
79 return (it != set.end());
80}
81
82template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]83bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]84 auto it = std::find_if(set.begin(), set.end(),
85 [&](const KeyParameter& param) { return param.tag == tag; });
86 return (it != set.end());
87}
88
89constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
90 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
91 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
92 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
93 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
94 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
95 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
96 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
97 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
98 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
99 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
100 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
101 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
102 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
103 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
104 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
105
106string hex2str(string a) {
107 string b;
108 size_t num = a.size() / 2;
109 b.resize(num);
110 for (size_t i = 0; i < num; i++) {
111 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
112 }
113 return b;
114}
115
116string rsa_key =
117 hex2str("30820275020100300d06092a864886f70d01010105000482025f3082025b"
118 "02010002818100c6095409047d8634812d5a218176e45c41d60a75b13901"
119 "f234226cffe776521c5a77b9e389417b71c0b6a44d13afe4e4a2805d46c9"
120 "da2935adb1ff0c1f24ea06e62b20d776430a4d435157233c6f916783c30e"
121 "310fcbd89b85c2d56771169785ac12bca244abda72bfb19fc44d27c81e1d"
122 "92de284f4061edfd99280745ea6d2502030100010281801be0f04d9cae37"
123 "18691f035338308e91564b55899ffb5084d2460e6630257e05b3ceab0297"
124 "2dfabcd6ce5f6ee2589eb67911ed0fac16e43a444b8c861e544a05933657"
125 "72f8baf6b22fc9e3c5f1024b063ac080a7b2234cf8aee8f6c47bbf4fd3ac"
126 "e7240290bef16c0b3f7f3cdd64ce3ab5912cf6e32f39ab188358afcccd80"
127 "81024100e4b49ef50f765d3b24dde01aceaaf130f2c76670a91a61ae08af"
128 "497b4a82be6dee8fcdd5e3f7ba1cfb1f0c926b88f88c92bfab137fba2285"
129 "227b83c342ff7c55024100ddabb5839c4c7f6bf3d4183231f005b31aa58a"
130 "ffdda5c79e4cce217f6bc930dbe563d480706c24e9ebfcab28a6cdefd324"
131 "b77e1bf7251b709092c24ff501fd91024023d4340eda3445d8cd26c14411"
132 "da6fdca63c1ccd4b80a98ad52b78cc8ad8beb2842c1d280405bc2f6c1bea"
133 "214a1d742ab996b35b63a82a5e470fa88dbf823cdd02401b7b57449ad30d"
134 "1518249a5f56bb98294d4b6ac12ffc86940497a5a5837a6cf946262b4945"
135 "26d328c11e1126380fde04c24f916dec250892db09a6d77cdba351024077"
136 "62cd8f4d050da56bd591adb515d24d7ccd32cca0d05f866d583514bd7324"
137 "d5f33645e8ed8b4a1cb3cc4a1d67987399f2a09f5b3fb68c88d5e5d90ac3"
138 "3492d6");
139
140string ec_256_key =
141 hex2str("308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
142 "6b0201010420737c2ecd7b8d1940bf2930aa9b4ed3ff941eed09366bc032"
143 "99986481f3a4d859a14403420004bf85d7720d07c25461683bc648b4778a"
144 "9a14dd8a024e3bdd8c7ddd9ab2b528bbc7aa1b51f14ebbbb0bd0ce21bcc4"
145 "1c6eb00083cf3376d11fd44949e0b2183bfe");
146
147string ec_521_key =
148 hex2str("3081EE020100301006072A8648CE3D020106052B810400230481D63081D3"
149 "02010104420011458C586DB5DAA92AFAB03F4FE46AA9D9C3CE9A9B7A006A"
150 "8384BEC4C78E8E9D18D7D08B5BCFA0E53C75B064AD51C449BAE0258D54B9"
151 "4B1E885DED08ED4FB25CE9A1818903818600040149EC11C6DF0FA122C6A9"
152 "AFD9754A4FA9513A627CA329E349535A5629875A8ADFBE27DCB932C05198"
153 "6377108D054C28C6F39B6F2C9AF81802F9F326B842FF2E5F3C00AB7635CF"
154 "B36157FC0882D574A10D839C1A0C049DC5E0D775E2EE50671A208431BB45"
155 "E78E70BEFE930DB34818EE4D5C26259F5C6B8E28A652950F9F88D7B4B2C9"
156 "D9");
157
158string ec_256_key_rfc5915 =
159 hex2str("308193020100301306072a8648ce3d020106082a8648ce3d030107047930"
160 "770201010420782370a8c8ce5537baadd04dcff079c8158cfa9c67b818b3"
161 "8e8d21c9fa750c1da00a06082a8648ce3d030107a14403420004e2cc561e"
162 "e701da0ad0ef0d176bb0c919d42e79c393fdc1bd6c4010d85cf2cf8e68c9"
163 "05464666f98dad4f01573ba81078b3428570a439ba3229fbc026c550682f");
164
165string ec_256_key_sec1 =
166 hex2str("308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
167 "6b0201010420782370a8c8ce5537baadd04dcff079c8158cfa9c67b818b3"
168 "8e8d21c9fa750c1da14403420004e2cc561ee701da0ad0ef0d176bb0c919"
169 "d42e79c393fdc1bd6c4010d85cf2cf8e68c905464666f98dad4f01573ba8"
170 "1078b3428570a439ba3229fbc026c550682f");
171
172struct RSA_Delete {
173 void operator()(RSA* p) { RSA_free(p); }
174};
175
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]176std::string make_string(const uint8_t* data, size_t length) {
177 return std::string(reinterpret_cast<const char*>(data), length);
178}
179
180template <size_t N>
181std::string make_string(const uint8_t (&a)[N]) {
182 return make_string(a, N);
183}
184
185class AidlBuf : public vector<uint8_t> {
186 typedef vector<uint8_t> super;
187
188 public:
189 AidlBuf() {}
190 AidlBuf(const super& other) : super(other) {}
191 AidlBuf(super&& other) : super(std::move(other)) {}
192 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
193
194 AidlBuf& operator=(const super& other) {
195 super::operator=(other);
196 return *this;
197 }
198
199 AidlBuf& operator=(super&& other) {
200 super::operator=(std::move(other));
201 return *this;
202 }
203
204 AidlBuf& operator=(const string& other) {
205 resize(other.size());
206 for (size_t i = 0; i < other.size(); ++i) {
207 (*this)[i] = static_cast<uint8_t>(other[i]);
208 }
209 return *this;
210 }
211
212 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
213};
214
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame^]215string device_suffix(const string& name) {
216 size_t pos = name.find('/');
217 if (pos == string::npos) {
218 return name;
219 }
220 return name.substr(pos + 1);
221}
222
223bool matching_rp_instance(const string& km_name,
224 std::shared_ptr<IRemotelyProvisionedComponent>* rp) {
225 string km_suffix = device_suffix(km_name);
226
227 vector<string> rp_names =
228 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
229 for (const string& rp_name : rp_names) {
230 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
231 // KeyMint instance, assume they match.
232 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
233 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
234 *rp = IRemotelyProvisionedComponent::fromBinder(binder);
235 return true;
236 }
237 }
238 return false;
239}
240
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]241} // namespace
242
243class NewKeyGenerationTest : public KeyMintAidlTestBase {
244 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]245 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]246 // TODO(swillden): Distinguish which params should be in which auth list.
247
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]248 AuthorizationSet auths;
249 for (auto& entry : keyCharacteristics) {
250 auths.push_back(AuthorizationSet(entry.authorizations));
251 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]252
253 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
254 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
255 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
256
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]257 // Verify that App data and ROT are NOT included.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]258 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]259 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
260
261 // Check that some unexpected tags/values are NOT present.
262 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
263 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
264 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
265
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]266 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
267 ASSERT_TRUE(os_ver);
268 EXPECT_EQ(*os_ver, os_version());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]269
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]270 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
271 ASSERT_TRUE(os_pl);
272 EXPECT_EQ(*os_pl, os_patch_level());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]273 }
274};
275
276/*
277 * NewKeyGenerationTest.Rsa
278 *
279 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
280 * have correct characteristics.
281 */
282TEST_P(NewKeyGenerationTest, Rsa) {
283 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
284 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]285 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]286 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
287 .RsaSigningKey(key_size, 65537)
288 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]289 .Padding(PaddingMode::NONE)
290 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]291 &key_blob, &key_characteristics));
292
293 ASSERT_GT(key_blob.size(), 0U);
294 CheckBaseParams(key_characteristics);
295
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]296 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]297
298 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
299 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
300 << "Key size " << key_size << "missing";
301 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
302
303 CheckedDeleteKey(&key_blob);
304 }
305}
306
307/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]308 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]309 *
310 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
311 * have correct characteristics.
312 */
313TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
314 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
315 auto challenge = "hello";
316 auto app_id = "foo";
317
318 vector<uint8_t> key_blob;
319 vector<KeyCharacteristics> key_characteristics;
320 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
321 .RsaSigningKey(key_size, 65537)
322 .Digest(Digest::NONE)
323 .Padding(PaddingMode::NONE)
324 .AttestationChallenge(challenge)
325 .AttestationApplicationId(app_id)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]326 .Authorization(TAG_NO_AUTH_REQUIRED)
327 .SetDefaultValidity(),
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]328 &key_blob, &key_characteristics));
329
330 ASSERT_GT(key_blob.size(), 0U);
331 CheckBaseParams(key_characteristics);
332
333 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
334
335 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
336 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
337 << "Key size " << key_size << "missing";
338 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
339
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]340 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]341 ASSERT_GT(cert_chain_.size(), 0);
342
343 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
344 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
345 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
346 sw_enforced, hw_enforced, SecLevel(),
347 cert_chain_[0].encodedCertificate));
348
349 CheckedDeleteKey(&key_blob);
350 }
351}
352
353/*
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame^]354 * NewKeyGenerationTest.RsaWithRpkAttestation
355 *
356 * Verifies that keymint can generate all required RSA key sizes, using an attestation key
357 * that has been generated using an associate IRemotelyProvisionedComponent.
358 */
359TEST_P(NewKeyGenerationTest, RsaWithRpkAttestation) {
360 // There should be an IRemotelyProvisionedComponent instance associated with the KeyMint
361 // instance.
362 std::shared_ptr<IRemotelyProvisionedComponent> rp;
363 ASSERT_TRUE(matching_rp_instance(GetParam(), &rp))
364 << "No IRemotelyProvisionedComponent found that matches KeyMint device " << GetParam();
365
366 // Generate a P-256 keypair to use as an attestation key.
367 MacedPublicKey macedPubKey;
368 std::vector<uint8_t> privateKeyBlob;
369 auto status =
370 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
371 ASSERT_TRUE(status.isOk());
372 vector<uint8_t> coseKeyData;
373 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
374
375 AttestationKey attestation_key;
376 attestation_key.keyBlob = std::move(privateKeyBlob);
377 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
378
379 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
380 auto challenge = "hello";
381 auto app_id = "foo";
382
383 vector<uint8_t> key_blob;
384 vector<KeyCharacteristics> key_characteristics;
385 ASSERT_EQ(ErrorCode::OK,
386 GenerateKey(AuthorizationSetBuilder()
387 .RsaSigningKey(key_size, 65537)
388 .Digest(Digest::NONE)
389 .Padding(PaddingMode::NONE)
390 .AttestationChallenge(challenge)
391 .AttestationApplicationId(app_id)
392 .Authorization(TAG_NO_AUTH_REQUIRED)
393 .SetDefaultValidity(),
394 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
395
396 ASSERT_GT(key_blob.size(), 0U);
397 CheckBaseParams(key_characteristics);
398
399 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
400
401 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
402 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
403 << "Key size " << key_size << "missing";
404 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
405
406 // Attestation by itself is not valid (last entry is not self-signed).
407 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
408
409 // The signature over the attested key should correspond to the P256 public key.
410 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
411 ASSERT_TRUE(key_cert.get());
412 EVP_PKEY_Ptr signing_pubkey;
413 p256_pub_key(coseKeyData, &signing_pubkey);
414 ASSERT_TRUE(signing_pubkey.get());
415
416 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
417 << "Verification of attested certificate failed "
418 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
419
420 CheckedDeleteKey(&key_blob);
421 }
422}
423
424/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]425 * NewKeyGenerationTest.LimitedUsageRsa
426 *
427 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
428 * resulting keys have correct characteristics.
429 */
430TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
431 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
432 vector<uint8_t> key_blob;
433 vector<KeyCharacteristics> key_characteristics;
434 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
435 .RsaSigningKey(key_size, 65537)
436 .Digest(Digest::NONE)
437 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]438 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
439 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]440 &key_blob, &key_characteristics));
441
442 ASSERT_GT(key_blob.size(), 0U);
443 CheckBaseParams(key_characteristics);
444
445 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
446
447 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
448 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
449 << "Key size " << key_size << "missing";
450 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
451
452 // Check the usage count limit tag appears in the authorizations.
453 AuthorizationSet auths;
454 for (auto& entry : key_characteristics) {
455 auths.push_back(AuthorizationSet(entry.authorizations));
456 }
457 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
458 << "key usage count limit " << 1U << " missing";
459
460 CheckedDeleteKey(&key_blob);
461 }
462}
463
464/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]465 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
466 *
467 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
468 * resulting keys have correct characteristics and attestation.
469 */
470TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
471 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
472 auto challenge = "hello";
473 auto app_id = "foo";
474
475 vector<uint8_t> key_blob;
476 vector<KeyCharacteristics> key_characteristics;
477 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
478 .RsaSigningKey(key_size, 65537)
479 .Digest(Digest::NONE)
480 .Padding(PaddingMode::NONE)
481 .AttestationChallenge(challenge)
482 .AttestationApplicationId(app_id)
483 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]484 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
485 .SetDefaultValidity(),
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]486 &key_blob, &key_characteristics));
487
488 ASSERT_GT(key_blob.size(), 0U);
489 CheckBaseParams(key_characteristics);
490
491 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
492
493 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
494 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
495 << "Key size " << key_size << "missing";
496 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
497
498 // Check the usage count limit tag appears in the authorizations.
499 AuthorizationSet auths;
500 for (auto& entry : key_characteristics) {
501 auths.push_back(AuthorizationSet(entry.authorizations));
502 }
503 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
504 << "key usage count limit " << 1U << " missing";
505
506 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]507 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]508 ASSERT_GT(cert_chain_.size(), 0);
509
510 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
511 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
512 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
513 sw_enforced, hw_enforced, SecLevel(),
514 cert_chain_[0].encodedCertificate));
515
516 CheckedDeleteKey(&key_blob);
517 }
518}
519
520/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]521 * NewKeyGenerationTest.NoInvalidRsaSizes
522 *
523 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
524 */
525TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
526 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
527 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]528 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]529 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
530 GenerateKey(AuthorizationSetBuilder()
531 .RsaSigningKey(key_size, 65537)
532 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]533 .Padding(PaddingMode::NONE)
534 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]535 &key_blob, &key_characteristics));
536 }
537}
538
539/*
540 * NewKeyGenerationTest.RsaNoDefaultSize
541 *
542 * Verifies that failing to specify a key size for RSA key generation returns
543 * UNSUPPORTED_KEY_SIZE.
544 */
545TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
546 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
547 GenerateKey(AuthorizationSetBuilder()
548 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
549 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]550 .SigningKey()
551 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]552}
553
554/*
555 * NewKeyGenerationTest.Ecdsa
556 *
557 * Verifies that keymint can generate all required EC key sizes, and that the resulting keys
558 * have correct characteristics.
559 */
560TEST_P(NewKeyGenerationTest, Ecdsa) {
561 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
562 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]563 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]564 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
565 .EcdsaSigningKey(key_size)
566 .Digest(Digest::NONE)
567 .SetDefaultValidity(),
568 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]569 ASSERT_GT(key_blob.size(), 0U);
570 CheckBaseParams(key_characteristics);
571
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]572 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]573
574 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
575 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
576 << "Key size " << key_size << "missing";
577
578 CheckedDeleteKey(&key_blob);
579 }
580}
581
582/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]583 * NewKeyGenerationTest.LimitedUsageEcdsa
584 *
585 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
586 * resulting keys have correct characteristics.
587 */
588TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
589 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
590 vector<uint8_t> key_blob;
591 vector<KeyCharacteristics> key_characteristics;
592 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
593 .EcdsaSigningKey(key_size)
594 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]595 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
596 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]597 &key_blob, &key_characteristics));
598
599 ASSERT_GT(key_blob.size(), 0U);
600 CheckBaseParams(key_characteristics);
601
602 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
603
604 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
605 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
606 << "Key size " << key_size << "missing";
607
608 // Check the usage count limit tag appears in the authorizations.
609 AuthorizationSet auths;
610 for (auto& entry : key_characteristics) {
611 auths.push_back(AuthorizationSet(entry.authorizations));
612 }
613 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
614 << "key usage count limit " << 1U << " missing";
615
616 CheckedDeleteKey(&key_blob);
617 }
618}
619
620/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]621 * NewKeyGenerationTest.EcdsaDefaultSize
622 *
623 * Verifies that failing to specify a key size for EC key generation returns
624 * UNSUPPORTED_KEY_SIZE.
625 */
626TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
627 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
628 GenerateKey(AuthorizationSetBuilder()
629 .Authorization(TAG_ALGORITHM, Algorithm::EC)
630 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]631 .Digest(Digest::NONE)
632 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]633}
634
635/*
636 * NewKeyGenerationTest.EcdsaInvalidSize
637 *
638 * Verifies that specifying an invalid key size for EC key generation returns
639 * UNSUPPORTED_KEY_SIZE.
640 */
641TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
642 for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
643 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]644 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]645 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
646 .EcdsaSigningKey(key_size)
647 .Digest(Digest::NONE)
648 .SetDefaultValidity(),
649 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]650 }
651
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]652 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
653 .EcdsaSigningKey(190)
654 .Digest(Digest::NONE)
655 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]656}
657
658/*
659 * NewKeyGenerationTest.EcdsaMismatchKeySize
660 *
661 * Verifies that specifying mismatched key size and curve for EC key generation returns
662 * INVALID_ARGUMENT.
663 */
664TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
665 if (SecLevel() == SecurityLevel::STRONGBOX) return;
666
667 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
668 GenerateKey(AuthorizationSetBuilder()
669 .EcdsaSigningKey(224)
670 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]671 .Digest(Digest::NONE)
672 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]673}
674
675/*
676 * NewKeyGenerationTest.EcdsaAllValidSizes
677 *
678 * Verifies that keymint supports all required EC key sizes.
679 */
680TEST_P(NewKeyGenerationTest, EcdsaAllValidSizes) {
681 auto valid_sizes = ValidKeySizes(Algorithm::EC);
682 for (size_t size : valid_sizes) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]683 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
684 .EcdsaSigningKey(size)
685 .Digest(Digest::NONE)
686 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]687 << "Failed to generate size: " << size;
688 CheckedDeleteKey();
689 }
690}
691
692/*
693 * NewKeyGenerationTest.EcdsaInvalidCurves
694 *
695 * Verifies that keymint does not support any curve designated as unsupported.
696 */
697TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
698 Digest digest;
699 if (SecLevel() == SecurityLevel::STRONGBOX) {
700 digest = Digest::SHA_2_256;
701 } else {
702 digest = Digest::SHA_2_512;
703 }
704 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]705 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
706 .EcdsaSigningKey(curve)
707 .Digest(digest)
708 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]709 << "Failed to generate key on curve: " << curve;
710 CheckedDeleteKey();
711 }
712}
713
714/*
715 * NewKeyGenerationTest.Hmac
716 *
717 * Verifies that keymint supports all required digests, and that the resulting keys have correct
718 * characteristics.
719 */
720TEST_P(NewKeyGenerationTest, Hmac) {
721 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
722 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]723 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]724 constexpr size_t key_size = 128;
725 ASSERT_EQ(ErrorCode::OK,
726 GenerateKey(
727 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
728 TAG_MIN_MAC_LENGTH, 128),
729 &key_blob, &key_characteristics));
730
731 ASSERT_GT(key_blob.size(), 0U);
732 CheckBaseParams(key_characteristics);
733
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]734 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
735 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
736 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
737 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]738
739 CheckedDeleteKey(&key_blob);
740 }
741}
742
743/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]744 * NewKeyGenerationTest.LimitedUsageHmac
745 *
746 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
747 * resulting keys have correct characteristics.
748 */
749TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
750 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
751 vector<uint8_t> key_blob;
752 vector<KeyCharacteristics> key_characteristics;
753 constexpr size_t key_size = 128;
754 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
755 .HmacKey(key_size)
756 .Digest(digest)
757 .Authorization(TAG_MIN_MAC_LENGTH, 128)
758 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
759 &key_blob, &key_characteristics));
760
761 ASSERT_GT(key_blob.size(), 0U);
762 CheckBaseParams(key_characteristics);
763
764 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
765 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
766 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
767 << "Key size " << key_size << "missing";
768
769 // Check the usage count limit tag appears in the authorizations.
770 AuthorizationSet auths;
771 for (auto& entry : key_characteristics) {
772 auths.push_back(AuthorizationSet(entry.authorizations));
773 }
774 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
775 << "key usage count limit " << 1U << " missing";
776
777 CheckedDeleteKey(&key_blob);
778 }
779}
780
781/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]782 * NewKeyGenerationTest.HmacCheckKeySizes
783 *
784 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
785 */
786TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
787 for (size_t key_size = 0; key_size <= 512; ++key_size) {
788 if (key_size < 64 || key_size % 8 != 0) {
789 // To keep this test from being very slow, we only test a random fraction of
790 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
791 // them, we expect to run ~40 of them in each run.
792 if (key_size % 8 == 0 || random() % 10 == 0) {
793 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
794 GenerateKey(AuthorizationSetBuilder()
795 .HmacKey(key_size)
796 .Digest(Digest::SHA_2_256)
797 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
798 << "HMAC key size " << key_size << " invalid";
799 }
800 } else {
801 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
802 .HmacKey(key_size)
803 .Digest(Digest::SHA_2_256)
804 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
805 << "Failed to generate HMAC key of size " << key_size;
806 CheckedDeleteKey();
807 }
808 }
809}
810
811/*
812 * NewKeyGenerationTest.HmacCheckMinMacLengths
813 *
814 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
815 * test is probabilistic in order to keep the runtime down, but any failure prints out the
816 * specific MAC length that failed, so reproducing a failed run will be easy.
817 */
818TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
819 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
820 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
821 // To keep this test from being very long, we only test a random fraction of
822 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
823 // we expect to run ~17 of them in each run.
824 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
825 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
826 GenerateKey(AuthorizationSetBuilder()
827 .HmacKey(128)
828 .Digest(Digest::SHA_2_256)
829 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
830 << "HMAC min mac length " << min_mac_length << " invalid.";
831 }
832 } else {
833 EXPECT_EQ(ErrorCode::OK,
834 GenerateKey(AuthorizationSetBuilder()
835 .HmacKey(128)
836 .Digest(Digest::SHA_2_256)
837 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
838 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
839 CheckedDeleteKey();
840 }
841 }
842}
843
844/*
845 * NewKeyGenerationTest.HmacMultipleDigests
846 *
847 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
848 */
849TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
850 if (SecLevel() == SecurityLevel::STRONGBOX) return;
851
852 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
853 GenerateKey(AuthorizationSetBuilder()
854 .HmacKey(128)
855 .Digest(Digest::SHA1)
856 .Digest(Digest::SHA_2_256)
857 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
858}
859
860/*
861 * NewKeyGenerationTest.HmacDigestNone
862 *
863 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
864 */
865TEST_P(NewKeyGenerationTest, HmacDigestNone) {
866 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
867 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
868 128)));
869
870 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
871 GenerateKey(AuthorizationSetBuilder()
872 .HmacKey(128)
873 .Digest(Digest::NONE)
874 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
875}
876
877INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
878
879typedef KeyMintAidlTestBase SigningOperationsTest;
880
881/*
882 * SigningOperationsTest.RsaSuccess
883 *
884 * Verifies that raw RSA signature operations succeed.
885 */
886TEST_P(SigningOperationsTest, RsaSuccess) {
887 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
888 .RsaSigningKey(2048, 65537)
889 .Digest(Digest::NONE)
890 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]891 .Authorization(TAG_NO_AUTH_REQUIRED)
892 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]893 string message = "12345678901234567890123456789012";
894 string signature = SignMessage(
895 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
896}
897
898/*
899 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
900 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]901 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]902 */
903TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
904 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
905 .Authorization(TAG_NO_AUTH_REQUIRED)
906 .RsaSigningKey(2048, 65537)
907 .Digest(Digest::NONE)
908 .Padding(PaddingMode::NONE)
909 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]910 .Authorization(TAG_APPLICATION_DATA, "appdata")
911 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]912 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
913 Begin(KeyPurpose::SIGN,
914 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
915 AbortIfNeeded();
916 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
917 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
918 .Digest(Digest::NONE)
919 .Padding(PaddingMode::NONE)
920 .Authorization(TAG_APPLICATION_ID, "clientid")));
921 AbortIfNeeded();
922 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
923 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
924 .Digest(Digest::NONE)
925 .Padding(PaddingMode::NONE)
926 .Authorization(TAG_APPLICATION_DATA, "appdata")));
927 AbortIfNeeded();
928 EXPECT_EQ(ErrorCode::OK,
929 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
930 .Digest(Digest::NONE)
931 .Padding(PaddingMode::NONE)
932 .Authorization(TAG_APPLICATION_DATA, "appdata")
933 .Authorization(TAG_APPLICATION_ID, "clientid")));
934 AbortIfNeeded();
935}
936
937/*
938 * SigningOperationsTest.RsaPssSha256Success
939 *
940 * Verifies that RSA-PSS signature operations succeed.
941 */
942TEST_P(SigningOperationsTest, RsaPssSha256Success) {
943 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
944 .RsaSigningKey(2048, 65537)
945 .Digest(Digest::SHA_2_256)
946 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]947 .Authorization(TAG_NO_AUTH_REQUIRED)
948 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]949 // Use large message, which won't work without digesting.
950 string message(1024, 'a');
951 string signature = SignMessage(
952 message,
953 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
954}
955
956/*
957 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
958 *
959 * Verifies that keymint rejects signature operations that specify a padding mode when the key
960 * supports only unpadded operations.
961 */
962TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
963 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
964 .RsaSigningKey(2048, 65537)
965 .Digest(Digest::NONE)
966 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]967 .Padding(PaddingMode::NONE)
968 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]969 string message = "12345678901234567890123456789012";
970 string signature;
971
972 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
973 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
974 .Digest(Digest::NONE)
975 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
976}
977
978/*
979 * SigningOperationsTest.NoUserConfirmation
980 *
981 * Verifies that keymint rejects signing operations for keys with
982 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
983 * presented.
984 */
985TEST_P(SigningOperationsTest, NoUserConfirmation) {
986 if (SecLevel() == SecurityLevel::STRONGBOX) return;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]987 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
988 .RsaSigningKey(1024, 65537)
989 .Digest(Digest::NONE)
990 .Padding(PaddingMode::NONE)
991 .Authorization(TAG_NO_AUTH_REQUIRED)
992 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
993 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]994
995 const string message = "12345678901234567890123456789012";
996 EXPECT_EQ(ErrorCode::OK,
997 Begin(KeyPurpose::SIGN,
998 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
999 string signature;
1000 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
1001}
1002
1003/*
1004 * SigningOperationsTest.RsaPkcs1Sha256Success
1005 *
1006 * Verifies that digested RSA-PKCS1 signature operations succeed.
1007 */
1008TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
1009 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1010 .RsaSigningKey(2048, 65537)
1011 .Digest(Digest::SHA_2_256)
1012 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1013 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1014 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1015 string message(1024, 'a');
1016 string signature = SignMessage(message, AuthorizationSetBuilder()
1017 .Digest(Digest::SHA_2_256)
1018 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
1019}
1020
1021/*
1022 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
1023 *
1024 * Verifies that undigested RSA-PKCS1 signature operations succeed.
1025 */
1026TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
1027 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1028 .RsaSigningKey(2048, 65537)
1029 .Digest(Digest::NONE)
1030 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1031 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1032 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1033 string message(53, 'a');
1034 string signature = SignMessage(message, AuthorizationSetBuilder()
1035 .Digest(Digest::NONE)
1036 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
1037}
1038
1039/*
1040 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
1041 *
1042 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
1043 * given a too-long message.
1044 */
1045TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
1046 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1047 .RsaSigningKey(2048, 65537)
1048 .Digest(Digest::NONE)
1049 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1050 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1051 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1052 string message(257, 'a');
1053
1054 EXPECT_EQ(ErrorCode::OK,
1055 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1056 .Digest(Digest::NONE)
1057 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1058 string signature;
1059 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
1060}
1061
1062/*
1063 * SigningOperationsTest.RsaPssSha512TooSmallKey
1064 *
1065 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
1066 * used with a key that is too small for the message.
1067 *
1068 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
1069 * keymint specification requires that salt_size == digest_size, so the message will be
1070 * digest_size * 2 +
1071 * 16. Such a message can only be signed by a given key if the key is at least that size. This
1072 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
1073 * for a 1024-bit key.
1074 */
1075TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
1076 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1077 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1078 .RsaSigningKey(1024, 65537)
1079 .Digest(Digest::SHA_2_512)
1080 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1081 .Padding(PaddingMode::RSA_PSS)
1082 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1083 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
1084 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1085 .Digest(Digest::SHA_2_512)
1086 .Padding(PaddingMode::RSA_PSS)));
1087}
1088
1089/*
1090 * SigningOperationsTest.RsaNoPaddingTooLong
1091 *
1092 * Verifies that raw RSA signature operations fail with the correct error code when
1093 * given a too-long message.
1094 */
1095TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
1096 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1097 .RsaSigningKey(2048, 65537)
1098 .Digest(Digest::NONE)
1099 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1100 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1101 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1102 // One byte too long
1103 string message(2048 / 8 + 1, 'a');
1104 ASSERT_EQ(ErrorCode::OK,
1105 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1106 .Digest(Digest::NONE)
1107 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1108 string result;
1109 ErrorCode finish_error_code = Finish(message, &result);
1110 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1111 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1112
1113 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
1114 message = string(128 * 1024, 'a');
1115 ASSERT_EQ(ErrorCode::OK,
1116 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1117 .Digest(Digest::NONE)
1118 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1119 finish_error_code = Finish(message, &result);
1120 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1121 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1122}
1123
1124/*
1125 * SigningOperationsTest.RsaAbort
1126 *
1127 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
1128 * test, but the behavior should be algorithm and purpose-independent.
1129 */
1130TEST_P(SigningOperationsTest, RsaAbort) {
1131 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1132 .RsaSigningKey(2048, 65537)
1133 .Digest(Digest::NONE)
1134 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1135 .Padding(PaddingMode::NONE)
1136 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1137
1138 ASSERT_EQ(ErrorCode::OK,
1139 Begin(KeyPurpose::SIGN,
1140 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1141 EXPECT_EQ(ErrorCode::OK, Abort());
1142
1143 // Another abort should fail
1144 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
1145
1146 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]1147 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1148}
1149
1150/*
1151 * SigningOperationsTest.RsaUnsupportedPadding
1152 *
1153 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
1154 * with a padding mode inappropriate for RSA.
1155 */
1156TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
1157 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1158 .RsaSigningKey(2048, 65537)
1159 .Authorization(TAG_NO_AUTH_REQUIRED)
1160 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1161 .Padding(PaddingMode::PKCS7)
1162 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1163 ASSERT_EQ(
1164 ErrorCode::UNSUPPORTED_PADDING_MODE,
1165 Begin(KeyPurpose::SIGN,
1166 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
1167}
1168
1169/*
1170 * SigningOperationsTest.RsaPssNoDigest
1171 *
1172 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
1173 */
1174TEST_P(SigningOperationsTest, RsaNoDigest) {
1175 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1176 .RsaSigningKey(2048, 65537)
1177 .Authorization(TAG_NO_AUTH_REQUIRED)
1178 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1179 .Padding(PaddingMode::RSA_PSS)
1180 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1181 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
1182 Begin(KeyPurpose::SIGN,
1183 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
1184
1185 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1186 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
1187}
1188
1189/*
1190 * SigningOperationsTest.RsaPssNoDigest
1191 *
1192 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
1193 * supported in some cases (as validated in other tests), but a mode must be specified.
1194 */
1195TEST_P(SigningOperationsTest, RsaNoPadding) {
1196 // Padding must be specified
1197 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1198 .RsaKey(2048, 65537)
1199 .Authorization(TAG_NO_AUTH_REQUIRED)
1200 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1201 .Digest(Digest::NONE)
1202 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1203 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
1204 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
1205}
1206
1207/*
1208 * SigningOperationsTest.RsaShortMessage
1209 *
1210 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
1211 */
1212TEST_P(SigningOperationsTest, RsaTooShortMessage) {
1213 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1214 .Authorization(TAG_NO_AUTH_REQUIRED)
1215 .RsaSigningKey(2048, 65537)
1216 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1217 .Padding(PaddingMode::NONE)
1218 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1219
1220 // Barely shorter
1221 string message(2048 / 8 - 1, 'a');
1222 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1223
1224 // Much shorter
1225 message = "a";
1226 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1227}
1228
1229/*
1230 * SigningOperationsTest.RsaSignWithEncryptionKey
1231 *
1232 * Verifies that RSA encryption keys cannot be used to sign.
1233 */
1234TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
1235 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1236 .Authorization(TAG_NO_AUTH_REQUIRED)
1237 .RsaEncryptionKey(2048, 65537)
1238 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1239 .Padding(PaddingMode::NONE)
1240 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1241 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
1242 Begin(KeyPurpose::SIGN,
1243 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1244}
1245
1246/*
1247 * SigningOperationsTest.RsaSignTooLargeMessage
1248 *
1249 * Verifies that attempting a raw signature of a message which is the same length as the key,
1250 * but numerically larger than the public modulus, fails with the correct error.
1251 */
1252TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
1253 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1254 .Authorization(TAG_NO_AUTH_REQUIRED)
1255 .RsaSigningKey(2048, 65537)
1256 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1257 .Padding(PaddingMode::NONE)
1258 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1259
1260 // Largest possible message will always be larger than the public modulus.
1261 string message(2048 / 8, static_cast<char>(0xff));
1262 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1263 .Authorization(TAG_NO_AUTH_REQUIRED)
1264 .Digest(Digest::NONE)
1265 .Padding(PaddingMode::NONE)));
1266 string signature;
1267 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
1268}
1269
1270/*
1271 * SigningOperationsTest.EcdsaAllSizesAndHashes
1272 *
1273 * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
1274 */
1275TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
1276 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1277 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
1278 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1279 .Authorization(TAG_NO_AUTH_REQUIRED)
1280 .EcdsaSigningKey(key_size)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1281 .Digest(digest)
1282 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1283 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
1284 << " and digest " << digest;
1285 if (error != ErrorCode::OK) continue;
1286
1287 string message(1024, 'a');
1288 if (digest == Digest::NONE) message.resize(key_size / 8);
1289 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
1290 CheckedDeleteKey();
1291 }
1292 }
1293}
1294
1295/*
1296 * SigningOperationsTest.EcdsaAllCurves
1297 *
1298 * Verifies that ECDSA operations succeed with all possible curves.
1299 */
1300TEST_P(SigningOperationsTest, EcdsaAllCurves) {
1301 for (auto curve : ValidCurves()) {
1302 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1303 .Authorization(TAG_NO_AUTH_REQUIRED)
1304 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1305 .Digest(Digest::SHA_2_256)
1306 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1307 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
1308 if (error != ErrorCode::OK) continue;
1309
1310 string message(1024, 'a');
1311 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1312 CheckedDeleteKey();
1313 }
1314}
1315
1316/*
1317 * SigningOperationsTest.EcdsaNoDigestHugeData
1318 *
1319 * Verifies that ECDSA operations support very large messages, even without digesting. This
1320 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
1321 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
1322 * the framework.
1323 */
1324TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
1325 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1326 .Authorization(TAG_NO_AUTH_REQUIRED)
1327 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1328 .Digest(Digest::NONE)
1329 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1330 string message(1 * 1024, 'a');
1331 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
1332}
1333
1334/*
1335 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
1336 *
1337 * Verifies that using an EC key requires the correct app ID/data.
1338 */
1339TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
1340 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1341 .Authorization(TAG_NO_AUTH_REQUIRED)
1342 .EcdsaSigningKey(256)
1343 .Digest(Digest::NONE)
1344 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1345 .Authorization(TAG_APPLICATION_DATA, "appdata")
1346 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1347 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1348 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
1349 AbortIfNeeded();
1350 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1351 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1352 .Digest(Digest::NONE)
1353 .Authorization(TAG_APPLICATION_ID, "clientid")));
1354 AbortIfNeeded();
1355 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1356 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1357 .Digest(Digest::NONE)
1358 .Authorization(TAG_APPLICATION_DATA, "appdata")));
1359 AbortIfNeeded();
1360 EXPECT_EQ(ErrorCode::OK,
1361 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1362 .Digest(Digest::NONE)
1363 .Authorization(TAG_APPLICATION_DATA, "appdata")
1364 .Authorization(TAG_APPLICATION_ID, "clientid")));
1365 AbortIfNeeded();
1366}
1367
1368/*
1369 * SigningOperationsTest.AesEcbSign
1370 *
1371 * Verifies that attempts to use AES keys to sign fail in the correct way.
1372 */
1373TEST_P(SigningOperationsTest, AesEcbSign) {
1374 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1375 .Authorization(TAG_NO_AUTH_REQUIRED)
1376 .SigningKey()
1377 .AesEncryptionKey(128)
1378 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
1379
1380 AuthorizationSet out_params;
1381 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1382 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
1383 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1384 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
1385}
1386
1387/*
1388 * SigningOperationsTest.HmacAllDigests
1389 *
1390 * Verifies that HMAC works with all digests.
1391 */
1392TEST_P(SigningOperationsTest, HmacAllDigests) {
1393 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
1394 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1395 .Authorization(TAG_NO_AUTH_REQUIRED)
1396 .HmacKey(128)
1397 .Digest(digest)
1398 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
1399 << "Failed to create HMAC key with digest " << digest;
1400 string message = "12345678901234567890123456789012";
1401 string signature = MacMessage(message, digest, 160);
1402 EXPECT_EQ(160U / 8U, signature.size())
1403 << "Failed to sign with HMAC key with digest " << digest;
1404 CheckedDeleteKey();
1405 }
1406}
1407
1408/*
1409 * SigningOperationsTest.HmacSha256TooLargeMacLength
1410 *
1411 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
1412 * digest size.
1413 */
1414TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1415 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1416 .Authorization(TAG_NO_AUTH_REQUIRED)
1417 .HmacKey(128)
1418 .Digest(Digest::SHA_2_256)
1419 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1420 AuthorizationSet output_params;
1421 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
1422 AuthorizationSetBuilder()
1423 .Digest(Digest::SHA_2_256)
1424 .Authorization(TAG_MAC_LENGTH, 264),
1425 &output_params));
1426}
1427
1428/*
1429 * SigningOperationsTest.HmacSha256TooSmallMacLength
1430 *
1431 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
1432 * specified minimum MAC length.
1433 */
1434TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1435 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1436 .Authorization(TAG_NO_AUTH_REQUIRED)
1437 .HmacKey(128)
1438 .Digest(Digest::SHA_2_256)
1439 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1440 AuthorizationSet output_params;
1441 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
1442 AuthorizationSetBuilder()
1443 .Digest(Digest::SHA_2_256)
1444 .Authorization(TAG_MAC_LENGTH, 120),
1445 &output_params));
1446}
1447
1448/*
1449 * SigningOperationsTest.HmacRfc4231TestCase3
1450 *
1451 * Validates against the test vectors from RFC 4231 test case 3.
1452 */
1453TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
1454 string key(20, 0xaa);
1455 string message(50, 0xdd);
1456 uint8_t sha_224_expected[] = {
1457 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
1458 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
1459 };
1460 uint8_t sha_256_expected[] = {
1461 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
1462 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
1463 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
1464 };
1465 uint8_t sha_384_expected[] = {
1466 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
1467 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1468 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
1469 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
1470 };
1471 uint8_t sha_512_expected[] = {
1472 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
1473 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
1474 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
1475 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
1476 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
1477 };
1478
1479 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1480 if (SecLevel() != SecurityLevel::STRONGBOX) {
1481 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1482 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1483 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1484 }
1485}
1486
1487/*
1488 * SigningOperationsTest.HmacRfc4231TestCase5
1489 *
1490 * Validates against the test vectors from RFC 4231 test case 5.
1491 */
1492TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1493 string key(20, 0x0c);
1494 string message = "Test With Truncation";
1495
1496 uint8_t sha_224_expected[] = {
1497 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1498 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1499 };
1500 uint8_t sha_256_expected[] = {
1501 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1502 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1503 };
1504 uint8_t sha_384_expected[] = {
1505 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1506 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1507 };
1508 uint8_t sha_512_expected[] = {
1509 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1510 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1511 };
1512
1513 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1514 if (SecLevel() != SecurityLevel::STRONGBOX) {
1515 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1516 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1517 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1518 }
1519}
1520
1521INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
1522
1523typedef KeyMintAidlTestBase VerificationOperationsTest;
1524
1525/*
1526 * VerificationOperationsTest.RsaSuccess
1527 *
1528 * Verifies that a simple RSA signature/verification sequence succeeds.
1529 */
1530TEST_P(VerificationOperationsTest, RsaSuccess) {
1531 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1532 .Authorization(TAG_NO_AUTH_REQUIRED)
1533 .RsaSigningKey(2048, 65537)
1534 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1535 .Padding(PaddingMode::NONE)
1536 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1537 string message = "12345678901234567890123456789012";
1538 string signature = SignMessage(
1539 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1540 VerifyMessage(message, signature,
1541 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1542}
1543
1544/*
1545 * VerificationOperationsTest.RsaSuccess
1546 *
1547 * Verifies RSA signature/verification for all padding modes and digests.
1548 */
1549TEST_P(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
1550 auto authorizations = AuthorizationSetBuilder()
1551 .Authorization(TAG_NO_AUTH_REQUIRED)
1552 .RsaSigningKey(2048, 65537)
1553 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
1554 .Padding(PaddingMode::NONE)
1555 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1556 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1557 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1558
1559 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
1560
1561 string message(128, 'a');
1562 string corrupt_message(message);
1563 ++corrupt_message[corrupt_message.size() / 2];
1564
1565 for (auto padding :
1566 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
1567 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
1568 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
1569 // Digesting only makes sense with padding.
1570 continue;
1571 }
1572
1573 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
1574 // PSS requires digesting.
1575 continue;
1576 }
1577
1578 string signature =
1579 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
1580 VerifyMessage(message, signature,
1581 AuthorizationSetBuilder().Digest(digest).Padding(padding));
1582
1583 /* TODO(seleneh) add exportkey tests back later when we have decided on
1584 * the new api.
1585 if (digest != Digest::NONE) {
1586 // Verify with OpenSSL.
1587 vector<uint8_t> pubkey;
1588 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey));
1589
1590 const uint8_t* p = pubkey.data();
1591 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr, &p, pubkey.size()));
1592 ASSERT_TRUE(pkey.get());
1593
1594 EVP_MD_CTX digest_ctx;
1595 EVP_MD_CTX_init(&digest_ctx);
1596 EVP_PKEY_CTX* pkey_ctx;
1597 const EVP_MD* md = openssl_digest(digest);
1598 ASSERT_NE(md, nullptr);
1599 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md,
1600 nullptr, pkey.get()));
1601
1602 switch (padding) {
1603 case PaddingMode::RSA_PSS:
1604 EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx,
1605 RSA_PKCS1_PSS_PADDING), 0); EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx,
1606 EVP_MD_size(md)), 0); break; case PaddingMode::RSA_PKCS1_1_5_SIGN:
1607 // PKCS1 is the default; don't need to set anything.
1608 break;
1609 default:
1610 FAIL();
1611 break;
1612 }
1613
1614 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(),
1615 message.size())); EXPECT_EQ(1, EVP_DigestVerifyFinal(&digest_ctx,
1616 reinterpret_cast<const
1617 uint8_t*>(signature.data()), signature.size())); EVP_MD_CTX_cleanup(&digest_ctx);
1618 }
1619 */
1620
1621 // Corrupt signature shouldn't verify.
1622 string corrupt_signature(signature);
1623 ++corrupt_signature[corrupt_signature.size() / 2];
1624
1625 EXPECT_EQ(ErrorCode::OK,
1626 Begin(KeyPurpose::VERIFY,
1627 AuthorizationSetBuilder().Digest(digest).Padding(padding)));
1628 string result;
1629 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result));
1630
1631 // Corrupt message shouldn't verify
1632 EXPECT_EQ(ErrorCode::OK,
1633 Begin(KeyPurpose::VERIFY,
1634 AuthorizationSetBuilder().Digest(digest).Padding(padding)));
1635 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result));
1636 }
1637 }
1638}
1639
1640/*
1641 * VerificationOperationsTest.RsaSuccess
1642 *
1643 * Verifies ECDSA signature/verification for all digests and curves.
1644 */
1645TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
1646 auto digests = ValidDigests(true /* withNone */, false /* withMD5 */);
1647
1648 string message = "1234567890";
1649 string corrupt_message = "2234567890";
1650 for (auto curve : ValidCurves()) {
1651 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1652 .Authorization(TAG_NO_AUTH_REQUIRED)
1653 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1654 .Digest(digests)
1655 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1656 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
1657 if (error != ErrorCode::OK) {
1658 continue;
1659 }
1660
1661 for (auto digest : digests) {
1662 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
1663 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
1664
1665 /* TODO(seleneh) add exportkey tests back later when we have decided on
1666 * the new api.
1667
1668 // Verify with OpenSSL
1669 if (digest != Digest::NONE) {
1670 vector<uint8_t> pubkey;
1671 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey))
1672 << curve << ' ' << digest;
1673
1674 const uint8_t* p = pubkey.data();
1675 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr, &p, pubkey.size()));
1676 ASSERT_TRUE(pkey.get());
1677
1678 EVP_MD_CTX digest_ctx;
1679 EVP_MD_CTX_init(&digest_ctx);
1680 EVP_PKEY_CTX* pkey_ctx;
1681 const EVP_MD* md = openssl_digest(digest);
1682
1683 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md,
1684 nullptr, pkey.get()))
1685 << curve << ' ' << digest;
1686
1687 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(),
1688 message.size()))
1689 << curve << ' ' << digest;
1690
1691 EXPECT_EQ(1,
1692 EVP_DigestVerifyFinal(&digest_ctx,
1693 reinterpret_cast<const
1694 uint8_t*>(signature.data()), signature.size()))
1695 << curve << ' ' << digest;
1696
1697 EVP_MD_CTX_cleanup(&digest_ctx);
1698 }
1699 */
1700 // Corrupt signature shouldn't verify.
1701 string corrupt_signature(signature);
1702 ++corrupt_signature[corrupt_signature.size() / 2];
1703
1704 EXPECT_EQ(ErrorCode::OK,
1705 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
1706 << curve << ' ' << digest;
1707
1708 string result;
1709 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result))
1710 << curve << ' ' << digest;
1711
1712 // Corrupt message shouldn't verify
1713 EXPECT_EQ(ErrorCode::OK,
1714 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
1715 << curve << ' ' << digest;
1716
1717 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result))
1718 << curve << ' ' << digest;
1719 }
1720
1721 auto rc = DeleteKey();
1722 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
1723 }
1724}
1725
1726/*
1727 * VerificationOperationsTest.HmacSigningKeyCannotVerify
1728 *
1729 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
1730 */
1731TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
1732 string key_material = "HelloThisIsAKey";
1733
1734 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1735 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1736 EXPECT_EQ(ErrorCode::OK,
1737 ImportKey(AuthorizationSetBuilder()
1738 .Authorization(TAG_NO_AUTH_REQUIRED)
1739 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
1740 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
1741 .Digest(Digest::SHA_2_256)
1742 .Authorization(TAG_MIN_MAC_LENGTH, 160),
1743 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
1744 EXPECT_EQ(ErrorCode::OK,
1745 ImportKey(AuthorizationSetBuilder()
1746 .Authorization(TAG_NO_AUTH_REQUIRED)
1747 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
1748 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
1749 .Digest(Digest::SHA_2_256)
1750 .Authorization(TAG_MIN_MAC_LENGTH, 160),
1751 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
1752
1753 string message = "This is a message.";
1754 string signature = SignMessage(
1755 signing_key, message,
1756 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
1757
1758 // Signing key should not work.
1759 AuthorizationSet out_params;
1760 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
1761 Begin(KeyPurpose::VERIFY, signing_key,
1762 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
1763
1764 // Verification key should work.
1765 VerifyMessage(verification_key, message, signature,
1766 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1767
1768 CheckedDeleteKey(&signing_key);
1769 CheckedDeleteKey(&verification_key);
1770}
1771
1772INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
1773
1774typedef KeyMintAidlTestBase ExportKeyTest;
1775
1776/*
1777 * ExportKeyTest.RsaUnsupportedKeyFormat
1778 *
1779 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
1780 */
1781// TODO(seleneh) add ExportKey to GenerateKey
1782// check result
1783
1784class ImportKeyTest : public KeyMintAidlTestBase {
1785 public:
1786 template <TagType tag_type, Tag tag, typename ValueT>
1787 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
1788 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1789 for (auto& entry : key_characteristics_) {
1790 if (entry.securityLevel == SecLevel()) {
1791 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
1792 << "Tag " << tag << " with value " << expected
1793 << " not found at security level" << entry.securityLevel;
1794 } else {
1795 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
1796 << "Tag " << tag << " found at security level " << entry.securityLevel;
1797 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1798 }
1799 }
1800
1801 void CheckOrigin() {
1802 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1803 // Origin isn't a crypto param, but it always lives with them.
1804 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1805 }
1806};
1807
1808/*
1809 * ImportKeyTest.RsaSuccess
1810 *
1811 * Verifies that importing and using an RSA key pair works correctly.
1812 */
1813TEST_P(ImportKeyTest, RsaSuccess) {
1814 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1815 .Authorization(TAG_NO_AUTH_REQUIRED)
1816 .RsaSigningKey(1024, 65537)
1817 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1818 .Padding(PaddingMode::RSA_PSS)
1819 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1820 KeyFormat::PKCS8, rsa_key));
1821
1822 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
1823 CheckCryptoParam(TAG_KEY_SIZE, 1024U);
1824 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
1825 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1826 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
1827 CheckOrigin();
1828
1829 string message(1024 / 8, 'a');
1830 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
1831 string signature = SignMessage(message, params);
1832 VerifyMessage(message, signature, params);
1833}
1834
1835/*
1836 * ImportKeyTest.RsaKeySizeMismatch
1837 *
1838 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
1839 * correct way.
1840 */
1841TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1842 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1843 ImportKey(AuthorizationSetBuilder()
1844 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
1845 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1846 .Padding(PaddingMode::NONE)
1847 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1848 KeyFormat::PKCS8, rsa_key));
1849}
1850
1851/*
1852 * ImportKeyTest.RsaPublicExponentMismatch
1853 *
1854 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
1855 * fails in the correct way.
1856 */
1857TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
1858 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1859 ImportKey(AuthorizationSetBuilder()
1860 .RsaSigningKey(1024, 3 /* Doesn't match key */)
1861 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1862 .Padding(PaddingMode::NONE)
1863 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1864 KeyFormat::PKCS8, rsa_key));
1865}
1866
1867/*
1868 * ImportKeyTest.EcdsaSuccess
1869 *
1870 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
1871 */
1872TEST_P(ImportKeyTest, EcdsaSuccess) {
1873 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1874 .Authorization(TAG_NO_AUTH_REQUIRED)
1875 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1876 .Digest(Digest::SHA_2_256)
1877 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1878 KeyFormat::PKCS8, ec_256_key));
1879
1880 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1881 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1882 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1883 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1884
1885 CheckOrigin();
1886
1887 string message(32, 'a');
1888 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1889 string signature = SignMessage(message, params);
1890 VerifyMessage(message, signature, params);
1891}
1892
1893/*
1894 * ImportKeyTest.EcdsaP256RFC5915Success
1895 *
1896 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
1897 * correctly.
1898 */
1899TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
1900 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1901 .Authorization(TAG_NO_AUTH_REQUIRED)
1902 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1903 .Digest(Digest::SHA_2_256)
1904 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1905 KeyFormat::PKCS8, ec_256_key_rfc5915));
1906
1907 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1908 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1909 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1910 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1911
1912 CheckOrigin();
1913
1914 string message(32, 'a');
1915 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1916 string signature = SignMessage(message, params);
1917 VerifyMessage(message, signature, params);
1918}
1919
1920/*
1921 * ImportKeyTest.EcdsaP256SEC1Success
1922 *
1923 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
1924 */
1925TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
1926 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1927 .Authorization(TAG_NO_AUTH_REQUIRED)
1928 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1929 .Digest(Digest::SHA_2_256)
1930 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1931 KeyFormat::PKCS8, ec_256_key_sec1));
1932
1933 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1934 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1935 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1936 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1937
1938 CheckOrigin();
1939
1940 string message(32, 'a');
1941 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1942 string signature = SignMessage(message, params);
1943 VerifyMessage(message, signature, params);
1944}
1945
1946/*
1947 * ImportKeyTest.Ecdsa521Success
1948 *
1949 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
1950 */
1951TEST_P(ImportKeyTest, Ecdsa521Success) {
1952 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1953 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1954 .Authorization(TAG_NO_AUTH_REQUIRED)
1955 .EcdsaSigningKey(521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1956 .Digest(Digest::SHA_2_256)
1957 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1958 KeyFormat::PKCS8, ec_521_key));
1959
1960 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1961 CheckCryptoParam(TAG_KEY_SIZE, 521U);
1962 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1963 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
1964 CheckOrigin();
1965
1966 string message(32, 'a');
1967 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1968 string signature = SignMessage(message, params);
1969 VerifyMessage(message, signature, params);
1970}
1971
1972/*
1973 * ImportKeyTest.EcdsaSizeMismatch
1974 *
1975 * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the
1976 * correct way.
1977 */
1978TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1979 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1980 ImportKey(AuthorizationSetBuilder()
1981 .EcdsaSigningKey(224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1982 .Digest(Digest::NONE)
1983 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1984 KeyFormat::PKCS8, ec_256_key));
1985}
1986
1987/*
1988 * ImportKeyTest.EcdsaCurveMismatch
1989 *
1990 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
1991 * the correct way.
1992 */
1993TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
1994 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1995 ImportKey(AuthorizationSetBuilder()
1996 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1997 .Digest(Digest::NONE)
1998 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1999 KeyFormat::PKCS8, ec_256_key));
2000}
2001
2002/*
2003 * ImportKeyTest.AesSuccess
2004 *
2005 * Verifies that importing and using an AES key works.
2006 */
2007TEST_P(ImportKeyTest, AesSuccess) {
2008 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
2009 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2010 .Authorization(TAG_NO_AUTH_REQUIRED)
2011 .AesEncryptionKey(key.size() * 8)
2012 .EcbMode()
2013 .Padding(PaddingMode::PKCS7),
2014 KeyFormat::RAW, key));
2015
2016 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
2017 CheckCryptoParam(TAG_KEY_SIZE, 128U);
2018 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
2019 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
2020 CheckOrigin();
2021
2022 string message = "Hello World!";
2023 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2024 string ciphertext = EncryptMessage(message, params);
2025 string plaintext = DecryptMessage(ciphertext, params);
2026 EXPECT_EQ(message, plaintext);
2027}
2028
2029/*
2030 * ImportKeyTest.AesSuccess
2031 *
2032 * Verifies that importing and using an HMAC key works.
2033 */
2034TEST_P(ImportKeyTest, HmacKeySuccess) {
2035 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
2036 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2037 .Authorization(TAG_NO_AUTH_REQUIRED)
2038 .HmacKey(key.size() * 8)
2039 .Digest(Digest::SHA_2_256)
2040 .Authorization(TAG_MIN_MAC_LENGTH, 256),
2041 KeyFormat::RAW, key));
2042
2043 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
2044 CheckCryptoParam(TAG_KEY_SIZE, 128U);
2045 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2046 CheckOrigin();
2047
2048 string message = "Hello World!";
2049 string signature = MacMessage(message, Digest::SHA_2_256, 256);
2050 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
2051}
2052
2053INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
2054
2055auto wrapped_key = hex2str(
2056 "3082017902010004820100934bf94e2aa28a3f83c9f79297250262fbe3276b5a1c91159bbfa3ef8957aac8"
2057 "4b59b30b455a79c2973480823d8b3863c3deef4a8e243590268d80e18751a0e130f67ce6a1ace9f79b95e0"
2058 "97474febc981195b1d13a69086c0863f66a7b7fdb48792227b1ac5e2489febdf087ab5486483033a6f001c"
2059 "a5d1ec1e27f5c30f4cec2642074a39ae68aee552e196627a8e3d867e67a8c01b11e75f13cca0a97ab668b5"
2060 "0cda07a8ecb7cd8e3dd7009c9636534f6f239cffe1fc8daa466f78b676c7119efb96bce4e69ca2a25d0b34"
2061 "ed9c3ff999b801597d5220e307eaa5bee507fb94d1fa69f9e519b2de315bac92c36f2ea1fa1df4478c0dde"
2062 "deae8c70e0233cd098040cd796b02c370f1fa4cc0124f1302e0201033029a1083106020100020101a20302"
2063 "0120a30402020100a4053103020101a6053103020140bf83770205000420ccd540855f833a5e1480bfd2d3"
2064 "6faf3aeee15df5beabe2691bc82dde2a7aa910041064c9f689c60ff6223ab6e6999e0eb6e5");
2065
2066auto wrapped_key_masked = hex2str(
2067 "3082017902010004820100aad93ed5924f283b4bb5526fbe7a1412f9d9749ec30db9062b29e574a8546f33"
2068 "c88732452f5b8e6a391ee76c39ed1712c61d8df6213dec1cffbc17a8c6d04c7b30893d8daa9b2015213e21"
2069 "946821553207f8f9931c4caba23ed3bee28b36947e47f10e0a5c3dc51c988a628daad3e5e1f4005e79c2d5"
2070 "a96c284b4b8d7e4948f331e5b85dd5a236f85579f3ea1d1b848487470bdb0ab4f81a12bee42c99fe0df4be"
2071 "e3759453e69ad1d68a809ce06b949f7694a990429b2fe81e066ff43e56a21602db70757922a4bcc23ab89f"
2072 "1e35da77586775f423e519c2ea394caf48a28d0c8020f1dcf6b3a68ec246f615ae96dae9a079b1f6eb9590"
2073 "33c1af5c125fd94168040c6d9721d08589581ab49204a3302e0201033029a1083106020100020101a20302"
2074 "0120a30402020100a4053103020101a6053103020140bf83770205000420a61c6e247e25b3e6e69aa78eb0"
2075 "3c2d4ac20d1f99a9a024a76f35c8e2cab9b68d04102560c70109ae67c030f00b98b512a670");
2076
2077auto wrapping_key = hex2str(
2078 "308204be020100300d06092a864886f70d0101010500048204a8308204a40201000282010100aec367931d"
2079 "8900ce56b0067f7d70e1fc653f3f34d194c1fed50018fb43db937b06e673a837313d56b1c725150a3fef86"
2080 "acbddc41bb759c2854eae32d35841efb5c18d82bc90a1cb5c1d55adf245b02911f0b7cda88c421ff0ebafe"
2081 "7c0d23be312d7bd5921ffaea1347c157406fef718f682643e4e5d33c6703d61c0cf7ac0bf4645c11f5c137"
2082 "4c3886427411c449796792e0bef75dec858a2123c36753e02a95a96d7c454b504de385a642e0dfc3e60ac3"
2083 "a7ee4991d0d48b0172a95f9536f02ba13cecccb92b727db5c27e5b2f5cec09600b286af5cf14c42024c61d"
2084 "dfe71c2a8d7458f185234cb00e01d282f10f8fc6721d2aed3f4833cca2bd8fa62821dd5502030100010282"
2085 "0100431447b6251908112b1ee76f99f3711a52b6630960046c2de70de188d833f8b8b91e4d785caeeeaf4f"
2086 "0f74414e2cda40641f7fe24f14c67a88959bdb27766df9e710b630a03adc683b5d2c43080e52bee71e9eae"
2087 "b6de297a5fea1072070d181c822bccff087d63c940ba8a45f670feb29fb4484d1c95e6d2579ba02aae0a00"
2088 "900c3ebf490e3d2cd7ee8d0e20c536e4dc5a5097272888cddd7e91f228b1c4d7474c55b8fcd618c4a957bb"
2089 "ddd5ad7407cc312d8d98a5caf7e08f4a0d6b45bb41c652659d5a5ba05b663737a8696281865ba20fbdd7f8"
2090 "51e6c56e8cbe0ddbbf24dc03b2d2cb4c3d540fb0af52e034a2d06698b128e5f101e3b51a34f8d8b4f86181"
2091 "02818100de392e18d682c829266cc3454e1d6166242f32d9a1d10577753e904ea7d08bff841be5bac82a16"
2092 "4c5970007047b8c517db8f8f84e37bd5988561bdf503d4dc2bdb38f885434ae42c355f725c9a60f91f0788"
2093 "e1f1a97223b524b5357fdf72e2f696bab7d78e32bf92ba8e1864eab1229e91346130748a6e3c124f9149d7"
2094 "1c743502818100c95387c0f9d35f137b57d0d65c397c5e21cc251e47008ed62a542409c8b6b6ac7f8967b3"
2095 "863ca645fcce49582a9aa17349db6c4a95affdae0dae612e1afac99ed39a2d934c880440aed8832f984316"
2096 "3a47f27f392199dc1202f9a0f9bd08308007cb1e4e7f58309366a7de25f7c3c9b880677c068e1be936e812"
2097 "88815252a8a102818057ff8ca1895080b2cae486ef0adfd791fb0235c0b8b36cd6c136e52e4085f4ea5a06"
2098 "3212a4f105a3764743e53281988aba073f6e0027298e1c4378556e0efca0e14ece1af76ad0b030f27af6f0"
2099 "ab35fb73a060d8b1a0e142fa2647e93b32e36d8282ae0a4de50ab7afe85500a16f43a64719d6e2b9439823"
2100 "719cd08bcd03178102818100ba73b0bb28e3f81e9bd1c568713b101241acc607976c4ddccc90e65b6556ca"
2101 "31516058f92b6e09f3b160ff0e374ec40d78ae4d4979fde6ac06a1a400c61dd31254186af30b22c10582a8"
2102 "a43e34fe949c5f3b9755bae7baa7b7b7a6bd03b38cef55c86885fc6c1978b9cee7ef33da507c9df6b9277c"
2103 "ff1e6aaa5d57aca528466102818100c931617c77829dfb1270502be9195c8f2830885f57dba869536811e6"
2104 "864236d0c4736a0008a145af36b8357a7c3d139966d04c4e00934ea1aede3bb6b8ec841dc95e3f579751e2"
2105 "bfdfe27ae778983f959356210723287b0affcc9f727044d48c373f1babde0724fa17a4fd4da0902c7c9b9b"
2106 "f27ba61be6ad02dfddda8f4e6822");
2107
2108string zero_masking_key =
2109 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
2110string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
2111
2112class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
2113
2114TEST_P(ImportWrappedKeyTest, Success) {
2115 auto wrapping_key_desc = AuthorizationSetBuilder()
2116 .RsaEncryptionKey(2048, 65537)
2117 .Digest(Digest::SHA_2_256)
2118 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2119 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2120 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2121
2122 ASSERT_EQ(ErrorCode::OK,
2123 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
2124 AuthorizationSetBuilder()
2125 .Digest(Digest::SHA_2_256)
2126 .Padding(PaddingMode::RSA_OAEP)));
2127
2128 string message = "Hello World!";
2129 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2130 string ciphertext = EncryptMessage(message, params);
2131 string plaintext = DecryptMessage(ciphertext, params);
2132 EXPECT_EQ(message, plaintext);
2133}
2134
2135TEST_P(ImportWrappedKeyTest, SuccessMasked) {
2136 auto wrapping_key_desc = AuthorizationSetBuilder()
2137 .RsaEncryptionKey(2048, 65537)
2138 .Digest(Digest::SHA_2_256)
2139 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2140 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2141 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2142
2143 ASSERT_EQ(ErrorCode::OK,
2144 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
2145 AuthorizationSetBuilder()
2146 .Digest(Digest::SHA_2_256)
2147 .Padding(PaddingMode::RSA_OAEP)));
2148}
2149
2150TEST_P(ImportWrappedKeyTest, WrongMask) {
2151 auto wrapping_key_desc = AuthorizationSetBuilder()
2152 .RsaEncryptionKey(2048, 65537)
2153 .Digest(Digest::SHA_2_256)
2154 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2155 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2156 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2157
2158 ASSERT_EQ(
2159 ErrorCode::VERIFICATION_FAILED,
2160 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
2161 AuthorizationSetBuilder()
2162 .Digest(Digest::SHA_2_256)
2163 .Padding(PaddingMode::RSA_OAEP)));
2164}
2165
2166TEST_P(ImportWrappedKeyTest, WrongPurpose) {
2167 auto wrapping_key_desc = AuthorizationSetBuilder()
2168 .RsaEncryptionKey(2048, 65537)
2169 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2170 .Padding(PaddingMode::RSA_OAEP)
2171 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2172
2173 ASSERT_EQ(
2174 ErrorCode::INCOMPATIBLE_PURPOSE,
2175 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
2176 AuthorizationSetBuilder()
2177 .Digest(Digest::SHA_2_256)
2178 .Padding(PaddingMode::RSA_OAEP)));
2179}
2180
2181INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
2182
2183typedef KeyMintAidlTestBase EncryptionOperationsTest;
2184
2185/*
2186 * EncryptionOperationsTest.RsaNoPaddingSuccess
2187 *
2188 * Verifies that raw RSA encryption works.
2189 */
2190TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
2191 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2192 .Authorization(TAG_NO_AUTH_REQUIRED)
2193 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2194 .Padding(PaddingMode::NONE)
2195 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2196
2197 string message = string(2048 / 8, 'a');
2198 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2199 string ciphertext1 = EncryptMessage(message, params);
2200 EXPECT_EQ(2048U / 8, ciphertext1.size());
2201
2202 string ciphertext2 = EncryptMessage(message, params);
2203 EXPECT_EQ(2048U / 8, ciphertext2.size());
2204
2205 // Unpadded RSA is deterministic
2206 EXPECT_EQ(ciphertext1, ciphertext2);
2207}
2208
2209/*
2210 * EncryptionOperationsTest.RsaNoPaddingShortMessage
2211 *
2212 * Verifies that raw RSA encryption of short messages works.
2213 */
2214TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
2215 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2216 .Authorization(TAG_NO_AUTH_REQUIRED)
2217 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2218 .Padding(PaddingMode::NONE)
2219 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2220
2221 string message = "1";
2222 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2223
2224 string ciphertext = EncryptMessage(message, params);
2225 EXPECT_EQ(2048U / 8, ciphertext.size());
2226
2227 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
2228 string plaintext = DecryptMessage(ciphertext, params);
2229
2230 EXPECT_EQ(expected_plaintext, plaintext);
2231
2232 // Degenerate case, encrypting a numeric 1 yields 0x00..01 as the ciphertext.
2233 message = static_cast<char>(1);
2234 ciphertext = EncryptMessage(message, params);
2235 EXPECT_EQ(2048U / 8, ciphertext.size());
2236 EXPECT_EQ(ciphertext, string(2048U / 8 - 1, 0) + message);
2237}
2238
2239/*
2240 * EncryptionOperationsTest.RsaNoPaddingTooLong
2241 *
2242 * Verifies that raw RSA encryption of too-long messages fails in the expected way.
2243 */
2244TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
2245 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2246 .Authorization(TAG_NO_AUTH_REQUIRED)
2247 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2248 .Padding(PaddingMode::NONE)
2249 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2250
2251 string message(2048 / 8 + 1, 'a');
2252
2253 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2254 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2255
2256 string result;
2257 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
2258}
2259
2260/*
2261 * EncryptionOperationsTest.RsaNoPaddingTooLarge
2262 *
2263 * Verifies that raw RSA encryption of too-large (numerically) messages fails in the expected
2264 * way.
2265 */
2266// TODO(seleneh) add RsaNoPaddingTooLarge test back after decided and implemented new
2267// version of ExportKey inside generateKey
2268
2269/*
2270 * EncryptionOperationsTest.RsaOaepSuccess
2271 *
2272 * Verifies that RSA-OAEP encryption operations work, with all digests.
2273 */
2274TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2275 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
2276
2277 size_t key_size = 2048; // Need largish key for SHA-512 test.
2278 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2279 .Authorization(TAG_NO_AUTH_REQUIRED)
2280 .RsaEncryptionKey(key_size, 65537)
2281 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2282 .Digest(digests)
2283 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2284
2285 string message = "Hello";
2286
2287 for (auto digest : digests) {
2288 auto params = AuthorizationSetBuilder().Digest(digest).Padding(PaddingMode::RSA_OAEP);
2289 string ciphertext1 = EncryptMessage(message, params);
2290 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
2291 EXPECT_EQ(key_size / 8, ciphertext1.size());
2292
2293 string ciphertext2 = EncryptMessage(message, params);
2294 EXPECT_EQ(key_size / 8, ciphertext2.size());
2295
2296 // OAEP randomizes padding so every result should be different (with astronomically high
2297 // probability).
2298 EXPECT_NE(ciphertext1, ciphertext2);
2299
2300 string plaintext1 = DecryptMessage(ciphertext1, params);
2301 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
2302 string plaintext2 = DecryptMessage(ciphertext2, params);
2303 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
2304
2305 // Decrypting corrupted ciphertext should fail.
2306 size_t offset_to_corrupt = random() % ciphertext1.size();
2307 char corrupt_byte;
2308 do {
2309 corrupt_byte = static_cast<char>(random() % 256);
2310 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2311 ciphertext1[offset_to_corrupt] = corrupt_byte;
2312
2313 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2314 string result;
2315 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2316 EXPECT_EQ(0U, result.size());
2317 }
2318}
2319
2320/*
2321 * EncryptionOperationsTest.RsaOaepInvalidDigest
2322 *
2323 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2324 * without a digest.
2325 */
2326TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2327 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2328 .Authorization(TAG_NO_AUTH_REQUIRED)
2329 .RsaEncryptionKey(2048, 65537)
2330 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2331 .Digest(Digest::NONE)
2332 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2333 string message = "Hello World!";
2334
2335 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
2336 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2337}
2338
2339/*
2340 * EncryptionOperationsTest.RsaOaepInvalidDigest
2341 *
2342 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to decrypt
2343 * with a different digest than was used to encrypt.
2344 */
2345TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2346 if (SecLevel() == SecurityLevel::STRONGBOX) return;
2347
2348 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2349 .Authorization(TAG_NO_AUTH_REQUIRED)
2350 .RsaEncryptionKey(1024, 65537)
2351 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2352 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
2353 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2354 string message = "Hello World!";
2355 string ciphertext = EncryptMessage(
2356 message,
2357 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
2358
2359 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
2360 .Digest(Digest::SHA_2_256)
2361 .Padding(PaddingMode::RSA_OAEP)));
2362 string result;
2363 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
2364 EXPECT_EQ(0U, result.size());
2365}
2366
2367/*
2368 * EncryptionOperationsTest.RsaOaepTooLarge
2369 *
2370 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to encrypt a
2371 * too-large message.
2372 */
2373TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2374 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2375 .Authorization(TAG_NO_AUTH_REQUIRED)
2376 .RsaEncryptionKey(2048, 65537)
2377 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2378 .Digest(Digest::SHA_2_256)
2379 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2380 constexpr size_t digest_size = 256 /* SHA_2_256 */ / 8;
2381 constexpr size_t oaep_overhead = 2 * digest_size + 2;
2382 string message(2048 / 8 - oaep_overhead + 1, 'a');
2383 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
2384 .Padding(PaddingMode::RSA_OAEP)
2385 .Digest(Digest::SHA_2_256)));
2386 string result;
2387 ErrorCode error = Finish(message, &result);
2388 EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2389 EXPECT_EQ(0U, result.size());
2390}
2391
2392/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2393 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
2394 *
2395 * Verifies that RSA-OAEP encryption operations work, with all SHA 256 digests and all type of MGF1
2396 * digests.
2397 */
2398TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
2399 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
2400
2401 size_t key_size = 2048; // Need largish key for SHA-512 test.
2402 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2403 .OaepMGFDigest(digests)
2404 .Authorization(TAG_NO_AUTH_REQUIRED)
2405 .RsaEncryptionKey(key_size, 65537)
2406 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2407 .Digest(Digest::SHA_2_256)
2408 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2409
2410 string message = "Hello";
2411
2412 for (auto digest : digests) {
2413 auto params = AuthorizationSetBuilder()
2414 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
2415 .Digest(Digest::SHA_2_256)
2416 .Padding(PaddingMode::RSA_OAEP);
2417 string ciphertext1 = EncryptMessage(message, params);
2418 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
2419 EXPECT_EQ(key_size / 8, ciphertext1.size());
2420
2421 string ciphertext2 = EncryptMessage(message, params);
2422 EXPECT_EQ(key_size / 8, ciphertext2.size());
2423
2424 // OAEP randomizes padding so every result should be different (with astronomically high
2425 // probability).
2426 EXPECT_NE(ciphertext1, ciphertext2);
2427
2428 string plaintext1 = DecryptMessage(ciphertext1, params);
2429 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
2430 string plaintext2 = DecryptMessage(ciphertext2, params);
2431 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
2432
2433 // Decrypting corrupted ciphertext should fail.
2434 size_t offset_to_corrupt = random() % ciphertext1.size();
2435 char corrupt_byte;
2436 do {
2437 corrupt_byte = static_cast<char>(random() % 256);
2438 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2439 ciphertext1[offset_to_corrupt] = corrupt_byte;
2440
2441 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2442 string result;
2443 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2444 EXPECT_EQ(0U, result.size());
2445 }
2446}
2447
2448/*
2449 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
2450 *
2451 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2452 * with incompatible MGF digest.
2453 */
2454TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
2455 ASSERT_EQ(ErrorCode::OK,
2456 GenerateKey(AuthorizationSetBuilder()
2457 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
2458 .Authorization(TAG_NO_AUTH_REQUIRED)
2459 .RsaEncryptionKey(2048, 65537)
2460 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2461 .Digest(Digest::SHA_2_256)
2462 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2463 string message = "Hello World!";
2464
2465 auto params = AuthorizationSetBuilder()
2466 .Padding(PaddingMode::RSA_OAEP)
2467 .Digest(Digest::SHA_2_256)
2468 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
2469 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2470}
2471
2472/*
2473 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
2474 *
2475 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2476 * with unsupported MGF digest.
2477 */
2478TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
2479 ASSERT_EQ(ErrorCode::OK,
2480 GenerateKey(AuthorizationSetBuilder()
2481 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
2482 .Authorization(TAG_NO_AUTH_REQUIRED)
2483 .RsaEncryptionKey(2048, 65537)
2484 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2485 .Digest(Digest::SHA_2_256)
2486 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2487 string message = "Hello World!";
2488
2489 auto params = AuthorizationSetBuilder()
2490 .Padding(PaddingMode::RSA_OAEP)
2491 .Digest(Digest::SHA_2_256)
2492 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
2493 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2494}
2495
2496/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2497 * EncryptionOperationsTest.RsaPkcs1Success
2498 *
2499 * Verifies that RSA PKCS encryption/decrypts works.
2500 */
2501TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2502 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2503 .Authorization(TAG_NO_AUTH_REQUIRED)
2504 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2505 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
2506 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2507
2508 string message = "Hello World!";
2509 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2510 string ciphertext1 = EncryptMessage(message, params);
2511 EXPECT_EQ(2048U / 8, ciphertext1.size());
2512
2513 string ciphertext2 = EncryptMessage(message, params);
2514 EXPECT_EQ(2048U / 8, ciphertext2.size());
2515
2516 // PKCS1 v1.5 randomizes padding so every result should be different.
2517 EXPECT_NE(ciphertext1, ciphertext2);
2518
2519 string plaintext = DecryptMessage(ciphertext1, params);
2520 EXPECT_EQ(message, plaintext);
2521
2522 // Decrypting corrupted ciphertext should fail.
2523 size_t offset_to_corrupt = random() % ciphertext1.size();
2524 char corrupt_byte;
2525 do {
2526 corrupt_byte = static_cast<char>(random() % 256);
2527 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2528 ciphertext1[offset_to_corrupt] = corrupt_byte;
2529
2530 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2531 string result;
2532 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2533 EXPECT_EQ(0U, result.size());
2534}
2535
2536/*
2537 * EncryptionOperationsTest.RsaPkcs1TooLarge
2538 *
2539 * Verifies that RSA PKCS encryption fails in the correct way when the mssage is too large.
2540 */
2541TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2542 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2543 .Authorization(TAG_NO_AUTH_REQUIRED)
2544 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2545 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
2546 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2547 string message(2048 / 8 - 10, 'a');
2548
2549 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2550 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2551 string result;
2552 ErrorCode error = Finish(message, &result);
2553 EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2554 EXPECT_EQ(0U, result.size());
2555}
2556
2557/*
2558 * EncryptionOperationsTest.EcdsaEncrypt
2559 *
2560 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
2561 */
2562TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2563 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2564 .Authorization(TAG_NO_AUTH_REQUIRED)
2565 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2566 .Digest(Digest::NONE)
2567 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2568 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
2569 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
2570 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
2571}
2572
2573/*
2574 * EncryptionOperationsTest.HmacEncrypt
2575 *
2576 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
2577 */
2578TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2579 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2580 .Authorization(TAG_NO_AUTH_REQUIRED)
2581 .HmacKey(128)
2582 .Digest(Digest::SHA_2_256)
2583 .Padding(PaddingMode::NONE)
2584 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2585 auto params = AuthorizationSetBuilder()
2586 .Digest(Digest::SHA_2_256)
2587 .Padding(PaddingMode::NONE)
2588 .Authorization(TAG_MAC_LENGTH, 128);
2589 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
2590 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
2591}
2592
2593/*
2594 * EncryptionOperationsTest.AesEcbRoundTripSuccess
2595 *
2596 * Verifies that AES ECB mode works.
2597 */
2598TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2599 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2600 .Authorization(TAG_NO_AUTH_REQUIRED)
2601 .AesEncryptionKey(128)
2602 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2603 .Padding(PaddingMode::NONE)));
2604
2605 ASSERT_GT(key_blob_.size(), 0U);
2606 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2607
2608 // Two-block message.
2609 string message = "12345678901234567890123456789012";
2610 string ciphertext1 = EncryptMessage(message, params);
2611 EXPECT_EQ(message.size(), ciphertext1.size());
2612
2613 string ciphertext2 = EncryptMessage(string(message), params);
2614 EXPECT_EQ(message.size(), ciphertext2.size());
2615
2616 // ECB is deterministic.
2617 EXPECT_EQ(ciphertext1, ciphertext2);
2618
2619 string plaintext = DecryptMessage(ciphertext1, params);
2620 EXPECT_EQ(message, plaintext);
2621}
2622
2623/*
2624 * EncryptionOperationsTest.AesEcbRoundTripSuccess
2625 *
2626 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
2627 */
2628TEST_P(EncryptionOperationsTest, AesWrongMode) {
2629 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2630 .Authorization(TAG_NO_AUTH_REQUIRED)
2631 .AesEncryptionKey(128)
2632 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
2633 .Padding(PaddingMode::NONE)));
2634
2635 ASSERT_GT(key_blob_.size(), 0U);
2636
2637 // Two-block message.
2638 string message = "12345678901234567890123456789012";
2639 EXPECT_EQ(
2640 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
2641 Begin(KeyPurpose::ENCRYPT,
2642 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
2643}
2644
2645/*
2646 * EncryptionOperationsTest.AesWrongPurpose
2647 *
2648 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
2649 * specified.
2650 */
2651TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
2652 auto err = GenerateKey(AuthorizationSetBuilder()
2653 .Authorization(TAG_NO_AUTH_REQUIRED)
2654 .AesKey(128)
2655 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
2656 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
2657 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2658 .Padding(PaddingMode::NONE));
2659 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
2660 ASSERT_GT(key_blob_.size(), 0U);
2661
2662 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
2663 .BlockMode(BlockMode::GCM)
2664 .Padding(PaddingMode::NONE)
2665 .Authorization(TAG_MAC_LENGTH, 128));
2666 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
2667
2668 CheckedDeleteKey();
2669
2670 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2671 .Authorization(TAG_NO_AUTH_REQUIRED)
2672 .AesKey(128)
2673 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
2674 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
2675 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2676 .Padding(PaddingMode::NONE)));
2677
2678 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
2679 .BlockMode(BlockMode::GCM)
2680 .Padding(PaddingMode::NONE)
2681 .Authorization(TAG_MAC_LENGTH, 128));
2682 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
2683}
2684
2685/*
2686 * EncryptionOperationsTest.AesEcbNoPaddingWrongInputSize
2687 *
2688 * Verifies that AES encryption fails in the correct way when provided an input that is not a
2689 * multiple of the block size and no padding is specified.
2690 */
2691TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2692 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2693 .Authorization(TAG_NO_AUTH_REQUIRED)
2694 .AesEncryptionKey(128)
2695 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2696 .Padding(PaddingMode::NONE)));
2697 // Message is slightly shorter than two blocks.
2698 string message(16 * 2 - 1, 'a');
2699
2700 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2701 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2702 string ciphertext;
2703 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
2704 EXPECT_EQ(0U, ciphertext.size());
2705}
2706
2707/*
2708 * EncryptionOperationsTest.AesEcbPkcs7Padding
2709 *
2710 * Verifies that AES PKCS7 padding works for any message length.
2711 */
2712TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2713 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2714 .Authorization(TAG_NO_AUTH_REQUIRED)
2715 .AesEncryptionKey(128)
2716 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2717 .Padding(PaddingMode::PKCS7)));
2718
2719 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2720
2721 // Try various message lengths; all should work.
2722 for (size_t i = 0; i < 32; ++i) {
2723 string message(i, 'a');
2724 string ciphertext = EncryptMessage(message, params);
2725 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2726 string plaintext = DecryptMessage(ciphertext, params);
2727 EXPECT_EQ(message, plaintext);
2728 }
2729}
2730
2731/*
2732 * EncryptionOperationsTest.AesEcbWrongPadding
2733 *
2734 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
2735 * specified.
2736 */
2737TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
2738 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2739 .Authorization(TAG_NO_AUTH_REQUIRED)
2740 .AesEncryptionKey(128)
2741 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2742 .Padding(PaddingMode::NONE)));
2743
2744 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2745
2746 // Try various message lengths; all should fail
2747 for (size_t i = 0; i < 32; ++i) {
2748 string message(i, 'a');
2749 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
2750 }
2751}
2752
2753/*
2754 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
2755 *
2756 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
2757 */
2758TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2759 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2760 .Authorization(TAG_NO_AUTH_REQUIRED)
2761 .AesEncryptionKey(128)
2762 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2763 .Padding(PaddingMode::PKCS7)));
2764
2765 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2766
2767 string message = "a";
2768 string ciphertext = EncryptMessage(message, params);
2769 EXPECT_EQ(16U, ciphertext.size());
2770 EXPECT_NE(ciphertext, message);
2771 ++ciphertext[ciphertext.size() / 2];
2772
2773 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2774 string plaintext;
2775 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext));
2776}
2777
2778vector<uint8_t> CopyIv(const AuthorizationSet& set) {
2779 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2780 EXPECT_TRUE(iv);
2781 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2782}
2783
2784/*
2785 * EncryptionOperationsTest.AesCtrRoundTripSuccess
2786 *
2787 * Verifies that AES CTR mode works.
2788 */
2789TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2790 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2791 .Authorization(TAG_NO_AUTH_REQUIRED)
2792 .AesEncryptionKey(128)
2793 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
2794 .Padding(PaddingMode::NONE)));
2795
2796 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
2797
2798 string message = "123";
2799 AuthorizationSet out_params;
2800 string ciphertext1 = EncryptMessage(message, params, &out_params);
2801 vector<uint8_t> iv1 = CopyIv(out_params);
2802 EXPECT_EQ(16U, iv1.size());
2803
2804 EXPECT_EQ(message.size(), ciphertext1.size());
2805
2806 out_params.Clear();
2807 string ciphertext2 = EncryptMessage(message, params, &out_params);
2808 vector<uint8_t> iv2 = CopyIv(out_params);
2809 EXPECT_EQ(16U, iv2.size());
2810
2811 // IVs should be random, so ciphertexts should differ.
2812 EXPECT_NE(ciphertext1, ciphertext2);
2813
2814 auto params_iv1 =
2815 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
2816 auto params_iv2 =
2817 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
2818
2819 string plaintext = DecryptMessage(ciphertext1, params_iv1);
2820 EXPECT_EQ(message, plaintext);
2821 plaintext = DecryptMessage(ciphertext2, params_iv2);
2822 EXPECT_EQ(message, plaintext);
2823
2824 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
2825 plaintext = DecryptMessage(ciphertext1, params_iv2);
2826 EXPECT_NE(message, plaintext);
2827 plaintext = DecryptMessage(ciphertext2, params_iv1);
2828 EXPECT_NE(message, plaintext);
2829}
2830
2831/*
2832 * EncryptionOperationsTest.AesIncremental
2833 *
2834 * Verifies that AES works, all modes, when provided data in various size increments.
2835 */
2836TEST_P(EncryptionOperationsTest, AesIncremental) {
2837 auto block_modes = {
2838 BlockMode::ECB,
2839 BlockMode::CBC,
2840 BlockMode::CTR,
2841 BlockMode::GCM,
2842 };
2843
2844 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2845 .Authorization(TAG_NO_AUTH_REQUIRED)
2846 .AesEncryptionKey(128)
2847 .BlockMode(block_modes)
2848 .Padding(PaddingMode::NONE)
2849 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2850
2851 for (int increment = 1; increment <= 240; ++increment) {
2852 for (auto block_mode : block_modes) {
2853 string message(240, 'a');
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2854 auto params =
2855 AuthorizationSetBuilder().BlockMode(block_mode).Padding(PaddingMode::NONE);
2856 if (block_mode == BlockMode::GCM) {
2857 params.Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
2858 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2859
2860 AuthorizationSet output_params;
2861 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
2862
2863 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2864 string to_send;
2865 for (size_t i = 0; i < message.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2866 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2867 }
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2868 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext))
2869 << "Error sending " << to_send << " with block mode " << block_mode;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2870
2871 switch (block_mode) {
2872 case BlockMode::GCM:
2873 EXPECT_EQ(message.size() + 16, ciphertext.size());
2874 break;
2875 case BlockMode::CTR:
2876 EXPECT_EQ(message.size(), ciphertext.size());
2877 break;
2878 case BlockMode::CBC:
2879 case BlockMode::ECB:
2880 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
2881 break;
2882 }
2883
2884 auto iv = output_params.GetTagValue(TAG_NONCE);
2885 switch (block_mode) {
2886 case BlockMode::CBC:
2887 case BlockMode::GCM:
2888 case BlockMode::CTR:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2889 ASSERT_TRUE(iv) << "No IV for block mode " << block_mode;
2890 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv->get().size());
2891 params.push_back(TAG_NONCE, iv->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2892 break;
2893
2894 case BlockMode::ECB:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2895 EXPECT_FALSE(iv) << "ECB mode should not generate IV";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2896 break;
2897 }
2898
2899 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
2900 << "Decrypt begin() failed for block mode " << block_mode;
2901
2902 string plaintext;
2903 for (size_t i = 0; i < ciphertext.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2904 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2905 }
2906 ErrorCode error = Finish(to_send, &plaintext);
2907 ASSERT_EQ(ErrorCode::OK, error) << "Decryption failed for block mode " << block_mode
2908 << " and increment " << increment;
2909 if (error == ErrorCode::OK) {
2910 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
2911 << block_mode << " and increment " << increment;
2912 }
2913 }
2914 }
2915}
2916
2917struct AesCtrSp80038aTestVector {
2918 const char* key;
2919 const char* nonce;
2920 const char* plaintext;
2921 const char* ciphertext;
2922};
2923
2924// These test vectors are taken from
2925// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2926static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2927 // AES-128
2928 {
2929 "2b7e151628aed2a6abf7158809cf4f3c",
2930 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2931 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2932 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2933 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2934 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2935 },
2936 // AES-192
2937 {
2938 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
2939 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2940 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2941 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2942 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2943 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2944 },
2945 // AES-256
2946 {
2947 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2948 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2949 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2950 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2951 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2952 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2953 },
2954};
2955
2956/*
2957 * EncryptionOperationsTest.AesCtrSp80038aTestVector
2958 *
2959 * Verifies AES CTR implementation against SP800-38A test vectors.
2960 */
2961TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2962 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
2963 for (size_t i = 0; i < 3; i++) {
2964 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2965 const string key = hex2str(test.key);
2966 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
2967 InvalidSizes.end())
2968 continue;
2969 const string nonce = hex2str(test.nonce);
2970 const string plaintext = hex2str(test.plaintext);
2971 const string ciphertext = hex2str(test.ciphertext);
2972 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2973 }
2974}
2975
2976/*
2977 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
2978 *
2979 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
2980 */
2981TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
2982 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2983 .Authorization(TAG_NO_AUTH_REQUIRED)
2984 .AesEncryptionKey(128)
2985 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
2986 .Padding(PaddingMode::PKCS7)));
2987 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
2988 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
2989}
2990
2991/*
2992 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
2993 *
2994 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
2995 */
2996TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2997 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2998 .Authorization(TAG_NO_AUTH_REQUIRED)
2999 .AesEncryptionKey(128)
3000 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
3001 .Authorization(TAG_CALLER_NONCE)
3002 .Padding(PaddingMode::NONE)));
3003
3004 auto params = AuthorizationSetBuilder()
3005 .BlockMode(BlockMode::CTR)
3006 .Padding(PaddingMode::NONE)
3007 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
3008 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3009
3010 params = AuthorizationSetBuilder()
3011 .BlockMode(BlockMode::CTR)
3012 .Padding(PaddingMode::NONE)
3013 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
3014 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3015
3016 params = AuthorizationSetBuilder()
3017 .BlockMode(BlockMode::CTR)
3018 .Padding(PaddingMode::NONE)
3019 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
3020 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3021}
3022
3023/*
3024 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
3025 *
3026 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
3027 */
3028TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
3029 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3030 .Authorization(TAG_NO_AUTH_REQUIRED)
3031 .AesEncryptionKey(128)
3032 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3033 .Padding(PaddingMode::NONE)));
3034 // Two-block message.
3035 string message = "12345678901234567890123456789012";
3036 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3037 AuthorizationSet out_params;
3038 string ciphertext1 = EncryptMessage(message, params, &out_params);
3039 vector<uint8_t> iv1 = CopyIv(out_params);
3040 EXPECT_EQ(message.size(), ciphertext1.size());
3041
3042 out_params.Clear();
3043
3044 string ciphertext2 = EncryptMessage(message, params, &out_params);
3045 vector<uint8_t> iv2 = CopyIv(out_params);
3046 EXPECT_EQ(message.size(), ciphertext2.size());
3047
3048 // IVs should be random, so ciphertexts should differ.
3049 EXPECT_NE(ciphertext1, ciphertext2);
3050
3051 params.push_back(TAG_NONCE, iv1);
3052 string plaintext = DecryptMessage(ciphertext1, params);
3053 EXPECT_EQ(message, plaintext);
3054}
3055
3056/*
3057 * EncryptionOperationsTest.AesCallerNonce
3058 *
3059 * Verifies that AES caller-provided nonces work correctly.
3060 */
3061TEST_P(EncryptionOperationsTest, AesCallerNonce) {
3062 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3063 .Authorization(TAG_NO_AUTH_REQUIRED)
3064 .AesEncryptionKey(128)
3065 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3066 .Authorization(TAG_CALLER_NONCE)
3067 .Padding(PaddingMode::NONE)));
3068
3069 string message = "12345678901234567890123456789012";
3070
3071 // Don't specify nonce, should get a random one.
3072 AuthorizationSetBuilder params =
3073 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3074 AuthorizationSet out_params;
3075 string ciphertext = EncryptMessage(message, params, &out_params);
3076 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3077 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3078
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3079 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3080 string plaintext = DecryptMessage(ciphertext, params);
3081 EXPECT_EQ(message, plaintext);
3082
3083 // Now specify a nonce, should also work.
3084 params = AuthorizationSetBuilder()
3085 .BlockMode(BlockMode::CBC)
3086 .Padding(PaddingMode::NONE)
3087 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
3088 out_params.Clear();
3089 ciphertext = EncryptMessage(message, params, &out_params);
3090
3091 // Decrypt with correct nonce.
3092 plaintext = DecryptMessage(ciphertext, params);
3093 EXPECT_EQ(message, plaintext);
3094
3095 // Try with wrong nonce.
3096 params = AuthorizationSetBuilder()
3097 .BlockMode(BlockMode::CBC)
3098 .Padding(PaddingMode::NONE)
3099 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
3100 plaintext = DecryptMessage(ciphertext, params);
3101 EXPECT_NE(message, plaintext);
3102}
3103
3104/*
3105 * EncryptionOperationsTest.AesCallerNonceProhibited
3106 *
3107 * Verifies that caller-provided nonces are not permitted when not specified in the key
3108 * authorizations.
3109 */
3110TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
3111 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3112 .Authorization(TAG_NO_AUTH_REQUIRED)
3113 .AesEncryptionKey(128)
3114 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3115 .Padding(PaddingMode::NONE)));
3116
3117 string message = "12345678901234567890123456789012";
3118
3119 // Don't specify nonce, should get a random one.
3120 AuthorizationSetBuilder params =
3121 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3122 AuthorizationSet out_params;
3123 string ciphertext = EncryptMessage(message, params, &out_params);
3124 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3125 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3126
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3127 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3128 string plaintext = DecryptMessage(ciphertext, params);
3129 EXPECT_EQ(message, plaintext);
3130
3131 // Now specify a nonce, should fail
3132 params = AuthorizationSetBuilder()
3133 .BlockMode(BlockMode::CBC)
3134 .Padding(PaddingMode::NONE)
3135 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
3136 out_params.Clear();
3137 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
3138}
3139
3140/*
3141 * EncryptionOperationsTest.AesGcmRoundTripSuccess
3142 *
3143 * Verifies that AES GCM mode works.
3144 */
3145TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
3146 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3147 .Authorization(TAG_NO_AUTH_REQUIRED)
3148 .AesEncryptionKey(128)
3149 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3150 .Padding(PaddingMode::NONE)
3151 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3152
3153 string aad = "foobar";
3154 string message = "123456789012345678901234567890123456";
3155
3156 auto begin_params = AuthorizationSetBuilder()
3157 .BlockMode(BlockMode::GCM)
3158 .Padding(PaddingMode::NONE)
3159 .Authorization(TAG_MAC_LENGTH, 128);
3160
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3161 // Encrypt
3162 AuthorizationSet begin_out_params;
3163 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
3164 << "Begin encrypt";
3165 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3166 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3167 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3168 ASSERT_EQ(ciphertext.length(), message.length() + 16);
3169
3170 // Grab nonce
3171 begin_params.push_back(begin_out_params);
3172
3173 // Decrypt.
3174 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3175 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3176 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3177 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3178 EXPECT_EQ(message.length(), plaintext.length());
3179 EXPECT_EQ(message, plaintext);
3180}
3181
3182/*
3183 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
3184 *
3185 * Verifies that AES GCM mode works, even when there's a long delay
3186 * between operations.
3187 */
3188TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
3189 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3190 .Authorization(TAG_NO_AUTH_REQUIRED)
3191 .AesEncryptionKey(128)
3192 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3193 .Padding(PaddingMode::NONE)
3194 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3195
3196 string aad = "foobar";
3197 string message = "123456789012345678901234567890123456";
3198
3199 auto begin_params = AuthorizationSetBuilder()
3200 .BlockMode(BlockMode::GCM)
3201 .Padding(PaddingMode::NONE)
3202 .Authorization(TAG_MAC_LENGTH, 128);
3203
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3204 // Encrypt
3205 AuthorizationSet begin_out_params;
3206 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
3207 << "Begin encrypt";
3208 string ciphertext;
3209 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3210 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3211 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3212 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3213
3214 ASSERT_EQ(ciphertext.length(), message.length() + 16);
3215
3216 // Grab nonce
3217 begin_params.push_back(begin_out_params);
3218
3219 // Decrypt.
3220 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
3221 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3222 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3223 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3224 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3225 sleep(5);
3226 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
3227 EXPECT_EQ(message.length(), plaintext.length());
3228 EXPECT_EQ(message, plaintext);
3229}
3230
3231/*
3232 * EncryptionOperationsTest.AesGcmDifferentNonces
3233 *
3234 * Verifies that encrypting the same data with different nonces produces different outputs.
3235 */
3236TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
3237 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3238 .Authorization(TAG_NO_AUTH_REQUIRED)
3239 .AesEncryptionKey(128)
3240 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3241 .Padding(PaddingMode::NONE)
3242 .Authorization(TAG_MIN_MAC_LENGTH, 128)
3243 .Authorization(TAG_CALLER_NONCE)));
3244
3245 string aad = "foobar";
3246 string message = "123456789012345678901234567890123456";
3247 string nonce1 = "000000000000";
3248 string nonce2 = "111111111111";
3249 string nonce3 = "222222222222";
3250
3251 string ciphertext1 =
3252 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
3253 string ciphertext2 =
3254 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
3255 string ciphertext3 =
3256 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
3257
3258 ASSERT_NE(ciphertext1, ciphertext2);
3259 ASSERT_NE(ciphertext1, ciphertext3);
3260 ASSERT_NE(ciphertext2, ciphertext3);
3261}
3262
3263/*
3264 * EncryptionOperationsTest.AesGcmTooShortTag
3265 *
3266 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
3267 */
3268TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
3269 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3270 .Authorization(TAG_NO_AUTH_REQUIRED)
3271 .AesEncryptionKey(128)
3272 .BlockMode(BlockMode::GCM)
3273 .Padding(PaddingMode::NONE)
3274 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3275 string message = "123456789012345678901234567890123456";
3276 auto params = AuthorizationSetBuilder()
3277 .BlockMode(BlockMode::GCM)
3278 .Padding(PaddingMode::NONE)
3279 .Authorization(TAG_MAC_LENGTH, 96);
3280
3281 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
3282}
3283
3284/*
3285 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
3286 *
3287 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
3288 */
3289TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
3290 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3291 .Authorization(TAG_NO_AUTH_REQUIRED)
3292 .AesEncryptionKey(128)
3293 .BlockMode(BlockMode::GCM)
3294 .Padding(PaddingMode::NONE)
3295 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3296 string aad = "foobar";
3297 string message = "123456789012345678901234567890123456";
3298 auto params = AuthorizationSetBuilder()
3299 .BlockMode(BlockMode::GCM)
3300 .Padding(PaddingMode::NONE)
3301 .Authorization(TAG_MAC_LENGTH, 128);
3302
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3303 // Encrypt
3304 AuthorizationSet begin_out_params;
3305 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3306 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3307 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3308
3309 AuthorizationSet finish_out_params;
3310 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3311 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3312 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3313
3314 params = AuthorizationSetBuilder()
3315 .Authorizations(begin_out_params)
3316 .BlockMode(BlockMode::GCM)
3317 .Padding(PaddingMode::NONE)
3318 .Authorization(TAG_MAC_LENGTH, 96);
3319
3320 // Decrypt.
3321 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
3322}
3323
3324/*
3325 * EncryptionOperationsTest.AesGcmCorruptKey
3326 *
3327 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
3328 */
3329TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
3330 const uint8_t nonce_bytes[] = {
3331 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
3332 };
3333 string nonce = make_string(nonce_bytes);
3334 const uint8_t ciphertext_bytes[] = {
3335 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
3336 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
3337 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
3338 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
3339 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
3340 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
3341 };
3342 string ciphertext = make_string(ciphertext_bytes);
3343
3344 auto params = AuthorizationSetBuilder()
3345 .BlockMode(BlockMode::GCM)
3346 .Padding(PaddingMode::NONE)
3347 .Authorization(TAG_MAC_LENGTH, 128)
3348 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
3349
3350 auto import_params = AuthorizationSetBuilder()
3351 .Authorization(TAG_NO_AUTH_REQUIRED)
3352 .AesEncryptionKey(128)
3353 .BlockMode(BlockMode::GCM)
3354 .Padding(PaddingMode::NONE)
3355 .Authorization(TAG_CALLER_NONCE)
3356 .Authorization(TAG_MIN_MAC_LENGTH, 128);
3357
3358 // Import correct key and decrypt
3359 const uint8_t key_bytes[] = {
3360 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
3361 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
3362 };
3363 string key = make_string(key_bytes);
3364 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3365 string plaintext = DecryptMessage(ciphertext, params);
3366 CheckedDeleteKey();
3367
3368 // Corrupt key and attempt to decrypt
3369 key[0] = 0;
3370 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3371 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3372 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
3373 CheckedDeleteKey();
3374}
3375
3376/*
3377 * EncryptionOperationsTest.AesGcmAadNoData
3378 *
3379 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
3380 * encrypt.
3381 */
3382TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
3383 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3384 .Authorization(TAG_NO_AUTH_REQUIRED)
3385 .AesEncryptionKey(128)
3386 .BlockMode(BlockMode::GCM)
3387 .Padding(PaddingMode::NONE)
3388 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3389
3390 string aad = "1234567890123456";
3391 auto params = AuthorizationSetBuilder()
3392 .BlockMode(BlockMode::GCM)
3393 .Padding(PaddingMode::NONE)
3394 .Authorization(TAG_MAC_LENGTH, 128);
3395
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3396 // Encrypt
3397 AuthorizationSet begin_out_params;
3398 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3399 string ciphertext;
3400 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3401 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3402 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3403 EXPECT_TRUE(finish_out_params.empty());
3404
3405 // Grab nonce
3406 params.push_back(begin_out_params);
3407
3408 // Decrypt.
3409 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3410 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3411 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3412 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3413
3414 EXPECT_TRUE(finish_out_params.empty());
3415
3416 EXPECT_EQ("", plaintext);
3417}
3418
3419/*
3420 * EncryptionOperationsTest.AesGcmMultiPartAad
3421 *
3422 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
3423 * chunks.
3424 */
3425TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3426 const size_t tag_bits = 128;
3427 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3428 .Authorization(TAG_NO_AUTH_REQUIRED)
3429 .AesEncryptionKey(128)
3430 .BlockMode(BlockMode::GCM)
3431 .Padding(PaddingMode::NONE)
3432 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3433
3434 string message = "123456789012345678901234567890123456";
3435 auto begin_params = AuthorizationSetBuilder()
3436 .BlockMode(BlockMode::GCM)
3437 .Padding(PaddingMode::NONE)
3438 .Authorization(TAG_MAC_LENGTH, tag_bits);
3439 AuthorizationSet begin_out_params;
3440
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3441 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3442
3443 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3444 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
3445 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3446 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3447 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
3448 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3449
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3450 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3451 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3452
3453 // Grab nonce.
3454 begin_params.push_back(begin_out_params);
3455
3456 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3457 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3458 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3459 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3460 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3461 EXPECT_EQ(message, plaintext);
3462}
3463
3464/*
3465 * EncryptionOperationsTest.AesGcmAadOutOfOrder
3466 *
3467 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
3468 */
3469TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
3470 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3471 .Authorization(TAG_NO_AUTH_REQUIRED)
3472 .AesEncryptionKey(128)
3473 .BlockMode(BlockMode::GCM)
3474 .Padding(PaddingMode::NONE)
3475 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3476
3477 string message = "123456789012345678901234567890123456";
3478 auto begin_params = AuthorizationSetBuilder()
3479 .BlockMode(BlockMode::GCM)
3480 .Padding(PaddingMode::NONE)
3481 .Authorization(TAG_MAC_LENGTH, 128);
3482 AuthorizationSet begin_out_params;
3483
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3484 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3485
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3486 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3487 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3488 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
3489 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3490
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3491 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3492}
3493
3494/*
3495 * EncryptionOperationsTest.AesGcmBadAad
3496 *
3497 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
3498 */
3499TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3500 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3501 .Authorization(TAG_NO_AUTH_REQUIRED)
3502 .AesEncryptionKey(128)
3503 .BlockMode(BlockMode::GCM)
3504 .Padding(PaddingMode::NONE)
3505 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3506
3507 string message = "12345678901234567890123456789012";
3508 auto begin_params = AuthorizationSetBuilder()
3509 .BlockMode(BlockMode::GCM)
3510 .Padding(PaddingMode::NONE)
3511 .Authorization(TAG_MAC_LENGTH, 128);
3512
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3513 // Encrypt
3514 AuthorizationSet begin_out_params;
3515 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3516 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3517 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3518 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3519
3520 // Grab nonce
3521 begin_params.push_back(begin_out_params);
3522
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3523 // Decrypt.
3524 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3525 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3526 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3527 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3528}
3529
3530/*
3531 * EncryptionOperationsTest.AesGcmWrongNonce
3532 *
3533 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
3534 */
3535TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3536 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3537 .Authorization(TAG_NO_AUTH_REQUIRED)
3538 .AesEncryptionKey(128)
3539 .BlockMode(BlockMode::GCM)
3540 .Padding(PaddingMode::NONE)
3541 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3542
3543 string message = "12345678901234567890123456789012";
3544 auto begin_params = AuthorizationSetBuilder()
3545 .BlockMode(BlockMode::GCM)
3546 .Padding(PaddingMode::NONE)
3547 .Authorization(TAG_MAC_LENGTH, 128);
3548
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3549 // Encrypt
3550 AuthorizationSet begin_out_params;
3551 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3552 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3553 string ciphertext;
3554 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3555 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3556
3557 // Wrong nonce
3558 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
3559
3560 // Decrypt.
3561 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3562 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3563 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3564 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3565
3566 // With wrong nonce, should have gotten garbage plaintext (or none).
3567 EXPECT_NE(message, plaintext);
3568}
3569
3570/*
3571 * EncryptionOperationsTest.AesGcmCorruptTag
3572 *
3573 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
3574 */
3575TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3576 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3577 .Authorization(TAG_NO_AUTH_REQUIRED)
3578 .AesEncryptionKey(128)
3579 .BlockMode(BlockMode::GCM)
3580 .Padding(PaddingMode::NONE)
3581 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3582
3583 string aad = "1234567890123456";
3584 string message = "123456789012345678901234567890123456";
3585
3586 auto params = AuthorizationSetBuilder()
3587 .BlockMode(BlockMode::GCM)
3588 .Padding(PaddingMode::NONE)
3589 .Authorization(TAG_MAC_LENGTH, 128);
3590
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3591 // Encrypt
3592 AuthorizationSet begin_out_params;
3593 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3594 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3595 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3596 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3597
3598 // Corrupt tag
3599 ++(*ciphertext.rbegin());
3600
3601 // Grab nonce
3602 params.push_back(begin_out_params);
3603
3604 // Decrypt.
3605 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3606 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3607 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3608 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3609}
3610
3611/*
3612 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
3613 *
3614 * Verifies that 3DES is basically functional.
3615 */
3616TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
3617 auto auths = AuthorizationSetBuilder()
3618 .TripleDesEncryptionKey(168)
3619 .BlockMode(BlockMode::ECB)
3620 .Authorization(TAG_NO_AUTH_REQUIRED)
3621 .Padding(PaddingMode::NONE);
3622
3623 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
3624 // Two-block message.
3625 string message = "1234567890123456";
3626 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
3627 string ciphertext1 = EncryptMessage(message, inParams);
3628 EXPECT_EQ(message.size(), ciphertext1.size());
3629
3630 string ciphertext2 = EncryptMessage(string(message), inParams);
3631 EXPECT_EQ(message.size(), ciphertext2.size());
3632
3633 // ECB is deterministic.
3634 EXPECT_EQ(ciphertext1, ciphertext2);
3635
3636 string plaintext = DecryptMessage(ciphertext1, inParams);
3637 EXPECT_EQ(message, plaintext);
3638}
3639
3640/*
3641 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
3642 *
3643 * Verifies that CBC keys reject ECB usage.
3644 */
3645TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
3646 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3647 .TripleDesEncryptionKey(168)
3648 .BlockMode(BlockMode::CBC)
3649 .Authorization(TAG_NO_AUTH_REQUIRED)
3650 .Padding(PaddingMode::NONE)));
3651
3652 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
3653 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
3654}
3655
3656/*
3657 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
3658 *
3659 * Tests ECB mode with PKCS#7 padding, various message sizes.
3660 */
3661TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
3662 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3663 .TripleDesEncryptionKey(168)
3664 .BlockMode(BlockMode::ECB)
3665 .Authorization(TAG_NO_AUTH_REQUIRED)
3666 .Padding(PaddingMode::PKCS7)));
3667
3668 for (size_t i = 0; i < 32; ++i) {
3669 string message(i, 'a');
3670 auto inParams =
3671 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3672 string ciphertext = EncryptMessage(message, inParams);
3673 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3674 string plaintext = DecryptMessage(ciphertext, inParams);
3675 EXPECT_EQ(message, plaintext);
3676 }
3677}
3678
3679/*
3680 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
3681 *
3682 * Verifies that keys configured for no padding reject PKCS7 padding
3683 */
3684TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
3685 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3686 .TripleDesEncryptionKey(168)
3687 .BlockMode(BlockMode::ECB)
3688 .Authorization(TAG_NO_AUTH_REQUIRED)
3689 .Padding(PaddingMode::NONE)));
3690 for (size_t i = 0; i < 32; ++i) {
3691 auto inParams =
3692 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3693 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
3694 }
3695}
3696
3697/*
3698 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
3699 *
3700 * Verifies that corrupted padding is detected.
3701 */
3702TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
3703 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3704 .TripleDesEncryptionKey(168)
3705 .BlockMode(BlockMode::ECB)
3706 .Authorization(TAG_NO_AUTH_REQUIRED)
3707 .Padding(PaddingMode::PKCS7)));
3708
3709 string message = "a";
3710 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
3711 EXPECT_EQ(8U, ciphertext.size());
3712 EXPECT_NE(ciphertext, message);
3713 ++ciphertext[ciphertext.size() / 2];
3714
3715 AuthorizationSetBuilder begin_params;
3716 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
3717 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
3718 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
3719 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3720 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3721 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
3722}
3723
3724struct TripleDesTestVector {
3725 const char* name;
3726 const KeyPurpose purpose;
3727 const BlockMode block_mode;
3728 const PaddingMode padding_mode;
3729 const char* key;
3730 const char* iv;
3731 const char* input;
3732 const char* output;
3733};
3734
3735// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
3736// of the NIST vectors are multiples of the block size.
3737static const TripleDesTestVector kTripleDesTestVectors[] = {
3738 {
3739 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
3740 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
3741 "", // IV
3742 "329d86bdf1bc5af4", // input
3743 "d946c2756d78633f", // output
3744 },
3745 {
3746 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
3747 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
3748 "", // IV
3749 "6b1540781b01ce1997adae102dbf3c5b", // input
3750 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
3751 },
3752 {
3753 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
3754 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
3755 "", // IV
3756 "6daad94ce08acfe7", // input
3757 "660e7d32dcc90e79", // output
3758 },
3759 {
3760 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
3761 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
3762 "", // IV
3763 "e9653a0a1f05d31b9acd12d73aa9879d", // input
3764 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
3765 },
3766 {
3767 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
3768 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
3769 "43f791134c5647ba", // IV
3770 "dcc153cef81d6f24", // input
3771 "92538bd8af18d3ba", // output
3772 },
3773 {
3774 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
3775 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3776 "c2e999cb6249023c", // IV
3777 "c689aee38a301bb316da75db36f110b5", // input
3778 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
3779 },
3780 {
3781 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
3782 PaddingMode::PKCS7,
3783 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3784 "c2e999cb6249023c", // IV
3785 "c689aee38a301bb316da75db36f110b500", // input
3786 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
3787 },
3788 {
3789 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
3790 PaddingMode::PKCS7,
3791 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3792 "c2e999cb6249023c", // IV
3793 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
3794 "c689aee38a301bb316da75db36f110b500", // output
3795 },
3796 {
3797 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
3798 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
3799 "41746c7e442d3681", // IV
3800 "c53a7b0ec40600fe", // input
3801 "d4f00eb455de1034", // output
3802 },
3803 {
3804 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
3805 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
3806 "3982bc02c3727d45", // IV
3807 "6006f10adef52991fcc777a1238bbb65", // input
3808 "edae09288e9e3bc05746d872b48e3b29", // output
3809 },
3810};
3811
3812/*
3813 * EncryptionOperationsTest.TripleDesTestVector
3814 *
3815 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
3816 */
3817TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
3818 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
3819 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
3820 SCOPED_TRACE(test->name);
3821 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
3822 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
3823 hex2str(test->output));
3824 }
3825}
3826
3827/*
3828 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
3829 *
3830 * Validates CBC mode functionality.
3831 */
3832TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
3833 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3834 .TripleDesEncryptionKey(168)
3835 .BlockMode(BlockMode::CBC)
3836 .Authorization(TAG_NO_AUTH_REQUIRED)
3837 .Padding(PaddingMode::NONE)));
3838
3839 ASSERT_GT(key_blob_.size(), 0U);
3840
3841 // Two-block message.
3842 string message = "1234567890123456";
3843 vector<uint8_t> iv1;
3844 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
3845 EXPECT_EQ(message.size(), ciphertext1.size());
3846
3847 vector<uint8_t> iv2;
3848 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
3849 EXPECT_EQ(message.size(), ciphertext2.size());
3850
3851 // IVs should be random, so ciphertexts should differ.
3852 EXPECT_NE(iv1, iv2);
3853 EXPECT_NE(ciphertext1, ciphertext2);
3854
3855 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
3856 EXPECT_EQ(message, plaintext);
3857}
3858
3859/*
3860 * EncryptionOperationsTest.TripleDesCallerIv
3861 *
3862 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
3863 */
3864TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
3865 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3866 .TripleDesEncryptionKey(168)
3867 .BlockMode(BlockMode::CBC)
3868 .Authorization(TAG_NO_AUTH_REQUIRED)
3869 .Authorization(TAG_CALLER_NONCE)
3870 .Padding(PaddingMode::NONE)));
3871 string message = "1234567890123456";
3872 vector<uint8_t> iv;
3873 // Don't specify IV, should get a random one.
3874 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
3875 EXPECT_EQ(message.size(), ciphertext1.size());
3876 EXPECT_EQ(8U, iv.size());
3877
3878 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
3879 EXPECT_EQ(message, plaintext);
3880
3881 // Now specify an IV, should also work.
3882 iv = AidlBuf("abcdefgh");
3883 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
3884
3885 // Decrypt with correct IV.
3886 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
3887 EXPECT_EQ(message, plaintext);
3888
3889 // Now try with wrong IV.
3890 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
3891 EXPECT_NE(message, plaintext);
3892}
3893
3894/*
3895 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
3896 *
3897 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVS.
3898 */
3899TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
3900 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3901 .TripleDesEncryptionKey(168)
3902 .BlockMode(BlockMode::CBC)
3903 .Authorization(TAG_NO_AUTH_REQUIRED)
3904 .Padding(PaddingMode::NONE)));
3905
3906 string message = "12345678901234567890123456789012";
3907 vector<uint8_t> iv;
3908 // Don't specify nonce, should get a random one.
3909 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
3910 EXPECT_EQ(message.size(), ciphertext1.size());
3911 EXPECT_EQ(8U, iv.size());
3912
3913 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
3914 EXPECT_EQ(message, plaintext);
3915
3916 // Now specify a nonce, should fail.
3917 auto input_params = AuthorizationSetBuilder()
3918 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
3919 .BlockMode(BlockMode::CBC)
3920 .Padding(PaddingMode::NONE);
3921 AuthorizationSet output_params;
3922 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
3923 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
3924}
3925
3926/*
3927 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
3928 *
3929 * Verifies that 3DES ECB-only keys do not allow CBC usage.
3930 */
3931TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
3932 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3933 .TripleDesEncryptionKey(168)
3934 .BlockMode(BlockMode::ECB)
3935 .Authorization(TAG_NO_AUTH_REQUIRED)
3936 .Padding(PaddingMode::NONE)));
3937 // Two-block message.
3938 string message = "1234567890123456";
3939 auto begin_params =
3940 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3941 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
3942}
3943
3944/*
3945 * EncryptionOperationsTest.TripleDesCbcNoPaddingWrongInputSize
3946 *
3947 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
3948 */
3949TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingWrongInputSize) {
3950 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3951 .TripleDesEncryptionKey(168)
3952 .BlockMode(BlockMode::CBC)
3953 .Authorization(TAG_NO_AUTH_REQUIRED)
3954 .Padding(PaddingMode::NONE)));
3955 // Message is slightly shorter than two blocks.
3956 string message = "123456789012345";
3957
3958 auto begin_params =
3959 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3960 AuthorizationSet output_params;
3961 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
3962 string ciphertext;
3963 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
3964}
3965
3966/*
3967 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
3968 *
3969 * Verifies that PKCS7 padding works correctly in CBC mode.
3970 */
3971TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
3972 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3973 .TripleDesEncryptionKey(168)
3974 .BlockMode(BlockMode::CBC)
3975 .Authorization(TAG_NO_AUTH_REQUIRED)
3976 .Padding(PaddingMode::PKCS7)));
3977
3978 // Try various message lengths; all should work.
3979 for (size_t i = 0; i < 32; ++i) {
3980 string message(i, 'a');
3981 vector<uint8_t> iv;
3982 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
3983 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3984 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
3985 EXPECT_EQ(message, plaintext);
3986 }
3987}
3988
3989/*
3990 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
3991 *
3992 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
3993 */
3994TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
3995 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3996 .TripleDesEncryptionKey(168)
3997 .BlockMode(BlockMode::CBC)
3998 .Authorization(TAG_NO_AUTH_REQUIRED)
3999 .Padding(PaddingMode::NONE)));
4000
4001 // Try various message lengths; all should fail.
4002 for (size_t i = 0; i < 32; ++i) {
4003 auto begin_params =
4004 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
4005 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
4006 }
4007}
4008
4009/*
4010 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
4011 *
4012 * Verifies that corrupted PKCS7 padding is rejected during decryption.
4013 */
4014TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
4015 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4016 .TripleDesEncryptionKey(168)
4017 .BlockMode(BlockMode::CBC)
4018 .Authorization(TAG_NO_AUTH_REQUIRED)
4019 .Padding(PaddingMode::PKCS7)));
4020
4021 string message = "a";
4022 vector<uint8_t> iv;
4023 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
4024 EXPECT_EQ(8U, ciphertext.size());
4025 EXPECT_NE(ciphertext, message);
4026 ++ciphertext[ciphertext.size() / 2];
4027
4028 auto begin_params = AuthorizationSetBuilder()
4029 .BlockMode(BlockMode::CBC)
4030 .Padding(PaddingMode::PKCS7)
4031 .Authorization(TAG_NONCE, iv);
4032 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
4033 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4034 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4035 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
4036}
4037
4038/*
4039 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
4040 *
4041 * Verifies that 3DES CBC works with many different input sizes.
4042 */
4043TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
4044 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4045 .TripleDesEncryptionKey(168)
4046 .BlockMode(BlockMode::CBC)
4047 .Authorization(TAG_NO_AUTH_REQUIRED)
4048 .Padding(PaddingMode::NONE)));
4049
4050 int increment = 7;
4051 string message(240, 'a');
4052 AuthorizationSet input_params =
4053 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4054 AuthorizationSet output_params;
4055 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
4056
4057 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4058 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4059 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4060 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
4061 EXPECT_EQ(message.size(), ciphertext.size());
4062
4063 // Move TAG_NONCE into input_params
4064 input_params = output_params;
4065 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
4066 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
4067 output_params.Clear();
4068
4069 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
4070 string plaintext;
4071 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4072 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4073 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
4074 EXPECT_EQ(ciphertext.size(), plaintext.size());
4075 EXPECT_EQ(message, plaintext);
4076}
4077
4078INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
4079
4080typedef KeyMintAidlTestBase MaxOperationsTest;
4081
4082/*
4083 * MaxOperationsTest.TestLimitAes
4084 *
4085 * Verifies that the max uses per boot tag works correctly with AES keys.
4086 */
4087TEST_P(MaxOperationsTest, TestLimitAes) {
4088 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4089
4090 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4091 .Authorization(TAG_NO_AUTH_REQUIRED)
4092 .AesEncryptionKey(128)
4093 .EcbMode()
4094 .Padding(PaddingMode::NONE)
4095 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
4096
4097 string message = "1234567890123456";
4098
4099 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4100
4101 EncryptMessage(message, params);
4102 EncryptMessage(message, params);
4103 EncryptMessage(message, params);
4104
4105 // Fourth time should fail.
4106 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
4107}
4108
4109/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4110 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4111 *
4112 * Verifies that the max uses per boot tag works correctly with RSA keys.
4113 */
4114TEST_P(MaxOperationsTest, TestLimitRsa) {
4115 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4116
4117 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4118 .Authorization(TAG_NO_AUTH_REQUIRED)
4119 .RsaSigningKey(1024, 65537)
4120 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4121 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
4122 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4123
4124 string message = "1234567890123456";
4125
4126 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4127
4128 SignMessage(message, params);
4129 SignMessage(message, params);
4130 SignMessage(message, params);
4131
4132 // Fourth time should fail.
4133 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
4134}
4135
4136INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
4137
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4138typedef KeyMintAidlTestBase UsageCountLimitTest;
4139
4140/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4141 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4142 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4143 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4144 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4145TEST_P(UsageCountLimitTest, TestSingleUseAes) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4146 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4147
4148 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4149 .Authorization(TAG_NO_AUTH_REQUIRED)
4150 .AesEncryptionKey(128)
4151 .EcbMode()
4152 .Padding(PaddingMode::NONE)
4153 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
4154
4155 // Check the usage count limit tag appears in the authorizations.
4156 AuthorizationSet auths;
4157 for (auto& entry : key_characteristics_) {
4158 auths.push_back(AuthorizationSet(entry.authorizations));
4159 }
4160 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4161 << "key usage count limit " << 1U << " missing";
4162
4163 string message = "1234567890123456";
4164 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4165
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4166 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4167 AuthorizationSet keystore_auths =
4168 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4169
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4170 // First usage of AES key should work.
4171 EncryptMessage(message, params);
4172
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4173 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
4174 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4175 // must be invalidated from secure storage (such as RPMB partition).
4176 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
4177 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4178 // Usage count limit tag is enforced by keystore, keymint does nothing.
4179 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4180 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
4181 }
4182}
4183
4184/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4185 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4186 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4187 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4188 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4189TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
4190 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4191
4192 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4193 .Authorization(TAG_NO_AUTH_REQUIRED)
4194 .AesEncryptionKey(128)
4195 .EcbMode()
4196 .Padding(PaddingMode::NONE)
4197 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
4198
4199 // Check the usage count limit tag appears in the authorizations.
4200 AuthorizationSet auths;
4201 for (auto& entry : key_characteristics_) {
4202 auths.push_back(AuthorizationSet(entry.authorizations));
4203 }
4204 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
4205 << "key usage count limit " << 3U << " missing";
4206
4207 string message = "1234567890123456";
4208 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4209
4210 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4211 AuthorizationSet keystore_auths =
4212 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4213
4214 EncryptMessage(message, params);
4215 EncryptMessage(message, params);
4216 EncryptMessage(message, params);
4217
4218 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
4219 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4220 // must be invalidated from secure storage (such as RPMB partition).
4221 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
4222 } else {
4223 // Usage count limit tag is enforced by keystore, keymint does nothing.
4224 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
4225 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
4226 }
4227}
4228
4229/*
4230 * UsageCountLimitTest.TestSingleUseRsa
4231 *
4232 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
4233 */
4234TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4235 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4236
4237 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4238 .Authorization(TAG_NO_AUTH_REQUIRED)
4239 .RsaSigningKey(1024, 65537)
4240 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4241 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
4242 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4243
4244 // Check the usage count limit tag appears in the authorizations.
4245 AuthorizationSet auths;
4246 for (auto& entry : key_characteristics_) {
4247 auths.push_back(AuthorizationSet(entry.authorizations));
4248 }
4249 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4250 << "key usage count limit " << 1U << " missing";
4251
4252 string message = "1234567890123456";
4253 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4254
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4255 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4256 AuthorizationSet keystore_auths =
4257 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4258
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4259 // First usage of RSA key should work.
4260 SignMessage(message, params);
4261
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4262 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
4263 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4264 // must be invalidated from secure storage (such as RPMB partition).
4265 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4266 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4267 // Usage count limit tag is enforced by keystore, keymint does nothing.
4268 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
4269 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
4270 }
4271}
4272
4273/*
4274 * UsageCountLimitTest.TestLimitUseRsa
4275 *
4276 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
4277 */
4278TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
4279 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4280
4281 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4282 .Authorization(TAG_NO_AUTH_REQUIRED)
4283 .RsaSigningKey(1024, 65537)
4284 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4285 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
4286 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4287
4288 // Check the usage count limit tag appears in the authorizations.
4289 AuthorizationSet auths;
4290 for (auto& entry : key_characteristics_) {
4291 auths.push_back(AuthorizationSet(entry.authorizations));
4292 }
4293 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
4294 << "key usage count limit " << 3U << " missing";
4295
4296 string message = "1234567890123456";
4297 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4298
4299 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4300 AuthorizationSet keystore_auths =
4301 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4302
4303 SignMessage(message, params);
4304 SignMessage(message, params);
4305 SignMessage(message, params);
4306
4307 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
4308 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4309 // must be invalidated from secure storage (such as RPMB partition).
4310 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4311 } else {
4312 // Usage count limit tag is enforced by keystore, keymint does nothing.
4313 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4314 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
4315 }
4316}
4317
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4318/*
4319 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
4320 *
4321 * Verifies that when rollback resistance is supported by the KeyMint implementation with
4322 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
4323 * in hardware.
4324 */
4325TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
4326 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4327
4328 auto error = GenerateKey(AuthorizationSetBuilder()
4329 .RsaSigningKey(2048, 65537)
4330 .Digest(Digest::NONE)
4331 .Padding(PaddingMode::NONE)
4332 .Authorization(TAG_NO_AUTH_REQUIRED)
4333 .Authorization(TAG_ROLLBACK_RESISTANCE)
4334 .SetDefaultValidity());
4335 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4336
4337 if (error == ErrorCode::OK) {
4338 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
4339 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
4340 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4341 ASSERT_EQ(ErrorCode::OK, DeleteKey());
4342
4343 // The KeyMint should also enforce single use key in hardware when it supports rollback
4344 // resistance.
4345 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4346 .Authorization(TAG_NO_AUTH_REQUIRED)
4347 .RsaSigningKey(1024, 65537)
4348 .NoDigestOrPadding()
4349 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
4350 .SetDefaultValidity()));
4351
4352 // Check the usage count limit tag appears in the hardware authorizations.
4353 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4354 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4355 << "key usage count limit " << 1U << " missing";
4356
4357 string message = "1234567890123456";
4358 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4359
4360 // First usage of RSA key should work.
4361 SignMessage(message, params);
4362
4363 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4364 // must be invalidated from secure storage (such as RPMB partition).
4365 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4366 }
4367}
4368
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4369INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
4370
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4371typedef KeyMintAidlTestBase AddEntropyTest;
4372
4373/*
4374 * AddEntropyTest.AddEntropy
4375 *
4376 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
4377 * is actually added.
4378 */
4379TEST_P(AddEntropyTest, AddEntropy) {
4380 string data = "foo";
4381 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
4382}
4383
4384/*
4385 * AddEntropyTest.AddEmptyEntropy
4386 *
4387 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
4388 */
4389TEST_P(AddEntropyTest, AddEmptyEntropy) {
4390 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
4391}
4392
4393/*
4394 * AddEntropyTest.AddLargeEntropy
4395 *
4396 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
4397 */
4398TEST_P(AddEntropyTest, AddLargeEntropy) {
4399 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
4400}
4401
4402INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
4403
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4404typedef KeyMintAidlTestBase KeyDeletionTest;
4405
4406/**
4407 * KeyDeletionTest.DeleteKey
4408 *
4409 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
4410 * valid key blob.
4411 */
4412TEST_P(KeyDeletionTest, DeleteKey) {
4413 auto error = GenerateKey(AuthorizationSetBuilder()
4414 .RsaSigningKey(2048, 65537)
4415 .Digest(Digest::NONE)
4416 .Padding(PaddingMode::NONE)
4417 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4418 .Authorization(TAG_ROLLBACK_RESISTANCE)
4419 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4420 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4421
4422 // Delete must work if rollback protection is implemented
4423 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4424 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4425 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4426
4427 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
4428
4429 string message = "12345678901234567890123456789012";
4430 AuthorizationSet begin_out_params;
4431 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
4432 Begin(KeyPurpose::SIGN, key_blob_,
4433 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
4434 &begin_out_params));
4435 AbortIfNeeded();
4436 key_blob_ = AidlBuf();
4437 }
4438}
4439
4440/**
4441 * KeyDeletionTest.DeleteInvalidKey
4442 *
4443 * This test checks that the HAL excepts invalid key blobs..
4444 */
4445TEST_P(KeyDeletionTest, DeleteInvalidKey) {
4446 // Generate key just to check if rollback protection is implemented
4447 auto error = GenerateKey(AuthorizationSetBuilder()
4448 .RsaSigningKey(2048, 65537)
4449 .Digest(Digest::NONE)
4450 .Padding(PaddingMode::NONE)
4451 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4452 .Authorization(TAG_ROLLBACK_RESISTANCE)
4453 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4454 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4455
4456 // Delete must work if rollback protection is implemented
4457 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4458 AuthorizationSet enforced(SecLevelAuthorizations());
4459 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4460
4461 // Delete the key we don't care about the result at this point.
4462 DeleteKey();
4463
4464 // Now create an invalid key blob and delete it.
4465 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
4466
4467 ASSERT_EQ(ErrorCode::OK, DeleteKey());
4468 }
4469}
4470
4471/**
4472 * KeyDeletionTest.DeleteAllKeys
4473 *
4474 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
4475 *
4476 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
4477 * FBE/FDE encryption keys, which means that the device will not even boot until after the
4478 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
4479 * been provisioned. Use this test only on dedicated testing devices that have no valuable
4480 * credentials stored in Keystore/Keymint.
4481 */
4482TEST_P(KeyDeletionTest, DeleteAllKeys) {
4483 if (!arm_deleteAllKeys) return;
4484 auto error = GenerateKey(AuthorizationSetBuilder()
4485 .RsaSigningKey(2048, 65537)
4486 .Digest(Digest::NONE)
4487 .Padding(PaddingMode::NONE)
4488 .Authorization(TAG_NO_AUTH_REQUIRED)
4489 .Authorization(TAG_ROLLBACK_RESISTANCE));
4490 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4491
4492 // Delete must work if rollback protection is implemented
4493 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4494 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4495 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4496
4497 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
4498
4499 string message = "12345678901234567890123456789012";
4500 AuthorizationSet begin_out_params;
4501
4502 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
4503 Begin(KeyPurpose::SIGN, key_blob_,
4504 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
4505 &begin_out_params));
4506 AbortIfNeeded();
4507 key_blob_ = AidlBuf();
4508 }
4509}
4510
4511INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
4512
4513using UpgradeKeyTest = KeyMintAidlTestBase;
4514
4515/*
4516 * UpgradeKeyTest.UpgradeKey
4517 *
4518 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
4519 */
4520TEST_P(UpgradeKeyTest, UpgradeKey) {
4521 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4522 .AesEncryptionKey(128)
4523 .Padding(PaddingMode::NONE)
4524 .Authorization(TAG_NO_AUTH_REQUIRED)));
4525
4526 auto result = UpgradeKey(key_blob_);
4527
4528 // Key doesn't need upgrading. Should get okay, but no new key blob.
4529 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
4530}
4531
4532INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
4533
4534using ClearOperationsTest = KeyMintAidlTestBase;
4535
4536/*
4537 * ClearSlotsTest.TooManyOperations
4538 *
4539 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
4540 * operations are started without being finished or aborted. Also verifies
4541 * that aborting the operations clears the operations.
4542 *
4543 */
4544TEST_P(ClearOperationsTest, TooManyOperations) {
4545 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4546 .Authorization(TAG_NO_AUTH_REQUIRED)
4547 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4548 .Padding(PaddingMode::NONE)
4549 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4550
4551 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
4552 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]4553 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4554 AuthorizationSet out_params;
4555 ErrorCode result;
4556 size_t i;
4557
4558 for (i = 0; i < max_operations; i++) {
4559 result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
4560 if (ErrorCode::OK != result) {
4561 break;
4562 }
4563 }
4564 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
4565 // Try again just in case there's a weird overflow bug
4566 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
4567 Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
4568 for (size_t j = 0; j < i; j++) {
4569 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
4570 << "Aboort failed for i = " << j << std::endl;
4571 }
4572 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
4573 AbortIfNeeded();
4574}
4575
4576INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
4577
4578typedef KeyMintAidlTestBase TransportLimitTest;
4579
4580/*
4581 * TransportLimitTest.FinishInput
4582 *
4583 * Verifies that passing input data to finish succeeds as expected.
4584 */
4585TEST_P(TransportLimitTest, LargeFinishInput) {
4586 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4587 .Authorization(TAG_NO_AUTH_REQUIRED)
4588 .AesEncryptionKey(128)
4589 .BlockMode(BlockMode::ECB)
4590 .Padding(PaddingMode::NONE)));
4591
4592 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
4593 auto cipher_params =
4594 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4595
4596 AuthorizationSet out_params;
4597 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
4598
4599 string plain_message = std::string(1 << msg_size, 'x');
4600 string encrypted_message;
4601 auto rc = Finish(plain_message, &encrypted_message);
4602
4603 EXPECT_EQ(ErrorCode::OK, rc);
4604 EXPECT_EQ(plain_message.size(), encrypted_message.size())
4605 << "Encrypt finish returned OK, but did not consume all of the given input";
4606 cipher_params.push_back(out_params);
4607
4608 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
4609
4610 string decrypted_message;
4611 rc = Finish(encrypted_message, &decrypted_message);
4612 EXPECT_EQ(ErrorCode::OK, rc);
4613 EXPECT_EQ(plain_message.size(), decrypted_message.size())
4614 << "Decrypt finish returned OK, did not consume all of the given input";
4615 }
4616}
4617
4618INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
4619
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]4620typedef KeyMintAidlTestBase KeyAgreementTest;
4621
4622int CurveToOpenSslCurveName(EcCurve curve) {
4623 switch (curve) {
4624 case EcCurve::P_224:
4625 return NID_secp224r1;
4626 case EcCurve::P_256:
4627 return NID_X9_62_prime256v1;
4628 case EcCurve::P_384:
4629 return NID_secp384r1;
4630 case EcCurve::P_521:
4631 return NID_secp521r1;
4632 }
4633}
4634
4635/*
4636 * KeyAgreementTest.Ecdh
4637 *
4638 * Verifies that ECDH works for all curves
4639 */
4640TEST_P(KeyAgreementTest, Ecdh) {
4641 // Because it's possible to use this API with keys on different curves, we
4642 // check all N^2 combinations where N is the number of supported
4643 // curves.
4644 //
4645 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
4646 // lot more curves we can be smart about things and just pick |otherCurve| so
4647 // it's not |curve| and that way we end up with only 2*N runs
4648 //
4649 for (auto curve : ValidCurves()) {
4650 for (auto localCurve : ValidCurves()) {
4651 // Generate EC key locally (with access to private key material)
4652 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
4653 int curveName = CurveToOpenSslCurveName(localCurve);
4654 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
4655 ASSERT_NE(group, nullptr);
4656 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
4657 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
4658 auto pkey = EVP_PKEY_Ptr(EVP_PKEY_new());
4659 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(pkey.get(), ecKey.get()), 1);
4660
4661 // Get encoded form of the public part of the locally generated key...
4662 unsigned char* p = nullptr;
4663 int encodedPublicKeySize = i2d_PUBKEY(pkey.get(), &p);
4664 ASSERT_GT(encodedPublicKeySize, 0);
4665 vector<uint8_t> encodedPublicKey(
4666 reinterpret_cast<const uint8_t*>(p),
4667 reinterpret_cast<const uint8_t*>(p + encodedPublicKeySize));
4668 OPENSSL_free(p);
4669
4670 // Generate EC key in KeyMint (only access to public key material)
4671 vector<uint8_t> challenge = {0x41, 0x42};
4672 EXPECT_EQ(
4673 ErrorCode::OK,
4674 GenerateKey(AuthorizationSetBuilder()
4675 .Authorization(TAG_NO_AUTH_REQUIRED)
4676 .Authorization(TAG_EC_CURVE, curve)
4677 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4678 .Authorization(TAG_ALGORITHM, Algorithm::EC)
4679 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4680 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
4681 .SetDefaultValidity()))
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]4682 << "Failed to generate key";
4683 ASSERT_GT(cert_chain_.size(), 0);
4684 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4685 ASSERT_NE(kmKeyCert, nullptr);
4686 // Check that keyAgreement (bit 4) is set in KeyUsage
4687 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
4688 auto kmPkey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
4689 ASSERT_NE(kmPkey, nullptr);
4690 if (dump_Attestations) {
4691 for (size_t n = 0; n < cert_chain_.size(); n++) {
4692 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
4693 }
4694 }
4695
4696 // Now that we have the two keys, we ask KeyMint to perform ECDH...
4697 if (curve != localCurve) {
4698 // If the keys are using different curves KeyMint should fail with
4699 // ErrorCode:INVALID_ARGUMENT. Check that.
4700 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
4701 string ZabFromKeyMintStr;
4702 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
4703 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
4704 &ZabFromKeyMintStr));
4705
4706 } else {
4707 // Otherwise if the keys are using the same curve, it should work.
4708 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
4709 string ZabFromKeyMintStr;
4710 EXPECT_EQ(ErrorCode::OK,
4711 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
4712 &ZabFromKeyMintStr));
4713 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
4714
4715 // Perform local ECDH between the two keys so we can check if we get the same Zab..
4716 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(pkey.get(), nullptr));
4717 ASSERT_NE(ctx, nullptr);
4718 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
4719 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPkey.get()), 1);
4720 size_t ZabFromTestLen = 0;
4721 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
4722 vector<uint8_t> ZabFromTest;
4723 ZabFromTest.resize(ZabFromTestLen);
4724 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
4725
4726 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
4727 }
4728
4729 CheckedDeleteKey();
4730 }
4731 }
4732}
4733
4734INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
4735
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]4736using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4737
4738TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
4739 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4740 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
4741
4742 CheckedDeleteKey(&aesKeyData.blob);
4743 CheckedDeleteKey(&hmacKeyData.blob);
4744 CheckedDeleteKey(&rsaKeyData.blob);
4745 CheckedDeleteKey(&ecdsaKeyData.blob);
4746}
4747
4748// This is a more comprenhensive test, but it can only be run on a machine which is still in early
4749// boot stage, which no proper Android device is by the time we can run VTS. To use this,
4750// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
4751// early boot, so you'll have to reboot between runs.
4752TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
4753 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4754 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
4755 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
4756 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4757 EXPECT_TRUE(
4758 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4759 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4760 EXPECT_TRUE(
4761 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4762
4763 // Should be able to use keys, since early boot has not ended
4764 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
4765 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
4766 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
4767 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
4768
4769 // End early boot
4770 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
4771 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
4772
4773 // Should not be able to use already-created keys.
4774 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
4775 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
4776 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
4777 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
4778
4779 CheckedDeleteKey(&aesKeyData.blob);
4780 CheckedDeleteKey(&hmacKeyData.blob);
4781 CheckedDeleteKey(&rsaKeyData.blob);
4782 CheckedDeleteKey(&ecdsaKeyData.blob);
4783
4784 // Should not be able to create new keys
4785 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
4786 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
4787
4788 CheckedDeleteKey(&aesKeyData.blob);
4789 CheckedDeleteKey(&hmacKeyData.blob);
4790 CheckedDeleteKey(&rsaKeyData.blob);
4791 CheckedDeleteKey(&ecdsaKeyData.blob);
4792}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]4793
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4794INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
4795
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]4796using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4797
4798// This may be a problematic test. It can't be run repeatedly without unlocking the device in
4799// between runs... and on most test devices there are no enrolled credentials so it can't be
4800// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
4801// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
4802// a manual test process, which includes unlocking between runs, which is why it's included here.
4803// Well, that and the fact that it's the only test we can do without also making calls into the
4804// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
4805// implications might be, so that may or may not be a solution.
4806TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
4807 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4808 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
4809
4810 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
4811 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
4812 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
4813 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
4814
4815 ErrorCode rc = GetReturnErrorCode(
4816 keyMint().deviceLocked(false /* passwordOnly */, {} /* verificationToken */));
4817 ASSERT_EQ(ErrorCode::OK, rc);
4818 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
4819 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
4820 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
4821 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
4822
4823 CheckedDeleteKey(&aesKeyData.blob);
4824 CheckedDeleteKey(&hmacKeyData.blob);
4825 CheckedDeleteKey(&rsaKeyData.blob);
4826 CheckedDeleteKey(&ecdsaKeyData.blob);
4827}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]4828
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4829INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
4830
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]4831using PerformOperationTest = KeyMintAidlTestBase;
4832
4833TEST_P(PerformOperationTest, RequireUnimplemented) {
4834 vector<uint8_t> response;
4835 auto result = keymint_->performOperation({} /* request */, &response);
4836 ASSERT_EQ(GetReturnErrorCode(result), ErrorCode::UNIMPLEMENTED);
4837}
4838
4839INSTANTIATE_KEYMINT_AIDL_TEST(PerformOperationTest);
4840
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]4841} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4842
4843int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4844 std::cout << "Testing ";
4845 auto halInstances =
4846 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
4847 std::cout << "HAL instances:\n";
4848 for (auto& entry : halInstances) {
4849 std::cout << " " << entry << '\n';
4850 }
4851
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4852 ::testing::InitGoogleTest(&argc, argv);
4853 for (int i = 1; i < argc; ++i) {
4854 if (argv[i][0] == '-') {
4855 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4856 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
4857 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4858 }
4859 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4860 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
4861 dump_Attestations = true;
4862 } else {
4863 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4864 }
4865 }
4866 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]4867 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4868}