Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 565ccc70ed0dd31965ca4ca86ddce1be741da1c5 / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 670043d0dd97b560c4a3f2cc4b9fec6275ef87a6 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
24
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]25#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]26#include <openssl/evp.h>
27#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]28#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]29
30#include <cutils/properties.h>
31
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]32#include <android/binder_manager.h>
33
34#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]35#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]36
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]37#include <keymint_support/key_param_output.h>
38#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]39
40#include "KeyMintAidlTestBase.h"
41
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]42using aidl::android::hardware::security::keymint::AuthorizationSet;
43using aidl::android::hardware::security::keymint::KeyCharacteristics;
44using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]45
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]46namespace std {
47
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]48using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]49
50template <>
51struct std::equal_to<KeyCharacteristics> {
52 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]53 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]54
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]55 // this isn't very efficient. Oh, well.
56 AuthorizationSet a_auths(a.authorizations);
57 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]58
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]59 a_auths.Sort();
60 b_auths.Sort();
61
62 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]63 }
64};
65
66} // namespace std
67
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]68namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]69
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]70namespace {
71
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]72// The maximum number of times we'll attempt to verify that corruption
73// of an ecrypted blob results in an error. Retries are necessary as there
74// is a small (roughly 1/256) chance that corrupting ciphertext still results
75// in valid PKCS7 padding.
76constexpr size_t kMaxPaddingCorruptionRetries = 8;
77
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]78template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]79bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
80 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]81 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]82 if (auto p = authorizationValue(ttag, param)) {
83 return *p == expected_value;
84 }
85 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]86 });
87 return (it != set.end());
88}
89
90template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]91bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]92 auto it = std::find_if(set.begin(), set.end(),
93 [&](const KeyParameter& param) { return param.tag == tag; });
94 return (it != set.end());
95}
96
97constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
98 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
99 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
100 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
101 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
102 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
103 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
104 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
108 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
109 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
110 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
111 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
112 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
113
114string hex2str(string a) {
115 string b;
116 size_t num = a.size() / 2;
117 b.resize(num);
118 for (size_t i = 0; i < num; i++) {
119 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
120 }
121 return b;
122}
123
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]124string rsa_key = hex2str(
125 // RFC 5208 s5
126 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
127 "020100" // INTEGER length 1 value 0x00 (version)
128 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
129 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
130 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
131 "0500" // NULL (parameters)
132 // } end SEQUENCE (AlgorithmIdentifier)
133 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
134 // RFC 8017 A.1.2
135 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
136 "020100" // INTEGER length 1 value 0x00 (version)
137 "028181" // INTEGER length 0x81 value (modulus) ...
138 "00c6095409047d8634812d5a218176e4"
139 "5c41d60a75b13901f234226cffe77652"
140 "1c5a77b9e389417b71c0b6a44d13afe4"
141 "e4a2805d46c9da2935adb1ff0c1f24ea"
142 "06e62b20d776430a4d435157233c6f91"
143 "6783c30e310fcbd89b85c2d567711697"
144 "85ac12bca244abda72bfb19fc44d27c8"
145 "1e1d92de284f4061edfd99280745ea6d"
146 "25"
147 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
148 "028180" // INTEGER length 0x80 (privateExponent) value...
149 "1be0f04d9cae3718691f035338308e91"
150 "564b55899ffb5084d2460e6630257e05"
151 "b3ceab02972dfabcd6ce5f6ee2589eb6"
152 "7911ed0fac16e43a444b8c861e544a05"
153 "93365772f8baf6b22fc9e3c5f1024b06"
154 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
155 "ace7240290bef16c0b3f7f3cdd64ce3a"
156 "b5912cf6e32f39ab188358afcccd8081"
157 "0241" // INTEGER length 0x41 (prime1)
158 "00e4b49ef50f765d3b24dde01aceaaf1"
159 "30f2c76670a91a61ae08af497b4a82be"
160 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
161 "8c92bfab137fba2285227b83c342ff7c"
162 "55"
163 "0241" // INTEGER length 0x41 (prime2)
164 "00ddabb5839c4c7f6bf3d4183231f005"
165 "b31aa58affdda5c79e4cce217f6bc930"
166 "dbe563d480706c24e9ebfcab28a6cdef"
167 "d324b77e1bf7251b709092c24ff501fd"
168 "91"
169 "0240" // INTEGER length 0x40 (exponent1)
170 "23d4340eda3445d8cd26c14411da6fdc"
171 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
172 "842c1d280405bc2f6c1bea214a1d742a"
173 "b996b35b63a82a5e470fa88dbf823cdd"
174 "0240" // INTEGER length 0x40 (exponent2)
175 "1b7b57449ad30d1518249a5f56bb9829"
176 "4d4b6ac12ffc86940497a5a5837a6cf9"
177 "46262b494526d328c11e1126380fde04"
178 "c24f916dec250892db09a6d77cdba351"
179 "0240" // INTEGER length 0x40 (coefficient)
180 "7762cd8f4d050da56bd591adb515d24d"
181 "7ccd32cca0d05f866d583514bd7324d5"
182 "f33645e8ed8b4a1cb3cc4a1d67987399"
183 "f2a09f5b3fb68c88d5e5d90ac33492d6"
184 // } end SEQUENCE (PrivateKey)
185 // } end SEQUENCE (PrivateKeyInfo)
186);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]187
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]188/*
189 * DER-encoded PKCS#8 format RSA key. Generated using:
190 *
191 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
192 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]193string rsa_2048_key = hex2str(
194 // RFC 5208 s5
195 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
196 "020100" // INTEGER length 1 value 0x00 (version)
197 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
198 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
199 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
200 "0500" // NULL (parameters)
201 // } end SEQUENCE (AlgorithmIdentifier)
202 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
203 // RFC 8017 A.1.2
204 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
205 "020100" // INTEGER length 1 value 0x00 (version)
206 "02820101" // INTEGER length 0x101 value (modulus) ...
207 "00BEBC342B56D443B1299F9A6A7056E8"
208 "0A897E318476A5A18029E63B2ED739A6"
209 "1791D339F58DC763D9D14911F2EDEC38"
210 "3DEE11F6319B44510E7A3ECD9B79B973"
211 "82E49500ACF8117DC89CAF0E621F7775"
212 "6554A2FD4664BFE7AB8B59AB48340DBF"
213 "A27B93B5A81F6ECDEB02D0759307128D"
214 "F3E3BAD4055C8B840216DFAA5700670E"
215 "6C5126F0962FCB70FF308F25049164CC"
216 "F76CC2DA66A7DD9A81A714C2809D6918"
217 "6133D29D84568E892B6FFBF3199BDB14"
218 "383EE224407F190358F111A949552ABA"
219 "6714227D1BD7F6B20DD0CB88F9467B71"
220 "9339F33BFF35B3870B3F62204E4286B0"
221 "948EA348B524544B5F9838F29EE643B0"
222 "79EEF8A713B220D7806924CDF7295070"
223 "C5"
224 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
225 "02820100" // INTEGER length 0x100 (privateExponent) value...
226 "69F377F35F2F584EF075353CCD1CA997"
227 "38DB3DBC7C7FF35F9366CE176DFD1B13"
228 "5AB10030344ABF5FBECF1D4659FDEF1C"
229 "0FC430834BE1BE3911951377BB3D563A"
230 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
231 "2686C7B4B3C09A7B8354133E6F93F790"
232 "D59EAEB92E84C9A4339302CCE28FDF04"
233 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
234 "6AB706645BF074A4E4090D06FB163124"
235 "365FD5EE7A20D350E9958CC30D91326E"
236 "1B292E9EF5DB408EC42DAF737D201497"
237 "04D0A678A0FB5B5446863B099228A352"
238 "D604BA8091A164D01D5AB05397C71EAD"
239 "20BE2A08FC528FE442817809C787FEE4"
240 "AB97F97B9130D022153EDC6EB6CBE7B0"
241 "F8E3473F2E901209B5DB10F93604DB01"
242 "028181" // INTEGER length 0x81 (prime1)
243 "00E83C0998214941EA4F9293F1B77E2E"
244 "99E6CF305FAF358238E126124FEAF2EB"
245 "9724B2EA7B78E6032343821A80E55D1D"
246 "88FB12D220C3F41A56142FEC85796D19"
247 "17F1E8C774F142B67D3D6E7B7E6B4383"
248 "E94DB5929089DBB346D5BDAB40CC2D96"
249 "EE0409475E175C63BF78CFD744136740"
250 "838127EA723FF3FE7FA368C1311B4A4E"
251 "05"
252 "028181" // INTEGER length 0x81 (prime2)
253 "00D240FCC0F5D7715CDE21CB2DC86EA1"
254 "46132EA3B06F61FF2AF54BF38473F59D"
255 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
256 "B1B58C39F95E4798CCBB43E83D0119AC"
257 "F532F359CA743C85199F0286610E2009"
258 "97D7312917179AC9B67558773212EC96"
259 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
260 "94D94E066A0900B7B70E82A44FB30053"
261 "C1"
262 "028181" // INTEGER length 0x81 (exponent1)
263 "00AD15DA1CBD6A492B66851BA8C316D3"
264 "8AB700E2CFDDD926A658003513C54BAA"
265 "152B30021D667D20078F500F8AD3E7F3"
266 "945D74A891ED1A28EAD0FEEAEC8C14A8"
267 "E834CF46A13D1378C99D18940823CFDD"
268 "27EC5810D59339E0C34198AC638E09C8"
269 "7CBB1B634A9864AE9F4D5EB2D53514F6"
270 "7B4CAEC048C8AB849A02E397618F3271"
271 "35"
272 "028180" // INTEGER length 0x80 (exponent2)
273 "1FA2C1A5331880A92D8F3E281C617108"
274 "BF38244F16E352E69ED417C7153F9EC3"
275 "18F211839C643DCF8B4DD67CE2AC312E"
276 "95178D5D952F06B1BF779F4916924B70"
277 "F582A23F11304E02A5E7565AE22A35E7"
278 "4FECC8B6FDC93F92A1A37703E4CF0E63"
279 "783BD02EB716A7ECBBFA606B10B74D01"
280 "579522E7EF84D91FC522292108D902C1"
281 "028180" // INTEGER length 0x80 (coefficient)
282 "796FE3825F9DCC85DF22D58690065D93"
283 "898ACD65C087BEA8DA3A63BF4549B795"
284 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
285 "0D74F40DED8E1102C52152A31B6165F8"
286 "3A6722AECFCC35A493D7634664B888A0"
287 "8D3EB034F12EA28BFEE346E205D33482"
288 "7F778B16ED40872BD29FCB36536B6E93"
289 "FFB06778696B4A9D81BB0A9423E63DE5"
290 // } end SEQUENCE (PrivateKey)
291 // } end SEQUENCE (PrivateKeyInfo)
292);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]293
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]294string ec_256_key = hex2str(
295 // RFC 5208 s5
296 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
297 "020100" // INTEGER length 1 value 0 (version)
298 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
299 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
300 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
301 "0608" // OBJECT IDENTIFIER length 8 (param)
302 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
303 // } end SEQUENCE (AlgorithmIdentifier)
304 "046d" // OCTET STRING length 0x6d (privateKey) holding...
305 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
306 "020101" // INTEGER length 1 value 1 (version)
307 "0420" // OCTET STRING length 0x20 (privateKey)
308 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
309 "941eed09366bc03299986481f3a4d859"
310 "a144" // TAG [1] len 0x44 (publicKey) {
311 "03420004bf85d7720d07c25461683bc6"
312 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
313 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
314 "bcc41c6eb00083cf3376d11fd44949e0"
315 "b2183bfe"
316 // } end SEQUENCE (ECPrivateKey)
317 // } end SEQUENCE (PrivateKeyInfo)
318);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]319
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]320string ec_521_key = hex2str(
321 // RFC 5208 s5
322 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
323 "020100" // INTEGER length 1 value 0 (version)
324 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
325 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
326 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
327 "0605" // OBJECT IDENTIFIER length 5 (param)
328 "2B81040023" // 1.3.132.0.35 (secp521r1)
329 // } end SEQUENCE (AlgorithmIdentifier)
330 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
331 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
332 "020101" // INTEGER length 1 value 1 (version)
333 "0442" // OCTET STRING length 0x42 (privateKey)
334 "0011458C586DB5DAA92AFAB03F4FE46A"
335 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
336 "9D18D7D08B5BCFA0E53C75B064AD51C4"
337 "49BAE0258D54B94B1E885DED08ED4FB2"
338 "5CE9"
339 "A18189" // TAG [1] len 0x89 (publicKey) {
340 "03818600040149EC11C6DF0FA122C6A9"
341 "AFD9754A4FA9513A627CA329E349535A"
342 "5629875A8ADFBE27DCB932C051986377"
343 "108D054C28C6F39B6F2C9AF81802F9F3"
344 "26B842FF2E5F3C00AB7635CFB36157FC"
345 "0882D574A10D839C1A0C049DC5E0D775"
346 "E2EE50671A208431BB45E78E70BEFE93"
347 "0DB34818EE4D5C26259F5C6B8E28A652"
348 "950F9F88D7B4B2C9D9"
349 // } end SEQUENCE (ECPrivateKey)
350 // } end SEQUENCE (PrivateKeyInfo)
351);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]352
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]353string ec_256_key_rfc5915 = hex2str(
354 // RFC 5208 s5
355 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
356 "020100" // INTEGER length 1 value 0 (version)
357 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
358 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
359 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
360 "0608" // OBJECT IDENTIFIER length 8 (param)
361 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
362 // } end SEQUENCE (AlgorithmIdentifier)
363 "0479" // OCTET STRING length 0x79 (privateKey) holding...
364 // RFC 5915 s3
365 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
366 "020101" // INTEGER length 1 value 1 (version)
367 "0420" // OCTET STRING length 0x42 (privateKey)
368 "782370a8c8ce5537baadd04dcff079c8"
369 "158cfa9c67b818b38e8d21c9fa750c1d"
370 "a00a" // TAG [0] length 0xa (parameters)
371 "0608" // OBJECT IDENTIFIER length 8
372 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
373 // } end TAG [0]
374 "a144" // TAG [1] length 0x44 (publicKey) {
375 "0342" // BIT STRING length 0x42
376 "00" // no pad bits
377 "04e2cc561ee701da0ad0ef0d176bb0c9"
378 "19d42e79c393fdc1bd6c4010d85cf2cf"
379 "8e68c905464666f98dad4f01573ba810"
380 "78b3428570a439ba3229fbc026c55068"
381 "2f"
382 // } end SEQUENCE (ECPrivateKey)
383 // } end SEQUENCE (PrivateKeyInfo)
384);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]385
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]386string ec_256_key_sec1 = hex2str(
387 // RFC 5208 s5
388 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
389 "020100" // INTEGER length 1 value 0 (version)
390 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
391 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
392 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
393 "0608" // OBJECT IDENTIFIER length 8 (param)
394 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
395 // } end SEQUENCE (AlgorithmIdentifier)
396 "046d" // OCTET STRING length 0x6d (privateKey) holding...
397 // SEC1-v2 C.4
398 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
399 "020101" // INTEGER length 1 value 0x01 (version)
400 "0420" // OCTET STRING length 0x20 (privateKey)
401 "782370a8c8ce5537baadd04dcff079c8"
402 "158cfa9c67b818b38e8d21c9fa750c1d"
403 "a144" // TAG [1] length 0x44 (publicKey) {
404 "0342" // BIT STRING length 0x42
405 "00" // no pad bits
406 "04e2cc561ee701da0ad0ef0d176bb0c9"
407 "19d42e79c393fdc1bd6c4010d85cf2cf"
408 "8e68c905464666f98dad4f01573ba810"
409 "78b3428570a439ba3229fbc026c55068"
410 "2f"
411 // } end TAG [1] (publicKey)
412 // } end SEQUENCE (PrivateKeyInfo)
413);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]414
415struct RSA_Delete {
416 void operator()(RSA* p) { RSA_free(p); }
417};
418
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]419std::string make_string(const uint8_t* data, size_t length) {
420 return std::string(reinterpret_cast<const char*>(data), length);
421}
422
423template <size_t N>
424std::string make_string(const uint8_t (&a)[N]) {
425 return make_string(a, N);
426}
427
428class AidlBuf : public vector<uint8_t> {
429 typedef vector<uint8_t> super;
430
431 public:
432 AidlBuf() {}
433 AidlBuf(const super& other) : super(other) {}
434 AidlBuf(super&& other) : super(std::move(other)) {}
435 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
436
437 AidlBuf& operator=(const super& other) {
438 super::operator=(other);
439 return *this;
440 }
441
442 AidlBuf& operator=(super&& other) {
443 super::operator=(std::move(other));
444 return *this;
445 }
446
447 AidlBuf& operator=(const string& other) {
448 resize(other.size());
449 for (size_t i = 0; i < other.size(); ++i) {
450 (*this)[i] = static_cast<uint8_t>(other[i]);
451 }
452 return *this;
453 }
454
455 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
456};
457
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]458string device_suffix(const string& name) {
459 size_t pos = name.find('/');
460 if (pos == string::npos) {
461 return name;
462 }
463 return name.substr(pos + 1);
464}
465
466bool matching_rp_instance(const string& km_name,
467 std::shared_ptr<IRemotelyProvisionedComponent>* rp) {
468 string km_suffix = device_suffix(km_name);
469
470 vector<string> rp_names =
471 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
472 for (const string& rp_name : rp_names) {
473 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
474 // KeyMint instance, assume they match.
475 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
476 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
477 *rp = IRemotelyProvisionedComponent::fromBinder(binder);
478 return true;
479 }
480 }
481 return false;
482}
483
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]484} // namespace
485
486class NewKeyGenerationTest : public KeyMintAidlTestBase {
487 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]488 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]489 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]490 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]491
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]492 // Check that some unexpected tags/values are NOT present.
493 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
494 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]495 }
496
497 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
498 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
499 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
500 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
501
502 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]503 }
504
505 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics) {
506 // TODO(swillden): Distinguish which params should be in which auth list.
507 AuthorizationSet auths;
508 for (auto& entry : keyCharacteristics) {
509 auths.push_back(AuthorizationSet(entry.authorizations));
510 }
511 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
512
513 // Verify that App data, ROT and auth timeout are NOT included.
514 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
515 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]516 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
517
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]518 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
519 // never adds it.
520 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
521
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]522 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]523 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]524 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]525 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]526 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]527 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]528 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]529
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]530 // Should include vendor and boot patchlevels.
531 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
532 EXPECT_TRUE(vendor_pl);
533 EXPECT_EQ(*vendor_pl, vendor_patch_level());
534 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
535 EXPECT_TRUE(boot_pl);
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]536
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]537 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]538 }
539};
540
541/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]542 * NewKeyGenerationTest.Aes
543 *
544 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
545 * have correct characteristics.
546 */
547TEST_P(NewKeyGenerationTest, Aes) {
548 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
549 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
550 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
551 SCOPED_TRACE(testing::Message()
552 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
553 vector<uint8_t> key_blob;
554 vector<KeyCharacteristics> key_characteristics;
555 auto builder = AuthorizationSetBuilder()
556 .AesEncryptionKey(key_size)
557 .BlockMode(block_mode)
558 .Padding(padding_mode)
559 .SetDefaultValidity();
560 if (block_mode == BlockMode::GCM) {
561 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
562 }
563 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
564
565 EXPECT_GT(key_blob.size(), 0U);
566 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]567 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]568
569 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
570
571 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
572 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
573 << "Key size " << key_size << "missing";
574
575 CheckedDeleteKey(&key_blob);
576 }
577 }
578 }
579}
580
581/*
582 * NewKeyGenerationTest.AesInvalidSize
583 *
584 * Verifies that specifying an invalid key size for AES key generation returns
585 * UNSUPPORTED_KEY_SIZE.
586 */
587TEST_P(NewKeyGenerationTest, AesInvalidSize) {
588 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
589 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
590 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
591 SCOPED_TRACE(testing::Message()
592 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
593 vector<uint8_t> key_blob;
594 vector<KeyCharacteristics> key_characteristics;
595 auto builder = AuthorizationSetBuilder()
596 .AesEncryptionKey(key_size)
597 .BlockMode(block_mode)
598 .Padding(padding_mode)
599 .SetDefaultValidity();
600 if (block_mode == BlockMode::GCM) {
601 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
602 }
603 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
604 GenerateKey(builder, &key_blob, &key_characteristics));
605 }
606 }
607 }
608
609 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
610 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
611 vector<uint8_t> key_blob;
612 vector<KeyCharacteristics> key_characteristics;
613 // No key size specified
614 auto builder = AuthorizationSetBuilder()
615 .Authorization(TAG_ALGORITHM, Algorithm::AES)
616 .BlockMode(block_mode)
617 .Padding(padding_mode)
618 .SetDefaultValidity();
619 if (block_mode == BlockMode::GCM) {
620 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
621 }
622 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
623 GenerateKey(builder, &key_blob, &key_characteristics));
624 }
625 }
626}
627
628/*
629 * NewKeyGenerationTest.AesInvalidPadding
630 *
631 * Verifies that specifying an invalid padding on AES keys gives a failure
632 * somewhere along the way.
633 */
634TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
635 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
636 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
637 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
638 SCOPED_TRACE(testing::Message()
639 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]640 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]641 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]642 .AesEncryptionKey(key_size)
643 .BlockMode(block_mode)
644 .Padding(padding_mode)
645 .SetDefaultValidity();
646 if (block_mode == BlockMode::GCM) {
647 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
648 }
649
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]650 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]651 if (result == ErrorCode::OK) {
652 // Key creation was OK but has generated a key that cannot be used.
653 auto params =
654 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]655 if (block_mode == BlockMode::GCM) {
656 params.Authorization(TAG_MAC_LENGTH, 128);
657 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]658 auto result = Begin(KeyPurpose::ENCRYPT, params);
659 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]660 result == ErrorCode::INVALID_KEY_BLOB)
661 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]662 } else {
663 // The KeyMint implementation detected that the generated key
664 // is unusable.
665 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
666 }
667 }
668 }
669 }
670}
671
672/*
673 * NewKeyGenerationTest.AesGcmMissingMinMac
674 *
675 * Verifies that specifying an invalid key size for AES key generation returns
676 * UNSUPPORTED_KEY_SIZE.
677 */
678TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
679 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
680 BlockMode block_mode = BlockMode::GCM;
681 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
682 SCOPED_TRACE(testing::Message()
683 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
684 vector<uint8_t> key_blob;
685 vector<KeyCharacteristics> key_characteristics;
686 // No MIN_MAC_LENGTH provided.
687 auto builder = AuthorizationSetBuilder()
688 .AesEncryptionKey(key_size)
689 .BlockMode(block_mode)
690 .Padding(padding_mode)
691 .SetDefaultValidity();
692 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
693 GenerateKey(builder, &key_blob, &key_characteristics));
694 }
695 }
696}
697
698/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]699 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
700 *
701 * Verifies that specifying an invalid min MAC size for AES key generation returns
702 * UNSUPPORTED_MIN_MAC_LENGTH.
703 */
704TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
705 for (size_t min_mac_len : {88, 136}) {
706 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
707 BlockMode block_mode = BlockMode::GCM;
708 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
709 SCOPED_TRACE(testing::Message()
710 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
711 vector<uint8_t> key_blob;
712 vector<KeyCharacteristics> key_characteristics;
713 auto builder = AuthorizationSetBuilder()
714 .AesEncryptionKey(key_size)
715 .BlockMode(block_mode)
716 .Padding(padding_mode)
717 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
718 .SetDefaultValidity();
719 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
720 GenerateKey(builder, &key_blob, &key_characteristics));
721 }
722 }
723 }
724}
725
726/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]727 * NewKeyGenerationTest.TripleDes
728 *
729 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
730 * have correct characteristics.
731 */
732TEST_P(NewKeyGenerationTest, TripleDes) {
733 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
734 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
735 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
736 SCOPED_TRACE(testing::Message()
737 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
738 vector<uint8_t> key_blob;
739 vector<KeyCharacteristics> key_characteristics;
740 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
741 .TripleDesEncryptionKey(key_size)
742 .BlockMode(block_mode)
743 .Padding(padding_mode)
744 .Authorization(TAG_NO_AUTH_REQUIRED)
745 .SetDefaultValidity(),
746 &key_blob, &key_characteristics));
747
748 EXPECT_GT(key_blob.size(), 0U);
749 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]750 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]751
752 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
753
754 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
755 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
756 << "Key size " << key_size << "missing";
757
758 CheckedDeleteKey(&key_blob);
759 }
760 }
761 }
762}
763
764/*
765 * NewKeyGenerationTest.TripleDesWithAttestation
766 *
767 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
768 * have correct characteristics.
769 *
770 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
771 * put in a certificate) but which isn't an error.
772 */
773TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
774 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
775 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
776 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
777 SCOPED_TRACE(testing::Message()
778 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
779
780 auto challenge = "hello";
781 auto app_id = "foo";
782
783 vector<uint8_t> key_blob;
784 vector<KeyCharacteristics> key_characteristics;
785 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
786 .TripleDesEncryptionKey(key_size)
787 .BlockMode(block_mode)
788 .Padding(padding_mode)
789 .Authorization(TAG_NO_AUTH_REQUIRED)
790 .AttestationChallenge(challenge)
791 .AttestationApplicationId(app_id)
792 .SetDefaultValidity(),
793 &key_blob, &key_characteristics));
794
795 EXPECT_GT(key_blob.size(), 0U);
796 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]797 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]798
799 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
800
801 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
802 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
803 << "Key size " << key_size << "missing";
804
805 CheckedDeleteKey(&key_blob);
806 }
807 }
808 }
809}
810
811/*
812 * NewKeyGenerationTest.TripleDesInvalidSize
813 *
814 * Verifies that specifying an invalid key size for 3-DES key generation returns
815 * UNSUPPORTED_KEY_SIZE.
816 */
817TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
818 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
819 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
820 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
821 SCOPED_TRACE(testing::Message()
822 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
823 vector<uint8_t> key_blob;
824 vector<KeyCharacteristics> key_characteristics;
825 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
826 GenerateKey(AuthorizationSetBuilder()
827 .TripleDesEncryptionKey(key_size)
828 .BlockMode(block_mode)
829 .Padding(padding_mode)
830 .Authorization(TAG_NO_AUTH_REQUIRED)
831 .SetDefaultValidity(),
832 &key_blob, &key_characteristics));
833 }
834 }
835 }
836
837 // Omitting the key size fails.
838 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
839 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
840 SCOPED_TRACE(testing::Message()
841 << "3DES-default-" << block_mode << "-" << padding_mode);
842 vector<uint8_t> key_blob;
843 vector<KeyCharacteristics> key_characteristics;
844 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
845 GenerateKey(AuthorizationSetBuilder()
846 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
847 .BlockMode(block_mode)
848 .Padding(padding_mode)
849 .Authorization(TAG_NO_AUTH_REQUIRED)
850 .SetDefaultValidity(),
851 &key_blob, &key_characteristics));
852 }
853 }
854}
855
856/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]857 * NewKeyGenerationTest.Rsa
858 *
859 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
860 * have correct characteristics.
861 */
862TEST_P(NewKeyGenerationTest, Rsa) {
863 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
864 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]865 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]866 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
867 .RsaSigningKey(key_size, 65537)
868 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]869 .Padding(PaddingMode::NONE)
870 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]871 &key_blob, &key_characteristics));
872
873 ASSERT_GT(key_blob.size(), 0U);
874 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]875 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]876
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]877 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]878
879 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
880 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
881 << "Key size " << key_size << "missing";
882 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
883
884 CheckedDeleteKey(&key_blob);
885 }
886}
887
888/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]889 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]890 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]891 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
892 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]893 */
894TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]895 auto challenge = "hello";
896 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]897
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]898 auto subject = "cert subj 2";
899 vector<uint8_t> subject_der(make_name_from_str(subject));
900
901 uint64_t serial_int = 66;
902 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
903
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]904 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]905 vector<uint8_t> key_blob;
906 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]907 ASSERT_EQ(ErrorCode::OK,
908 GenerateKey(AuthorizationSetBuilder()
909 .RsaSigningKey(key_size, 65537)
910 .Digest(Digest::NONE)
911 .Padding(PaddingMode::NONE)
912 .AttestationChallenge(challenge)
913 .AttestationApplicationId(app_id)
914 .Authorization(TAG_NO_AUTH_REQUIRED)
915 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
916 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
917 .SetDefaultValidity(),
918 &key_blob, &key_characteristics));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]919
920 ASSERT_GT(key_blob.size(), 0U);
921 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]922 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]923
924 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
925
926 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
927 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
928 << "Key size " << key_size << "missing";
929 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
930
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]931 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]932 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]933 ASSERT_GT(cert_chain_.size(), 0);
934
935 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
936 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
937 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
938 sw_enforced, hw_enforced, SecLevel(),
939 cert_chain_[0].encodedCertificate));
940
941 CheckedDeleteKey(&key_blob);
942 }
943}
944
945/*
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]946 * NewKeyGenerationTest.RsaWithRpkAttestation
947 *
948 * Verifies that keymint can generate all required RSA key sizes, using an attestation key
949 * that has been generated using an associate IRemotelyProvisionedComponent.
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]950 *
951 * This test is disabled because the KeyMint specification does not require that implementations
952 * of the first version of KeyMint have to also implement IRemotelyProvisionedComponent.
953 * However, the test is kept in the code because KeyMint v2 will impose this requirement.
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]954 */
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]955TEST_P(NewKeyGenerationTest, DISABLED_RsaWithRpkAttestation) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]956 // There should be an IRemotelyProvisionedComponent instance associated with the KeyMint
957 // instance.
958 std::shared_ptr<IRemotelyProvisionedComponent> rp;
959 ASSERT_TRUE(matching_rp_instance(GetParam(), &rp))
960 << "No IRemotelyProvisionedComponent found that matches KeyMint device " << GetParam();
961
962 // Generate a P-256 keypair to use as an attestation key.
963 MacedPublicKey macedPubKey;
964 std::vector<uint8_t> privateKeyBlob;
965 auto status =
966 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
967 ASSERT_TRUE(status.isOk());
968 vector<uint8_t> coseKeyData;
969 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
970
971 AttestationKey attestation_key;
972 attestation_key.keyBlob = std::move(privateKeyBlob);
973 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
974
975 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
976 auto challenge = "hello";
977 auto app_id = "foo";
978
979 vector<uint8_t> key_blob;
980 vector<KeyCharacteristics> key_characteristics;
981 ASSERT_EQ(ErrorCode::OK,
982 GenerateKey(AuthorizationSetBuilder()
983 .RsaSigningKey(key_size, 65537)
984 .Digest(Digest::NONE)
985 .Padding(PaddingMode::NONE)
986 .AttestationChallenge(challenge)
987 .AttestationApplicationId(app_id)
988 .Authorization(TAG_NO_AUTH_REQUIRED)
989 .SetDefaultValidity(),
990 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
991
992 ASSERT_GT(key_blob.size(), 0U);
993 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]994 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]995
996 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
997
998 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
999 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1000 << "Key size " << key_size << "missing";
1001 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1002
1003 // Attestation by itself is not valid (last entry is not self-signed).
1004 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1005
1006 // The signature over the attested key should correspond to the P256 public key.
1007 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1008 ASSERT_TRUE(key_cert.get());
1009 EVP_PKEY_Ptr signing_pubkey;
1010 p256_pub_key(coseKeyData, &signing_pubkey);
1011 ASSERT_TRUE(signing_pubkey.get());
1012
1013 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1014 << "Verification of attested certificate failed "
1015 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
1016
1017 CheckedDeleteKey(&key_blob);
1018 }
1019}
1020
1021/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1022 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1023 *
1024 * Verifies that keymint attestation for RSA encryption keys with challenge and
1025 * app id is also successful.
1026 */
1027TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1028 auto key_size = 2048;
1029 auto challenge = "hello";
1030 auto app_id = "foo";
1031
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1032 auto subject = "subj 2";
1033 vector<uint8_t> subject_der(make_name_from_str(subject));
1034
1035 uint64_t serial_int = 111166;
1036 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1037
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1038 vector<uint8_t> key_blob;
1039 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1040 ASSERT_EQ(ErrorCode::OK,
1041 GenerateKey(AuthorizationSetBuilder()
1042 .RsaEncryptionKey(key_size, 65537)
1043 .Padding(PaddingMode::NONE)
1044 .AttestationChallenge(challenge)
1045 .AttestationApplicationId(app_id)
1046 .Authorization(TAG_NO_AUTH_REQUIRED)
1047 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1048 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1049 .SetDefaultValidity(),
1050 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1051
1052 ASSERT_GT(key_blob.size(), 0U);
1053 AuthorizationSet auths;
1054 for (auto& entry : key_characteristics) {
1055 auths.push_back(AuthorizationSet(entry.authorizations));
1056 }
1057
1058 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1059 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1060
1061 // Verify that App data and ROT are NOT included.
1062 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1063 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1064
1065 // Check that some unexpected tags/values are NOT present.
1066 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1067 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1068
1069 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1070
1071 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1072 ASSERT_TRUE(os_ver);
1073 EXPECT_EQ(*os_ver, os_version());
1074
1075 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1076
1077 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1078 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1079 << "Key size " << key_size << "missing";
1080 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1081
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1082 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1083 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1084 ASSERT_GT(cert_chain_.size(), 0);
1085
1086 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1087 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1088 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1089 sw_enforced, hw_enforced, SecLevel(),
1090 cert_chain_[0].encodedCertificate));
1091
1092 CheckedDeleteKey(&key_blob);
1093}
1094
1095/*
1096 * NewKeyGenerationTest.RsaWithSelfSign
1097 *
1098 * Verifies that attesting to RSA key generation is successful, and returns
1099 * self signed certificate if no challenge is provided. And signing etc
1100 * works as expected.
1101 */
1102TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1103 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1104 vector<uint8_t> subject_der(make_name_from_str(subject));
1105
1106 uint64_t serial_int = 0;
1107 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1108
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1109 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1110 vector<uint8_t> key_blob;
1111 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1112 ASSERT_EQ(ErrorCode::OK,
1113 GenerateKey(AuthorizationSetBuilder()
1114 .RsaSigningKey(key_size, 65537)
1115 .Digest(Digest::NONE)
1116 .Padding(PaddingMode::NONE)
1117 .Authorization(TAG_NO_AUTH_REQUIRED)
1118 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1119 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1120 .SetDefaultValidity(),
1121 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1122
1123 ASSERT_GT(key_blob.size(), 0U);
1124 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1125 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1126
1127 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1128
1129 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1130 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1131 << "Key size " << key_size << "missing";
1132 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1133
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1134 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1135 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1136 ASSERT_EQ(cert_chain_.size(), 1);
1137
1138 CheckedDeleteKey(&key_blob);
1139 }
1140}
1141
1142/*
1143 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1144 *
1145 * Verifies that attesting to RSA checks for missing app ID.
1146 */
1147TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1148 auto challenge = "hello";
1149 vector<uint8_t> key_blob;
1150 vector<KeyCharacteristics> key_characteristics;
1151
1152 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
1153 GenerateKey(AuthorizationSetBuilder()
1154 .RsaSigningKey(2048, 65537)
1155 .Digest(Digest::NONE)
1156 .Padding(PaddingMode::NONE)
1157 .AttestationChallenge(challenge)
1158 .Authorization(TAG_NO_AUTH_REQUIRED)
1159 .SetDefaultValidity(),
1160 &key_blob, &key_characteristics));
1161}
1162
1163/*
1164 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1165 *
1166 * Verifies that attesting to RSA ignores app id if challenge is missing.
1167 */
1168TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1169 auto key_size = 2048;
1170 auto app_id = "foo";
1171
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1172 auto subject = "cert subj 2";
1173 vector<uint8_t> subject_der(make_name_from_str(subject));
1174
1175 uint64_t serial_int = 1;
1176 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1177
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1178 vector<uint8_t> key_blob;
1179 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1180 ASSERT_EQ(ErrorCode::OK,
1181 GenerateKey(AuthorizationSetBuilder()
1182 .RsaSigningKey(key_size, 65537)
1183 .Digest(Digest::NONE)
1184 .Padding(PaddingMode::NONE)
1185 .AttestationApplicationId(app_id)
1186 .Authorization(TAG_NO_AUTH_REQUIRED)
1187 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1188 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1189 .SetDefaultValidity(),
1190 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1191
1192 ASSERT_GT(key_blob.size(), 0U);
1193 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1194 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1195
1196 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1197
1198 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1199 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1200 << "Key size " << key_size << "missing";
1201 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1202
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1203 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1204 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1205 ASSERT_EQ(cert_chain_.size(), 1);
1206
1207 CheckedDeleteKey(&key_blob);
1208}
1209
1210/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1211 * NewKeyGenerationTest.LimitedUsageRsa
1212 *
1213 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1214 * resulting keys have correct characteristics.
1215 */
1216TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1217 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1218 vector<uint8_t> key_blob;
1219 vector<KeyCharacteristics> key_characteristics;
1220 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1221 .RsaSigningKey(key_size, 65537)
1222 .Digest(Digest::NONE)
1223 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1224 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1225 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1226 &key_blob, &key_characteristics));
1227
1228 ASSERT_GT(key_blob.size(), 0U);
1229 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1230 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1231
1232 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1233
1234 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1235 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1236 << "Key size " << key_size << "missing";
1237 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1238
1239 // Check the usage count limit tag appears in the authorizations.
1240 AuthorizationSet auths;
1241 for (auto& entry : key_characteristics) {
1242 auths.push_back(AuthorizationSet(entry.authorizations));
1243 }
1244 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1245 << "key usage count limit " << 1U << " missing";
1246
1247 CheckedDeleteKey(&key_blob);
1248 }
1249}
1250
1251/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1252 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1253 *
1254 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1255 * resulting keys have correct characteristics and attestation.
1256 */
1257TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1258 auto challenge = "hello";
1259 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1260
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1261 auto subject = "cert subj 2";
1262 vector<uint8_t> subject_der(make_name_from_str(subject));
1263
1264 uint64_t serial_int = 66;
1265 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1266
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1267 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1268 vector<uint8_t> key_blob;
1269 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1270 ASSERT_EQ(ErrorCode::OK,
1271 GenerateKey(AuthorizationSetBuilder()
1272 .RsaSigningKey(key_size, 65537)
1273 .Digest(Digest::NONE)
1274 .Padding(PaddingMode::NONE)
1275 .AttestationChallenge(challenge)
1276 .AttestationApplicationId(app_id)
1277 .Authorization(TAG_NO_AUTH_REQUIRED)
1278 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1279 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1280 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1281 .SetDefaultValidity(),
1282 &key_blob, &key_characteristics));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1283
1284 ASSERT_GT(key_blob.size(), 0U);
1285 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1286 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1287
1288 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1289
1290 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1291 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1292 << "Key size " << key_size << "missing";
1293 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1294
1295 // Check the usage count limit tag appears in the authorizations.
1296 AuthorizationSet auths;
1297 for (auto& entry : key_characteristics) {
1298 auths.push_back(AuthorizationSet(entry.authorizations));
1299 }
1300 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1301 << "key usage count limit " << 1U << " missing";
1302
1303 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1304 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1305 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1306 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1307
1308 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1309 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1310 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1311 sw_enforced, hw_enforced, SecLevel(),
1312 cert_chain_[0].encodedCertificate));
1313
1314 CheckedDeleteKey(&key_blob);
1315 }
1316}
1317
1318/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1319 * NewKeyGenerationTest.NoInvalidRsaSizes
1320 *
1321 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1322 */
1323TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1324 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
1325 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1326 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1327 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1328 GenerateKey(AuthorizationSetBuilder()
1329 .RsaSigningKey(key_size, 65537)
1330 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1331 .Padding(PaddingMode::NONE)
1332 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1333 &key_blob, &key_characteristics));
1334 }
1335}
1336
1337/*
1338 * NewKeyGenerationTest.RsaNoDefaultSize
1339 *
1340 * Verifies that failing to specify a key size for RSA key generation returns
1341 * UNSUPPORTED_KEY_SIZE.
1342 */
1343TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1344 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1345 GenerateKey(AuthorizationSetBuilder()
1346 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1347 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1348 .SigningKey()
1349 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1350}
1351
1352/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1353 * NewKeyGenerationTest.RsaMissingParams
1354 *
1355 * Verifies that omitting optional tags works.
1356 */
1357TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1358 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1359 ASSERT_EQ(ErrorCode::OK,
1360 GenerateKey(
1361 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1362 CheckedDeleteKey();
1363 }
1364}
1365
1366/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1367 * NewKeyGenerationTest.Ecdsa
1368 *
1369 * Verifies that keymint can generate all required EC key sizes, and that the resulting keys
1370 * have correct characteristics.
1371 */
1372TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1373 for (auto curve : ValidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1374 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1375 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1376 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1377 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1378 .Digest(Digest::NONE)
1379 .SetDefaultValidity(),
1380 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1381 ASSERT_GT(key_blob.size(), 0U);
1382 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1383 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1384
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1385 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1386
1387 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1388 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1389
1390 CheckedDeleteKey(&key_blob);
1391 }
1392}
1393
1394/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1395 * NewKeyGenerationTest.EcdsaAttestation
1396 *
1397 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1398 * an attestation will be generated.
1399 */
1400TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1401 auto challenge = "hello";
1402 auto app_id = "foo";
1403
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1404 auto subject = "cert subj 2";
1405 vector<uint8_t> subject_der(make_name_from_str(subject));
1406
1407 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1408 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1409
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1410 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1411 vector<uint8_t> key_blob;
1412 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1413 ASSERT_EQ(ErrorCode::OK,
1414 GenerateKey(AuthorizationSetBuilder()
1415 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1416 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1417 .Digest(Digest::NONE)
1418 .AttestationChallenge(challenge)
1419 .AttestationApplicationId(app_id)
1420 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1421 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1422 .SetDefaultValidity(),
1423 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1424 ASSERT_GT(key_blob.size(), 0U);
1425 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1426 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1427
1428 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1429
1430 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1431 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1432
1433 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1434 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1435 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1436
1437 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1438 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1439 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1440 sw_enforced, hw_enforced, SecLevel(),
1441 cert_chain_[0].encodedCertificate));
1442
1443 CheckedDeleteKey(&key_blob);
1444 }
1445}
1446
1447/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1448 * NewKeyGenerationTest.EcdsaAttestationTags
1449 *
1450 * Verifies that creation of an attested ECDSA key includes various tags in the
1451 * attestation extension.
1452 */
1453TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1454 auto challenge = "hello";
1455 auto app_id = "foo";
1456 auto subject = "cert subj 2";
1457 vector<uint8_t> subject_der(make_name_from_str(subject));
1458 uint64_t serial_int = 0x1010;
1459 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1460 const AuthorizationSetBuilder base_builder =
1461 AuthorizationSetBuilder()
1462 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1463 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1464 .Digest(Digest::NONE)
1465 .AttestationChallenge(challenge)
1466 .AttestationApplicationId(app_id)
1467 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1468 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1469 .SetDefaultValidity();
1470
1471 // Various tags that map to fields in the attestation extension ASN.1 schema.
1472 auto extra_tags = AuthorizationSetBuilder()
1473 .Authorization(TAG_ROLLBACK_RESISTANCE)
1474 .Authorization(TAG_EARLY_BOOT_ONLY)
1475 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1476 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1477 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1478 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1479 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1480 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1481 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1482 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1483 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1484 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1485
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1486 for (const KeyParameter& tag : extra_tags) {
1487 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1488 vector<uint8_t> key_blob;
1489 vector<KeyCharacteristics> key_characteristics;
1490 AuthorizationSetBuilder builder = base_builder;
1491 builder.push_back(tag);
1492 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1493 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1494 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1495 continue;
1496 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1497 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1498 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1499 continue;
1500 }
1501 ASSERT_EQ(result, ErrorCode::OK);
1502 ASSERT_GT(key_blob.size(), 0U);
1503
1504 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1505 ASSERT_GT(cert_chain_.size(), 0);
1506 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1507
1508 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1509 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1510 // Some tags are optional, so don't require them to be in the enforcements.
1511 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1512 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
1513 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
1514 }
1515
1516 // Verifying the attestation record will check for the specific tag because
1517 // it's included in the authorizations.
1518 EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
1519 SecLevel(), cert_chain_[0].encodedCertificate));
1520
1521 CheckedDeleteKey(&key_blob);
1522 }
1523
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1524 // Collection of invalid attestation ID tags.
1525 auto invalid_tags =
1526 AuthorizationSetBuilder()
1527 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
1528 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
1529 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
1530 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
1531 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
1532 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
1533 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
1534 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1535 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1536 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1537 vector<uint8_t> key_blob;
1538 vector<KeyCharacteristics> key_characteristics;
1539 AuthorizationSetBuilder builder =
1540 AuthorizationSetBuilder()
1541 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1542 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1543 .Digest(Digest::NONE)
1544 .AttestationChallenge(challenge)
1545 .AttestationApplicationId(app_id)
1546 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1547 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1548 .SetDefaultValidity();
1549 builder.push_back(tag);
1550 ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
1551 GenerateKey(builder, &key_blob, &key_characteristics));
1552 }
1553}
1554
1555/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1556 * NewKeyGenerationTest.EcdsaAttestationIdTags
1557 *
1558 * Verifies that creation of an attested ECDSA key includes various ID tags in the
1559 * attestation extension.
1560 */
1561TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
1562 auto challenge = "hello";
1563 auto app_id = "foo";
1564 auto subject = "cert subj 2";
1565 vector<uint8_t> subject_der(make_name_from_str(subject));
1566 uint64_t serial_int = 0x1010;
1567 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1568 const AuthorizationSetBuilder base_builder =
1569 AuthorizationSetBuilder()
1570 .Authorization(TAG_NO_AUTH_REQUIRED)
1571 .EcdsaSigningKey(EcCurve::P_256)
1572 .Digest(Digest::NONE)
1573 .AttestationChallenge(challenge)
1574 .AttestationApplicationId(app_id)
1575 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1576 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1577 .SetDefaultValidity();
1578
1579 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
1580 auto extra_tags = AuthorizationSetBuilder();
1581 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
1582 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
1583 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
1584 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serial");
1585 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer");
1586 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model");
1587
1588 for (const KeyParameter& tag : extra_tags) {
1589 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1590 vector<uint8_t> key_blob;
1591 vector<KeyCharacteristics> key_characteristics;
1592 AuthorizationSetBuilder builder = base_builder;
1593 builder.push_back(tag);
1594 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1595 if (result == ErrorCode::CANNOT_ATTEST_IDS) {
1596 // Device ID attestation is optional; KeyMint may not support it at all.
1597 continue;
1598 }
1599 ASSERT_EQ(result, ErrorCode::OK);
1600 ASSERT_GT(key_blob.size(), 0U);
1601
1602 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1603 ASSERT_GT(cert_chain_.size(), 0);
1604 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1605
1606 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1607 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1608
1609 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
1610 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
1611 // attestation extension should contain them, so make sure the extra tag is added.
1612 hw_enforced.push_back(tag);
1613
1614 // Verifying the attestation record will check for the specific tag because
1615 // it's included in the authorizations.
1616 EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
1617 SecLevel(), cert_chain_[0].encodedCertificate));
1618
1619 CheckedDeleteKey(&key_blob);
1620 }
1621}
1622
1623/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame^]1624 * NewKeyGenerationTest.EcdsaAttestationUniqueId
1625 *
1626 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
1627 */
1628TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
1629 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
1630 vector<uint8_t>* unique_id) {
1631 auto challenge = "hello";
1632 auto subject = "cert subj 2";
1633 vector<uint8_t> subject_der(make_name_from_str(subject));
1634 uint64_t serial_int = 0x1010;
1635 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1636 const AuthorizationSetBuilder builder =
1637 AuthorizationSetBuilder()
1638 .Authorization(TAG_NO_AUTH_REQUIRED)
1639 .Authorization(TAG_INCLUDE_UNIQUE_ID)
1640 .EcdsaSigningKey(EcCurve::P_256)
1641 .Digest(Digest::NONE)
1642 .AttestationChallenge(challenge)
1643 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1644 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1645 .AttestationApplicationId(app_id)
1646 .Authorization(TAG_CREATION_DATETIME, datetime)
1647 .SetDefaultValidity();
1648
1649 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
1650 ASSERT_GT(key_blob_.size(), 0U);
1651
1652 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1653 ASSERT_GT(cert_chain_.size(), 0);
1654 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1655
1656 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
1657 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
1658
1659 // Check that the unique ID field in the extension is non-empty.
1660 EXPECT_TRUE(verify_attestation_record(challenge, app_id, sw_enforced, hw_enforced,
1661 SecLevel(), cert_chain_[0].encodedCertificate,
1662 unique_id));
1663 EXPECT_GT(unique_id->size(), 0);
1664 CheckedDeleteKey();
1665 };
1666
1667 // Generate unique ID
1668 auto app_id = "foo";
1669 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
1670 vector<uint8_t> unique_id;
1671 get_unique_id(app_id, cert_date, &unique_id);
1672
1673 // Generating a new key with the same parameters should give the same unique ID.
1674 vector<uint8_t> unique_id2;
1675 get_unique_id(app_id, cert_date, &unique_id2);
1676 EXPECT_EQ(unique_id, unique_id2);
1677
1678 // Generating a new key with a slightly different date should give the same unique ID.
1679 uint64_t rounded_date = cert_date / 2592000000LLU;
1680 uint64_t min_date = rounded_date * 2592000000LLU;
1681 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
1682
1683 vector<uint8_t> unique_id3;
1684 get_unique_id(app_id, min_date, &unique_id3);
1685 EXPECT_EQ(unique_id, unique_id3);
1686
1687 vector<uint8_t> unique_id4;
1688 get_unique_id(app_id, max_date, &unique_id4);
1689 EXPECT_EQ(unique_id, unique_id4);
1690
1691 // A different attestation application ID should yield a different unique ID.
1692 auto app_id2 = "different_foo";
1693 vector<uint8_t> unique_id5;
1694 get_unique_id(app_id2, cert_date, &unique_id5);
1695 EXPECT_NE(unique_id, unique_id5);
1696
1697 // A radically different date should yield a different unique ID.
1698 vector<uint8_t> unique_id6;
1699 get_unique_id(app_id, 1611621648000, &unique_id6);
1700 EXPECT_NE(unique_id, unique_id6);
1701
1702 vector<uint8_t> unique_id7;
1703 get_unique_id(app_id, max_date + 1, &unique_id7);
1704 EXPECT_NE(unique_id, unique_id7);
1705
1706 vector<uint8_t> unique_id8;
1707 get_unique_id(app_id, min_date - 1, &unique_id8);
1708 EXPECT_NE(unique_id, unique_id8);
1709}
1710
1711/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1712 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
1713 *
1714 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
1715 */
1716TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
1717 auto challenge = "hello";
1718 auto attest_app_id = "foo";
1719 auto subject = "cert subj 2";
1720 vector<uint8_t> subject_der(make_name_from_str(subject));
1721 uint64_t serial_int = 0x1010;
1722 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1723
1724 // Earlier versions of the attestation extension schema included a slot:
1725 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
1726 // This should never have been included, and should never be filled in.
1727 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
1728 // to confirm that this field never makes it into the attestation extension.
1729 vector<uint8_t> key_blob;
1730 vector<KeyCharacteristics> key_characteristics;
1731 auto result = GenerateKey(AuthorizationSetBuilder()
1732 .Authorization(TAG_NO_AUTH_REQUIRED)
1733 .EcdsaSigningKey(EcCurve::P_256)
1734 .Digest(Digest::NONE)
1735 .AttestationChallenge(challenge)
1736 .AttestationApplicationId(attest_app_id)
1737 .Authorization(TAG_APPLICATION_ID, "client_id")
1738 .Authorization(TAG_APPLICATION_DATA, "appdata")
1739 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1740 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1741 .SetDefaultValidity(),
1742 &key_blob, &key_characteristics);
1743 ASSERT_EQ(result, ErrorCode::OK);
1744 ASSERT_GT(key_blob.size(), 0U);
1745
1746 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1747 ASSERT_GT(cert_chain_.size(), 0);
1748 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1749
1750 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1751 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1752 EXPECT_TRUE(verify_attestation_record(challenge, attest_app_id, sw_enforced, hw_enforced,
1753 SecLevel(), cert_chain_[0].encodedCertificate));
1754
1755 // Check that the app id is not in the cert.
1756 string app_id = "clientid";
1757 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
1758 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
1759 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
1760 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
1761 cert_chain_[0].encodedCertificate.end());
1762
1763 CheckedDeleteKey(&key_blob);
1764}
1765
1766/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1767 * NewKeyGenerationTest.EcdsaSelfSignAttestation
1768 *
1769 * Verifies that if no challenge is provided to an Ecdsa key generation, then
1770 * the key will generate a self signed attestation.
1771 */
1772TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1773 auto subject = "cert subj 2";
1774 vector<uint8_t> subject_der(make_name_from_str(subject));
1775
1776 uint64_t serial_int = 0x123456FFF1234;
1777 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1778
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1779 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1780 vector<uint8_t> key_blob;
1781 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1782 ASSERT_EQ(ErrorCode::OK,
1783 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1784 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1785 .Digest(Digest::NONE)
1786 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1787 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1788 .SetDefaultValidity(),
1789 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1790 ASSERT_GT(key_blob.size(), 0U);
1791 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1792 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1793
1794 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1795
1796 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1797 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1798
1799 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1800 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1801 ASSERT_EQ(cert_chain_.size(), 1);
1802
1803 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1804 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1805
1806 CheckedDeleteKey(&key_blob);
1807 }
1808}
1809
1810/*
1811 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
1812 *
1813 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
1814 * app id must also be provided or else it will fail.
1815 */
1816TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
1817 auto challenge = "hello";
1818 vector<uint8_t> key_blob;
1819 vector<KeyCharacteristics> key_characteristics;
1820
1821 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
1822 GenerateKey(AuthorizationSetBuilder()
1823 .EcdsaSigningKey(EcCurve::P_256)
1824 .Digest(Digest::NONE)
1825 .AttestationChallenge(challenge)
1826 .SetDefaultValidity(),
1827 &key_blob, &key_characteristics));
1828}
1829
1830/*
1831 * NewKeyGenerationTest.EcdsaIgnoreAppId
1832 *
1833 * Verifies that if no challenge is provided to the Ecdsa key generation, then
1834 * any appid will be ignored, and keymint will generate a self sign certificate.
1835 */
1836TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
1837 auto app_id = "foo";
1838
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1839 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1840 vector<uint8_t> key_blob;
1841 vector<KeyCharacteristics> key_characteristics;
1842 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1843 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1844 .Digest(Digest::NONE)
1845 .AttestationApplicationId(app_id)
1846 .SetDefaultValidity(),
1847 &key_blob, &key_characteristics));
1848
1849 ASSERT_GT(key_blob.size(), 0U);
1850 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1851 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1852
1853 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1854
1855 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1856 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1857
1858 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1859 ASSERT_EQ(cert_chain_.size(), 1);
1860
1861 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1862 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1863
1864 CheckedDeleteKey(&key_blob);
1865 }
1866}
1867
1868/*
1869 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
1870 *
1871 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
1872 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
1873 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
1874 * to specify how many following bytes will be used to encode the length.
1875 */
1876TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
1877 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1878 std::vector<uint32_t> app_id_lengths{143, 258};
1879
1880 for (uint32_t length : app_id_lengths) {
1881 const string app_id(length, 'a');
1882 vector<uint8_t> key_blob;
1883 vector<KeyCharacteristics> key_characteristics;
1884 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1885 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1886 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1887 .Digest(Digest::NONE)
1888 .AttestationChallenge(challenge)
1889 .AttestationApplicationId(app_id)
1890 .SetDefaultValidity(),
1891 &key_blob, &key_characteristics));
1892 ASSERT_GT(key_blob.size(), 0U);
1893 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1894 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1895
1896 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1897
1898 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1899 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1900
1901 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1902 ASSERT_GT(cert_chain_.size(), 0);
1903
1904 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1905 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1906 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1907 sw_enforced, hw_enforced, SecLevel(),
1908 cert_chain_[0].encodedCertificate));
1909
1910 CheckedDeleteKey(&key_blob);
1911 }
1912}
1913
1914/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1915 * NewKeyGenerationTest.LimitedUsageEcdsa
1916 *
1917 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
1918 * resulting keys have correct characteristics.
1919 */
1920TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1921 for (auto curve : ValidCurves()) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1922 vector<uint8_t> key_blob;
1923 vector<KeyCharacteristics> key_characteristics;
1924 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1925 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1926 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1927 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1928 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1929 &key_blob, &key_characteristics));
1930
1931 ASSERT_GT(key_blob.size(), 0U);
1932 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1933 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1934
1935 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1936
1937 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1938 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1939
1940 // Check the usage count limit tag appears in the authorizations.
1941 AuthorizationSet auths;
1942 for (auto& entry : key_characteristics) {
1943 auths.push_back(AuthorizationSet(entry.authorizations));
1944 }
1945 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1946 << "key usage count limit " << 1U << " missing";
1947
1948 CheckedDeleteKey(&key_blob);
1949 }
1950}
1951
1952/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1953 * NewKeyGenerationTest.EcdsaDefaultSize
1954 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1955 * Verifies that failing to specify a curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1956 * UNSUPPORTED_KEY_SIZE.
1957 */
1958TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
1959 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1960 GenerateKey(AuthorizationSetBuilder()
1961 .Authorization(TAG_ALGORITHM, Algorithm::EC)
1962 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1963 .Digest(Digest::NONE)
1964 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1965}
1966
1967/*
1968 * NewKeyGenerationTest.EcdsaInvalidSize
1969 *
1970 * Verifies that specifying an invalid key size for EC key generation returns
1971 * UNSUPPORTED_KEY_SIZE.
1972 */
1973TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1974 for (auto curve : InvalidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1975 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1976 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1977 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1978 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1979 .Digest(Digest::NONE)
1980 .SetDefaultValidity(),
1981 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1982 }
1983
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1984 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1985 GenerateKey(AuthorizationSetBuilder()
1986 .Authorization(TAG_ALGORITHM, Algorithm::EC)
1987 .Authorization(TAG_KEY_SIZE, 190)
1988 .SigningKey()
1989 .Digest(Digest::NONE)
1990 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1991}
1992
1993/*
1994 * NewKeyGenerationTest.EcdsaMismatchKeySize
1995 *
1996 * Verifies that specifying mismatched key size and curve for EC key generation returns
1997 * INVALID_ARGUMENT.
1998 */
1999TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2000 if (SecLevel() == SecurityLevel::STRONGBOX) {
2001 GTEST_SKIP() << "Test not applicable to StrongBox device";
2002 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2003
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2004 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2005 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2006 .Authorization(TAG_KEY_SIZE, 224)
2007 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2008 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2009 .Digest(Digest::NONE)
2010 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2011 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2012}
2013
2014/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2015 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2016 *
2017 * Verifies that keymint does not support any curve designated as unsupported.
2018 */
2019TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2020 Digest digest;
2021 if (SecLevel() == SecurityLevel::STRONGBOX) {
2022 digest = Digest::SHA_2_256;
2023 } else {
2024 digest = Digest::SHA_2_512;
2025 }
2026 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2027 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2028 .EcdsaSigningKey(curve)
2029 .Digest(digest)
2030 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2031 << "Failed to generate key on curve: " << curve;
2032 CheckedDeleteKey();
2033 }
2034}
2035
2036/*
2037 * NewKeyGenerationTest.Hmac
2038 *
2039 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2040 * characteristics.
2041 */
2042TEST_P(NewKeyGenerationTest, Hmac) {
2043 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2044 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2045 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2046 constexpr size_t key_size = 128;
2047 ASSERT_EQ(ErrorCode::OK,
2048 GenerateKey(
2049 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2050 TAG_MIN_MAC_LENGTH, 128),
2051 &key_blob, &key_characteristics));
2052
2053 ASSERT_GT(key_blob.size(), 0U);
2054 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2055 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2056
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2057 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2058 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2059 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2060 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2061
2062 CheckedDeleteKey(&key_blob);
2063 }
2064}
2065
2066/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2067 * NewKeyGenerationTest.HmacNoAttestation
2068 *
2069 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2070 * and app id are provided.
2071 */
2072TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2073 auto challenge = "hello";
2074 auto app_id = "foo";
2075
2076 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2077 vector<uint8_t> key_blob;
2078 vector<KeyCharacteristics> key_characteristics;
2079 constexpr size_t key_size = 128;
2080 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2081 .HmacKey(key_size)
2082 .Digest(digest)
2083 .AttestationChallenge(challenge)
2084 .AttestationApplicationId(app_id)
2085 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2086 &key_blob, &key_characteristics));
2087
2088 ASSERT_GT(key_blob.size(), 0U);
2089 ASSERT_EQ(cert_chain_.size(), 0);
2090 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2091 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2092
2093 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2094 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2095 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2096 << "Key size " << key_size << "missing";
2097
2098 CheckedDeleteKey(&key_blob);
2099 }
2100}
2101
2102/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2103 * NewKeyGenerationTest.LimitedUsageHmac
2104 *
2105 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2106 * resulting keys have correct characteristics.
2107 */
2108TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2109 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2110 vector<uint8_t> key_blob;
2111 vector<KeyCharacteristics> key_characteristics;
2112 constexpr size_t key_size = 128;
2113 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2114 .HmacKey(key_size)
2115 .Digest(digest)
2116 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2117 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2118 &key_blob, &key_characteristics));
2119
2120 ASSERT_GT(key_blob.size(), 0U);
2121 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2122 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2123
2124 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2125 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2126 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2127 << "Key size " << key_size << "missing";
2128
2129 // Check the usage count limit tag appears in the authorizations.
2130 AuthorizationSet auths;
2131 for (auto& entry : key_characteristics) {
2132 auths.push_back(AuthorizationSet(entry.authorizations));
2133 }
2134 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2135 << "key usage count limit " << 1U << " missing";
2136
2137 CheckedDeleteKey(&key_blob);
2138 }
2139}
2140
2141/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2142 * NewKeyGenerationTest.HmacCheckKeySizes
2143 *
2144 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2145 */
2146TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2147 for (size_t key_size = 0; key_size <= 512; ++key_size) {
2148 if (key_size < 64 || key_size % 8 != 0) {
2149 // To keep this test from being very slow, we only test a random fraction of
2150 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2151 // them, we expect to run ~40 of them in each run.
2152 if (key_size % 8 == 0 || random() % 10 == 0) {
2153 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2154 GenerateKey(AuthorizationSetBuilder()
2155 .HmacKey(key_size)
2156 .Digest(Digest::SHA_2_256)
2157 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2158 << "HMAC key size " << key_size << " invalid";
2159 }
2160 } else {
2161 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2162 .HmacKey(key_size)
2163 .Digest(Digest::SHA_2_256)
2164 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2165 << "Failed to generate HMAC key of size " << key_size;
2166 CheckedDeleteKey();
2167 }
2168 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2169 if (SecLevel() == SecurityLevel::STRONGBOX) {
2170 // STRONGBOX devices must not support keys larger than 512 bits.
2171 size_t key_size = 520;
2172 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2173 GenerateKey(AuthorizationSetBuilder()
2174 .HmacKey(key_size)
2175 .Digest(Digest::SHA_2_256)
2176 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2177 << "HMAC key size " << key_size << " unexpectedly valid";
2178 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2179}
2180
2181/*
2182 * NewKeyGenerationTest.HmacCheckMinMacLengths
2183 *
2184 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2185 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2186 * specific MAC length that failed, so reproducing a failed run will be easy.
2187 */
2188TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2189 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
2190 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2191 // To keep this test from being very long, we only test a random fraction of
2192 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2193 // we expect to run ~17 of them in each run.
2194 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2195 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2196 GenerateKey(AuthorizationSetBuilder()
2197 .HmacKey(128)
2198 .Digest(Digest::SHA_2_256)
2199 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2200 << "HMAC min mac length " << min_mac_length << " invalid.";
2201 }
2202 } else {
2203 EXPECT_EQ(ErrorCode::OK,
2204 GenerateKey(AuthorizationSetBuilder()
2205 .HmacKey(128)
2206 .Digest(Digest::SHA_2_256)
2207 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2208 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2209 CheckedDeleteKey();
2210 }
2211 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2212
2213 // Minimum MAC length must be no more than 512 bits.
2214 size_t min_mac_length = 520;
2215 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2216 GenerateKey(AuthorizationSetBuilder()
2217 .HmacKey(128)
2218 .Digest(Digest::SHA_2_256)
2219 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2220 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2221}
2222
2223/*
2224 * NewKeyGenerationTest.HmacMultipleDigests
2225 *
2226 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2227 */
2228TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2229 if (SecLevel() == SecurityLevel::STRONGBOX) {
2230 GTEST_SKIP() << "Test not applicable to StrongBox device";
2231 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2232
2233 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2234 GenerateKey(AuthorizationSetBuilder()
2235 .HmacKey(128)
2236 .Digest(Digest::SHA1)
2237 .Digest(Digest::SHA_2_256)
2238 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2239}
2240
2241/*
2242 * NewKeyGenerationTest.HmacDigestNone
2243 *
2244 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2245 */
2246TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2247 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2248 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2249 128)));
2250
2251 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2252 GenerateKey(AuthorizationSetBuilder()
2253 .HmacKey(128)
2254 .Digest(Digest::NONE)
2255 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2256}
2257
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2258/*
2259 * NewKeyGenerationTest.AesNoAttestation
2260 *
2261 * Verifies that attestation parameters to AES keys are ignored and generateKey
2262 * will succeed.
2263 */
2264TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2265 auto challenge = "hello";
2266 auto app_id = "foo";
2267
2268 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2269 .Authorization(TAG_NO_AUTH_REQUIRED)
2270 .AesEncryptionKey(128)
2271 .EcbMode()
2272 .Padding(PaddingMode::PKCS7)
2273 .AttestationChallenge(challenge)
2274 .AttestationApplicationId(app_id)));
2275
2276 ASSERT_EQ(cert_chain_.size(), 0);
2277}
2278
2279/*
2280 * NewKeyGenerationTest.TripleDesNoAttestation
2281 *
2282 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2283 * will be successful. No attestation should be generated.
2284 */
2285TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2286 auto challenge = "hello";
2287 auto app_id = "foo";
2288
2289 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2290 .TripleDesEncryptionKey(168)
2291 .BlockMode(BlockMode::ECB)
2292 .Authorization(TAG_NO_AUTH_REQUIRED)
2293 .Padding(PaddingMode::NONE)
2294 .AttestationChallenge(challenge)
2295 .AttestationApplicationId(app_id)));
2296 ASSERT_EQ(cert_chain_.size(), 0);
2297}
2298
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2299INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2300
2301typedef KeyMintAidlTestBase SigningOperationsTest;
2302
2303/*
2304 * SigningOperationsTest.RsaSuccess
2305 *
2306 * Verifies that raw RSA signature operations succeed.
2307 */
2308TEST_P(SigningOperationsTest, RsaSuccess) {
2309 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2310 .RsaSigningKey(2048, 65537)
2311 .Digest(Digest::NONE)
2312 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2313 .Authorization(TAG_NO_AUTH_REQUIRED)
2314 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2315 string message = "12345678901234567890123456789012";
2316 string signature = SignMessage(
2317 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2318 LocalVerifyMessage(message, signature,
2319 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2320}
2321
2322/*
2323 * SigningOperationsTest.RsaAllPaddingsAndDigests
2324 *
2325 * Verifies RSA signature/verification for all padding modes and digests.
2326 */
2327TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2328 auto authorizations = AuthorizationSetBuilder()
2329 .Authorization(TAG_NO_AUTH_REQUIRED)
2330 .RsaSigningKey(2048, 65537)
2331 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2332 .Padding(PaddingMode::NONE)
2333 .Padding(PaddingMode::RSA_PSS)
2334 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2335 .SetDefaultValidity();
2336
2337 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2338
2339 string message(128, 'a');
2340 string corrupt_message(message);
2341 ++corrupt_message[corrupt_message.size() / 2];
2342
2343 for (auto padding :
2344 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2345 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
2346 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2347 // Digesting only makes sense with padding.
2348 continue;
2349 }
2350
2351 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2352 // PSS requires digesting.
2353 continue;
2354 }
2355
2356 string signature =
2357 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2358 LocalVerifyMessage(message, signature,
2359 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2360 }
2361 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2362}
2363
2364/*
2365 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2366 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2367 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2368 */
2369TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2370 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2371 .Authorization(TAG_NO_AUTH_REQUIRED)
2372 .RsaSigningKey(2048, 65537)
2373 .Digest(Digest::NONE)
2374 .Padding(PaddingMode::NONE)
2375 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2376 .Authorization(TAG_APPLICATION_DATA, "appdata")
2377 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2378
2379 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2380
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2381 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2382 Begin(KeyPurpose::SIGN,
2383 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2384 AbortIfNeeded();
2385 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2386 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2387 .Digest(Digest::NONE)
2388 .Padding(PaddingMode::NONE)
2389 .Authorization(TAG_APPLICATION_ID, "clientid")));
2390 AbortIfNeeded();
2391 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2392 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2393 .Digest(Digest::NONE)
2394 .Padding(PaddingMode::NONE)
2395 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2396 AbortIfNeeded();
2397 EXPECT_EQ(ErrorCode::OK,
2398 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2399 .Digest(Digest::NONE)
2400 .Padding(PaddingMode::NONE)
2401 .Authorization(TAG_APPLICATION_DATA, "appdata")
2402 .Authorization(TAG_APPLICATION_ID, "clientid")));
2403 AbortIfNeeded();
2404}
2405
2406/*
2407 * SigningOperationsTest.RsaPssSha256Success
2408 *
2409 * Verifies that RSA-PSS signature operations succeed.
2410 */
2411TEST_P(SigningOperationsTest, RsaPssSha256Success) {
2412 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2413 .RsaSigningKey(2048, 65537)
2414 .Digest(Digest::SHA_2_256)
2415 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2416 .Authorization(TAG_NO_AUTH_REQUIRED)
2417 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2418 // Use large message, which won't work without digesting.
2419 string message(1024, 'a');
2420 string signature = SignMessage(
2421 message,
2422 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
2423}
2424
2425/*
2426 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
2427 *
2428 * Verifies that keymint rejects signature operations that specify a padding mode when the key
2429 * supports only unpadded operations.
2430 */
2431TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
2432 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2433 .RsaSigningKey(2048, 65537)
2434 .Digest(Digest::NONE)
2435 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2436 .Padding(PaddingMode::NONE)
2437 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2438 string message = "12345678901234567890123456789012";
2439 string signature;
2440
2441 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
2442 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2443 .Digest(Digest::NONE)
2444 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2445}
2446
2447/*
2448 * SigningOperationsTest.NoUserConfirmation
2449 *
2450 * Verifies that keymint rejects signing operations for keys with
2451 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
2452 * presented.
2453 */
2454TEST_P(SigningOperationsTest, NoUserConfirmation) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2455 if (SecLevel() == SecurityLevel::STRONGBOX) {
2456 GTEST_SKIP() << "Test not applicable to StrongBox device";
2457 }
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2458 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2459 .RsaSigningKey(1024, 65537)
2460 .Digest(Digest::NONE)
2461 .Padding(PaddingMode::NONE)
2462 .Authorization(TAG_NO_AUTH_REQUIRED)
2463 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
2464 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2465
2466 const string message = "12345678901234567890123456789012";
2467 EXPECT_EQ(ErrorCode::OK,
2468 Begin(KeyPurpose::SIGN,
2469 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2470 string signature;
2471 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
2472}
2473
2474/*
2475 * SigningOperationsTest.RsaPkcs1Sha256Success
2476 *
2477 * Verifies that digested RSA-PKCS1 signature operations succeed.
2478 */
2479TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
2480 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2481 .RsaSigningKey(2048, 65537)
2482 .Digest(Digest::SHA_2_256)
2483 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2484 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2485 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2486 string message(1024, 'a');
2487 string signature = SignMessage(message, AuthorizationSetBuilder()
2488 .Digest(Digest::SHA_2_256)
2489 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2490}
2491
2492/*
2493 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
2494 *
2495 * Verifies that undigested RSA-PKCS1 signature operations succeed.
2496 */
2497TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
2498 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2499 .RsaSigningKey(2048, 65537)
2500 .Digest(Digest::NONE)
2501 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2502 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2503 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2504 string message(53, 'a');
2505 string signature = SignMessage(message, AuthorizationSetBuilder()
2506 .Digest(Digest::NONE)
2507 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2508}
2509
2510/*
2511 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
2512 *
2513 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
2514 * given a too-long message.
2515 */
2516TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
2517 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2518 .RsaSigningKey(2048, 65537)
2519 .Digest(Digest::NONE)
2520 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2521 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2522 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2523 string message(257, 'a');
2524
2525 EXPECT_EQ(ErrorCode::OK,
2526 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2527 .Digest(Digest::NONE)
2528 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2529 string signature;
2530 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
2531}
2532
2533/*
2534 * SigningOperationsTest.RsaPssSha512TooSmallKey
2535 *
2536 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
2537 * used with a key that is too small for the message.
2538 *
2539 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
2540 * keymint specification requires that salt_size == digest_size, so the message will be
2541 * digest_size * 2 +
2542 * 16. Such a message can only be signed by a given key if the key is at least that size. This
2543 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
2544 * for a 1024-bit key.
2545 */
2546TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2547 if (SecLevel() == SecurityLevel::STRONGBOX) {
2548 GTEST_SKIP() << "Test not applicable to StrongBox device";
2549 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2550 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2551 .RsaSigningKey(1024, 65537)
2552 .Digest(Digest::SHA_2_512)
2553 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2554 .Padding(PaddingMode::RSA_PSS)
2555 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2556 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2557 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2558 .Digest(Digest::SHA_2_512)
2559 .Padding(PaddingMode::RSA_PSS)));
2560}
2561
2562/*
2563 * SigningOperationsTest.RsaNoPaddingTooLong
2564 *
2565 * Verifies that raw RSA signature operations fail with the correct error code when
2566 * given a too-long message.
2567 */
2568TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
2569 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2570 .RsaSigningKey(2048, 65537)
2571 .Digest(Digest::NONE)
2572 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2573 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2574 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2575 // One byte too long
2576 string message(2048 / 8 + 1, 'a');
2577 ASSERT_EQ(ErrorCode::OK,
2578 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2579 .Digest(Digest::NONE)
2580 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2581 string result;
2582 ErrorCode finish_error_code = Finish(message, &result);
2583 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
2584 finish_error_code == ErrorCode::INVALID_ARGUMENT);
2585
2586 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
2587 message = string(128 * 1024, 'a');
2588 ASSERT_EQ(ErrorCode::OK,
2589 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2590 .Digest(Digest::NONE)
2591 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2592 finish_error_code = Finish(message, &result);
2593 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
2594 finish_error_code == ErrorCode::INVALID_ARGUMENT);
2595}
2596
2597/*
2598 * SigningOperationsTest.RsaAbort
2599 *
2600 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
2601 * test, but the behavior should be algorithm and purpose-independent.
2602 */
2603TEST_P(SigningOperationsTest, RsaAbort) {
2604 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2605 .RsaSigningKey(2048, 65537)
2606 .Digest(Digest::NONE)
2607 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2608 .Padding(PaddingMode::NONE)
2609 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2610
2611 ASSERT_EQ(ErrorCode::OK,
2612 Begin(KeyPurpose::SIGN,
2613 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2614 EXPECT_EQ(ErrorCode::OK, Abort());
2615
2616 // Another abort should fail
2617 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
2618
2619 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]2620 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2621}
2622
2623/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2624 * SigningOperationsTest.RsaNonUniqueParams
2625 *
2626 * Verifies that an operation with multiple padding modes is rejected.
2627 */
2628TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
2629 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2630 .RsaSigningKey(2048, 65537)
2631 .Digest(Digest::NONE)
2632 .Digest(Digest::SHA1)
2633 .Authorization(TAG_NO_AUTH_REQUIRED)
2634 .Padding(PaddingMode::NONE)
2635 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2636 .SetDefaultValidity()));
2637
2638 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2639 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2640 .Digest(Digest::NONE)
2641 .Padding(PaddingMode::NONE)
2642 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2643
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]2644 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2645 .Digest(Digest::NONE)
2646 .Digest(Digest::SHA1)
2647 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2648 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2649
2650 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2651 Begin(KeyPurpose::SIGN,
2652 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2653}
2654
2655/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2656 * SigningOperationsTest.RsaUnsupportedPadding
2657 *
2658 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
2659 * with a padding mode inappropriate for RSA.
2660 */
2661TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
2662 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2663 .RsaSigningKey(2048, 65537)
2664 .Authorization(TAG_NO_AUTH_REQUIRED)
2665 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2666 .Padding(PaddingMode::PKCS7)
2667 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2668 ASSERT_EQ(
2669 ErrorCode::UNSUPPORTED_PADDING_MODE,
2670 Begin(KeyPurpose::SIGN,
2671 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2672 CheckedDeleteKey();
2673
2674 ASSERT_EQ(ErrorCode::OK,
2675 GenerateKey(
2676 AuthorizationSetBuilder()
2677 .RsaSigningKey(2048, 65537)
2678 .Authorization(TAG_NO_AUTH_REQUIRED)
2679 .Digest(Digest::SHA_2_256 /* supported digest */)
2680 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
2681 .SetDefaultValidity()));
2682 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2683 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2684 .Digest(Digest::SHA_2_256)
2685 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2686}
2687
2688/*
2689 * SigningOperationsTest.RsaPssNoDigest
2690 *
2691 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
2692 */
2693TEST_P(SigningOperationsTest, RsaNoDigest) {
2694 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2695 .RsaSigningKey(2048, 65537)
2696 .Authorization(TAG_NO_AUTH_REQUIRED)
2697 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2698 .Padding(PaddingMode::RSA_PSS)
2699 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2700 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2701 Begin(KeyPurpose::SIGN,
2702 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
2703
2704 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2705 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
2706}
2707
2708/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]2709 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2710 *
2711 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
2712 * supported in some cases (as validated in other tests), but a mode must be specified.
2713 */
2714TEST_P(SigningOperationsTest, RsaNoPadding) {
2715 // Padding must be specified
2716 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2717 .RsaKey(2048, 65537)
2718 .Authorization(TAG_NO_AUTH_REQUIRED)
2719 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2720 .Digest(Digest::NONE)
2721 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2722 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2723 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
2724}
2725
2726/*
2727 * SigningOperationsTest.RsaShortMessage
2728 *
2729 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
2730 */
2731TEST_P(SigningOperationsTest, RsaTooShortMessage) {
2732 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2733 .Authorization(TAG_NO_AUTH_REQUIRED)
2734 .RsaSigningKey(2048, 65537)
2735 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2736 .Padding(PaddingMode::NONE)
2737 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2738
2739 // Barely shorter
2740 string message(2048 / 8 - 1, 'a');
2741 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2742
2743 // Much shorter
2744 message = "a";
2745 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2746}
2747
2748/*
2749 * SigningOperationsTest.RsaSignWithEncryptionKey
2750 *
2751 * Verifies that RSA encryption keys cannot be used to sign.
2752 */
2753TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
2754 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2755 .Authorization(TAG_NO_AUTH_REQUIRED)
2756 .RsaEncryptionKey(2048, 65537)
2757 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2758 .Padding(PaddingMode::NONE)
2759 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2760 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
2761 Begin(KeyPurpose::SIGN,
2762 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2763}
2764
2765/*
2766 * SigningOperationsTest.RsaSignTooLargeMessage
2767 *
2768 * Verifies that attempting a raw signature of a message which is the same length as the key,
2769 * but numerically larger than the public modulus, fails with the correct error.
2770 */
2771TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
2772 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2773 .Authorization(TAG_NO_AUTH_REQUIRED)
2774 .RsaSigningKey(2048, 65537)
2775 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2776 .Padding(PaddingMode::NONE)
2777 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2778
2779 // Largest possible message will always be larger than the public modulus.
2780 string message(2048 / 8, static_cast<char>(0xff));
2781 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2782 .Authorization(TAG_NO_AUTH_REQUIRED)
2783 .Digest(Digest::NONE)
2784 .Padding(PaddingMode::NONE)));
2785 string signature;
2786 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
2787}
2788
2789/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2790 * SigningOperationsTest.EcdsaAllDigestsAndCurves
2791 *
2792 * Verifies ECDSA signature/verification for all digests and curves.
2793 */
2794TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
2795 auto digests = ValidDigests(true /* withNone */, false /* withMD5 */);
2796
2797 string message = "1234567890";
2798 string corrupt_message = "2234567890";
2799 for (auto curve : ValidCurves()) {
2800 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
2801 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2802 .Authorization(TAG_NO_AUTH_REQUIRED)
2803 .EcdsaSigningKey(curve)
2804 .Digest(digests)
2805 .SetDefaultValidity());
2806 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
2807 if (error != ErrorCode::OK) {
2808 continue;
2809 }
2810
2811 for (auto digest : digests) {
2812 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
2813 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
2814 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
2815 }
2816
2817 auto rc = DeleteKey();
2818 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
2819 }
2820}
2821
2822/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2823 * SigningOperationsTest.EcdsaAllCurves
2824 *
2825 * Verifies that ECDSA operations succeed with all possible curves.
2826 */
2827TEST_P(SigningOperationsTest, EcdsaAllCurves) {
2828 for (auto curve : ValidCurves()) {
2829 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2830 .Authorization(TAG_NO_AUTH_REQUIRED)
2831 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2832 .Digest(Digest::SHA_2_256)
2833 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2834 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
2835 if (error != ErrorCode::OK) continue;
2836
2837 string message(1024, 'a');
2838 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
2839 CheckedDeleteKey();
2840 }
2841}
2842
2843/*
2844 * SigningOperationsTest.EcdsaNoDigestHugeData
2845 *
2846 * Verifies that ECDSA operations support very large messages, even without digesting. This
2847 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
2848 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
2849 * the framework.
2850 */
2851TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
2852 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2853 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2854 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2855 .Digest(Digest::NONE)
2856 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2857 string message(1 * 1024, 'a');
2858 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
2859}
2860
2861/*
2862 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
2863 *
2864 * Verifies that using an EC key requires the correct app ID/data.
2865 */
2866TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
2867 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2868 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2869 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2870 .Digest(Digest::NONE)
2871 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2872 .Authorization(TAG_APPLICATION_DATA, "appdata")
2873 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2874
2875 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2876
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2877 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2878 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
2879 AbortIfNeeded();
2880 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2881 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2882 .Digest(Digest::NONE)
2883 .Authorization(TAG_APPLICATION_ID, "clientid")));
2884 AbortIfNeeded();
2885 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2886 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2887 .Digest(Digest::NONE)
2888 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2889 AbortIfNeeded();
2890 EXPECT_EQ(ErrorCode::OK,
2891 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2892 .Digest(Digest::NONE)
2893 .Authorization(TAG_APPLICATION_DATA, "appdata")
2894 .Authorization(TAG_APPLICATION_ID, "clientid")));
2895 AbortIfNeeded();
2896}
2897
2898/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2899 * SigningOperationsTest.EcdsaIncompatibleDigest
2900 *
2901 * Verifies that using an EC key requires compatible digest.
2902 */
2903TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
2904 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2905 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2906 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2907 .Digest(Digest::NONE)
2908 .Digest(Digest::SHA1)
2909 .SetDefaultValidity()));
2910 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2911 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
2912 AbortIfNeeded();
2913}
2914
2915/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2916 * SigningOperationsTest.AesEcbSign
2917 *
2918 * Verifies that attempts to use AES keys to sign fail in the correct way.
2919 */
2920TEST_P(SigningOperationsTest, AesEcbSign) {
2921 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2922 .Authorization(TAG_NO_AUTH_REQUIRED)
2923 .SigningKey()
2924 .AesEncryptionKey(128)
2925 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
2926
2927 AuthorizationSet out_params;
2928 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
2929 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
2930 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
2931 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
2932}
2933
2934/*
2935 * SigningOperationsTest.HmacAllDigests
2936 *
2937 * Verifies that HMAC works with all digests.
2938 */
2939TEST_P(SigningOperationsTest, HmacAllDigests) {
2940 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
2941 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2942 .Authorization(TAG_NO_AUTH_REQUIRED)
2943 .HmacKey(128)
2944 .Digest(digest)
2945 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
2946 << "Failed to create HMAC key with digest " << digest;
2947 string message = "12345678901234567890123456789012";
2948 string signature = MacMessage(message, digest, 160);
2949 EXPECT_EQ(160U / 8U, signature.size())
2950 << "Failed to sign with HMAC key with digest " << digest;
2951 CheckedDeleteKey();
2952 }
2953}
2954
2955/*
2956 * SigningOperationsTest.HmacSha256TooLargeMacLength
2957 *
2958 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
2959 * digest size.
2960 */
2961TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
2962 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2963 .Authorization(TAG_NO_AUTH_REQUIRED)
2964 .HmacKey(128)
2965 .Digest(Digest::SHA_2_256)
2966 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
2967 AuthorizationSet output_params;
2968 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
2969 AuthorizationSetBuilder()
2970 .Digest(Digest::SHA_2_256)
2971 .Authorization(TAG_MAC_LENGTH, 264),
2972 &output_params));
2973}
2974
2975/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2976 * SigningOperationsTest.HmacSha256InvalidMacLength
2977 *
2978 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
2979 * not a multiple of 8.
2980 */
2981TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
2982 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2983 .Authorization(TAG_NO_AUTH_REQUIRED)
2984 .HmacKey(128)
2985 .Digest(Digest::SHA_2_256)
2986 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
2987 AuthorizationSet output_params;
2988 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
2989 AuthorizationSetBuilder()
2990 .Digest(Digest::SHA_2_256)
2991 .Authorization(TAG_MAC_LENGTH, 161),
2992 &output_params));
2993}
2994
2995/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2996 * SigningOperationsTest.HmacSha256TooSmallMacLength
2997 *
2998 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
2999 * specified minimum MAC length.
3000 */
3001TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3002 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3003 .Authorization(TAG_NO_AUTH_REQUIRED)
3004 .HmacKey(128)
3005 .Digest(Digest::SHA_2_256)
3006 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3007 AuthorizationSet output_params;
3008 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3009 AuthorizationSetBuilder()
3010 .Digest(Digest::SHA_2_256)
3011 .Authorization(TAG_MAC_LENGTH, 120),
3012 &output_params));
3013}
3014
3015/*
3016 * SigningOperationsTest.HmacRfc4231TestCase3
3017 *
3018 * Validates against the test vectors from RFC 4231 test case 3.
3019 */
3020TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3021 string key(20, 0xaa);
3022 string message(50, 0xdd);
3023 uint8_t sha_224_expected[] = {
3024 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3025 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3026 };
3027 uint8_t sha_256_expected[] = {
3028 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3029 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3030 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3031 };
3032 uint8_t sha_384_expected[] = {
3033 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3034 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3035 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3036 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3037 };
3038 uint8_t sha_512_expected[] = {
3039 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3040 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3041 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3042 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3043 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3044 };
3045
3046 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3047 if (SecLevel() != SecurityLevel::STRONGBOX) {
3048 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3049 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3050 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3051 }
3052}
3053
3054/*
3055 * SigningOperationsTest.HmacRfc4231TestCase5
3056 *
3057 * Validates against the test vectors from RFC 4231 test case 5.
3058 */
3059TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3060 string key(20, 0x0c);
3061 string message = "Test With Truncation";
3062
3063 uint8_t sha_224_expected[] = {
3064 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3065 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3066 };
3067 uint8_t sha_256_expected[] = {
3068 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3069 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3070 };
3071 uint8_t sha_384_expected[] = {
3072 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3073 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3074 };
3075 uint8_t sha_512_expected[] = {
3076 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3077 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3078 };
3079
3080 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3081 if (SecLevel() != SecurityLevel::STRONGBOX) {
3082 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3083 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3084 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3085 }
3086}
3087
3088INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3089
3090typedef KeyMintAidlTestBase VerificationOperationsTest;
3091
3092/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3093 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3094 *
3095 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3096 */
3097TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3098 string key_material = "HelloThisIsAKey";
3099
3100 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3101 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3102 EXPECT_EQ(ErrorCode::OK,
3103 ImportKey(AuthorizationSetBuilder()
3104 .Authorization(TAG_NO_AUTH_REQUIRED)
3105 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3106 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3107 .Digest(Digest::SHA_2_256)
3108 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3109 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
3110 EXPECT_EQ(ErrorCode::OK,
3111 ImportKey(AuthorizationSetBuilder()
3112 .Authorization(TAG_NO_AUTH_REQUIRED)
3113 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3114 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3115 .Digest(Digest::SHA_2_256)
3116 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3117 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
3118
3119 string message = "This is a message.";
3120 string signature = SignMessage(
3121 signing_key, message,
3122 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3123
3124 // Signing key should not work.
3125 AuthorizationSet out_params;
3126 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3127 Begin(KeyPurpose::VERIFY, signing_key,
3128 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3129
3130 // Verification key should work.
3131 VerifyMessage(verification_key, message, signature,
3132 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
3133
3134 CheckedDeleteKey(&signing_key);
3135 CheckedDeleteKey(&verification_key);
3136}
3137
3138INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3139
3140typedef KeyMintAidlTestBase ExportKeyTest;
3141
3142/*
3143 * ExportKeyTest.RsaUnsupportedKeyFormat
3144 *
3145 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3146 */
3147// TODO(seleneh) add ExportKey to GenerateKey
3148// check result
3149
3150class ImportKeyTest : public KeyMintAidlTestBase {
3151 public:
3152 template <TagType tag_type, Tag tag, typename ValueT>
3153 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3154 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3155 for (auto& entry : key_characteristics_) {
3156 if (entry.securityLevel == SecLevel()) {
3157 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3158 << "Tag " << tag << " with value " << expected
3159 << " not found at security level" << entry.securityLevel;
3160 } else {
3161 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3162 << "Tag " << tag << " found at security level " << entry.securityLevel;
3163 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3164 }
3165 }
3166
3167 void CheckOrigin() {
3168 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3169 // Origin isn't a crypto param, but it always lives with them.
3170 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3171 }
3172};
3173
3174/*
3175 * ImportKeyTest.RsaSuccess
3176 *
3177 * Verifies that importing and using an RSA key pair works correctly.
3178 */
3179TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3180 uint32_t key_size;
3181 string key;
3182
3183 if (SecLevel() == SecurityLevel::STRONGBOX) {
3184 key_size = 2048;
3185 key = rsa_2048_key;
3186 } else {
3187 key_size = 1024;
3188 key = rsa_key;
3189 }
3190
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3191 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3192 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3193 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3194 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3195 .Padding(PaddingMode::RSA_PSS)
3196 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3197 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3198
3199 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3200 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3201 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3202 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3203 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3204 CheckOrigin();
3205
3206 string message(1024 / 8, 'a');
3207 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3208 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3209 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3210}
3211
3212/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3213 * ImportKeyTest.RsaSuccessWithoutParams
3214 *
3215 * Verifies that importing and using an RSA key pair without specifying parameters
3216 * works correctly.
3217 */
3218TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
3219 uint32_t key_size;
3220 string key;
3221
3222 if (SecLevel() == SecurityLevel::STRONGBOX) {
3223 key_size = 2048;
3224 key = rsa_2048_key;
3225 } else {
3226 key_size = 1024;
3227 key = rsa_key;
3228 }
3229
3230 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3231 .Authorization(TAG_NO_AUTH_REQUIRED)
3232 .SigningKey()
3233 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
3234 .Digest(Digest::SHA_2_256)
3235 .Padding(PaddingMode::RSA_PSS)
3236 .SetDefaultValidity(),
3237 KeyFormat::PKCS8, key));
3238
3239 // Key size and public exponent are determined from the imported key material.
3240 CheckCryptoParam(TAG_KEY_SIZE, key_size);
3241 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3242
3243 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
3244 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3245 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3246 CheckOrigin();
3247
3248 string message(1024 / 8, 'a');
3249 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3250 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3251 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3252}
3253
3254/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3255 * ImportKeyTest.RsaKeySizeMismatch
3256 *
3257 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
3258 * correct way.
3259 */
3260TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
3261 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3262 ImportKey(AuthorizationSetBuilder()
3263 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
3264 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3265 .Padding(PaddingMode::NONE)
3266 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3267 KeyFormat::PKCS8, rsa_key));
3268}
3269
3270/*
3271 * ImportKeyTest.RsaPublicExponentMismatch
3272 *
3273 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
3274 * fails in the correct way.
3275 */
3276TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
3277 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3278 ImportKey(AuthorizationSetBuilder()
3279 .RsaSigningKey(1024, 3 /* Doesn't match key */)
3280 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3281 .Padding(PaddingMode::NONE)
3282 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3283 KeyFormat::PKCS8, rsa_key));
3284}
3285
3286/*
3287 * ImportKeyTest.EcdsaSuccess
3288 *
3289 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
3290 */
3291TEST_P(ImportKeyTest, EcdsaSuccess) {
3292 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3293 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3294 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3295 .Digest(Digest::SHA_2_256)
3296 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3297 KeyFormat::PKCS8, ec_256_key));
3298
3299 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3300 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3301 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3302
3303 CheckOrigin();
3304
3305 string message(32, 'a');
3306 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3307 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3308 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3309}
3310
3311/*
3312 * ImportKeyTest.EcdsaP256RFC5915Success
3313 *
3314 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
3315 * correctly.
3316 */
3317TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
3318 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3319 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3320 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3321 .Digest(Digest::SHA_2_256)
3322 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3323 KeyFormat::PKCS8, ec_256_key_rfc5915));
3324
3325 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3326 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3327 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3328
3329 CheckOrigin();
3330
3331 string message(32, 'a');
3332 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3333 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3334 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3335}
3336
3337/*
3338 * ImportKeyTest.EcdsaP256SEC1Success
3339 *
3340 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
3341 */
3342TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
3343 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3344 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3345 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3346 .Digest(Digest::SHA_2_256)
3347 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3348 KeyFormat::PKCS8, ec_256_key_sec1));
3349
3350 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3351 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3352 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3353
3354 CheckOrigin();
3355
3356 string message(32, 'a');
3357 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3358 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3359 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3360}
3361
3362/*
3363 * ImportKeyTest.Ecdsa521Success
3364 *
3365 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
3366 */
3367TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]3368 if (SecLevel() == SecurityLevel::STRONGBOX) {
3369 GTEST_SKIP() << "Test not applicable to StrongBox device";
3370 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3371 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3372 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3373 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3374 .Digest(Digest::SHA_2_256)
3375 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3376 KeyFormat::PKCS8, ec_521_key));
3377
3378 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3379 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3380 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
3381 CheckOrigin();
3382
3383 string message(32, 'a');
3384 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3385 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3386 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3387}
3388
3389/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3390 * ImportKeyTest.EcdsaCurveMismatch
3391 *
3392 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
3393 * the correct way.
3394 */
3395TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
3396 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3397 ImportKey(AuthorizationSetBuilder()
3398 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3399 .Digest(Digest::NONE)
3400 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3401 KeyFormat::PKCS8, ec_256_key));
3402}
3403
3404/*
3405 * ImportKeyTest.AesSuccess
3406 *
3407 * Verifies that importing and using an AES key works.
3408 */
3409TEST_P(ImportKeyTest, AesSuccess) {
3410 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3411 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3412 .Authorization(TAG_NO_AUTH_REQUIRED)
3413 .AesEncryptionKey(key.size() * 8)
3414 .EcbMode()
3415 .Padding(PaddingMode::PKCS7),
3416 KeyFormat::RAW, key));
3417
3418 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
3419 CheckCryptoParam(TAG_KEY_SIZE, 128U);
3420 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
3421 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
3422 CheckOrigin();
3423
3424 string message = "Hello World!";
3425 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3426 string ciphertext = EncryptMessage(message, params);
3427 string plaintext = DecryptMessage(ciphertext, params);
3428 EXPECT_EQ(message, plaintext);
3429}
3430
3431/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3432 * ImportKeyTest.AesFailure
3433 *
3434 * Verifies that importing an invalid AES key fails.
3435 */
3436TEST_P(ImportKeyTest, AesFailure) {
3437 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3438 uint32_t bitlen = key.size() * 8;
3439 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3440 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3441 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]3442 .Authorization(TAG_NO_AUTH_REQUIRED)
3443 .AesEncryptionKey(key_size)
3444 .EcbMode()
3445 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3446 KeyFormat::RAW, key);
3447 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3448 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
3449 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3450 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3451
3452 // Explicit key size matches that of the provided key, but it's not a valid size.
3453 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3454 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3455 ImportKey(AuthorizationSetBuilder()
3456 .Authorization(TAG_NO_AUTH_REQUIRED)
3457 .AesEncryptionKey(long_key.size() * 8)
3458 .EcbMode()
3459 .Padding(PaddingMode::PKCS7),
3460 KeyFormat::RAW, long_key));
3461 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3462 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3463 ImportKey(AuthorizationSetBuilder()
3464 .Authorization(TAG_NO_AUTH_REQUIRED)
3465 .AesEncryptionKey(short_key.size() * 8)
3466 .EcbMode()
3467 .Padding(PaddingMode::PKCS7),
3468 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3469}
3470
3471/*
3472 * ImportKeyTest.TripleDesSuccess
3473 *
3474 * Verifies that importing and using a 3DES key works.
3475 */
3476TEST_P(ImportKeyTest, TripleDesSuccess) {
3477 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
3478 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3479 .Authorization(TAG_NO_AUTH_REQUIRED)
3480 .TripleDesEncryptionKey(168)
3481 .EcbMode()
3482 .Padding(PaddingMode::PKCS7),
3483 KeyFormat::RAW, key));
3484
3485 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
3486 CheckCryptoParam(TAG_KEY_SIZE, 168U);
3487 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
3488 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
3489 CheckOrigin();
3490
3491 string message = "Hello World!";
3492 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3493 string ciphertext = EncryptMessage(message, params);
3494 string plaintext = DecryptMessage(ciphertext, params);
3495 EXPECT_EQ(message, plaintext);
3496}
3497
3498/*
3499 * ImportKeyTest.TripleDesFailure
3500 *
3501 * Verifies that importing an invalid 3DES key fails.
3502 */
3503TEST_P(ImportKeyTest, TripleDesFailure) {
3504 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3505 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3506 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3507 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3508 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]3509 .Authorization(TAG_NO_AUTH_REQUIRED)
3510 .TripleDesEncryptionKey(key_size)
3511 .EcbMode()
3512 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3513 KeyFormat::RAW, key);
3514 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3515 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
3516 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3517 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3518 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3519 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3520 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3521 ImportKey(AuthorizationSetBuilder()
3522 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3523 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3524 .EcbMode()
3525 .Padding(PaddingMode::PKCS7),
3526 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3527 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3528 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3529 ImportKey(AuthorizationSetBuilder()
3530 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3531 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3532 .EcbMode()
3533 .Padding(PaddingMode::PKCS7),
3534 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3535}
3536
3537/*
3538 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3539 *
3540 * Verifies that importing and using an HMAC key works.
3541 */
3542TEST_P(ImportKeyTest, HmacKeySuccess) {
3543 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3544 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3545 .Authorization(TAG_NO_AUTH_REQUIRED)
3546 .HmacKey(key.size() * 8)
3547 .Digest(Digest::SHA_2_256)
3548 .Authorization(TAG_MIN_MAC_LENGTH, 256),
3549 KeyFormat::RAW, key));
3550
3551 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
3552 CheckCryptoParam(TAG_KEY_SIZE, 128U);
3553 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3554 CheckOrigin();
3555
3556 string message = "Hello World!";
3557 string signature = MacMessage(message, Digest::SHA_2_256, 256);
3558 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
3559}
3560
3561INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
3562
3563auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3564 // IKeyMintDevice.aidl
3565 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
3566 "020100" // INTEGER length 1 value 0x00 (version)
3567 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
3568 "934bf94e2aa28a3f83c9f79297250262"
3569 "fbe3276b5a1c91159bbfa3ef8957aac8"
3570 "4b59b30b455a79c2973480823d8b3863"
3571 "c3deef4a8e243590268d80e18751a0e1"
3572 "30f67ce6a1ace9f79b95e097474febc9"
3573 "81195b1d13a69086c0863f66a7b7fdb4"
3574 "8792227b1ac5e2489febdf087ab54864"
3575 "83033a6f001ca5d1ec1e27f5c30f4cec"
3576 "2642074a39ae68aee552e196627a8e3d"
3577 "867e67a8c01b11e75f13cca0a97ab668"
3578 "b50cda07a8ecb7cd8e3dd7009c963653"
3579 "4f6f239cffe1fc8daa466f78b676c711"
3580 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
3581 "99b801597d5220e307eaa5bee507fb94"
3582 "d1fa69f9e519b2de315bac92c36f2ea1"
3583 "fa1df4478c0ddedeae8c70e0233cd098"
3584 "040c" // OCTET STRING length 0x0c (initializationVector)
3585 "d796b02c370f1fa4cc0124f1"
3586 "302e" // SEQUENCE length 0x2e (KeyDescription) {
3587 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
3588 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
3589 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
3590 "3106" // SET length 0x06
3591 "020100" // INTEGER length 1 value 0x00 (Encrypt)
3592 "020101" // INTEGER length 1 value 0x01 (Decrypt)
3593 // } end SET
3594 // } end [1]
3595 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
3596 "020120" // INTEGER length 1 value 0x20 (AES)
3597 // } end [2]
3598 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
3599 "02020100" // INTEGER length 2 value 0x100
3600 // } end [3]
3601 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
3602 "3103" // SET length 0x03 {
3603 "020101" // INTEGER length 1 value 0x01 (ECB)
3604 // } end SET
3605 // } end [4]
3606 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
3607 "3103" // SET length 0x03 {
3608 "020140" // INTEGER length 1 value 0x40 (PKCS7)
3609 // } end SET
3610 // } end [5]
3611 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
3612 // (noAuthRequired)
3613 "0500" // NULL
3614 // } end [503]
3615 // } end SEQUENCE (AuthorizationList)
3616 // } end SEQUENCE (KeyDescription)
3617 "0420" // OCTET STRING length 0x20 (encryptedKey)
3618 "ccd540855f833a5e1480bfd2d36faf3a"
3619 "eee15df5beabe2691bc82dde2a7aa910"
3620 "0410" // OCTET STRING length 0x10 (tag)
3621 "64c9f689c60ff6223ab6e6999e0eb6e5"
3622 // } SEQUENCE (SecureKeyWrapper)
3623);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3624
3625auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3626 // IKeyMintDevice.aidl
3627 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
3628 "020100" // INTEGER length 1 value 0x00 (version)
3629 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
3630 "aad93ed5924f283b4bb5526fbe7a1412"
3631 "f9d9749ec30db9062b29e574a8546f33"
3632 "c88732452f5b8e6a391ee76c39ed1712"
3633 "c61d8df6213dec1cffbc17a8c6d04c7b"
3634 "30893d8daa9b2015213e219468215532"
3635 "07f8f9931c4caba23ed3bee28b36947e"
3636 "47f10e0a5c3dc51c988a628daad3e5e1"
3637 "f4005e79c2d5a96c284b4b8d7e4948f3"
3638 "31e5b85dd5a236f85579f3ea1d1b8484"
3639 "87470bdb0ab4f81a12bee42c99fe0df4"
3640 "bee3759453e69ad1d68a809ce06b949f"
3641 "7694a990429b2fe81e066ff43e56a216"
3642 "02db70757922a4bcc23ab89f1e35da77"
3643 "586775f423e519c2ea394caf48a28d0c"
3644 "8020f1dcf6b3a68ec246f615ae96dae9"
3645 "a079b1f6eb959033c1af5c125fd94168"
3646 "040c" // OCTET STRING length 0x0c (initializationVector)
3647 "6d9721d08589581ab49204a3"
3648 "302e" // SEQUENCE length 0x2e (KeyDescription) {
3649 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
3650 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
3651 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
3652 "3106" // SET length 0x06
3653 "020100" // INTEGER length 1 value 0x00 (Encrypt)
3654 "020101" // INTEGER length 1 value 0x01 (Decrypt)
3655 // } end SET
3656 // } end [1]
3657 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
3658 "020120" // INTEGER length 1 value 0x20 (AES)
3659 // } end [2]
3660 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
3661 "02020100" // INTEGER length 2 value 0x100
3662 // } end [3]
3663 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
3664 "3103" // SET length 0x03 {
3665 "020101" // INTEGER length 1 value 0x01 (ECB)
3666 // } end SET
3667 // } end [4]
3668 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
3669 "3103" // SET length 0x03 {
3670 "020140" // INTEGER length 1 value 0x40 (PKCS7)
3671 // } end SET
3672 // } end [5]
3673 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
3674 // (noAuthRequired)
3675 "0500" // NULL
3676 // } end [503]
3677 // } end SEQUENCE (AuthorizationList)
3678 // } end SEQUENCE (KeyDescription)
3679 "0420" // OCTET STRING length 0x20 (encryptedKey)
3680 "a61c6e247e25b3e6e69aa78eb03c2d4a"
3681 "c20d1f99a9a024a76f35c8e2cab9b68d"
3682 "0410" // OCTET STRING length 0x10 (tag)
3683 "2560c70109ae67c030f00b98b512a670"
3684 // } SEQUENCE (SecureKeyWrapper)
3685);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3686
3687auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3688 // RFC 5208 s5
3689 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
3690 "020100" // INTEGER length 1 value 0x00 (version)
3691 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
3692 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
3693 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
3694 "0500" // NULL (parameters)
3695 // } SEQUENCE (AlgorithmIdentifier)
3696 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
3697 // RFC 8017 A.1.2
3698 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
3699 "020100" // INTEGER length 1 value 0x00 (version)
3700 "02820101" // INTEGER length 0x0101 (modulus) value...
3701 "00aec367931d8900ce56b0067f7d70e1" // 0x10
3702 "fc653f3f34d194c1fed50018fb43db93" // 0x20
3703 "7b06e673a837313d56b1c725150a3fef" // 0x30
3704 "86acbddc41bb759c2854eae32d35841e" // 0x40
3705 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
3706 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
3707 "312d7bd5921ffaea1347c157406fef71" // 0x70
3708 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
3709 "f4645c11f5c1374c3886427411c44979" // 0x90
3710 "6792e0bef75dec858a2123c36753e02a" // 0xa0
3711 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
3712 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
3713 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
3714 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
3715 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
3716 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
3717 "55" // 0x101
3718 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
3719 "02820100" // INTEGER length 0x100 (privateExponent) value...
3720 "431447b6251908112b1ee76f99f3711a" // 0x10
3721 "52b6630960046c2de70de188d833f8b8" // 0x20
3722 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
3723 "641f7fe24f14c67a88959bdb27766df9" // 0x40
3724 "e710b630a03adc683b5d2c43080e52be" // 0x50
3725 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
3726 "822bccff087d63c940ba8a45f670feb2" // 0x70
3727 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
3728 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
3729 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
3730 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
3731 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
3732 "52659d5a5ba05b663737a8696281865b" // 0xd0
3733 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
3734 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
3735 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
3736 "028181" // INTEGER length 0x81 (prime1) value...
3737 "00de392e18d682c829266cc3454e1d61" // 0x10
3738 "66242f32d9a1d10577753e904ea7d08b" // 0x20
3739 "ff841be5bac82a164c5970007047b8c5" // 0x30
3740 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
3741 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
3742 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
3743 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
3744 "9e91346130748a6e3c124f9149d71c74" // 0x80
3745 "35"
3746 "028181" // INTEGER length 0x81 (prime2) value...
3747 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
3748 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
3749 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
3750 "7349db6c4a95affdae0dae612e1afac9" // 0x40
3751 "9ed39a2d934c880440aed8832f984316" // 0x50
3752 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
3753 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
3754 "b880677c068e1be936e81288815252a8" // 0x80
3755 "a1"
3756 "028180" // INTEGER length 0x80 (exponent1) value...
3757 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
3758 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
3759 "5a063212a4f105a3764743e53281988a" // 0x30
3760 "ba073f6e0027298e1c4378556e0efca0" // 0x40
3761 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
3762 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
3763 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
3764 "4719d6e2b9439823719cd08bcd031781" // 0x80
3765 "028181" // INTEGER length 0x81 (exponent2) value...
3766 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
3767 "1241acc607976c4ddccc90e65b6556ca" // 0x20
3768 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
3769 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
3770 "1254186af30b22c10582a8a43e34fe94" // 0x50
3771 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
3772 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
3773 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
3774 "61"
3775 "028181" // INTEGER length 0x81 (coefficient) value...
3776 "00c931617c77829dfb1270502be9195c" // 0x10
3777 "8f2830885f57dba869536811e6864236" // 0x20
3778 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
3779 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
3780 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
3781 "959356210723287b0affcc9f727044d4" // 0x60
3782 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
3783 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
3784 "22"
3785 // } SEQUENCE
3786 // } SEQUENCE ()
3787);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3788
3789string zero_masking_key =
3790 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
3791string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
3792
3793class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
3794
3795TEST_P(ImportWrappedKeyTest, Success) {
3796 auto wrapping_key_desc = AuthorizationSetBuilder()
3797 .RsaEncryptionKey(2048, 65537)
3798 .Digest(Digest::SHA_2_256)
3799 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3800 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3801 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3802
3803 ASSERT_EQ(ErrorCode::OK,
3804 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3805 AuthorizationSetBuilder()
3806 .Digest(Digest::SHA_2_256)
3807 .Padding(PaddingMode::RSA_OAEP)));
3808
3809 string message = "Hello World!";
3810 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3811 string ciphertext = EncryptMessage(message, params);
3812 string plaintext = DecryptMessage(ciphertext, params);
3813 EXPECT_EQ(message, plaintext);
3814}
3815
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3816/*
3817 * ImportWrappedKeyTest.SuccessSidsIgnored
3818 *
3819 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
3820 * include Tag:USER_SECURE_ID.
3821 */
3822TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
3823 auto wrapping_key_desc = AuthorizationSetBuilder()
3824 .RsaEncryptionKey(2048, 65537)
3825 .Digest(Digest::SHA_2_256)
3826 .Padding(PaddingMode::RSA_OAEP)
3827 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3828 .SetDefaultValidity();
3829
3830 int64_t password_sid = 42;
3831 int64_t biometric_sid = 24;
3832 ASSERT_EQ(ErrorCode::OK,
3833 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3834 AuthorizationSetBuilder()
3835 .Digest(Digest::SHA_2_256)
3836 .Padding(PaddingMode::RSA_OAEP),
3837 password_sid, biometric_sid));
3838
3839 string message = "Hello World!";
3840 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3841 string ciphertext = EncryptMessage(message, params);
3842 string plaintext = DecryptMessage(ciphertext, params);
3843 EXPECT_EQ(message, plaintext);
3844}
3845
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3846TEST_P(ImportWrappedKeyTest, SuccessMasked) {
3847 auto wrapping_key_desc = AuthorizationSetBuilder()
3848 .RsaEncryptionKey(2048, 65537)
3849 .Digest(Digest::SHA_2_256)
3850 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3851 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3852 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3853
3854 ASSERT_EQ(ErrorCode::OK,
3855 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
3856 AuthorizationSetBuilder()
3857 .Digest(Digest::SHA_2_256)
3858 .Padding(PaddingMode::RSA_OAEP)));
3859}
3860
3861TEST_P(ImportWrappedKeyTest, WrongMask) {
3862 auto wrapping_key_desc = AuthorizationSetBuilder()
3863 .RsaEncryptionKey(2048, 65537)
3864 .Digest(Digest::SHA_2_256)
3865 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3866 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3867 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3868
3869 ASSERT_EQ(
3870 ErrorCode::VERIFICATION_FAILED,
3871 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
3872 AuthorizationSetBuilder()
3873 .Digest(Digest::SHA_2_256)
3874 .Padding(PaddingMode::RSA_OAEP)));
3875}
3876
3877TEST_P(ImportWrappedKeyTest, WrongPurpose) {
3878 auto wrapping_key_desc = AuthorizationSetBuilder()
3879 .RsaEncryptionKey(2048, 65537)
3880 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3881 .Padding(PaddingMode::RSA_OAEP)
3882 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3883
3884 ASSERT_EQ(
3885 ErrorCode::INCOMPATIBLE_PURPOSE,
3886 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
3887 AuthorizationSetBuilder()
3888 .Digest(Digest::SHA_2_256)
3889 .Padding(PaddingMode::RSA_OAEP)));
3890}
3891
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3892TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
3893 auto wrapping_key_desc = AuthorizationSetBuilder()
3894 .RsaEncryptionKey(2048, 65537)
3895 .Digest(Digest::SHA_2_256)
3896 .Padding(PaddingMode::RSA_PSS)
3897 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3898 .SetDefaultValidity();
3899
3900 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
3901 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3902 AuthorizationSetBuilder()
3903 .Digest(Digest::SHA_2_256)
3904 .Padding(PaddingMode::RSA_OAEP)));
3905}
3906
3907TEST_P(ImportWrappedKeyTest, WrongDigest) {
3908 auto wrapping_key_desc = AuthorizationSetBuilder()
3909 .RsaEncryptionKey(2048, 65537)
3910 .Digest(Digest::SHA_2_512)
3911 .Padding(PaddingMode::RSA_OAEP)
3912 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3913 .SetDefaultValidity();
3914
3915 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3916 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3917 AuthorizationSetBuilder()
3918 .Digest(Digest::SHA_2_256)
3919 .Padding(PaddingMode::RSA_OAEP)));
3920}
3921
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3922INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
3923
3924typedef KeyMintAidlTestBase EncryptionOperationsTest;
3925
3926/*
3927 * EncryptionOperationsTest.RsaNoPaddingSuccess
3928 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3929 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3930 */
3931TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3932 for (uint64_t exponent : {3, 65537}) {
3933 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3934 .Authorization(TAG_NO_AUTH_REQUIRED)
3935 .RsaEncryptionKey(2048, exponent)
3936 .Padding(PaddingMode::NONE)
3937 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3938
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3939 string message = string(2048 / 8, 'a');
3940 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3941 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3942 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3943
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3944 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3945 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3946
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3947 // Unpadded RSA is deterministic
3948 EXPECT_EQ(ciphertext1, ciphertext2);
3949
3950 CheckedDeleteKey();
3951 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3952}
3953
3954/*
3955 * EncryptionOperationsTest.RsaNoPaddingShortMessage
3956 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3957 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3958 */
3959TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
3960 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3961 .Authorization(TAG_NO_AUTH_REQUIRED)
3962 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3963 .Padding(PaddingMode::NONE)
3964 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3965
3966 string message = "1";
3967 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
3968
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3969 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3970 EXPECT_EQ(2048U / 8, ciphertext.size());
3971
3972 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
3973 string plaintext = DecryptMessage(ciphertext, params);
3974
3975 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3976}
3977
3978/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3979 * EncryptionOperationsTest.RsaOaepSuccess
3980 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3981 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3982 */
3983TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
3984 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
3985
3986 size_t key_size = 2048; // Need largish key for SHA-512 test.
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3987 ASSERT_EQ(ErrorCode::OK,
3988 GenerateKey(AuthorizationSetBuilder()
3989 .Authorization(TAG_NO_AUTH_REQUIRED)
3990 .RsaEncryptionKey(key_size, 65537)
3991 .Padding(PaddingMode::RSA_OAEP)
3992 .Digest(digests)
3993 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1)
3994 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3995
3996 string message = "Hello";
3997
3998 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3999 SCOPED_TRACE(testing::Message() << "digest-" << digest);
4000
4001 auto params = AuthorizationSetBuilder()
4002 .Digest(digest)
4003 .Padding(PaddingMode::RSA_OAEP)
4004 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
4005 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4006 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4007 EXPECT_EQ(key_size / 8, ciphertext1.size());
4008
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4009 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4010 EXPECT_EQ(key_size / 8, ciphertext2.size());
4011
4012 // OAEP randomizes padding so every result should be different (with astronomically high
4013 // probability).
4014 EXPECT_NE(ciphertext1, ciphertext2);
4015
4016 string plaintext1 = DecryptMessage(ciphertext1, params);
4017 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
4018 string plaintext2 = DecryptMessage(ciphertext2, params);
4019 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
4020
4021 // Decrypting corrupted ciphertext should fail.
4022 size_t offset_to_corrupt = random() % ciphertext1.size();
4023 char corrupt_byte;
4024 do {
4025 corrupt_byte = static_cast<char>(random() % 256);
4026 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
4027 ciphertext1[offset_to_corrupt] = corrupt_byte;
4028
4029 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4030 string result;
4031 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
4032 EXPECT_EQ(0U, result.size());
4033 }
4034}
4035
4036/*
4037 * EncryptionOperationsTest.RsaOaepInvalidDigest
4038 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4039 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4040 * without a digest.
4041 */
4042TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
4043 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4044 .Authorization(TAG_NO_AUTH_REQUIRED)
4045 .RsaEncryptionKey(2048, 65537)
4046 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4047 .Digest(Digest::NONE)
4048 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4049
4050 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4051 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4052}
4053
4054/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4055 * EncryptionOperationsTest.RsaOaepInvalidPadding
4056 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4057 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4058 * with a padding value that is only suitable for signing/verifying.
4059 */
4060TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
4061 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4062 .Authorization(TAG_NO_AUTH_REQUIRED)
4063 .RsaEncryptionKey(2048, 65537)
4064 .Padding(PaddingMode::RSA_PSS)
4065 .Digest(Digest::NONE)
4066 .SetDefaultValidity()));
4067
4068 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4069 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4070}
4071
4072/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4073 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4074 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4075 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4076 * with a different digest than was used to encrypt.
4077 */
4078TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4079 if (SecLevel() == SecurityLevel::STRONGBOX) {
4080 GTEST_SKIP() << "Test not applicable to StrongBox device";
4081 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4082
4083 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4084 .Authorization(TAG_NO_AUTH_REQUIRED)
4085 .RsaEncryptionKey(1024, 65537)
4086 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4087 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
4088 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4089 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4090 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4091 message,
4092 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
4093
4094 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
4095 .Digest(Digest::SHA_2_256)
4096 .Padding(PaddingMode::RSA_OAEP)));
4097 string result;
4098 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
4099 EXPECT_EQ(0U, result.size());
4100}
4101
4102/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4103 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
4104 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4105 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4106 * digests.
4107 */
4108TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
4109 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
4110
4111 size_t key_size = 2048; // Need largish key for SHA-512 test.
4112 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4113 .OaepMGFDigest(digests)
4114 .Authorization(TAG_NO_AUTH_REQUIRED)
4115 .RsaEncryptionKey(key_size, 65537)
4116 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4117 .Digest(Digest::SHA_2_256)
4118 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4119
4120 string message = "Hello";
4121
4122 for (auto digest : digests) {
4123 auto params = AuthorizationSetBuilder()
4124 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
4125 .Digest(Digest::SHA_2_256)
4126 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4127 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4128 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4129 EXPECT_EQ(key_size / 8, ciphertext1.size());
4130
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4131 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4132 EXPECT_EQ(key_size / 8, ciphertext2.size());
4133
4134 // OAEP randomizes padding so every result should be different (with astronomically high
4135 // probability).
4136 EXPECT_NE(ciphertext1, ciphertext2);
4137
4138 string plaintext1 = DecryptMessage(ciphertext1, params);
4139 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
4140 string plaintext2 = DecryptMessage(ciphertext2, params);
4141 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
4142
4143 // Decrypting corrupted ciphertext should fail.
4144 size_t offset_to_corrupt = random() % ciphertext1.size();
4145 char corrupt_byte;
4146 do {
4147 corrupt_byte = static_cast<char>(random() % 256);
4148 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
4149 ciphertext1[offset_to_corrupt] = corrupt_byte;
4150
4151 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4152 string result;
4153 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
4154 EXPECT_EQ(0U, result.size());
4155 }
4156}
4157
4158/*
4159 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
4160 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4161 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4162 * with incompatible MGF digest.
4163 */
4164TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
4165 ASSERT_EQ(ErrorCode::OK,
4166 GenerateKey(AuthorizationSetBuilder()
4167 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
4168 .Authorization(TAG_NO_AUTH_REQUIRED)
4169 .RsaEncryptionKey(2048, 65537)
4170 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4171 .Digest(Digest::SHA_2_256)
4172 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4173 string message = "Hello World!";
4174
4175 auto params = AuthorizationSetBuilder()
4176 .Padding(PaddingMode::RSA_OAEP)
4177 .Digest(Digest::SHA_2_256)
4178 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4179 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4180}
4181
4182/*
4183 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
4184 *
4185 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
4186 * with unsupported MGF digest.
4187 */
4188TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
4189 ASSERT_EQ(ErrorCode::OK,
4190 GenerateKey(AuthorizationSetBuilder()
4191 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
4192 .Authorization(TAG_NO_AUTH_REQUIRED)
4193 .RsaEncryptionKey(2048, 65537)
4194 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4195 .Digest(Digest::SHA_2_256)
4196 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4197 string message = "Hello World!";
4198
4199 auto params = AuthorizationSetBuilder()
4200 .Padding(PaddingMode::RSA_OAEP)
4201 .Digest(Digest::SHA_2_256)
4202 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4203 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]4204}
4205
4206/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4207 * EncryptionOperationsTest.RsaPkcs1Success
4208 *
4209 * Verifies that RSA PKCS encryption/decrypts works.
4210 */
4211TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
4212 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4213 .Authorization(TAG_NO_AUTH_REQUIRED)
4214 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4215 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
4216 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4217
4218 string message = "Hello World!";
4219 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4220 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4221 EXPECT_EQ(2048U / 8, ciphertext1.size());
4222
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4223 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4224 EXPECT_EQ(2048U / 8, ciphertext2.size());
4225
4226 // PKCS1 v1.5 randomizes padding so every result should be different.
4227 EXPECT_NE(ciphertext1, ciphertext2);
4228
4229 string plaintext = DecryptMessage(ciphertext1, params);
4230 EXPECT_EQ(message, plaintext);
4231
4232 // Decrypting corrupted ciphertext should fail.
4233 size_t offset_to_corrupt = random() % ciphertext1.size();
4234 char corrupt_byte;
4235 do {
4236 corrupt_byte = static_cast<char>(random() % 256);
4237 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
4238 ciphertext1[offset_to_corrupt] = corrupt_byte;
4239
4240 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4241 string result;
4242 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
4243 EXPECT_EQ(0U, result.size());
4244}
4245
4246/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4247 * EncryptionOperationsTest.EcdsaEncrypt
4248 *
4249 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
4250 */
4251TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
4252 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4253 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4254 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4255 .Digest(Digest::NONE)
4256 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4257 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4258 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
4259 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
4260}
4261
4262/*
4263 * EncryptionOperationsTest.HmacEncrypt
4264 *
4265 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
4266 */
4267TEST_P(EncryptionOperationsTest, HmacEncrypt) {
4268 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4269 .Authorization(TAG_NO_AUTH_REQUIRED)
4270 .HmacKey(128)
4271 .Digest(Digest::SHA_2_256)
4272 .Padding(PaddingMode::NONE)
4273 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4274 auto params = AuthorizationSetBuilder()
4275 .Digest(Digest::SHA_2_256)
4276 .Padding(PaddingMode::NONE)
4277 .Authorization(TAG_MAC_LENGTH, 128);
4278 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
4279 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
4280}
4281
4282/*
4283 * EncryptionOperationsTest.AesEcbRoundTripSuccess
4284 *
4285 * Verifies that AES ECB mode works.
4286 */
4287TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
4288 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4289 .Authorization(TAG_NO_AUTH_REQUIRED)
4290 .AesEncryptionKey(128)
4291 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4292 .Padding(PaddingMode::NONE)));
4293
4294 ASSERT_GT(key_blob_.size(), 0U);
4295 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4296
4297 // Two-block message.
4298 string message = "12345678901234567890123456789012";
4299 string ciphertext1 = EncryptMessage(message, params);
4300 EXPECT_EQ(message.size(), ciphertext1.size());
4301
4302 string ciphertext2 = EncryptMessage(string(message), params);
4303 EXPECT_EQ(message.size(), ciphertext2.size());
4304
4305 // ECB is deterministic.
4306 EXPECT_EQ(ciphertext1, ciphertext2);
4307
4308 string plaintext = DecryptMessage(ciphertext1, params);
4309 EXPECT_EQ(message, plaintext);
4310}
4311
4312/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4313 * EncryptionOperationsTest.AesEcbUnknownTag
4314 *
4315 * Verifies that AES ECB operations ignore unknown tags.
4316 */
4317TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
4318 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
4319 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
4320 KeyParameter unknown_param;
4321 unknown_param.tag = unknown_tag;
4322
4323 vector<KeyCharacteristics> key_characteristics;
4324 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4325 .Authorization(TAG_NO_AUTH_REQUIRED)
4326 .AesEncryptionKey(128)
4327 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4328 .Padding(PaddingMode::NONE)
4329 .Authorization(unknown_param),
4330 &key_blob_, &key_characteristics));
4331 ASSERT_GT(key_blob_.size(), 0U);
4332
4333 // Unknown tags should not be returned in key characteristics.
4334 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
4335 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
4336 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
4337 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
4338
4339 // Encrypt without mentioning the unknown parameter.
4340 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4341 string message = "12345678901234567890123456789012";
4342 string ciphertext = EncryptMessage(message, params);
4343 EXPECT_EQ(message.size(), ciphertext.size());
4344
4345 // Decrypt including the unknown parameter.
4346 auto decrypt_params = AuthorizationSetBuilder()
4347 .BlockMode(BlockMode::ECB)
4348 .Padding(PaddingMode::NONE)
4349 .Authorization(unknown_param);
4350 string plaintext = DecryptMessage(ciphertext, decrypt_params);
4351 EXPECT_EQ(message, plaintext);
4352}
4353
4354/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4355 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4356 *
4357 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
4358 */
4359TEST_P(EncryptionOperationsTest, AesWrongMode) {
4360 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4361 .Authorization(TAG_NO_AUTH_REQUIRED)
4362 .AesEncryptionKey(128)
4363 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4364 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4365 ASSERT_GT(key_blob_.size(), 0U);
4366
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4367 EXPECT_EQ(
4368 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
4369 Begin(KeyPurpose::ENCRYPT,
4370 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
4371}
4372
4373/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4374 * EncryptionOperationsTest.AesWrongPadding
4375 *
4376 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
4377 */
4378TEST_P(EncryptionOperationsTest, AesWrongPadding) {
4379 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4380 .Authorization(TAG_NO_AUTH_REQUIRED)
4381 .AesEncryptionKey(128)
4382 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4383 .Padding(PaddingMode::NONE)));
4384 ASSERT_GT(key_blob_.size(), 0U);
4385
4386 EXPECT_EQ(
4387 ErrorCode::INCOMPATIBLE_PADDING_MODE,
4388 Begin(KeyPurpose::ENCRYPT,
4389 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
4390}
4391
4392/*
4393 * EncryptionOperationsTest.AesInvalidParams
4394 *
4395 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
4396 */
4397TEST_P(EncryptionOperationsTest, AesInvalidParams) {
4398 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4399 .Authorization(TAG_NO_AUTH_REQUIRED)
4400 .AesEncryptionKey(128)
4401 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4402 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4403 .Padding(PaddingMode::NONE)
4404 .Padding(PaddingMode::PKCS7)));
4405 ASSERT_GT(key_blob_.size(), 0U);
4406
4407 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4408 .BlockMode(BlockMode::CBC)
4409 .BlockMode(BlockMode::ECB)
4410 .Padding(PaddingMode::NONE));
4411 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
4412 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
4413
4414 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4415 .BlockMode(BlockMode::ECB)
4416 .Padding(PaddingMode::NONE)
4417 .Padding(PaddingMode::PKCS7));
4418 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
4419 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
4420}
4421
4422/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4423 * EncryptionOperationsTest.AesWrongPurpose
4424 *
4425 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
4426 * specified.
4427 */
4428TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
4429 auto err = GenerateKey(AuthorizationSetBuilder()
4430 .Authorization(TAG_NO_AUTH_REQUIRED)
4431 .AesKey(128)
4432 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
4433 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4434 .Authorization(TAG_MIN_MAC_LENGTH, 128)
4435 .Padding(PaddingMode::NONE));
4436 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
4437 ASSERT_GT(key_blob_.size(), 0U);
4438
4439 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
4440 .BlockMode(BlockMode::GCM)
4441 .Padding(PaddingMode::NONE)
4442 .Authorization(TAG_MAC_LENGTH, 128));
4443 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
4444
4445 CheckedDeleteKey();
4446
4447 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4448 .Authorization(TAG_NO_AUTH_REQUIRED)
4449 .AesKey(128)
4450 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
4451 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4452 .Authorization(TAG_MIN_MAC_LENGTH, 128)
4453 .Padding(PaddingMode::NONE)));
4454
4455 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4456 .BlockMode(BlockMode::GCM)
4457 .Padding(PaddingMode::NONE)
4458 .Authorization(TAG_MAC_LENGTH, 128));
4459 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
4460}
4461
4462/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4463 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4464 *
4465 * Verifies that AES encryption fails in the correct way when provided an input that is not a
4466 * multiple of the block size and no padding is specified.
4467 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4468TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
4469 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
4470 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4471 .Authorization(TAG_NO_AUTH_REQUIRED)
4472 .AesEncryptionKey(128)
4473 .Authorization(TAG_BLOCK_MODE, blockMode)
4474 .Padding(PaddingMode::NONE)));
4475 // Message is slightly shorter than two blocks.
4476 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4477
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4478 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
4479 AuthorizationSet out_params;
4480 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
4481 string ciphertext;
4482 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
4483 EXPECT_EQ(0U, ciphertext.size());
4484
4485 CheckedDeleteKey();
4486 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4487}
4488
4489/*
4490 * EncryptionOperationsTest.AesEcbPkcs7Padding
4491 *
4492 * Verifies that AES PKCS7 padding works for any message length.
4493 */
4494TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
4495 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4496 .Authorization(TAG_NO_AUTH_REQUIRED)
4497 .AesEncryptionKey(128)
4498 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4499 .Padding(PaddingMode::PKCS7)));
4500
4501 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4502
4503 // Try various message lengths; all should work.
4504 for (size_t i = 0; i < 32; ++i) {
4505 string message(i, 'a');
4506 string ciphertext = EncryptMessage(message, params);
4507 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
4508 string plaintext = DecryptMessage(ciphertext, params);
4509 EXPECT_EQ(message, plaintext);
4510 }
4511}
4512
4513/*
4514 * EncryptionOperationsTest.AesEcbWrongPadding
4515 *
4516 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
4517 * specified.
4518 */
4519TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
4520 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4521 .Authorization(TAG_NO_AUTH_REQUIRED)
4522 .AesEncryptionKey(128)
4523 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4524 .Padding(PaddingMode::NONE)));
4525
4526 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4527
4528 // Try various message lengths; all should fail
4529 for (size_t i = 0; i < 32; ++i) {
4530 string message(i, 'a');
4531 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
4532 }
4533}
4534
4535/*
4536 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
4537 *
4538 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
4539 */
4540TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
4541 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4542 .Authorization(TAG_NO_AUTH_REQUIRED)
4543 .AesEncryptionKey(128)
4544 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4545 .Padding(PaddingMode::PKCS7)));
4546
4547 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4548
4549 string message = "a";
4550 string ciphertext = EncryptMessage(message, params);
4551 EXPECT_EQ(16U, ciphertext.size());
4552 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4553
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]4554 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
4555 ++ciphertext[ciphertext.size() / 2];
4556
4557 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4558 string plaintext;
4559 ErrorCode error = Finish(message, &plaintext);
4560 if (error == ErrorCode::INVALID_INPUT_LENGTH) {
4561 // This is the expected error, we can exit the test now.
4562 return;
4563 } else {
4564 // Very small chance we got valid decryption, so try again.
4565 ASSERT_EQ(error, ErrorCode::OK);
4566 }
4567 }
4568 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4569}
4570
4571vector<uint8_t> CopyIv(const AuthorizationSet& set) {
4572 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4573 EXPECT_TRUE(iv);
4574 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4575}
4576
4577/*
4578 * EncryptionOperationsTest.AesCtrRoundTripSuccess
4579 *
4580 * Verifies that AES CTR mode works.
4581 */
4582TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
4583 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4584 .Authorization(TAG_NO_AUTH_REQUIRED)
4585 .AesEncryptionKey(128)
4586 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4587 .Padding(PaddingMode::NONE)));
4588
4589 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
4590
4591 string message = "123";
4592 AuthorizationSet out_params;
4593 string ciphertext1 = EncryptMessage(message, params, &out_params);
4594 vector<uint8_t> iv1 = CopyIv(out_params);
4595 EXPECT_EQ(16U, iv1.size());
4596
4597 EXPECT_EQ(message.size(), ciphertext1.size());
4598
4599 out_params.Clear();
4600 string ciphertext2 = EncryptMessage(message, params, &out_params);
4601 vector<uint8_t> iv2 = CopyIv(out_params);
4602 EXPECT_EQ(16U, iv2.size());
4603
4604 // IVs should be random, so ciphertexts should differ.
4605 EXPECT_NE(ciphertext1, ciphertext2);
4606
4607 auto params_iv1 =
4608 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
4609 auto params_iv2 =
4610 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
4611
4612 string plaintext = DecryptMessage(ciphertext1, params_iv1);
4613 EXPECT_EQ(message, plaintext);
4614 plaintext = DecryptMessage(ciphertext2, params_iv2);
4615 EXPECT_EQ(message, plaintext);
4616
4617 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
4618 plaintext = DecryptMessage(ciphertext1, params_iv2);
4619 EXPECT_NE(message, plaintext);
4620 plaintext = DecryptMessage(ciphertext2, params_iv1);
4621 EXPECT_NE(message, plaintext);
4622}
4623
4624/*
4625 * EncryptionOperationsTest.AesIncremental
4626 *
4627 * Verifies that AES works, all modes, when provided data in various size increments.
4628 */
4629TEST_P(EncryptionOperationsTest, AesIncremental) {
4630 auto block_modes = {
4631 BlockMode::ECB,
4632 BlockMode::CBC,
4633 BlockMode::CTR,
4634 BlockMode::GCM,
4635 };
4636
4637 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4638 .Authorization(TAG_NO_AUTH_REQUIRED)
4639 .AesEncryptionKey(128)
4640 .BlockMode(block_modes)
4641 .Padding(PaddingMode::NONE)
4642 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4643
4644 for (int increment = 1; increment <= 240; ++increment) {
4645 for (auto block_mode : block_modes) {
4646 string message(240, 'a');
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4647 auto params =
4648 AuthorizationSetBuilder().BlockMode(block_mode).Padding(PaddingMode::NONE);
4649 if (block_mode == BlockMode::GCM) {
4650 params.Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
4651 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4652
4653 AuthorizationSet output_params;
4654 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
4655
4656 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4657 string to_send;
4658 for (size_t i = 0; i < message.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4659 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4660 }
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4661 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext))
4662 << "Error sending " << to_send << " with block mode " << block_mode;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4663
4664 switch (block_mode) {
4665 case BlockMode::GCM:
4666 EXPECT_EQ(message.size() + 16, ciphertext.size());
4667 break;
4668 case BlockMode::CTR:
4669 EXPECT_EQ(message.size(), ciphertext.size());
4670 break;
4671 case BlockMode::CBC:
4672 case BlockMode::ECB:
4673 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
4674 break;
4675 }
4676
4677 auto iv = output_params.GetTagValue(TAG_NONCE);
4678 switch (block_mode) {
4679 case BlockMode::CBC:
4680 case BlockMode::GCM:
4681 case BlockMode::CTR:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4682 ASSERT_TRUE(iv) << "No IV for block mode " << block_mode;
4683 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv->get().size());
4684 params.push_back(TAG_NONCE, iv->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4685 break;
4686
4687 case BlockMode::ECB:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4688 EXPECT_FALSE(iv) << "ECB mode should not generate IV";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4689 break;
4690 }
4691
4692 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
4693 << "Decrypt begin() failed for block mode " << block_mode;
4694
4695 string plaintext;
4696 for (size_t i = 0; i < ciphertext.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4697 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4698 }
4699 ErrorCode error = Finish(to_send, &plaintext);
4700 ASSERT_EQ(ErrorCode::OK, error) << "Decryption failed for block mode " << block_mode
4701 << " and increment " << increment;
4702 if (error == ErrorCode::OK) {
4703 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
4704 << block_mode << " and increment " << increment;
4705 }
4706 }
4707 }
4708}
4709
4710struct AesCtrSp80038aTestVector {
4711 const char* key;
4712 const char* nonce;
4713 const char* plaintext;
4714 const char* ciphertext;
4715};
4716
4717// These test vectors are taken from
4718// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
4719static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
4720 // AES-128
4721 {
4722 "2b7e151628aed2a6abf7158809cf4f3c",
4723 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4724 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4725 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4726 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
4727 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
4728 },
4729 // AES-192
4730 {
4731 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
4732 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4733 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4734 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4735 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
4736 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
4737 },
4738 // AES-256
4739 {
4740 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
4741 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4742 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4743 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4744 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
4745 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
4746 },
4747};
4748
4749/*
4750 * EncryptionOperationsTest.AesCtrSp80038aTestVector
4751 *
4752 * Verifies AES CTR implementation against SP800-38A test vectors.
4753 */
4754TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
4755 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
4756 for (size_t i = 0; i < 3; i++) {
4757 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
4758 const string key = hex2str(test.key);
4759 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
4760 InvalidSizes.end())
4761 continue;
4762 const string nonce = hex2str(test.nonce);
4763 const string plaintext = hex2str(test.plaintext);
4764 const string ciphertext = hex2str(test.ciphertext);
4765 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
4766 }
4767}
4768
4769/*
4770 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
4771 *
4772 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
4773 */
4774TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
4775 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4776 .Authorization(TAG_NO_AUTH_REQUIRED)
4777 .AesEncryptionKey(128)
4778 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4779 .Padding(PaddingMode::PKCS7)));
4780 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
4781 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
4782}
4783
4784/*
4785 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
4786 *
4787 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
4788 */
4789TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
4790 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4791 .Authorization(TAG_NO_AUTH_REQUIRED)
4792 .AesEncryptionKey(128)
4793 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4794 .Authorization(TAG_CALLER_NONCE)
4795 .Padding(PaddingMode::NONE)));
4796
4797 auto params = AuthorizationSetBuilder()
4798 .BlockMode(BlockMode::CTR)
4799 .Padding(PaddingMode::NONE)
4800 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
4801 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4802
4803 params = AuthorizationSetBuilder()
4804 .BlockMode(BlockMode::CTR)
4805 .Padding(PaddingMode::NONE)
4806 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
4807 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4808
4809 params = AuthorizationSetBuilder()
4810 .BlockMode(BlockMode::CTR)
4811 .Padding(PaddingMode::NONE)
4812 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
4813 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4814}
4815
4816/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4817 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4818 *
4819 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
4820 */
4821TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
4822 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4823 .Authorization(TAG_NO_AUTH_REQUIRED)
4824 .AesEncryptionKey(128)
4825 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4826 .Padding(PaddingMode::NONE)));
4827 // Two-block message.
4828 string message = "12345678901234567890123456789012";
4829 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4830 AuthorizationSet out_params;
4831 string ciphertext1 = EncryptMessage(message, params, &out_params);
4832 vector<uint8_t> iv1 = CopyIv(out_params);
4833 EXPECT_EQ(message.size(), ciphertext1.size());
4834
4835 out_params.Clear();
4836
4837 string ciphertext2 = EncryptMessage(message, params, &out_params);
4838 vector<uint8_t> iv2 = CopyIv(out_params);
4839 EXPECT_EQ(message.size(), ciphertext2.size());
4840
4841 // IVs should be random, so ciphertexts should differ.
4842 EXPECT_NE(ciphertext1, ciphertext2);
4843
4844 params.push_back(TAG_NONCE, iv1);
4845 string plaintext = DecryptMessage(ciphertext1, params);
4846 EXPECT_EQ(message, plaintext);
4847}
4848
4849/*
4850 * EncryptionOperationsTest.AesCallerNonce
4851 *
4852 * Verifies that AES caller-provided nonces work correctly.
4853 */
4854TEST_P(EncryptionOperationsTest, AesCallerNonce) {
4855 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4856 .Authorization(TAG_NO_AUTH_REQUIRED)
4857 .AesEncryptionKey(128)
4858 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4859 .Authorization(TAG_CALLER_NONCE)
4860 .Padding(PaddingMode::NONE)));
4861
4862 string message = "12345678901234567890123456789012";
4863
4864 // Don't specify nonce, should get a random one.
4865 AuthorizationSetBuilder params =
4866 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4867 AuthorizationSet out_params;
4868 string ciphertext = EncryptMessage(message, params, &out_params);
4869 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4870 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4871
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4872 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4873 string plaintext = DecryptMessage(ciphertext, params);
4874 EXPECT_EQ(message, plaintext);
4875
4876 // Now specify a nonce, should also work.
4877 params = AuthorizationSetBuilder()
4878 .BlockMode(BlockMode::CBC)
4879 .Padding(PaddingMode::NONE)
4880 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
4881 out_params.Clear();
4882 ciphertext = EncryptMessage(message, params, &out_params);
4883
4884 // Decrypt with correct nonce.
4885 plaintext = DecryptMessage(ciphertext, params);
4886 EXPECT_EQ(message, plaintext);
4887
4888 // Try with wrong nonce.
4889 params = AuthorizationSetBuilder()
4890 .BlockMode(BlockMode::CBC)
4891 .Padding(PaddingMode::NONE)
4892 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
4893 plaintext = DecryptMessage(ciphertext, params);
4894 EXPECT_NE(message, plaintext);
4895}
4896
4897/*
4898 * EncryptionOperationsTest.AesCallerNonceProhibited
4899 *
4900 * Verifies that caller-provided nonces are not permitted when not specified in the key
4901 * authorizations.
4902 */
4903TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
4904 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4905 .Authorization(TAG_NO_AUTH_REQUIRED)
4906 .AesEncryptionKey(128)
4907 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4908 .Padding(PaddingMode::NONE)));
4909
4910 string message = "12345678901234567890123456789012";
4911
4912 // Don't specify nonce, should get a random one.
4913 AuthorizationSetBuilder params =
4914 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4915 AuthorizationSet out_params;
4916 string ciphertext = EncryptMessage(message, params, &out_params);
4917 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4918 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4919
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4920 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4921 string plaintext = DecryptMessage(ciphertext, params);
4922 EXPECT_EQ(message, plaintext);
4923
4924 // Now specify a nonce, should fail
4925 params = AuthorizationSetBuilder()
4926 .BlockMode(BlockMode::CBC)
4927 .Padding(PaddingMode::NONE)
4928 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
4929 out_params.Clear();
4930 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
4931}
4932
4933/*
4934 * EncryptionOperationsTest.AesGcmRoundTripSuccess
4935 *
4936 * Verifies that AES GCM mode works.
4937 */
4938TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
4939 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4940 .Authorization(TAG_NO_AUTH_REQUIRED)
4941 .AesEncryptionKey(128)
4942 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4943 .Padding(PaddingMode::NONE)
4944 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4945
4946 string aad = "foobar";
4947 string message = "123456789012345678901234567890123456";
4948
4949 auto begin_params = AuthorizationSetBuilder()
4950 .BlockMode(BlockMode::GCM)
4951 .Padding(PaddingMode::NONE)
4952 .Authorization(TAG_MAC_LENGTH, 128);
4953
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4954 // Encrypt
4955 AuthorizationSet begin_out_params;
4956 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
4957 << "Begin encrypt";
4958 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4959 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
4960 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4961 ASSERT_EQ(ciphertext.length(), message.length() + 16);
4962
4963 // Grab nonce
4964 begin_params.push_back(begin_out_params);
4965
4966 // Decrypt.
4967 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4968 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4969 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4970 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4971 EXPECT_EQ(message.length(), plaintext.length());
4972 EXPECT_EQ(message, plaintext);
4973}
4974
4975/*
4976 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
4977 *
4978 * Verifies that AES GCM mode works, even when there's a long delay
4979 * between operations.
4980 */
4981TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
4982 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4983 .Authorization(TAG_NO_AUTH_REQUIRED)
4984 .AesEncryptionKey(128)
4985 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4986 .Padding(PaddingMode::NONE)
4987 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4988
4989 string aad = "foobar";
4990 string message = "123456789012345678901234567890123456";
4991
4992 auto begin_params = AuthorizationSetBuilder()
4993 .BlockMode(BlockMode::GCM)
4994 .Padding(PaddingMode::NONE)
4995 .Authorization(TAG_MAC_LENGTH, 128);
4996
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4997 // Encrypt
4998 AuthorizationSet begin_out_params;
4999 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
5000 << "Begin encrypt";
5001 string ciphertext;
5002 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5003 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5004 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5005 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5006
5007 ASSERT_EQ(ciphertext.length(), message.length() + 16);
5008
5009 // Grab nonce
5010 begin_params.push_back(begin_out_params);
5011
5012 // Decrypt.
5013 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
5014 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5015 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5016 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5017 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5018 sleep(5);
5019 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
5020 EXPECT_EQ(message.length(), plaintext.length());
5021 EXPECT_EQ(message, plaintext);
5022}
5023
5024/*
5025 * EncryptionOperationsTest.AesGcmDifferentNonces
5026 *
5027 * Verifies that encrypting the same data with different nonces produces different outputs.
5028 */
5029TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
5030 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5031 .Authorization(TAG_NO_AUTH_REQUIRED)
5032 .AesEncryptionKey(128)
5033 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5034 .Padding(PaddingMode::NONE)
5035 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5036 .Authorization(TAG_CALLER_NONCE)));
5037
5038 string aad = "foobar";
5039 string message = "123456789012345678901234567890123456";
5040 string nonce1 = "000000000000";
5041 string nonce2 = "111111111111";
5042 string nonce3 = "222222222222";
5043
5044 string ciphertext1 =
5045 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
5046 string ciphertext2 =
5047 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
5048 string ciphertext3 =
5049 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
5050
5051 ASSERT_NE(ciphertext1, ciphertext2);
5052 ASSERT_NE(ciphertext1, ciphertext3);
5053 ASSERT_NE(ciphertext2, ciphertext3);
5054}
5055
5056/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5057 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
5058 *
5059 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
5060 */
5061TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
5062 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5063 .Authorization(TAG_NO_AUTH_REQUIRED)
5064 .AesEncryptionKey(128)
5065 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5066 .Padding(PaddingMode::NONE)
5067 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5068
5069 string aad = "foobar";
5070 string message = "123456789012345678901234567890123456";
5071
5072 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5073 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5074 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5075
5076 ASSERT_NE(ciphertext1, ciphertext2);
5077 ASSERT_NE(ciphertext1, ciphertext3);
5078 ASSERT_NE(ciphertext2, ciphertext3);
5079}
5080
5081/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5082 * EncryptionOperationsTest.AesGcmTooShortTag
5083 *
5084 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
5085 */
5086TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
5087 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5088 .Authorization(TAG_NO_AUTH_REQUIRED)
5089 .AesEncryptionKey(128)
5090 .BlockMode(BlockMode::GCM)
5091 .Padding(PaddingMode::NONE)
5092 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5093 string message = "123456789012345678901234567890123456";
5094 auto params = AuthorizationSetBuilder()
5095 .BlockMode(BlockMode::GCM)
5096 .Padding(PaddingMode::NONE)
5097 .Authorization(TAG_MAC_LENGTH, 96);
5098
5099 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
5100}
5101
5102/*
5103 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
5104 *
5105 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
5106 */
5107TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
5108 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5109 .Authorization(TAG_NO_AUTH_REQUIRED)
5110 .AesEncryptionKey(128)
5111 .BlockMode(BlockMode::GCM)
5112 .Padding(PaddingMode::NONE)
5113 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5114 string aad = "foobar";
5115 string message = "123456789012345678901234567890123456";
5116 auto params = AuthorizationSetBuilder()
5117 .BlockMode(BlockMode::GCM)
5118 .Padding(PaddingMode::NONE)
5119 .Authorization(TAG_MAC_LENGTH, 128);
5120
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5121 // Encrypt
5122 AuthorizationSet begin_out_params;
5123 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
5124 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5125 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5126
5127 AuthorizationSet finish_out_params;
5128 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5129 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
5130 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5131
5132 params = AuthorizationSetBuilder()
5133 .Authorizations(begin_out_params)
5134 .BlockMode(BlockMode::GCM)
5135 .Padding(PaddingMode::NONE)
5136 .Authorization(TAG_MAC_LENGTH, 96);
5137
5138 // Decrypt.
5139 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
5140}
5141
5142/*
5143 * EncryptionOperationsTest.AesGcmCorruptKey
5144 *
5145 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
5146 */
5147TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
5148 const uint8_t nonce_bytes[] = {
5149 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
5150 };
5151 string nonce = make_string(nonce_bytes);
5152 const uint8_t ciphertext_bytes[] = {
5153 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
5154 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
5155 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
5156 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
5157 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
5158 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
5159 };
5160 string ciphertext = make_string(ciphertext_bytes);
5161
5162 auto params = AuthorizationSetBuilder()
5163 .BlockMode(BlockMode::GCM)
5164 .Padding(PaddingMode::NONE)
5165 .Authorization(TAG_MAC_LENGTH, 128)
5166 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
5167
5168 auto import_params = AuthorizationSetBuilder()
5169 .Authorization(TAG_NO_AUTH_REQUIRED)
5170 .AesEncryptionKey(128)
5171 .BlockMode(BlockMode::GCM)
5172 .Padding(PaddingMode::NONE)
5173 .Authorization(TAG_CALLER_NONCE)
5174 .Authorization(TAG_MIN_MAC_LENGTH, 128);
5175
5176 // Import correct key and decrypt
5177 const uint8_t key_bytes[] = {
5178 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
5179 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
5180 };
5181 string key = make_string(key_bytes);
5182 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
5183 string plaintext = DecryptMessage(ciphertext, params);
5184 CheckedDeleteKey();
5185
5186 // Corrupt key and attempt to decrypt
5187 key[0] = 0;
5188 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
5189 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5190 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
5191 CheckedDeleteKey();
5192}
5193
5194/*
5195 * EncryptionOperationsTest.AesGcmAadNoData
5196 *
5197 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
5198 * encrypt.
5199 */
5200TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
5201 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5202 .Authorization(TAG_NO_AUTH_REQUIRED)
5203 .AesEncryptionKey(128)
5204 .BlockMode(BlockMode::GCM)
5205 .Padding(PaddingMode::NONE)
5206 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5207
5208 string aad = "1234567890123456";
5209 auto params = AuthorizationSetBuilder()
5210 .BlockMode(BlockMode::GCM)
5211 .Padding(PaddingMode::NONE)
5212 .Authorization(TAG_MAC_LENGTH, 128);
5213
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5214 // Encrypt
5215 AuthorizationSet begin_out_params;
5216 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
5217 string ciphertext;
5218 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5219 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
5220 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5221 EXPECT_TRUE(finish_out_params.empty());
5222
5223 // Grab nonce
5224 params.push_back(begin_out_params);
5225
5226 // Decrypt.
5227 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5228 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5229 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5230 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5231
5232 EXPECT_TRUE(finish_out_params.empty());
5233
5234 EXPECT_EQ("", plaintext);
5235}
5236
5237/*
5238 * EncryptionOperationsTest.AesGcmMultiPartAad
5239 *
5240 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
5241 * chunks.
5242 */
5243TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
5244 const size_t tag_bits = 128;
5245 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5246 .Authorization(TAG_NO_AUTH_REQUIRED)
5247 .AesEncryptionKey(128)
5248 .BlockMode(BlockMode::GCM)
5249 .Padding(PaddingMode::NONE)
5250 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5251
5252 string message = "123456789012345678901234567890123456";
5253 auto begin_params = AuthorizationSetBuilder()
5254 .BlockMode(BlockMode::GCM)
5255 .Padding(PaddingMode::NONE)
5256 .Authorization(TAG_MAC_LENGTH, tag_bits);
5257 AuthorizationSet begin_out_params;
5258
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5259 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
5260
5261 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5262 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
5263 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5264 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5265 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
5266 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5267
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5268 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5269 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5270
5271 // Grab nonce.
5272 begin_params.push_back(begin_out_params);
5273
5274 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5275 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5276 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5277 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5278 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5279 EXPECT_EQ(message, plaintext);
5280}
5281
5282/*
5283 * EncryptionOperationsTest.AesGcmAadOutOfOrder
5284 *
5285 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
5286 */
5287TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
5288 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5289 .Authorization(TAG_NO_AUTH_REQUIRED)
5290 .AesEncryptionKey(128)
5291 .BlockMode(BlockMode::GCM)
5292 .Padding(PaddingMode::NONE)
5293 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5294
5295 string message = "123456789012345678901234567890123456";
5296 auto begin_params = AuthorizationSetBuilder()
5297 .BlockMode(BlockMode::GCM)
5298 .Padding(PaddingMode::NONE)
5299 .Authorization(TAG_MAC_LENGTH, 128);
5300 AuthorizationSet begin_out_params;
5301
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5302 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
5303
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5304 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5305 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5306 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
5307 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5308
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5309 // The failure should have already cancelled the operation.
5310 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
5311
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5312 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5313}
5314
5315/*
5316 * EncryptionOperationsTest.AesGcmBadAad
5317 *
5318 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
5319 */
5320TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
5321 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5322 .Authorization(TAG_NO_AUTH_REQUIRED)
5323 .AesEncryptionKey(128)
5324 .BlockMode(BlockMode::GCM)
5325 .Padding(PaddingMode::NONE)
5326 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5327
5328 string message = "12345678901234567890123456789012";
5329 auto begin_params = AuthorizationSetBuilder()
5330 .BlockMode(BlockMode::GCM)
5331 .Padding(PaddingMode::NONE)
5332 .Authorization(TAG_MAC_LENGTH, 128);
5333
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5334 // Encrypt
5335 AuthorizationSet begin_out_params;
5336 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5337 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5338 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5339 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5340
5341 // Grab nonce
5342 begin_params.push_back(begin_out_params);
5343
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5344 // Decrypt.
5345 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5346 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5347 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5348 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5349}
5350
5351/*
5352 * EncryptionOperationsTest.AesGcmWrongNonce
5353 *
5354 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
5355 */
5356TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
5357 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5358 .Authorization(TAG_NO_AUTH_REQUIRED)
5359 .AesEncryptionKey(128)
5360 .BlockMode(BlockMode::GCM)
5361 .Padding(PaddingMode::NONE)
5362 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5363
5364 string message = "12345678901234567890123456789012";
5365 auto begin_params = AuthorizationSetBuilder()
5366 .BlockMode(BlockMode::GCM)
5367 .Padding(PaddingMode::NONE)
5368 .Authorization(TAG_MAC_LENGTH, 128);
5369
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5370 // Encrypt
5371 AuthorizationSet begin_out_params;
5372 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5373 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5374 string ciphertext;
5375 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5376 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5377
5378 // Wrong nonce
5379 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
5380
5381 // Decrypt.
5382 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5383 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5384 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5385 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5386
5387 // With wrong nonce, should have gotten garbage plaintext (or none).
5388 EXPECT_NE(message, plaintext);
5389}
5390
5391/*
5392 * EncryptionOperationsTest.AesGcmCorruptTag
5393 *
5394 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
5395 */
5396TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
5397 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5398 .Authorization(TAG_NO_AUTH_REQUIRED)
5399 .AesEncryptionKey(128)
5400 .BlockMode(BlockMode::GCM)
5401 .Padding(PaddingMode::NONE)
5402 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5403
5404 string aad = "1234567890123456";
5405 string message = "123456789012345678901234567890123456";
5406
5407 auto params = AuthorizationSetBuilder()
5408 .BlockMode(BlockMode::GCM)
5409 .Padding(PaddingMode::NONE)
5410 .Authorization(TAG_MAC_LENGTH, 128);
5411
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5412 // Encrypt
5413 AuthorizationSet begin_out_params;
5414 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5415 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5416 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5417 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5418
5419 // Corrupt tag
5420 ++(*ciphertext.rbegin());
5421
5422 // Grab nonce
5423 params.push_back(begin_out_params);
5424
5425 // Decrypt.
5426 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5427 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5428 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5429 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5430}
5431
5432/*
5433 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
5434 *
5435 * Verifies that 3DES is basically functional.
5436 */
5437TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
5438 auto auths = AuthorizationSetBuilder()
5439 .TripleDesEncryptionKey(168)
5440 .BlockMode(BlockMode::ECB)
5441 .Authorization(TAG_NO_AUTH_REQUIRED)
5442 .Padding(PaddingMode::NONE);
5443
5444 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
5445 // Two-block message.
5446 string message = "1234567890123456";
5447 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5448 string ciphertext1 = EncryptMessage(message, inParams);
5449 EXPECT_EQ(message.size(), ciphertext1.size());
5450
5451 string ciphertext2 = EncryptMessage(string(message), inParams);
5452 EXPECT_EQ(message.size(), ciphertext2.size());
5453
5454 // ECB is deterministic.
5455 EXPECT_EQ(ciphertext1, ciphertext2);
5456
5457 string plaintext = DecryptMessage(ciphertext1, inParams);
5458 EXPECT_EQ(message, plaintext);
5459}
5460
5461/*
5462 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
5463 *
5464 * Verifies that CBC keys reject ECB usage.
5465 */
5466TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
5467 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5468 .TripleDesEncryptionKey(168)
5469 .BlockMode(BlockMode::CBC)
5470 .Authorization(TAG_NO_AUTH_REQUIRED)
5471 .Padding(PaddingMode::NONE)));
5472
5473 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5474 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
5475}
5476
5477/*
5478 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
5479 *
5480 * Tests ECB mode with PKCS#7 padding, various message sizes.
5481 */
5482TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
5483 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5484 .TripleDesEncryptionKey(168)
5485 .BlockMode(BlockMode::ECB)
5486 .Authorization(TAG_NO_AUTH_REQUIRED)
5487 .Padding(PaddingMode::PKCS7)));
5488
5489 for (size_t i = 0; i < 32; ++i) {
5490 string message(i, 'a');
5491 auto inParams =
5492 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5493 string ciphertext = EncryptMessage(message, inParams);
5494 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
5495 string plaintext = DecryptMessage(ciphertext, inParams);
5496 EXPECT_EQ(message, plaintext);
5497 }
5498}
5499
5500/*
5501 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
5502 *
5503 * Verifies that keys configured for no padding reject PKCS7 padding
5504 */
5505TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
5506 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5507 .TripleDesEncryptionKey(168)
5508 .BlockMode(BlockMode::ECB)
5509 .Authorization(TAG_NO_AUTH_REQUIRED)
5510 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5511 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5512 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5513}
5514
5515/*
5516 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
5517 *
5518 * Verifies that corrupted padding is detected.
5519 */
5520TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
5521 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5522 .TripleDesEncryptionKey(168)
5523 .BlockMode(BlockMode::ECB)
5524 .Authorization(TAG_NO_AUTH_REQUIRED)
5525 .Padding(PaddingMode::PKCS7)));
5526
5527 string message = "a";
5528 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
5529 EXPECT_EQ(8U, ciphertext.size());
5530 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5531
5532 AuthorizationSetBuilder begin_params;
5533 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
5534 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5535
5536 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5537 ++ciphertext[ciphertext.size() / 2];
5538
5539 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
5540 string plaintext;
5541 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
5542 ErrorCode error = Finish(&plaintext);
5543 if (error == ErrorCode::INVALID_ARGUMENT) {
5544 // This is the expected error, we can exit the test now.
5545 return;
5546 } else {
5547 // Very small chance we got valid decryption, so try again.
5548 ASSERT_EQ(error, ErrorCode::OK);
5549 }
5550 }
5551 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5552}
5553
5554struct TripleDesTestVector {
5555 const char* name;
5556 const KeyPurpose purpose;
5557 const BlockMode block_mode;
5558 const PaddingMode padding_mode;
5559 const char* key;
5560 const char* iv;
5561 const char* input;
5562 const char* output;
5563};
5564
5565// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
5566// of the NIST vectors are multiples of the block size.
5567static const TripleDesTestVector kTripleDesTestVectors[] = {
5568 {
5569 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
5570 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
5571 "", // IV
5572 "329d86bdf1bc5af4", // input
5573 "d946c2756d78633f", // output
5574 },
5575 {
5576 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
5577 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
5578 "", // IV
5579 "6b1540781b01ce1997adae102dbf3c5b", // input
5580 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
5581 },
5582 {
5583 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
5584 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
5585 "", // IV
5586 "6daad94ce08acfe7", // input
5587 "660e7d32dcc90e79", // output
5588 },
5589 {
5590 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
5591 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
5592 "", // IV
5593 "e9653a0a1f05d31b9acd12d73aa9879d", // input
5594 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
5595 },
5596 {
5597 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
5598 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
5599 "43f791134c5647ba", // IV
5600 "dcc153cef81d6f24", // input
5601 "92538bd8af18d3ba", // output
5602 },
5603 {
5604 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
5605 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5606 "c2e999cb6249023c", // IV
5607 "c689aee38a301bb316da75db36f110b5", // input
5608 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
5609 },
5610 {
5611 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
5612 PaddingMode::PKCS7,
5613 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5614 "c2e999cb6249023c", // IV
5615 "c689aee38a301bb316da75db36f110b500", // input
5616 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
5617 },
5618 {
5619 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
5620 PaddingMode::PKCS7,
5621 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5622 "c2e999cb6249023c", // IV
5623 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
5624 "c689aee38a301bb316da75db36f110b500", // output
5625 },
5626 {
5627 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
5628 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
5629 "41746c7e442d3681", // IV
5630 "c53a7b0ec40600fe", // input
5631 "d4f00eb455de1034", // output
5632 },
5633 {
5634 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
5635 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
5636 "3982bc02c3727d45", // IV
5637 "6006f10adef52991fcc777a1238bbb65", // input
5638 "edae09288e9e3bc05746d872b48e3b29", // output
5639 },
5640};
5641
5642/*
5643 * EncryptionOperationsTest.TripleDesTestVector
5644 *
5645 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
5646 */
5647TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
5648 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
5649 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
5650 SCOPED_TRACE(test->name);
5651 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
5652 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
5653 hex2str(test->output));
5654 }
5655}
5656
5657/*
5658 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
5659 *
5660 * Validates CBC mode functionality.
5661 */
5662TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
5663 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5664 .TripleDesEncryptionKey(168)
5665 .BlockMode(BlockMode::CBC)
5666 .Authorization(TAG_NO_AUTH_REQUIRED)
5667 .Padding(PaddingMode::NONE)));
5668
5669 ASSERT_GT(key_blob_.size(), 0U);
5670
5671 // Two-block message.
5672 string message = "1234567890123456";
5673 vector<uint8_t> iv1;
5674 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
5675 EXPECT_EQ(message.size(), ciphertext1.size());
5676
5677 vector<uint8_t> iv2;
5678 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
5679 EXPECT_EQ(message.size(), ciphertext2.size());
5680
5681 // IVs should be random, so ciphertexts should differ.
5682 EXPECT_NE(iv1, iv2);
5683 EXPECT_NE(ciphertext1, ciphertext2);
5684
5685 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
5686 EXPECT_EQ(message, plaintext);
5687}
5688
5689/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5690 * EncryptionOperationsTest.TripleDesInvalidCallerIv
5691 *
5692 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
5693 */
5694TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
5695 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5696 .TripleDesEncryptionKey(168)
5697 .BlockMode(BlockMode::CBC)
5698 .Authorization(TAG_NO_AUTH_REQUIRED)
5699 .Authorization(TAG_CALLER_NONCE)
5700 .Padding(PaddingMode::NONE)));
5701 auto params = AuthorizationSetBuilder()
5702 .BlockMode(BlockMode::CBC)
5703 .Padding(PaddingMode::NONE)
5704 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
5705 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5706}
5707
5708/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5709 * EncryptionOperationsTest.TripleDesCallerIv
5710 *
5711 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
5712 */
5713TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
5714 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5715 .TripleDesEncryptionKey(168)
5716 .BlockMode(BlockMode::CBC)
5717 .Authorization(TAG_NO_AUTH_REQUIRED)
5718 .Authorization(TAG_CALLER_NONCE)
5719 .Padding(PaddingMode::NONE)));
5720 string message = "1234567890123456";
5721 vector<uint8_t> iv;
5722 // Don't specify IV, should get a random one.
5723 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
5724 EXPECT_EQ(message.size(), ciphertext1.size());
5725 EXPECT_EQ(8U, iv.size());
5726
5727 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
5728 EXPECT_EQ(message, plaintext);
5729
5730 // Now specify an IV, should also work.
5731 iv = AidlBuf("abcdefgh");
5732 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
5733
5734 // Decrypt with correct IV.
5735 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
5736 EXPECT_EQ(message, plaintext);
5737
5738 // Now try with wrong IV.
5739 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
5740 EXPECT_NE(message, plaintext);
5741}
5742
5743/*
5744 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
5745 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5746 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5747 */
5748TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
5749 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5750 .TripleDesEncryptionKey(168)
5751 .BlockMode(BlockMode::CBC)
5752 .Authorization(TAG_NO_AUTH_REQUIRED)
5753 .Padding(PaddingMode::NONE)));
5754
5755 string message = "12345678901234567890123456789012";
5756 vector<uint8_t> iv;
5757 // Don't specify nonce, should get a random one.
5758 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
5759 EXPECT_EQ(message.size(), ciphertext1.size());
5760 EXPECT_EQ(8U, iv.size());
5761
5762 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
5763 EXPECT_EQ(message, plaintext);
5764
5765 // Now specify a nonce, should fail.
5766 auto input_params = AuthorizationSetBuilder()
5767 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
5768 .BlockMode(BlockMode::CBC)
5769 .Padding(PaddingMode::NONE);
5770 AuthorizationSet output_params;
5771 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
5772 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
5773}
5774
5775/*
5776 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
5777 *
5778 * Verifies that 3DES ECB-only keys do not allow CBC usage.
5779 */
5780TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
5781 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5782 .TripleDesEncryptionKey(168)
5783 .BlockMode(BlockMode::ECB)
5784 .Authorization(TAG_NO_AUTH_REQUIRED)
5785 .Padding(PaddingMode::NONE)));
5786 // Two-block message.
5787 string message = "1234567890123456";
5788 auto begin_params =
5789 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5790 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
5791}
5792
5793/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5794 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5795 *
5796 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
5797 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5798TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
5799 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
5800 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5801 .TripleDesEncryptionKey(168)
5802 .BlockMode(blockMode)
5803 .Authorization(TAG_NO_AUTH_REQUIRED)
5804 .Padding(PaddingMode::NONE)));
5805 // Message is slightly shorter than two blocks.
5806 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5807
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5808 auto begin_params =
5809 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5810 AuthorizationSet output_params;
5811 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
5812 string ciphertext;
5813 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
5814
5815 CheckedDeleteKey();
5816 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5817}
5818
5819/*
5820 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
5821 *
5822 * Verifies that PKCS7 padding works correctly in CBC mode.
5823 */
5824TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
5825 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5826 .TripleDesEncryptionKey(168)
5827 .BlockMode(BlockMode::CBC)
5828 .Authorization(TAG_NO_AUTH_REQUIRED)
5829 .Padding(PaddingMode::PKCS7)));
5830
5831 // Try various message lengths; all should work.
5832 for (size_t i = 0; i < 32; ++i) {
5833 string message(i, 'a');
5834 vector<uint8_t> iv;
5835 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
5836 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
5837 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
5838 EXPECT_EQ(message, plaintext);
5839 }
5840}
5841
5842/*
5843 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
5844 *
5845 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
5846 */
5847TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
5848 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5849 .TripleDesEncryptionKey(168)
5850 .BlockMode(BlockMode::CBC)
5851 .Authorization(TAG_NO_AUTH_REQUIRED)
5852 .Padding(PaddingMode::NONE)));
5853
5854 // Try various message lengths; all should fail.
5855 for (size_t i = 0; i < 32; ++i) {
5856 auto begin_params =
5857 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
5858 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
5859 }
5860}
5861
5862/*
5863 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
5864 *
5865 * Verifies that corrupted PKCS7 padding is rejected during decryption.
5866 */
5867TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
5868 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5869 .TripleDesEncryptionKey(168)
5870 .BlockMode(BlockMode::CBC)
5871 .Authorization(TAG_NO_AUTH_REQUIRED)
5872 .Padding(PaddingMode::PKCS7)));
5873
5874 string message = "a";
5875 vector<uint8_t> iv;
5876 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
5877 EXPECT_EQ(8U, ciphertext.size());
5878 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5879
5880 auto begin_params = AuthorizationSetBuilder()
5881 .BlockMode(BlockMode::CBC)
5882 .Padding(PaddingMode::PKCS7)
5883 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5884
5885 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5886 ++ciphertext[ciphertext.size() / 2];
5887 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
5888 string plaintext;
5889 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
5890 ErrorCode error = Finish(&plaintext);
5891 if (error == ErrorCode::INVALID_ARGUMENT) {
5892 // This is the expected error, we can exit the test now.
5893 return;
5894 } else {
5895 // Very small chance we got valid decryption, so try again.
5896 ASSERT_EQ(error, ErrorCode::OK);
5897 }
5898 }
5899 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5900}
5901
5902/*
5903 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
5904 *
5905 * Verifies that 3DES CBC works with many different input sizes.
5906 */
5907TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
5908 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5909 .TripleDesEncryptionKey(168)
5910 .BlockMode(BlockMode::CBC)
5911 .Authorization(TAG_NO_AUTH_REQUIRED)
5912 .Padding(PaddingMode::NONE)));
5913
5914 int increment = 7;
5915 string message(240, 'a');
5916 AuthorizationSet input_params =
5917 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5918 AuthorizationSet output_params;
5919 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
5920
5921 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5922 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5923 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5924 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
5925 EXPECT_EQ(message.size(), ciphertext.size());
5926
5927 // Move TAG_NONCE into input_params
5928 input_params = output_params;
5929 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
5930 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
5931 output_params.Clear();
5932
5933 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
5934 string plaintext;
5935 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5936 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5937 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
5938 EXPECT_EQ(ciphertext.size(), plaintext.size());
5939 EXPECT_EQ(message, plaintext);
5940}
5941
5942INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
5943
5944typedef KeyMintAidlTestBase MaxOperationsTest;
5945
5946/*
5947 * MaxOperationsTest.TestLimitAes
5948 *
5949 * Verifies that the max uses per boot tag works correctly with AES keys.
5950 */
5951TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5952 if (SecLevel() == SecurityLevel::STRONGBOX) {
5953 GTEST_SKIP() << "Test not applicable to StrongBox device";
5954 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5955
5956 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5957 .Authorization(TAG_NO_AUTH_REQUIRED)
5958 .AesEncryptionKey(128)
5959 .EcbMode()
5960 .Padding(PaddingMode::NONE)
5961 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
5962
5963 string message = "1234567890123456";
5964
5965 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
5966
5967 EncryptMessage(message, params);
5968 EncryptMessage(message, params);
5969 EncryptMessage(message, params);
5970
5971 // Fourth time should fail.
5972 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
5973}
5974
5975/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5976 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5977 *
5978 * Verifies that the max uses per boot tag works correctly with RSA keys.
5979 */
5980TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5981 if (SecLevel() == SecurityLevel::STRONGBOX) {
5982 GTEST_SKIP() << "Test not applicable to StrongBox device";
5983 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5984
5985 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5986 .Authorization(TAG_NO_AUTH_REQUIRED)
5987 .RsaSigningKey(1024, 65537)
5988 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5989 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
5990 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5991
5992 string message = "1234567890123456";
5993
5994 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
5995
5996 SignMessage(message, params);
5997 SignMessage(message, params);
5998 SignMessage(message, params);
5999
6000 // Fourth time should fail.
6001 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
6002}
6003
6004INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
6005
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6006typedef KeyMintAidlTestBase UsageCountLimitTest;
6007
6008/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6009 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6010 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6011 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6012 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6013TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6014 if (SecLevel() == SecurityLevel::STRONGBOX) {
6015 GTEST_SKIP() << "Test not applicable to StrongBox device";
6016 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6017
6018 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6019 .Authorization(TAG_NO_AUTH_REQUIRED)
6020 .AesEncryptionKey(128)
6021 .EcbMode()
6022 .Padding(PaddingMode::NONE)
6023 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
6024
6025 // Check the usage count limit tag appears in the authorizations.
6026 AuthorizationSet auths;
6027 for (auto& entry : key_characteristics_) {
6028 auths.push_back(AuthorizationSet(entry.authorizations));
6029 }
6030 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
6031 << "key usage count limit " << 1U << " missing";
6032
6033 string message = "1234567890123456";
6034 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6035
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6036 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6037 AuthorizationSet keystore_auths =
6038 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6039
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6040 // First usage of AES key should work.
6041 EncryptMessage(message, params);
6042
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6043 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
6044 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6045 // must be invalidated from secure storage (such as RPMB partition).
6046 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
6047 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6048 // Usage count limit tag is enforced by keystore, keymint does nothing.
6049 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6050 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
6051 }
6052}
6053
6054/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6055 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6056 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6057 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6058 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6059TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6060 if (SecLevel() == SecurityLevel::STRONGBOX) {
6061 GTEST_SKIP() << "Test not applicable to StrongBox device";
6062 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6063
6064 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6065 .Authorization(TAG_NO_AUTH_REQUIRED)
6066 .AesEncryptionKey(128)
6067 .EcbMode()
6068 .Padding(PaddingMode::NONE)
6069 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
6070
6071 // Check the usage count limit tag appears in the authorizations.
6072 AuthorizationSet auths;
6073 for (auto& entry : key_characteristics_) {
6074 auths.push_back(AuthorizationSet(entry.authorizations));
6075 }
6076 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
6077 << "key usage count limit " << 3U << " missing";
6078
6079 string message = "1234567890123456";
6080 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6081
6082 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6083 AuthorizationSet keystore_auths =
6084 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6085
6086 EncryptMessage(message, params);
6087 EncryptMessage(message, params);
6088 EncryptMessage(message, params);
6089
6090 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
6091 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6092 // must be invalidated from secure storage (such as RPMB partition).
6093 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
6094 } else {
6095 // Usage count limit tag is enforced by keystore, keymint does nothing.
6096 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
6097 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
6098 }
6099}
6100
6101/*
6102 * UsageCountLimitTest.TestSingleUseRsa
6103 *
6104 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
6105 */
6106TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6107 if (SecLevel() == SecurityLevel::STRONGBOX) {
6108 GTEST_SKIP() << "Test not applicable to StrongBox device";
6109 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6110
6111 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6112 .Authorization(TAG_NO_AUTH_REQUIRED)
6113 .RsaSigningKey(1024, 65537)
6114 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6115 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
6116 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6117
6118 // Check the usage count limit tag appears in the authorizations.
6119 AuthorizationSet auths;
6120 for (auto& entry : key_characteristics_) {
6121 auths.push_back(AuthorizationSet(entry.authorizations));
6122 }
6123 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
6124 << "key usage count limit " << 1U << " missing";
6125
6126 string message = "1234567890123456";
6127 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
6128
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6129 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6130 AuthorizationSet keystore_auths =
6131 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6132
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6133 // First usage of RSA key should work.
6134 SignMessage(message, params);
6135
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6136 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
6137 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6138 // must be invalidated from secure storage (such as RPMB partition).
6139 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
6140 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6141 // Usage count limit tag is enforced by keystore, keymint does nothing.
6142 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
6143 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
6144 }
6145}
6146
6147/*
6148 * UsageCountLimitTest.TestLimitUseRsa
6149 *
6150 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
6151 */
6152TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6153 if (SecLevel() == SecurityLevel::STRONGBOX) {
6154 GTEST_SKIP() << "Test not applicable to StrongBox device";
6155 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6156
6157 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6158 .Authorization(TAG_NO_AUTH_REQUIRED)
6159 .RsaSigningKey(1024, 65537)
6160 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6161 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
6162 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6163
6164 // Check the usage count limit tag appears in the authorizations.
6165 AuthorizationSet auths;
6166 for (auto& entry : key_characteristics_) {
6167 auths.push_back(AuthorizationSet(entry.authorizations));
6168 }
6169 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
6170 << "key usage count limit " << 3U << " missing";
6171
6172 string message = "1234567890123456";
6173 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
6174
6175 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6176 AuthorizationSet keystore_auths =
6177 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6178
6179 SignMessage(message, params);
6180 SignMessage(message, params);
6181 SignMessage(message, params);
6182
6183 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
6184 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6185 // must be invalidated from secure storage (such as RPMB partition).
6186 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
6187 } else {
6188 // Usage count limit tag is enforced by keystore, keymint does nothing.
6189 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6190 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
6191 }
6192}
6193
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6194/*
6195 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
6196 *
6197 * Verifies that when rollback resistance is supported by the KeyMint implementation with
6198 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
6199 * in hardware.
6200 */
6201TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6202 if (SecLevel() == SecurityLevel::STRONGBOX) {
6203 GTEST_SKIP() << "Test not applicable to StrongBox device";
6204 }
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6205
6206 auto error = GenerateKey(AuthorizationSetBuilder()
6207 .RsaSigningKey(2048, 65537)
6208 .Digest(Digest::NONE)
6209 .Padding(PaddingMode::NONE)
6210 .Authorization(TAG_NO_AUTH_REQUIRED)
6211 .Authorization(TAG_ROLLBACK_RESISTANCE)
6212 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6213 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
6214 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6215 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6216
6217 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
6218 ASSERT_EQ(ErrorCode::OK, error);
6219 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
6220 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
6221 ASSERT_EQ(ErrorCode::OK, DeleteKey());
6222
6223 // The KeyMint should also enforce single use key in hardware when it supports rollback
6224 // resistance.
6225 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6226 .Authorization(TAG_NO_AUTH_REQUIRED)
6227 .RsaSigningKey(1024, 65537)
6228 .NoDigestOrPadding()
6229 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
6230 .SetDefaultValidity()));
6231
6232 // Check the usage count limit tag appears in the hardware authorizations.
6233 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6234 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
6235 << "key usage count limit " << 1U << " missing";
6236
6237 string message = "1234567890123456";
6238 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
6239
6240 // First usage of RSA key should work.
6241 SignMessage(message, params);
6242
6243 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6244 // must be invalidated from secure storage (such as RPMB partition).
6245 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6246}
6247
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6248INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
6249
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6250typedef KeyMintAidlTestBase GetHardwareInfoTest;
6251
6252TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
6253 // Retrieving hardware info should give the same result each time.
6254 KeyMintHardwareInfo info;
6255 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
6256 KeyMintHardwareInfo info2;
6257 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
6258 EXPECT_EQ(info, info2);
6259}
6260
6261INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
6262
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6263typedef KeyMintAidlTestBase AddEntropyTest;
6264
6265/*
6266 * AddEntropyTest.AddEntropy
6267 *
6268 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
6269 * is actually added.
6270 */
6271TEST_P(AddEntropyTest, AddEntropy) {
6272 string data = "foo";
6273 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
6274}
6275
6276/*
6277 * AddEntropyTest.AddEmptyEntropy
6278 *
6279 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
6280 */
6281TEST_P(AddEntropyTest, AddEmptyEntropy) {
6282 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
6283}
6284
6285/*
6286 * AddEntropyTest.AddLargeEntropy
6287 *
6288 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
6289 */
6290TEST_P(AddEntropyTest, AddLargeEntropy) {
6291 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
6292}
6293
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]6294/*
6295 * AddEntropyTest.AddTooLargeEntropy
6296 *
6297 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
6298 */
6299TEST_P(AddEntropyTest, AddTooLargeEntropy) {
6300 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
6301 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
6302}
6303
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6304INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
6305
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6306typedef KeyMintAidlTestBase KeyDeletionTest;
6307
6308/**
6309 * KeyDeletionTest.DeleteKey
6310 *
6311 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
6312 * valid key blob.
6313 */
6314TEST_P(KeyDeletionTest, DeleteKey) {
6315 auto error = GenerateKey(AuthorizationSetBuilder()
6316 .RsaSigningKey(2048, 65537)
6317 .Digest(Digest::NONE)
6318 .Padding(PaddingMode::NONE)
6319 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6320 .Authorization(TAG_ROLLBACK_RESISTANCE)
6321 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6322 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
6323 GTEST_SKIP() << "Rollback resistance not supported";
6324 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6325
6326 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6327 ASSERT_EQ(ErrorCode::OK, error);
6328 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
6329 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6330
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6331 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6332
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6333 string message = "12345678901234567890123456789012";
6334 AuthorizationSet begin_out_params;
6335 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
6336 Begin(KeyPurpose::SIGN, key_blob_,
6337 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
6338 &begin_out_params));
6339 AbortIfNeeded();
6340 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6341}
6342
6343/**
6344 * KeyDeletionTest.DeleteInvalidKey
6345 *
6346 * This test checks that the HAL excepts invalid key blobs..
6347 */
6348TEST_P(KeyDeletionTest, DeleteInvalidKey) {
6349 // Generate key just to check if rollback protection is implemented
6350 auto error = GenerateKey(AuthorizationSetBuilder()
6351 .RsaSigningKey(2048, 65537)
6352 .Digest(Digest::NONE)
6353 .Padding(PaddingMode::NONE)
6354 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6355 .Authorization(TAG_ROLLBACK_RESISTANCE)
6356 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6357 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
6358 GTEST_SKIP() << "Rollback resistance not supported";
6359 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6360
6361 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6362 ASSERT_EQ(ErrorCode::OK, error);
6363 AuthorizationSet enforced(SecLevelAuthorizations());
6364 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6365
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6366 // Delete the key we don't care about the result at this point.
6367 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6368
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6369 // Now create an invalid key blob and delete it.
6370 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6371
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6372 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6373}
6374
6375/**
6376 * KeyDeletionTest.DeleteAllKeys
6377 *
6378 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
6379 *
6380 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
6381 * FBE/FDE encryption keys, which means that the device will not even boot until after the
6382 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
6383 * been provisioned. Use this test only on dedicated testing devices that have no valuable
6384 * credentials stored in Keystore/Keymint.
6385 */
6386TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6387 if (!arm_deleteAllKeys) {
6388 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
6389 return;
6390 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6391 auto error = GenerateKey(AuthorizationSetBuilder()
6392 .RsaSigningKey(2048, 65537)
6393 .Digest(Digest::NONE)
6394 .Padding(PaddingMode::NONE)
6395 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]6396 .Authorization(TAG_ROLLBACK_RESISTANCE)
6397 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6398 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
6399 GTEST_SKIP() << "Rollback resistance not supported";
6400 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6401
6402 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6403 ASSERT_EQ(ErrorCode::OK, error);
6404 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
6405 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6406
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6407 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6408
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6409 string message = "12345678901234567890123456789012";
6410 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6411
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6412 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
6413 Begin(KeyPurpose::SIGN, key_blob_,
6414 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
6415 &begin_out_params));
6416 AbortIfNeeded();
6417 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6418}
6419
6420INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
6421
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6422typedef KeyMintAidlTestBase KeyUpgradeTest;
6423
6424/**
6425 * KeyUpgradeTest.UpgradeInvalidKey
6426 *
6427 * This test checks that the HAL excepts invalid key blobs..
6428 */
6429TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
6430 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
6431
6432 std::vector<uint8_t> new_blob;
6433 Status result = keymint_->upgradeKey(key_blob,
6434 AuthorizationSetBuilder()
6435 .Authorization(TAG_APPLICATION_ID, "clientid")
6436 .Authorization(TAG_APPLICATION_DATA, "appdata")
6437 .vector_data(),
6438 &new_blob);
6439 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
6440}
6441
6442INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
6443
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6444using UpgradeKeyTest = KeyMintAidlTestBase;
6445
6446/*
6447 * UpgradeKeyTest.UpgradeKey
6448 *
6449 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
6450 */
6451TEST_P(UpgradeKeyTest, UpgradeKey) {
6452 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6453 .AesEncryptionKey(128)
6454 .Padding(PaddingMode::NONE)
6455 .Authorization(TAG_NO_AUTH_REQUIRED)));
6456
6457 auto result = UpgradeKey(key_blob_);
6458
6459 // Key doesn't need upgrading. Should get okay, but no new key blob.
6460 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
6461}
6462
6463INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
6464
6465using ClearOperationsTest = KeyMintAidlTestBase;
6466
6467/*
6468 * ClearSlotsTest.TooManyOperations
6469 *
6470 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
6471 * operations are started without being finished or aborted. Also verifies
6472 * that aborting the operations clears the operations.
6473 *
6474 */
6475TEST_P(ClearOperationsTest, TooManyOperations) {
6476 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6477 .Authorization(TAG_NO_AUTH_REQUIRED)
6478 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6479 .Padding(PaddingMode::NONE)
6480 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6481
6482 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
6483 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]6484 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6485 AuthorizationSet out_params;
6486 ErrorCode result;
6487 size_t i;
6488
6489 for (i = 0; i < max_operations; i++) {
6490 result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
6491 if (ErrorCode::OK != result) {
6492 break;
6493 }
6494 }
6495 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
6496 // Try again just in case there's a weird overflow bug
6497 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
6498 Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
6499 for (size_t j = 0; j < i; j++) {
6500 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
6501 << "Aboort failed for i = " << j << std::endl;
6502 }
6503 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
6504 AbortIfNeeded();
6505}
6506
6507INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
6508
6509typedef KeyMintAidlTestBase TransportLimitTest;
6510
6511/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6512 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6513 *
6514 * Verifies that passing input data to finish succeeds as expected.
6515 */
6516TEST_P(TransportLimitTest, LargeFinishInput) {
6517 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6518 .Authorization(TAG_NO_AUTH_REQUIRED)
6519 .AesEncryptionKey(128)
6520 .BlockMode(BlockMode::ECB)
6521 .Padding(PaddingMode::NONE)));
6522
6523 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
6524 auto cipher_params =
6525 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6526
6527 AuthorizationSet out_params;
6528 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
6529
6530 string plain_message = std::string(1 << msg_size, 'x');
6531 string encrypted_message;
6532 auto rc = Finish(plain_message, &encrypted_message);
6533
6534 EXPECT_EQ(ErrorCode::OK, rc);
6535 EXPECT_EQ(plain_message.size(), encrypted_message.size())
6536 << "Encrypt finish returned OK, but did not consume all of the given input";
6537 cipher_params.push_back(out_params);
6538
6539 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
6540
6541 string decrypted_message;
6542 rc = Finish(encrypted_message, &decrypted_message);
6543 EXPECT_EQ(ErrorCode::OK, rc);
6544 EXPECT_EQ(plain_message.size(), decrypted_message.size())
6545 << "Decrypt finish returned OK, did not consume all of the given input";
6546 }
6547}
6548
6549INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
6550
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]6551typedef KeyMintAidlTestBase KeyAgreementTest;
6552
6553int CurveToOpenSslCurveName(EcCurve curve) {
6554 switch (curve) {
6555 case EcCurve::P_224:
6556 return NID_secp224r1;
6557 case EcCurve::P_256:
6558 return NID_X9_62_prime256v1;
6559 case EcCurve::P_384:
6560 return NID_secp384r1;
6561 case EcCurve::P_521:
6562 return NID_secp521r1;
6563 }
6564}
6565
6566/*
6567 * KeyAgreementTest.Ecdh
6568 *
6569 * Verifies that ECDH works for all curves
6570 */
6571TEST_P(KeyAgreementTest, Ecdh) {
6572 // Because it's possible to use this API with keys on different curves, we
6573 // check all N^2 combinations where N is the number of supported
6574 // curves.
6575 //
6576 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
6577 // lot more curves we can be smart about things and just pick |otherCurve| so
6578 // it's not |curve| and that way we end up with only 2*N runs
6579 //
6580 for (auto curve : ValidCurves()) {
6581 for (auto localCurve : ValidCurves()) {
6582 // Generate EC key locally (with access to private key material)
6583 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
6584 int curveName = CurveToOpenSslCurveName(localCurve);
6585 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
6586 ASSERT_NE(group, nullptr);
6587 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
6588 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
6589 auto pkey = EVP_PKEY_Ptr(EVP_PKEY_new());
6590 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(pkey.get(), ecKey.get()), 1);
6591
6592 // Get encoded form of the public part of the locally generated key...
6593 unsigned char* p = nullptr;
6594 int encodedPublicKeySize = i2d_PUBKEY(pkey.get(), &p);
6595 ASSERT_GT(encodedPublicKeySize, 0);
6596 vector<uint8_t> encodedPublicKey(
6597 reinterpret_cast<const uint8_t*>(p),
6598 reinterpret_cast<const uint8_t*>(p + encodedPublicKeySize));
6599 OPENSSL_free(p);
6600
6601 // Generate EC key in KeyMint (only access to public key material)
6602 vector<uint8_t> challenge = {0x41, 0x42};
6603 EXPECT_EQ(
6604 ErrorCode::OK,
6605 GenerateKey(AuthorizationSetBuilder()
6606 .Authorization(TAG_NO_AUTH_REQUIRED)
6607 .Authorization(TAG_EC_CURVE, curve)
6608 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
6609 .Authorization(TAG_ALGORITHM, Algorithm::EC)
6610 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6611 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
6612 .SetDefaultValidity()))
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]6613 << "Failed to generate key";
6614 ASSERT_GT(cert_chain_.size(), 0);
6615 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
6616 ASSERT_NE(kmKeyCert, nullptr);
6617 // Check that keyAgreement (bit 4) is set in KeyUsage
6618 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
6619 auto kmPkey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
6620 ASSERT_NE(kmPkey, nullptr);
6621 if (dump_Attestations) {
6622 for (size_t n = 0; n < cert_chain_.size(); n++) {
6623 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
6624 }
6625 }
6626
6627 // Now that we have the two keys, we ask KeyMint to perform ECDH...
6628 if (curve != localCurve) {
6629 // If the keys are using different curves KeyMint should fail with
6630 // ErrorCode:INVALID_ARGUMENT. Check that.
6631 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
6632 string ZabFromKeyMintStr;
6633 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
6634 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
6635 &ZabFromKeyMintStr));
6636
6637 } else {
6638 // Otherwise if the keys are using the same curve, it should work.
6639 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
6640 string ZabFromKeyMintStr;
6641 EXPECT_EQ(ErrorCode::OK,
6642 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
6643 &ZabFromKeyMintStr));
6644 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
6645
6646 // Perform local ECDH between the two keys so we can check if we get the same Zab..
6647 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(pkey.get(), nullptr));
6648 ASSERT_NE(ctx, nullptr);
6649 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
6650 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPkey.get()), 1);
6651 size_t ZabFromTestLen = 0;
6652 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
6653 vector<uint8_t> ZabFromTest;
6654 ZabFromTest.resize(ZabFromTestLen);
6655 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
6656
6657 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
6658 }
6659
6660 CheckedDeleteKey();
6661 }
6662 }
6663}
6664
6665INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
6666
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6667using DestroyAttestationIdsTest = KeyMintAidlTestBase;
6668
6669// This is a problematic test, as it can render the device under test permanently unusable.
6670// Re-enable and run at your own risk.
6671TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
6672 auto result = DestroyAttestationIds();
6673 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
6674}
6675
6676INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
6677
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6678using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6679
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6680/*
6681 * EarlyBootKeyTest.CreateEarlyBootKeys
6682 *
6683 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
6684 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6685TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6686 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6687 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6688 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
6689
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]6690 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
6691 ASSERT_GT(keyData.blob.size(), 0U);
6692 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
6693 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
6694 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6695 CheckedDeleteKey(&aesKeyData.blob);
6696 CheckedDeleteKey(&hmacKeyData.blob);
6697 CheckedDeleteKey(&rsaKeyData.blob);
6698 CheckedDeleteKey(&ecdsaKeyData.blob);
6699}
6700
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6701/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]6702 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
6703 *
6704 * Verifies that creating an early boot key with attestation succeeds.
6705 */
6706TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
6707 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
6708 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
6709 builder->AttestationChallenge("challenge");
6710 builder->AttestationApplicationId("app_id");
6711 });
6712
6713 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
6714 ASSERT_GT(keyData.blob.size(), 0U);
6715 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
6716 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
6717 }
6718 CheckedDeleteKey(&aesKeyData.blob);
6719 CheckedDeleteKey(&hmacKeyData.blob);
6720 CheckedDeleteKey(&rsaKeyData.blob);
6721 CheckedDeleteKey(&ecdsaKeyData.blob);
6722}
6723
6724/*
6725 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6726 *
6727 * Verifies that using early boot keys at a later stage fails.
6728 */
6729TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
6730 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6731 .Authorization(TAG_NO_AUTH_REQUIRED)
6732 .Authorization(TAG_EARLY_BOOT_ONLY)
6733 .HmacKey(128)
6734 .Digest(Digest::SHA_2_256)
6735 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
6736 AuthorizationSet output_params;
6737 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
6738 AuthorizationSetBuilder()
6739 .Digest(Digest::SHA_2_256)
6740 .Authorization(TAG_MAC_LENGTH, 256),
6741 &output_params));
6742}
6743
6744/*
6745 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
6746 *
6747 * Verifies that importing early boot keys fails.
6748 */
6749TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
6750 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
6751 .Authorization(TAG_NO_AUTH_REQUIRED)
6752 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]6753 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6754 .Digest(Digest::SHA_2_256)
6755 .SetDefaultValidity(),
6756 KeyFormat::PKCS8, ec_256_key));
6757}
6758
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6759// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6760// boot stage, which no proper Android device is by the time we can run VTS. To use this,
6761// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
6762// early boot, so you'll have to reboot between runs.
6763TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
6764 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6765 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
6766 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
6767 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6768 EXPECT_TRUE(
6769 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6770 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6771 EXPECT_TRUE(
6772 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6773
6774 // Should be able to use keys, since early boot has not ended
6775 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
6776 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
6777 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
6778 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
6779
6780 // End early boot
6781 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
6782 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
6783
6784 // Should not be able to use already-created keys.
6785 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
6786 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
6787 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
6788 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
6789
6790 CheckedDeleteKey(&aesKeyData.blob);
6791 CheckedDeleteKey(&hmacKeyData.blob);
6792 CheckedDeleteKey(&rsaKeyData.blob);
6793 CheckedDeleteKey(&ecdsaKeyData.blob);
6794
6795 // Should not be able to create new keys
6796 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
6797 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
6798
6799 CheckedDeleteKey(&aesKeyData.blob);
6800 CheckedDeleteKey(&hmacKeyData.blob);
6801 CheckedDeleteKey(&rsaKeyData.blob);
6802 CheckedDeleteKey(&ecdsaKeyData.blob);
6803}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6804
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6805INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
6806
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6807using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6808
6809// This may be a problematic test. It can't be run repeatedly without unlocking the device in
6810// between runs... and on most test devices there are no enrolled credentials so it can't be
6811// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
6812// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
6813// a manual test process, which includes unlocking between runs, which is why it's included here.
6814// Well, that and the fact that it's the only test we can do without also making calls into the
6815// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
6816// implications might be, so that may or may not be a solution.
6817TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
6818 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6819 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
6820
6821 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
6822 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
6823 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
6824 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
6825
6826 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6827 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6828 ASSERT_EQ(ErrorCode::OK, rc);
6829 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
6830 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
6831 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
6832 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
6833
6834 CheckedDeleteKey(&aesKeyData.blob);
6835 CheckedDeleteKey(&hmacKeyData.blob);
6836 CheckedDeleteKey(&rsaKeyData.blob);
6837 CheckedDeleteKey(&ecdsaKeyData.blob);
6838}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6839
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6840INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
6841
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]6842} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6843
6844int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6845 std::cout << "Testing ";
6846 auto halInstances =
6847 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
6848 std::cout << "HAL instances:\n";
6849 for (auto& entry : halInstances) {
6850 std::cout << " " << entry << '\n';
6851 }
6852
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6853 ::testing::InitGoogleTest(&argc, argv);
6854 for (int i = 1; i < argc; ++i) {
6855 if (argv[i][0] == '-') {
6856 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6857 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
6858 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6859 }
6860 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6861 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
6862 dump_Attestations = true;
6863 } else {
6864 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6865 }
6866 }
6867 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]6868 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6869}