Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 6c9bdb839f86874ccff3b8d16c9275e02087b4fc / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 3d2d7fb83b04c39abf9b9c3b71addeb88ec4004b [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
David Drysdale6c9bdb82024-01-23 09:32:04 +0000[diff] [blame^]24#include <map>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]25
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]26#include <openssl/curve25519.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]27#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]28#include <openssl/evp.h>
29#include <openssl/mem.h>
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]30#include <openssl/x509.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]31#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]32
33#include <cutils/properties.h>
34
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]35#include <android/binder_manager.h>
36
37#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]38#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]39
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]40#include <keymint_support/key_param_output.h>
41#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]42
43#include "KeyMintAidlTestBase.h"
44
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]45using aidl::android::hardware::security::keymint::AuthorizationSet;
46using aidl::android::hardware::security::keymint::KeyCharacteristics;
47using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]48
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]49namespace std {
50
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]51using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]52
53template <>
54struct std::equal_to<KeyCharacteristics> {
55 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]56 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]57
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]58 // this isn't very efficient. Oh, well.
59 AuthorizationSet a_auths(a.authorizations);
60 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]61
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]62 a_auths.Sort();
63 b_auths.Sort();
64
65 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]66 }
67};
68
69} // namespace std
70
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]71namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]72
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]73namespace {
74
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]75// Maximum supported Ed25519 message size.
76const size_t MAX_ED25519_MSG_SIZE = 16 * 1024;
77
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]78// Whether to check that BOOT_PATCHLEVEL is populated.
79bool check_boot_pl = true;
80
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]81// The maximum number of times we'll attempt to verify that corruption
David Drysdale4c1f6ac2021-11-25 16:08:29 +0000[diff] [blame]82// of an encrypted blob results in an error. Retries are necessary as there
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]83// is a small (roughly 1/256) chance that corrupting ciphertext still results
84// in valid PKCS7 padding.
85constexpr size_t kMaxPaddingCorruptionRetries = 8;
86
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]87template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]88bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
89 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]90 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]91 if (auto p = authorizationValue(ttag, param)) {
92 return *p == expected_value;
93 }
94 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]95 });
96 return (it != set.end());
97}
98
99template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]100bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]101 auto it = std::find_if(set.begin(), set.end(),
102 [&](const KeyParameter& param) { return param.tag == tag; });
103 return (it != set.end());
104}
105
106constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
108 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
109 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
110 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
111 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
112 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
113 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
114 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
115 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
116 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
117 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
119 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
120 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
121 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
122
123string hex2str(string a) {
124 string b;
125 size_t num = a.size() / 2;
126 b.resize(num);
127 for (size_t i = 0; i < num; i++) {
128 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
129 }
130 return b;
131}
132
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]133string rsa_key = hex2str(
134 // RFC 5208 s5
135 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
136 "020100" // INTEGER length 1 value 0x00 (version)
137 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
138 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
139 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
140 "0500" // NULL (parameters)
141 // } end SEQUENCE (AlgorithmIdentifier)
142 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
143 // RFC 8017 A.1.2
144 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
145 "020100" // INTEGER length 1 value 0x00 (version)
146 "028181" // INTEGER length 0x81 value (modulus) ...
147 "00c6095409047d8634812d5a218176e4"
148 "5c41d60a75b13901f234226cffe77652"
149 "1c5a77b9e389417b71c0b6a44d13afe4"
150 "e4a2805d46c9da2935adb1ff0c1f24ea"
151 "06e62b20d776430a4d435157233c6f91"
152 "6783c30e310fcbd89b85c2d567711697"
153 "85ac12bca244abda72bfb19fc44d27c8"
154 "1e1d92de284f4061edfd99280745ea6d"
155 "25"
156 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
157 "028180" // INTEGER length 0x80 (privateExponent) value...
158 "1be0f04d9cae3718691f035338308e91"
159 "564b55899ffb5084d2460e6630257e05"
160 "b3ceab02972dfabcd6ce5f6ee2589eb6"
161 "7911ed0fac16e43a444b8c861e544a05"
162 "93365772f8baf6b22fc9e3c5f1024b06"
163 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
164 "ace7240290bef16c0b3f7f3cdd64ce3a"
165 "b5912cf6e32f39ab188358afcccd8081"
166 "0241" // INTEGER length 0x41 (prime1)
167 "00e4b49ef50f765d3b24dde01aceaaf1"
168 "30f2c76670a91a61ae08af497b4a82be"
169 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
170 "8c92bfab137fba2285227b83c342ff7c"
171 "55"
172 "0241" // INTEGER length 0x41 (prime2)
173 "00ddabb5839c4c7f6bf3d4183231f005"
174 "b31aa58affdda5c79e4cce217f6bc930"
175 "dbe563d480706c24e9ebfcab28a6cdef"
176 "d324b77e1bf7251b709092c24ff501fd"
177 "91"
178 "0240" // INTEGER length 0x40 (exponent1)
179 "23d4340eda3445d8cd26c14411da6fdc"
180 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
181 "842c1d280405bc2f6c1bea214a1d742a"
182 "b996b35b63a82a5e470fa88dbf823cdd"
183 "0240" // INTEGER length 0x40 (exponent2)
184 "1b7b57449ad30d1518249a5f56bb9829"
185 "4d4b6ac12ffc86940497a5a5837a6cf9"
186 "46262b494526d328c11e1126380fde04"
187 "c24f916dec250892db09a6d77cdba351"
188 "0240" // INTEGER length 0x40 (coefficient)
189 "7762cd8f4d050da56bd591adb515d24d"
190 "7ccd32cca0d05f866d583514bd7324d5"
191 "f33645e8ed8b4a1cb3cc4a1d67987399"
192 "f2a09f5b3fb68c88d5e5d90ac33492d6"
193 // } end SEQUENCE (PrivateKey)
194 // } end SEQUENCE (PrivateKeyInfo)
195);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]196
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]197/*
198 * DER-encoded PKCS#8 format RSA key. Generated using:
199 *
200 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
201 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]202string rsa_2048_key = hex2str(
203 // RFC 5208 s5
204 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
205 "020100" // INTEGER length 1 value 0x00 (version)
206 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
207 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
208 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
209 "0500" // NULL (parameters)
210 // } end SEQUENCE (AlgorithmIdentifier)
211 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
212 // RFC 8017 A.1.2
213 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
214 "020100" // INTEGER length 1 value 0x00 (version)
215 "02820101" // INTEGER length 0x101 value (modulus) ...
216 "00BEBC342B56D443B1299F9A6A7056E8"
217 "0A897E318476A5A18029E63B2ED739A6"
218 "1791D339F58DC763D9D14911F2EDEC38"
219 "3DEE11F6319B44510E7A3ECD9B79B973"
220 "82E49500ACF8117DC89CAF0E621F7775"
221 "6554A2FD4664BFE7AB8B59AB48340DBF"
222 "A27B93B5A81F6ECDEB02D0759307128D"
223 "F3E3BAD4055C8B840216DFAA5700670E"
224 "6C5126F0962FCB70FF308F25049164CC"
225 "F76CC2DA66A7DD9A81A714C2809D6918"
226 "6133D29D84568E892B6FFBF3199BDB14"
227 "383EE224407F190358F111A949552ABA"
228 "6714227D1BD7F6B20DD0CB88F9467B71"
229 "9339F33BFF35B3870B3F62204E4286B0"
230 "948EA348B524544B5F9838F29EE643B0"
231 "79EEF8A713B220D7806924CDF7295070"
232 "C5"
233 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
234 "02820100" // INTEGER length 0x100 (privateExponent) value...
235 "69F377F35F2F584EF075353CCD1CA997"
236 "38DB3DBC7C7FF35F9366CE176DFD1B13"
237 "5AB10030344ABF5FBECF1D4659FDEF1C"
238 "0FC430834BE1BE3911951377BB3D563A"
239 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
240 "2686C7B4B3C09A7B8354133E6F93F790"
241 "D59EAEB92E84C9A4339302CCE28FDF04"
242 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
243 "6AB706645BF074A4E4090D06FB163124"
244 "365FD5EE7A20D350E9958CC30D91326E"
245 "1B292E9EF5DB408EC42DAF737D201497"
246 "04D0A678A0FB5B5446863B099228A352"
247 "D604BA8091A164D01D5AB05397C71EAD"
248 "20BE2A08FC528FE442817809C787FEE4"
249 "AB97F97B9130D022153EDC6EB6CBE7B0"
250 "F8E3473F2E901209B5DB10F93604DB01"
251 "028181" // INTEGER length 0x81 (prime1)
252 "00E83C0998214941EA4F9293F1B77E2E"
253 "99E6CF305FAF358238E126124FEAF2EB"
254 "9724B2EA7B78E6032343821A80E55D1D"
255 "88FB12D220C3F41A56142FEC85796D19"
256 "17F1E8C774F142B67D3D6E7B7E6B4383"
257 "E94DB5929089DBB346D5BDAB40CC2D96"
258 "EE0409475E175C63BF78CFD744136740"
259 "838127EA723FF3FE7FA368C1311B4A4E"
260 "05"
261 "028181" // INTEGER length 0x81 (prime2)
262 "00D240FCC0F5D7715CDE21CB2DC86EA1"
263 "46132EA3B06F61FF2AF54BF38473F59D"
264 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
265 "B1B58C39F95E4798CCBB43E83D0119AC"
266 "F532F359CA743C85199F0286610E2009"
267 "97D7312917179AC9B67558773212EC96"
268 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
269 "94D94E066A0900B7B70E82A44FB30053"
270 "C1"
271 "028181" // INTEGER length 0x81 (exponent1)
272 "00AD15DA1CBD6A492B66851BA8C316D3"
273 "8AB700E2CFDDD926A658003513C54BAA"
274 "152B30021D667D20078F500F8AD3E7F3"
275 "945D74A891ED1A28EAD0FEEAEC8C14A8"
276 "E834CF46A13D1378C99D18940823CFDD"
277 "27EC5810D59339E0C34198AC638E09C8"
278 "7CBB1B634A9864AE9F4D5EB2D53514F6"
279 "7B4CAEC048C8AB849A02E397618F3271"
280 "35"
281 "028180" // INTEGER length 0x80 (exponent2)
282 "1FA2C1A5331880A92D8F3E281C617108"
283 "BF38244F16E352E69ED417C7153F9EC3"
284 "18F211839C643DCF8B4DD67CE2AC312E"
285 "95178D5D952F06B1BF779F4916924B70"
286 "F582A23F11304E02A5E7565AE22A35E7"
287 "4FECC8B6FDC93F92A1A37703E4CF0E63"
288 "783BD02EB716A7ECBBFA606B10B74D01"
289 "579522E7EF84D91FC522292108D902C1"
290 "028180" // INTEGER length 0x80 (coefficient)
291 "796FE3825F9DCC85DF22D58690065D93"
292 "898ACD65C087BEA8DA3A63BF4549B795"
293 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
294 "0D74F40DED8E1102C52152A31B6165F8"
295 "3A6722AECFCC35A493D7634664B888A0"
296 "8D3EB034F12EA28BFEE346E205D33482"
297 "7F778B16ED40872BD29FCB36536B6E93"
298 "FFB06778696B4A9D81BB0A9423E63DE5"
299 // } end SEQUENCE (PrivateKey)
300 // } end SEQUENCE (PrivateKeyInfo)
301);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]302
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]303string ec_256_key = hex2str(
304 // RFC 5208 s5
305 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
306 "020100" // INTEGER length 1 value 0 (version)
307 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
308 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
309 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
310 "0608" // OBJECT IDENTIFIER length 8 (param)
311 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
312 // } end SEQUENCE (AlgorithmIdentifier)
313 "046d" // OCTET STRING length 0x6d (privateKey) holding...
314 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
315 "020101" // INTEGER length 1 value 1 (version)
316 "0420" // OCTET STRING length 0x20 (privateKey)
317 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
318 "941eed09366bc03299986481f3a4d859"
319 "a144" // TAG [1] len 0x44 (publicKey) {
320 "03420004bf85d7720d07c25461683bc6"
321 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
322 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
323 "bcc41c6eb00083cf3376d11fd44949e0"
324 "b2183bfe"
325 // } end SEQUENCE (ECPrivateKey)
326 // } end SEQUENCE (PrivateKeyInfo)
327);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]328
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]329string ec_521_key = hex2str(
330 // RFC 5208 s5
331 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
332 "020100" // INTEGER length 1 value 0 (version)
333 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
334 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
335 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
336 "0605" // OBJECT IDENTIFIER length 5 (param)
337 "2B81040023" // 1.3.132.0.35 (secp521r1)
338 // } end SEQUENCE (AlgorithmIdentifier)
339 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
340 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
341 "020101" // INTEGER length 1 value 1 (version)
342 "0442" // OCTET STRING length 0x42 (privateKey)
343 "0011458C586DB5DAA92AFAB03F4FE46A"
344 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
345 "9D18D7D08B5BCFA0E53C75B064AD51C4"
346 "49BAE0258D54B94B1E885DED08ED4FB2"
347 "5CE9"
348 "A18189" // TAG [1] len 0x89 (publicKey) {
349 "03818600040149EC11C6DF0FA122C6A9"
350 "AFD9754A4FA9513A627CA329E349535A"
351 "5629875A8ADFBE27DCB932C051986377"
352 "108D054C28C6F39B6F2C9AF81802F9F3"
353 "26B842FF2E5F3C00AB7635CFB36157FC"
354 "0882D574A10D839C1A0C049DC5E0D775"
355 "E2EE50671A208431BB45E78E70BEFE93"
356 "0DB34818EE4D5C26259F5C6B8E28A652"
357 "950F9F88D7B4B2C9D9"
358 // } end SEQUENCE (ECPrivateKey)
359 // } end SEQUENCE (PrivateKeyInfo)
360);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]361
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]362string ec_256_key_rfc5915 = hex2str(
363 // RFC 5208 s5
364 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
365 "020100" // INTEGER length 1 value 0 (version)
366 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
367 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
368 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
369 "0608" // OBJECT IDENTIFIER length 8 (param)
370 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
371 // } end SEQUENCE (AlgorithmIdentifier)
372 "0479" // OCTET STRING length 0x79 (privateKey) holding...
373 // RFC 5915 s3
374 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
375 "020101" // INTEGER length 1 value 1 (version)
376 "0420" // OCTET STRING length 0x42 (privateKey)
377 "782370a8c8ce5537baadd04dcff079c8"
378 "158cfa9c67b818b38e8d21c9fa750c1d"
379 "a00a" // TAG [0] length 0xa (parameters)
380 "0608" // OBJECT IDENTIFIER length 8
381 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
382 // } end TAG [0]
383 "a144" // TAG [1] length 0x44 (publicKey) {
384 "0342" // BIT STRING length 0x42
385 "00" // no pad bits
386 "04e2cc561ee701da0ad0ef0d176bb0c9"
387 "19d42e79c393fdc1bd6c4010d85cf2cf"
388 "8e68c905464666f98dad4f01573ba810"
389 "78b3428570a439ba3229fbc026c55068"
390 "2f"
391 // } end SEQUENCE (ECPrivateKey)
392 // } end SEQUENCE (PrivateKeyInfo)
393);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]394
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]395string ec_256_key_sec1 = hex2str(
396 // RFC 5208 s5
397 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
398 "020100" // INTEGER length 1 value 0 (version)
399 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
400 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
401 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
402 "0608" // OBJECT IDENTIFIER length 8 (param)
403 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
404 // } end SEQUENCE (AlgorithmIdentifier)
405 "046d" // OCTET STRING length 0x6d (privateKey) holding...
406 // SEC1-v2 C.4
407 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
408 "020101" // INTEGER length 1 value 0x01 (version)
409 "0420" // OCTET STRING length 0x20 (privateKey)
410 "782370a8c8ce5537baadd04dcff079c8"
411 "158cfa9c67b818b38e8d21c9fa750c1d"
412 "a144" // TAG [1] length 0x44 (publicKey) {
413 "0342" // BIT STRING length 0x42
414 "00" // no pad bits
415 "04e2cc561ee701da0ad0ef0d176bb0c9"
416 "19d42e79c393fdc1bd6c4010d85cf2cf"
417 "8e68c905464666f98dad4f01573ba810"
418 "78b3428570a439ba3229fbc026c55068"
419 "2f"
420 // } end TAG [1] (publicKey)
421 // } end SEQUENCE (PrivateKeyInfo)
422);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]423
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]424/**
425 * Ed25519 key pair generated as follows:
426 * ```
427 * % openssl req -x509 -newkey ED25519 -days 700 -nodes \
428 * -keyout ed25519_priv.key -out ed25519.pem * -subj "/CN=fake.ed25519.com"
429 * Generating a ED25519 private key writing new private key to
430 * 'ed25519_priv.key'
431 * -----
432 * % cat ed25519_priv.key
433 * -----BEGIN PRIVATE KEY-----
434 * MC4CAQAwBQYDK2VwBCIEIKl3A5quNywcj1P+0XI9SBalFPIvO52NxceMLRH6dVmR
435 * -----END PRIVATE KEY-----
436 * % der2ascii -pem -i ed25519_priv.key
437 * SEQUENCE {
438 * INTEGER { 0 }
439 * SEQUENCE {
440 * # ed25519
441 * OBJECT_IDENTIFIER { 1.3.101.112 }
442 * }
443 * OCTET_STRING {
444 * OCTET_STRING { `a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991` }
445 * }
446 * }
447 * % cat ed25519.pem
448 * -----BEGIN CERTIFICATE-----
449 * MIIBSjCB/aADAgECAhR0Jron3eKcdgqyecv/eEfGWAzn8DAFBgMrZXAwGzEZMBcG
450 * A1UEAwwQZmFrZS5lZDI1NTE5LmNvbTAeFw0yMTEwMjAwODI3NDJaFw0yMzA5MjAw
451 * ODI3NDJaMBsxGTAXBgNVBAMMEGZha2UuZWQyNTUxOS5jb20wKjAFBgMrZXADIQDv
452 * uwHz+3TaQ69D2digxlz0fFfsZg0rPqgQae3jBPRWkaNTMFEwHQYDVR0OBBYEFN9O
453 * od30SY4JTs66ZR403UPya+iXMB8GA1UdIwQYMBaAFN9Ood30SY4JTs66ZR403UPy
454 * a+iXMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAKjVrYQjuE/gEL2j/ABpDbFjV
455 * Ilg5tJ6MN/P3psAv3Cs7f0X1lFqdlt15nJ/6aj2cmGCwNRXt5wcyYDKNu+v2Dw==
456 * -----END CERTIFICATE-----
457 * % openssl x509 -in ed25519.pem -text -noout
458 * Certificate:
459 * Data:
460 * Version: 3 (0x2)
461 * Serial Number:
462 * 74:26:ba:27:dd:e2:9c:76:0a:b2:79:cb:ff:78:47:c6:58:0c:e7:f0
463 * Signature Algorithm: ED25519
464 * Issuer: CN = fake.ed25519.com
465 * Validity
466 * Not Before: Oct 20 08:27:42 2021 GMT
467 * Not After : Sep 20 08:27:42 2023 GMT
468 * Subject: CN = fake.ed25519.com
469 * Subject Public Key Info:
470 * Public Key Algorithm: ED25519
471 * ED25519 Public-Key:
472 * pub:
473 * ef:bb:01:f3:fb:74:da:43:af:43:d9:d8:a0:c6:5c:
474 * f4:7c:57:ec:66:0d:2b:3e:a8:10:69:ed:e3:04:f4:
475 * 56:91
476 * X509v3 extensions:
477 * X509v3 Subject Key Identifier:
478 * DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
479 * X509v3 Authority Key Identifier:
480 * keyid:DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
481 *
482 * X509v3 Basic Constraints: critical
483 * CA:TRUE
484 * Signature Algorithm: ED25519
485 * 2a:35:6b:61:08:ee:13:f8:04:2f:68:ff:00:1a:43:6c:58:d5:
486 * 22:58:39:b4:9e:8c:37:f3:f7:a6:c0:2f:dc:2b:3b:7f:45:f5:
487 * 94:5a:9d:96:dd:79:9c:9f:fa:6a:3d:9c:98:60:b0:35:15:ed:
488 * e7:07:32:60:32:8d:bb:eb:f6:0f
489 * ```
490 */
491string ed25519_key = hex2str("a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991");
492string ed25519_pkcs8_key = hex2str(
493 // RFC 5208 s5
494 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
495 "0201" // INTEGER length 1 (Version)
496 "00" // version 0
497 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
498 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
499 "2b6570" // 1.3.101.112 (id-Ed125519 RFC 8410 s3)
500 // } end SEQUENCE (AlgorithmIdentifier)
501 "0422" // OCTET STRING length 0x22 (PrivateKey)
502 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
503 "a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991"
504 // } end SEQUENCE (PrivateKeyInfo)
505);
506string ed25519_pubkey = hex2str("efbb01f3fb74da43af43d9d8a0c65cf47c57ec660d2b3ea81069ede304f45691");
507
508/**
509 * X25519 key pair generated as follows:
510 * ```
511 * % openssl genpkey -algorithm X25519 > x25519_priv.key
512 * % cat x25519_priv.key
513 * -----BEGIN PRIVATE KEY-----
514 * MC4CAQAwBQYDK2VuBCIEIGgPwF3NLwQx/Sfwr2nfJvXitwlDNh3Skzh+TISN/y1C
515 * -----END PRIVATE KEY-----
516 * % der2ascii -pem -i x25519_priv.key
517 * SEQUENCE {
518 * INTEGER { 0 }
519 * SEQUENCE {
520 * # x25519
521 * OBJECT_IDENTIFIER { 1.3.101.110 }
522 * }
523 * OCTET_STRING {
524 * OCTET_STRING { `680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42` }
525 * }
526 * }
527 * ```
528 */
529
530string x25519_key = hex2str("680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
531string x25519_pkcs8_key = hex2str(
532 // RFC 5208 s5
533 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
534 "0201" // INTEGER length 1 (Version)
535 "00" // version 0
536 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
537 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
538 "2b656e" // 1.3.101.110 (id-X125519 RFC 8410 s3)
539 "0422" // OCTET STRING length 0x22 (PrivateKey)
540 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
541 "680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
542string x25519_pubkey = hex2str("be46925a857f17831d6d454b9d3d36a4a30166edf80eb82b684661c3e258f768");
543
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]544struct RSA_Delete {
545 void operator()(RSA* p) { RSA_free(p); }
546};
547
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]548std::string make_string(const uint8_t* data, size_t length) {
549 return std::string(reinterpret_cast<const char*>(data), length);
550}
551
552template <size_t N>
553std::string make_string(const uint8_t (&a)[N]) {
554 return make_string(a, N);
555}
556
557class AidlBuf : public vector<uint8_t> {
558 typedef vector<uint8_t> super;
559
560 public:
561 AidlBuf() {}
562 AidlBuf(const super& other) : super(other) {}
563 AidlBuf(super&& other) : super(std::move(other)) {}
564 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
565
566 AidlBuf& operator=(const super& other) {
567 super::operator=(other);
568 return *this;
569 }
570
571 AidlBuf& operator=(super&& other) {
572 super::operator=(std::move(other));
573 return *this;
574 }
575
576 AidlBuf& operator=(const string& other) {
577 resize(other.size());
578 for (size_t i = 0; i < other.size(); ++i) {
579 (*this)[i] = static_cast<uint8_t>(other[i]);
580 }
581 return *this;
582 }
583
584 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
585};
586
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]587string device_suffix(const string& name) {
588 size_t pos = name.find('/');
589 if (pos == string::npos) {
590 return name;
591 }
592 return name.substr(pos + 1);
593}
594
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]595std::shared_ptr<IRemotelyProvisionedComponent> matching_rp_instance(const std::string& km_name) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]596 string km_suffix = device_suffix(km_name);
597
598 vector<string> rp_names =
599 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
600 for (const string& rp_name : rp_names) {
601 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
602 // KeyMint instance, assume they match.
603 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
604 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]605 return IRemotelyProvisionedComponent::fromBinder(binder);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]606 }
607 }
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]608 return nullptr;
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]609}
610
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]611} // namespace
612
613class NewKeyGenerationTest : public KeyMintAidlTestBase {
614 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]615 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]616 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]617 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]618
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]619 // Check that some unexpected tags/values are NOT present.
620 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
621 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]622 }
623
624 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]625 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]626 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
627 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
628
629 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]630 }
631
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]632 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics,
633 const KeyOrigin expectedKeyOrigin) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]634 // TODO(swillden): Distinguish which params should be in which auth list.
635 AuthorizationSet auths;
636 for (auto& entry : keyCharacteristics) {
637 auths.push_back(AuthorizationSet(entry.authorizations));
638 }
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]639 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, expectedKeyOrigin));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]640
641 // Verify that App data, ROT and auth timeout are NOT included.
642 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
643 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]644 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
645
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]646 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
647 // never adds it.
648 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
649
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]650 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]651 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]652 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]653 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]654 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]655 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]656 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]657
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]658 // Should include vendor patchlevel.
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]659 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
660 EXPECT_TRUE(vendor_pl);
661 EXPECT_EQ(*vendor_pl, vendor_patch_level());
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]662
663 // Should include boot patchlevel (but there are some test scenarios where this is not
664 // possible).
665 if (check_boot_pl) {
666 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
667 EXPECT_TRUE(boot_pl);
668 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]669
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]670 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]671 }
672};
673
674/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]675 * NewKeyGenerationTest.Aes
676 *
677 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
678 * have correct characteristics.
679 */
680TEST_P(NewKeyGenerationTest, Aes) {
681 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
682 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
683 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
684 SCOPED_TRACE(testing::Message()
685 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
686 vector<uint8_t> key_blob;
687 vector<KeyCharacteristics> key_characteristics;
688 auto builder = AuthorizationSetBuilder()
689 .AesEncryptionKey(key_size)
690 .BlockMode(block_mode)
691 .Padding(padding_mode)
692 .SetDefaultValidity();
693 if (block_mode == BlockMode::GCM) {
694 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
695 }
696 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]697 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]698
699 EXPECT_GT(key_blob.size(), 0U);
700 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]701 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]702
703 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
704
705 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
706 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
707 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]708 }
709 }
710 }
711}
712
713/*
714 * NewKeyGenerationTest.AesInvalidSize
715 *
716 * Verifies that specifying an invalid key size for AES key generation returns
717 * UNSUPPORTED_KEY_SIZE.
718 */
719TEST_P(NewKeyGenerationTest, AesInvalidSize) {
720 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
721 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
722 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
723 SCOPED_TRACE(testing::Message()
724 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
725 vector<uint8_t> key_blob;
726 vector<KeyCharacteristics> key_characteristics;
727 auto builder = AuthorizationSetBuilder()
728 .AesEncryptionKey(key_size)
729 .BlockMode(block_mode)
730 .Padding(padding_mode)
731 .SetDefaultValidity();
732 if (block_mode == BlockMode::GCM) {
733 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
734 }
735 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
736 GenerateKey(builder, &key_blob, &key_characteristics));
737 }
738 }
739 }
740
741 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
742 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]743 SCOPED_TRACE(testing::Message() << "AES-unknown-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]744 vector<uint8_t> key_blob;
745 vector<KeyCharacteristics> key_characteristics;
746 // No key size specified
747 auto builder = AuthorizationSetBuilder()
748 .Authorization(TAG_ALGORITHM, Algorithm::AES)
749 .BlockMode(block_mode)
750 .Padding(padding_mode)
751 .SetDefaultValidity();
752 if (block_mode == BlockMode::GCM) {
753 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
754 }
755 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
756 GenerateKey(builder, &key_blob, &key_characteristics));
757 }
758 }
759}
760
761/*
762 * NewKeyGenerationTest.AesInvalidPadding
763 *
764 * Verifies that specifying an invalid padding on AES keys gives a failure
765 * somewhere along the way.
766 */
767TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
768 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
769 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
770 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
771 SCOPED_TRACE(testing::Message()
772 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]773 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]774 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]775 .AesEncryptionKey(key_size)
776 .BlockMode(block_mode)
777 .Padding(padding_mode)
778 .SetDefaultValidity();
779 if (block_mode == BlockMode::GCM) {
780 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
781 }
782
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]783 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]784 if (result == ErrorCode::OK) {
785 // Key creation was OK but has generated a key that cannot be used.
786 auto params =
787 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]788 if (block_mode == BlockMode::GCM) {
789 params.Authorization(TAG_MAC_LENGTH, 128);
790 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]791 auto result = Begin(KeyPurpose::ENCRYPT, params);
792 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]793 result == ErrorCode::INVALID_KEY_BLOB)
794 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]795 } else {
796 // The KeyMint implementation detected that the generated key
797 // is unusable.
798 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
799 }
800 }
801 }
802 }
803}
804
805/*
806 * NewKeyGenerationTest.AesGcmMissingMinMac
807 *
808 * Verifies that specifying an invalid key size for AES key generation returns
809 * UNSUPPORTED_KEY_SIZE.
810 */
811TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
812 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
813 BlockMode block_mode = BlockMode::GCM;
814 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
815 SCOPED_TRACE(testing::Message()
816 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
817 vector<uint8_t> key_blob;
818 vector<KeyCharacteristics> key_characteristics;
819 // No MIN_MAC_LENGTH provided.
820 auto builder = AuthorizationSetBuilder()
821 .AesEncryptionKey(key_size)
822 .BlockMode(block_mode)
823 .Padding(padding_mode)
824 .SetDefaultValidity();
825 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
826 GenerateKey(builder, &key_blob, &key_characteristics));
827 }
828 }
829}
830
831/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]832 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
833 *
834 * Verifies that specifying an invalid min MAC size for AES key generation returns
835 * UNSUPPORTED_MIN_MAC_LENGTH.
836 */
837TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
838 for (size_t min_mac_len : {88, 136}) {
839 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
840 BlockMode block_mode = BlockMode::GCM;
841 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
842 SCOPED_TRACE(testing::Message()
843 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
844 vector<uint8_t> key_blob;
845 vector<KeyCharacteristics> key_characteristics;
846 auto builder = AuthorizationSetBuilder()
847 .AesEncryptionKey(key_size)
848 .BlockMode(block_mode)
849 .Padding(padding_mode)
850 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
851 .SetDefaultValidity();
852 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
853 GenerateKey(builder, &key_blob, &key_characteristics));
854 }
855 }
856 }
857}
858
859/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]860 * NewKeyGenerationTest.TripleDes
861 *
862 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
863 * have correct characteristics.
864 */
865TEST_P(NewKeyGenerationTest, TripleDes) {
866 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
867 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
868 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
869 SCOPED_TRACE(testing::Message()
870 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
871 vector<uint8_t> key_blob;
872 vector<KeyCharacteristics> key_characteristics;
873 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
874 .TripleDesEncryptionKey(key_size)
875 .BlockMode(block_mode)
876 .Padding(padding_mode)
877 .Authorization(TAG_NO_AUTH_REQUIRED)
878 .SetDefaultValidity(),
879 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]880 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]881
882 EXPECT_GT(key_blob.size(), 0U);
883 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]884 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]885
886 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
887
888 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
889 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
890 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]891 }
892 }
893 }
894}
895
896/*
897 * NewKeyGenerationTest.TripleDesWithAttestation
898 *
899 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
900 * have correct characteristics.
901 *
902 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
903 * put in a certificate) but which isn't an error.
904 */
905TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
906 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
907 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
908 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
909 SCOPED_TRACE(testing::Message()
910 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
911
912 auto challenge = "hello";
913 auto app_id = "foo";
914
915 vector<uint8_t> key_blob;
916 vector<KeyCharacteristics> key_characteristics;
917 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
918 .TripleDesEncryptionKey(key_size)
919 .BlockMode(block_mode)
920 .Padding(padding_mode)
921 .Authorization(TAG_NO_AUTH_REQUIRED)
922 .AttestationChallenge(challenge)
923 .AttestationApplicationId(app_id)
924 .SetDefaultValidity(),
925 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]926 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]927
928 EXPECT_GT(key_blob.size(), 0U);
929 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]930 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]931
932 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
933
934 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
935 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
936 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]937 }
938 }
939 }
940}
941
942/*
943 * NewKeyGenerationTest.TripleDesInvalidSize
944 *
945 * Verifies that specifying an invalid key size for 3-DES key generation returns
946 * UNSUPPORTED_KEY_SIZE.
947 */
948TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
949 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
950 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
951 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
952 SCOPED_TRACE(testing::Message()
953 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
954 vector<uint8_t> key_blob;
955 vector<KeyCharacteristics> key_characteristics;
956 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
957 GenerateKey(AuthorizationSetBuilder()
958 .TripleDesEncryptionKey(key_size)
959 .BlockMode(block_mode)
960 .Padding(padding_mode)
961 .Authorization(TAG_NO_AUTH_REQUIRED)
962 .SetDefaultValidity(),
963 &key_blob, &key_characteristics));
964 }
965 }
966 }
967
968 // Omitting the key size fails.
969 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
970 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
971 SCOPED_TRACE(testing::Message()
972 << "3DES-default-" << block_mode << "-" << padding_mode);
973 vector<uint8_t> key_blob;
974 vector<KeyCharacteristics> key_characteristics;
975 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
976 GenerateKey(AuthorizationSetBuilder()
977 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
978 .BlockMode(block_mode)
979 .Padding(padding_mode)
980 .Authorization(TAG_NO_AUTH_REQUIRED)
981 .SetDefaultValidity(),
982 &key_blob, &key_characteristics));
983 }
984 }
985}
986
987/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]988 * NewKeyGenerationTest.Rsa
989 *
990 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
991 * have correct characteristics.
992 */
993TEST_P(NewKeyGenerationTest, Rsa) {
994 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]995 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]996 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]997 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]998 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
999 .RsaSigningKey(key_size, 65537)
1000 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1001 .Padding(PaddingMode::NONE)
1002 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1003 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1004 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1005
1006 ASSERT_GT(key_blob.size(), 0U);
1007 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1008 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1009
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1010 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1011
1012 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1013 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1014 << "Key size " << key_size << "missing";
1015 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1016 }
1017}
1018
1019/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1020 * NewKeyGenerationTest.RsaWithMissingValidity
1021 *
1022 * Verifies that keymint returns an error while generating asymmetric key
1023 * without providing NOT_BEFORE and NOT_AFTER parameters.
1024 */
1025TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1026 if (AidlVersion() < 3) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1027 /*
1028 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1029 * specified for asymmetric key generation. However, this was not
1030 * checked at the time so we can only be strict about checking this for
1031 * implementations of KeyMint version 2 and above.
1032 */
1033 GTEST_SKIP() << "Validity strict since KeyMint v2";
1034 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1035 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1036 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1037 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1038
1039 vector<uint8_t> key_blob;
1040 vector<KeyCharacteristics> key_characteristics;
1041 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1042 GenerateKey(AuthorizationSetBuilder()
1043 .RsaSigningKey(2048, 65537)
1044 .Digest(Digest::NONE)
1045 .Padding(PaddingMode::NONE)
1046 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1047 kUndefinedExpirationDateTime),
1048 &key_blob, &key_characteristics));
1049
1050 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1051 GenerateKey(AuthorizationSetBuilder()
1052 .RsaSigningKey(2048, 65537)
1053 .Digest(Digest::NONE)
1054 .Padding(PaddingMode::NONE)
1055 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1056 &key_blob, &key_characteristics));
1057}
1058
1059/*
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]1060 * NewKeyGenerationTest.RsaWithSpecifiedValidity
1061 *
1062 * Verifies that KeyMint respects specified NOT_BEFORE and NOT_AFTER certificate dates.
1063 */
1064TEST_P(NewKeyGenerationTest, RsaWithSpecifiedValidity) {
1065 vector<uint8_t> key_blob;
1066 vector<KeyCharacteristics> key_characteristics;
1067 ASSERT_EQ(ErrorCode::OK,
1068 GenerateKey(AuthorizationSetBuilder()
1069 .RsaSigningKey(2048, 65537)
1070 .Digest(Digest::NONE)
1071 .Padding(PaddingMode::NONE)
1072 .Authorization(TAG_CERTIFICATE_NOT_BEFORE,
1073 1183806000000 /* 2007-07-07T11:00:00Z */)
1074 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1075 1916049600000 /* 2030-09-19T12:00:00Z */),
1076 &key_blob, &key_characteristics));
1077 ASSERT_GT(cert_chain_.size(), 0);
1078
1079 X509_Ptr cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1080 ASSERT_TRUE(!!cert.get());
1081
1082 const ASN1_TIME* not_before = X509_get0_notBefore(cert.get());
1083 ASSERT_NE(not_before, nullptr);
1084 time_t not_before_time;
1085 ASSERT_EQ(ASN1_TIME_to_time_t(not_before, &not_before_time), 1);
1086 EXPECT_EQ(not_before_time, 1183806000);
1087
1088 const ASN1_TIME* not_after = X509_get0_notAfter(cert.get());
1089 ASSERT_NE(not_after, nullptr);
1090 time_t not_after_time;
1091 ASSERT_EQ(ASN1_TIME_to_time_t(not_after, &not_after_time), 1);
1092 EXPECT_EQ(not_after_time, 1916049600);
1093}
1094
1095/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1096 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1097 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1098 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
1099 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1100 */
1101TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1102 auto challenge = "hello";
1103 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1104
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1105 auto subject = "cert subj 2";
1106 vector<uint8_t> subject_der(make_name_from_str(subject));
1107
1108 uint64_t serial_int = 66;
1109 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1110
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1111 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1112 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1113 vector<uint8_t> key_blob;
1114 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1115 auto builder = AuthorizationSetBuilder()
1116 .RsaSigningKey(key_size, 65537)
1117 .Digest(Digest::NONE)
1118 .Padding(PaddingMode::NONE)
1119 .AttestationChallenge(challenge)
1120 .AttestationApplicationId(app_id)
1121 .Authorization(TAG_NO_AUTH_REQUIRED)
1122 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1123 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1124 .SetDefaultValidity();
1125
1126 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1127 // Strongbox may not support factory provisioned attestation key.
1128 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1129 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1130 result = GenerateKeyWithSelfSignedAttestKey(
1131 AuthorizationSetBuilder()
1132 .RsaKey(key_size, 65537)
1133 .AttestKey()
1134 .SetDefaultValidity(), /* attest key params */
1135 builder, &key_blob, &key_characteristics);
1136 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1137 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1138 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1139 KeyBlobDeleter deleter(keymint_, key_blob);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1140 ASSERT_GT(key_blob.size(), 0U);
1141 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1142 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1143
1144 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1145
1146 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1147 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1148 << "Key size " << key_size << "missing";
1149 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1150
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1151 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1152 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1153 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1154
1155 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1156 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1157 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1158 sw_enforced, hw_enforced, SecLevel(),
1159 cert_chain_[0].encodedCertificate));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1160 }
1161}
1162
1163/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1164 * NewKeyGenerationTest.RsaWithRkpAttestation
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1165 *
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1166 * Verifies that keymint can generate all required RSA key sizes using an attestation key
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1167 * that has been generated using an associate IRemotelyProvisionedComponent.
1168 */
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1169TEST_P(NewKeyGenerationTest, RsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1170 if (!IsRkpSupportRequired()) {
1171 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1172 }
1173
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1174 // Check for an IRemotelyProvisionedComponent instance associated with the
1175 // KeyMint instance.
1176 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1177 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1178 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1179 }
1180 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1181 << GetParam();
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1182
1183 // Generate a P-256 keypair to use as an attestation key.
1184 MacedPublicKey macedPubKey;
1185 std::vector<uint8_t> privateKeyBlob;
1186 auto status =
1187 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1188 ASSERT_TRUE(status.isOk());
1189 vector<uint8_t> coseKeyData;
1190 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1191
1192 AttestationKey attestation_key;
1193 attestation_key.keyBlob = std::move(privateKeyBlob);
1194 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1195
1196 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1197 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1198 auto challenge = "hello";
1199 auto app_id = "foo";
1200
1201 vector<uint8_t> key_blob;
1202 vector<KeyCharacteristics> key_characteristics;
1203 ASSERT_EQ(ErrorCode::OK,
1204 GenerateKey(AuthorizationSetBuilder()
1205 .RsaSigningKey(key_size, 65537)
1206 .Digest(Digest::NONE)
1207 .Padding(PaddingMode::NONE)
1208 .AttestationChallenge(challenge)
1209 .AttestationApplicationId(app_id)
1210 .Authorization(TAG_NO_AUTH_REQUIRED)
1211 .SetDefaultValidity(),
1212 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1213 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1214
1215 ASSERT_GT(key_blob.size(), 0U);
1216 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1217 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1218
1219 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1220
1221 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1222 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1223 << "Key size " << key_size << "missing";
1224 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1225
1226 // Attestation by itself is not valid (last entry is not self-signed).
1227 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1228
1229 // The signature over the attested key should correspond to the P256 public key.
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1230 ASSERT_GT(cert_chain_.size(), 0);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1231 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1232 ASSERT_TRUE(key_cert.get());
1233 EVP_PKEY_Ptr signing_pubkey;
1234 p256_pub_key(coseKeyData, &signing_pubkey);
1235 ASSERT_TRUE(signing_pubkey.get());
1236
1237 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1238 << "Verification of attested certificate failed "
1239 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1240 }
1241}
1242
1243/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1244 * NewKeyGenerationTest.EcdsaWithRkpAttestation
1245 *
1246 * Verifies that keymint can generate all required ECDSA key sizes using an attestation key
1247 * that has been generated using an associate IRemotelyProvisionedComponent.
1248 */
1249TEST_P(NewKeyGenerationTest, EcdsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1250 if (!IsRkpSupportRequired()) {
1251 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1252 }
1253
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1254 // Check for an IRemotelyProvisionedComponent instance associated with the
1255 // KeyMint instance.
1256 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1257 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1258 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1259 }
1260 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1261 << GetParam();
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1262
1263 // Generate a P-256 keypair to use as an attestation key.
1264 MacedPublicKey macedPubKey;
1265 std::vector<uint8_t> privateKeyBlob;
1266 auto status =
1267 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1268 ASSERT_TRUE(status.isOk());
1269 vector<uint8_t> coseKeyData;
1270 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1271
1272 AttestationKey attestation_key;
1273 attestation_key.keyBlob = std::move(privateKeyBlob);
1274 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1275
1276 for (auto curve : ValidCurves()) {
1277 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
1278 auto challenge = "hello";
1279 auto app_id = "foo";
1280
1281 vector<uint8_t> key_blob;
1282 vector<KeyCharacteristics> key_characteristics;
1283 ASSERT_EQ(ErrorCode::OK,
1284 GenerateKey(AuthorizationSetBuilder()
1285 .EcdsaSigningKey(curve)
1286 .Digest(Digest::NONE)
1287 .AttestationChallenge(challenge)
1288 .AttestationApplicationId(app_id)
1289 .Authorization(TAG_NO_AUTH_REQUIRED)
1290 .SetDefaultValidity(),
1291 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1292 KeyBlobDeleter deleter(keymint_, key_blob);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1293
1294 ASSERT_GT(key_blob.size(), 0U);
1295 CheckBaseParams(key_characteristics);
1296 CheckCharacteristics(key_blob, key_characteristics);
1297
1298 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1299
1300 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1301 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1302
1303 // Attestation by itself is not valid (last entry is not self-signed).
1304 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1305
1306 // The signature over the attested key should correspond to the P256 public key.
1307 ASSERT_GT(cert_chain_.size(), 0);
1308 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1309 ASSERT_TRUE(key_cert.get());
1310 EVP_PKEY_Ptr signing_pubkey;
1311 p256_pub_key(coseKeyData, &signing_pubkey);
1312 ASSERT_TRUE(signing_pubkey.get());
1313
1314 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1315 << "Verification of attested certificate failed "
1316 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1317 }
1318}
1319
1320/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1321 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1322 *
1323 * Verifies that keymint attestation for RSA encryption keys with challenge and
1324 * app id is also successful.
1325 */
1326TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1327 auto key_size = 2048;
1328 auto challenge = "hello";
1329 auto app_id = "foo";
1330
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1331 auto subject = "subj 2";
1332 vector<uint8_t> subject_der(make_name_from_str(subject));
1333
1334 uint64_t serial_int = 111166;
1335 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1336
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1337 vector<uint8_t> key_blob;
1338 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1339 auto builder = AuthorizationSetBuilder()
1340 .RsaEncryptionKey(key_size, 65537)
1341 .Padding(PaddingMode::NONE)
1342 .AttestationChallenge(challenge)
1343 .AttestationApplicationId(app_id)
1344 .Authorization(TAG_NO_AUTH_REQUIRED)
1345 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1346 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1347 .SetDefaultValidity();
1348
1349 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1350 // Strongbox may not support factory provisioned attestation key.
1351 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1352 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1353 result = GenerateKeyWithSelfSignedAttestKey(
1354 AuthorizationSetBuilder()
1355 .RsaKey(key_size, 65537)
1356 .AttestKey()
1357 .SetDefaultValidity(), /* attest key params */
1358 builder, &key_blob, &key_characteristics);
1359 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1360 }
1361 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1362 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1363
1364 ASSERT_GT(key_blob.size(), 0U);
1365 AuthorizationSet auths;
1366 for (auto& entry : key_characteristics) {
1367 auths.push_back(AuthorizationSet(entry.authorizations));
1368 }
1369
1370 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1371 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1372
1373 // Verify that App data and ROT are NOT included.
1374 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1375 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1376
1377 // Check that some unexpected tags/values are NOT present.
1378 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1379 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1380
1381 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1382
1383 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1384 ASSERT_TRUE(os_ver);
1385 EXPECT_EQ(*os_ver, os_version());
1386
1387 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1388
1389 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1390 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1391 << "Key size " << key_size << "missing";
1392 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1393
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1394 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1395 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1396 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1397
1398 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1399 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1400 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1401 sw_enforced, hw_enforced, SecLevel(),
1402 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1403}
1404
1405/*
1406 * NewKeyGenerationTest.RsaWithSelfSign
1407 *
1408 * Verifies that attesting to RSA key generation is successful, and returns
1409 * self signed certificate if no challenge is provided. And signing etc
1410 * works as expected.
1411 */
1412TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1413 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1414 vector<uint8_t> subject_der(make_name_from_str(subject));
1415
1416 uint64_t serial_int = 0;
1417 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1418
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1419 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1420 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1421 vector<uint8_t> key_blob;
1422 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1423 ASSERT_EQ(ErrorCode::OK,
1424 GenerateKey(AuthorizationSetBuilder()
1425 .RsaSigningKey(key_size, 65537)
1426 .Digest(Digest::NONE)
1427 .Padding(PaddingMode::NONE)
1428 .Authorization(TAG_NO_AUTH_REQUIRED)
1429 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1430 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1431 .SetDefaultValidity(),
1432 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1433 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1434
1435 ASSERT_GT(key_blob.size(), 0U);
1436 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1437 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1438
1439 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1440
1441 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1442 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1443 << "Key size " << key_size << "missing";
1444 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1445
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1446 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1447 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1448 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1449 }
1450}
1451
1452/*
1453 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1454 *
1455 * Verifies that attesting to RSA checks for missing app ID.
1456 */
1457TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1458 auto challenge = "hello";
1459 vector<uint8_t> key_blob;
1460 vector<KeyCharacteristics> key_characteristics;
1461
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1462 auto builder = AuthorizationSetBuilder()
1463 .RsaSigningKey(2048, 65537)
1464 .Digest(Digest::NONE)
1465 .Padding(PaddingMode::NONE)
1466 .AttestationChallenge(challenge)
1467 .Authorization(TAG_NO_AUTH_REQUIRED)
1468 .SetDefaultValidity();
1469
1470 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1471 // Strongbox may not support factory provisioned attestation key.
1472 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1473 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1474 result = GenerateKeyWithSelfSignedAttestKey(
1475 AuthorizationSetBuilder()
1476 .RsaKey(2048, 65537)
1477 .AttestKey()
1478 .SetDefaultValidity(), /* attest key params */
1479 builder, &key_blob, &key_characteristics);
1480 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1481 }
1482 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1483}
1484
1485/*
1486 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1487 *
1488 * Verifies that attesting to RSA ignores app id if challenge is missing.
1489 */
1490TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1491 auto key_size = 2048;
1492 auto app_id = "foo";
1493
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1494 auto subject = "cert subj 2";
1495 vector<uint8_t> subject_der(make_name_from_str(subject));
1496
1497 uint64_t serial_int = 1;
1498 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1499
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1500 vector<uint8_t> key_blob;
1501 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1502 ASSERT_EQ(ErrorCode::OK,
1503 GenerateKey(AuthorizationSetBuilder()
1504 .RsaSigningKey(key_size, 65537)
1505 .Digest(Digest::NONE)
1506 .Padding(PaddingMode::NONE)
1507 .AttestationApplicationId(app_id)
1508 .Authorization(TAG_NO_AUTH_REQUIRED)
1509 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1510 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1511 .SetDefaultValidity(),
1512 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1513 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1514
1515 ASSERT_GT(key_blob.size(), 0U);
1516 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1517 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1518
1519 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1520
1521 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1522 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1523 << "Key size " << key_size << "missing";
1524 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1525
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1526 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1527 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1528 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1529 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1530}
1531
1532/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1533 * NewKeyGenerationTest.LimitedUsageRsa
1534 *
1535 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1536 * resulting keys have correct characteristics.
1537 */
1538TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1539 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1540 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1541 vector<uint8_t> key_blob;
1542 vector<KeyCharacteristics> key_characteristics;
1543 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1544 .RsaSigningKey(key_size, 65537)
1545 .Digest(Digest::NONE)
1546 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1547 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1548 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1549 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1550 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1551
1552 ASSERT_GT(key_blob.size(), 0U);
1553 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1554 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1555
1556 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1557
1558 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1559 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1560 << "Key size " << key_size << "missing";
1561 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1562
1563 // Check the usage count limit tag appears in the authorizations.
1564 AuthorizationSet auths;
1565 for (auto& entry : key_characteristics) {
1566 auths.push_back(AuthorizationSet(entry.authorizations));
1567 }
1568 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1569 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1570 }
1571}
1572
1573/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1574 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1575 *
1576 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1577 * resulting keys have correct characteristics and attestation.
1578 */
1579TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1580 auto challenge = "hello";
1581 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1582
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1583 auto subject = "cert subj 2";
1584 vector<uint8_t> subject_der(make_name_from_str(subject));
1585
1586 uint64_t serial_int = 66;
1587 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1588
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1589 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1590 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1591 vector<uint8_t> key_blob;
1592 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1593 auto builder = AuthorizationSetBuilder()
1594 .RsaSigningKey(key_size, 65537)
1595 .Digest(Digest::NONE)
1596 .Padding(PaddingMode::NONE)
1597 .AttestationChallenge(challenge)
1598 .AttestationApplicationId(app_id)
1599 .Authorization(TAG_NO_AUTH_REQUIRED)
1600 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1601 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1602 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1603 .SetDefaultValidity();
1604
1605 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1606 // Strongbox may not support factory provisioned attestation key.
1607 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1608 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1609 result = GenerateKeyWithSelfSignedAttestKey(
1610 AuthorizationSetBuilder()
1611 .RsaKey(key_size, 65537)
1612 .AttestKey()
1613 .SetDefaultValidity(), /* attest key params */
1614 builder, &key_blob, &key_characteristics);
1615 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1616 }
1617 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1618 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1619
1620 ASSERT_GT(key_blob.size(), 0U);
1621 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1622 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1623
1624 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1625
1626 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1627 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1628 << "Key size " << key_size << "missing";
1629 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1630
1631 // Check the usage count limit tag appears in the authorizations.
1632 AuthorizationSet auths;
1633 for (auto& entry : key_characteristics) {
1634 auths.push_back(AuthorizationSet(entry.authorizations));
1635 }
1636 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1637 << "key usage count limit " << 1U << " missing";
1638
1639 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1640 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1641 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1642 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1643
1644 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1645 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1646 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1647 sw_enforced, hw_enforced, SecLevel(),
1648 cert_chain_[0].encodedCertificate));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1649 }
1650}
1651
1652/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1653 * NewKeyGenerationTest.NoInvalidRsaSizes
1654 *
1655 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1656 */
1657TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1658 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1659 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1660 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1661 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1662 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1663 GenerateKey(AuthorizationSetBuilder()
1664 .RsaSigningKey(key_size, 65537)
1665 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1666 .Padding(PaddingMode::NONE)
1667 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1668 &key_blob, &key_characteristics));
1669 }
1670}
1671
1672/*
1673 * NewKeyGenerationTest.RsaNoDefaultSize
1674 *
1675 * Verifies that failing to specify a key size for RSA key generation returns
1676 * UNSUPPORTED_KEY_SIZE.
1677 */
1678TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1679 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1680 GenerateKey(AuthorizationSetBuilder()
1681 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1682 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1683 .SigningKey()
1684 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1685}
1686
1687/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1688 * NewKeyGenerationTest.RsaMissingParams
1689 *
1690 * Verifies that omitting optional tags works.
1691 */
1692TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1693 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1694 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1695 ASSERT_EQ(ErrorCode::OK,
1696 GenerateKey(
1697 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1698 CheckedDeleteKey();
1699 }
1700}
1701
1702/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1703 * NewKeyGenerationTest.Ecdsa
1704 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1705 * Verifies that keymint can generate all required EC curves, and that the resulting keys
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1706 * have correct characteristics.
1707 */
1708TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1709 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1710 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1711 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1712 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1713 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1714 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1715 .Digest(Digest::NONE)
1716 .SetDefaultValidity(),
1717 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1718 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1719 ASSERT_GT(key_blob.size(), 0U);
1720 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1721 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1722
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1723 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1724
1725 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1726 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1727 }
1728}
1729
1730/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1731 * NewKeyGenerationTest.EcdsaCurve25519
1732 *
1733 * Verifies that keymint can generate a curve25519 key, and that the resulting key
1734 * has correct characteristics.
1735 */
1736TEST_P(NewKeyGenerationTest, EcdsaCurve25519) {
1737 if (!Curve25519Supported()) {
1738 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1739 }
1740
1741 EcCurve curve = EcCurve::CURVE_25519;
1742 vector<uint8_t> key_blob;
1743 vector<KeyCharacteristics> key_characteristics;
1744 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1745 .EcdsaSigningKey(curve)
1746 .Digest(Digest::NONE)
1747 .SetDefaultValidity(),
1748 &key_blob, &key_characteristics);
1749 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1750 KeyBlobDeleter deleter(keymint_, key_blob);
1751
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1752 ASSERT_GT(key_blob.size(), 0U);
1753
1754 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1755 ASSERT_GT(cert_chain_.size(), 0);
1756
1757 CheckBaseParams(key_characteristics);
1758 CheckCharacteristics(key_blob, key_characteristics);
1759
1760 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1761
1762 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1763 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1764}
1765
1766/*
1767 * NewKeyGenerationTest.EcCurve25519MultiPurposeFail
1768 *
1769 * Verifies that KeyMint rejects an attempt to generate a curve 25519 key for both
1770 * SIGN and AGREE_KEY.
1771 */
1772TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
1773 if (!Curve25519Supported()) {
1774 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1775 }
1776
1777 EcCurve curve = EcCurve::CURVE_25519;
1778 vector<uint8_t> key_blob;
1779 vector<KeyCharacteristics> key_characteristics;
1780 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1781 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
1782 .EcdsaSigningKey(curve)
1783 .Digest(Digest::NONE)
1784 .SetDefaultValidity(),
1785 &key_blob, &key_characteristics);
1786 ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
1787}
1788
1789/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1790 * NewKeyGenerationTest.EcdsaWithMissingValidity
1791 *
1792 * Verifies that keymint returns an error while generating asymmetric key
1793 * without providing NOT_BEFORE and NOT_AFTER parameters.
1794 */
1795TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1796 if (AidlVersion() < 2) {
1797 /*
1798 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1799 * specified for asymmetric key generation. However, this was not
1800 * checked at the time so we can only be strict about checking this for
1801 * implementations of KeyMint version 2 and above.
1802 */
1803 GTEST_SKIP() << "Validity strict since KeyMint v2";
1804 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1805 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1806 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1807 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1808
1809 vector<uint8_t> key_blob;
1810 vector<KeyCharacteristics> key_characteristics;
1811 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1812 GenerateKey(AuthorizationSetBuilder()
1813 .EcdsaSigningKey(EcCurve::P_256)
1814 .Digest(Digest::NONE)
1815 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1816 kUndefinedExpirationDateTime),
1817 &key_blob, &key_characteristics));
1818
1819 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1820 GenerateKey(AuthorizationSetBuilder()
1821 .EcdsaSigningKey(EcCurve::P_256)
1822 .Digest(Digest::NONE)
1823 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1824 &key_blob, &key_characteristics));
1825}
1826
1827/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1828 * NewKeyGenerationTest.EcdsaAttestation
1829 *
1830 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1831 * an attestation will be generated.
1832 */
1833TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1834 auto challenge = "hello";
1835 auto app_id = "foo";
1836
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1837 auto subject = "cert subj 2";
1838 vector<uint8_t> subject_der(make_name_from_str(subject));
1839
1840 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1841 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1842
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1843 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1844 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1845 vector<uint8_t> key_blob;
1846 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1847 auto builder = AuthorizationSetBuilder()
1848 .Authorization(TAG_NO_AUTH_REQUIRED)
1849 .EcdsaSigningKey(curve)
1850 .Digest(Digest::NONE)
1851 .AttestationChallenge(challenge)
1852 .AttestationApplicationId(app_id)
1853 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1854 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1855 .SetDefaultValidity();
1856
1857 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1858 // Strongbox may not support factory provisioned attestation key.
1859 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1860 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1861 result = GenerateKeyWithSelfSignedAttestKey(
1862 AuthorizationSetBuilder()
1863 .EcdsaKey(curve)
1864 .AttestKey()
1865 .SetDefaultValidity(), /* attest key params */
1866 builder, &key_blob, &key_characteristics);
1867 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1868 }
1869 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1870 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1871 ASSERT_GT(key_blob.size(), 0U);
1872 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1873 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1874
1875 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1876
1877 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1878 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1879
1880 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1881 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1882 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1883
1884 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1885 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1886 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1887 sw_enforced, hw_enforced, SecLevel(),
1888 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1889 }
1890}
1891
1892/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1893 * NewKeyGenerationTest.EcdsaAttestationCurve25519
1894 *
1895 * Verifies that for a curve 25519 key, if challenge and app id is provided,
1896 * an attestation will be generated.
1897 */
1898TEST_P(NewKeyGenerationTest, EcdsaAttestationCurve25519) {
1899 if (!Curve25519Supported()) {
1900 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1901 }
1902
1903 EcCurve curve = EcCurve::CURVE_25519;
1904 auto challenge = "hello";
1905 auto app_id = "foo";
1906
1907 auto subject = "cert subj 2";
1908 vector<uint8_t> subject_der(make_name_from_str(subject));
1909
1910 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1911 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1912
1913 vector<uint8_t> key_blob;
1914 vector<KeyCharacteristics> key_characteristics;
1915 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1916 .Authorization(TAG_NO_AUTH_REQUIRED)
1917 .EcdsaSigningKey(curve)
1918 .Digest(Digest::NONE)
1919 .AttestationChallenge(challenge)
1920 .AttestationApplicationId(app_id)
1921 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1922 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1923 .SetDefaultValidity(),
1924 &key_blob, &key_characteristics);
1925 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1926 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1927 ASSERT_GT(key_blob.size(), 0U);
1928 CheckBaseParams(key_characteristics);
1929 CheckCharacteristics(key_blob, key_characteristics);
1930
1931 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1932
1933 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1934 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1935
1936 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1937 ASSERT_GT(cert_chain_.size(), 0);
1938 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
1939
1940 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1941 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1942 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
1943 sw_enforced, hw_enforced, SecLevel(),
1944 cert_chain_[0].encodedCertificate));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1945}
1946
1947/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1948 * NewKeyGenerationTest.EcdsaAttestationTags
1949 *
1950 * Verifies that creation of an attested ECDSA key includes various tags in the
1951 * attestation extension.
1952 */
1953TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1954 auto challenge = "hello";
1955 auto app_id = "foo";
1956 auto subject = "cert subj 2";
1957 vector<uint8_t> subject_der(make_name_from_str(subject));
1958 uint64_t serial_int = 0x1010;
1959 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1960 const AuthorizationSetBuilder base_builder =
1961 AuthorizationSetBuilder()
1962 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1963 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1964 .Digest(Digest::NONE)
1965 .AttestationChallenge(challenge)
1966 .AttestationApplicationId(app_id)
1967 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1968 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1969 .SetDefaultValidity();
1970
1971 // Various tags that map to fields in the attestation extension ASN.1 schema.
1972 auto extra_tags = AuthorizationSetBuilder()
1973 .Authorization(TAG_ROLLBACK_RESISTANCE)
1974 .Authorization(TAG_EARLY_BOOT_ONLY)
1975 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1976 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1977 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1978 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1979 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1980 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1981 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1982 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1983 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1984 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1985
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1986 for (const KeyParameter& tag : extra_tags) {
1987 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1988 vector<uint8_t> key_blob;
1989 vector<KeyCharacteristics> key_characteristics;
1990 AuthorizationSetBuilder builder = base_builder;
1991 builder.push_back(tag);
1992 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1993 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1994 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1995 continue;
1996 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1997 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1998 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1999 continue;
2000 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2001 // Strongbox may not support factory provisioned attestation key.
2002 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2003 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2004 result = GenerateKeyWithSelfSignedAttestKey(
2005 AuthorizationSetBuilder()
2006 .EcdsaKey(EcCurve::P_256)
2007 .AttestKey()
2008 .SetDefaultValidity(), /* attest key params */
2009 builder, &key_blob, &key_characteristics);
2010 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2011 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2012 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2013 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2014 ASSERT_GT(key_blob.size(), 0U);
2015
2016 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2017 ASSERT_GT(cert_chain_.size(), 0);
2018 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2019
2020 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2021 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]2022 // Some tags are optional, so don't require them to be in the enforcements.
2023 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2024 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
2025 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
2026 }
2027
2028 // Verifying the attestation record will check for the specific tag because
2029 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2030 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2031 hw_enforced, SecLevel(),
2032 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2033 }
2034
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2035 // Collection of invalid attestation ID tags.
2036 auto invalid_tags =
2037 AuthorizationSetBuilder()
2038 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
2039 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
2040 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
2041 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
2042 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
2043 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
2044 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
2045 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2046 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2047 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2048 vector<uint8_t> key_blob;
2049 vector<KeyCharacteristics> key_characteristics;
2050 AuthorizationSetBuilder builder =
2051 AuthorizationSetBuilder()
2052 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2053 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2054 .Digest(Digest::NONE)
2055 .AttestationChallenge(challenge)
2056 .AttestationApplicationId(app_id)
2057 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2058 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2059 .SetDefaultValidity();
2060 builder.push_back(tag);
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2061
2062 auto error = GenerateKey(builder, &key_blob, &key_characteristics);
2063 // Strongbox may not support factory provisioned attestation key.
2064 if (SecLevel() == SecurityLevel::STRONGBOX) {
2065 if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2066 error = GenerateKeyWithSelfSignedAttestKey(
2067 AuthorizationSetBuilder()
2068 .EcdsaKey(EcCurve::P_256)
2069 .AttestKey()
2070 .SetDefaultValidity(), /* attest key params */
2071 builder, &key_blob, &key_characteristics);
2072 }
2073 }
David Drysdalec68dc932023-07-06 10:05:12 +0100[diff] [blame]2074
2075 device_id_attestation_check_acceptable_error(tag.tag, error);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2076 }
2077}
2078
2079/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2080 * NewKeyGenerationTest.EcdsaAttestationIdTags
2081 *
2082 * Verifies that creation of an attested ECDSA key includes various ID tags in the
2083 * attestation extension.
2084 */
2085TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
2086 auto challenge = "hello";
2087 auto app_id = "foo";
2088 auto subject = "cert subj 2";
2089 vector<uint8_t> subject_der(make_name_from_str(subject));
2090 uint64_t serial_int = 0x1010;
2091 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2092 const AuthorizationSetBuilder base_builder =
2093 AuthorizationSetBuilder()
2094 .Authorization(TAG_NO_AUTH_REQUIRED)
2095 .EcdsaSigningKey(EcCurve::P_256)
2096 .Digest(Digest::NONE)
2097 .AttestationChallenge(challenge)
2098 .AttestationApplicationId(app_id)
2099 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2100 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2101 .SetDefaultValidity();
2102
2103 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
2104 auto extra_tags = AuthorizationSetBuilder();
Prashant Patil24f75792023-09-07 15:25:14 +0000[diff] [blame]2105 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_BRAND, "brand");
2106 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "device");
2107 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "name");
2108 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "manufacturer");
2109 add_attestation_id(&extra_tags, TAG_ATTESTATION_ID_MODEL, "model");
Tri Vo799e4352022-11-07 17:23:50 -0800[diff] [blame]2110 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serialno");
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2111
2112 for (const KeyParameter& tag : extra_tags) {
2113 SCOPED_TRACE(testing::Message() << "tag-" << tag);
2114 vector<uint8_t> key_blob;
2115 vector<KeyCharacteristics> key_characteristics;
2116 AuthorizationSetBuilder builder = base_builder;
2117 builder.push_back(tag);
2118 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2119 // Strongbox may not support factory provisioned attestation key.
2120 if (SecLevel() == SecurityLevel::STRONGBOX) {
2121 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
2122 }
Prashant Patil88ad1892022-03-15 16:31:02 +0000[diff] [blame]2123 if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
2124 // ID attestation was optional till api level 32, from api level 33 it is mandatory.
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2125 continue;
2126 }
2127 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2128 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2129 ASSERT_GT(key_blob.size(), 0U);
2130
2131 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2132 ASSERT_GT(cert_chain_.size(), 0);
2133 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2134
2135 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2136 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2137
2138 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
2139 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
2140 // attestation extension should contain them, so make sure the extra tag is added.
2141 hw_enforced.push_back(tag);
2142
2143 // Verifying the attestation record will check for the specific tag because
2144 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2145 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2146 hw_enforced, SecLevel(),
2147 cert_chain_[0].encodedCertificate));
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2148 }
2149}
2150
2151/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2152 * NewKeyGenerationTest.EcdsaAttestationUniqueId
2153 *
2154 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
2155 */
2156TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
2157 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2158 vector<uint8_t>* unique_id, bool reset = false) {
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2159 auto challenge = "hello";
2160 auto subject = "cert subj 2";
2161 vector<uint8_t> subject_der(make_name_from_str(subject));
2162 uint64_t serial_int = 0x1010;
2163 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2164 AuthorizationSetBuilder builder =
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2165 AuthorizationSetBuilder()
2166 .Authorization(TAG_NO_AUTH_REQUIRED)
2167 .Authorization(TAG_INCLUDE_UNIQUE_ID)
2168 .EcdsaSigningKey(EcCurve::P_256)
2169 .Digest(Digest::NONE)
2170 .AttestationChallenge(challenge)
2171 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2172 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2173 .AttestationApplicationId(app_id)
2174 .Authorization(TAG_CREATION_DATETIME, datetime)
2175 .SetDefaultValidity();
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2176 if (reset) {
2177 builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
2178 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2179 auto result = GenerateKey(builder);
2180 if (SecLevel() == SecurityLevel::STRONGBOX) {
2181 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2182 result = GenerateKeyWithSelfSignedAttestKey(
2183 AuthorizationSetBuilder()
2184 .EcdsaKey(EcCurve::P_256)
2185 .AttestKey()
2186 .SetDefaultValidity(), /* attest key params */
2187 builder, &key_blob_, &key_characteristics_, &cert_chain_);
2188 }
2189 }
2190 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2191 ASSERT_GT(key_blob_.size(), 0U);
2192
2193 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2194 ASSERT_GT(cert_chain_.size(), 0);
2195 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2196
2197 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
2198 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
2199
2200 // Check that the unique ID field in the extension is non-empty.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2201 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2202 hw_enforced, SecLevel(),
2203 cert_chain_[0].encodedCertificate, unique_id));
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2204 EXPECT_GT(unique_id->size(), 0);
2205 CheckedDeleteKey();
2206 };
2207
2208 // Generate unique ID
2209 auto app_id = "foo";
2210 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
2211 vector<uint8_t> unique_id;
2212 get_unique_id(app_id, cert_date, &unique_id);
2213
2214 // Generating a new key with the same parameters should give the same unique ID.
2215 vector<uint8_t> unique_id2;
2216 get_unique_id(app_id, cert_date, &unique_id2);
2217 EXPECT_EQ(unique_id, unique_id2);
2218
2219 // Generating a new key with a slightly different date should give the same unique ID.
2220 uint64_t rounded_date = cert_date / 2592000000LLU;
2221 uint64_t min_date = rounded_date * 2592000000LLU;
2222 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
2223
2224 vector<uint8_t> unique_id3;
2225 get_unique_id(app_id, min_date, &unique_id3);
2226 EXPECT_EQ(unique_id, unique_id3);
2227
2228 vector<uint8_t> unique_id4;
2229 get_unique_id(app_id, max_date, &unique_id4);
2230 EXPECT_EQ(unique_id, unique_id4);
2231
2232 // A different attestation application ID should yield a different unique ID.
2233 auto app_id2 = "different_foo";
2234 vector<uint8_t> unique_id5;
2235 get_unique_id(app_id2, cert_date, &unique_id5);
2236 EXPECT_NE(unique_id, unique_id5);
2237
2238 // A radically different date should yield a different unique ID.
2239 vector<uint8_t> unique_id6;
2240 get_unique_id(app_id, 1611621648000, &unique_id6);
2241 EXPECT_NE(unique_id, unique_id6);
2242
2243 vector<uint8_t> unique_id7;
2244 get_unique_id(app_id, max_date + 1, &unique_id7);
2245 EXPECT_NE(unique_id, unique_id7);
2246
2247 vector<uint8_t> unique_id8;
2248 get_unique_id(app_id, min_date - 1, &unique_id8);
2249 EXPECT_NE(unique_id, unique_id8);
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2250
2251 // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
2252 vector<uint8_t> unique_id9;
2253 get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
2254 EXPECT_NE(unique_id, unique_id9);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2255}
2256
2257/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2258 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
2259 *
2260 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
2261 */
2262TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
2263 auto challenge = "hello";
2264 auto attest_app_id = "foo";
2265 auto subject = "cert subj 2";
2266 vector<uint8_t> subject_der(make_name_from_str(subject));
2267 uint64_t serial_int = 0x1010;
2268 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2269
2270 // Earlier versions of the attestation extension schema included a slot:
2271 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
2272 // This should never have been included, and should never be filled in.
2273 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
2274 // to confirm that this field never makes it into the attestation extension.
2275 vector<uint8_t> key_blob;
2276 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2277 auto builder = AuthorizationSetBuilder()
2278 .Authorization(TAG_NO_AUTH_REQUIRED)
2279 .EcdsaSigningKey(EcCurve::P_256)
2280 .Digest(Digest::NONE)
2281 .AttestationChallenge(challenge)
2282 .AttestationApplicationId(attest_app_id)
2283 .Authorization(TAG_APPLICATION_ID, "client_id")
2284 .Authorization(TAG_APPLICATION_DATA, "appdata")
2285 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2286 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2287 .SetDefaultValidity();
2288
2289 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2290 // Strongbox may not support factory provisioned attestation key.
2291 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2292 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2293 result = GenerateKeyWithSelfSignedAttestKey(
2294 AuthorizationSetBuilder()
2295 .EcdsaKey(EcCurve::P_256)
2296 .AttestKey()
2297 .SetDefaultValidity(), /* attest key params */
2298 builder, &key_blob, &key_characteristics);
2299 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2300 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2301 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2302 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2303 ASSERT_GT(key_blob.size(), 0U);
2304
2305 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2306 ASSERT_GT(cert_chain_.size(), 0);
2307 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2308
2309 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2310 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2311 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
2312 hw_enforced, SecLevel(),
2313 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2314
2315 // Check that the app id is not in the cert.
2316 string app_id = "clientid";
2317 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
2318 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
2319 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
2320 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
2321 cert_chain_[0].encodedCertificate.end());
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2322}
2323
2324/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2325 * NewKeyGenerationTest.EcdsaSelfSignAttestation
2326 *
2327 * Verifies that if no challenge is provided to an Ecdsa key generation, then
2328 * the key will generate a self signed attestation.
2329 */
2330TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2331 auto subject = "cert subj 2";
2332 vector<uint8_t> subject_der(make_name_from_str(subject));
2333
2334 uint64_t serial_int = 0x123456FFF1234;
2335 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2336
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2337 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2338 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2339 vector<uint8_t> key_blob;
2340 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2341 ASSERT_EQ(ErrorCode::OK,
2342 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2343 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2344 .Digest(Digest::NONE)
2345 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2346 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2347 .SetDefaultValidity(),
2348 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2349 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2350 ASSERT_GT(key_blob.size(), 0U);
2351 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2352 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2353
2354 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2355
2356 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2357 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2358
2359 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2360 ASSERT_EQ(cert_chain_.size(), 1);
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]2361 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2362
2363 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2364 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2365 }
2366}
2367
2368/*
2369 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
2370 *
2371 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
2372 * app id must also be provided or else it will fail.
2373 */
2374TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
2375 auto challenge = "hello";
2376 vector<uint8_t> key_blob;
2377 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2378 auto builder = AuthorizationSetBuilder()
2379 .EcdsaSigningKey(EcCurve::P_256)
2380 .Digest(Digest::NONE)
2381 .AttestationChallenge(challenge)
2382 .SetDefaultValidity();
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2383
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2384 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2385 // Strongbox may not support factory provisioned attestation key.
2386 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2387 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2388 result = GenerateKeyWithSelfSignedAttestKey(
2389 AuthorizationSetBuilder()
2390 .EcdsaKey(EcCurve::P_256)
2391 .AttestKey()
2392 .SetDefaultValidity(), /* attest key params */
2393 builder, &key_blob, &key_characteristics);
2394 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2395 }
2396 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2397}
2398
2399/*
2400 * NewKeyGenerationTest.EcdsaIgnoreAppId
2401 *
2402 * Verifies that if no challenge is provided to the Ecdsa key generation, then
2403 * any appid will be ignored, and keymint will generate a self sign certificate.
2404 */
2405TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
2406 auto app_id = "foo";
2407
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2408 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2409 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2410 vector<uint8_t> key_blob;
2411 vector<KeyCharacteristics> key_characteristics;
2412 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2413 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2414 .Digest(Digest::NONE)
2415 .AttestationApplicationId(app_id)
2416 .SetDefaultValidity(),
2417 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2418 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2419
2420 ASSERT_GT(key_blob.size(), 0U);
2421 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2422 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2423
2424 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2425
2426 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2427 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2428
2429 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2430 ASSERT_EQ(cert_chain_.size(), 1);
2431
2432 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2433 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2434 }
2435}
2436
2437/*
2438 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
2439 *
2440 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
2441 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
2442 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
2443 * to specify how many following bytes will be used to encode the length.
2444 */
2445TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
2446 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2447 std::vector<uint32_t> app_id_lengths{143, 258};
2448
2449 for (uint32_t length : app_id_lengths) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2450 SCOPED_TRACE(testing::Message() << "app_id_len=" << length);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2451 const string app_id(length, 'a');
2452 vector<uint8_t> key_blob;
2453 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2454 auto builder = AuthorizationSetBuilder()
2455 .Authorization(TAG_NO_AUTH_REQUIRED)
2456 .EcdsaSigningKey(EcCurve::P_256)
2457 .Digest(Digest::NONE)
2458 .AttestationChallenge(challenge)
2459 .AttestationApplicationId(app_id)
2460 .SetDefaultValidity();
2461
2462 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2463 // Strongbox may not support factory provisioned attestation key.
2464 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2465 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2466 result = GenerateKeyWithSelfSignedAttestKey(
2467 AuthorizationSetBuilder()
2468 .EcdsaKey(EcCurve::P_256)
2469 .AttestKey()
2470 .SetDefaultValidity(), /* attest key params */
2471 builder, &key_blob, &key_characteristics);
2472 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2473 }
2474 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2475 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2476 ASSERT_GT(key_blob.size(), 0U);
2477 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2478 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2479
2480 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2481
2482 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2483 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2484
2485 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2486 ASSERT_GT(cert_chain_.size(), 0);
2487
2488 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2489 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2490 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2491 sw_enforced, hw_enforced, SecLevel(),
2492 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2493 }
2494}
2495
2496/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2497 * NewKeyGenerationTest.LimitedUsageEcdsa
2498 *
2499 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
2500 * resulting keys have correct characteristics.
2501 */
2502TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2503 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2504 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2505 vector<uint8_t> key_blob;
2506 vector<KeyCharacteristics> key_characteristics;
2507 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2508 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2509 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2510 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
2511 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2512 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2513 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2514
2515 ASSERT_GT(key_blob.size(), 0U);
2516 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2517 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2518
2519 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2520
2521 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2522 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2523
2524 // Check the usage count limit tag appears in the authorizations.
2525 AuthorizationSet auths;
2526 for (auto& entry : key_characteristics) {
2527 auths.push_back(AuthorizationSet(entry.authorizations));
2528 }
2529 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2530 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2531 }
2532}
2533
2534/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2535 * NewKeyGenerationTest.EcdsaDefaultSize
2536 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2537 * Verifies that failing to specify a curve for EC key generation returns
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2538 * UNSUPPORTED_KEY_SIZE or UNSUPPORTED_EC_CURVE.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2539 */
2540TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2541 auto result = GenerateKey(AuthorizationSetBuilder()
2542 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2543 .SigningKey()
2544 .Digest(Digest::NONE)
2545 .SetDefaultValidity());
2546 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2547 result == ErrorCode::UNSUPPORTED_EC_CURVE)
2548 << "unexpected result " << result;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2549}
2550
2551/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2552 * NewKeyGenerationTest.EcdsaInvalidCurve
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2553 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2554 * Verifies that specifying an invalid curve for EC key generation returns
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2555 * UNSUPPORTED_KEY_SIZE or UNSUPPORTED_EC_CURVE.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2556 */
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2557TEST_P(NewKeyGenerationTest, EcdsaInvalidCurve) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2558 for (auto curve : InvalidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2559 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2560 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2561 vector<KeyCharacteristics> key_characteristics;
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2562 auto result = GenerateKey(AuthorizationSetBuilder()
2563 .EcdsaSigningKey(curve)
2564 .Digest(Digest::NONE)
2565 .SetDefaultValidity(),
2566 &key_blob, &key_characteristics);
2567 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
David Drysdale84b685a2023-08-09 07:00:34 +0100[diff] [blame]2568 result == ErrorCode::UNSUPPORTED_EC_CURVE)
2569 << "unexpected result " << result;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2570 }
2571
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2572 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2573 GenerateKey(AuthorizationSetBuilder()
2574 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2575 .Authorization(TAG_KEY_SIZE, 190)
2576 .SigningKey()
2577 .Digest(Digest::NONE)
2578 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2579}
2580
2581/*
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2582 * NewKeyGenerationTest.EcdsaMissingCurve
2583 *
David Drysdale9ed7d2c2023-09-14 15:16:27 +0100[diff] [blame]2584 * Verifies that EC key generation fails if EC_CURVE not specified after KeyMint V3.
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2585 */
2586TEST_P(NewKeyGenerationTest, EcdsaMissingCurve) {
David Drysdale9ed7d2c2023-09-14 15:16:27 +0100[diff] [blame]2587 if (AidlVersion() < 3) {
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2588 /*
2589 * The KeyMint V1 spec required that EC_CURVE be specified for EC keys.
2590 * However, this was not checked at the time so we can only be strict about checking this
David Drysdale9ed7d2c2023-09-14 15:16:27 +0100[diff] [blame]2591 * for implementations of KeyMint version 3 and above.
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2592 */
David Drysdale9ed7d2c2023-09-14 15:16:27 +0100[diff] [blame]2593 GTEST_SKIP() << "Requiring EC_CURVE only strict since KeyMint v3";
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2594 }
2595 /* If EC_CURVE not provided, generateKey
2596 * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE.
2597 */
2598 auto result = GenerateKey(
2599 AuthorizationSetBuilder().EcdsaKey(256).Digest(Digest::NONE).SetDefaultValidity());
2600 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2601 result == ErrorCode::UNSUPPORTED_EC_CURVE);
2602}
2603
2604/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2605 * NewKeyGenerationTest.EcdsaMismatchKeySize
2606 *
2607 * Verifies that specifying mismatched key size and curve for EC key generation returns
2608 * INVALID_ARGUMENT.
2609 */
2610TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2611 if (SecLevel() == SecurityLevel::STRONGBOX) {
2612 GTEST_SKIP() << "Test not applicable to StrongBox device";
2613 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2614
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2615 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2616 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2617 .Authorization(TAG_KEY_SIZE, 224)
2618 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2619 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2620 .Digest(Digest::NONE)
2621 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2622 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2623}
2624
2625/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2626 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2627 *
2628 * Verifies that keymint does not support any curve designated as unsupported.
2629 */
2630TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2631 Digest digest;
2632 if (SecLevel() == SecurityLevel::STRONGBOX) {
2633 digest = Digest::SHA_2_256;
2634 } else {
2635 digest = Digest::SHA_2_512;
2636 }
2637 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2638 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2639 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2640 .EcdsaSigningKey(curve)
2641 .Digest(digest)
2642 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2643 << "Failed to generate key on curve: " << curve;
2644 CheckedDeleteKey();
2645 }
2646}
2647
2648/*
2649 * NewKeyGenerationTest.Hmac
2650 *
2651 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2652 * characteristics.
2653 */
2654TEST_P(NewKeyGenerationTest, Hmac) {
2655 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2656 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2657 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2658 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2659 constexpr size_t key_size = 128;
2660 ASSERT_EQ(ErrorCode::OK,
2661 GenerateKey(
2662 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2663 TAG_MIN_MAC_LENGTH, 128),
2664 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2665 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2666
2667 ASSERT_GT(key_blob.size(), 0U);
2668 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2669 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2670
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2671 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2672 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2673 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2674 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2675 }
2676}
2677
2678/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2679 * NewKeyGenerationTest.HmacNoAttestation
2680 *
2681 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2682 * and app id are provided.
2683 */
2684TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2685 auto challenge = "hello";
2686 auto app_id = "foo";
2687
2688 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2689 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2690 vector<uint8_t> key_blob;
2691 vector<KeyCharacteristics> key_characteristics;
2692 constexpr size_t key_size = 128;
2693 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2694 .HmacKey(key_size)
2695 .Digest(digest)
2696 .AttestationChallenge(challenge)
2697 .AttestationApplicationId(app_id)
2698 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2699 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2700 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2701
2702 ASSERT_GT(key_blob.size(), 0U);
2703 ASSERT_EQ(cert_chain_.size(), 0);
2704 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2705 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2706
2707 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2708 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2709 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2710 << "Key size " << key_size << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2711 }
2712}
2713
2714/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2715 * NewKeyGenerationTest.LimitedUsageHmac
2716 *
2717 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2718 * resulting keys have correct characteristics.
2719 */
2720TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2721 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2722 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2723 vector<uint8_t> key_blob;
2724 vector<KeyCharacteristics> key_characteristics;
2725 constexpr size_t key_size = 128;
2726 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2727 .HmacKey(key_size)
2728 .Digest(digest)
2729 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2730 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2731 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2732 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2733
2734 ASSERT_GT(key_blob.size(), 0U);
2735 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2736 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2737
2738 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2739 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2740 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2741 << "Key size " << key_size << "missing";
2742
2743 // Check the usage count limit tag appears in the authorizations.
2744 AuthorizationSet auths;
2745 for (auto& entry : key_characteristics) {
2746 auths.push_back(AuthorizationSet(entry.authorizations));
2747 }
2748 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2749 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2750 }
2751}
2752
2753/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2754 * NewKeyGenerationTest.HmacCheckKeySizes
2755 *
2756 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2757 */
2758TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2759 for (size_t key_size = 0; key_size <= 512; ++key_size) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2760 SCOPED_TRACE(testing::Message() << "HMAC-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2761 if (key_size < 64 || key_size % 8 != 0) {
2762 // To keep this test from being very slow, we only test a random fraction of
2763 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2764 // them, we expect to run ~40 of them in each run.
2765 if (key_size % 8 == 0 || random() % 10 == 0) {
2766 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2767 GenerateKey(AuthorizationSetBuilder()
2768 .HmacKey(key_size)
2769 .Digest(Digest::SHA_2_256)
2770 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2771 << "HMAC key size " << key_size << " invalid";
2772 }
2773 } else {
2774 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2775 .HmacKey(key_size)
2776 .Digest(Digest::SHA_2_256)
2777 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2778 << "Failed to generate HMAC key of size " << key_size;
2779 CheckedDeleteKey();
2780 }
2781 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2782 if (SecLevel() == SecurityLevel::STRONGBOX) {
2783 // STRONGBOX devices must not support keys larger than 512 bits.
2784 size_t key_size = 520;
2785 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2786 GenerateKey(AuthorizationSetBuilder()
2787 .HmacKey(key_size)
2788 .Digest(Digest::SHA_2_256)
2789 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2790 << "HMAC key size " << key_size << " unexpectedly valid";
2791 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2792}
2793
2794/*
2795 * NewKeyGenerationTest.HmacCheckMinMacLengths
2796 *
2797 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2798 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2799 * specific MAC length that failed, so reproducing a failed run will be easy.
2800 */
2801TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2802 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2803 SCOPED_TRACE(testing::Message() << "MIN_MAC_LENGTH=" << min_mac_length);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2804 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2805 // To keep this test from being very long, we only test a random fraction of
2806 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2807 // we expect to run ~17 of them in each run.
2808 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2809 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2810 GenerateKey(AuthorizationSetBuilder()
2811 .HmacKey(128)
2812 .Digest(Digest::SHA_2_256)
2813 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2814 << "HMAC min mac length " << min_mac_length << " invalid.";
2815 }
2816 } else {
2817 EXPECT_EQ(ErrorCode::OK,
2818 GenerateKey(AuthorizationSetBuilder()
2819 .HmacKey(128)
2820 .Digest(Digest::SHA_2_256)
2821 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2822 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2823 CheckedDeleteKey();
2824 }
2825 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2826
2827 // Minimum MAC length must be no more than 512 bits.
2828 size_t min_mac_length = 520;
2829 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2830 GenerateKey(AuthorizationSetBuilder()
2831 .HmacKey(128)
2832 .Digest(Digest::SHA_2_256)
2833 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2834 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2835}
2836
2837/*
2838 * NewKeyGenerationTest.HmacMultipleDigests
2839 *
2840 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2841 */
2842TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2843 if (SecLevel() == SecurityLevel::STRONGBOX) {
2844 GTEST_SKIP() << "Test not applicable to StrongBox device";
2845 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2846
2847 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2848 GenerateKey(AuthorizationSetBuilder()
2849 .HmacKey(128)
2850 .Digest(Digest::SHA1)
2851 .Digest(Digest::SHA_2_256)
2852 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2853}
2854
2855/*
2856 * NewKeyGenerationTest.HmacDigestNone
2857 *
2858 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2859 */
2860TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2861 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2862 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2863 128)));
2864
2865 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2866 GenerateKey(AuthorizationSetBuilder()
2867 .HmacKey(128)
2868 .Digest(Digest::NONE)
2869 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2870}
2871
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2872/*
2873 * NewKeyGenerationTest.AesNoAttestation
2874 *
2875 * Verifies that attestation parameters to AES keys are ignored and generateKey
2876 * will succeed.
2877 */
2878TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2879 auto challenge = "hello";
2880 auto app_id = "foo";
2881
2882 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2883 .Authorization(TAG_NO_AUTH_REQUIRED)
2884 .AesEncryptionKey(128)
2885 .EcbMode()
2886 .Padding(PaddingMode::PKCS7)
2887 .AttestationChallenge(challenge)
2888 .AttestationApplicationId(app_id)));
2889
2890 ASSERT_EQ(cert_chain_.size(), 0);
2891}
2892
2893/*
2894 * NewKeyGenerationTest.TripleDesNoAttestation
2895 *
2896 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2897 * will be successful. No attestation should be generated.
2898 */
2899TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2900 auto challenge = "hello";
2901 auto app_id = "foo";
2902
2903 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2904 .TripleDesEncryptionKey(168)
2905 .BlockMode(BlockMode::ECB)
2906 .Authorization(TAG_NO_AUTH_REQUIRED)
2907 .Padding(PaddingMode::NONE)
2908 .AttestationChallenge(challenge)
2909 .AttestationApplicationId(app_id)));
2910 ASSERT_EQ(cert_chain_.size(), 0);
2911}
2912
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2913INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2914
2915typedef KeyMintAidlTestBase SigningOperationsTest;
2916
2917/*
2918 * SigningOperationsTest.RsaSuccess
2919 *
2920 * Verifies that raw RSA signature operations succeed.
2921 */
2922TEST_P(SigningOperationsTest, RsaSuccess) {
2923 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2924 .RsaSigningKey(2048, 65537)
2925 .Digest(Digest::NONE)
2926 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2927 .Authorization(TAG_NO_AUTH_REQUIRED)
2928 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2929 string message = "12345678901234567890123456789012";
2930 string signature = SignMessage(
2931 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2932 LocalVerifyMessage(message, signature,
2933 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2934}
2935
2936/*
2937 * SigningOperationsTest.RsaAllPaddingsAndDigests
2938 *
2939 * Verifies RSA signature/verification for all padding modes and digests.
2940 */
2941TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2942 auto authorizations = AuthorizationSetBuilder()
2943 .Authorization(TAG_NO_AUTH_REQUIRED)
2944 .RsaSigningKey(2048, 65537)
2945 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2946 .Padding(PaddingMode::NONE)
2947 .Padding(PaddingMode::RSA_PSS)
2948 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2949 .SetDefaultValidity();
2950
2951 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2952
2953 string message(128, 'a');
2954 string corrupt_message(message);
2955 ++corrupt_message[corrupt_message.size() / 2];
2956
2957 for (auto padding :
2958 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2959 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2960 SCOPED_TRACE(testing::Message() << "RSA padding=" << padding << " digest=" << digest);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2961 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2962 // Digesting only makes sense with padding.
2963 continue;
2964 }
2965
2966 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2967 // PSS requires digesting.
2968 continue;
2969 }
2970
2971 string signature =
2972 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2973 LocalVerifyMessage(message, signature,
2974 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2975 }
2976 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2977}
2978
2979/*
2980 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2981 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2982 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2983 */
2984TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2985 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2986 .Authorization(TAG_NO_AUTH_REQUIRED)
2987 .RsaSigningKey(2048, 65537)
2988 .Digest(Digest::NONE)
2989 .Padding(PaddingMode::NONE)
2990 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2991 .Authorization(TAG_APPLICATION_DATA, "appdata")
2992 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2993
2994 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2995
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2996 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2997 Begin(KeyPurpose::SIGN,
2998 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2999 AbortIfNeeded();
3000 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3001 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3002 .Digest(Digest::NONE)
3003 .Padding(PaddingMode::NONE)
3004 .Authorization(TAG_APPLICATION_ID, "clientid")));
3005 AbortIfNeeded();
3006 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3007 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3008 .Digest(Digest::NONE)
3009 .Padding(PaddingMode::NONE)
3010 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3011 AbortIfNeeded();
3012 EXPECT_EQ(ErrorCode::OK,
3013 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3014 .Digest(Digest::NONE)
3015 .Padding(PaddingMode::NONE)
3016 .Authorization(TAG_APPLICATION_DATA, "appdata")
3017 .Authorization(TAG_APPLICATION_ID, "clientid")));
3018 AbortIfNeeded();
3019}
3020
3021/*
3022 * SigningOperationsTest.RsaPssSha256Success
3023 *
3024 * Verifies that RSA-PSS signature operations succeed.
3025 */
3026TEST_P(SigningOperationsTest, RsaPssSha256Success) {
3027 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3028 .RsaSigningKey(2048, 65537)
3029 .Digest(Digest::SHA_2_256)
3030 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3031 .Authorization(TAG_NO_AUTH_REQUIRED)
3032 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3033 // Use large message, which won't work without digesting.
3034 string message(1024, 'a');
3035 string signature = SignMessage(
3036 message,
3037 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
3038}
3039
3040/*
3041 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
3042 *
3043 * Verifies that keymint rejects signature operations that specify a padding mode when the key
3044 * supports only unpadded operations.
3045 */
3046TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
3047 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3048 .RsaSigningKey(2048, 65537)
3049 .Digest(Digest::NONE)
3050 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3051 .Padding(PaddingMode::NONE)
3052 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3053 string message = "12345678901234567890123456789012";
3054 string signature;
3055
3056 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
3057 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3058 .Digest(Digest::NONE)
3059 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3060}
3061
3062/*
3063 * SigningOperationsTest.NoUserConfirmation
3064 *
3065 * Verifies that keymint rejects signing operations for keys with
3066 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
3067 * presented.
3068 */
3069TEST_P(SigningOperationsTest, NoUserConfirmation) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3070 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
Subrahmanyamance2bebd2023-04-28 23:37:02 +0000[diff] [blame]3071 .RsaSigningKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3072 .Digest(Digest::NONE)
3073 .Padding(PaddingMode::NONE)
3074 .Authorization(TAG_NO_AUTH_REQUIRED)
3075 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
3076 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3077
3078 const string message = "12345678901234567890123456789012";
3079 EXPECT_EQ(ErrorCode::OK,
3080 Begin(KeyPurpose::SIGN,
3081 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3082 string signature;
3083 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
3084}
3085
3086/*
3087 * SigningOperationsTest.RsaPkcs1Sha256Success
3088 *
3089 * Verifies that digested RSA-PKCS1 signature operations succeed.
3090 */
3091TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
3092 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3093 .RsaSigningKey(2048, 65537)
3094 .Digest(Digest::SHA_2_256)
3095 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3096 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3097 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3098 string message(1024, 'a');
3099 string signature = SignMessage(message, AuthorizationSetBuilder()
3100 .Digest(Digest::SHA_2_256)
3101 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3102}
3103
3104/*
3105 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
3106 *
3107 * Verifies that undigested RSA-PKCS1 signature operations succeed.
3108 */
3109TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
3110 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3111 .RsaSigningKey(2048, 65537)
3112 .Digest(Digest::NONE)
3113 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3114 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3115 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3116 string message(53, 'a');
3117 string signature = SignMessage(message, AuthorizationSetBuilder()
3118 .Digest(Digest::NONE)
3119 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3120}
3121
3122/*
3123 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
3124 *
3125 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
3126 * given a too-long message.
3127 */
3128TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
3129 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3130 .RsaSigningKey(2048, 65537)
3131 .Digest(Digest::NONE)
3132 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3133 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3134 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3135 string message(257, 'a');
3136
3137 EXPECT_EQ(ErrorCode::OK,
3138 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3139 .Digest(Digest::NONE)
3140 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3141 string signature;
3142 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
3143}
3144
3145/*
3146 * SigningOperationsTest.RsaPssSha512TooSmallKey
3147 *
3148 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
3149 * used with a key that is too small for the message.
3150 *
3151 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
3152 * keymint specification requires that salt_size == digest_size, so the message will be
3153 * digest_size * 2 +
3154 * 16. Such a message can only be signed by a given key if the key is at least that size. This
3155 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
3156 * for a 1024-bit key.
3157 */
3158TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]3159 if (SecLevel() == SecurityLevel::STRONGBOX) {
3160 GTEST_SKIP() << "Test not applicable to StrongBox device";
3161 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3162 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3163 .RsaSigningKey(1024, 65537)
3164 .Digest(Digest::SHA_2_512)
3165 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3166 .Padding(PaddingMode::RSA_PSS)
3167 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3168 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3169 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3170 .Digest(Digest::SHA_2_512)
3171 .Padding(PaddingMode::RSA_PSS)));
3172}
3173
3174/*
3175 * SigningOperationsTest.RsaNoPaddingTooLong
3176 *
3177 * Verifies that raw RSA signature operations fail with the correct error code when
3178 * given a too-long message.
3179 */
3180TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
3181 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3182 .RsaSigningKey(2048, 65537)
3183 .Digest(Digest::NONE)
3184 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3185 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3186 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3187 // One byte too long
3188 string message(2048 / 8 + 1, 'a');
3189 ASSERT_EQ(ErrorCode::OK,
3190 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3191 .Digest(Digest::NONE)
3192 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3193 string result;
3194 ErrorCode finish_error_code = Finish(message, &result);
3195 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3196 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3197
3198 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
3199 message = string(128 * 1024, 'a');
3200 ASSERT_EQ(ErrorCode::OK,
3201 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3202 .Digest(Digest::NONE)
3203 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3204 finish_error_code = Finish(message, &result);
3205 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3206 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3207}
3208
3209/*
3210 * SigningOperationsTest.RsaAbort
3211 *
3212 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
3213 * test, but the behavior should be algorithm and purpose-independent.
3214 */
3215TEST_P(SigningOperationsTest, RsaAbort) {
3216 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3217 .RsaSigningKey(2048, 65537)
3218 .Digest(Digest::NONE)
3219 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3220 .Padding(PaddingMode::NONE)
3221 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3222
3223 ASSERT_EQ(ErrorCode::OK,
3224 Begin(KeyPurpose::SIGN,
3225 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3226 EXPECT_EQ(ErrorCode::OK, Abort());
3227
3228 // Another abort should fail
3229 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
3230
3231 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]3232 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3233}
3234
3235/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3236 * SigningOperationsTest.RsaNonUniqueParams
3237 *
3238 * Verifies that an operation with multiple padding modes is rejected.
3239 */
3240TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
3241 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3242 .RsaSigningKey(2048, 65537)
3243 .Digest(Digest::NONE)
3244 .Digest(Digest::SHA1)
3245 .Authorization(TAG_NO_AUTH_REQUIRED)
3246 .Padding(PaddingMode::NONE)
3247 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3248 .SetDefaultValidity()));
3249
3250 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3251 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3252 .Digest(Digest::NONE)
3253 .Padding(PaddingMode::NONE)
3254 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3255
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]3256 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3257 .Digest(Digest::NONE)
3258 .Digest(Digest::SHA1)
3259 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3260 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3261
3262 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3263 Begin(KeyPurpose::SIGN,
3264 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3265}
3266
3267/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3268 * SigningOperationsTest.RsaUnsupportedPadding
3269 *
3270 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
3271 * with a padding mode inappropriate for RSA.
3272 */
3273TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
3274 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3275 .RsaSigningKey(2048, 65537)
3276 .Authorization(TAG_NO_AUTH_REQUIRED)
3277 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3278 .Padding(PaddingMode::PKCS7)
3279 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3280 ASSERT_EQ(
3281 ErrorCode::UNSUPPORTED_PADDING_MODE,
3282 Begin(KeyPurpose::SIGN,
3283 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3284 CheckedDeleteKey();
3285
3286 ASSERT_EQ(ErrorCode::OK,
3287 GenerateKey(
3288 AuthorizationSetBuilder()
3289 .RsaSigningKey(2048, 65537)
3290 .Authorization(TAG_NO_AUTH_REQUIRED)
3291 .Digest(Digest::SHA_2_256 /* supported digest */)
3292 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
3293 .SetDefaultValidity()));
3294 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3295 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3296 .Digest(Digest::SHA_2_256)
3297 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3298}
3299
3300/*
3301 * SigningOperationsTest.RsaPssNoDigest
3302 *
3303 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
3304 */
3305TEST_P(SigningOperationsTest, RsaNoDigest) {
3306 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3307 .RsaSigningKey(2048, 65537)
3308 .Authorization(TAG_NO_AUTH_REQUIRED)
3309 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3310 .Padding(PaddingMode::RSA_PSS)
3311 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3312 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3313 Begin(KeyPurpose::SIGN,
3314 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
3315
3316 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3317 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
3318}
3319
3320/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3321 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3322 *
3323 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
3324 * supported in some cases (as validated in other tests), but a mode must be specified.
3325 */
3326TEST_P(SigningOperationsTest, RsaNoPadding) {
3327 // Padding must be specified
3328 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3329 .RsaKey(2048, 65537)
3330 .Authorization(TAG_NO_AUTH_REQUIRED)
3331 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3332 .Digest(Digest::NONE)
3333 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3334 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3335 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3336}
3337
3338/*
3339 * SigningOperationsTest.RsaShortMessage
3340 *
3341 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
3342 */
3343TEST_P(SigningOperationsTest, RsaTooShortMessage) {
3344 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3345 .Authorization(TAG_NO_AUTH_REQUIRED)
3346 .RsaSigningKey(2048, 65537)
3347 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3348 .Padding(PaddingMode::NONE)
3349 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3350
3351 // Barely shorter
3352 string message(2048 / 8 - 1, 'a');
3353 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3354
3355 // Much shorter
3356 message = "a";
3357 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3358}
3359
3360/*
3361 * SigningOperationsTest.RsaSignWithEncryptionKey
3362 *
3363 * Verifies that RSA encryption keys cannot be used to sign.
3364 */
3365TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
3366 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3367 .Authorization(TAG_NO_AUTH_REQUIRED)
3368 .RsaEncryptionKey(2048, 65537)
3369 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3370 .Padding(PaddingMode::NONE)
3371 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3372 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3373 Begin(KeyPurpose::SIGN,
3374 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3375}
3376
3377/*
3378 * SigningOperationsTest.RsaSignTooLargeMessage
3379 *
3380 * Verifies that attempting a raw signature of a message which is the same length as the key,
3381 * but numerically larger than the public modulus, fails with the correct error.
3382 */
3383TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
3384 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3385 .Authorization(TAG_NO_AUTH_REQUIRED)
3386 .RsaSigningKey(2048, 65537)
3387 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3388 .Padding(PaddingMode::NONE)
3389 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3390
3391 // Largest possible message will always be larger than the public modulus.
3392 string message(2048 / 8, static_cast<char>(0xff));
3393 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3394 .Authorization(TAG_NO_AUTH_REQUIRED)
3395 .Digest(Digest::NONE)
3396 .Padding(PaddingMode::NONE)));
3397 string signature;
3398 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
3399}
3400
3401/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3402 * SigningOperationsTest.EcdsaAllDigestsAndCurves
3403 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3404 * Verifies ECDSA signature/verification for all digests and required curves.
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3405 */
3406TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3407 string message = "1234567890";
3408 string corrupt_message = "2234567890";
3409 for (auto curve : ValidCurves()) {
3410 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3411 // Ed25519 only allows Digest::NONE.
3412 auto digests = (curve == EcCurve::CURVE_25519)
3413 ? std::vector<Digest>(1, Digest::NONE)
3414 : ValidDigests(true /* withNone */, false /* withMD5 */);
3415
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3416 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3417 .Authorization(TAG_NO_AUTH_REQUIRED)
3418 .EcdsaSigningKey(curve)
3419 .Digest(digests)
3420 .SetDefaultValidity());
3421 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
3422 if (error != ErrorCode::OK) {
3423 continue;
3424 }
3425
3426 for (auto digest : digests) {
3427 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
3428 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
3429 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
3430 }
3431
3432 auto rc = DeleteKey();
3433 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
3434 }
3435}
3436
3437/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3438 * SigningOperationsTest.EcdsaAllCurves
3439 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3440 * Verifies that ECDSA operations succeed with all required curves.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3441 */
3442TEST_P(SigningOperationsTest, EcdsaAllCurves) {
3443 for (auto curve : ValidCurves()) {
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3444 Digest digest = (curve == EcCurve::CURVE_25519 ? Digest::NONE : Digest::SHA_2_256);
3445 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3446 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3447 .Authorization(TAG_NO_AUTH_REQUIRED)
3448 .EcdsaSigningKey(curve)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3449 .Digest(digest)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3450 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3451 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3452 if (error != ErrorCode::OK) continue;
3453
3454 string message(1024, 'a');
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3455 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3456 CheckedDeleteKey();
3457 }
3458}
3459
3460/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3461 * SigningOperationsTest.EcdsaCurve25519
3462 *
3463 * Verifies that ECDSA operations succeed with curve25519.
3464 */
3465TEST_P(SigningOperationsTest, EcdsaCurve25519) {
3466 if (!Curve25519Supported()) {
3467 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3468 }
3469
3470 EcCurve curve = EcCurve::CURVE_25519;
3471 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3472 .Authorization(TAG_NO_AUTH_REQUIRED)
3473 .EcdsaSigningKey(curve)
3474 .Digest(Digest::NONE)
3475 .SetDefaultValidity());
3476 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3477
3478 string message(1024, 'a');
3479 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3480 CheckedDeleteKey();
3481}
3482
3483/*
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]3484 * SigningOperationsTest.EcdsaCurve25519MaxSize
3485 *
3486 * Verifies that EDDSA operations with curve25519 under the maximum message size succeed.
3487 */
3488TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSize) {
3489 if (!Curve25519Supported()) {
3490 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3491 }
3492
3493 EcCurve curve = EcCurve::CURVE_25519;
3494 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3495 .Authorization(TAG_NO_AUTH_REQUIRED)
3496 .EcdsaSigningKey(curve)
3497 .Digest(Digest::NONE)
3498 .SetDefaultValidity());
3499 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3500
3501 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3502
3503 for (size_t msg_size : {MAX_ED25519_MSG_SIZE - 1, MAX_ED25519_MSG_SIZE}) {
3504 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3505 string message(msg_size, 'a');
3506
3507 // Attempt to sign via Begin+Finish.
3508 AuthorizationSet out_params;
3509 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3510 EXPECT_TRUE(out_params.empty());
3511 string signature;
3512 auto result = Finish(message, &signature);
3513 EXPECT_EQ(result, ErrorCode::OK);
3514 LocalVerifyMessage(message, signature, params);
3515
3516 // Attempt to sign via Begin+Update+Finish
3517 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3518 EXPECT_TRUE(out_params.empty());
3519 string output;
3520 result = Update(message, &output);
3521 EXPECT_EQ(result, ErrorCode::OK);
3522 EXPECT_EQ(output.size(), 0);
3523 string signature2;
3524 EXPECT_EQ(ErrorCode::OK, Finish({}, &signature2));
3525 LocalVerifyMessage(message, signature2, params);
3526 }
3527
3528 CheckedDeleteKey();
3529}
3530
3531/*
3532 * SigningOperationsTest.EcdsaCurve25519MaxSizeFail
3533 *
3534 * Verifies that EDDSA operations with curve25519 fail when message size is too large.
3535 */
3536TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSizeFail) {
3537 if (!Curve25519Supported()) {
3538 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3539 }
3540
3541 EcCurve curve = EcCurve::CURVE_25519;
3542 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3543 .Authorization(TAG_NO_AUTH_REQUIRED)
3544 .EcdsaSigningKey(curve)
3545 .Digest(Digest::NONE)
3546 .SetDefaultValidity());
3547 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3548
3549 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3550
3551 for (size_t msg_size : {MAX_ED25519_MSG_SIZE + 1, MAX_ED25519_MSG_SIZE * 2}) {
3552 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3553 string message(msg_size, 'a');
3554
3555 // Attempt to sign via Begin+Finish.
3556 AuthorizationSet out_params;
3557 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3558 EXPECT_TRUE(out_params.empty());
3559 string signature;
3560 auto result = Finish(message, &signature);
3561 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3562
3563 // Attempt to sign via Begin+Update (but never get to Finish)
3564 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3565 EXPECT_TRUE(out_params.empty());
3566 string output;
3567 result = Update(message, &output);
3568 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3569 }
3570
3571 CheckedDeleteKey();
3572}
3573
3574/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3575 * SigningOperationsTest.EcdsaNoDigestHugeData
3576 *
3577 * Verifies that ECDSA operations support very large messages, even without digesting. This
3578 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
3579 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
3580 * the framework.
3581 */
3582TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
3583 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3584 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3585 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3586 .Digest(Digest::NONE)
3587 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3588 string message(1 * 1024, 'a');
3589 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3590}
3591
3592/*
3593 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
3594 *
3595 * Verifies that using an EC key requires the correct app ID/data.
3596 */
3597TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
3598 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3599 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3600 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3601 .Digest(Digest::NONE)
3602 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3603 .Authorization(TAG_APPLICATION_DATA, "appdata")
3604 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3605
3606 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3607
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3608 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3609 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3610 AbortIfNeeded();
3611 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3612 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3613 .Digest(Digest::NONE)
3614 .Authorization(TAG_APPLICATION_ID, "clientid")));
3615 AbortIfNeeded();
3616 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3617 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3618 .Digest(Digest::NONE)
3619 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3620 AbortIfNeeded();
3621 EXPECT_EQ(ErrorCode::OK,
3622 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3623 .Digest(Digest::NONE)
3624 .Authorization(TAG_APPLICATION_DATA, "appdata")
3625 .Authorization(TAG_APPLICATION_ID, "clientid")));
3626 AbortIfNeeded();
3627}
3628
3629/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3630 * SigningOperationsTest.EcdsaIncompatibleDigest
3631 *
3632 * Verifies that using an EC key requires compatible digest.
3633 */
3634TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
3635 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3636 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3637 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3638 .Digest(Digest::NONE)
3639 .Digest(Digest::SHA1)
3640 .SetDefaultValidity()));
3641 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3642 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
3643 AbortIfNeeded();
3644}
3645
3646/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3647 * SigningOperationsTest.AesEcbSign
3648 *
3649 * Verifies that attempts to use AES keys to sign fail in the correct way.
3650 */
3651TEST_P(SigningOperationsTest, AesEcbSign) {
3652 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3653 .Authorization(TAG_NO_AUTH_REQUIRED)
3654 .SigningKey()
3655 .AesEncryptionKey(128)
3656 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
3657
3658 AuthorizationSet out_params;
3659 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3660 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
3661 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3662 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
3663}
3664
3665/*
3666 * SigningOperationsTest.HmacAllDigests
3667 *
3668 * Verifies that HMAC works with all digests.
3669 */
3670TEST_P(SigningOperationsTest, HmacAllDigests) {
3671 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]3672 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3673 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3674 .Authorization(TAG_NO_AUTH_REQUIRED)
3675 .HmacKey(128)
3676 .Digest(digest)
3677 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
3678 << "Failed to create HMAC key with digest " << digest;
3679 string message = "12345678901234567890123456789012";
3680 string signature = MacMessage(message, digest, 160);
3681 EXPECT_EQ(160U / 8U, signature.size())
3682 << "Failed to sign with HMAC key with digest " << digest;
3683 CheckedDeleteKey();
3684 }
3685}
3686
3687/*
3688 * SigningOperationsTest.HmacSha256TooLargeMacLength
3689 *
3690 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
3691 * digest size.
3692 */
3693TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
3694 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3695 .Authorization(TAG_NO_AUTH_REQUIRED)
3696 .HmacKey(128)
3697 .Digest(Digest::SHA_2_256)
3698 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
3699 AuthorizationSet output_params;
3700 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3701 AuthorizationSetBuilder()
3702 .Digest(Digest::SHA_2_256)
3703 .Authorization(TAG_MAC_LENGTH, 264),
3704 &output_params));
3705}
3706
3707/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3708 * SigningOperationsTest.HmacSha256InvalidMacLength
3709 *
3710 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
3711 * not a multiple of 8.
3712 */
3713TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
3714 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3715 .Authorization(TAG_NO_AUTH_REQUIRED)
3716 .HmacKey(128)
3717 .Digest(Digest::SHA_2_256)
3718 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
3719 AuthorizationSet output_params;
3720 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3721 AuthorizationSetBuilder()
3722 .Digest(Digest::SHA_2_256)
3723 .Authorization(TAG_MAC_LENGTH, 161),
3724 &output_params));
3725}
3726
3727/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3728 * SigningOperationsTest.HmacSha256TooSmallMacLength
3729 *
3730 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
3731 * specified minimum MAC length.
3732 */
3733TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3734 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3735 .Authorization(TAG_NO_AUTH_REQUIRED)
3736 .HmacKey(128)
3737 .Digest(Digest::SHA_2_256)
3738 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3739 AuthorizationSet output_params;
3740 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3741 AuthorizationSetBuilder()
3742 .Digest(Digest::SHA_2_256)
3743 .Authorization(TAG_MAC_LENGTH, 120),
3744 &output_params));
3745}
3746
3747/*
3748 * SigningOperationsTest.HmacRfc4231TestCase3
3749 *
3750 * Validates against the test vectors from RFC 4231 test case 3.
3751 */
3752TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3753 string key(20, 0xaa);
3754 string message(50, 0xdd);
3755 uint8_t sha_224_expected[] = {
3756 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3757 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3758 };
3759 uint8_t sha_256_expected[] = {
3760 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3761 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3762 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3763 };
3764 uint8_t sha_384_expected[] = {
3765 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3766 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3767 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3768 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3769 };
3770 uint8_t sha_512_expected[] = {
3771 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3772 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3773 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3774 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3775 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3776 };
3777
3778 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3779 if (SecLevel() != SecurityLevel::STRONGBOX) {
3780 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3781 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3782 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3783 }
3784}
3785
3786/*
3787 * SigningOperationsTest.HmacRfc4231TestCase5
3788 *
3789 * Validates against the test vectors from RFC 4231 test case 5.
3790 */
3791TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3792 string key(20, 0x0c);
3793 string message = "Test With Truncation";
3794
3795 uint8_t sha_224_expected[] = {
3796 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3797 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3798 };
3799 uint8_t sha_256_expected[] = {
3800 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3801 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3802 };
3803 uint8_t sha_384_expected[] = {
3804 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3805 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3806 };
3807 uint8_t sha_512_expected[] = {
3808 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3809 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3810 };
3811
3812 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3813 if (SecLevel() != SecurityLevel::STRONGBOX) {
3814 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3815 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3816 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3817 }
3818}
3819
3820INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3821
3822typedef KeyMintAidlTestBase VerificationOperationsTest;
3823
3824/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3825 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3826 *
3827 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3828 */
3829TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3830 string key_material = "HelloThisIsAKey";
3831
3832 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3833 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3834 EXPECT_EQ(ErrorCode::OK,
3835 ImportKey(AuthorizationSetBuilder()
3836 .Authorization(TAG_NO_AUTH_REQUIRED)
3837 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3838 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3839 .Digest(Digest::SHA_2_256)
3840 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3841 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3842 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3843 EXPECT_EQ(ErrorCode::OK,
3844 ImportKey(AuthorizationSetBuilder()
3845 .Authorization(TAG_NO_AUTH_REQUIRED)
3846 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3847 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3848 .Digest(Digest::SHA_2_256)
3849 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3850 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3851 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3852
3853 string message = "This is a message.";
3854 string signature = SignMessage(
3855 signing_key, message,
3856 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3857
3858 // Signing key should not work.
3859 AuthorizationSet out_params;
3860 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3861 Begin(KeyPurpose::VERIFY, signing_key,
3862 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3863
3864 // Verification key should work.
3865 VerifyMessage(verification_key, message, signature,
3866 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3867}
3868
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3869/*
3870 * VerificationOperationsTest.HmacVerificationFailsForCorruptSignature
3871 *
3872 * Verifies HMAC signature verification should fails if message or signature is corrupted.
3873 */
3874TEST_P(VerificationOperationsTest, HmacVerificationFailsForCorruptSignature) {
3875 string key_material = "HelloThisIsAKey";
3876
3877 vector<uint8_t> signing_key, verification_key;
3878 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
3879 EXPECT_EQ(ErrorCode::OK,
3880 ImportKey(AuthorizationSetBuilder()
3881 .Authorization(TAG_NO_AUTH_REQUIRED)
3882 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3883 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3884 .Digest(Digest::SHA_2_256)
3885 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3886 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3887 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3888 EXPECT_EQ(ErrorCode::OK,
3889 ImportKey(AuthorizationSetBuilder()
3890 .Authorization(TAG_NO_AUTH_REQUIRED)
3891 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3892 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3893 .Digest(Digest::SHA_2_256)
3894 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3895 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3896 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3897
3898 string message = "This is a message.";
3899 string signature = SignMessage(
3900 signing_key, message,
3901 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3902
3903 AuthorizationSet begin_out_params;
3904 ASSERT_EQ(ErrorCode::OK,
3905 Begin(KeyPurpose::VERIFY, verification_key,
3906 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3907
3908 string corruptMessage = "This is b message."; // Corrupted message
3909 string output;
3910 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corruptMessage, signature, &output));
3911
3912 ASSERT_EQ(ErrorCode::OK,
3913 Begin(KeyPurpose::VERIFY, verification_key,
3914 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3915
3916 signature[0] += 1; // Corrupt a signature
3917 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, signature, &output));
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3918}
3919
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3920INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3921
3922typedef KeyMintAidlTestBase ExportKeyTest;
3923
3924/*
3925 * ExportKeyTest.RsaUnsupportedKeyFormat
3926 *
3927 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3928 */
3929// TODO(seleneh) add ExportKey to GenerateKey
3930// check result
3931
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]3932class ImportKeyTest : public NewKeyGenerationTest {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3933 public:
3934 template <TagType tag_type, Tag tag, typename ValueT>
3935 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3936 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3937 for (auto& entry : key_characteristics_) {
3938 if (entry.securityLevel == SecLevel()) {
3939 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3940 << "Tag " << tag << " with value " << expected
3941 << " not found at security level" << entry.securityLevel;
3942 } else {
3943 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3944 << "Tag " << tag << " found at security level " << entry.securityLevel;
3945 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3946 }
3947 }
3948
3949 void CheckOrigin() {
3950 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3951 // Origin isn't a crypto param, but it always lives with them.
3952 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3953 }
3954};
3955
3956/*
3957 * ImportKeyTest.RsaSuccess
3958 *
3959 * Verifies that importing and using an RSA key pair works correctly.
3960 */
3961TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3962 uint32_t key_size;
3963 string key;
3964
3965 if (SecLevel() == SecurityLevel::STRONGBOX) {
3966 key_size = 2048;
3967 key = rsa_2048_key;
3968 } else {
3969 key_size = 1024;
3970 key = rsa_key;
3971 }
3972
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3973 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3974 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3975 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3976 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3977 .Padding(PaddingMode::RSA_PSS)
3978 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3979 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3980
3981 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3982 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3983 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3984 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3985 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3986 CheckOrigin();
3987
3988 string message(1024 / 8, 'a');
3989 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3990 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3991 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3992}
3993
3994/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3995 * ImportKeyTest.RsaSuccessWithoutParams
3996 *
3997 * Verifies that importing and using an RSA key pair without specifying parameters
3998 * works correctly.
3999 */
4000TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
4001 uint32_t key_size;
4002 string key;
4003
4004 if (SecLevel() == SecurityLevel::STRONGBOX) {
4005 key_size = 2048;
4006 key = rsa_2048_key;
4007 } else {
4008 key_size = 1024;
4009 key = rsa_key;
4010 }
4011
4012 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4013 .Authorization(TAG_NO_AUTH_REQUIRED)
4014 .SigningKey()
4015 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
4016 .Digest(Digest::SHA_2_256)
4017 .Padding(PaddingMode::RSA_PSS)
4018 .SetDefaultValidity(),
4019 KeyFormat::PKCS8, key));
4020
4021 // Key size and public exponent are determined from the imported key material.
4022 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4023 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4024
4025 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4026 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4027 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
4028 CheckOrigin();
4029
4030 string message(1024 / 8, 'a');
4031 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
4032 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4033 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4034}
4035
4036/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4037 * ImportKeyTest.RsaKeySizeMismatch
4038 *
4039 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
4040 * correct way.
4041 */
4042TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
4043 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4044 ImportKey(AuthorizationSetBuilder()
4045 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
4046 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4047 .Padding(PaddingMode::NONE)
4048 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4049 KeyFormat::PKCS8, rsa_key));
4050}
4051
4052/*
4053 * ImportKeyTest.RsaPublicExponentMismatch
4054 *
4055 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
4056 * fails in the correct way.
4057 */
4058TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
4059 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4060 ImportKey(AuthorizationSetBuilder()
4061 .RsaSigningKey(1024, 3 /* Doesn't match key */)
4062 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4063 .Padding(PaddingMode::NONE)
4064 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4065 KeyFormat::PKCS8, rsa_key));
4066}
4067
4068/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4069 * ImportKeyTest.RsaAttestMultiPurposeFail
4070 *
4071 * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
4072 */
4073TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4074 if (AidlVersion() < 2) {
4075 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4076 // with other key purposes. However, this was not checked at the time
4077 // so we can only be strict about checking this for implementations of KeyMint
4078 // version 2 and above.
4079 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4080 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4081 uint32_t key_size = 2048;
4082 string key = rsa_2048_key;
4083
4084 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4085 ImportKey(AuthorizationSetBuilder()
4086 .Authorization(TAG_NO_AUTH_REQUIRED)
4087 .RsaSigningKey(key_size, 65537)
4088 .AttestKey()
4089 .Digest(Digest::SHA_2_256)
4090 .Padding(PaddingMode::RSA_PSS)
4091 .SetDefaultValidity(),
4092 KeyFormat::PKCS8, key));
4093}
4094
4095/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4096 * ImportKeyTest.EcdsaSuccess
4097 *
4098 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
4099 */
4100TEST_P(ImportKeyTest, EcdsaSuccess) {
4101 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4102 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4103 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4104 .Digest(Digest::SHA_2_256)
4105 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4106 KeyFormat::PKCS8, ec_256_key));
4107
4108 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4109 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4110 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4111
4112 CheckOrigin();
4113
4114 string message(32, 'a');
4115 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4116 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4117 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4118}
4119
4120/*
David Drysdale9b8d75e2023-09-05 15:16:47 +0100[diff] [blame]4121 * ImportKeyTest.EcdsaSuccessCurveNotSpecified
4122 *
4123 * Verifies that importing and using an ECDSA P-256 key pair works correctly
4124 * when the EC_CURVE is not explicitly specified.
4125 */
4126TEST_P(ImportKeyTest, EcdsaSuccessCurveNotSpecified) {
David Drysdale1405dbc2023-11-02 09:26:44 +0000[diff] [blame]4127 if (get_vsr_api_level() < __ANDROID_API_V__) {
David Drysdale9b8d75e2023-09-05 15:16:47 +0100[diff] [blame]4128 /*
David Drysdale1405dbc2023-11-02 09:26:44 +0000[diff] [blame]4129 * The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
4130 * of EC keys. However, this was not checked at the time so we can only be strict about
4131 * checking this for implementations at VSR-V or later.
David Drysdale9b8d75e2023-09-05 15:16:47 +0100[diff] [blame]4132 */
David Drysdale1405dbc2023-11-02 09:26:44 +0000[diff] [blame]4133 GTEST_SKIP() << "Skipping EC_CURVE on import only strict >= VSR-V";
David Drysdale9b8d75e2023-09-05 15:16:47 +0100[diff] [blame]4134 }
4135
4136 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4137 .Authorization(TAG_NO_AUTH_REQUIRED)
4138 .Authorization(TAG_ALGORITHM, Algorithm::EC)
4139 .SigningKey()
4140 .Digest(Digest::SHA_2_256)
4141 .SetDefaultValidity(),
4142 KeyFormat::PKCS8, ec_256_key));
4143
4144 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4145 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4146 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4147
4148 CheckOrigin();
4149
4150 string message(32, 'a');
4151 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4152 string signature = SignMessage(message, params);
4153 LocalVerifyMessage(message, signature, params);
4154}
4155
4156/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4157 * ImportKeyTest.EcdsaP256RFC5915Success
4158 *
4159 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
4160 * correctly.
4161 */
4162TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
4163 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4164 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4165 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4166 .Digest(Digest::SHA_2_256)
4167 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4168 KeyFormat::PKCS8, ec_256_key_rfc5915));
4169
4170 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4171 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4172 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4173
4174 CheckOrigin();
4175
4176 string message(32, 'a');
4177 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4178 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4179 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4180}
4181
4182/*
4183 * ImportKeyTest.EcdsaP256SEC1Success
4184 *
4185 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
4186 */
4187TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
4188 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4189 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4190 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4191 .Digest(Digest::SHA_2_256)
4192 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4193 KeyFormat::PKCS8, ec_256_key_sec1));
4194
4195 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4196 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4197 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4198
4199 CheckOrigin();
4200
4201 string message(32, 'a');
4202 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4203 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4204 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4205}
4206
4207/*
4208 * ImportKeyTest.Ecdsa521Success
4209 *
4210 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
4211 */
4212TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4213 if (SecLevel() == SecurityLevel::STRONGBOX) {
4214 GTEST_SKIP() << "Test not applicable to StrongBox device";
4215 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4216 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4217 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4218 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4219 .Digest(Digest::SHA_2_256)
4220 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4221 KeyFormat::PKCS8, ec_521_key));
4222
4223 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4224 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4225 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
4226 CheckOrigin();
4227
4228 string message(32, 'a');
4229 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4230 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4231 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4232}
4233
4234/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4235 * ImportKeyTest.EcdsaCurveMismatch
4236 *
4237 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
4238 * the correct way.
4239 */
4240TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
4241 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4242 ImportKey(AuthorizationSetBuilder()
4243 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4244 .Digest(Digest::NONE)
4245 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4246 KeyFormat::PKCS8, ec_256_key));
4247}
4248
4249/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4250 * ImportKeyTest.EcdsaAttestMultiPurposeFail
4251 *
4252 * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
4253 */
4254TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4255 if (AidlVersion() < 2) {
4256 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4257 // with other key purposes. However, this was not checked at the time
4258 // so we can only be strict about checking this for implementations of KeyMint
4259 // version 2 and above.
4260 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4261 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4262 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4263 ImportKey(AuthorizationSetBuilder()
4264 .Authorization(TAG_NO_AUTH_REQUIRED)
4265 .EcdsaSigningKey(EcCurve::P_256)
4266 .AttestKey()
4267 .Digest(Digest::SHA_2_256)
4268 .SetDefaultValidity(),
4269 KeyFormat::PKCS8, ec_256_key));
4270}
4271
4272/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]4273 * ImportKeyTest.Ed25519RawSuccess
4274 *
4275 * Verifies that importing and using a raw Ed25519 private key works correctly.
4276 */
4277TEST_P(ImportKeyTest, Ed25519RawSuccess) {
4278 if (!Curve25519Supported()) {
4279 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4280 }
4281
4282 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4283 .Authorization(TAG_NO_AUTH_REQUIRED)
4284 .EcdsaSigningKey(EcCurve::CURVE_25519)
4285 .Digest(Digest::NONE)
4286 .SetDefaultValidity(),
4287 KeyFormat::RAW, ed25519_key));
4288 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4289 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4290 CheckOrigin();
4291
4292 // The returned cert should hold the correct public key.
4293 ASSERT_GT(cert_chain_.size(), 0);
4294 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4295 ASSERT_NE(kmKeyCert, nullptr);
4296 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4297 ASSERT_NE(kmPubKey.get(), nullptr);
4298 size_t kmPubKeySize = 32;
4299 uint8_t kmPubKeyData[32];
4300 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4301 ASSERT_EQ(kmPubKeySize, 32);
4302 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4303
4304 string message(32, 'a');
4305 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4306 string signature = SignMessage(message, params);
4307 LocalVerifyMessage(message, signature, params);
4308}
4309
4310/*
4311 * ImportKeyTest.Ed25519Pkcs8Success
4312 *
4313 * Verifies that importing and using a PKCS#8-encoded Ed25519 private key works correctly.
4314 */
4315TEST_P(ImportKeyTest, Ed25519Pkcs8Success) {
4316 if (!Curve25519Supported()) {
4317 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4318 }
4319
4320 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4321 .Authorization(TAG_NO_AUTH_REQUIRED)
4322 .EcdsaSigningKey(EcCurve::CURVE_25519)
4323 .Digest(Digest::NONE)
4324 .SetDefaultValidity(),
4325 KeyFormat::PKCS8, ed25519_pkcs8_key));
4326 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4327 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4328 CheckOrigin();
4329
4330 // The returned cert should hold the correct public key.
4331 ASSERT_GT(cert_chain_.size(), 0);
4332 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4333 ASSERT_NE(kmKeyCert, nullptr);
4334 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4335 ASSERT_NE(kmPubKey.get(), nullptr);
4336 size_t kmPubKeySize = 32;
4337 uint8_t kmPubKeyData[32];
4338 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4339 ASSERT_EQ(kmPubKeySize, 32);
4340 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4341
4342 string message(32, 'a');
4343 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4344 string signature = SignMessage(message, params);
4345 LocalVerifyMessage(message, signature, params);
4346}
4347
4348/*
4349 * ImportKeyTest.Ed25519CurveMismatch
4350 *
4351 * Verifies that importing an Ed25519 key pair with a curve that doesn't match the key fails in
4352 * the correct way.
4353 */
4354TEST_P(ImportKeyTest, Ed25519CurveMismatch) {
4355 if (!Curve25519Supported()) {
4356 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4357 }
4358
4359 ASSERT_NE(ErrorCode::OK,
4360 ImportKey(AuthorizationSetBuilder()
4361 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
4362 .Digest(Digest::NONE)
4363 .SetDefaultValidity(),
4364 KeyFormat::RAW, ed25519_key));
4365}
4366
4367/*
4368 * ImportKeyTest.Ed25519FormatMismatch
4369 *
4370 * Verifies that importing an Ed25519 key pair with an invalid format fails.
4371 */
4372TEST_P(ImportKeyTest, Ed25519FormatMismatch) {
4373 if (!Curve25519Supported()) {
4374 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4375 }
4376
4377 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4378 .EcdsaSigningKey(EcCurve::CURVE_25519)
4379 .Digest(Digest::NONE)
4380 .SetDefaultValidity(),
4381 KeyFormat::PKCS8, ed25519_key));
4382 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4383 .EcdsaSigningKey(EcCurve::CURVE_25519)
4384 .Digest(Digest::NONE)
4385 .SetDefaultValidity(),
4386 KeyFormat::RAW, ed25519_pkcs8_key));
4387}
4388
4389/*
4390 * ImportKeyTest.Ed25519PurposeMismatch
4391 *
4392 * Verifies that importing an Ed25519 key pair with an invalid purpose fails.
4393 */
4394TEST_P(ImportKeyTest, Ed25519PurposeMismatch) {
4395 if (!Curve25519Supported()) {
4396 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4397 }
4398
4399 // Can't have both SIGN and ATTEST_KEY
4400 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4401 .EcdsaSigningKey(EcCurve::CURVE_25519)
4402 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4403 .Digest(Digest::NONE)
4404 .SetDefaultValidity(),
4405 KeyFormat::RAW, ed25519_key));
4406 // AGREE_KEY is for X25519 (but can only tell the difference if the import key is in
4407 // PKCS#8 format and so includes an OID).
4408 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4409 .EcdsaKey(EcCurve::CURVE_25519)
4410 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4411 .Digest(Digest::NONE)
4412 .SetDefaultValidity(),
4413 KeyFormat::PKCS8, ed25519_pkcs8_key));
4414}
4415
4416/*
4417 * ImportKeyTest.X25519RawSuccess
4418 *
4419 * Verifies that importing and using a raw X25519 private key works correctly.
4420 */
4421TEST_P(ImportKeyTest, X25519RawSuccess) {
4422 if (!Curve25519Supported()) {
4423 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4424 }
4425
4426 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4427 .Authorization(TAG_NO_AUTH_REQUIRED)
4428 .EcdsaKey(EcCurve::CURVE_25519)
4429 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4430 .SetDefaultValidity(),
4431 KeyFormat::RAW, x25519_key));
4432
4433 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4434 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4435 CheckOrigin();
4436}
4437
4438/*
4439 * ImportKeyTest.X25519Pkcs8Success
4440 *
4441 * Verifies that importing and using a PKCS#8-encoded X25519 private key works correctly.
4442 */
4443TEST_P(ImportKeyTest, X25519Pkcs8Success) {
4444 if (!Curve25519Supported()) {
4445 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4446 }
4447
4448 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4449 .Authorization(TAG_NO_AUTH_REQUIRED)
4450 .EcdsaKey(EcCurve::CURVE_25519)
4451 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4452 .SetDefaultValidity(),
4453 KeyFormat::PKCS8, x25519_pkcs8_key));
4454
4455 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4456 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4457 CheckOrigin();
4458}
4459
4460/*
4461 * ImportKeyTest.X25519CurveMismatch
4462 *
4463 * Verifies that importing an X25519 key with a curve that doesn't match the key fails in
4464 * the correct way.
4465 */
4466TEST_P(ImportKeyTest, X25519CurveMismatch) {
4467 if (!Curve25519Supported()) {
4468 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4469 }
4470
4471 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4472 .EcdsaKey(EcCurve::P_224 /* Doesn't match key */)
4473 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4474 .SetDefaultValidity(),
4475 KeyFormat::RAW, x25519_key));
4476}
4477
4478/*
4479 * ImportKeyTest.X25519FormatMismatch
4480 *
4481 * Verifies that importing an X25519 key with an invalid format fails.
4482 */
4483TEST_P(ImportKeyTest, X25519FormatMismatch) {
4484 if (!Curve25519Supported()) {
4485 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4486 }
4487
4488 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4489 .EcdsaKey(EcCurve::CURVE_25519)
4490 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4491 .SetDefaultValidity(),
4492 KeyFormat::PKCS8, x25519_key));
4493 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4494 .EcdsaKey(EcCurve::CURVE_25519)
4495 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4496 .SetDefaultValidity(),
4497 KeyFormat::RAW, x25519_pkcs8_key));
4498}
4499
4500/*
4501 * ImportKeyTest.X25519PurposeMismatch
4502 *
4503 * Verifies that importing an X25519 key pair with an invalid format fails.
4504 */
4505TEST_P(ImportKeyTest, X25519PurposeMismatch) {
4506 if (!Curve25519Supported()) {
4507 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4508 }
4509
4510 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4511 .EcdsaKey(EcCurve::CURVE_25519)
4512 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4513 .SetDefaultValidity(),
4514 KeyFormat::PKCS8, x25519_pkcs8_key));
4515 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4516 .EcdsaSigningKey(EcCurve::CURVE_25519)
4517 .SetDefaultValidity(),
4518 KeyFormat::PKCS8, x25519_pkcs8_key));
4519}
4520
4521/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4522 * ImportKeyTest.AesSuccess
4523 *
4524 * Verifies that importing and using an AES key works.
4525 */
4526TEST_P(ImportKeyTest, AesSuccess) {
4527 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4528 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4529 .Authorization(TAG_NO_AUTH_REQUIRED)
4530 .AesEncryptionKey(key.size() * 8)
4531 .EcbMode()
4532 .Padding(PaddingMode::PKCS7),
4533 KeyFormat::RAW, key));
4534
4535 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
4536 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4537 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4538 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4539 CheckOrigin();
4540
4541 string message = "Hello World!";
4542 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4543 string ciphertext = EncryptMessage(message, params);
4544 string plaintext = DecryptMessage(ciphertext, params);
4545 EXPECT_EQ(message, plaintext);
4546}
4547
4548/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4549 * ImportKeyTest.AesFailure
4550 *
4551 * Verifies that importing an invalid AES key fails.
4552 */
4553TEST_P(ImportKeyTest, AesFailure) {
4554 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4555 uint32_t bitlen = key.size() * 8;
4556 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4557 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4558 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4559 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4560 .Authorization(TAG_NO_AUTH_REQUIRED)
4561 .AesEncryptionKey(key_size)
4562 .EcbMode()
4563 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4564 KeyFormat::RAW, key);
4565 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4566 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4567 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4568 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4569
4570 // Explicit key size matches that of the provided key, but it's not a valid size.
4571 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4572 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4573 ImportKey(AuthorizationSetBuilder()
4574 .Authorization(TAG_NO_AUTH_REQUIRED)
4575 .AesEncryptionKey(long_key.size() * 8)
4576 .EcbMode()
4577 .Padding(PaddingMode::PKCS7),
4578 KeyFormat::RAW, long_key));
4579 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4580 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4581 ImportKey(AuthorizationSetBuilder()
4582 .Authorization(TAG_NO_AUTH_REQUIRED)
4583 .AesEncryptionKey(short_key.size() * 8)
4584 .EcbMode()
4585 .Padding(PaddingMode::PKCS7),
4586 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4587}
4588
4589/*
4590 * ImportKeyTest.TripleDesSuccess
4591 *
4592 * Verifies that importing and using a 3DES key works.
4593 */
4594TEST_P(ImportKeyTest, TripleDesSuccess) {
4595 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
4596 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4597 .Authorization(TAG_NO_AUTH_REQUIRED)
4598 .TripleDesEncryptionKey(168)
4599 .EcbMode()
4600 .Padding(PaddingMode::PKCS7),
4601 KeyFormat::RAW, key));
4602
4603 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
4604 CheckCryptoParam(TAG_KEY_SIZE, 168U);
4605 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4606 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4607 CheckOrigin();
4608
4609 string message = "Hello World!";
4610 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4611 string ciphertext = EncryptMessage(message, params);
4612 string plaintext = DecryptMessage(ciphertext, params);
4613 EXPECT_EQ(message, plaintext);
4614}
4615
4616/*
4617 * ImportKeyTest.TripleDesFailure
4618 *
4619 * Verifies that importing an invalid 3DES key fails.
4620 */
4621TEST_P(ImportKeyTest, TripleDesFailure) {
4622 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4623 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4624 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4625 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4626 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4627 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4628 .Authorization(TAG_NO_AUTH_REQUIRED)
4629 .TripleDesEncryptionKey(key_size)
4630 .EcbMode()
4631 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4632 KeyFormat::RAW, key);
4633 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4634 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4635 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4636 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4637 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4638 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4639 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4640 ImportKey(AuthorizationSetBuilder()
4641 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4642 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4643 .EcbMode()
4644 .Padding(PaddingMode::PKCS7),
4645 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4646 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4647 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4648 ImportKey(AuthorizationSetBuilder()
4649 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4650 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4651 .EcbMode()
4652 .Padding(PaddingMode::PKCS7),
4653 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4654}
4655
4656/*
4657 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4658 *
4659 * Verifies that importing and using an HMAC key works.
4660 */
4661TEST_P(ImportKeyTest, HmacKeySuccess) {
4662 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4663 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4664 .Authorization(TAG_NO_AUTH_REQUIRED)
4665 .HmacKey(key.size() * 8)
4666 .Digest(Digest::SHA_2_256)
4667 .Authorization(TAG_MIN_MAC_LENGTH, 256),
4668 KeyFormat::RAW, key));
4669
4670 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
4671 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4672 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4673 CheckOrigin();
4674
4675 string message = "Hello World!";
4676 string signature = MacMessage(message, Digest::SHA_2_256, 256);
4677 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
4678}
4679
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]4680/*
4681 * ImportKeyTest.GetKeyCharacteristics
4682 *
4683 * Verifies that imported keys have the correct characteristics.
4684 */
4685TEST_P(ImportKeyTest, GetKeyCharacteristics) {
4686 vector<uint8_t> key_blob;
4687 vector<KeyCharacteristics> key_characteristics;
4688 auto base_builder = AuthorizationSetBuilder()
4689 .Padding(PaddingMode::NONE)
4690 .Authorization(TAG_NO_AUTH_REQUIRED)
4691 .SetDefaultValidity();
4692 vector<Algorithm> algorithms = {Algorithm::RSA, Algorithm::EC, Algorithm::HMAC, Algorithm::AES,
4693 Algorithm::TRIPLE_DES};
4694 ErrorCode result;
4695 string symKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98"); // 128 bits
4696 string tdesKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358"); // 192 bits
4697 for (auto alg : algorithms) {
4698 SCOPED_TRACE(testing::Message() << "Algorithm-" << alg);
4699 AuthorizationSetBuilder builder(base_builder);
4700 switch (alg) {
4701 case Algorithm::RSA:
4702 builder.RsaSigningKey(2048, 65537).Digest(Digest::NONE);
4703
4704 result = ImportKey(builder, KeyFormat::PKCS8, rsa_2048_key, &key_blob,
4705 &key_characteristics);
4706 break;
4707 case Algorithm::EC:
4708 builder.EcdsaSigningKey(EcCurve::P_256).Digest(Digest::NONE);
4709 result = ImportKey(builder, KeyFormat::PKCS8, ec_256_key, &key_blob,
4710 &key_characteristics);
4711 break;
4712 case Algorithm::HMAC:
4713 builder.HmacKey(128)
4714 .Digest(Digest::SHA_2_256)
4715 .Authorization(TAG_MIN_MAC_LENGTH, 128);
4716 result =
4717 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4718 break;
4719 case Algorithm::AES:
4720 builder.AesEncryptionKey(128).BlockMode(BlockMode::ECB);
4721 result =
4722 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4723 break;
4724 case Algorithm::TRIPLE_DES:
4725 builder.TripleDesEncryptionKey(168).BlockMode(BlockMode::ECB);
4726 result = ImportKey(builder, KeyFormat::RAW, tdesKey, &key_blob,
4727 &key_characteristics);
4728 break;
4729 default:
4730 ADD_FAILURE() << "Invalid Algorithm " << uint32_t(alg);
4731 continue;
4732 }
4733 ASSERT_EQ(ErrorCode::OK, result);
4734 CheckCharacteristics(key_blob, key_characteristics);
4735 CheckCommonParams(key_characteristics, KeyOrigin::IMPORTED);
4736 }
4737}
4738
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4739/*
4740 * ImportKeyTest.RsaOaepMGFDigestSuccess
4741 *
4742 * Include MGF-Digest explicitly in import key authorization list.
4743 * Test should import RSA key with OAEP padding and mgf-digests and verify that imported key
4744 * should have the correct characteristics.
4745 */
4746TEST_P(ImportKeyTest, RsaOaepMGFDigestSuccess) {
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]4747 // There was no test to assert that MGF1 digest was present in generated/imported key
4748 // characteristics before Keymint V3, so there are some Keymint implementations where
4749 // this test case fails(b/297306437), hence this test is skipped for Keymint < 3.
4750 if (AidlVersion() < 3) {
4751 GTEST_SKIP() << "Test not applicable to Keymint < V3";
4752 }
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4753 auto mgf_digests = ValidDigests(false /* withNone */, true /* withMD5 */);
4754 size_t key_size = 2048;
4755
4756 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4757 .OaepMGFDigest(mgf_digests)
4758 .Authorization(TAG_NO_AUTH_REQUIRED)
4759 .RsaEncryptionKey(key_size, 65537)
4760 .Digest(Digest::SHA_2_256)
4761 .Padding(PaddingMode::RSA_OAEP)
4762 .SetDefaultValidity(),
4763 KeyFormat::PKCS8, rsa_2048_key));
4764
4765 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4766 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4767 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4768 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4769 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_OAEP);
4770 CheckOrigin();
4771
4772 // Make sure explicitly specified mgf-digests exist in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]4773 assert_mgf_digests_present_or_not_in_key_characteristics(mgf_digests, true);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4774
4775 string message = "Hello";
4776
4777 for (auto digest : mgf_digests) {
4778 SCOPED_TRACE(testing::Message() << "digest-" << digest);
4779 auto params = AuthorizationSetBuilder()
4780 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
4781 .Digest(Digest::SHA_2_256)
4782 .Padding(PaddingMode::RSA_OAEP);
4783 string ciphertext1 = LocalRsaEncryptMessage(message, params);
4784 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4785 EXPECT_EQ(key_size / 8, ciphertext1.size());
4786
4787 string ciphertext2 = LocalRsaEncryptMessage(message, params);
4788 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4789 EXPECT_EQ(key_size / 8, ciphertext2.size());
4790
4791 // OAEP randomizes padding so every result should be different (with astronomically high
4792 // probability).
4793 EXPECT_NE(ciphertext1, ciphertext2);
4794
4795 string plaintext1 = DecryptMessage(ciphertext1, params);
4796 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
4797 string plaintext2 = DecryptMessage(ciphertext2, params);
4798 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
4799
4800 // Decrypting corrupted ciphertext should fail.
4801 size_t offset_to_corrupt = ciphertext1.size() - 1;
4802 char corrupt_byte = ~ciphertext1[offset_to_corrupt];
4803 ciphertext1[offset_to_corrupt] = corrupt_byte;
4804
4805 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4806 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]4807 EXPECT_NE(ErrorCode::OK, Finish(ciphertext1, &result));
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4808 EXPECT_EQ(0U, result.size());
4809 }
4810}
4811
4812/*
4813 * ImportKeyTest.RsaOaepMGFDigestDefaultSuccess
4814 *
4815 * Don't specify MGF-Digest explicitly in import key authorization list.
4816 * Test should import RSA key with OAEP padding and default mgf-digest (SHA1) and
4817 * verify that imported key should have the correct characteristics. Default
4818 * mgf-digest shouldn't be included in key charecteristics.
4819 */
4820TEST_P(ImportKeyTest, RsaOaepMGFDigestDefaultSuccess) {
4821 size_t key_size = 2048;
4822 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4823 .Authorization(TAG_NO_AUTH_REQUIRED)
4824 .RsaEncryptionKey(key_size, 65537)
4825 .Digest(Digest::SHA_2_256)
4826 .Padding(PaddingMode::RSA_OAEP)
4827 .SetDefaultValidity(),
4828 KeyFormat::PKCS8, rsa_2048_key));
4829
4830 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4831 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4832 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4833 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4834 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_OAEP);
4835 CheckOrigin();
4836
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]4837 vector defaultDigest = {Digest::SHA1};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4838 // Make sure default mgf-digest (SHA1) is not included in Key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]4839 assert_mgf_digests_present_or_not_in_key_characteristics(defaultDigest, false);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]4840}
4841
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4842INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
4843
4844auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4845 // IKeyMintDevice.aidl
4846 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4847 "020100" // INTEGER length 1 value 0x00 (version)
4848 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4849 "934bf94e2aa28a3f83c9f79297250262"
4850 "fbe3276b5a1c91159bbfa3ef8957aac8"
4851 "4b59b30b455a79c2973480823d8b3863"
4852 "c3deef4a8e243590268d80e18751a0e1"
4853 "30f67ce6a1ace9f79b95e097474febc9"
4854 "81195b1d13a69086c0863f66a7b7fdb4"
4855 "8792227b1ac5e2489febdf087ab54864"
4856 "83033a6f001ca5d1ec1e27f5c30f4cec"
4857 "2642074a39ae68aee552e196627a8e3d"
4858 "867e67a8c01b11e75f13cca0a97ab668"
4859 "b50cda07a8ecb7cd8e3dd7009c963653"
4860 "4f6f239cffe1fc8daa466f78b676c711"
4861 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
4862 "99b801597d5220e307eaa5bee507fb94"
4863 "d1fa69f9e519b2de315bac92c36f2ea1"
4864 "fa1df4478c0ddedeae8c70e0233cd098"
4865 "040c" // OCTET STRING length 0x0c (initializationVector)
4866 "d796b02c370f1fa4cc0124f1"
4867 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4868 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4869 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4870 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4871 "3106" // SET length 0x06
4872 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4873 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4874 // } end SET
4875 // } end [1]
4876 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4877 "020120" // INTEGER length 1 value 0x20 (AES)
4878 // } end [2]
4879 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4880 "02020100" // INTEGER length 2 value 0x100
4881 // } end [3]
4882 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
4883 "3103" // SET length 0x03 {
4884 "020101" // INTEGER length 1 value 0x01 (ECB)
4885 // } end SET
4886 // } end [4]
4887 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4888 "3103" // SET length 0x03 {
4889 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4890 // } end SET
4891 // } end [5]
4892 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4893 // (noAuthRequired)
4894 "0500" // NULL
4895 // } end [503]
4896 // } end SEQUENCE (AuthorizationList)
4897 // } end SEQUENCE (KeyDescription)
4898 "0420" // OCTET STRING length 0x20 (encryptedKey)
4899 "ccd540855f833a5e1480bfd2d36faf3a"
4900 "eee15df5beabe2691bc82dde2a7aa910"
4901 "0410" // OCTET STRING length 0x10 (tag)
4902 "64c9f689c60ff6223ab6e6999e0eb6e5"
4903 // } SEQUENCE (SecureKeyWrapper)
4904);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4905
4906auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4907 // IKeyMintDevice.aidl
4908 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4909 "020100" // INTEGER length 1 value 0x00 (version)
4910 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4911 "aad93ed5924f283b4bb5526fbe7a1412"
4912 "f9d9749ec30db9062b29e574a8546f33"
4913 "c88732452f5b8e6a391ee76c39ed1712"
4914 "c61d8df6213dec1cffbc17a8c6d04c7b"
4915 "30893d8daa9b2015213e219468215532"
4916 "07f8f9931c4caba23ed3bee28b36947e"
4917 "47f10e0a5c3dc51c988a628daad3e5e1"
4918 "f4005e79c2d5a96c284b4b8d7e4948f3"
4919 "31e5b85dd5a236f85579f3ea1d1b8484"
4920 "87470bdb0ab4f81a12bee42c99fe0df4"
4921 "bee3759453e69ad1d68a809ce06b949f"
4922 "7694a990429b2fe81e066ff43e56a216"
4923 "02db70757922a4bcc23ab89f1e35da77"
4924 "586775f423e519c2ea394caf48a28d0c"
4925 "8020f1dcf6b3a68ec246f615ae96dae9"
4926 "a079b1f6eb959033c1af5c125fd94168"
4927 "040c" // OCTET STRING length 0x0c (initializationVector)
4928 "6d9721d08589581ab49204a3"
4929 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4930 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4931 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4932 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4933 "3106" // SET length 0x06
4934 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4935 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4936 // } end SET
4937 // } end [1]
4938 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4939 "020120" // INTEGER length 1 value 0x20 (AES)
4940 // } end [2]
4941 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4942 "02020100" // INTEGER length 2 value 0x100
4943 // } end [3]
4944 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
4945 "3103" // SET length 0x03 {
4946 "020101" // INTEGER length 1 value 0x01 (ECB)
4947 // } end SET
4948 // } end [4]
4949 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4950 "3103" // SET length 0x03 {
4951 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4952 // } end SET
4953 // } end [5]
4954 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4955 // (noAuthRequired)
4956 "0500" // NULL
4957 // } end [503]
4958 // } end SEQUENCE (AuthorizationList)
4959 // } end SEQUENCE (KeyDescription)
4960 "0420" // OCTET STRING length 0x20 (encryptedKey)
4961 "a61c6e247e25b3e6e69aa78eb03c2d4a"
4962 "c20d1f99a9a024a76f35c8e2cab9b68d"
4963 "0410" // OCTET STRING length 0x10 (tag)
4964 "2560c70109ae67c030f00b98b512a670"
4965 // } SEQUENCE (SecureKeyWrapper)
4966);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4967
4968auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4969 // RFC 5208 s5
4970 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
4971 "020100" // INTEGER length 1 value 0x00 (version)
4972 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
4973 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
4974 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
4975 "0500" // NULL (parameters)
4976 // } SEQUENCE (AlgorithmIdentifier)
4977 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
4978 // RFC 8017 A.1.2
4979 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
4980 "020100" // INTEGER length 1 value 0x00 (version)
4981 "02820101" // INTEGER length 0x0101 (modulus) value...
4982 "00aec367931d8900ce56b0067f7d70e1" // 0x10
4983 "fc653f3f34d194c1fed50018fb43db93" // 0x20
4984 "7b06e673a837313d56b1c725150a3fef" // 0x30
4985 "86acbddc41bb759c2854eae32d35841e" // 0x40
4986 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
4987 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
4988 "312d7bd5921ffaea1347c157406fef71" // 0x70
4989 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
4990 "f4645c11f5c1374c3886427411c44979" // 0x90
4991 "6792e0bef75dec858a2123c36753e02a" // 0xa0
4992 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
4993 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
4994 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
4995 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
4996 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
4997 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
4998 "55" // 0x101
4999 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
5000 "02820100" // INTEGER length 0x100 (privateExponent) value...
5001 "431447b6251908112b1ee76f99f3711a" // 0x10
5002 "52b6630960046c2de70de188d833f8b8" // 0x20
5003 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
5004 "641f7fe24f14c67a88959bdb27766df9" // 0x40
5005 "e710b630a03adc683b5d2c43080e52be" // 0x50
5006 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
5007 "822bccff087d63c940ba8a45f670feb2" // 0x70
5008 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
5009 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
5010 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
5011 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
5012 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
5013 "52659d5a5ba05b663737a8696281865b" // 0xd0
5014 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
5015 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
5016 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
5017 "028181" // INTEGER length 0x81 (prime1) value...
5018 "00de392e18d682c829266cc3454e1d61" // 0x10
5019 "66242f32d9a1d10577753e904ea7d08b" // 0x20
5020 "ff841be5bac82a164c5970007047b8c5" // 0x30
5021 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
5022 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
5023 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
5024 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
5025 "9e91346130748a6e3c124f9149d71c74" // 0x80
5026 "35"
5027 "028181" // INTEGER length 0x81 (prime2) value...
5028 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
5029 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
5030 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
5031 "7349db6c4a95affdae0dae612e1afac9" // 0x40
5032 "9ed39a2d934c880440aed8832f984316" // 0x50
5033 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
5034 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
5035 "b880677c068e1be936e81288815252a8" // 0x80
5036 "a1"
5037 "028180" // INTEGER length 0x80 (exponent1) value...
5038 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
5039 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
5040 "5a063212a4f105a3764743e53281988a" // 0x30
5041 "ba073f6e0027298e1c4378556e0efca0" // 0x40
5042 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
5043 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
5044 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
5045 "4719d6e2b9439823719cd08bcd031781" // 0x80
5046 "028181" // INTEGER length 0x81 (exponent2) value...
5047 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
5048 "1241acc607976c4ddccc90e65b6556ca" // 0x20
5049 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
5050 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
5051 "1254186af30b22c10582a8a43e34fe94" // 0x50
5052 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
5053 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
5054 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
5055 "61"
5056 "028181" // INTEGER length 0x81 (coefficient) value...
5057 "00c931617c77829dfb1270502be9195c" // 0x10
5058 "8f2830885f57dba869536811e6864236" // 0x20
5059 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
5060 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
5061 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
5062 "959356210723287b0affcc9f727044d4" // 0x60
5063 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
5064 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
5065 "22"
5066 // } SEQUENCE
5067 // } SEQUENCE ()
5068);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5069
5070string zero_masking_key =
5071 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
5072string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
5073
5074class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
5075
5076TEST_P(ImportWrappedKeyTest, Success) {
5077 auto wrapping_key_desc = AuthorizationSetBuilder()
5078 .RsaEncryptionKey(2048, 65537)
5079 .Digest(Digest::SHA_2_256)
5080 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5081 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5082 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5083
5084 ASSERT_EQ(ErrorCode::OK,
5085 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5086 AuthorizationSetBuilder()
5087 .Digest(Digest::SHA_2_256)
5088 .Padding(PaddingMode::RSA_OAEP)));
5089
5090 string message = "Hello World!";
5091 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5092 string ciphertext = EncryptMessage(message, params);
5093 string plaintext = DecryptMessage(ciphertext, params);
5094 EXPECT_EQ(message, plaintext);
5095}
5096
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5097/*
5098 * ImportWrappedKeyTest.SuccessSidsIgnored
5099 *
5100 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
5101 * include Tag:USER_SECURE_ID.
5102 */
5103TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
5104 auto wrapping_key_desc = AuthorizationSetBuilder()
5105 .RsaEncryptionKey(2048, 65537)
5106 .Digest(Digest::SHA_2_256)
5107 .Padding(PaddingMode::RSA_OAEP)
5108 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5109 .SetDefaultValidity();
5110
5111 int64_t password_sid = 42;
5112 int64_t biometric_sid = 24;
5113 ASSERT_EQ(ErrorCode::OK,
5114 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5115 AuthorizationSetBuilder()
5116 .Digest(Digest::SHA_2_256)
5117 .Padding(PaddingMode::RSA_OAEP),
5118 password_sid, biometric_sid));
5119
5120 string message = "Hello World!";
5121 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5122 string ciphertext = EncryptMessage(message, params);
5123 string plaintext = DecryptMessage(ciphertext, params);
5124 EXPECT_EQ(message, plaintext);
5125}
5126
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5127TEST_P(ImportWrappedKeyTest, SuccessMasked) {
5128 auto wrapping_key_desc = AuthorizationSetBuilder()
5129 .RsaEncryptionKey(2048, 65537)
5130 .Digest(Digest::SHA_2_256)
5131 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5132 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5133 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5134
5135 ASSERT_EQ(ErrorCode::OK,
5136 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
5137 AuthorizationSetBuilder()
5138 .Digest(Digest::SHA_2_256)
5139 .Padding(PaddingMode::RSA_OAEP)));
5140}
5141
5142TEST_P(ImportWrappedKeyTest, WrongMask) {
5143 auto wrapping_key_desc = AuthorizationSetBuilder()
5144 .RsaEncryptionKey(2048, 65537)
5145 .Digest(Digest::SHA_2_256)
5146 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5147 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5148 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5149
5150 ASSERT_EQ(
5151 ErrorCode::VERIFICATION_FAILED,
5152 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5153 AuthorizationSetBuilder()
5154 .Digest(Digest::SHA_2_256)
5155 .Padding(PaddingMode::RSA_OAEP)));
5156}
5157
5158TEST_P(ImportWrappedKeyTest, WrongPurpose) {
5159 auto wrapping_key_desc = AuthorizationSetBuilder()
5160 .RsaEncryptionKey(2048, 65537)
5161 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5162 .Padding(PaddingMode::RSA_OAEP)
5163 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5164
5165 ASSERT_EQ(
5166 ErrorCode::INCOMPATIBLE_PURPOSE,
5167 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5168 AuthorizationSetBuilder()
5169 .Digest(Digest::SHA_2_256)
5170 .Padding(PaddingMode::RSA_OAEP)));
5171}
5172
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5173TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
5174 auto wrapping_key_desc = AuthorizationSetBuilder()
5175 .RsaEncryptionKey(2048, 65537)
5176 .Digest(Digest::SHA_2_256)
5177 .Padding(PaddingMode::RSA_PSS)
5178 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5179 .SetDefaultValidity();
5180
5181 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
5182 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5183 AuthorizationSetBuilder()
5184 .Digest(Digest::SHA_2_256)
5185 .Padding(PaddingMode::RSA_OAEP)));
5186}
5187
5188TEST_P(ImportWrappedKeyTest, WrongDigest) {
5189 auto wrapping_key_desc = AuthorizationSetBuilder()
5190 .RsaEncryptionKey(2048, 65537)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5191 .Padding(PaddingMode::RSA_OAEP)
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5192 .Digest(Digest::SHA_2_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5193 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5194 .SetDefaultValidity();
5195
5196 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
5197 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5198 AuthorizationSetBuilder()
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5199 .Digest(Digest::SHA_2_512)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5200 .Padding(PaddingMode::RSA_OAEP)));
5201}
5202
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5203INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
5204
5205typedef KeyMintAidlTestBase EncryptionOperationsTest;
5206
5207/*
5208 * EncryptionOperationsTest.RsaNoPaddingSuccess
5209 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5210 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5211 */
5212TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]5213 for (uint64_t exponent : ValidExponents()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5214 SCOPED_TRACE(testing::Message() << "RSA exponent=" << exponent);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5215 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5216 .Authorization(TAG_NO_AUTH_REQUIRED)
5217 .RsaEncryptionKey(2048, exponent)
5218 .Padding(PaddingMode::NONE)
5219 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5220
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5221 string message = string(2048 / 8, 'a');
5222 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5223 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5224 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5225
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5226 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5227 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5228
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5229 // Unpadded RSA is deterministic
5230 EXPECT_EQ(ciphertext1, ciphertext2);
5231
5232 CheckedDeleteKey();
5233 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5234}
5235
5236/*
5237 * EncryptionOperationsTest.RsaNoPaddingShortMessage
5238 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5239 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5240 */
5241TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
5242 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5243 .Authorization(TAG_NO_AUTH_REQUIRED)
5244 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5245 .Padding(PaddingMode::NONE)
5246 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5247
5248 string message = "1";
5249 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
5250
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5251 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5252 EXPECT_EQ(2048U / 8, ciphertext.size());
5253
5254 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
5255 string plaintext = DecryptMessage(ciphertext, params);
5256
5257 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5258}
5259
5260/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5261 * EncryptionOperationsTest.RsaOaepSuccess
5262 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5263 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5264 */
5265TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
5266 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5267 auto mgf_digest = vector{Digest::SHA1};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5268
5269 size_t key_size = 2048; // Need largish key for SHA-512 test.
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5270 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5271 .Authorization(TAG_NO_AUTH_REQUIRED)
5272 .RsaEncryptionKey(key_size, 65537)
5273 .Padding(PaddingMode::RSA_OAEP)
5274 .Digest(digests)
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5275 .OaepMGFDigest(mgf_digest)
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5276 .SetDefaultValidity()));
5277
5278 // Make sure explicitly specified mgf-digest exist in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5279 assert_mgf_digests_present_or_not_in_key_characteristics(mgf_digest, true);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5280
5281 string message = "Hello";
5282
5283 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5284 SCOPED_TRACE(testing::Message() << "digest-" << digest);
5285
5286 auto params = AuthorizationSetBuilder()
5287 .Digest(digest)
5288 .Padding(PaddingMode::RSA_OAEP)
5289 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
5290 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5291 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5292 EXPECT_EQ(key_size / 8, ciphertext1.size());
5293
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5294 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5295 EXPECT_EQ(key_size / 8, ciphertext2.size());
5296
5297 // OAEP randomizes padding so every result should be different (with astronomically high
5298 // probability).
5299 EXPECT_NE(ciphertext1, ciphertext2);
5300
5301 string plaintext1 = DecryptMessage(ciphertext1, params);
5302 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5303 string plaintext2 = DecryptMessage(ciphertext2, params);
5304 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5305
5306 // Decrypting corrupted ciphertext should fail.
5307 size_t offset_to_corrupt = random() % ciphertext1.size();
5308 char corrupt_byte;
5309 do {
5310 corrupt_byte = static_cast<char>(random() % 256);
5311 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5312 ciphertext1[offset_to_corrupt] = corrupt_byte;
5313
5314 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5315 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]5316 EXPECT_NE(ErrorCode::OK, Finish(ciphertext1, &result));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5317 EXPECT_EQ(0U, result.size());
5318 }
5319}
5320
5321/*
5322 * EncryptionOperationsTest.RsaOaepInvalidDigest
5323 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5324 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5325 * without a digest.
5326 */
5327TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
5328 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5329 .Authorization(TAG_NO_AUTH_REQUIRED)
5330 .RsaEncryptionKey(2048, 65537)
5331 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5332 .Digest(Digest::NONE)
5333 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5334
5335 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5336 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5337}
5338
5339/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5340 * EncryptionOperationsTest.RsaOaepInvalidPadding
5341 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5342 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5343 * with a padding value that is only suitable for signing/verifying.
5344 */
5345TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
5346 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5347 .Authorization(TAG_NO_AUTH_REQUIRED)
5348 .RsaEncryptionKey(2048, 65537)
5349 .Padding(PaddingMode::RSA_PSS)
5350 .Digest(Digest::NONE)
5351 .SetDefaultValidity()));
5352
5353 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5354 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5355}
5356
5357/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5358 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5359 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5360 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5361 * with a different digest than was used to encrypt.
5362 */
5363TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5364 if (SecLevel() == SecurityLevel::STRONGBOX) {
5365 GTEST_SKIP() << "Test not applicable to StrongBox device";
5366 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5367
5368 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5369 .Authorization(TAG_NO_AUTH_REQUIRED)
5370 .RsaEncryptionKey(1024, 65537)
5371 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5372 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
5373 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5374 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5375 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5376 message,
5377 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
5378
5379 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5380 .Digest(Digest::SHA_2_256)
5381 .Padding(PaddingMode::RSA_OAEP)));
5382 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]5383 EXPECT_NE(ErrorCode::OK, Finish(ciphertext, &result));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5384 EXPECT_EQ(0U, result.size());
5385}
5386
5387/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5388 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
5389 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5390 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5391 * digests.
5392 */
5393TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
5394 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5395
5396 size_t key_size = 2048; // Need largish key for SHA-512 test.
5397 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5398 .OaepMGFDigest(digests)
5399 .Authorization(TAG_NO_AUTH_REQUIRED)
5400 .RsaEncryptionKey(key_size, 65537)
5401 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5402 .Digest(Digest::SHA_2_256)
5403 .SetDefaultValidity()));
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5404 if (AidlVersion() >= 3) {
5405 std::vector<Digest> mgf1DigestsInAuths;
5406 mgf1DigestsInAuths.reserve(digests.size());
5407 const auto& hw_auths = SecLevelAuthorizations(key_characteristics_);
5408 std::for_each(hw_auths.begin(), hw_auths.end(), [&](auto& param) {
5409 if (param.tag == Tag::RSA_OAEP_MGF_DIGEST) {
5410 KeyParameterValue value = param.value;
5411 mgf1DigestsInAuths.push_back(param.value.template get<KeyParameterValue::digest>());
5412 }
5413 });
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5414
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5415 std::sort(digests.begin(), digests.end());
5416 std::sort(mgf1DigestsInAuths.begin(), mgf1DigestsInAuths.end());
5417 EXPECT_EQ(digests, mgf1DigestsInAuths);
5418 }
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5419 string message = "Hello";
5420
5421 for (auto digest : digests) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5422 SCOPED_TRACE(testing::Message() << "digest-" << digest);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5423 auto params = AuthorizationSetBuilder()
5424 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
5425 .Digest(Digest::SHA_2_256)
5426 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5427 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5428 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5429 EXPECT_EQ(key_size / 8, ciphertext1.size());
5430
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5431 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5432 EXPECT_EQ(key_size / 8, ciphertext2.size());
5433
5434 // OAEP randomizes padding so every result should be different (with astronomically high
5435 // probability).
5436 EXPECT_NE(ciphertext1, ciphertext2);
5437
5438 string plaintext1 = DecryptMessage(ciphertext1, params);
5439 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5440 string plaintext2 = DecryptMessage(ciphertext2, params);
5441 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5442
5443 // Decrypting corrupted ciphertext should fail.
5444 size_t offset_to_corrupt = random() % ciphertext1.size();
5445 char corrupt_byte;
5446 do {
5447 corrupt_byte = static_cast<char>(random() % 256);
5448 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5449 ciphertext1[offset_to_corrupt] = corrupt_byte;
5450
5451 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5452 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]5453 EXPECT_NE(ErrorCode::OK, Finish(ciphertext1, &result));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5454 EXPECT_EQ(0U, result.size());
5455 }
5456}
5457
5458/*
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5459 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultSuccess
5460 *
5461 * Verifies that RSA-OAEP decryption operations work when no MGF digest is
5462 * specified, defaulting to SHA-1.
5463 */
5464TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultSuccess) {
5465 size_t key_size = 2048;
5466 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5467 .Authorization(TAG_NO_AUTH_REQUIRED)
5468 .RsaEncryptionKey(key_size, 65537)
5469 .Padding(PaddingMode::RSA_OAEP)
5470 .Digest(Digest::SHA_2_256)
5471 .SetDefaultValidity()));
5472
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5473 vector defaultDigest = vector{Digest::SHA1};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5474 // Make sure default mgf-digest (SHA1) is not included in Key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5475 assert_mgf_digests_present_or_not_in_key_characteristics(defaultDigest, false);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5476
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5477 // Do local RSA encryption using the default MGF digest of SHA-1.
5478 string message = "Hello";
5479 auto params =
5480 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5481 string ciphertext = LocalRsaEncryptMessage(message, params);
5482 EXPECT_EQ(key_size / 8, ciphertext.size());
5483
5484 // Do KeyMint RSA decryption also using the default MGF digest of SHA-1.
5485 string plaintext = DecryptMessage(ciphertext, params);
5486 EXPECT_EQ(message, plaintext) << "RSA-OAEP failed with default digest";
5487
5488 // Decrypting corrupted ciphertext should fail.
5489 size_t offset_to_corrupt = random() % ciphertext.size();
5490 char corrupt_byte;
5491 do {
5492 corrupt_byte = static_cast<char>(random() % 256);
5493 } while (corrupt_byte == ciphertext[offset_to_corrupt]);
5494 ciphertext[offset_to_corrupt] = corrupt_byte;
5495
5496 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5497 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]5498 EXPECT_NE(ErrorCode::OK, Finish(ciphertext, &result));
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5499 EXPECT_EQ(0U, result.size());
5500}
5501
5502/*
5503 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultFail
5504 *
5505 * Verifies that RSA-OAEP decryption operations fail when no MGF digest is
5506 * specified on begin (thus defaulting to SHA-1), but the key characteristics
5507 * has an explicit set of values for MGF_DIGEST that do not contain SHA-1.
5508 */
5509TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultFail) {
5510 size_t key_size = 2048;
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5511 auto mgf_digest = vector{Digest::SHA_2_256};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5512 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5513 .Authorization(TAG_NO_AUTH_REQUIRED)
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5514 .OaepMGFDigest(mgf_digest)
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5515 .RsaEncryptionKey(key_size, 65537)
5516 .Padding(PaddingMode::RSA_OAEP)
5517 .Digest(Digest::SHA_2_256)
5518 .SetDefaultValidity()));
5519
5520 // Make sure explicitly specified mgf-digest exist in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5521 assert_mgf_digests_present_or_not_in_key_characteristics(mgf_digest, true);
5522 vector defaultDigest = vector{Digest::SHA1};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5523 // Make sure default mgf-digest is not included in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5524 assert_mgf_digests_present_or_not_in_key_characteristics(defaultDigest, false);
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5525
5526 // Do local RSA encryption using the default MGF digest of SHA-1.
5527 string message = "Hello";
5528 auto params =
5529 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5530 string ciphertext = LocalRsaEncryptMessage(message, params);
5531 EXPECT_EQ(key_size / 8, ciphertext.size());
5532
5533 // begin() params do not include MGF_DIGEST, so a default of SHA1 is assumed.
5534 // Key characteristics *do* include values for MGF_DIGEST, so the SHA1 value
5535 // is checked against those values, and found absent.
5536 auto result = Begin(KeyPurpose::DECRYPT, params);
5537 EXPECT_TRUE(result == ErrorCode::UNSUPPORTED_MGF_DIGEST ||
5538 result == ErrorCode::INCOMPATIBLE_MGF_DIGEST);
5539}
5540
5541/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5542 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
5543 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5544 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5545 * with incompatible MGF digest.
5546 */
5547TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5548 auto mgf_digest = vector{Digest::SHA_2_256};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5549 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5550 .OaepMGFDigest(mgf_digest)
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5551 .Authorization(TAG_NO_AUTH_REQUIRED)
5552 .RsaEncryptionKey(2048, 65537)
5553 .Padding(PaddingMode::RSA_OAEP)
5554 .Digest(Digest::SHA_2_256)
5555 .SetDefaultValidity()));
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5556
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5557 // Make sure explicitly specified mgf-digest exist in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5558 assert_mgf_digests_present_or_not_in_key_characteristics(mgf_digest, true);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5559
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5560 string message = "Hello World!";
5561
5562 auto params = AuthorizationSetBuilder()
5563 .Padding(PaddingMode::RSA_OAEP)
5564 .Digest(Digest::SHA_2_256)
5565 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5566 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5567}
5568
5569/*
5570 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
5571 *
5572 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
5573 * with unsupported MGF digest.
5574 */
5575TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5576 auto mgf_digest = vector{Digest::SHA_2_256};
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5577 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5578 .OaepMGFDigest(mgf_digest)
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5579 .Authorization(TAG_NO_AUTH_REQUIRED)
5580 .RsaEncryptionKey(2048, 65537)
5581 .Padding(PaddingMode::RSA_OAEP)
5582 .Digest(Digest::SHA_2_256)
5583 .SetDefaultValidity()));
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5584
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5585 // Make sure explicitly specified mgf-digest exist in key characteristics.
Prashant Patil2114dca2023-09-21 14:57:10 +0000[diff] [blame]5586 assert_mgf_digests_present_or_not_in_key_characteristics(mgf_digest, true);
Rajesh Nyamagoud7b9ae3c2023-04-27 00:43:16 +0000[diff] [blame]5587
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5588 string message = "Hello World!";
5589
5590 auto params = AuthorizationSetBuilder()
5591 .Padding(PaddingMode::RSA_OAEP)
5592 .Digest(Digest::SHA_2_256)
5593 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5594 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5595}
5596
5597/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5598 * EncryptionOperationsTest.RsaPkcs1Success
5599 *
5600 * Verifies that RSA PKCS encryption/decrypts works.
5601 */
5602TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
5603 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5604 .Authorization(TAG_NO_AUTH_REQUIRED)
5605 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5606 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
5607 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5608
5609 string message = "Hello World!";
5610 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5611 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5612 EXPECT_EQ(2048U / 8, ciphertext1.size());
5613
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5614 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5615 EXPECT_EQ(2048U / 8, ciphertext2.size());
5616
5617 // PKCS1 v1.5 randomizes padding so every result should be different.
5618 EXPECT_NE(ciphertext1, ciphertext2);
5619
5620 string plaintext = DecryptMessage(ciphertext1, params);
5621 EXPECT_EQ(message, plaintext);
5622
5623 // Decrypting corrupted ciphertext should fail.
5624 size_t offset_to_corrupt = random() % ciphertext1.size();
5625 char corrupt_byte;
5626 do {
5627 corrupt_byte = static_cast<char>(random() % 256);
5628 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5629 ciphertext1[offset_to_corrupt] = corrupt_byte;
5630
5631 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5632 string result;
Tri Vo7b565c42023-09-20 19:17:07 -0400[diff] [blame]5633 EXPECT_NE(ErrorCode::OK, Finish(ciphertext1, &result));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5634 EXPECT_EQ(0U, result.size());
5635}
5636
5637/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5638 * EncryptionOperationsTest.EcdsaEncrypt
5639 *
5640 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
5641 */
5642TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
5643 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5644 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]5645 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5646 .Digest(Digest::NONE)
5647 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5648 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
5649 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5650 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5651}
5652
5653/*
5654 * EncryptionOperationsTest.HmacEncrypt
5655 *
5656 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
5657 */
5658TEST_P(EncryptionOperationsTest, HmacEncrypt) {
5659 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5660 .Authorization(TAG_NO_AUTH_REQUIRED)
5661 .HmacKey(128)
5662 .Digest(Digest::SHA_2_256)
5663 .Padding(PaddingMode::NONE)
5664 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5665 auto params = AuthorizationSetBuilder()
5666 .Digest(Digest::SHA_2_256)
5667 .Padding(PaddingMode::NONE)
5668 .Authorization(TAG_MAC_LENGTH, 128);
5669 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5670 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5671}
5672
5673/*
5674 * EncryptionOperationsTest.AesEcbRoundTripSuccess
5675 *
5676 * Verifies that AES ECB mode works.
5677 */
5678TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
5679 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5680 .Authorization(TAG_NO_AUTH_REQUIRED)
5681 .AesEncryptionKey(128)
5682 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5683 .Padding(PaddingMode::NONE)));
5684
5685 ASSERT_GT(key_blob_.size(), 0U);
5686 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5687
5688 // Two-block message.
5689 string message = "12345678901234567890123456789012";
5690 string ciphertext1 = EncryptMessage(message, params);
5691 EXPECT_EQ(message.size(), ciphertext1.size());
5692
5693 string ciphertext2 = EncryptMessage(string(message), params);
5694 EXPECT_EQ(message.size(), ciphertext2.size());
5695
5696 // ECB is deterministic.
5697 EXPECT_EQ(ciphertext1, ciphertext2);
5698
5699 string plaintext = DecryptMessage(ciphertext1, params);
5700 EXPECT_EQ(message, plaintext);
5701}
5702
5703/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5704 * EncryptionOperationsTest.AesEcbUnknownTag
5705 *
5706 * Verifies that AES ECB operations ignore unknown tags.
5707 */
5708TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
5709 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
5710 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
5711 KeyParameter unknown_param;
5712 unknown_param.tag = unknown_tag;
5713
5714 vector<KeyCharacteristics> key_characteristics;
5715 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5716 .Authorization(TAG_NO_AUTH_REQUIRED)
5717 .AesEncryptionKey(128)
5718 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5719 .Padding(PaddingMode::NONE)
5720 .Authorization(unknown_param),
5721 &key_blob_, &key_characteristics));
5722 ASSERT_GT(key_blob_.size(), 0U);
5723
5724 // Unknown tags should not be returned in key characteristics.
5725 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
5726 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
5727 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
5728 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
5729
5730 // Encrypt without mentioning the unknown parameter.
5731 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5732 string message = "12345678901234567890123456789012";
5733 string ciphertext = EncryptMessage(message, params);
5734 EXPECT_EQ(message.size(), ciphertext.size());
5735
5736 // Decrypt including the unknown parameter.
5737 auto decrypt_params = AuthorizationSetBuilder()
5738 .BlockMode(BlockMode::ECB)
5739 .Padding(PaddingMode::NONE)
5740 .Authorization(unknown_param);
5741 string plaintext = DecryptMessage(ciphertext, decrypt_params);
5742 EXPECT_EQ(message, plaintext);
5743}
5744
5745/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5746 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5747 *
5748 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
5749 */
5750TEST_P(EncryptionOperationsTest, AesWrongMode) {
5751 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5752 .Authorization(TAG_NO_AUTH_REQUIRED)
5753 .AesEncryptionKey(128)
5754 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5755 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5756 ASSERT_GT(key_blob_.size(), 0U);
5757
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5758 EXPECT_EQ(
5759 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
5760 Begin(KeyPurpose::ENCRYPT,
5761 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
5762}
5763
5764/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5765 * EncryptionOperationsTest.AesWrongPadding
5766 *
5767 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
5768 */
5769TEST_P(EncryptionOperationsTest, AesWrongPadding) {
5770 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5771 .Authorization(TAG_NO_AUTH_REQUIRED)
5772 .AesEncryptionKey(128)
5773 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5774 .Padding(PaddingMode::NONE)));
5775 ASSERT_GT(key_blob_.size(), 0U);
5776
5777 EXPECT_EQ(
5778 ErrorCode::INCOMPATIBLE_PADDING_MODE,
5779 Begin(KeyPurpose::ENCRYPT,
5780 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
5781}
5782
5783/*
5784 * EncryptionOperationsTest.AesInvalidParams
5785 *
5786 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
5787 */
5788TEST_P(EncryptionOperationsTest, AesInvalidParams) {
5789 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5790 .Authorization(TAG_NO_AUTH_REQUIRED)
5791 .AesEncryptionKey(128)
5792 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5793 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5794 .Padding(PaddingMode::NONE)
5795 .Padding(PaddingMode::PKCS7)));
5796 ASSERT_GT(key_blob_.size(), 0U);
5797
5798 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5799 .BlockMode(BlockMode::CBC)
5800 .BlockMode(BlockMode::ECB)
5801 .Padding(PaddingMode::NONE));
5802 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
5803 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
5804
5805 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5806 .BlockMode(BlockMode::ECB)
5807 .Padding(PaddingMode::NONE)
5808 .Padding(PaddingMode::PKCS7));
5809 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
5810 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
5811}
5812
5813/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5814 * EncryptionOperationsTest.AesWrongPurpose
5815 *
5816 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
5817 * specified.
5818 */
5819TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
5820 auto err = GenerateKey(AuthorizationSetBuilder()
5821 .Authorization(TAG_NO_AUTH_REQUIRED)
5822 .AesKey(128)
5823 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
5824 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5825 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5826 .Padding(PaddingMode::NONE));
5827 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
5828 ASSERT_GT(key_blob_.size(), 0U);
5829
5830 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5831 .BlockMode(BlockMode::GCM)
5832 .Padding(PaddingMode::NONE)
5833 .Authorization(TAG_MAC_LENGTH, 128));
5834 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5835
5836 CheckedDeleteKey();
5837
5838 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5839 .Authorization(TAG_NO_AUTH_REQUIRED)
5840 .AesKey(128)
5841 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
5842 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5843 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5844 .Padding(PaddingMode::NONE)));
5845
5846 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5847 .BlockMode(BlockMode::GCM)
5848 .Padding(PaddingMode::NONE)
5849 .Authorization(TAG_MAC_LENGTH, 128));
5850 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5851}
5852
5853/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5854 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5855 *
5856 * Verifies that AES encryption fails in the correct way when provided an input that is not a
5857 * multiple of the block size and no padding is specified.
5858 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5859TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
5860 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5861 SCOPED_TRACE(testing::Message() << "AES-" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5862 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5863 .Authorization(TAG_NO_AUTH_REQUIRED)
5864 .AesEncryptionKey(128)
5865 .Authorization(TAG_BLOCK_MODE, blockMode)
5866 .Padding(PaddingMode::NONE)));
5867 // Message is slightly shorter than two blocks.
5868 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5869
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5870 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5871 AuthorizationSet out_params;
5872 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5873 string ciphertext;
5874 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
5875 EXPECT_EQ(0U, ciphertext.size());
5876
5877 CheckedDeleteKey();
5878 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5879}
5880
5881/*
5882 * EncryptionOperationsTest.AesEcbPkcs7Padding
5883 *
5884 * Verifies that AES PKCS7 padding works for any message length.
5885 */
5886TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
5887 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5888 .Authorization(TAG_NO_AUTH_REQUIRED)
5889 .AesEncryptionKey(128)
5890 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5891 .Padding(PaddingMode::PKCS7)));
5892
5893 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5894
5895 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5896 for (size_t i = 0; i <= 48; i++) {
5897 SCOPED_TRACE(testing::Message() << "i = " << i);
5898 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character.
5899 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5900 string ciphertext = EncryptMessage(message, params);
5901 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
5902 string plaintext = DecryptMessage(ciphertext, params);
5903 EXPECT_EQ(message, plaintext);
5904 }
5905}
5906
5907/*
5908 * EncryptionOperationsTest.AesEcbWrongPadding
5909 *
5910 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
5911 * specified.
5912 */
5913TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
5914 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5915 .Authorization(TAG_NO_AUTH_REQUIRED)
5916 .AesEncryptionKey(128)
5917 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5918 .Padding(PaddingMode::NONE)));
5919
5920 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5921
5922 // Try various message lengths; all should fail
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5923 for (size_t i = 0; i <= 48; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5924 string message(i, 'a');
5925 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5926 }
5927}
5928
5929/*
5930 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
5931 *
5932 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5933 */
5934TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
5935 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5936 .Authorization(TAG_NO_AUTH_REQUIRED)
5937 .AesEncryptionKey(128)
5938 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5939 .Padding(PaddingMode::PKCS7)));
5940
5941 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5942
5943 string message = "a";
5944 string ciphertext = EncryptMessage(message, params);
5945 EXPECT_EQ(16U, ciphertext.size());
5946 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5947
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5948 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5949 ++ciphertext[ciphertext.size() / 2];
5950
5951 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5952 string plaintext;
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5953 ErrorCode error = Finish(ciphertext, &plaintext);
5954 if (error == ErrorCode::INVALID_ARGUMENT) {
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5955 // This is the expected error, we can exit the test now.
5956 return;
5957 } else {
5958 // Very small chance we got valid decryption, so try again.
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5959 ASSERT_EQ(error, ErrorCode::OK)
5960 << "Expected INVALID_ARGUMENT or (rarely) OK, got " << error;
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5961 }
5962 }
5963 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5964}
5965
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5966/*
5967 * EncryptionOperationsTest.AesEcbPkcs7CiphertextTooShort
5968 *
5969 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5970 */
5971TEST_P(EncryptionOperationsTest, AesEcbPkcs7CiphertextTooShort) {
5972 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5973 .Authorization(TAG_NO_AUTH_REQUIRED)
5974 .AesEncryptionKey(128)
5975 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5976 .Padding(PaddingMode::PKCS7)));
5977
5978 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5979
5980 string message = "a";
5981 string ciphertext = EncryptMessage(message, params);
5982 EXPECT_EQ(16U, ciphertext.size());
5983 EXPECT_NE(ciphertext, message);
5984
5985 // Shorten the ciphertext.
5986 ciphertext.resize(ciphertext.size() - 1);
5987 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5988 string plaintext;
5989 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(ciphertext, &plaintext));
5990}
5991
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5992vector<uint8_t> CopyIv(const AuthorizationSet& set) {
5993 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5994 EXPECT_TRUE(iv);
5995 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5996}
5997
5998/*
5999 * EncryptionOperationsTest.AesCtrRoundTripSuccess
6000 *
6001 * Verifies that AES CTR mode works.
6002 */
6003TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
6004 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6005 .Authorization(TAG_NO_AUTH_REQUIRED)
6006 .AesEncryptionKey(128)
6007 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6008 .Padding(PaddingMode::NONE)));
6009
6010 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
6011
6012 string message = "123";
6013 AuthorizationSet out_params;
6014 string ciphertext1 = EncryptMessage(message, params, &out_params);
6015 vector<uint8_t> iv1 = CopyIv(out_params);
6016 EXPECT_EQ(16U, iv1.size());
6017
6018 EXPECT_EQ(message.size(), ciphertext1.size());
6019
6020 out_params.Clear();
6021 string ciphertext2 = EncryptMessage(message, params, &out_params);
6022 vector<uint8_t> iv2 = CopyIv(out_params);
6023 EXPECT_EQ(16U, iv2.size());
6024
6025 // IVs should be random, so ciphertexts should differ.
6026 EXPECT_NE(ciphertext1, ciphertext2);
6027
6028 auto params_iv1 =
6029 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
6030 auto params_iv2 =
6031 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
6032
6033 string plaintext = DecryptMessage(ciphertext1, params_iv1);
6034 EXPECT_EQ(message, plaintext);
6035 plaintext = DecryptMessage(ciphertext2, params_iv2);
6036 EXPECT_EQ(message, plaintext);
6037
6038 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
6039 plaintext = DecryptMessage(ciphertext1, params_iv2);
6040 EXPECT_NE(message, plaintext);
6041 plaintext = DecryptMessage(ciphertext2, params_iv1);
6042 EXPECT_NE(message, plaintext);
6043}
6044
6045/*
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6046 * EncryptionOperationsTest.AesEcbIncremental
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6047 *
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6048 * Verifies that AES works for ECB block mode, when provided data in various size increments.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6049 */
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6050TEST_P(EncryptionOperationsTest, AesEcbIncremental) {
6051 CheckAesIncrementalEncryptOperation(BlockMode::ECB, 240);
6052}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6053
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6054/*
6055 * EncryptionOperationsTest.AesCbcIncremental
6056 *
6057 * Verifies that AES works for CBC block mode, when provided data in various size increments.
6058 */
6059TEST_P(EncryptionOperationsTest, AesCbcIncremental) {
6060 CheckAesIncrementalEncryptOperation(BlockMode::CBC, 240);
6061}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6062
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6063/*
6064 * EncryptionOperationsTest.AesCtrIncremental
6065 *
6066 * Verifies that AES works for CTR block mode, when provided data in various size increments.
6067 */
6068TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
6069 CheckAesIncrementalEncryptOperation(BlockMode::CTR, 240);
6070}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6071
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]6072/*
6073 * EncryptionOperationsTest.AesGcmIncremental
6074 *
6075 * Verifies that AES works for GCM block mode, when provided data in various size increments.
6076 */
6077TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
6078 CheckAesIncrementalEncryptOperation(BlockMode::GCM, 240);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6079}
6080
Prashant Patildd5f7f02022-07-06 18:58:07 +0000[diff] [blame]6081/*
6082 * EncryptionOperationsTest.Aes128CBCNoPaddingOneByteAtATime
6083 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6084 */
6085TEST_P(EncryptionOperationsTest, Aes128CBCNoPaddingOneByteAtATime) {
6086 string kat_key = hex2str("7E3D723C09A9852B24F584F9D916F6A8");
6087 string kat_iv = hex2str("944AE274D983892EADE422274858A96A");
6088 string kat_plaintext =
6089 hex2str("044E15899A080AADEB6778F64323B64D2CBCBADB338DF93B9AC459D4F41029"
6090 "809FFF37081C22EF278F896AB213A2A631");
6091 string kat_ciphertext =
6092 hex2str("B419293FCBD686F2913D1CF947E510D42FAFEDE5593C98AFD6AEE272596A"
6093 "56FE42C22F2A5E3B6A02BA9D8D0DE1E9A810");
6094 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6095 kat_ciphertext);
6096}
6097
6098/*
6099 * EncryptionOperationsTest.Aes128CBCPKCS7PaddingOneByteAtATime
6100 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6101 */
6102TEST_P(EncryptionOperationsTest, Aes128CBCPKCS7PaddingOneByteAtATime) {
6103 string kat_key = hex2str("F16E698472578E919D92806262C5169F");
6104 string kat_iv = hex2str("EF743540F8421ACA128A3247521F3E7D");
6105 string kat_plaintext =
6106 hex2str("5BEBF33569D90BF5E853814E12E7C7AA5758013F755773E29F4A25EC26EEB7"
6107 "65F7F2DC251F7DC62AEFCA1E8A5A11A1DCD44F0BD8FB593A5AE3");
6108 string kat_ciphertext =
6109 hex2str("3197CF6DB9466188B5FED375329324EE7D6092A8C0E41DFAF49E3724271427"
6110 "896D56A6243C0D59D6639722AF93CD53449BDDABF9C5F153EBDBFED9ED98C8CC37");
6111 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6112 kat_plaintext, kat_ciphertext);
6113}
6114
6115/*
6116 * EncryptionOperationsTest.Aes128CTRNoPaddingOneByteAtATime
6117 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6118 */
6119TEST_P(EncryptionOperationsTest, Aes128CTRNoPaddingOneByteAtATime) {
6120 string kat_key = hex2str("4713a7b2f93efe809b42ecc45213ef9f");
6121 string kat_iv = hex2str("ebfa19b0ebf3d57feabd4c4bd04bea01");
6122 string kat_plaintext =
6123 hex2str("6d2c07e1fc86f99c6e2a8f6567828b4262a9c23d0f3ed8ab32482283c79796"
6124 "f0adba1bcd3736084996452a917fae98005aebe61f9e91c3");
6125 string kat_ciphertext =
6126 hex2str("345deb1d67b95e600e05cad4c32ec381aadb3e2c1ec7e0fb956dc38e6860cf"
6127 "0553535566e1b12fa9f87d29266ca26df427233df035df28");
6128 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6129 kat_ciphertext);
6130}
6131
6132/*
6133 * EncryptionOperationsTest.Aes128ECBNoPaddingOneByteAtATime
6134 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6135 */
6136TEST_P(EncryptionOperationsTest, Aes128ECBNoPaddingOneByteAtATime) {
6137 string kat_key = hex2str("7DA2467F068854B3CB36E5C333A16619");
6138 string kat_plaintext =
6139 hex2str("9A07C9575AD9CE209DF9F3953965CEBE8208587C7AE575A1904BF25048946D"
6140 "7B6168A9A27BCE554BEA94EF26E6C742A0");
6141 string kat_ciphertext =
6142 hex2str("8C47E49420FC92AC4CA2C601BC3F8AC31D01B260B7B849F2B8EEDFFFED8F36"
6143 "C31CBDA0D22F95C9C2A48C347E8C77AC82");
6144 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6145 kat_ciphertext);
6146}
6147
6148/*
6149 * EncryptionOperationsTest.Aes128ECBPKCS7PaddingOneByteAtATime
6150 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6151 */
6152TEST_P(EncryptionOperationsTest, Aes128ECBPKCS7PaddingOneByteAtATime) {
6153 string kat_key = hex2str("C3BE04BCCB3D99B85290F113FE7AF194");
6154 string kat_plaintext =
6155 hex2str("348C213FD8DF3F990C20C5ACBF07B34B6264AE245784A5A6176DBFB1C2E7DD"
6156 "27E52CC92B8EEE40614F05B507B355F6354A2705BD86");
6157 string kat_ciphertext =
6158 hex2str("07CD05C41FEDEDDC5DB4B3E35E676153184A119AA4DFDDC290616F1FA60093"
6159 "1DE6BEA9BDB90D1D733899946F8C8E5C0C4383F99F5D88E27F3EBC0C6E52759ED3");
6160 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6161 kat_ciphertext);
6162}
6163
6164/*
6165 * EncryptionOperationsTest.Aes128GCMNoPaddingOneByteAtATime
6166 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6167 */
6168TEST_P(EncryptionOperationsTest, Aes128GCMNoPaddingOneByteAtATime) {
6169 string kat_key = hex2str("ba76354f0aed6e8d91f45c4ff5a062db");
6170 string kat_iv = hex2str("b79437ae08ff355d7d8a4d0f");
6171 string kat_plaintext =
6172 hex2str("6d7596a8fd56ceaec61de7940984b7736fec44f572afc3c8952e4dc6541e2b"
6173 "c6a702c440a37610989543f63fedb047ca2173bc18581944");
6174 string kat_ciphertext =
6175 hex2str("b3f6799e8f9326f2df1e80fcd2cb16d78c9dc7cc14bb677862dc6c639b3a63"
6176 "38d24b312d3989e5920b5dbfc976765efbfe57bb385940a7a43bdf05bddae3c9d6a2fb"
6177 "bdfcc0cba0");
6178
6179 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6180 kat_ciphertext);
6181}
6182
6183/*
6184 * EncryptionOperationsTest.Aes192CBCNoPaddingOneByteAtATime
6185 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6186 */
6187TEST_P(EncryptionOperationsTest, Aes192CBCNoPaddingOneByteAtATime) {
6188 if (SecLevel() == SecurityLevel::STRONGBOX) {
6189 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6190 }
6191 string kat_key = hex2str("be8cc4e25cce46e5d55725e2391f7d3cf59ed60062f5a43b");
6192 string kat_iv = hex2str("80a199aab0eee77e7762ddf3b3a32f40");
6193 string kat_plaintext =
6194 hex2str("064f9200e0df37d4711af4a69d11addf9e1c345d9d8195f9f1f715019ce96a"
6195 "167f2497c994bd496eb80bfb2ba2c9d5af");
6196 string kat_ciphertext =
6197 hex2str("859b90becaa85e95a71e104efbd7a3b723bcbf4eb39865544a05d9e90b6fe5"
6198 "72c134552f3a138e726fbe493b3a839598");
6199 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6200 kat_ciphertext);
6201}
6202
6203/*
6204 * EncryptionOperationsTest.Aes192CBCPKCS7PaddingOneByteAtATime
6205 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6206 */
6207TEST_P(EncryptionOperationsTest, Aes192CBCPKCS7PaddingOneByteAtATime) {
6208 if (SecLevel() == SecurityLevel::STRONGBOX) {
6209 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6210 }
6211 string kat_key = hex2str("68969215ec41e4df7d23de0e806f458f52aff492bd7c5263");
6212 string kat_iv = hex2str("e61d13dfbf0533289f0e7950209da418");
6213 string kat_plaintext =
6214 hex2str("8d4c1cac27511ee2d82409a7f378e7e402b0eb189c1eaa5c506eb72a9074"
6215 "b170");
6216 string kat_ciphertext =
6217 hex2str("e70bcd62c595dc1b2b8c197bb91a7447e1be2cbcf3fdc69e7e991faf0f57cf"
6218 "4e3884138ff403a41fd99818708ada301c");
6219 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6220 kat_plaintext, kat_ciphertext);
6221}
6222
6223/*
6224 * EncryptionOperationsTest.Aes192CTRNoPaddingOneByteAtATime
6225 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6226 */
6227TEST_P(EncryptionOperationsTest, Aes192CTRNoPaddingOneByteAtATime) {
6228 if (SecLevel() == SecurityLevel::STRONGBOX) {
6229 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6230 }
6231 string kat_key = hex2str("5e2036e790d38815c90beb67a1c9e5aa0e167ef082927317");
6232 string kat_iv = hex2str("df0694959b89054156962d68a226965c");
6233 string kat_plaintext =
6234 hex2str("6ed2781c99e03e45314d6019932220c2c98130c53f9f67ad10ac519adf50e9"
6235 "28091e09cdbbd3b42b");
6236 string kat_ciphertext =
6237 hex2str("e427b6666502e05b82d0b20ae50e862b1936d71266fc49178ac984e71571f2"
6238 "2ae0f90f0c19f42b4a");
6239 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6240 kat_ciphertext);
6241}
6242
6243/*
6244 * EncryptionOperationsTest.Aes192ECBNoPaddingOneByteAtATime
6245 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6246 */
6247TEST_P(EncryptionOperationsTest, Aes192ECBNoPaddingOneByteAtATime) {
6248 if (SecLevel() == SecurityLevel::STRONGBOX) {
6249 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6250 }
6251 string kat_key = hex2str("3cab83fb338ba985fbfe74c5e9d2e900adb570b1d67faf92");
6252 string kat_plaintext =
6253 hex2str("2cc64c335a13fb838f3c6aad0a6b47297ca90bb886ddb059200f0b41740c"
6254 "44ab");
6255 string kat_ciphertext =
6256 hex2str("9c5c825328f5ee0aa24947e374d3f9165f484b39dd808c790d7a12964810"
6257 "2453");
6258 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6259 kat_ciphertext);
6260}
6261
6262/*
6263 * EncryptionOperationsTest.Aes192ECBPKCS7PaddingOneByteAtATime
6264 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6265 */
6266TEST_P(EncryptionOperationsTest, Aes192ECBPKCS7PaddingOneByteAtATime) {
6267 if (SecLevel() == SecurityLevel::STRONGBOX) {
6268 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6269 }
6270 string kat_key = hex2str("d57f4e5446f736c16476ec4db5decc7b1bf3936e4f7e4618");
6271 string kat_plaintext =
6272 hex2str("b115777f1ee7a43a07daa6401e59c46b7a98213a8747eabfbe3ca4ec93524d"
6273 "e2c7");
6274 string kat_ciphertext =
6275 hex2str("1e92cd20da08bb5fa174a7a69879d4fc25a155e6af06d75b26c5b450d273c8"
6276 "bb7e3a889dd4a9589098b44acf1056e7aa");
6277 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6278 kat_ciphertext);
6279}
6280
6281/*
6282 * EncryptionOperationsTest.Aes192GCMNoPaddingOneByteAtATime
6283 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6284 */
6285TEST_P(EncryptionOperationsTest, Aes192GCMNoPaddingOneByteAtATime) {
6286 if (SecLevel() == SecurityLevel::STRONGBOX) {
6287 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6288 }
6289 string kat_key = hex2str("21339fc1d011abca65d50ce2365230603fd47d07e8830f6e");
6290 string kat_iv = hex2str("d5fb1469a8d81dd75286a418");
6291 string kat_plaintext =
6292 hex2str("cf776dedf53a828d51a0073db3ef0dd1ee19e2e9e243ce97e95841bb9ad4e3"
6293 "ff52");
6294 string kat_ciphertext =
6295 hex2str("3a0d48278111d3296bc663df8a5dbeb2474ea47fd85b608f8d9375d9dcf7de"
6296 "1413ad70fb0e1970669095ad77ebb5974ae8");
6297
6298 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6299 kat_ciphertext);
6300}
6301
6302/*
6303 * EncryptionOperationsTest.Aes256CBCNoPaddingOneByteAtATime
6304 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6305 */
6306TEST_P(EncryptionOperationsTest, Aes256CBCNoPaddingOneByteAtATime) {
6307 string kat_key = hex2str("dd2f20dc6b98c100bac919120ff95eb5d96003f8229987b283a1e777b0cd5c30");
6308 string kat_iv = hex2str("23b4d85239fb90db93b07a981e90a170");
6309 string kat_plaintext =
6310 hex2str("2fbe5d46dca5cea433e550d8b291740ab9551c2a2d37680d7fb7b993225f58"
6311 "494cb53caca353e4b637ba05687be20f8d");
6312 string kat_ciphertext =
6313 hex2str("5aba24fc316936c8369061ee8fe463e4faed04288e204456626b988c0e376b"
6314 "6047da1e4fd7c4e1cf2656097f75ae8685");
6315 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6316 kat_ciphertext);
6317}
6318
6319/*
6320 * EncryptionOperationsTest.Aes256CBCPKCS7PaddingOneByteAtATime
6321 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6322 */
6323TEST_P(EncryptionOperationsTest, Aes256CBCPKCS7PaddingOneByteAtATime) {
6324 string kat_key = hex2str("03ab2510520f5cfebfab0a17a7f8324c9634911f6fc59e586f85346bb38ac88a");
6325 string kat_iv = hex2str("9af96967195bb0184f129beffa8241ae");
6326 string kat_plaintext =
6327 hex2str("2d6944653ac14988a772a2730b7c5bfa99a21732ae26f40cdc5b3a2874c794"
6328 "2545a82b73c48078b9dae62261c65909");
6329 string kat_ciphertext =
6330 hex2str("26b308f7e1668b55705a79c8b3ad10e244655f705f027f390a5c34e4536f51"
6331 "9403a71987b95124073d69f2a3cb95b0ab");
6332 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6333 kat_plaintext, kat_ciphertext);
6334}
6335
6336/*
6337 * EncryptionOperationsTest.Aes256CTRNoPaddingOneByteAtATime
6338 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6339 */
6340TEST_P(EncryptionOperationsTest, Aes256CTRNoPaddingOneByteAtATime) {
6341 string kat_key = hex2str("928b380a8fed4b4b4cfeb56e0c66a4cb0f9ff58d61ac68bcfd0e3fbd910a684f");
6342 string kat_iv = hex2str("0b678a5249e6eeda461dfb4776b6c58e");
6343 string kat_plaintext =
6344 hex2str("f358de57543b297e997cba46fb9100553d6abd65377e55b9aac3006400ead1"
6345 "1f6db3c884");
6346 string kat_ciphertext =
6347 hex2str("a07a35fbd1776ad81462e1935f542337add60962bf289249476817b6ddd532"
6348 "a7be30d4c3");
6349 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6350 kat_ciphertext);
6351}
6352
6353/*
6354 * EncryptionOperationsTest.Aes256ECBNoPaddingOneByteAtATime
6355 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6356 */
6357TEST_P(EncryptionOperationsTest, Aes256ECBNoPaddingOneByteAtATime) {
6358 string kat_key = hex2str("fa4622d9cf6485075daedd33d2c4fffdf859e2edb7f7df4f04603f7e647fae90");
6359 string kat_plaintext =
6360 hex2str("96ccabbe0c68970d8cdee2b30ab43c2d61cc50ee68271e77571e72478d713a"
6361 "31a476d6806b8116089c6ec50bb543200f");
6362 string kat_ciphertext =
6363 hex2str("0e81839e9dfbfe3b503d619e676abe5ac80fac3f245d8f09b9134b1b32a67d"
6364 "c83e377faf246288931136bef2a07c0be4");
6365 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6366 kat_ciphertext);
6367}
6368
6369/*
6370 * EncryptionOperationsTest.Aes256ECBPKCS7PaddingOneByteAtATime
6371 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6372 */
6373TEST_P(EncryptionOperationsTest, Aes256ECBPKCS7PaddingOneByteAtATime) {
6374 string kat_key = hex2str("bf3f07c68467fead0ca8e2754500ab514258abf02eb7e615a493bcaaa45d5ee1");
6375 string kat_plaintext =
6376 hex2str("af0757e49018dad628f16998628a407db5f28291bef3bc2e4d8a5a31fb238e"
6377 "6f");
6378 string kat_ciphertext =
6379 hex2str("21ec3011074bf1ef140643d47130326c5e183f61237c69bc77551ca207d71f"
6380 "c2b90cfac6c8d2d125e5cd9ff353dee0df");
6381 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6382 kat_ciphertext);
6383}
6384
6385/*
6386 * EncryptionOperationsTest.Aes256GCMNoPaddingOneByteAtATime
6387 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6388 */
6389TEST_P(EncryptionOperationsTest, Aes256GCMNoPaddingOneByteAtATime) {
6390 string kat_key = hex2str("7972140d831eedac75d5ea515c9a4c3bb124499a90b5f317ac1a685e88fae395");
6391 string kat_iv = hex2str("a66c5252808d823dd4151fed");
6392 string kat_plaintext =
6393 hex2str("c2b9dabf3a55adaa94e8c0d1e77a84a3435aee23b2c3c4abb587b09a9c2afb"
6394 "f0");
6395 string kat_ciphertext =
6396 hex2str("a960619314657b2afb96b93bebb372bffd09e19d53e351f17d1ba2611f9dc3"
6397 "3c9c92d563e8fd381254ac262aa2a4ea0d");
6398
6399 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6400 kat_ciphertext);
6401}
6402
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6403struct AesCtrSp80038aTestVector {
6404 const char* key;
6405 const char* nonce;
6406 const char* plaintext;
6407 const char* ciphertext;
6408};
6409
6410// These test vectors are taken from
6411// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
6412static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
6413 // AES-128
6414 {
6415 "2b7e151628aed2a6abf7158809cf4f3c",
6416 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6417 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6418 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6419 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
6420 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
6421 },
6422 // AES-192
6423 {
6424 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
6425 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6426 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6427 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6428 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
6429 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
6430 },
6431 // AES-256
6432 {
6433 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
6434 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6435 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6436 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6437 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
6438 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
6439 },
6440};
6441
6442/*
6443 * EncryptionOperationsTest.AesCtrSp80038aTestVector
6444 *
6445 * Verifies AES CTR implementation against SP800-38A test vectors.
6446 */
6447TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
6448 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
6449 for (size_t i = 0; i < 3; i++) {
6450 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
6451 const string key = hex2str(test.key);
6452 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
6453 InvalidSizes.end())
6454 continue;
6455 const string nonce = hex2str(test.nonce);
6456 const string plaintext = hex2str(test.plaintext);
6457 const string ciphertext = hex2str(test.ciphertext);
6458 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
6459 }
6460}
6461
6462/*
6463 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
6464 *
6465 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
6466 */
6467TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
6468 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6469 .Authorization(TAG_NO_AUTH_REQUIRED)
6470 .AesEncryptionKey(128)
6471 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6472 .Padding(PaddingMode::PKCS7)));
6473 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
6474 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
6475}
6476
6477/*
6478 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
6479 *
6480 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6481 */
6482TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
6483 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6484 .Authorization(TAG_NO_AUTH_REQUIRED)
6485 .AesEncryptionKey(128)
6486 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6487 .Authorization(TAG_CALLER_NONCE)
6488 .Padding(PaddingMode::NONE)));
6489
6490 auto params = AuthorizationSetBuilder()
6491 .BlockMode(BlockMode::CTR)
6492 .Padding(PaddingMode::NONE)
6493 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
6494 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6495
6496 params = AuthorizationSetBuilder()
6497 .BlockMode(BlockMode::CTR)
6498 .Padding(PaddingMode::NONE)
6499 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
6500 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6501
6502 params = AuthorizationSetBuilder()
6503 .BlockMode(BlockMode::CTR)
6504 .Padding(PaddingMode::NONE)
6505 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
6506 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6507}
6508
6509/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6510 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6511 *
6512 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6513 */
6514TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
6515 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6516 .Authorization(TAG_NO_AUTH_REQUIRED)
6517 .AesEncryptionKey(128)
6518 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6519 .Padding(PaddingMode::NONE)));
6520 // Two-block message.
6521 string message = "12345678901234567890123456789012";
6522 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6523 AuthorizationSet out_params;
6524 string ciphertext1 = EncryptMessage(message, params, &out_params);
6525 vector<uint8_t> iv1 = CopyIv(out_params);
6526 EXPECT_EQ(message.size(), ciphertext1.size());
6527
6528 out_params.Clear();
6529
6530 string ciphertext2 = EncryptMessage(message, params, &out_params);
6531 vector<uint8_t> iv2 = CopyIv(out_params);
6532 EXPECT_EQ(message.size(), ciphertext2.size());
6533
6534 // IVs should be random, so ciphertexts should differ.
6535 EXPECT_NE(ciphertext1, ciphertext2);
6536
6537 params.push_back(TAG_NONCE, iv1);
6538 string plaintext = DecryptMessage(ciphertext1, params);
6539 EXPECT_EQ(message, plaintext);
6540}
6541
6542/*
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6543 * EncryptionOperationsTest.AesCbcZeroInputSuccessb
6544 *
6545 * Verifies that keymaster generates correct output on zero-input with
6546 * NonePadding mode
6547 */
6548TEST_P(EncryptionOperationsTest, AesCbcZeroInputSuccess) {
6549 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6550 .Authorization(TAG_NO_AUTH_REQUIRED)
6551 .AesEncryptionKey(128)
6552 .BlockMode(BlockMode::CBC)
6553 .Padding(PaddingMode::NONE, PaddingMode::PKCS7)));
6554
6555 // Zero input message
6556 string message = "";
6557 for (auto padding : {PaddingMode::NONE, PaddingMode::PKCS7}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]6558 SCOPED_TRACE(testing::Message() << "AES padding=" << padding);
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6559 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(padding);
6560 AuthorizationSet out_params;
6561 string ciphertext1 = EncryptMessage(message, params, &out_params);
6562 vector<uint8_t> iv1 = CopyIv(out_params);
6563 if (padding == PaddingMode::NONE)
6564 EXPECT_EQ(message.size(), ciphertext1.size()) << "PaddingMode: " << padding;
6565 else
6566 EXPECT_EQ(message.size(), ciphertext1.size() - 16) << "PaddingMode: " << padding;
6567
6568 out_params.Clear();
6569
6570 string ciphertext2 = EncryptMessage(message, params, &out_params);
6571 vector<uint8_t> iv2 = CopyIv(out_params);
6572 if (padding == PaddingMode::NONE)
6573 EXPECT_EQ(message.size(), ciphertext2.size()) << "PaddingMode: " << padding;
6574 else
6575 EXPECT_EQ(message.size(), ciphertext2.size() - 16) << "PaddingMode: " << padding;
6576
6577 // IVs should be random
6578 EXPECT_NE(iv1, iv2) << "PaddingMode: " << padding;
6579
6580 params.push_back(TAG_NONCE, iv1);
6581 string plaintext = DecryptMessage(ciphertext1, params);
6582 EXPECT_EQ(message, plaintext) << "PaddingMode: " << padding;
6583 }
6584}
6585
6586/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6587 * EncryptionOperationsTest.AesCallerNonce
6588 *
6589 * Verifies that AES caller-provided nonces work correctly.
6590 */
6591TEST_P(EncryptionOperationsTest, AesCallerNonce) {
6592 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6593 .Authorization(TAG_NO_AUTH_REQUIRED)
6594 .AesEncryptionKey(128)
6595 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6596 .Authorization(TAG_CALLER_NONCE)
6597 .Padding(PaddingMode::NONE)));
6598
6599 string message = "12345678901234567890123456789012";
6600
6601 // Don't specify nonce, should get a random one.
6602 AuthorizationSetBuilder params =
6603 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6604 AuthorizationSet out_params;
6605 string ciphertext = EncryptMessage(message, params, &out_params);
6606 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6607 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6608
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6609 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6610 string plaintext = DecryptMessage(ciphertext, params);
6611 EXPECT_EQ(message, plaintext);
6612
6613 // Now specify a nonce, should also work.
6614 params = AuthorizationSetBuilder()
6615 .BlockMode(BlockMode::CBC)
6616 .Padding(PaddingMode::NONE)
6617 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6618 out_params.Clear();
6619 ciphertext = EncryptMessage(message, params, &out_params);
6620
6621 // Decrypt with correct nonce.
6622 plaintext = DecryptMessage(ciphertext, params);
6623 EXPECT_EQ(message, plaintext);
6624
6625 // Try with wrong nonce.
6626 params = AuthorizationSetBuilder()
6627 .BlockMode(BlockMode::CBC)
6628 .Padding(PaddingMode::NONE)
6629 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
6630 plaintext = DecryptMessage(ciphertext, params);
6631 EXPECT_NE(message, plaintext);
6632}
6633
6634/*
6635 * EncryptionOperationsTest.AesCallerNonceProhibited
6636 *
6637 * Verifies that caller-provided nonces are not permitted when not specified in the key
6638 * authorizations.
6639 */
6640TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
6641 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6642 .Authorization(TAG_NO_AUTH_REQUIRED)
6643 .AesEncryptionKey(128)
6644 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6645 .Padding(PaddingMode::NONE)));
6646
6647 string message = "12345678901234567890123456789012";
6648
6649 // Don't specify nonce, should get a random one.
6650 AuthorizationSetBuilder params =
6651 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6652 AuthorizationSet out_params;
6653 string ciphertext = EncryptMessage(message, params, &out_params);
6654 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6655 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6656
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6657 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6658 string plaintext = DecryptMessage(ciphertext, params);
6659 EXPECT_EQ(message, plaintext);
6660
6661 // Now specify a nonce, should fail
6662 params = AuthorizationSetBuilder()
6663 .BlockMode(BlockMode::CBC)
6664 .Padding(PaddingMode::NONE)
6665 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6666 out_params.Clear();
6667 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
6668}
6669
6670/*
6671 * EncryptionOperationsTest.AesGcmRoundTripSuccess
6672 *
6673 * Verifies that AES GCM mode works.
6674 */
6675TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
6676 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6677 .Authorization(TAG_NO_AUTH_REQUIRED)
6678 .AesEncryptionKey(128)
6679 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6680 .Padding(PaddingMode::NONE)
6681 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6682
6683 string aad = "foobar";
6684 string message = "123456789012345678901234567890123456";
6685
6686 auto begin_params = AuthorizationSetBuilder()
6687 .BlockMode(BlockMode::GCM)
6688 .Padding(PaddingMode::NONE)
6689 .Authorization(TAG_MAC_LENGTH, 128);
6690
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6691 // Encrypt
6692 AuthorizationSet begin_out_params;
6693 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6694 << "Begin encrypt";
6695 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6696 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6697 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6698 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6699
6700 // Grab nonce
6701 begin_params.push_back(begin_out_params);
6702
6703 // Decrypt.
6704 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6705 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6706 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6707 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6708 EXPECT_EQ(message.length(), plaintext.length());
6709 EXPECT_EQ(message, plaintext);
6710}
6711
6712/*
6713 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
6714 *
6715 * Verifies that AES GCM mode works, even when there's a long delay
6716 * between operations.
6717 */
6718TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
6719 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6720 .Authorization(TAG_NO_AUTH_REQUIRED)
6721 .AesEncryptionKey(128)
6722 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6723 .Padding(PaddingMode::NONE)
6724 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6725
6726 string aad = "foobar";
6727 string message = "123456789012345678901234567890123456";
6728
6729 auto begin_params = AuthorizationSetBuilder()
6730 .BlockMode(BlockMode::GCM)
6731 .Padding(PaddingMode::NONE)
6732 .Authorization(TAG_MAC_LENGTH, 128);
6733
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6734 // Encrypt
6735 AuthorizationSet begin_out_params;
6736 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6737 << "Begin encrypt";
6738 string ciphertext;
6739 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6740 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6741 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6742 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6743
6744 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6745
6746 // Grab nonce
6747 begin_params.push_back(begin_out_params);
6748
6749 // Decrypt.
6750 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
6751 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6752 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6753 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6754 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6755 sleep(5);
6756 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
6757 EXPECT_EQ(message.length(), plaintext.length());
6758 EXPECT_EQ(message, plaintext);
6759}
6760
6761/*
6762 * EncryptionOperationsTest.AesGcmDifferentNonces
6763 *
6764 * Verifies that encrypting the same data with different nonces produces different outputs.
6765 */
6766TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
6767 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6768 .Authorization(TAG_NO_AUTH_REQUIRED)
6769 .AesEncryptionKey(128)
6770 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6771 .Padding(PaddingMode::NONE)
6772 .Authorization(TAG_MIN_MAC_LENGTH, 128)
6773 .Authorization(TAG_CALLER_NONCE)));
6774
6775 string aad = "foobar";
6776 string message = "123456789012345678901234567890123456";
6777 string nonce1 = "000000000000";
6778 string nonce2 = "111111111111";
6779 string nonce3 = "222222222222";
6780
6781 string ciphertext1 =
6782 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
6783 string ciphertext2 =
6784 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
6785 string ciphertext3 =
6786 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
6787
6788 ASSERT_NE(ciphertext1, ciphertext2);
6789 ASSERT_NE(ciphertext1, ciphertext3);
6790 ASSERT_NE(ciphertext2, ciphertext3);
6791}
6792
6793/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6794 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
6795 *
6796 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
6797 */
6798TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
6799 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6800 .Authorization(TAG_NO_AUTH_REQUIRED)
6801 .AesEncryptionKey(128)
6802 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6803 .Padding(PaddingMode::NONE)
6804 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6805
6806 string aad = "foobar";
6807 string message = "123456789012345678901234567890123456";
6808
6809 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6810 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6811 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6812
6813 ASSERT_NE(ciphertext1, ciphertext2);
6814 ASSERT_NE(ciphertext1, ciphertext3);
6815 ASSERT_NE(ciphertext2, ciphertext3);
6816}
6817
6818/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6819 * EncryptionOperationsTest.AesGcmTooShortTag
6820 *
6821 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
6822 */
6823TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
6824 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6825 .Authorization(TAG_NO_AUTH_REQUIRED)
6826 .AesEncryptionKey(128)
6827 .BlockMode(BlockMode::GCM)
6828 .Padding(PaddingMode::NONE)
6829 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6830 string message = "123456789012345678901234567890123456";
6831 auto params = AuthorizationSetBuilder()
6832 .BlockMode(BlockMode::GCM)
6833 .Padding(PaddingMode::NONE)
6834 .Authorization(TAG_MAC_LENGTH, 96);
6835
6836 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
6837}
6838
6839/*
6840 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
6841 *
6842 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
6843 */
6844TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
6845 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6846 .Authorization(TAG_NO_AUTH_REQUIRED)
6847 .AesEncryptionKey(128)
6848 .BlockMode(BlockMode::GCM)
6849 .Padding(PaddingMode::NONE)
6850 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6851 string aad = "foobar";
6852 string message = "123456789012345678901234567890123456";
6853 auto params = AuthorizationSetBuilder()
6854 .BlockMode(BlockMode::GCM)
6855 .Padding(PaddingMode::NONE)
6856 .Authorization(TAG_MAC_LENGTH, 128);
6857
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6858 // Encrypt
6859 AuthorizationSet begin_out_params;
6860 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6861 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6862 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6863
6864 AuthorizationSet finish_out_params;
6865 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6866 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6867 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6868
6869 params = AuthorizationSetBuilder()
6870 .Authorizations(begin_out_params)
6871 .BlockMode(BlockMode::GCM)
6872 .Padding(PaddingMode::NONE)
6873 .Authorization(TAG_MAC_LENGTH, 96);
6874
6875 // Decrypt.
6876 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
6877}
6878
6879/*
6880 * EncryptionOperationsTest.AesGcmCorruptKey
6881 *
6882 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
6883 */
6884TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
6885 const uint8_t nonce_bytes[] = {
6886 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
6887 };
6888 string nonce = make_string(nonce_bytes);
6889 const uint8_t ciphertext_bytes[] = {
6890 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
6891 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
6892 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
6893 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
6894 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
6895 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
6896 };
6897 string ciphertext = make_string(ciphertext_bytes);
6898
6899 auto params = AuthorizationSetBuilder()
6900 .BlockMode(BlockMode::GCM)
6901 .Padding(PaddingMode::NONE)
6902 .Authorization(TAG_MAC_LENGTH, 128)
6903 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
6904
6905 auto import_params = AuthorizationSetBuilder()
6906 .Authorization(TAG_NO_AUTH_REQUIRED)
6907 .AesEncryptionKey(128)
6908 .BlockMode(BlockMode::GCM)
6909 .Padding(PaddingMode::NONE)
6910 .Authorization(TAG_CALLER_NONCE)
6911 .Authorization(TAG_MIN_MAC_LENGTH, 128);
6912
6913 // Import correct key and decrypt
6914 const uint8_t key_bytes[] = {
6915 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
6916 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
6917 };
6918 string key = make_string(key_bytes);
6919 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6920 string plaintext = DecryptMessage(ciphertext, params);
6921 CheckedDeleteKey();
6922
6923 // Corrupt key and attempt to decrypt
6924 key[0] = 0;
6925 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6926 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
6927 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
6928 CheckedDeleteKey();
6929}
6930
6931/*
6932 * EncryptionOperationsTest.AesGcmAadNoData
6933 *
6934 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
6935 * encrypt.
6936 */
6937TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
6938 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6939 .Authorization(TAG_NO_AUTH_REQUIRED)
6940 .AesEncryptionKey(128)
6941 .BlockMode(BlockMode::GCM)
6942 .Padding(PaddingMode::NONE)
6943 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6944
6945 string aad = "1234567890123456";
6946 auto params = AuthorizationSetBuilder()
6947 .BlockMode(BlockMode::GCM)
6948 .Padding(PaddingMode::NONE)
6949 .Authorization(TAG_MAC_LENGTH, 128);
6950
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6951 // Encrypt
6952 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6953 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6954 string ciphertext;
6955 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6956 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6957 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6958 EXPECT_TRUE(finish_out_params.empty());
6959
6960 // Grab nonce
6961 params.push_back(begin_out_params);
6962
6963 // Decrypt.
6964 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6965 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6966 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6967 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6968
6969 EXPECT_TRUE(finish_out_params.empty());
6970
6971 EXPECT_EQ("", plaintext);
6972}
6973
6974/*
6975 * EncryptionOperationsTest.AesGcmMultiPartAad
6976 *
6977 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
6978 * chunks.
6979 */
6980TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
6981 const size_t tag_bits = 128;
6982 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6983 .Authorization(TAG_NO_AUTH_REQUIRED)
6984 .AesEncryptionKey(128)
6985 .BlockMode(BlockMode::GCM)
6986 .Padding(PaddingMode::NONE)
6987 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6988
6989 string message = "123456789012345678901234567890123456";
6990 auto begin_params = AuthorizationSetBuilder()
6991 .BlockMode(BlockMode::GCM)
6992 .Padding(PaddingMode::NONE)
6993 .Authorization(TAG_MAC_LENGTH, tag_bits);
6994 AuthorizationSet begin_out_params;
6995
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6996 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6997
6998 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6999 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
7000 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7001 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7002 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
7003 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7004
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7005 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7006 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7007
7008 // Grab nonce.
7009 begin_params.push_back(begin_out_params);
7010
7011 // Decrypt
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7012 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7013 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7014 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7015 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7016 EXPECT_EQ(message, plaintext);
7017}
7018
7019/*
7020 * EncryptionOperationsTest.AesGcmAadOutOfOrder
7021 *
7022 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
7023 */
7024TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
7025 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7026 .Authorization(TAG_NO_AUTH_REQUIRED)
7027 .AesEncryptionKey(128)
7028 .BlockMode(BlockMode::GCM)
7029 .Padding(PaddingMode::NONE)
7030 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7031
7032 string message = "123456789012345678901234567890123456";
7033 auto begin_params = AuthorizationSetBuilder()
7034 .BlockMode(BlockMode::GCM)
7035 .Padding(PaddingMode::NONE)
7036 .Authorization(TAG_MAC_LENGTH, 128);
7037 AuthorizationSet begin_out_params;
7038
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7039 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7040
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7041 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7042 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7043 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
7044 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7045
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7046 // The failure should have already cancelled the operation.
7047 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
7048
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7049 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7050}
7051
7052/*
7053 * EncryptionOperationsTest.AesGcmBadAad
7054 *
7055 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
7056 */
7057TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
7058 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7059 .Authorization(TAG_NO_AUTH_REQUIRED)
7060 .AesEncryptionKey(128)
7061 .BlockMode(BlockMode::GCM)
7062 .Padding(PaddingMode::NONE)
7063 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7064
7065 string message = "12345678901234567890123456789012";
7066 auto begin_params = AuthorizationSetBuilder()
7067 .BlockMode(BlockMode::GCM)
7068 .Padding(PaddingMode::NONE)
7069 .Authorization(TAG_MAC_LENGTH, 128);
7070
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7071 // Encrypt
7072 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7073 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7074 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7075 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7076 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7077
7078 // Grab nonce
7079 begin_params.push_back(begin_out_params);
7080
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7081 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7082 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7083 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7084 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7085 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7086}
7087
7088/*
7089 * EncryptionOperationsTest.AesGcmWrongNonce
7090 *
7091 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
7092 */
7093TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
7094 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7095 .Authorization(TAG_NO_AUTH_REQUIRED)
7096 .AesEncryptionKey(128)
7097 .BlockMode(BlockMode::GCM)
7098 .Padding(PaddingMode::NONE)
7099 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7100
7101 string message = "12345678901234567890123456789012";
7102 auto begin_params = AuthorizationSetBuilder()
7103 .BlockMode(BlockMode::GCM)
7104 .Padding(PaddingMode::NONE)
7105 .Authorization(TAG_MAC_LENGTH, 128);
7106
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7107 // Encrypt
7108 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7109 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7110 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7111 string ciphertext;
7112 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7113 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7114
7115 // Wrong nonce
7116 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
7117
7118 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7119 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7120 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7121 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7122 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7123
7124 // With wrong nonce, should have gotten garbage plaintext (or none).
7125 EXPECT_NE(message, plaintext);
7126}
7127
7128/*
7129 * EncryptionOperationsTest.AesGcmCorruptTag
7130 *
7131 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
7132 */
7133TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
7134 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7135 .Authorization(TAG_NO_AUTH_REQUIRED)
7136 .AesEncryptionKey(128)
7137 .BlockMode(BlockMode::GCM)
7138 .Padding(PaddingMode::NONE)
7139 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
7140
7141 string aad = "1234567890123456";
7142 string message = "123456789012345678901234567890123456";
7143
7144 auto params = AuthorizationSetBuilder()
7145 .BlockMode(BlockMode::GCM)
7146 .Padding(PaddingMode::NONE)
7147 .Authorization(TAG_MAC_LENGTH, 128);
7148
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7149 // Encrypt
7150 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7151 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7152 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7153 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7154 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7155
7156 // Corrupt tag
7157 ++(*ciphertext.rbegin());
7158
7159 // Grab nonce
7160 params.push_back(begin_out_params);
7161
7162 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7163 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7164 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7165 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7166 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7167}
7168
7169/*
7170 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
7171 *
7172 * Verifies that 3DES is basically functional.
7173 */
7174TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
7175 auto auths = AuthorizationSetBuilder()
7176 .TripleDesEncryptionKey(168)
7177 .BlockMode(BlockMode::ECB)
7178 .Authorization(TAG_NO_AUTH_REQUIRED)
7179 .Padding(PaddingMode::NONE);
7180
7181 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
7182 // Two-block message.
7183 string message = "1234567890123456";
7184 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7185 string ciphertext1 = EncryptMessage(message, inParams);
7186 EXPECT_EQ(message.size(), ciphertext1.size());
7187
7188 string ciphertext2 = EncryptMessage(string(message), inParams);
7189 EXPECT_EQ(message.size(), ciphertext2.size());
7190
7191 // ECB is deterministic.
7192 EXPECT_EQ(ciphertext1, ciphertext2);
7193
7194 string plaintext = DecryptMessage(ciphertext1, inParams);
7195 EXPECT_EQ(message, plaintext);
7196}
7197
7198/*
7199 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
7200 *
7201 * Verifies that CBC keys reject ECB usage.
7202 */
7203TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
7204 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7205 .TripleDesEncryptionKey(168)
7206 .BlockMode(BlockMode::CBC)
7207 .Authorization(TAG_NO_AUTH_REQUIRED)
7208 .Padding(PaddingMode::NONE)));
7209
7210 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7211 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
7212}
7213
7214/*
7215 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
7216 *
7217 * Tests ECB mode with PKCS#7 padding, various message sizes.
7218 */
7219TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
7220 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7221 .TripleDesEncryptionKey(168)
7222 .BlockMode(BlockMode::ECB)
7223 .Authorization(TAG_NO_AUTH_REQUIRED)
7224 .Padding(PaddingMode::PKCS7)));
7225
7226 for (size_t i = 0; i < 32; ++i) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7227 SCOPED_TRACE(testing::Message() << "msg size=" << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7228 string message(i, 'a');
7229 auto inParams =
7230 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7231 string ciphertext = EncryptMessage(message, inParams);
7232 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7233 string plaintext = DecryptMessage(ciphertext, inParams);
7234 EXPECT_EQ(message, plaintext);
7235 }
7236}
7237
7238/*
7239 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
7240 *
7241 * Verifies that keys configured for no padding reject PKCS7 padding
7242 */
7243TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
7244 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7245 .TripleDesEncryptionKey(168)
7246 .BlockMode(BlockMode::ECB)
7247 .Authorization(TAG_NO_AUTH_REQUIRED)
7248 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7249 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7250 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7251}
7252
7253/*
7254 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
7255 *
7256 * Verifies that corrupted padding is detected.
7257 */
7258TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
7259 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7260 .TripleDesEncryptionKey(168)
7261 .BlockMode(BlockMode::ECB)
7262 .Authorization(TAG_NO_AUTH_REQUIRED)
7263 .Padding(PaddingMode::PKCS7)));
7264
7265 string message = "a";
7266 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
7267 EXPECT_EQ(8U, ciphertext.size());
7268 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7269
7270 AuthorizationSetBuilder begin_params;
7271 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
7272 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7273
7274 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
7275 ++ciphertext[ciphertext.size() / 2];
7276
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7277 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7278 string plaintext;
7279 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7280 ErrorCode error = Finish(&plaintext);
7281 if (error == ErrorCode::INVALID_ARGUMENT) {
7282 // This is the expected error, we can exit the test now.
7283 return;
7284 } else {
7285 // Very small chance we got valid decryption, so try again.
7286 ASSERT_EQ(error, ErrorCode::OK);
7287 }
7288 }
7289 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7290}
7291
7292struct TripleDesTestVector {
7293 const char* name;
7294 const KeyPurpose purpose;
7295 const BlockMode block_mode;
7296 const PaddingMode padding_mode;
7297 const char* key;
7298 const char* iv;
7299 const char* input;
7300 const char* output;
7301};
7302
7303// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
7304// of the NIST vectors are multiples of the block size.
7305static const TripleDesTestVector kTripleDesTestVectors[] = {
7306 {
7307 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7308 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
7309 "", // IV
7310 "329d86bdf1bc5af4", // input
7311 "d946c2756d78633f", // output
7312 },
7313 {
7314 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7315 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
7316 "", // IV
7317 "6b1540781b01ce1997adae102dbf3c5b", // input
7318 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
7319 },
7320 {
7321 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7322 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
7323 "", // IV
7324 "6daad94ce08acfe7", // input
7325 "660e7d32dcc90e79", // output
7326 },
7327 {
7328 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7329 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
7330 "", // IV
7331 "e9653a0a1f05d31b9acd12d73aa9879d", // input
7332 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
7333 },
7334 {
7335 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7336 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
7337 "43f791134c5647ba", // IV
7338 "dcc153cef81d6f24", // input
7339 "92538bd8af18d3ba", // output
7340 },
7341 {
7342 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7343 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7344 "c2e999cb6249023c", // IV
7345 "c689aee38a301bb316da75db36f110b5", // input
7346 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
7347 },
7348 {
7349 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
7350 PaddingMode::PKCS7,
7351 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7352 "c2e999cb6249023c", // IV
7353 "c689aee38a301bb316da75db36f110b500", // input
7354 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
7355 },
7356 {
7357 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
7358 PaddingMode::PKCS7,
7359 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7360 "c2e999cb6249023c", // IV
7361 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
7362 "c689aee38a301bb316da75db36f110b500", // output
7363 },
7364 {
7365 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7366 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
7367 "41746c7e442d3681", // IV
7368 "c53a7b0ec40600fe", // input
7369 "d4f00eb455de1034", // output
7370 },
7371 {
7372 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7373 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
7374 "3982bc02c3727d45", // IV
7375 "6006f10adef52991fcc777a1238bbb65", // input
7376 "edae09288e9e3bc05746d872b48e3b29", // output
7377 },
7378};
7379
7380/*
7381 * EncryptionOperationsTest.TripleDesTestVector
7382 *
7383 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
7384 */
7385TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
7386 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
7387 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
7388 SCOPED_TRACE(test->name);
7389 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
7390 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
7391 hex2str(test->output));
7392 }
7393}
7394
7395/*
7396 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
7397 *
7398 * Validates CBC mode functionality.
7399 */
7400TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
7401 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7402 .TripleDesEncryptionKey(168)
7403 .BlockMode(BlockMode::CBC)
7404 .Authorization(TAG_NO_AUTH_REQUIRED)
7405 .Padding(PaddingMode::NONE)));
7406
7407 ASSERT_GT(key_blob_.size(), 0U);
7408
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7409 // Four-block message.
7410 string message = "12345678901234561234567890123456";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7411 vector<uint8_t> iv1;
7412 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
7413 EXPECT_EQ(message.size(), ciphertext1.size());
7414
7415 vector<uint8_t> iv2;
7416 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
7417 EXPECT_EQ(message.size(), ciphertext2.size());
7418
7419 // IVs should be random, so ciphertexts should differ.
7420 EXPECT_NE(iv1, iv2);
7421 EXPECT_NE(ciphertext1, ciphertext2);
7422
7423 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
7424 EXPECT_EQ(message, plaintext);
7425}
7426
7427/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7428 * EncryptionOperationsTest.TripleDesInvalidCallerIv
7429 *
7430 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
7431 */
7432TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
7433 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7434 .TripleDesEncryptionKey(168)
7435 .BlockMode(BlockMode::CBC)
7436 .Authorization(TAG_NO_AUTH_REQUIRED)
7437 .Authorization(TAG_CALLER_NONCE)
7438 .Padding(PaddingMode::NONE)));
7439 auto params = AuthorizationSetBuilder()
7440 .BlockMode(BlockMode::CBC)
7441 .Padding(PaddingMode::NONE)
7442 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
7443 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
7444}
7445
7446/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7447 * EncryptionOperationsTest.TripleDesCallerIv
7448 *
7449 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
7450 */
7451TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
7452 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7453 .TripleDesEncryptionKey(168)
7454 .BlockMode(BlockMode::CBC)
7455 .Authorization(TAG_NO_AUTH_REQUIRED)
7456 .Authorization(TAG_CALLER_NONCE)
7457 .Padding(PaddingMode::NONE)));
7458 string message = "1234567890123456";
7459 vector<uint8_t> iv;
7460 // Don't specify IV, should get a random one.
7461 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7462 EXPECT_EQ(message.size(), ciphertext1.size());
7463 EXPECT_EQ(8U, iv.size());
7464
7465 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7466 EXPECT_EQ(message, plaintext);
7467
7468 // Now specify an IV, should also work.
7469 iv = AidlBuf("abcdefgh");
7470 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
7471
7472 // Decrypt with correct IV.
7473 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
7474 EXPECT_EQ(message, plaintext);
7475
7476 // Now try with wrong IV.
7477 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
7478 EXPECT_NE(message, plaintext);
7479}
7480
7481/*
7482 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
7483 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7484 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7485 */
7486TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
7487 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7488 .TripleDesEncryptionKey(168)
7489 .BlockMode(BlockMode::CBC)
7490 .Authorization(TAG_NO_AUTH_REQUIRED)
7491 .Padding(PaddingMode::NONE)));
7492
7493 string message = "12345678901234567890123456789012";
7494 vector<uint8_t> iv;
7495 // Don't specify nonce, should get a random one.
7496 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7497 EXPECT_EQ(message.size(), ciphertext1.size());
7498 EXPECT_EQ(8U, iv.size());
7499
7500 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7501 EXPECT_EQ(message, plaintext);
7502
7503 // Now specify a nonce, should fail.
7504 auto input_params = AuthorizationSetBuilder()
7505 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
7506 .BlockMode(BlockMode::CBC)
7507 .Padding(PaddingMode::NONE);
7508 AuthorizationSet output_params;
7509 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
7510 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
7511}
7512
7513/*
7514 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
7515 *
7516 * Verifies that 3DES ECB-only keys do not allow CBC usage.
7517 */
7518TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
7519 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7520 .TripleDesEncryptionKey(168)
7521 .BlockMode(BlockMode::ECB)
7522 .Authorization(TAG_NO_AUTH_REQUIRED)
7523 .Padding(PaddingMode::NONE)));
7524 // Two-block message.
7525 string message = "1234567890123456";
7526 auto begin_params =
7527 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7528 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7529}
7530
7531/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7532 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7533 *
7534 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
7535 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7536TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
7537 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7538 SCOPED_TRACE(testing::Message() << "BlockMode::" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7539 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7540 .TripleDesEncryptionKey(168)
7541 .BlockMode(blockMode)
7542 .Authorization(TAG_NO_AUTH_REQUIRED)
7543 .Padding(PaddingMode::NONE)));
7544 // Message is slightly shorter than two blocks.
7545 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7546
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7547 auto begin_params =
7548 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
7549 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7550 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7551 string ciphertext;
7552 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
7553
7554 CheckedDeleteKey();
7555 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7556}
7557
7558/*
7559 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
7560 *
7561 * Verifies that PKCS7 padding works correctly in CBC mode.
7562 */
7563TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
7564 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7565 .TripleDesEncryptionKey(168)
7566 .BlockMode(BlockMode::CBC)
7567 .Authorization(TAG_NO_AUTH_REQUIRED)
7568 .Padding(PaddingMode::PKCS7)));
7569
7570 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7571 for (size_t i = 0; i <= 32; i++) {
7572 SCOPED_TRACE(testing::Message() << "i = " << i);
7573 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character, albeit not for 3DES.
7574 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7575 vector<uint8_t> iv;
7576 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7577 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7578 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
7579 EXPECT_EQ(message, plaintext);
7580 }
7581}
7582
7583/*
7584 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
7585 *
7586 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
7587 */
7588TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
7589 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7590 .TripleDesEncryptionKey(168)
7591 .BlockMode(BlockMode::CBC)
7592 .Authorization(TAG_NO_AUTH_REQUIRED)
7593 .Padding(PaddingMode::NONE)));
7594
7595 // Try various message lengths; all should fail.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7596 for (size_t i = 0; i <= 32; i++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7597 SCOPED_TRACE(testing::Message() << "i = " << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7598 auto begin_params =
7599 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
7600 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7601 }
7602}
7603
7604/*
7605 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
7606 *
7607 * Verifies that corrupted PKCS7 padding is rejected during decryption.
7608 */
7609TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
7610 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7611 .TripleDesEncryptionKey(168)
7612 .BlockMode(BlockMode::CBC)
7613 .Authorization(TAG_NO_AUTH_REQUIRED)
7614 .Padding(PaddingMode::PKCS7)));
7615
7616 string message = "a";
7617 vector<uint8_t> iv;
7618 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7619 EXPECT_EQ(8U, ciphertext.size());
7620 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7621
7622 auto begin_params = AuthorizationSetBuilder()
7623 .BlockMode(BlockMode::CBC)
7624 .Padding(PaddingMode::PKCS7)
7625 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7626
7627 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7628 SCOPED_TRACE(testing::Message() << "i = " << i);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7629 ++ciphertext[ciphertext.size() / 2];
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7630 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7631 string plaintext;
7632 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7633 ErrorCode error = Finish(&plaintext);
7634 if (error == ErrorCode::INVALID_ARGUMENT) {
7635 // This is the expected error, we can exit the test now.
7636 return;
7637 } else {
7638 // Very small chance we got valid decryption, so try again.
7639 ASSERT_EQ(error, ErrorCode::OK);
7640 }
7641 }
7642 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7643}
7644
7645/*
7646 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
7647 *
7648 * Verifies that 3DES CBC works with many different input sizes.
7649 */
7650TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
7651 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7652 .TripleDesEncryptionKey(168)
7653 .BlockMode(BlockMode::CBC)
7654 .Authorization(TAG_NO_AUTH_REQUIRED)
7655 .Padding(PaddingMode::NONE)));
7656
7657 int increment = 7;
7658 string message(240, 'a');
7659 AuthorizationSet input_params =
7660 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7661 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7662 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7663
7664 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7665 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7666 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7667 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
7668 EXPECT_EQ(message.size(), ciphertext.size());
7669
7670 // Move TAG_NONCE into input_params
7671 input_params = output_params;
7672 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
7673 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
7674 output_params.Clear();
7675
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7676 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7677 string plaintext;
7678 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7679 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7680 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
7681 EXPECT_EQ(ciphertext.size(), plaintext.size());
7682 EXPECT_EQ(message, plaintext);
7683}
7684
7685INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
7686
7687typedef KeyMintAidlTestBase MaxOperationsTest;
7688
7689/*
7690 * MaxOperationsTest.TestLimitAes
7691 *
7692 * Verifies that the max uses per boot tag works correctly with AES keys.
7693 */
7694TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7695 if (SecLevel() == SecurityLevel::STRONGBOX) {
7696 GTEST_SKIP() << "Test not applicable to StrongBox device";
7697 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7698
7699 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7700 .Authorization(TAG_NO_AUTH_REQUIRED)
7701 .AesEncryptionKey(128)
7702 .EcbMode()
7703 .Padding(PaddingMode::NONE)
7704 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
7705
7706 string message = "1234567890123456";
7707
7708 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7709
7710 EncryptMessage(message, params);
7711 EncryptMessage(message, params);
7712 EncryptMessage(message, params);
7713
7714 // Fourth time should fail.
7715 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
7716}
7717
7718/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7719 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7720 *
7721 * Verifies that the max uses per boot tag works correctly with RSA keys.
7722 */
7723TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7724 if (SecLevel() == SecurityLevel::STRONGBOX) {
7725 GTEST_SKIP() << "Test not applicable to StrongBox device";
7726 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7727
7728 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7729 .Authorization(TAG_NO_AUTH_REQUIRED)
7730 .RsaSigningKey(1024, 65537)
7731 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7732 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
7733 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7734
7735 string message = "1234567890123456";
7736
7737 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7738
7739 SignMessage(message, params);
7740 SignMessage(message, params);
7741 SignMessage(message, params);
7742
7743 // Fourth time should fail.
7744 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
7745}
7746
7747INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
7748
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7749typedef KeyMintAidlTestBase UsageCountLimitTest;
7750
7751/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7752 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7753 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7754 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7755 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7756TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7757 if (SecLevel() == SecurityLevel::STRONGBOX) {
7758 GTEST_SKIP() << "Test not applicable to StrongBox device";
7759 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7760
7761 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7762 .Authorization(TAG_NO_AUTH_REQUIRED)
7763 .AesEncryptionKey(128)
7764 .EcbMode()
7765 .Padding(PaddingMode::NONE)
7766 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
7767
7768 // Check the usage count limit tag appears in the authorizations.
7769 AuthorizationSet auths;
7770 for (auto& entry : key_characteristics_) {
7771 auths.push_back(AuthorizationSet(entry.authorizations));
7772 }
7773 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7774 << "key usage count limit " << 1U << " missing";
7775
7776 string message = "1234567890123456";
7777 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7778
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7779 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7780 AuthorizationSet keystore_auths =
7781 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7782
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7783 // First usage of AES key should work.
7784 EncryptMessage(message, params);
7785
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7786 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7787 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7788 // must be invalidated from secure storage (such as RPMB partition).
7789 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7790 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7791 // Usage count limit tag is enforced by keystore, keymint does nothing.
7792 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7793 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7794 }
7795}
7796
7797/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7798 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7799 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7800 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7801 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7802TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7803 if (SecLevel() == SecurityLevel::STRONGBOX) {
7804 GTEST_SKIP() << "Test not applicable to StrongBox device";
7805 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7806
7807 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7808 .Authorization(TAG_NO_AUTH_REQUIRED)
7809 .AesEncryptionKey(128)
7810 .EcbMode()
7811 .Padding(PaddingMode::NONE)
7812 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
7813
7814 // Check the usage count limit tag appears in the authorizations.
7815 AuthorizationSet auths;
7816 for (auto& entry : key_characteristics_) {
7817 auths.push_back(AuthorizationSet(entry.authorizations));
7818 }
7819 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7820 << "key usage count limit " << 3U << " missing";
7821
7822 string message = "1234567890123456";
7823 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7824
7825 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7826 AuthorizationSet keystore_auths =
7827 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7828
7829 EncryptMessage(message, params);
7830 EncryptMessage(message, params);
7831 EncryptMessage(message, params);
7832
7833 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7834 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7835 // must be invalidated from secure storage (such as RPMB partition).
7836 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7837 } else {
7838 // Usage count limit tag is enforced by keystore, keymint does nothing.
7839 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7840 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7841 }
7842}
7843
7844/*
7845 * UsageCountLimitTest.TestSingleUseRsa
7846 *
7847 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
7848 */
7849TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7850 if (SecLevel() == SecurityLevel::STRONGBOX) {
7851 GTEST_SKIP() << "Test not applicable to StrongBox device";
7852 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7853
7854 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7855 .Authorization(TAG_NO_AUTH_REQUIRED)
7856 .RsaSigningKey(1024, 65537)
7857 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7858 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7859 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7860
7861 // Check the usage count limit tag appears in the authorizations.
7862 AuthorizationSet auths;
7863 for (auto& entry : key_characteristics_) {
7864 auths.push_back(AuthorizationSet(entry.authorizations));
7865 }
7866 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7867 << "key usage count limit " << 1U << " missing";
7868
7869 string message = "1234567890123456";
7870 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7871
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7872 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7873 AuthorizationSet keystore_auths =
7874 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7875
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7876 // First usage of RSA key should work.
7877 SignMessage(message, params);
7878
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7879 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7880 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7881 // must be invalidated from secure storage (such as RPMB partition).
7882 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7883 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7884 // Usage count limit tag is enforced by keystore, keymint does nothing.
7885 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7886 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7887 }
7888}
7889
7890/*
7891 * UsageCountLimitTest.TestLimitUseRsa
7892 *
7893 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
7894 */
7895TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7896 if (SecLevel() == SecurityLevel::STRONGBOX) {
7897 GTEST_SKIP() << "Test not applicable to StrongBox device";
7898 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7899
7900 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7901 .Authorization(TAG_NO_AUTH_REQUIRED)
7902 .RsaSigningKey(1024, 65537)
7903 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7904 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
7905 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7906
7907 // Check the usage count limit tag appears in the authorizations.
7908 AuthorizationSet auths;
7909 for (auto& entry : key_characteristics_) {
7910 auths.push_back(AuthorizationSet(entry.authorizations));
7911 }
7912 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7913 << "key usage count limit " << 3U << " missing";
7914
7915 string message = "1234567890123456";
7916 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7917
7918 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7919 AuthorizationSet keystore_auths =
7920 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7921
7922 SignMessage(message, params);
7923 SignMessage(message, params);
7924 SignMessage(message, params);
7925
7926 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7927 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7928 // must be invalidated from secure storage (such as RPMB partition).
7929 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7930 } else {
7931 // Usage count limit tag is enforced by keystore, keymint does nothing.
7932 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7933 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7934 }
7935}
7936
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7937/*
7938 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
7939 *
7940 * Verifies that when rollback resistance is supported by the KeyMint implementation with
7941 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
7942 * in hardware.
7943 */
7944TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7945 auto error = GenerateKey(AuthorizationSetBuilder()
7946 .RsaSigningKey(2048, 65537)
7947 .Digest(Digest::NONE)
7948 .Padding(PaddingMode::NONE)
7949 .Authorization(TAG_NO_AUTH_REQUIRED)
7950 .Authorization(TAG_ROLLBACK_RESISTANCE)
7951 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7952 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7953 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7954 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7955
7956 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
7957 ASSERT_EQ(ErrorCode::OK, error);
7958 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7959 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
7960 ASSERT_EQ(ErrorCode::OK, DeleteKey());
7961
7962 // The KeyMint should also enforce single use key in hardware when it supports rollback
7963 // resistance.
7964 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7965 .Authorization(TAG_NO_AUTH_REQUIRED)
7966 .RsaSigningKey(1024, 65537)
7967 .NoDigestOrPadding()
7968 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7969 .SetDefaultValidity()));
7970
7971 // Check the usage count limit tag appears in the hardware authorizations.
7972 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7973 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7974 << "key usage count limit " << 1U << " missing";
7975
7976 string message = "1234567890123456";
7977 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7978
7979 // First usage of RSA key should work.
7980 SignMessage(message, params);
7981
7982 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7983 // must be invalidated from secure storage (such as RPMB partition).
7984 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7985}
7986
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7987INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
7988
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7989typedef KeyMintAidlTestBase GetHardwareInfoTest;
7990
7991TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
7992 // Retrieving hardware info should give the same result each time.
7993 KeyMintHardwareInfo info;
7994 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
7995 KeyMintHardwareInfo info2;
7996 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
7997 EXPECT_EQ(info, info2);
7998}
7999
8000INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
8001
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8002typedef KeyMintAidlTestBase AddEntropyTest;
8003
8004/*
8005 * AddEntropyTest.AddEntropy
8006 *
8007 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
8008 * is actually added.
8009 */
8010TEST_P(AddEntropyTest, AddEntropy) {
8011 string data = "foo";
8012 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
8013}
8014
8015/*
8016 * AddEntropyTest.AddEmptyEntropy
8017 *
8018 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
8019 */
8020TEST_P(AddEntropyTest, AddEmptyEntropy) {
8021 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
8022}
8023
8024/*
8025 * AddEntropyTest.AddLargeEntropy
8026 *
8027 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
8028 */
8029TEST_P(AddEntropyTest, AddLargeEntropy) {
8030 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
8031}
8032
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]8033/*
8034 * AddEntropyTest.AddTooLargeEntropy
8035 *
8036 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
8037 */
8038TEST_P(AddEntropyTest, AddTooLargeEntropy) {
8039 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
8040 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
8041}
8042
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8043INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
8044
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8045typedef KeyMintAidlTestBase KeyDeletionTest;
8046
8047/**
8048 * KeyDeletionTest.DeleteKey
8049 *
8050 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
8051 * valid key blob.
8052 */
8053TEST_P(KeyDeletionTest, DeleteKey) {
8054 auto error = GenerateKey(AuthorizationSetBuilder()
8055 .RsaSigningKey(2048, 65537)
8056 .Digest(Digest::NONE)
8057 .Padding(PaddingMode::NONE)
8058 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]8059 .Authorization(TAG_ROLLBACK_RESISTANCE)
8060 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8061 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8062 GTEST_SKIP() << "Rollback resistance not supported";
8063 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8064
8065 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8066 ASSERT_EQ(ErrorCode::OK, error);
8067 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
8068 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8069
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8070 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8071
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8072 string message = "12345678901234567890123456789012";
8073 AuthorizationSet begin_out_params;
8074 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
8075 Begin(KeyPurpose::SIGN, key_blob_,
8076 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
8077 &begin_out_params));
8078 AbortIfNeeded();
8079 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8080}
8081
8082/**
8083 * KeyDeletionTest.DeleteInvalidKey
8084 *
8085 * This test checks that the HAL excepts invalid key blobs..
8086 */
8087TEST_P(KeyDeletionTest, DeleteInvalidKey) {
8088 // Generate key just to check if rollback protection is implemented
8089 auto error = GenerateKey(AuthorizationSetBuilder()
8090 .RsaSigningKey(2048, 65537)
8091 .Digest(Digest::NONE)
8092 .Padding(PaddingMode::NONE)
8093 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]8094 .Authorization(TAG_ROLLBACK_RESISTANCE)
8095 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8096 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8097 GTEST_SKIP() << "Rollback resistance not supported";
8098 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8099
8100 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8101 ASSERT_EQ(ErrorCode::OK, error);
8102 AuthorizationSet enforced(SecLevelAuthorizations());
8103 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8104
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8105 // Delete the key we don't care about the result at this point.
8106 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8107
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8108 // Now create an invalid key blob and delete it.
8109 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8110
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8111 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8112}
8113
8114/**
8115 * KeyDeletionTest.DeleteAllKeys
8116 *
8117 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
8118 *
8119 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
8120 * FBE/FDE encryption keys, which means that the device will not even boot until after the
8121 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
8122 * been provisioned. Use this test only on dedicated testing devices that have no valuable
8123 * credentials stored in Keystore/Keymint.
8124 */
8125TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8126 if (!arm_deleteAllKeys) {
8127 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
8128 return;
8129 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8130 auto error = GenerateKey(AuthorizationSetBuilder()
8131 .RsaSigningKey(2048, 65537)
8132 .Digest(Digest::NONE)
8133 .Padding(PaddingMode::NONE)
8134 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]8135 .Authorization(TAG_ROLLBACK_RESISTANCE)
8136 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8137 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
8138 GTEST_SKIP() << "Rollback resistance not supported";
8139 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8140
8141 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8142 ASSERT_EQ(ErrorCode::OK, error);
8143 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
8144 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8145
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8146 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8147
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8148 string message = "12345678901234567890123456789012";
8149 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8150
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8151 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
8152 Begin(KeyPurpose::SIGN, key_blob_,
8153 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
8154 &begin_out_params));
8155 AbortIfNeeded();
8156 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8157}
8158
8159INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
8160
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8161typedef KeyMintAidlTestBase KeyUpgradeTest;
8162
8163/**
8164 * KeyUpgradeTest.UpgradeInvalidKey
8165 *
8166 * This test checks that the HAL excepts invalid key blobs..
8167 */
8168TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
8169 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
8170
8171 std::vector<uint8_t> new_blob;
8172 Status result = keymint_->upgradeKey(key_blob,
8173 AuthorizationSetBuilder()
8174 .Authorization(TAG_APPLICATION_ID, "clientid")
8175 .Authorization(TAG_APPLICATION_DATA, "appdata")
8176 .vector_data(),
8177 &new_blob);
8178 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
8179}
8180
8181INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
8182
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8183using UpgradeKeyTest = KeyMintAidlTestBase;
8184
8185/*
8186 * UpgradeKeyTest.UpgradeKey
8187 *
8188 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
8189 */
8190TEST_P(UpgradeKeyTest, UpgradeKey) {
8191 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8192 .AesEncryptionKey(128)
8193 .Padding(PaddingMode::NONE)
8194 .Authorization(TAG_NO_AUTH_REQUIRED)));
8195
8196 auto result = UpgradeKey(key_blob_);
8197
8198 // Key doesn't need upgrading. Should get okay, but no new key blob.
8199 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
8200}
8201
8202INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
8203
8204using ClearOperationsTest = KeyMintAidlTestBase;
8205
8206/*
8207 * ClearSlotsTest.TooManyOperations
8208 *
8209 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
8210 * operations are started without being finished or aborted. Also verifies
8211 * that aborting the operations clears the operations.
8212 *
8213 */
8214TEST_P(ClearOperationsTest, TooManyOperations) {
8215 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8216 .Authorization(TAG_NO_AUTH_REQUIRED)
8217 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]8218 .Padding(PaddingMode::NONE)
8219 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8220
8221 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
8222 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8223 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8224 AuthorizationSet out_params;
8225 ErrorCode result;
8226 size_t i;
8227
8228 for (i = 0; i < max_operations; i++) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8229 result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8230 if (ErrorCode::OK != result) {
8231 break;
8232 }
8233 }
8234 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
8235 // Try again just in case there's a weird overflow bug
8236 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8237 Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8238 for (size_t j = 0; j < i; j++) {
8239 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
8240 << "Aboort failed for i = " << j << std::endl;
8241 }
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8242 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8243 AbortIfNeeded();
8244}
8245
8246INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
8247
8248typedef KeyMintAidlTestBase TransportLimitTest;
8249
8250/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]8251 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8252 *
8253 * Verifies that passing input data to finish succeeds as expected.
8254 */
8255TEST_P(TransportLimitTest, LargeFinishInput) {
8256 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8257 .Authorization(TAG_NO_AUTH_REQUIRED)
8258 .AesEncryptionKey(128)
8259 .BlockMode(BlockMode::ECB)
8260 .Padding(PaddingMode::NONE)));
8261
8262 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8263 SCOPED_TRACE(testing::Message() << "msg_size = " << msg_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8264 auto cipher_params =
8265 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
8266
8267 AuthorizationSet out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8268 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8269
8270 string plain_message = std::string(1 << msg_size, 'x');
8271 string encrypted_message;
8272 auto rc = Finish(plain_message, &encrypted_message);
8273
8274 EXPECT_EQ(ErrorCode::OK, rc);
8275 EXPECT_EQ(plain_message.size(), encrypted_message.size())
8276 << "Encrypt finish returned OK, but did not consume all of the given input";
8277 cipher_params.push_back(out_params);
8278
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8279 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8280
8281 string decrypted_message;
8282 rc = Finish(encrypted_message, &decrypted_message);
8283 EXPECT_EQ(ErrorCode::OK, rc);
8284 EXPECT_EQ(plain_message.size(), decrypted_message.size())
8285 << "Decrypt finish returned OK, did not consume all of the given input";
8286 }
8287}
8288
8289INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
8290
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8291static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8292 switch (curve) {
8293 case EcCurve::P_224:
8294 return NID_secp224r1;
8295 case EcCurve::P_256:
8296 return NID_X9_62_prime256v1;
8297 case EcCurve::P_384:
8298 return NID_secp384r1;
8299 case EcCurve::P_521:
8300 return NID_secp521r1;
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8301 case EcCurve::CURVE_25519:
8302 return NID_X25519;
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8303 }
8304}
8305
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8306class KeyAgreementTest : public KeyMintAidlTestBase {
8307 protected:
8308 void GenerateLocalEcKey(EcCurve localCurve, EVP_PKEY_Ptr* localPrivKey,
8309 std::vector<uint8_t>* localPublicKey) {
8310 // Generate EC key locally (with access to private key material)
8311 if (localCurve == EcCurve::CURVE_25519) {
8312 uint8_t privKeyData[32];
8313 uint8_t pubKeyData[32];
8314 X25519_keypair(pubKeyData, privKeyData);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8315 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new_raw_private_key(
8316 EVP_PKEY_X25519, nullptr, privKeyData, sizeof(privKeyData)));
8317 } else {
8318 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
8319 int curveName = EcdhCurveToOpenSslCurveName(localCurve);
8320 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
8321 ASSERT_NE(group, nullptr);
8322 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
8323 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
8324 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new());
8325 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(localPrivKey->get(), ecKey.get()), 1);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8326 }
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8327
8328 // Get encoded form of the public part of the locally generated key...
8329 unsigned char* p = nullptr;
8330 int localPublicKeySize = i2d_PUBKEY(localPrivKey->get(), &p);
8331 ASSERT_GT(localPublicKeySize, 0);
8332 *localPublicKey = vector<uint8_t>(reinterpret_cast<const uint8_t*>(p),
8333 reinterpret_cast<const uint8_t*>(p + localPublicKeySize));
8334 OPENSSL_free(p);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8335 }
8336
8337 void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
8338 vector<uint8_t> challenge = {0x41, 0x42};
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]8339 auto builder = AuthorizationSetBuilder()
8340 .Authorization(TAG_NO_AUTH_REQUIRED)
8341 .Authorization(TAG_EC_CURVE, curve)
8342 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8343 .Authorization(TAG_ALGORITHM, Algorithm::EC)
8344 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
8345 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
8346 .SetDefaultValidity();
8347 ErrorCode result = GenerateKey(builder);
8348
8349 if (SecLevel() == SecurityLevel::STRONGBOX) {
8350 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
8351 result = GenerateKeyWithSelfSignedAttestKey(
8352 AuthorizationSetBuilder()
8353 .EcdsaKey(EcCurve::P_256)
8354 .AttestKey()
8355 .SetDefaultValidity(), /* attest key params */
8356 builder, &key_blob_, &key_characteristics_, &cert_chain_);
8357 }
8358 }
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8359 ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
8360 ASSERT_GT(cert_chain_.size(), 0);
8361 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8362 ASSERT_NE(kmKeyCert, nullptr);
8363 // Check that keyAgreement (bit 4) is set in KeyUsage
8364 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
8365 *kmPubKey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
8366 ASSERT_NE(*kmPubKey, nullptr);
8367 if (dump_Attestations) {
8368 for (size_t n = 0; n < cert_chain_.size(); n++) {
8369 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
8370 }
8371 }
8372 }
8373
8374 void CheckAgreement(EVP_PKEY_Ptr kmPubKey, EVP_PKEY_Ptr localPrivKey,
8375 const std::vector<uint8_t>& localPublicKey) {
8376 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8377 string ZabFromKeyMintStr;
8378 ASSERT_EQ(ErrorCode::OK,
8379 Finish(string(localPublicKey.begin(), localPublicKey.end()), &ZabFromKeyMintStr));
8380 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
8381 vector<uint8_t> ZabFromTest;
8382
8383 if (EVP_PKEY_id(kmPubKey.get()) == EVP_PKEY_X25519) {
8384 size_t kmPubKeySize = 32;
8385 uint8_t kmPubKeyData[32];
8386 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8387 ASSERT_EQ(kmPubKeySize, 32);
8388
8389 uint8_t localPrivKeyData[32];
8390 size_t localPrivKeySize = 32;
8391 ASSERT_EQ(1, EVP_PKEY_get_raw_private_key(localPrivKey.get(), localPrivKeyData,
8392 &localPrivKeySize));
8393 ASSERT_EQ(localPrivKeySize, 32);
8394
8395 uint8_t sharedKey[32];
8396 ASSERT_EQ(1, X25519(sharedKey, localPrivKeyData, kmPubKeyData));
8397 ZabFromTest = std::vector<uint8_t>(sharedKey, sharedKey + 32);
8398 } else {
8399 // Perform local ECDH between the two keys so we can check if we get the same Zab..
8400 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(localPrivKey.get(), nullptr));
8401 ASSERT_NE(ctx, nullptr);
8402 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
8403 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPubKey.get()), 1);
8404 size_t ZabFromTestLen = 0;
8405 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
8406 ZabFromTest.resize(ZabFromTestLen);
8407 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
8408 }
8409 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
8410 }
8411};
8412
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8413/*
8414 * KeyAgreementTest.Ecdh
8415 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8416 * Verifies that ECDH works for all required curves
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8417 */
8418TEST_P(KeyAgreementTest, Ecdh) {
8419 // Because it's possible to use this API with keys on different curves, we
8420 // check all N^2 combinations where N is the number of supported
8421 // curves.
8422 //
8423 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
8424 // lot more curves we can be smart about things and just pick |otherCurve| so
8425 // it's not |curve| and that way we end up with only 2*N runs
8426 //
8427 for (auto curve : ValidCurves()) {
8428 for (auto localCurve : ValidCurves()) {
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8429 SCOPED_TRACE(testing::Message()
8430 << "local-curve-" << localCurve << "-keymint-curve-" << curve);
8431
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8432 // Generate EC key locally (with access to private key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8433 EVP_PKEY_Ptr localPrivKey;
8434 vector<uint8_t> localPublicKey;
8435 GenerateLocalEcKey(localCurve, &localPrivKey, &localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8436
8437 // Generate EC key in KeyMint (only access to public key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8438 EVP_PKEY_Ptr kmPubKey;
8439 GenerateKeyMintEcKey(curve, &kmPubKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8440
8441 // Now that we have the two keys, we ask KeyMint to perform ECDH...
8442 if (curve != localCurve) {
8443 // If the keys are using different curves KeyMint should fail with
8444 // ErrorCode:INVALID_ARGUMENT. Check that.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8445 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8446 string ZabFromKeyMintStr;
8447 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8448 Finish(string(localPublicKey.begin(), localPublicKey.end()),
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8449 &ZabFromKeyMintStr));
8450
8451 } else {
8452 // Otherwise if the keys are using the same curve, it should work.
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8453 CheckAgreement(std::move(kmPubKey), std::move(localPrivKey), localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8454 }
8455
8456 CheckedDeleteKey();
8457 }
8458 }
8459}
8460
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8461/*
8462 * KeyAgreementTest.EcdhCurve25519
8463 *
8464 * Verifies that ECDH works for curve25519. This is also covered by the general
8465 * KeyAgreementTest.Ecdh case, but is pulled out separately here because this curve was added after
8466 * KeyMint 1.0.
8467 */
8468TEST_P(KeyAgreementTest, EcdhCurve25519) {
8469 if (!Curve25519Supported()) {
8470 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8471 }
8472
8473 // Generate EC key in KeyMint (only access to public key material)
8474 EcCurve curve = EcCurve::CURVE_25519;
8475 EVP_PKEY_Ptr kmPubKey = nullptr;
8476 GenerateKeyMintEcKey(curve, &kmPubKey);
8477
8478 // Generate EC key on same curve locally (with access to private key material).
8479 EVP_PKEY_Ptr privKey;
8480 vector<uint8_t> encodedPublicKey;
8481 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8482
8483 // Agree on a key between local and KeyMint and check it.
8484 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8485
8486 CheckedDeleteKey();
8487}
8488
8489/*
8490 * KeyAgreementTest.EcdhCurve25519Imported
8491 *
8492 * Verifies that ECDH works for an imported curve25519 key.
8493 */
8494TEST_P(KeyAgreementTest, EcdhCurve25519Imported) {
8495 if (!Curve25519Supported()) {
8496 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8497 }
8498
8499 // Import x25519 key into KeyMint.
8500 EcCurve curve = EcCurve::CURVE_25519;
8501 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
8502 .Authorization(TAG_NO_AUTH_REQUIRED)
8503 .EcdsaKey(EcCurve::CURVE_25519)
8504 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8505 .SetDefaultValidity(),
8506 KeyFormat::PKCS8, x25519_pkcs8_key));
8507 ASSERT_GT(cert_chain_.size(), 0);
8508 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8509 ASSERT_NE(kmKeyCert, nullptr);
8510 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
8511 ASSERT_NE(kmPubKey.get(), nullptr);
8512
8513 // Expect the import to emit corresponding public key data.
8514 size_t kmPubKeySize = 32;
8515 uint8_t kmPubKeyData[32];
8516 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8517 ASSERT_EQ(kmPubKeySize, 32);
8518 EXPECT_EQ(bin2hex(std::vector<uint8_t>(kmPubKeyData, kmPubKeyData + 32)),
8519 bin2hex(std::vector<uint8_t>(x25519_pubkey.begin(), x25519_pubkey.end())));
8520
8521 // Generate EC key on same curve locally (with access to private key material).
8522 EVP_PKEY_Ptr privKey;
8523 vector<uint8_t> encodedPublicKey;
8524 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8525
8526 // Agree on a key between local and KeyMint and check it.
8527 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8528
8529 CheckedDeleteKey();
8530}
8531
8532/*
8533 * KeyAgreementTest.EcdhCurve25519InvalidSize
8534 *
8535 * Verifies that ECDH fails for curve25519 if the wrong size of public key is provided.
8536 */
8537TEST_P(KeyAgreementTest, EcdhCurve25519InvalidSize) {
8538 if (!Curve25519Supported()) {
8539 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8540 }
8541
8542 // Generate EC key in KeyMint (only access to public key material)
8543 EcCurve curve = EcCurve::CURVE_25519;
8544 EVP_PKEY_Ptr kmPubKey = nullptr;
8545 GenerateKeyMintEcKey(curve, &kmPubKey);
8546
8547 // Generate EC key on same curve locally (with access to private key material).
8548 EVP_PKEY_Ptr privKey;
8549 vector<uint8_t> encodedPublicKey;
8550 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8551
8552 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8553 string ZabFromKeyMintStr;
8554 // Send in an incomplete public key.
8555 ASSERT_NE(ErrorCode::OK, Finish(string(encodedPublicKey.begin(), encodedPublicKey.end() - 1),
8556 &ZabFromKeyMintStr));
8557
8558 CheckedDeleteKey();
8559}
8560
8561/*
8562 * KeyAgreementTest.EcdhCurve25519Mismatch
8563 *
8564 * Verifies that ECDH fails between curve25519 and other curves.
8565 */
8566TEST_P(KeyAgreementTest, EcdhCurve25519Mismatch) {
8567 if (!Curve25519Supported()) {
8568 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8569 }
8570
8571 // Generate EC key in KeyMint (only access to public key material)
8572 EcCurve curve = EcCurve::CURVE_25519;
8573 EVP_PKEY_Ptr kmPubKey = nullptr;
8574 GenerateKeyMintEcKey(curve, &kmPubKey);
8575
8576 for (auto localCurve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8577 SCOPED_TRACE(testing::Message() << "local-curve-" << localCurve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8578 if (localCurve == curve) {
8579 continue;
8580 }
8581 // Generate EC key on a different curve locally (with access to private key material).
8582 EVP_PKEY_Ptr privKey;
8583 vector<uint8_t> encodedPublicKey;
8584 GenerateLocalEcKey(localCurve, &privKey, &encodedPublicKey);
8585
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8586 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8587 string ZabFromKeyMintStr;
8588 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
8589 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
8590 &ZabFromKeyMintStr));
8591 }
8592
8593 CheckedDeleteKey();
8594}
8595
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8596INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
8597
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8598using DestroyAttestationIdsTest = KeyMintAidlTestBase;
8599
8600// This is a problematic test, as it can render the device under test permanently unusable.
8601// Re-enable and run at your own risk.
8602TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
8603 auto result = DestroyAttestationIds();
8604 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
8605}
8606
8607INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
8608
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8609using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8610
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8611/*
8612 * EarlyBootKeyTest.CreateEarlyBootKeys
8613 *
8614 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
8615 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8616TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8617 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8618 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8619 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8620 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8621 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8622 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8623 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8624
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8625 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
8626 ASSERT_GT(keyData.blob.size(), 0U);
8627 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8628 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8629 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8630}
8631
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8632/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8633 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
8634 *
8635 * Verifies that creating an early boot key with attestation succeeds.
8636 */
8637TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
8638 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
8639 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
8640 builder->AttestationChallenge("challenge");
8641 builder->AttestationApplicationId("app_id");
8642 });
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8643 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8644 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8645 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8646 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8647
8648 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8649 // Strongbox may not support factory attestation. Key creation might fail with
8650 // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
8651 if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
8652 continue;
8653 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8654 ASSERT_GT(keyData.blob.size(), 0U);
8655 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8656 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8657 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8658}
8659
8660/*
8661 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8662 *
8663 * Verifies that using early boot keys at a later stage fails.
8664 */
8665TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
8666 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8667 .Authorization(TAG_NO_AUTH_REQUIRED)
8668 .Authorization(TAG_EARLY_BOOT_ONLY)
8669 .HmacKey(128)
8670 .Digest(Digest::SHA_2_256)
8671 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
8672 AuthorizationSet output_params;
8673 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
8674 AuthorizationSetBuilder()
8675 .Digest(Digest::SHA_2_256)
8676 .Authorization(TAG_MAC_LENGTH, 256),
8677 &output_params));
8678}
8679
8680/*
8681 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
8682 *
8683 * Verifies that importing early boot keys fails.
8684 */
8685TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
8686 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
8687 .Authorization(TAG_NO_AUTH_REQUIRED)
8688 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]8689 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8690 .Digest(Digest::SHA_2_256)
8691 .SetDefaultValidity(),
8692 KeyFormat::PKCS8, ec_256_key));
8693}
8694
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8695// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8696// boot stage, which no proper Android device is by the time we can run VTS. To use this,
8697// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
8698// early boot, so you'll have to reboot between runs.
8699TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
8700 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8701 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8702 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8703 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8704 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8705 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
8706
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8707 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
8708 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8709 EXPECT_TRUE(
8710 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8711 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8712 EXPECT_TRUE(
8713 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8714
8715 // Should be able to use keys, since early boot has not ended
8716 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8717 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8718 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8719 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8720
8721 // End early boot
8722 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
8723 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
8724
8725 // Should not be able to use already-created keys.
8726 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
8727 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
8728 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
8729 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
8730
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8731 // Should not be able to create new keys
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8732 auto [aesKeyData2, hmacKeyData2, rsaKeyData2, ecdsaKeyData2] =
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8733 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8734 KeyBlobDeleter aes_deleter2(keymint_, aesKeyData2.blob);
8735 KeyBlobDeleter hmac_deleter2(keymint_, hmacKeyData2.blob);
8736 KeyBlobDeleter rsa_deleter2(keymint_, rsaKeyData2.blob);
8737 KeyBlobDeleter ecdsa_deleter2(keymint_, ecdsaKeyData2.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8738}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8739
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8740INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
8741
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8742using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8743
8744// This may be a problematic test. It can't be run repeatedly without unlocking the device in
8745// between runs... and on most test devices there are no enrolled credentials so it can't be
8746// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
8747// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
8748// a manual test process, which includes unlocking between runs, which is why it's included here.
8749// Well, that and the fact that it's the only test we can do without also making calls into the
8750// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
8751// implications might be, so that may or may not be a solution.
8752TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
8753 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8754 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8755 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8756 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8757 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8758 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8759
8760 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8761 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8762 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8763 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8764
8765 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8766 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8767 ASSERT_EQ(ErrorCode::OK, rc);
8768 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
8769 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
8770 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
8771 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8772}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8773
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8774INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
8775
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8776using VsrRequirementTest = KeyMintAidlTestBase;
8777
Eran Messeri5fe06ea2023-08-02 22:34:24 +0100[diff] [blame]8778// @VsrTest = VSR-3.10-008
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8779TEST_P(VsrRequirementTest, Vsr13Test) {
8780 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8781 if (vsr_api_level < __ANDROID_API_T__) {
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8782 GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
8783 }
8784 EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
8785}
8786
Eran Messeri5fe06ea2023-08-02 22:34:24 +0100[diff] [blame]8787// @VsrTest = VSR-3.10-013.001
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8788TEST_P(VsrRequirementTest, Vsr14Test) {
8789 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8790 if (vsr_api_level < __ANDROID_API_U__) {
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8791 GTEST_SKIP() << "Applies only to VSR API level 34, this device is: " << vsr_api_level;
8792 }
8793 EXPECT_GE(AidlVersion(), 3) << "VSR 14+ requires KeyMint version 3";
8794}
8795
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8796INSTANTIATE_KEYMINT_AIDL_TEST(VsrRequirementTest);
8797
David Drysdale6c9bdb82024-01-23 09:32:04 +0000[diff] [blame^]8798class InstanceTest : public testing::Test {
8799 protected:
8800 static void SetUpTestSuite() {
8801 auto params = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor);
8802 for (auto& param : params) {
8803 ASSERT_TRUE(AServiceManager_isDeclared(param.c_str()))
8804 << "IKeyMintDevice instance " << param << " found but not declared.";
8805 ::ndk::SpAIBinder binder(AServiceManager_waitForService(param.c_str()));
8806 auto keymint = IKeyMintDevice::fromBinder(binder);
8807 ASSERT_NE(keymint, nullptr) << "Failed to get IKeyMintDevice instance " << param;
8808
8809 KeyMintHardwareInfo info;
8810 ASSERT_TRUE(keymint->getHardwareInfo(&info).isOk());
8811 ASSERT_EQ(keymints_.count(info.securityLevel), 0)
8812 << "There must be exactly one IKeyMintDevice with security level "
8813 << info.securityLevel;
8814
8815 keymints_[info.securityLevel] = std::move(keymint);
8816 }
8817 }
8818
8819 int32_t AidlVersion(shared_ptr<IKeyMintDevice> keymint) {
8820 int32_t version = 0;
8821 auto status = keymint->getInterfaceVersion(&version);
8822 if (!status.isOk()) {
8823 ADD_FAILURE() << "Failed to determine interface version";
8824 }
8825 return version;
8826 }
8827
8828 static std::map<SecurityLevel, shared_ptr<IKeyMintDevice>> keymints_;
8829};
8830
8831std::map<SecurityLevel, shared_ptr<IKeyMintDevice>> InstanceTest::keymints_;
8832
8833// @VsrTest = VSR-3.10-017
8834// Check that the AIDL version advertised by the HAL service matches
8835// the value in the package manager feature version.
8836TEST_F(InstanceTest, AidlVersionInFeature) {
8837 if (is_gsi_image()) {
8838 GTEST_SKIP() << "Versions not required to match under GSI";
8839 }
8840 if (keymints_.count(SecurityLevel::TRUSTED_ENVIRONMENT) == 1) {
8841 auto tee = keymints_.find(SecurityLevel::TRUSTED_ENVIRONMENT)->second;
8842 int32_t tee_aidl_version = AidlVersion(tee) * 100;
8843 std::optional<int32_t> tee_feature_version = keymint_feature_value(/* strongbox */ false);
8844 ASSERT_TRUE(tee_feature_version.has_value());
8845 EXPECT_EQ(tee_aidl_version, tee_feature_version.value());
8846 }
8847 if (keymints_.count(SecurityLevel::STRONGBOX) == 1) {
8848 auto sb = keymints_.find(SecurityLevel::STRONGBOX)->second;
8849 int32_t sb_aidl_version = AidlVersion(sb) * 100;
8850 std::optional<int32_t> sb_feature_version = keymint_feature_value(/* strongbox */ true);
8851 ASSERT_TRUE(sb_feature_version.has_value());
8852 EXPECT_EQ(sb_aidl_version, sb_feature_version.value());
8853 }
8854}
8855
8856// @VsrTest = VSR-3.10-017
8857// Check that if package manager advertises support for KeyMint of a particular version, that
8858// version is present as a HAL service.
8859TEST_F(InstanceTest, FeatureVersionInAidl) {
8860 if (is_gsi_image()) {
8861 GTEST_SKIP() << "Versions not required to match under GSI";
8862 }
8863 std::optional<int32_t> tee_feature_version = keymint_feature_value(/* strongbox */ false);
8864 if (tee_feature_version.has_value() && tee_feature_version.value() >= 100) {
8865 // Feature flag advertises the existence of KeyMint; check it is present.
8866 ASSERT_EQ(keymints_.count(SecurityLevel::TRUSTED_ENVIRONMENT), 1);
8867 auto tee = keymints_.find(SecurityLevel::TRUSTED_ENVIRONMENT)->second;
8868 int32_t tee_aidl_version = AidlVersion(tee) * 100;
8869 EXPECT_EQ(tee_aidl_version, tee_feature_version.value());
8870 }
8871
8872 std::optional<int32_t> sb_feature_version = keymint_feature_value(/* strongbox */ true);
8873 if (sb_feature_version.has_value() && sb_feature_version.value() >= 100) {
8874 // Feature flag advertises the existence of KeyMint; check it is present.
8875 ASSERT_EQ(keymints_.count(SecurityLevel::STRONGBOX), 1);
8876 auto sb = keymints_.find(SecurityLevel::STRONGBOX)->second;
8877 int32_t sb_aidl_version = AidlVersion(sb) * 100;
8878 EXPECT_EQ(sb_aidl_version, sb_feature_version.value());
8879 }
8880}
8881
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8882} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8883
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8884using aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase;
8885
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8886int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8887 std::cout << "Testing ";
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8888 auto halInstances = KeyMintAidlTestBase::build_params();
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8889 std::cout << "HAL instances:\n";
8890 for (auto& entry : halInstances) {
8891 std::cout << " " << entry << '\n';
8892 }
8893
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8894 ::testing::InitGoogleTest(&argc, argv);
8895 for (int i = 1; i < argc; ++i) {
8896 if (argv[i][0] == '-') {
8897 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8898 KeyMintAidlTestBase::arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8899 }
8900 if (std::string(argv[i]) == "--dump_attestations") {
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8901 KeyMintAidlTestBase::dump_Attestations = true;
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8902 } else {
8903 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8904 }
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]8905 if (std::string(argv[i]) == "--skip_boot_pl_check") {
8906 // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
8907 // be run in emulated environments that don't have the normal bootloader
8908 // interactions.
8909 aidl::android::hardware::security::keymint::test::check_boot_pl = false;
8910 }
David Drysdale9f5c0c52022-11-03 15:10:16 +0000[diff] [blame]8911 if (std::string(argv[i]) == "--keyblob_dir") {
8912 if (i + 1 >= argc) {
8913 std::cerr << "Missing argument for --keyblob_dir\n";
8914 return 1;
8915 }
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8916 KeyMintAidlTestBase::keyblob_dir = std::string(argv[i + 1]);
David Drysdale9f5c0c52022-11-03 15:10:16 +0000[diff] [blame]8917 ++i;
8918 }
Tommy Chiu025f3c52023-05-15 06:23:44 +0000[diff] [blame]8919 if (std::string(argv[i]) == "--expect_upgrade") {
8920 if (i + 1 >= argc) {
8921 std::cerr << "Missing argument for --expect_upgrade\n";
8922 return 1;
8923 }
8924 std::string arg = argv[i + 1];
David Drysdale77a86d82024-01-03 11:22:56 +0000[diff] [blame]8925 KeyMintAidlTestBase::expect_upgrade =
8926 arg == "yes" ? true
8927 : (arg == "no" ? false : std::optional<bool>(std::nullopt));
8928 if (KeyMintAidlTestBase::expect_upgrade.has_value()) {
8929 std::cout << "expect_upgrade = "
8930 << (KeyMintAidlTestBase::expect_upgrade.value() ? "true" : "false")
8931 << std::endl;
8932 } else {
8933 std::cerr << "Error! Option --expect_upgrade " << arg << " unrecognized"
8934 << std::endl;
8935 }
Tommy Chiu025f3c52023-05-15 06:23:44 +0000[diff] [blame]8936 ++i;
8937 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8938 }
8939 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]8940 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8941}