Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 4bf0cb2c5fc80e6a43644550cd54506fa640fcd9 / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: c534a37367296dd692fe4644cb5c204807c968c7 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
24
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]25#include <openssl/curve25519.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27#include <openssl/evp.h>
28#include <openssl/mem.h>
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]29#include <openssl/x509.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]30#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]31
32#include <cutils/properties.h>
33
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]34#include <android/binder_manager.h>
35
36#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]37#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]38
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]39#include <keymint_support/key_param_output.h>
40#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]41
42#include "KeyMintAidlTestBase.h"
43
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]44using aidl::android::hardware::security::keymint::AuthorizationSet;
45using aidl::android::hardware::security::keymint::KeyCharacteristics;
46using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]48namespace std {
49
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]50using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]51
52template <>
53struct std::equal_to<KeyCharacteristics> {
54 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]55 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]56
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]57 // this isn't very efficient. Oh, well.
58 AuthorizationSet a_auths(a.authorizations);
59 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]60
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]61 a_auths.Sort();
62 b_auths.Sort();
63
64 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]65 }
66};
67
68} // namespace std
69
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]70namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]71
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]72namespace {
73
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]74// Maximum supported Ed25519 message size.
75const size_t MAX_ED25519_MSG_SIZE = 16 * 1024;
76
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]77// Whether to check that BOOT_PATCHLEVEL is populated.
78bool check_boot_pl = true;
79
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]80// The maximum number of times we'll attempt to verify that corruption
David Drysdale4c1f6ac2021-11-25 16:08:29 +0000[diff] [blame]81// of an encrypted blob results in an error. Retries are necessary as there
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]82// is a small (roughly 1/256) chance that corrupting ciphertext still results
83// in valid PKCS7 padding.
84constexpr size_t kMaxPaddingCorruptionRetries = 8;
85
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]86template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]87bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
88 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]89 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]90 if (auto p = authorizationValue(ttag, param)) {
91 return *p == expected_value;
92 }
93 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]94 });
95 return (it != set.end());
96}
97
98template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]99bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]100 auto it = std::find_if(set.begin(), set.end(),
101 [&](const KeyParameter& param) { return param.tag == tag; });
102 return (it != set.end());
103}
104
105constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
108 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
109 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
110 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
111 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
112 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
113 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
114 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
115 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
116 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
117 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
119 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
120 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
121
122string hex2str(string a) {
123 string b;
124 size_t num = a.size() / 2;
125 b.resize(num);
126 for (size_t i = 0; i < num; i++) {
127 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
128 }
129 return b;
130}
131
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]132string rsa_key = hex2str(
133 // RFC 5208 s5
134 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
135 "020100" // INTEGER length 1 value 0x00 (version)
136 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
137 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
138 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
139 "0500" // NULL (parameters)
140 // } end SEQUENCE (AlgorithmIdentifier)
141 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
142 // RFC 8017 A.1.2
143 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
144 "020100" // INTEGER length 1 value 0x00 (version)
145 "028181" // INTEGER length 0x81 value (modulus) ...
146 "00c6095409047d8634812d5a218176e4"
147 "5c41d60a75b13901f234226cffe77652"
148 "1c5a77b9e389417b71c0b6a44d13afe4"
149 "e4a2805d46c9da2935adb1ff0c1f24ea"
150 "06e62b20d776430a4d435157233c6f91"
151 "6783c30e310fcbd89b85c2d567711697"
152 "85ac12bca244abda72bfb19fc44d27c8"
153 "1e1d92de284f4061edfd99280745ea6d"
154 "25"
155 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
156 "028180" // INTEGER length 0x80 (privateExponent) value...
157 "1be0f04d9cae3718691f035338308e91"
158 "564b55899ffb5084d2460e6630257e05"
159 "b3ceab02972dfabcd6ce5f6ee2589eb6"
160 "7911ed0fac16e43a444b8c861e544a05"
161 "93365772f8baf6b22fc9e3c5f1024b06"
162 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
163 "ace7240290bef16c0b3f7f3cdd64ce3a"
164 "b5912cf6e32f39ab188358afcccd8081"
165 "0241" // INTEGER length 0x41 (prime1)
166 "00e4b49ef50f765d3b24dde01aceaaf1"
167 "30f2c76670a91a61ae08af497b4a82be"
168 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
169 "8c92bfab137fba2285227b83c342ff7c"
170 "55"
171 "0241" // INTEGER length 0x41 (prime2)
172 "00ddabb5839c4c7f6bf3d4183231f005"
173 "b31aa58affdda5c79e4cce217f6bc930"
174 "dbe563d480706c24e9ebfcab28a6cdef"
175 "d324b77e1bf7251b709092c24ff501fd"
176 "91"
177 "0240" // INTEGER length 0x40 (exponent1)
178 "23d4340eda3445d8cd26c14411da6fdc"
179 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
180 "842c1d280405bc2f6c1bea214a1d742a"
181 "b996b35b63a82a5e470fa88dbf823cdd"
182 "0240" // INTEGER length 0x40 (exponent2)
183 "1b7b57449ad30d1518249a5f56bb9829"
184 "4d4b6ac12ffc86940497a5a5837a6cf9"
185 "46262b494526d328c11e1126380fde04"
186 "c24f916dec250892db09a6d77cdba351"
187 "0240" // INTEGER length 0x40 (coefficient)
188 "7762cd8f4d050da56bd591adb515d24d"
189 "7ccd32cca0d05f866d583514bd7324d5"
190 "f33645e8ed8b4a1cb3cc4a1d67987399"
191 "f2a09f5b3fb68c88d5e5d90ac33492d6"
192 // } end SEQUENCE (PrivateKey)
193 // } end SEQUENCE (PrivateKeyInfo)
194);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]195
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]196/*
197 * DER-encoded PKCS#8 format RSA key. Generated using:
198 *
199 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
200 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]201string rsa_2048_key = hex2str(
202 // RFC 5208 s5
203 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
204 "020100" // INTEGER length 1 value 0x00 (version)
205 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
206 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
207 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
208 "0500" // NULL (parameters)
209 // } end SEQUENCE (AlgorithmIdentifier)
210 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
211 // RFC 8017 A.1.2
212 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
213 "020100" // INTEGER length 1 value 0x00 (version)
214 "02820101" // INTEGER length 0x101 value (modulus) ...
215 "00BEBC342B56D443B1299F9A6A7056E8"
216 "0A897E318476A5A18029E63B2ED739A6"
217 "1791D339F58DC763D9D14911F2EDEC38"
218 "3DEE11F6319B44510E7A3ECD9B79B973"
219 "82E49500ACF8117DC89CAF0E621F7775"
220 "6554A2FD4664BFE7AB8B59AB48340DBF"
221 "A27B93B5A81F6ECDEB02D0759307128D"
222 "F3E3BAD4055C8B840216DFAA5700670E"
223 "6C5126F0962FCB70FF308F25049164CC"
224 "F76CC2DA66A7DD9A81A714C2809D6918"
225 "6133D29D84568E892B6FFBF3199BDB14"
226 "383EE224407F190358F111A949552ABA"
227 "6714227D1BD7F6B20DD0CB88F9467B71"
228 "9339F33BFF35B3870B3F62204E4286B0"
229 "948EA348B524544B5F9838F29EE643B0"
230 "79EEF8A713B220D7806924CDF7295070"
231 "C5"
232 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
233 "02820100" // INTEGER length 0x100 (privateExponent) value...
234 "69F377F35F2F584EF075353CCD1CA997"
235 "38DB3DBC7C7FF35F9366CE176DFD1B13"
236 "5AB10030344ABF5FBECF1D4659FDEF1C"
237 "0FC430834BE1BE3911951377BB3D563A"
238 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
239 "2686C7B4B3C09A7B8354133E6F93F790"
240 "D59EAEB92E84C9A4339302CCE28FDF04"
241 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
242 "6AB706645BF074A4E4090D06FB163124"
243 "365FD5EE7A20D350E9958CC30D91326E"
244 "1B292E9EF5DB408EC42DAF737D201497"
245 "04D0A678A0FB5B5446863B099228A352"
246 "D604BA8091A164D01D5AB05397C71EAD"
247 "20BE2A08FC528FE442817809C787FEE4"
248 "AB97F97B9130D022153EDC6EB6CBE7B0"
249 "F8E3473F2E901209B5DB10F93604DB01"
250 "028181" // INTEGER length 0x81 (prime1)
251 "00E83C0998214941EA4F9293F1B77E2E"
252 "99E6CF305FAF358238E126124FEAF2EB"
253 "9724B2EA7B78E6032343821A80E55D1D"
254 "88FB12D220C3F41A56142FEC85796D19"
255 "17F1E8C774F142B67D3D6E7B7E6B4383"
256 "E94DB5929089DBB346D5BDAB40CC2D96"
257 "EE0409475E175C63BF78CFD744136740"
258 "838127EA723FF3FE7FA368C1311B4A4E"
259 "05"
260 "028181" // INTEGER length 0x81 (prime2)
261 "00D240FCC0F5D7715CDE21CB2DC86EA1"
262 "46132EA3B06F61FF2AF54BF38473F59D"
263 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
264 "B1B58C39F95E4798CCBB43E83D0119AC"
265 "F532F359CA743C85199F0286610E2009"
266 "97D7312917179AC9B67558773212EC96"
267 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
268 "94D94E066A0900B7B70E82A44FB30053"
269 "C1"
270 "028181" // INTEGER length 0x81 (exponent1)
271 "00AD15DA1CBD6A492B66851BA8C316D3"
272 "8AB700E2CFDDD926A658003513C54BAA"
273 "152B30021D667D20078F500F8AD3E7F3"
274 "945D74A891ED1A28EAD0FEEAEC8C14A8"
275 "E834CF46A13D1378C99D18940823CFDD"
276 "27EC5810D59339E0C34198AC638E09C8"
277 "7CBB1B634A9864AE9F4D5EB2D53514F6"
278 "7B4CAEC048C8AB849A02E397618F3271"
279 "35"
280 "028180" // INTEGER length 0x80 (exponent2)
281 "1FA2C1A5331880A92D8F3E281C617108"
282 "BF38244F16E352E69ED417C7153F9EC3"
283 "18F211839C643DCF8B4DD67CE2AC312E"
284 "95178D5D952F06B1BF779F4916924B70"
285 "F582A23F11304E02A5E7565AE22A35E7"
286 "4FECC8B6FDC93F92A1A37703E4CF0E63"
287 "783BD02EB716A7ECBBFA606B10B74D01"
288 "579522E7EF84D91FC522292108D902C1"
289 "028180" // INTEGER length 0x80 (coefficient)
290 "796FE3825F9DCC85DF22D58690065D93"
291 "898ACD65C087BEA8DA3A63BF4549B795"
292 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
293 "0D74F40DED8E1102C52152A31B6165F8"
294 "3A6722AECFCC35A493D7634664B888A0"
295 "8D3EB034F12EA28BFEE346E205D33482"
296 "7F778B16ED40872BD29FCB36536B6E93"
297 "FFB06778696B4A9D81BB0A9423E63DE5"
298 // } end SEQUENCE (PrivateKey)
299 // } end SEQUENCE (PrivateKeyInfo)
300);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]301
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]302string ec_256_key = hex2str(
303 // RFC 5208 s5
304 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
305 "020100" // INTEGER length 1 value 0 (version)
306 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
307 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
308 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
309 "0608" // OBJECT IDENTIFIER length 8 (param)
310 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
311 // } end SEQUENCE (AlgorithmIdentifier)
312 "046d" // OCTET STRING length 0x6d (privateKey) holding...
313 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
314 "020101" // INTEGER length 1 value 1 (version)
315 "0420" // OCTET STRING length 0x20 (privateKey)
316 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
317 "941eed09366bc03299986481f3a4d859"
318 "a144" // TAG [1] len 0x44 (publicKey) {
319 "03420004bf85d7720d07c25461683bc6"
320 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
321 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
322 "bcc41c6eb00083cf3376d11fd44949e0"
323 "b2183bfe"
324 // } end SEQUENCE (ECPrivateKey)
325 // } end SEQUENCE (PrivateKeyInfo)
326);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]327
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]328string ec_521_key = hex2str(
329 // RFC 5208 s5
330 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
331 "020100" // INTEGER length 1 value 0 (version)
332 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
333 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
334 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
335 "0605" // OBJECT IDENTIFIER length 5 (param)
336 "2B81040023" // 1.3.132.0.35 (secp521r1)
337 // } end SEQUENCE (AlgorithmIdentifier)
338 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
339 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
340 "020101" // INTEGER length 1 value 1 (version)
341 "0442" // OCTET STRING length 0x42 (privateKey)
342 "0011458C586DB5DAA92AFAB03F4FE46A"
343 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
344 "9D18D7D08B5BCFA0E53C75B064AD51C4"
345 "49BAE0258D54B94B1E885DED08ED4FB2"
346 "5CE9"
347 "A18189" // TAG [1] len 0x89 (publicKey) {
348 "03818600040149EC11C6DF0FA122C6A9"
349 "AFD9754A4FA9513A627CA329E349535A"
350 "5629875A8ADFBE27DCB932C051986377"
351 "108D054C28C6F39B6F2C9AF81802F9F3"
352 "26B842FF2E5F3C00AB7635CFB36157FC"
353 "0882D574A10D839C1A0C049DC5E0D775"
354 "E2EE50671A208431BB45E78E70BEFE93"
355 "0DB34818EE4D5C26259F5C6B8E28A652"
356 "950F9F88D7B4B2C9D9"
357 // } end SEQUENCE (ECPrivateKey)
358 // } end SEQUENCE (PrivateKeyInfo)
359);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]360
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]361string ec_256_key_rfc5915 = hex2str(
362 // RFC 5208 s5
363 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
364 "020100" // INTEGER length 1 value 0 (version)
365 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
366 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
367 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
368 "0608" // OBJECT IDENTIFIER length 8 (param)
369 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
370 // } end SEQUENCE (AlgorithmIdentifier)
371 "0479" // OCTET STRING length 0x79 (privateKey) holding...
372 // RFC 5915 s3
373 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
374 "020101" // INTEGER length 1 value 1 (version)
375 "0420" // OCTET STRING length 0x42 (privateKey)
376 "782370a8c8ce5537baadd04dcff079c8"
377 "158cfa9c67b818b38e8d21c9fa750c1d"
378 "a00a" // TAG [0] length 0xa (parameters)
379 "0608" // OBJECT IDENTIFIER length 8
380 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
381 // } end TAG [0]
382 "a144" // TAG [1] length 0x44 (publicKey) {
383 "0342" // BIT STRING length 0x42
384 "00" // no pad bits
385 "04e2cc561ee701da0ad0ef0d176bb0c9"
386 "19d42e79c393fdc1bd6c4010d85cf2cf"
387 "8e68c905464666f98dad4f01573ba810"
388 "78b3428570a439ba3229fbc026c55068"
389 "2f"
390 // } end SEQUENCE (ECPrivateKey)
391 // } end SEQUENCE (PrivateKeyInfo)
392);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]393
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]394string ec_256_key_sec1 = hex2str(
395 // RFC 5208 s5
396 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
397 "020100" // INTEGER length 1 value 0 (version)
398 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
399 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
400 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
401 "0608" // OBJECT IDENTIFIER length 8 (param)
402 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
403 // } end SEQUENCE (AlgorithmIdentifier)
404 "046d" // OCTET STRING length 0x6d (privateKey) holding...
405 // SEC1-v2 C.4
406 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
407 "020101" // INTEGER length 1 value 0x01 (version)
408 "0420" // OCTET STRING length 0x20 (privateKey)
409 "782370a8c8ce5537baadd04dcff079c8"
410 "158cfa9c67b818b38e8d21c9fa750c1d"
411 "a144" // TAG [1] length 0x44 (publicKey) {
412 "0342" // BIT STRING length 0x42
413 "00" // no pad bits
414 "04e2cc561ee701da0ad0ef0d176bb0c9"
415 "19d42e79c393fdc1bd6c4010d85cf2cf"
416 "8e68c905464666f98dad4f01573ba810"
417 "78b3428570a439ba3229fbc026c55068"
418 "2f"
419 // } end TAG [1] (publicKey)
420 // } end SEQUENCE (PrivateKeyInfo)
421);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]422
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]423/**
424 * Ed25519 key pair generated as follows:
425 * ```
426 * % openssl req -x509 -newkey ED25519 -days 700 -nodes \
427 * -keyout ed25519_priv.key -out ed25519.pem * -subj "/CN=fake.ed25519.com"
428 * Generating a ED25519 private key writing new private key to
429 * 'ed25519_priv.key'
430 * -----
431 * % cat ed25519_priv.key
432 * -----BEGIN PRIVATE KEY-----
433 * MC4CAQAwBQYDK2VwBCIEIKl3A5quNywcj1P+0XI9SBalFPIvO52NxceMLRH6dVmR
434 * -----END PRIVATE KEY-----
435 * % der2ascii -pem -i ed25519_priv.key
436 * SEQUENCE {
437 * INTEGER { 0 }
438 * SEQUENCE {
439 * # ed25519
440 * OBJECT_IDENTIFIER { 1.3.101.112 }
441 * }
442 * OCTET_STRING {
443 * OCTET_STRING { `a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991` }
444 * }
445 * }
446 * % cat ed25519.pem
447 * -----BEGIN CERTIFICATE-----
448 * MIIBSjCB/aADAgECAhR0Jron3eKcdgqyecv/eEfGWAzn8DAFBgMrZXAwGzEZMBcG
449 * A1UEAwwQZmFrZS5lZDI1NTE5LmNvbTAeFw0yMTEwMjAwODI3NDJaFw0yMzA5MjAw
450 * ODI3NDJaMBsxGTAXBgNVBAMMEGZha2UuZWQyNTUxOS5jb20wKjAFBgMrZXADIQDv
451 * uwHz+3TaQ69D2digxlz0fFfsZg0rPqgQae3jBPRWkaNTMFEwHQYDVR0OBBYEFN9O
452 * od30SY4JTs66ZR403UPya+iXMB8GA1UdIwQYMBaAFN9Ood30SY4JTs66ZR403UPy
453 * a+iXMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAKjVrYQjuE/gEL2j/ABpDbFjV
454 * Ilg5tJ6MN/P3psAv3Cs7f0X1lFqdlt15nJ/6aj2cmGCwNRXt5wcyYDKNu+v2Dw==
455 * -----END CERTIFICATE-----
456 * % openssl x509 -in ed25519.pem -text -noout
457 * Certificate:
458 * Data:
459 * Version: 3 (0x2)
460 * Serial Number:
461 * 74:26:ba:27:dd:e2:9c:76:0a:b2:79:cb:ff:78:47:c6:58:0c:e7:f0
462 * Signature Algorithm: ED25519
463 * Issuer: CN = fake.ed25519.com
464 * Validity
465 * Not Before: Oct 20 08:27:42 2021 GMT
466 * Not After : Sep 20 08:27:42 2023 GMT
467 * Subject: CN = fake.ed25519.com
468 * Subject Public Key Info:
469 * Public Key Algorithm: ED25519
470 * ED25519 Public-Key:
471 * pub:
472 * ef:bb:01:f3:fb:74:da:43:af:43:d9:d8:a0:c6:5c:
473 * f4:7c:57:ec:66:0d:2b:3e:a8:10:69:ed:e3:04:f4:
474 * 56:91
475 * X509v3 extensions:
476 * X509v3 Subject Key Identifier:
477 * DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
478 * X509v3 Authority Key Identifier:
479 * keyid:DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
480 *
481 * X509v3 Basic Constraints: critical
482 * CA:TRUE
483 * Signature Algorithm: ED25519
484 * 2a:35:6b:61:08:ee:13:f8:04:2f:68:ff:00:1a:43:6c:58:d5:
485 * 22:58:39:b4:9e:8c:37:f3:f7:a6:c0:2f:dc:2b:3b:7f:45:f5:
486 * 94:5a:9d:96:dd:79:9c:9f:fa:6a:3d:9c:98:60:b0:35:15:ed:
487 * e7:07:32:60:32:8d:bb:eb:f6:0f
488 * ```
489 */
490string ed25519_key = hex2str("a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991");
491string ed25519_pkcs8_key = hex2str(
492 // RFC 5208 s5
493 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
494 "0201" // INTEGER length 1 (Version)
495 "00" // version 0
496 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
497 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
498 "2b6570" // 1.3.101.112 (id-Ed125519 RFC 8410 s3)
499 // } end SEQUENCE (AlgorithmIdentifier)
500 "0422" // OCTET STRING length 0x22 (PrivateKey)
501 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
502 "a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991"
503 // } end SEQUENCE (PrivateKeyInfo)
504);
505string ed25519_pubkey = hex2str("efbb01f3fb74da43af43d9d8a0c65cf47c57ec660d2b3ea81069ede304f45691");
506
507/**
508 * X25519 key pair generated as follows:
509 * ```
510 * % openssl genpkey -algorithm X25519 > x25519_priv.key
511 * % cat x25519_priv.key
512 * -----BEGIN PRIVATE KEY-----
513 * MC4CAQAwBQYDK2VuBCIEIGgPwF3NLwQx/Sfwr2nfJvXitwlDNh3Skzh+TISN/y1C
514 * -----END PRIVATE KEY-----
515 * % der2ascii -pem -i x25519_priv.key
516 * SEQUENCE {
517 * INTEGER { 0 }
518 * SEQUENCE {
519 * # x25519
520 * OBJECT_IDENTIFIER { 1.3.101.110 }
521 * }
522 * OCTET_STRING {
523 * OCTET_STRING { `680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42` }
524 * }
525 * }
526 * ```
527 */
528
529string x25519_key = hex2str("680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
530string x25519_pkcs8_key = hex2str(
531 // RFC 5208 s5
532 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
533 "0201" // INTEGER length 1 (Version)
534 "00" // version 0
535 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
536 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
537 "2b656e" // 1.3.101.110 (id-X125519 RFC 8410 s3)
538 "0422" // OCTET STRING length 0x22 (PrivateKey)
539 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
540 "680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
541string x25519_pubkey = hex2str("be46925a857f17831d6d454b9d3d36a4a30166edf80eb82b684661c3e258f768");
542
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]543struct RSA_Delete {
544 void operator()(RSA* p) { RSA_free(p); }
545};
546
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]547std::string make_string(const uint8_t* data, size_t length) {
548 return std::string(reinterpret_cast<const char*>(data), length);
549}
550
551template <size_t N>
552std::string make_string(const uint8_t (&a)[N]) {
553 return make_string(a, N);
554}
555
556class AidlBuf : public vector<uint8_t> {
557 typedef vector<uint8_t> super;
558
559 public:
560 AidlBuf() {}
561 AidlBuf(const super& other) : super(other) {}
562 AidlBuf(super&& other) : super(std::move(other)) {}
563 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
564
565 AidlBuf& operator=(const super& other) {
566 super::operator=(other);
567 return *this;
568 }
569
570 AidlBuf& operator=(super&& other) {
571 super::operator=(std::move(other));
572 return *this;
573 }
574
575 AidlBuf& operator=(const string& other) {
576 resize(other.size());
577 for (size_t i = 0; i < other.size(); ++i) {
578 (*this)[i] = static_cast<uint8_t>(other[i]);
579 }
580 return *this;
581 }
582
583 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
584};
585
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]586string device_suffix(const string& name) {
587 size_t pos = name.find('/');
588 if (pos == string::npos) {
589 return name;
590 }
591 return name.substr(pos + 1);
592}
593
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]594std::shared_ptr<IRemotelyProvisionedComponent> matching_rp_instance(const std::string& km_name) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]595 string km_suffix = device_suffix(km_name);
596
597 vector<string> rp_names =
598 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
599 for (const string& rp_name : rp_names) {
600 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
601 // KeyMint instance, assume they match.
602 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
603 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]604 return IRemotelyProvisionedComponent::fromBinder(binder);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]605 }
606 }
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]607 return nullptr;
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]608}
609
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]610} // namespace
611
612class NewKeyGenerationTest : public KeyMintAidlTestBase {
613 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]614 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]615 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]616 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]617
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]618 // Check that some unexpected tags/values are NOT present.
619 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
620 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]621 }
622
623 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]624 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]625 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
626 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
627
628 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]629 }
630
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]631 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics,
632 const KeyOrigin expectedKeyOrigin) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]633 // TODO(swillden): Distinguish which params should be in which auth list.
634 AuthorizationSet auths;
635 for (auto& entry : keyCharacteristics) {
636 auths.push_back(AuthorizationSet(entry.authorizations));
637 }
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]638 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, expectedKeyOrigin));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]639
640 // Verify that App data, ROT and auth timeout are NOT included.
641 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
642 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]643 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
644
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]645 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
646 // never adds it.
647 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
648
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]649 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]650 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]651 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]652 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]653 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]654 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]655 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]656
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]657 // Should include vendor patchlevel.
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]658 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
659 EXPECT_TRUE(vendor_pl);
660 EXPECT_EQ(*vendor_pl, vendor_patch_level());
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]661
662 // Should include boot patchlevel (but there are some test scenarios where this is not
663 // possible).
664 if (check_boot_pl) {
665 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
666 EXPECT_TRUE(boot_pl);
667 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]668
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]669 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]670 }
671};
672
673/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]674 * NewKeyGenerationTest.Aes
675 *
676 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
677 * have correct characteristics.
678 */
679TEST_P(NewKeyGenerationTest, Aes) {
680 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
681 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
682 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
683 SCOPED_TRACE(testing::Message()
684 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
685 vector<uint8_t> key_blob;
686 vector<KeyCharacteristics> key_characteristics;
687 auto builder = AuthorizationSetBuilder()
688 .AesEncryptionKey(key_size)
689 .BlockMode(block_mode)
690 .Padding(padding_mode)
691 .SetDefaultValidity();
692 if (block_mode == BlockMode::GCM) {
693 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
694 }
695 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]696 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]697
698 EXPECT_GT(key_blob.size(), 0U);
699 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]700 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]701
702 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
703
704 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
705 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
706 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]707 }
708 }
709 }
710}
711
712/*
713 * NewKeyGenerationTest.AesInvalidSize
714 *
715 * Verifies that specifying an invalid key size for AES key generation returns
716 * UNSUPPORTED_KEY_SIZE.
717 */
718TEST_P(NewKeyGenerationTest, AesInvalidSize) {
719 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
720 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
721 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
722 SCOPED_TRACE(testing::Message()
723 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
724 vector<uint8_t> key_blob;
725 vector<KeyCharacteristics> key_characteristics;
726 auto builder = AuthorizationSetBuilder()
727 .AesEncryptionKey(key_size)
728 .BlockMode(block_mode)
729 .Padding(padding_mode)
730 .SetDefaultValidity();
731 if (block_mode == BlockMode::GCM) {
732 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
733 }
734 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
735 GenerateKey(builder, &key_blob, &key_characteristics));
736 }
737 }
738 }
739
740 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
741 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]742 SCOPED_TRACE(testing::Message() << "AES-unknown-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]743 vector<uint8_t> key_blob;
744 vector<KeyCharacteristics> key_characteristics;
745 // No key size specified
746 auto builder = AuthorizationSetBuilder()
747 .Authorization(TAG_ALGORITHM, Algorithm::AES)
748 .BlockMode(block_mode)
749 .Padding(padding_mode)
750 .SetDefaultValidity();
751 if (block_mode == BlockMode::GCM) {
752 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
753 }
754 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
755 GenerateKey(builder, &key_blob, &key_characteristics));
756 }
757 }
758}
759
760/*
761 * NewKeyGenerationTest.AesInvalidPadding
762 *
763 * Verifies that specifying an invalid padding on AES keys gives a failure
764 * somewhere along the way.
765 */
766TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
767 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
768 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
769 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
770 SCOPED_TRACE(testing::Message()
771 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]772 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]773 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]774 .AesEncryptionKey(key_size)
775 .BlockMode(block_mode)
776 .Padding(padding_mode)
777 .SetDefaultValidity();
778 if (block_mode == BlockMode::GCM) {
779 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
780 }
781
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]782 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]783 if (result == ErrorCode::OK) {
784 // Key creation was OK but has generated a key that cannot be used.
785 auto params =
786 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]787 if (block_mode == BlockMode::GCM) {
788 params.Authorization(TAG_MAC_LENGTH, 128);
789 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]790 auto result = Begin(KeyPurpose::ENCRYPT, params);
791 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]792 result == ErrorCode::INVALID_KEY_BLOB)
793 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]794 } else {
795 // The KeyMint implementation detected that the generated key
796 // is unusable.
797 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
798 }
799 }
800 }
801 }
802}
803
804/*
805 * NewKeyGenerationTest.AesGcmMissingMinMac
806 *
807 * Verifies that specifying an invalid key size for AES key generation returns
808 * UNSUPPORTED_KEY_SIZE.
809 */
810TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
811 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
812 BlockMode block_mode = BlockMode::GCM;
813 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
814 SCOPED_TRACE(testing::Message()
815 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
816 vector<uint8_t> key_blob;
817 vector<KeyCharacteristics> key_characteristics;
818 // No MIN_MAC_LENGTH provided.
819 auto builder = AuthorizationSetBuilder()
820 .AesEncryptionKey(key_size)
821 .BlockMode(block_mode)
822 .Padding(padding_mode)
823 .SetDefaultValidity();
824 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
825 GenerateKey(builder, &key_blob, &key_characteristics));
826 }
827 }
828}
829
830/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]831 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
832 *
833 * Verifies that specifying an invalid min MAC size for AES key generation returns
834 * UNSUPPORTED_MIN_MAC_LENGTH.
835 */
836TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
837 for (size_t min_mac_len : {88, 136}) {
838 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
839 BlockMode block_mode = BlockMode::GCM;
840 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
841 SCOPED_TRACE(testing::Message()
842 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
843 vector<uint8_t> key_blob;
844 vector<KeyCharacteristics> key_characteristics;
845 auto builder = AuthorizationSetBuilder()
846 .AesEncryptionKey(key_size)
847 .BlockMode(block_mode)
848 .Padding(padding_mode)
849 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
850 .SetDefaultValidity();
851 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
852 GenerateKey(builder, &key_blob, &key_characteristics));
853 }
854 }
855 }
856}
857
858/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]859 * NewKeyGenerationTest.TripleDes
860 *
861 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
862 * have correct characteristics.
863 */
864TEST_P(NewKeyGenerationTest, TripleDes) {
865 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
866 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
867 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
868 SCOPED_TRACE(testing::Message()
869 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
870 vector<uint8_t> key_blob;
871 vector<KeyCharacteristics> key_characteristics;
872 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
873 .TripleDesEncryptionKey(key_size)
874 .BlockMode(block_mode)
875 .Padding(padding_mode)
876 .Authorization(TAG_NO_AUTH_REQUIRED)
877 .SetDefaultValidity(),
878 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]879 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]880
881 EXPECT_GT(key_blob.size(), 0U);
882 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]883 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]884
885 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
886
887 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
888 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
889 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]890 }
891 }
892 }
893}
894
895/*
896 * NewKeyGenerationTest.TripleDesWithAttestation
897 *
898 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
899 * have correct characteristics.
900 *
901 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
902 * put in a certificate) but which isn't an error.
903 */
904TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
905 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
906 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
907 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
908 SCOPED_TRACE(testing::Message()
909 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
910
911 auto challenge = "hello";
912 auto app_id = "foo";
913
914 vector<uint8_t> key_blob;
915 vector<KeyCharacteristics> key_characteristics;
916 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
917 .TripleDesEncryptionKey(key_size)
918 .BlockMode(block_mode)
919 .Padding(padding_mode)
920 .Authorization(TAG_NO_AUTH_REQUIRED)
921 .AttestationChallenge(challenge)
922 .AttestationApplicationId(app_id)
923 .SetDefaultValidity(),
924 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]925 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]926
927 EXPECT_GT(key_blob.size(), 0U);
928 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]929 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]930
931 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
932
933 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
934 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
935 << "Key size " << key_size << "missing";
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]936 }
937 }
938 }
939}
940
941/*
942 * NewKeyGenerationTest.TripleDesInvalidSize
943 *
944 * Verifies that specifying an invalid key size for 3-DES key generation returns
945 * UNSUPPORTED_KEY_SIZE.
946 */
947TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
948 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
949 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
950 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
951 SCOPED_TRACE(testing::Message()
952 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
953 vector<uint8_t> key_blob;
954 vector<KeyCharacteristics> key_characteristics;
955 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
956 GenerateKey(AuthorizationSetBuilder()
957 .TripleDesEncryptionKey(key_size)
958 .BlockMode(block_mode)
959 .Padding(padding_mode)
960 .Authorization(TAG_NO_AUTH_REQUIRED)
961 .SetDefaultValidity(),
962 &key_blob, &key_characteristics));
963 }
964 }
965 }
966
967 // Omitting the key size fails.
968 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
969 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
970 SCOPED_TRACE(testing::Message()
971 << "3DES-default-" << block_mode << "-" << padding_mode);
972 vector<uint8_t> key_blob;
973 vector<KeyCharacteristics> key_characteristics;
974 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
975 GenerateKey(AuthorizationSetBuilder()
976 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
977 .BlockMode(block_mode)
978 .Padding(padding_mode)
979 .Authorization(TAG_NO_AUTH_REQUIRED)
980 .SetDefaultValidity(),
981 &key_blob, &key_characteristics));
982 }
983 }
984}
985
986/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]987 * NewKeyGenerationTest.Rsa
988 *
989 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
990 * have correct characteristics.
991 */
992TEST_P(NewKeyGenerationTest, Rsa) {
993 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]994 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]995 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]996 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]997 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
998 .RsaSigningKey(key_size, 65537)
999 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1000 .Padding(PaddingMode::NONE)
1001 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1002 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1003 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1004
1005 ASSERT_GT(key_blob.size(), 0U);
1006 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1007 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1008
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1009 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1010
1011 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1012 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1013 << "Key size " << key_size << "missing";
1014 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1015 }
1016}
1017
1018/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1019 * NewKeyGenerationTest.RsaWithMissingValidity
1020 *
1021 * Verifies that keymint returns an error while generating asymmetric key
1022 * without providing NOT_BEFORE and NOT_AFTER parameters.
1023 */
1024TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1025 if (AidlVersion() < 3) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1026 /*
1027 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1028 * specified for asymmetric key generation. However, this was not
1029 * checked at the time so we can only be strict about checking this for
1030 * implementations of KeyMint version 2 and above.
1031 */
1032 GTEST_SKIP() << "Validity strict since KeyMint v2";
1033 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1034 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1035 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1036 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1037
1038 vector<uint8_t> key_blob;
1039 vector<KeyCharacteristics> key_characteristics;
1040 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1041 GenerateKey(AuthorizationSetBuilder()
1042 .RsaSigningKey(2048, 65537)
1043 .Digest(Digest::NONE)
1044 .Padding(PaddingMode::NONE)
1045 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1046 kUndefinedExpirationDateTime),
1047 &key_blob, &key_characteristics));
1048
1049 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1050 GenerateKey(AuthorizationSetBuilder()
1051 .RsaSigningKey(2048, 65537)
1052 .Digest(Digest::NONE)
1053 .Padding(PaddingMode::NONE)
1054 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1055 &key_blob, &key_characteristics));
1056}
1057
1058/*
David Drysdalead785f52023-03-27 19:53:01 +0100[diff] [blame]1059 * NewKeyGenerationTest.RsaWithSpecifiedValidity
1060 *
1061 * Verifies that KeyMint respects specified NOT_BEFORE and NOT_AFTER certificate dates.
1062 */
1063TEST_P(NewKeyGenerationTest, RsaWithSpecifiedValidity) {
1064 vector<uint8_t> key_blob;
1065 vector<KeyCharacteristics> key_characteristics;
1066 ASSERT_EQ(ErrorCode::OK,
1067 GenerateKey(AuthorizationSetBuilder()
1068 .RsaSigningKey(2048, 65537)
1069 .Digest(Digest::NONE)
1070 .Padding(PaddingMode::NONE)
1071 .Authorization(TAG_CERTIFICATE_NOT_BEFORE,
1072 1183806000000 /* 2007-07-07T11:00:00Z */)
1073 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1074 1916049600000 /* 2030-09-19T12:00:00Z */),
1075 &key_blob, &key_characteristics));
1076 ASSERT_GT(cert_chain_.size(), 0);
1077
1078 X509_Ptr cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1079 ASSERT_TRUE(!!cert.get());
1080
1081 const ASN1_TIME* not_before = X509_get0_notBefore(cert.get());
1082 ASSERT_NE(not_before, nullptr);
1083 time_t not_before_time;
1084 ASSERT_EQ(ASN1_TIME_to_time_t(not_before, &not_before_time), 1);
1085 EXPECT_EQ(not_before_time, 1183806000);
1086
1087 const ASN1_TIME* not_after = X509_get0_notAfter(cert.get());
1088 ASSERT_NE(not_after, nullptr);
1089 time_t not_after_time;
1090 ASSERT_EQ(ASN1_TIME_to_time_t(not_after, &not_after_time), 1);
1091 EXPECT_EQ(not_after_time, 1916049600);
1092}
1093
1094/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1095 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1096 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1097 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
1098 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1099 */
1100TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1101 auto challenge = "hello";
1102 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1103
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1104 auto subject = "cert subj 2";
1105 vector<uint8_t> subject_der(make_name_from_str(subject));
1106
1107 uint64_t serial_int = 66;
1108 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1109
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1110 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1111 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1112 vector<uint8_t> key_blob;
1113 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1114 auto builder = AuthorizationSetBuilder()
1115 .RsaSigningKey(key_size, 65537)
1116 .Digest(Digest::NONE)
1117 .Padding(PaddingMode::NONE)
1118 .AttestationChallenge(challenge)
1119 .AttestationApplicationId(app_id)
1120 .Authorization(TAG_NO_AUTH_REQUIRED)
1121 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1122 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1123 .SetDefaultValidity();
1124
1125 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1126 // Strongbox may not support factory provisioned attestation key.
1127 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1128 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1129 result = GenerateKeyWithSelfSignedAttestKey(
1130 AuthorizationSetBuilder()
1131 .RsaKey(key_size, 65537)
1132 .AttestKey()
1133 .SetDefaultValidity(), /* attest key params */
1134 builder, &key_blob, &key_characteristics);
1135 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1136 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1137 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1138 KeyBlobDeleter deleter(keymint_, key_blob);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1139 ASSERT_GT(key_blob.size(), 0U);
1140 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1141 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1142
1143 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1144
1145 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1146 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1147 << "Key size " << key_size << "missing";
1148 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1149
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1150 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1151 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1152 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1153
1154 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1155 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1156 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1157 sw_enforced, hw_enforced, SecLevel(),
1158 cert_chain_[0].encodedCertificate));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1159 }
1160}
1161
1162/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1163 * NewKeyGenerationTest.RsaWithRkpAttestation
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1164 *
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1165 * Verifies that keymint can generate all required RSA key sizes using an attestation key
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1166 * that has been generated using an associate IRemotelyProvisionedComponent.
1167 */
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1168TEST_P(NewKeyGenerationTest, RsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1169 if (!IsRkpSupportRequired()) {
1170 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1171 }
1172
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1173 // Check for an IRemotelyProvisionedComponent instance associated with the
1174 // KeyMint instance.
1175 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1176 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1177 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1178 }
1179 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1180 << GetParam();
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1181
1182 // Generate a P-256 keypair to use as an attestation key.
1183 MacedPublicKey macedPubKey;
1184 std::vector<uint8_t> privateKeyBlob;
1185 auto status =
1186 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1187 ASSERT_TRUE(status.isOk());
1188 vector<uint8_t> coseKeyData;
1189 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1190
1191 AttestationKey attestation_key;
1192 attestation_key.keyBlob = std::move(privateKeyBlob);
1193 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1194
1195 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1196 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1197 auto challenge = "hello";
1198 auto app_id = "foo";
1199
1200 vector<uint8_t> key_blob;
1201 vector<KeyCharacteristics> key_characteristics;
1202 ASSERT_EQ(ErrorCode::OK,
1203 GenerateKey(AuthorizationSetBuilder()
1204 .RsaSigningKey(key_size, 65537)
1205 .Digest(Digest::NONE)
1206 .Padding(PaddingMode::NONE)
1207 .AttestationChallenge(challenge)
1208 .AttestationApplicationId(app_id)
1209 .Authorization(TAG_NO_AUTH_REQUIRED)
1210 .SetDefaultValidity(),
1211 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1212 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1213
1214 ASSERT_GT(key_blob.size(), 0U);
1215 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1216 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1217
1218 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1219
1220 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1221 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1222 << "Key size " << key_size << "missing";
1223 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1224
1225 // Attestation by itself is not valid (last entry is not self-signed).
1226 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1227
1228 // The signature over the attested key should correspond to the P256 public key.
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1229 ASSERT_GT(cert_chain_.size(), 0);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1230 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1231 ASSERT_TRUE(key_cert.get());
1232 EVP_PKEY_Ptr signing_pubkey;
1233 p256_pub_key(coseKeyData, &signing_pubkey);
1234 ASSERT_TRUE(signing_pubkey.get());
1235
1236 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1237 << "Verification of attested certificate failed "
1238 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1239 }
1240}
1241
1242/*
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1243 * NewKeyGenerationTest.EcdsaWithRkpAttestation
1244 *
1245 * Verifies that keymint can generate all required ECDSA key sizes using an attestation key
1246 * that has been generated using an associate IRemotelyProvisionedComponent.
1247 */
1248TEST_P(NewKeyGenerationTest, EcdsaWithRkpAttestation) {
Seth Moorea12ac742023-03-03 13:40:30 -0800[diff] [blame]1249 if (!IsRkpSupportRequired()) {
1250 GTEST_SKIP() << "RKP support is not required on this platform";
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1251 }
1252
Seth Moore5a0320f2023-03-24 12:29:08 -0700[diff] [blame]1253 // Check for an IRemotelyProvisionedComponent instance associated with the
1254 // KeyMint instance.
1255 std::shared_ptr<IRemotelyProvisionedComponent> rp = matching_rp_instance(GetParam());
1256 if (rp == nullptr && SecLevel() == SecurityLevel::STRONGBOX) {
1257 GTEST_SKIP() << "Encountered StrongBox implementation that does not support RKP";
1258 }
1259 ASSERT_NE(rp, nullptr) << "No IRemotelyProvisionedComponent found that matches KeyMint device "
1260 << GetParam();
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1261
1262 // Generate a P-256 keypair to use as an attestation key.
1263 MacedPublicKey macedPubKey;
1264 std::vector<uint8_t> privateKeyBlob;
1265 auto status =
1266 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1267 ASSERT_TRUE(status.isOk());
1268 vector<uint8_t> coseKeyData;
1269 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1270
1271 AttestationKey attestation_key;
1272 attestation_key.keyBlob = std::move(privateKeyBlob);
1273 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1274
1275 for (auto curve : ValidCurves()) {
1276 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
1277 auto challenge = "hello";
1278 auto app_id = "foo";
1279
1280 vector<uint8_t> key_blob;
1281 vector<KeyCharacteristics> key_characteristics;
1282 ASSERT_EQ(ErrorCode::OK,
1283 GenerateKey(AuthorizationSetBuilder()
1284 .EcdsaSigningKey(curve)
1285 .Digest(Digest::NONE)
1286 .AttestationChallenge(challenge)
1287 .AttestationApplicationId(app_id)
1288 .Authorization(TAG_NO_AUTH_REQUIRED)
1289 .SetDefaultValidity(),
1290 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1291 KeyBlobDeleter deleter(keymint_, key_blob);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1292
1293 ASSERT_GT(key_blob.size(), 0U);
1294 CheckBaseParams(key_characteristics);
1295 CheckCharacteristics(key_blob, key_characteristics);
1296
1297 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1298
1299 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1300 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1301
1302 // Attestation by itself is not valid (last entry is not self-signed).
1303 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1304
1305 // The signature over the attested key should correspond to the P256 public key.
1306 ASSERT_GT(cert_chain_.size(), 0);
1307 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1308 ASSERT_TRUE(key_cert.get());
1309 EVP_PKEY_Ptr signing_pubkey;
1310 p256_pub_key(coseKeyData, &signing_pubkey);
1311 ASSERT_TRUE(signing_pubkey.get());
1312
1313 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1314 << "Verification of attested certificate failed "
1315 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
Seth Moore7dc1fda2022-12-12 16:56:20 -0800[diff] [blame]1316 }
1317}
1318
1319/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1320 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1321 *
1322 * Verifies that keymint attestation for RSA encryption keys with challenge and
1323 * app id is also successful.
1324 */
1325TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1326 auto key_size = 2048;
1327 auto challenge = "hello";
1328 auto app_id = "foo";
1329
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1330 auto subject = "subj 2";
1331 vector<uint8_t> subject_der(make_name_from_str(subject));
1332
1333 uint64_t serial_int = 111166;
1334 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1335
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1336 vector<uint8_t> key_blob;
1337 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1338 auto builder = AuthorizationSetBuilder()
1339 .RsaEncryptionKey(key_size, 65537)
1340 .Padding(PaddingMode::NONE)
1341 .AttestationChallenge(challenge)
1342 .AttestationApplicationId(app_id)
1343 .Authorization(TAG_NO_AUTH_REQUIRED)
1344 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1345 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1346 .SetDefaultValidity();
1347
1348 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1349 // Strongbox may not support factory provisioned attestation key.
1350 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1351 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1352 result = GenerateKeyWithSelfSignedAttestKey(
1353 AuthorizationSetBuilder()
1354 .RsaKey(key_size, 65537)
1355 .AttestKey()
1356 .SetDefaultValidity(), /* attest key params */
1357 builder, &key_blob, &key_characteristics);
1358 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1359 }
1360 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1361 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1362
1363 ASSERT_GT(key_blob.size(), 0U);
1364 AuthorizationSet auths;
1365 for (auto& entry : key_characteristics) {
1366 auths.push_back(AuthorizationSet(entry.authorizations));
1367 }
1368
1369 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1370 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1371
1372 // Verify that App data and ROT are NOT included.
1373 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1374 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1375
1376 // Check that some unexpected tags/values are NOT present.
1377 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1378 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1379
1380 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1381
1382 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1383 ASSERT_TRUE(os_ver);
1384 EXPECT_EQ(*os_ver, os_version());
1385
1386 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1387
1388 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1389 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1390 << "Key size " << key_size << "missing";
1391 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1392
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1393 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1394 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1395 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1396
1397 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1398 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1399 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1400 sw_enforced, hw_enforced, SecLevel(),
1401 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1402}
1403
1404/*
1405 * NewKeyGenerationTest.RsaWithSelfSign
1406 *
1407 * Verifies that attesting to RSA key generation is successful, and returns
1408 * self signed certificate if no challenge is provided. And signing etc
1409 * works as expected.
1410 */
1411TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1412 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1413 vector<uint8_t> subject_der(make_name_from_str(subject));
1414
1415 uint64_t serial_int = 0;
1416 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1417
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1418 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1419 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1420 vector<uint8_t> key_blob;
1421 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1422 ASSERT_EQ(ErrorCode::OK,
1423 GenerateKey(AuthorizationSetBuilder()
1424 .RsaSigningKey(key_size, 65537)
1425 .Digest(Digest::NONE)
1426 .Padding(PaddingMode::NONE)
1427 .Authorization(TAG_NO_AUTH_REQUIRED)
1428 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1429 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1430 .SetDefaultValidity(),
1431 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1432 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1433
1434 ASSERT_GT(key_blob.size(), 0U);
1435 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1436 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1437
1438 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1439
1440 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1441 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1442 << "Key size " << key_size << "missing";
1443 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1444
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1445 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1446 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1447 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1448 }
1449}
1450
1451/*
1452 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1453 *
1454 * Verifies that attesting to RSA checks for missing app ID.
1455 */
1456TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1457 auto challenge = "hello";
1458 vector<uint8_t> key_blob;
1459 vector<KeyCharacteristics> key_characteristics;
1460
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1461 auto builder = AuthorizationSetBuilder()
1462 .RsaSigningKey(2048, 65537)
1463 .Digest(Digest::NONE)
1464 .Padding(PaddingMode::NONE)
1465 .AttestationChallenge(challenge)
1466 .Authorization(TAG_NO_AUTH_REQUIRED)
1467 .SetDefaultValidity();
1468
1469 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1470 // Strongbox may not support factory provisioned attestation key.
1471 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1472 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1473 result = GenerateKeyWithSelfSignedAttestKey(
1474 AuthorizationSetBuilder()
1475 .RsaKey(2048, 65537)
1476 .AttestKey()
1477 .SetDefaultValidity(), /* attest key params */
1478 builder, &key_blob, &key_characteristics);
1479 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1480 }
1481 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1482}
1483
1484/*
1485 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1486 *
1487 * Verifies that attesting to RSA ignores app id if challenge is missing.
1488 */
1489TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1490 auto key_size = 2048;
1491 auto app_id = "foo";
1492
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1493 auto subject = "cert subj 2";
1494 vector<uint8_t> subject_der(make_name_from_str(subject));
1495
1496 uint64_t serial_int = 1;
1497 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1498
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1499 vector<uint8_t> key_blob;
1500 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1501 ASSERT_EQ(ErrorCode::OK,
1502 GenerateKey(AuthorizationSetBuilder()
1503 .RsaSigningKey(key_size, 65537)
1504 .Digest(Digest::NONE)
1505 .Padding(PaddingMode::NONE)
1506 .AttestationApplicationId(app_id)
1507 .Authorization(TAG_NO_AUTH_REQUIRED)
1508 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1509 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1510 .SetDefaultValidity(),
1511 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1512 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1513
1514 ASSERT_GT(key_blob.size(), 0U);
1515 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1516 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1517
1518 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1519
1520 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1521 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1522 << "Key size " << key_size << "missing";
1523 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1524
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]1525 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1526 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1527 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1528 ASSERT_EQ(cert_chain_.size(), 1);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1529}
1530
1531/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1532 * NewKeyGenerationTest.LimitedUsageRsa
1533 *
1534 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1535 * resulting keys have correct characteristics.
1536 */
1537TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1538 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1539 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1540 vector<uint8_t> key_blob;
1541 vector<KeyCharacteristics> key_characteristics;
1542 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1543 .RsaSigningKey(key_size, 65537)
1544 .Digest(Digest::NONE)
1545 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1546 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1547 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1548 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1549 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1550
1551 ASSERT_GT(key_blob.size(), 0U);
1552 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1553 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1554
1555 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1556
1557 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1558 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1559 << "Key size " << key_size << "missing";
1560 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1561
1562 // Check the usage count limit tag appears in the authorizations.
1563 AuthorizationSet auths;
1564 for (auto& entry : key_characteristics) {
1565 auths.push_back(AuthorizationSet(entry.authorizations));
1566 }
1567 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1568 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1569 }
1570}
1571
1572/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1573 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1574 *
1575 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1576 * resulting keys have correct characteristics and attestation.
1577 */
1578TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1579 auto challenge = "hello";
1580 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1581
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1582 auto subject = "cert subj 2";
1583 vector<uint8_t> subject_der(make_name_from_str(subject));
1584
1585 uint64_t serial_int = 66;
1586 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1587
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1588 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1589 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1590 vector<uint8_t> key_blob;
1591 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1592 auto builder = AuthorizationSetBuilder()
1593 .RsaSigningKey(key_size, 65537)
1594 .Digest(Digest::NONE)
1595 .Padding(PaddingMode::NONE)
1596 .AttestationChallenge(challenge)
1597 .AttestationApplicationId(app_id)
1598 .Authorization(TAG_NO_AUTH_REQUIRED)
1599 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1600 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1601 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1602 .SetDefaultValidity();
1603
1604 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1605 // Strongbox may not support factory provisioned attestation key.
1606 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1607 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1608 result = GenerateKeyWithSelfSignedAttestKey(
1609 AuthorizationSetBuilder()
1610 .RsaKey(key_size, 65537)
1611 .AttestKey()
1612 .SetDefaultValidity(), /* attest key params */
1613 builder, &key_blob, &key_characteristics);
1614 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1615 }
1616 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1617 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1618
1619 ASSERT_GT(key_blob.size(), 0U);
1620 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1621 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1622
1623 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1624
1625 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1626 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1627 << "Key size " << key_size << "missing";
1628 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1629
1630 // Check the usage count limit tag appears in the authorizations.
1631 AuthorizationSet auths;
1632 for (auto& entry : key_characteristics) {
1633 auths.push_back(AuthorizationSet(entry.authorizations));
1634 }
1635 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1636 << "key usage count limit " << 1U << " missing";
1637
1638 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1639 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1640 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1641 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1642
1643 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1644 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1645 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1646 sw_enforced, hw_enforced, SecLevel(),
1647 cert_chain_[0].encodedCertificate));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1648 }
1649}
1650
1651/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1652 * NewKeyGenerationTest.NoInvalidRsaSizes
1653 *
1654 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1655 */
1656TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1657 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1658 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1659 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1660 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1661 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1662 GenerateKey(AuthorizationSetBuilder()
1663 .RsaSigningKey(key_size, 65537)
1664 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1665 .Padding(PaddingMode::NONE)
1666 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1667 &key_blob, &key_characteristics));
1668 }
1669}
1670
1671/*
1672 * NewKeyGenerationTest.RsaNoDefaultSize
1673 *
1674 * Verifies that failing to specify a key size for RSA key generation returns
1675 * UNSUPPORTED_KEY_SIZE.
1676 */
1677TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1678 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1679 GenerateKey(AuthorizationSetBuilder()
1680 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1681 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1682 .SigningKey()
1683 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1684}
1685
1686/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1687 * NewKeyGenerationTest.RsaMissingParams
1688 *
1689 * Verifies that omitting optional tags works.
1690 */
1691TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1692 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1693 SCOPED_TRACE(testing::Message() << "RSA-" << key_size);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1694 ASSERT_EQ(ErrorCode::OK,
1695 GenerateKey(
1696 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1697 CheckedDeleteKey();
1698 }
1699}
1700
1701/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1702 * NewKeyGenerationTest.Ecdsa
1703 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1704 * Verifies that keymint can generate all required EC curves, and that the resulting keys
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1705 * have correct characteristics.
1706 */
1707TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1708 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1709 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1710 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1711 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1712 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1713 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1714 .Digest(Digest::NONE)
1715 .SetDefaultValidity(),
1716 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1717 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1718 ASSERT_GT(key_blob.size(), 0U);
1719 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1720 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1721
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1722 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1723
1724 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1725 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1726 }
1727}
1728
1729/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1730 * NewKeyGenerationTest.EcdsaCurve25519
1731 *
1732 * Verifies that keymint can generate a curve25519 key, and that the resulting key
1733 * has correct characteristics.
1734 */
1735TEST_P(NewKeyGenerationTest, EcdsaCurve25519) {
1736 if (!Curve25519Supported()) {
1737 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1738 }
1739
1740 EcCurve curve = EcCurve::CURVE_25519;
1741 vector<uint8_t> key_blob;
1742 vector<KeyCharacteristics> key_characteristics;
1743 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1744 .EcdsaSigningKey(curve)
1745 .Digest(Digest::NONE)
1746 .SetDefaultValidity(),
1747 &key_blob, &key_characteristics);
1748 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1749 KeyBlobDeleter deleter(keymint_, key_blob);
1750
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1751 ASSERT_GT(key_blob.size(), 0U);
1752
1753 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1754 ASSERT_GT(cert_chain_.size(), 0);
1755
1756 CheckBaseParams(key_characteristics);
1757 CheckCharacteristics(key_blob, key_characteristics);
1758
1759 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1760
1761 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1762 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1763}
1764
1765/*
1766 * NewKeyGenerationTest.EcCurve25519MultiPurposeFail
1767 *
1768 * Verifies that KeyMint rejects an attempt to generate a curve 25519 key for both
1769 * SIGN and AGREE_KEY.
1770 */
1771TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
1772 if (!Curve25519Supported()) {
1773 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1774 }
1775
1776 EcCurve curve = EcCurve::CURVE_25519;
1777 vector<uint8_t> key_blob;
1778 vector<KeyCharacteristics> key_characteristics;
1779 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1780 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
1781 .EcdsaSigningKey(curve)
1782 .Digest(Digest::NONE)
1783 .SetDefaultValidity(),
1784 &key_blob, &key_characteristics);
1785 ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
1786}
1787
1788/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1789 * NewKeyGenerationTest.EcdsaWithMissingValidity
1790 *
1791 * Verifies that keymint returns an error while generating asymmetric key
1792 * without providing NOT_BEFORE and NOT_AFTER parameters.
1793 */
1794TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
Tommy Chiu7d22f602022-11-14 21:03:34 +0800[diff] [blame]1795 if (AidlVersion() < 2) {
1796 /*
1797 * The KeyMint V1 spec required that CERTIFICATE_NOT_{BEFORE,AFTER} be
1798 * specified for asymmetric key generation. However, this was not
1799 * checked at the time so we can only be strict about checking this for
1800 * implementations of KeyMint version 2 and above.
1801 */
1802 GTEST_SKIP() << "Validity strict since KeyMint v2";
1803 }
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1804 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1805 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1806 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1807
1808 vector<uint8_t> key_blob;
1809 vector<KeyCharacteristics> key_characteristics;
1810 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1811 GenerateKey(AuthorizationSetBuilder()
1812 .EcdsaSigningKey(EcCurve::P_256)
1813 .Digest(Digest::NONE)
1814 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1815 kUndefinedExpirationDateTime),
1816 &key_blob, &key_characteristics));
1817
1818 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1819 GenerateKey(AuthorizationSetBuilder()
1820 .EcdsaSigningKey(EcCurve::P_256)
1821 .Digest(Digest::NONE)
1822 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1823 &key_blob, &key_characteristics));
1824}
1825
1826/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1827 * NewKeyGenerationTest.EcdsaAttestation
1828 *
1829 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1830 * an attestation will be generated.
1831 */
1832TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1833 auto challenge = "hello";
1834 auto app_id = "foo";
1835
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1836 auto subject = "cert subj 2";
1837 vector<uint8_t> subject_der(make_name_from_str(subject));
1838
1839 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1840 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1841
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1842 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]1843 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1844 vector<uint8_t> key_blob;
1845 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1846 auto builder = AuthorizationSetBuilder()
1847 .Authorization(TAG_NO_AUTH_REQUIRED)
1848 .EcdsaSigningKey(curve)
1849 .Digest(Digest::NONE)
1850 .AttestationChallenge(challenge)
1851 .AttestationApplicationId(app_id)
1852 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1853 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1854 .SetDefaultValidity();
1855
1856 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1857 // Strongbox may not support factory provisioned attestation key.
1858 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1859 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1860 result = GenerateKeyWithSelfSignedAttestKey(
1861 AuthorizationSetBuilder()
1862 .EcdsaKey(curve)
1863 .AttestKey()
1864 .SetDefaultValidity(), /* attest key params */
1865 builder, &key_blob, &key_characteristics);
1866 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1867 }
1868 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1869 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1870 ASSERT_GT(key_blob.size(), 0U);
1871 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1872 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1873
1874 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1875
1876 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1877 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1878
1879 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1880 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1881 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1882
1883 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1884 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1885 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1886 sw_enforced, hw_enforced, SecLevel(),
1887 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1888 }
1889}
1890
1891/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1892 * NewKeyGenerationTest.EcdsaAttestationCurve25519
1893 *
1894 * Verifies that for a curve 25519 key, if challenge and app id is provided,
1895 * an attestation will be generated.
1896 */
1897TEST_P(NewKeyGenerationTest, EcdsaAttestationCurve25519) {
1898 if (!Curve25519Supported()) {
1899 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1900 }
1901
1902 EcCurve curve = EcCurve::CURVE_25519;
1903 auto challenge = "hello";
1904 auto app_id = "foo";
1905
1906 auto subject = "cert subj 2";
1907 vector<uint8_t> subject_der(make_name_from_str(subject));
1908
1909 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1910 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1911
1912 vector<uint8_t> key_blob;
1913 vector<KeyCharacteristics> key_characteristics;
1914 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1915 .Authorization(TAG_NO_AUTH_REQUIRED)
1916 .EcdsaSigningKey(curve)
1917 .Digest(Digest::NONE)
1918 .AttestationChallenge(challenge)
1919 .AttestationApplicationId(app_id)
1920 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1921 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1922 .SetDefaultValidity(),
1923 &key_blob, &key_characteristics);
1924 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]1925 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1926 ASSERT_GT(key_blob.size(), 0U);
1927 CheckBaseParams(key_characteristics);
1928 CheckCharacteristics(key_blob, key_characteristics);
1929
1930 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1931
1932 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1933 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1934
1935 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1936 ASSERT_GT(cert_chain_.size(), 0);
1937 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
1938
1939 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1940 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1941 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
1942 sw_enforced, hw_enforced, SecLevel(),
1943 cert_chain_[0].encodedCertificate));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1944}
1945
1946/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1947 * NewKeyGenerationTest.EcdsaAttestationTags
1948 *
1949 * Verifies that creation of an attested ECDSA key includes various tags in the
1950 * attestation extension.
1951 */
1952TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1953 auto challenge = "hello";
1954 auto app_id = "foo";
1955 auto subject = "cert subj 2";
1956 vector<uint8_t> subject_der(make_name_from_str(subject));
1957 uint64_t serial_int = 0x1010;
1958 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1959 const AuthorizationSetBuilder base_builder =
1960 AuthorizationSetBuilder()
1961 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1962 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1963 .Digest(Digest::NONE)
1964 .AttestationChallenge(challenge)
1965 .AttestationApplicationId(app_id)
1966 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1967 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1968 .SetDefaultValidity();
1969
1970 // Various tags that map to fields in the attestation extension ASN.1 schema.
1971 auto extra_tags = AuthorizationSetBuilder()
1972 .Authorization(TAG_ROLLBACK_RESISTANCE)
1973 .Authorization(TAG_EARLY_BOOT_ONLY)
1974 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1975 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1976 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1977 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1978 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1979 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1980 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1981 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1982 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1983 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1984
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1985 for (const KeyParameter& tag : extra_tags) {
1986 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1987 vector<uint8_t> key_blob;
1988 vector<KeyCharacteristics> key_characteristics;
1989 AuthorizationSetBuilder builder = base_builder;
1990 builder.push_back(tag);
1991 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1992 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1993 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1994 continue;
1995 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1996 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1997 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1998 continue;
1999 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2000 // Strongbox may not support factory provisioned attestation key.
2001 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2002 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2003 result = GenerateKeyWithSelfSignedAttestKey(
2004 AuthorizationSetBuilder()
2005 .EcdsaKey(EcCurve::P_256)
2006 .AttestKey()
2007 .SetDefaultValidity(), /* attest key params */
2008 builder, &key_blob, &key_characteristics);
2009 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2010 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2011 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2012 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2013 ASSERT_GT(key_blob.size(), 0U);
2014
2015 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2016 ASSERT_GT(cert_chain_.size(), 0);
2017 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2018
2019 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2020 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]2021 // Some tags are optional, so don't require them to be in the enforcements.
2022 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2023 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
2024 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
2025 }
2026
2027 // Verifying the attestation record will check for the specific tag because
2028 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2029 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2030 hw_enforced, SecLevel(),
2031 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2032 }
2033
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2034 // Collection of invalid attestation ID tags.
2035 auto invalid_tags =
2036 AuthorizationSetBuilder()
2037 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
2038 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
2039 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
2040 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
2041 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
2042 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
2043 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
2044 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2045 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2046 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2047 vector<uint8_t> key_blob;
2048 vector<KeyCharacteristics> key_characteristics;
2049 AuthorizationSetBuilder builder =
2050 AuthorizationSetBuilder()
2051 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2052 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2053 .Digest(Digest::NONE)
2054 .AttestationChallenge(challenge)
2055 .AttestationApplicationId(app_id)
2056 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2057 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2058 .SetDefaultValidity();
2059 builder.push_back(tag);
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2060
2061 auto error = GenerateKey(builder, &key_blob, &key_characteristics);
2062 // Strongbox may not support factory provisioned attestation key.
2063 if (SecLevel() == SecurityLevel::STRONGBOX) {
2064 if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2065 error = GenerateKeyWithSelfSignedAttestKey(
2066 AuthorizationSetBuilder()
2067 .EcdsaKey(EcCurve::P_256)
2068 .AttestKey()
2069 .SetDefaultValidity(), /* attest key params */
2070 builder, &key_blob, &key_characteristics);
2071 }
2072 }
2073 ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2074 }
2075}
2076
2077/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2078 * NewKeyGenerationTest.EcdsaAttestationIdTags
2079 *
2080 * Verifies that creation of an attested ECDSA key includes various ID tags in the
2081 * attestation extension.
2082 */
2083TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
David Drysdale555ba002022-05-03 18:48:57 +0100[diff] [blame]2084 if (is_gsi_image()) {
2085 // GSI sets up a standard set of device identifiers that may not match
2086 // the device identifiers held by the device.
2087 GTEST_SKIP() << "Test not applicable under GSI";
2088 }
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2089 auto challenge = "hello";
2090 auto app_id = "foo";
2091 auto subject = "cert subj 2";
2092 vector<uint8_t> subject_der(make_name_from_str(subject));
2093 uint64_t serial_int = 0x1010;
2094 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2095 const AuthorizationSetBuilder base_builder =
2096 AuthorizationSetBuilder()
2097 .Authorization(TAG_NO_AUTH_REQUIRED)
2098 .EcdsaSigningKey(EcCurve::P_256)
2099 .Digest(Digest::NONE)
2100 .AttestationChallenge(challenge)
2101 .AttestationApplicationId(app_id)
2102 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2103 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2104 .SetDefaultValidity();
2105
2106 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
2107 auto extra_tags = AuthorizationSetBuilder();
Prashant Patil8d779bf2022-09-28 16:09:29 +0100[diff] [blame]2108 // Use ro.product.brand_for_attestation property for attestation if it is present else fallback
2109 // to ro.product.brand
2110 std::string prop_value =
2111 ::android::base::GetProperty("ro.product.brand_for_attestation", /* default= */ "");
2112 if (!prop_value.empty()) {
2113 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_BRAND,
2114 "ro.product.brand_for_attestation");
2115 } else {
2116 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
2117 }
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2118 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
Prashant Patil8d779bf2022-09-28 16:09:29 +0100[diff] [blame]2119 // Use ro.product.name_for_attestation property for attestation if it is present else fallback
2120 // to ro.product.name
2121 prop_value = ::android::base::GetProperty("ro.product.name_for_attestation", /* default= */ "");
2122 if (!prop_value.empty()) {
2123 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_PRODUCT,
2124 "ro.product.name_for_attestation");
2125 } else {
2126 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
2127 }
Tri Vo799e4352022-11-07 17:23:50 -0800[diff] [blame]2128 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serialno");
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2129 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer");
Prashant Patil8d779bf2022-09-28 16:09:29 +0100[diff] [blame]2130 // Use ro.product.model_for_attestation property for attestation if it is present else fallback
2131 // to ro.product.model
2132 prop_value =
2133 ::android::base::GetProperty("ro.product.model_for_attestation", /* default= */ "");
2134 if (!prop_value.empty()) {
2135 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MODEL,
2136 "ro.product.model_for_attestation");
2137 } else {
2138 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model");
2139 }
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2140
2141 for (const KeyParameter& tag : extra_tags) {
2142 SCOPED_TRACE(testing::Message() << "tag-" << tag);
2143 vector<uint8_t> key_blob;
2144 vector<KeyCharacteristics> key_characteristics;
2145 AuthorizationSetBuilder builder = base_builder;
2146 builder.push_back(tag);
2147 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2148 // Strongbox may not support factory provisioned attestation key.
2149 if (SecLevel() == SecurityLevel::STRONGBOX) {
2150 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
2151 }
Prashant Patil88ad1892022-03-15 16:31:02 +0000[diff] [blame]2152 if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
2153 // ID attestation was optional till api level 32, from api level 33 it is mandatory.
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2154 continue;
2155 }
2156 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2157 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2158 ASSERT_GT(key_blob.size(), 0U);
2159
2160 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2161 ASSERT_GT(cert_chain_.size(), 0);
2162 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2163
2164 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2165 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2166
2167 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
2168 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
2169 // attestation extension should contain them, so make sure the extra tag is added.
2170 hw_enforced.push_back(tag);
2171
2172 // Verifying the attestation record will check for the specific tag because
2173 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2174 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2175 hw_enforced, SecLevel(),
2176 cert_chain_[0].encodedCertificate));
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2177 }
2178}
2179
2180/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2181 * NewKeyGenerationTest.EcdsaAttestationUniqueId
2182 *
2183 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
2184 */
2185TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
2186 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2187 vector<uint8_t>* unique_id, bool reset = false) {
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2188 auto challenge = "hello";
2189 auto subject = "cert subj 2";
2190 vector<uint8_t> subject_der(make_name_from_str(subject));
2191 uint64_t serial_int = 0x1010;
2192 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2193 AuthorizationSetBuilder builder =
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2194 AuthorizationSetBuilder()
2195 .Authorization(TAG_NO_AUTH_REQUIRED)
2196 .Authorization(TAG_INCLUDE_UNIQUE_ID)
2197 .EcdsaSigningKey(EcCurve::P_256)
2198 .Digest(Digest::NONE)
2199 .AttestationChallenge(challenge)
2200 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2201 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2202 .AttestationApplicationId(app_id)
2203 .Authorization(TAG_CREATION_DATETIME, datetime)
2204 .SetDefaultValidity();
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2205 if (reset) {
2206 builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
2207 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2208 auto result = GenerateKey(builder);
2209 if (SecLevel() == SecurityLevel::STRONGBOX) {
2210 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2211 result = GenerateKeyWithSelfSignedAttestKey(
2212 AuthorizationSetBuilder()
2213 .EcdsaKey(EcCurve::P_256)
2214 .AttestKey()
2215 .SetDefaultValidity(), /* attest key params */
2216 builder, &key_blob_, &key_characteristics_, &cert_chain_);
2217 }
2218 }
2219 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2220 ASSERT_GT(key_blob_.size(), 0U);
2221
2222 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2223 ASSERT_GT(cert_chain_.size(), 0);
2224 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2225
2226 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
2227 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
2228
2229 // Check that the unique ID field in the extension is non-empty.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2230 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2231 hw_enforced, SecLevel(),
2232 cert_chain_[0].encodedCertificate, unique_id));
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2233 EXPECT_GT(unique_id->size(), 0);
2234 CheckedDeleteKey();
2235 };
2236
2237 // Generate unique ID
2238 auto app_id = "foo";
2239 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
2240 vector<uint8_t> unique_id;
2241 get_unique_id(app_id, cert_date, &unique_id);
2242
2243 // Generating a new key with the same parameters should give the same unique ID.
2244 vector<uint8_t> unique_id2;
2245 get_unique_id(app_id, cert_date, &unique_id2);
2246 EXPECT_EQ(unique_id, unique_id2);
2247
2248 // Generating a new key with a slightly different date should give the same unique ID.
2249 uint64_t rounded_date = cert_date / 2592000000LLU;
2250 uint64_t min_date = rounded_date * 2592000000LLU;
2251 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
2252
2253 vector<uint8_t> unique_id3;
2254 get_unique_id(app_id, min_date, &unique_id3);
2255 EXPECT_EQ(unique_id, unique_id3);
2256
2257 vector<uint8_t> unique_id4;
2258 get_unique_id(app_id, max_date, &unique_id4);
2259 EXPECT_EQ(unique_id, unique_id4);
2260
2261 // A different attestation application ID should yield a different unique ID.
2262 auto app_id2 = "different_foo";
2263 vector<uint8_t> unique_id5;
2264 get_unique_id(app_id2, cert_date, &unique_id5);
2265 EXPECT_NE(unique_id, unique_id5);
2266
2267 // A radically different date should yield a different unique ID.
2268 vector<uint8_t> unique_id6;
2269 get_unique_id(app_id, 1611621648000, &unique_id6);
2270 EXPECT_NE(unique_id, unique_id6);
2271
2272 vector<uint8_t> unique_id7;
2273 get_unique_id(app_id, max_date + 1, &unique_id7);
2274 EXPECT_NE(unique_id, unique_id7);
2275
2276 vector<uint8_t> unique_id8;
2277 get_unique_id(app_id, min_date - 1, &unique_id8);
2278 EXPECT_NE(unique_id, unique_id8);
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2279
2280 // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
2281 vector<uint8_t> unique_id9;
2282 get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
2283 EXPECT_NE(unique_id, unique_id9);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2284}
2285
2286/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2287 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
2288 *
2289 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
2290 */
2291TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
2292 auto challenge = "hello";
2293 auto attest_app_id = "foo";
2294 auto subject = "cert subj 2";
2295 vector<uint8_t> subject_der(make_name_from_str(subject));
2296 uint64_t serial_int = 0x1010;
2297 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2298
2299 // Earlier versions of the attestation extension schema included a slot:
2300 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
2301 // This should never have been included, and should never be filled in.
2302 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
2303 // to confirm that this field never makes it into the attestation extension.
2304 vector<uint8_t> key_blob;
2305 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2306 auto builder = AuthorizationSetBuilder()
2307 .Authorization(TAG_NO_AUTH_REQUIRED)
2308 .EcdsaSigningKey(EcCurve::P_256)
2309 .Digest(Digest::NONE)
2310 .AttestationChallenge(challenge)
2311 .AttestationApplicationId(attest_app_id)
2312 .Authorization(TAG_APPLICATION_ID, "client_id")
2313 .Authorization(TAG_APPLICATION_DATA, "appdata")
2314 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2315 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2316 .SetDefaultValidity();
2317
2318 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2319 // Strongbox may not support factory provisioned attestation key.
2320 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2321 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2322 result = GenerateKeyWithSelfSignedAttestKey(
2323 AuthorizationSetBuilder()
2324 .EcdsaKey(EcCurve::P_256)
2325 .AttestKey()
2326 .SetDefaultValidity(), /* attest key params */
2327 builder, &key_blob, &key_characteristics);
2328 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2329 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2330 ASSERT_EQ(result, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2331 KeyBlobDeleter deleter(keymint_, key_blob);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2332 ASSERT_GT(key_blob.size(), 0U);
2333
2334 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2335 ASSERT_GT(cert_chain_.size(), 0);
2336 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2337
2338 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2339 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2340 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
2341 hw_enforced, SecLevel(),
2342 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2343
2344 // Check that the app id is not in the cert.
2345 string app_id = "clientid";
2346 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
2347 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
2348 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
2349 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
2350 cert_chain_[0].encodedCertificate.end());
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2351}
2352
2353/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2354 * NewKeyGenerationTest.EcdsaSelfSignAttestation
2355 *
2356 * Verifies that if no challenge is provided to an Ecdsa key generation, then
2357 * the key will generate a self signed attestation.
2358 */
2359TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2360 auto subject = "cert subj 2";
2361 vector<uint8_t> subject_der(make_name_from_str(subject));
2362
2363 uint64_t serial_int = 0x123456FFF1234;
2364 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2365
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2366 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2367 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2368 vector<uint8_t> key_blob;
2369 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2370 ASSERT_EQ(ErrorCode::OK,
2371 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2372 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2373 .Digest(Digest::NONE)
2374 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2375 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2376 .SetDefaultValidity(),
2377 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2378 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2379 ASSERT_GT(key_blob.size(), 0U);
2380 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2381 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2382
2383 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2384
2385 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2386 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2387
2388 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2389 ASSERT_EQ(cert_chain_.size(), 1);
David Drysdalea8a888e2022-06-08 12:43:56 +0100[diff] [blame]2390 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2391
2392 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2393 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2394 }
2395}
2396
2397/*
2398 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
2399 *
2400 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
2401 * app id must also be provided or else it will fail.
2402 */
2403TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
2404 auto challenge = "hello";
2405 vector<uint8_t> key_blob;
2406 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2407 auto builder = AuthorizationSetBuilder()
2408 .EcdsaSigningKey(EcCurve::P_256)
2409 .Digest(Digest::NONE)
2410 .AttestationChallenge(challenge)
2411 .SetDefaultValidity();
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2412
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2413 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2414 // Strongbox may not support factory provisioned attestation key.
2415 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2416 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2417 result = GenerateKeyWithSelfSignedAttestKey(
2418 AuthorizationSetBuilder()
2419 .EcdsaKey(EcCurve::P_256)
2420 .AttestKey()
2421 .SetDefaultValidity(), /* attest key params */
2422 builder, &key_blob, &key_characteristics);
2423 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2424 }
2425 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2426}
2427
2428/*
2429 * NewKeyGenerationTest.EcdsaIgnoreAppId
2430 *
2431 * Verifies that if no challenge is provided to the Ecdsa key generation, then
2432 * any appid will be ignored, and keymint will generate a self sign certificate.
2433 */
2434TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
2435 auto app_id = "foo";
2436
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2437 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2438 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2439 vector<uint8_t> key_blob;
2440 vector<KeyCharacteristics> key_characteristics;
2441 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2442 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2443 .Digest(Digest::NONE)
2444 .AttestationApplicationId(app_id)
2445 .SetDefaultValidity(),
2446 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2447 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2448
2449 ASSERT_GT(key_blob.size(), 0U);
2450 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2451 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2452
2453 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2454
2455 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2456 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2457
2458 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2459 ASSERT_EQ(cert_chain_.size(), 1);
2460
2461 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2462 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2463 }
2464}
2465
2466/*
2467 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
2468 *
2469 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
2470 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
2471 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
2472 * to specify how many following bytes will be used to encode the length.
2473 */
2474TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
2475 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2476 std::vector<uint32_t> app_id_lengths{143, 258};
2477
2478 for (uint32_t length : app_id_lengths) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2479 SCOPED_TRACE(testing::Message() << "app_id_len=" << length);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2480 const string app_id(length, 'a');
2481 vector<uint8_t> key_blob;
2482 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2483 auto builder = AuthorizationSetBuilder()
2484 .Authorization(TAG_NO_AUTH_REQUIRED)
2485 .EcdsaSigningKey(EcCurve::P_256)
2486 .Digest(Digest::NONE)
2487 .AttestationChallenge(challenge)
2488 .AttestationApplicationId(app_id)
2489 .SetDefaultValidity();
2490
2491 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2492 // Strongbox may not support factory provisioned attestation key.
2493 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2494 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2495 result = GenerateKeyWithSelfSignedAttestKey(
2496 AuthorizationSetBuilder()
2497 .EcdsaKey(EcCurve::P_256)
2498 .AttestKey()
2499 .SetDefaultValidity(), /* attest key params */
2500 builder, &key_blob, &key_characteristics);
2501 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2502 }
2503 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2504 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2505 ASSERT_GT(key_blob.size(), 0U);
2506 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2507 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2508
2509 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2510
2511 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2512 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2513
2514 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2515 ASSERT_GT(cert_chain_.size(), 0);
2516
2517 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2518 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2519 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2520 sw_enforced, hw_enforced, SecLevel(),
2521 cert_chain_[0].encodedCertificate));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2522 }
2523}
2524
2525/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2526 * NewKeyGenerationTest.LimitedUsageEcdsa
2527 *
2528 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
2529 * resulting keys have correct characteristics.
2530 */
2531TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2532 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2533 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2534 vector<uint8_t> key_blob;
2535 vector<KeyCharacteristics> key_characteristics;
2536 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2537 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2538 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2539 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
2540 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2541 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2542 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2543
2544 ASSERT_GT(key_blob.size(), 0U);
2545 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2546 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2547
2548 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2549
2550 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2551 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2552
2553 // Check the usage count limit tag appears in the authorizations.
2554 AuthorizationSet auths;
2555 for (auto& entry : key_characteristics) {
2556 auths.push_back(AuthorizationSet(entry.authorizations));
2557 }
2558 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2559 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2560 }
2561}
2562
2563/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2564 * NewKeyGenerationTest.EcdsaDefaultSize
2565 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2566 * Verifies that failing to specify a curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2567 * UNSUPPORTED_KEY_SIZE.
2568 */
2569TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
2570 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2571 GenerateKey(AuthorizationSetBuilder()
2572 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2573 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2574 .Digest(Digest::NONE)
2575 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2576}
2577
2578/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2579 * NewKeyGenerationTest.EcdsaInvalidCurve
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2580 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2581 * Verifies that specifying an invalid curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2582 * UNSUPPORTED_KEY_SIZE.
2583 */
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2584TEST_P(NewKeyGenerationTest, EcdsaInvalidCurve) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2585 for (auto curve : InvalidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2586 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2587 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2588 vector<KeyCharacteristics> key_characteristics;
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2589 auto result = GenerateKey(AuthorizationSetBuilder()
2590 .EcdsaSigningKey(curve)
2591 .Digest(Digest::NONE)
2592 .SetDefaultValidity(),
2593 &key_blob, &key_characteristics);
2594 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2595 result == ErrorCode::UNSUPPORTED_EC_CURVE);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2596 }
2597
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2598 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2599 GenerateKey(AuthorizationSetBuilder()
2600 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2601 .Authorization(TAG_KEY_SIZE, 190)
2602 .SigningKey()
2603 .Digest(Digest::NONE)
2604 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2605}
2606
2607/*
Prashant Patil60f8d4d2022-03-29 13:11:09 +0000[diff] [blame]2608 * NewKeyGenerationTest.EcdsaMissingCurve
2609 *
2610 * Verifies that EC key generation fails if EC_CURVE not specified after KeyMint V2.
2611 */
2612TEST_P(NewKeyGenerationTest, EcdsaMissingCurve) {
2613 if (AidlVersion() < 2) {
2614 /*
2615 * The KeyMint V1 spec required that EC_CURVE be specified for EC keys.
2616 * However, this was not checked at the time so we can only be strict about checking this
2617 * for implementations of KeyMint version 2 and above.
2618 */
2619 GTEST_SKIP() << "Requiring EC_CURVE only strict since KeyMint v2";
2620 }
2621 /* If EC_CURVE not provided, generateKey
2622 * must return ErrorCode::UNSUPPORTED_KEY_SIZE or ErrorCode::UNSUPPORTED_EC_CURVE.
2623 */
2624 auto result = GenerateKey(
2625 AuthorizationSetBuilder().EcdsaKey(256).Digest(Digest::NONE).SetDefaultValidity());
2626 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2627 result == ErrorCode::UNSUPPORTED_EC_CURVE);
2628}
2629
2630/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2631 * NewKeyGenerationTest.EcdsaMismatchKeySize
2632 *
2633 * Verifies that specifying mismatched key size and curve for EC key generation returns
2634 * INVALID_ARGUMENT.
2635 */
2636TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2637 if (SecLevel() == SecurityLevel::STRONGBOX) {
2638 GTEST_SKIP() << "Test not applicable to StrongBox device";
2639 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2640
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2641 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2642 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2643 .Authorization(TAG_KEY_SIZE, 224)
2644 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2645 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2646 .Digest(Digest::NONE)
2647 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2648 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2649}
2650
2651/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2652 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2653 *
2654 * Verifies that keymint does not support any curve designated as unsupported.
2655 */
2656TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2657 Digest digest;
2658 if (SecLevel() == SecurityLevel::STRONGBOX) {
2659 digest = Digest::SHA_2_256;
2660 } else {
2661 digest = Digest::SHA_2_512;
2662 }
2663 for (auto curve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2664 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2665 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2666 .EcdsaSigningKey(curve)
2667 .Digest(digest)
2668 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2669 << "Failed to generate key on curve: " << curve;
2670 CheckedDeleteKey();
2671 }
2672}
2673
2674/*
2675 * NewKeyGenerationTest.Hmac
2676 *
2677 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2678 * characteristics.
2679 */
2680TEST_P(NewKeyGenerationTest, Hmac) {
2681 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2682 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2683 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2684 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2685 constexpr size_t key_size = 128;
2686 ASSERT_EQ(ErrorCode::OK,
2687 GenerateKey(
2688 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2689 TAG_MIN_MAC_LENGTH, 128),
2690 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2691 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2692
2693 ASSERT_GT(key_blob.size(), 0U);
2694 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2695 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2696
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2697 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2698 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2699 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2700 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2701 }
2702}
2703
2704/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2705 * NewKeyGenerationTest.HmacNoAttestation
2706 *
2707 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2708 * and app id are provided.
2709 */
2710TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2711 auto challenge = "hello";
2712 auto app_id = "foo";
2713
2714 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2715 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2716 vector<uint8_t> key_blob;
2717 vector<KeyCharacteristics> key_characteristics;
2718 constexpr size_t key_size = 128;
2719 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2720 .HmacKey(key_size)
2721 .Digest(digest)
2722 .AttestationChallenge(challenge)
2723 .AttestationApplicationId(app_id)
2724 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2725 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2726 KeyBlobDeleter deleter(keymint_, key_blob);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2727
2728 ASSERT_GT(key_blob.size(), 0U);
2729 ASSERT_EQ(cert_chain_.size(), 0);
2730 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2731 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2732
2733 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2734 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2735 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2736 << "Key size " << key_size << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2737 }
2738}
2739
2740/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2741 * NewKeyGenerationTest.LimitedUsageHmac
2742 *
2743 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2744 * resulting keys have correct characteristics.
2745 */
2746TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2747 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2748 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2749 vector<uint8_t> key_blob;
2750 vector<KeyCharacteristics> key_characteristics;
2751 constexpr size_t key_size = 128;
2752 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2753 .HmacKey(key_size)
2754 .Digest(digest)
2755 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2756 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2757 &key_blob, &key_characteristics));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]2758 KeyBlobDeleter deleter(keymint_, key_blob);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2759
2760 ASSERT_GT(key_blob.size(), 0U);
2761 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2762 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2763
2764 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2765 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2766 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2767 << "Key size " << key_size << "missing";
2768
2769 // Check the usage count limit tag appears in the authorizations.
2770 AuthorizationSet auths;
2771 for (auto& entry : key_characteristics) {
2772 auths.push_back(AuthorizationSet(entry.authorizations));
2773 }
2774 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2775 << "key usage count limit " << 1U << " missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2776 }
2777}
2778
2779/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2780 * NewKeyGenerationTest.HmacCheckKeySizes
2781 *
2782 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2783 */
2784TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2785 for (size_t key_size = 0; key_size <= 512; ++key_size) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2786 SCOPED_TRACE(testing::Message() << "HMAC-" << key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2787 if (key_size < 64 || key_size % 8 != 0) {
2788 // To keep this test from being very slow, we only test a random fraction of
2789 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2790 // them, we expect to run ~40 of them in each run.
2791 if (key_size % 8 == 0 || random() % 10 == 0) {
2792 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2793 GenerateKey(AuthorizationSetBuilder()
2794 .HmacKey(key_size)
2795 .Digest(Digest::SHA_2_256)
2796 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2797 << "HMAC key size " << key_size << " invalid";
2798 }
2799 } else {
2800 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2801 .HmacKey(key_size)
2802 .Digest(Digest::SHA_2_256)
2803 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2804 << "Failed to generate HMAC key of size " << key_size;
2805 CheckedDeleteKey();
2806 }
2807 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2808 if (SecLevel() == SecurityLevel::STRONGBOX) {
2809 // STRONGBOX devices must not support keys larger than 512 bits.
2810 size_t key_size = 520;
2811 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2812 GenerateKey(AuthorizationSetBuilder()
2813 .HmacKey(key_size)
2814 .Digest(Digest::SHA_2_256)
2815 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2816 << "HMAC key size " << key_size << " unexpectedly valid";
2817 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2818}
2819
2820/*
2821 * NewKeyGenerationTest.HmacCheckMinMacLengths
2822 *
2823 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2824 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2825 * specific MAC length that failed, so reproducing a failed run will be easy.
2826 */
2827TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2828 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2829 SCOPED_TRACE(testing::Message() << "MIN_MAC_LENGTH=" << min_mac_length);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2830 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2831 // To keep this test from being very long, we only test a random fraction of
2832 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2833 // we expect to run ~17 of them in each run.
2834 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2835 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2836 GenerateKey(AuthorizationSetBuilder()
2837 .HmacKey(128)
2838 .Digest(Digest::SHA_2_256)
2839 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2840 << "HMAC min mac length " << min_mac_length << " invalid.";
2841 }
2842 } else {
2843 EXPECT_EQ(ErrorCode::OK,
2844 GenerateKey(AuthorizationSetBuilder()
2845 .HmacKey(128)
2846 .Digest(Digest::SHA_2_256)
2847 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2848 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2849 CheckedDeleteKey();
2850 }
2851 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2852
2853 // Minimum MAC length must be no more than 512 bits.
2854 size_t min_mac_length = 520;
2855 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2856 GenerateKey(AuthorizationSetBuilder()
2857 .HmacKey(128)
2858 .Digest(Digest::SHA_2_256)
2859 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2860 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2861}
2862
2863/*
2864 * NewKeyGenerationTest.HmacMultipleDigests
2865 *
2866 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2867 */
2868TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2869 if (SecLevel() == SecurityLevel::STRONGBOX) {
2870 GTEST_SKIP() << "Test not applicable to StrongBox device";
2871 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2872
2873 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2874 GenerateKey(AuthorizationSetBuilder()
2875 .HmacKey(128)
2876 .Digest(Digest::SHA1)
2877 .Digest(Digest::SHA_2_256)
2878 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2879}
2880
2881/*
2882 * NewKeyGenerationTest.HmacDigestNone
2883 *
2884 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2885 */
2886TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2887 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2888 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2889 128)));
2890
2891 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2892 GenerateKey(AuthorizationSetBuilder()
2893 .HmacKey(128)
2894 .Digest(Digest::NONE)
2895 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2896}
2897
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2898/*
2899 * NewKeyGenerationTest.AesNoAttestation
2900 *
2901 * Verifies that attestation parameters to AES keys are ignored and generateKey
2902 * will succeed.
2903 */
2904TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2905 auto challenge = "hello";
2906 auto app_id = "foo";
2907
2908 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2909 .Authorization(TAG_NO_AUTH_REQUIRED)
2910 .AesEncryptionKey(128)
2911 .EcbMode()
2912 .Padding(PaddingMode::PKCS7)
2913 .AttestationChallenge(challenge)
2914 .AttestationApplicationId(app_id)));
2915
2916 ASSERT_EQ(cert_chain_.size(), 0);
2917}
2918
2919/*
2920 * NewKeyGenerationTest.TripleDesNoAttestation
2921 *
2922 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2923 * will be successful. No attestation should be generated.
2924 */
2925TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2926 auto challenge = "hello";
2927 auto app_id = "foo";
2928
2929 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2930 .TripleDesEncryptionKey(168)
2931 .BlockMode(BlockMode::ECB)
2932 .Authorization(TAG_NO_AUTH_REQUIRED)
2933 .Padding(PaddingMode::NONE)
2934 .AttestationChallenge(challenge)
2935 .AttestationApplicationId(app_id)));
2936 ASSERT_EQ(cert_chain_.size(), 0);
2937}
2938
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2939INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2940
2941typedef KeyMintAidlTestBase SigningOperationsTest;
2942
2943/*
2944 * SigningOperationsTest.RsaSuccess
2945 *
2946 * Verifies that raw RSA signature operations succeed.
2947 */
2948TEST_P(SigningOperationsTest, RsaSuccess) {
2949 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2950 .RsaSigningKey(2048, 65537)
2951 .Digest(Digest::NONE)
2952 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2953 .Authorization(TAG_NO_AUTH_REQUIRED)
2954 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2955 string message = "12345678901234567890123456789012";
2956 string signature = SignMessage(
2957 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2958 LocalVerifyMessage(message, signature,
2959 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2960}
2961
2962/*
2963 * SigningOperationsTest.RsaAllPaddingsAndDigests
2964 *
2965 * Verifies RSA signature/verification for all padding modes and digests.
2966 */
2967TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2968 auto authorizations = AuthorizationSetBuilder()
2969 .Authorization(TAG_NO_AUTH_REQUIRED)
2970 .RsaSigningKey(2048, 65537)
2971 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2972 .Padding(PaddingMode::NONE)
2973 .Padding(PaddingMode::RSA_PSS)
2974 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2975 .SetDefaultValidity();
2976
2977 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2978
2979 string message(128, 'a');
2980 string corrupt_message(message);
2981 ++corrupt_message[corrupt_message.size() / 2];
2982
2983 for (auto padding :
2984 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2985 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]2986 SCOPED_TRACE(testing::Message() << "RSA padding=" << padding << " digest=" << digest);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2987 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2988 // Digesting only makes sense with padding.
2989 continue;
2990 }
2991
2992 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2993 // PSS requires digesting.
2994 continue;
2995 }
2996
2997 string signature =
2998 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2999 LocalVerifyMessage(message, signature,
3000 AuthorizationSetBuilder().Digest(digest).Padding(padding));
3001 }
3002 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3003}
3004
3005/*
3006 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
3007 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3008 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3009 */
3010TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
3011 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3012 .Authorization(TAG_NO_AUTH_REQUIRED)
3013 .RsaSigningKey(2048, 65537)
3014 .Digest(Digest::NONE)
3015 .Padding(PaddingMode::NONE)
3016 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3017 .Authorization(TAG_APPLICATION_DATA, "appdata")
3018 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3019
3020 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3021
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3022 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3023 Begin(KeyPurpose::SIGN,
3024 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3025 AbortIfNeeded();
3026 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3027 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3028 .Digest(Digest::NONE)
3029 .Padding(PaddingMode::NONE)
3030 .Authorization(TAG_APPLICATION_ID, "clientid")));
3031 AbortIfNeeded();
3032 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3033 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3034 .Digest(Digest::NONE)
3035 .Padding(PaddingMode::NONE)
3036 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3037 AbortIfNeeded();
3038 EXPECT_EQ(ErrorCode::OK,
3039 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3040 .Digest(Digest::NONE)
3041 .Padding(PaddingMode::NONE)
3042 .Authorization(TAG_APPLICATION_DATA, "appdata")
3043 .Authorization(TAG_APPLICATION_ID, "clientid")));
3044 AbortIfNeeded();
3045}
3046
3047/*
3048 * SigningOperationsTest.RsaPssSha256Success
3049 *
3050 * Verifies that RSA-PSS signature operations succeed.
3051 */
3052TEST_P(SigningOperationsTest, RsaPssSha256Success) {
3053 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3054 .RsaSigningKey(2048, 65537)
3055 .Digest(Digest::SHA_2_256)
3056 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3057 .Authorization(TAG_NO_AUTH_REQUIRED)
3058 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3059 // Use large message, which won't work without digesting.
3060 string message(1024, 'a');
3061 string signature = SignMessage(
3062 message,
3063 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
3064}
3065
3066/*
3067 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
3068 *
3069 * Verifies that keymint rejects signature operations that specify a padding mode when the key
3070 * supports only unpadded operations.
3071 */
3072TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
3073 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3074 .RsaSigningKey(2048, 65537)
3075 .Digest(Digest::NONE)
3076 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3077 .Padding(PaddingMode::NONE)
3078 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3079 string message = "12345678901234567890123456789012";
3080 string signature;
3081
3082 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
3083 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3084 .Digest(Digest::NONE)
3085 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3086}
3087
3088/*
3089 * SigningOperationsTest.NoUserConfirmation
3090 *
3091 * Verifies that keymint rejects signing operations for keys with
3092 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
3093 * presented.
3094 */
3095TEST_P(SigningOperationsTest, NoUserConfirmation) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3096 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
Subrahmanyamance2bebd2023-04-28 23:37:02 +0000[diff] [blame]3097 .RsaSigningKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3098 .Digest(Digest::NONE)
3099 .Padding(PaddingMode::NONE)
3100 .Authorization(TAG_NO_AUTH_REQUIRED)
3101 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
3102 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3103
3104 const string message = "12345678901234567890123456789012";
3105 EXPECT_EQ(ErrorCode::OK,
3106 Begin(KeyPurpose::SIGN,
3107 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3108 string signature;
3109 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
3110}
3111
3112/*
3113 * SigningOperationsTest.RsaPkcs1Sha256Success
3114 *
3115 * Verifies that digested RSA-PKCS1 signature operations succeed.
3116 */
3117TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
3118 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3119 .RsaSigningKey(2048, 65537)
3120 .Digest(Digest::SHA_2_256)
3121 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3122 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3123 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3124 string message(1024, 'a');
3125 string signature = SignMessage(message, AuthorizationSetBuilder()
3126 .Digest(Digest::SHA_2_256)
3127 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3128}
3129
3130/*
3131 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
3132 *
3133 * Verifies that undigested RSA-PKCS1 signature operations succeed.
3134 */
3135TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
3136 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3137 .RsaSigningKey(2048, 65537)
3138 .Digest(Digest::NONE)
3139 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3140 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3141 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3142 string message(53, 'a');
3143 string signature = SignMessage(message, AuthorizationSetBuilder()
3144 .Digest(Digest::NONE)
3145 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3146}
3147
3148/*
3149 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
3150 *
3151 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
3152 * given a too-long message.
3153 */
3154TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
3155 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3156 .RsaSigningKey(2048, 65537)
3157 .Digest(Digest::NONE)
3158 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3159 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3160 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3161 string message(257, 'a');
3162
3163 EXPECT_EQ(ErrorCode::OK,
3164 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3165 .Digest(Digest::NONE)
3166 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3167 string signature;
3168 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
3169}
3170
3171/*
3172 * SigningOperationsTest.RsaPssSha512TooSmallKey
3173 *
3174 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
3175 * used with a key that is too small for the message.
3176 *
3177 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
3178 * keymint specification requires that salt_size == digest_size, so the message will be
3179 * digest_size * 2 +
3180 * 16. Such a message can only be signed by a given key if the key is at least that size. This
3181 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
3182 * for a 1024-bit key.
3183 */
3184TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]3185 if (SecLevel() == SecurityLevel::STRONGBOX) {
3186 GTEST_SKIP() << "Test not applicable to StrongBox device";
3187 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3188 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3189 .RsaSigningKey(1024, 65537)
3190 .Digest(Digest::SHA_2_512)
3191 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3192 .Padding(PaddingMode::RSA_PSS)
3193 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3194 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3195 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3196 .Digest(Digest::SHA_2_512)
3197 .Padding(PaddingMode::RSA_PSS)));
3198}
3199
3200/*
3201 * SigningOperationsTest.RsaNoPaddingTooLong
3202 *
3203 * Verifies that raw RSA signature operations fail with the correct error code when
3204 * given a too-long message.
3205 */
3206TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
3207 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3208 .RsaSigningKey(2048, 65537)
3209 .Digest(Digest::NONE)
3210 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3211 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3212 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3213 // One byte too long
3214 string message(2048 / 8 + 1, 'a');
3215 ASSERT_EQ(ErrorCode::OK,
3216 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3217 .Digest(Digest::NONE)
3218 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3219 string result;
3220 ErrorCode finish_error_code = Finish(message, &result);
3221 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3222 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3223
3224 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
3225 message = string(128 * 1024, 'a');
3226 ASSERT_EQ(ErrorCode::OK,
3227 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3228 .Digest(Digest::NONE)
3229 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3230 finish_error_code = Finish(message, &result);
3231 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3232 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3233}
3234
3235/*
3236 * SigningOperationsTest.RsaAbort
3237 *
3238 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
3239 * test, but the behavior should be algorithm and purpose-independent.
3240 */
3241TEST_P(SigningOperationsTest, RsaAbort) {
3242 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3243 .RsaSigningKey(2048, 65537)
3244 .Digest(Digest::NONE)
3245 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3246 .Padding(PaddingMode::NONE)
3247 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3248
3249 ASSERT_EQ(ErrorCode::OK,
3250 Begin(KeyPurpose::SIGN,
3251 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3252 EXPECT_EQ(ErrorCode::OK, Abort());
3253
3254 // Another abort should fail
3255 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
3256
3257 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]3258 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3259}
3260
3261/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3262 * SigningOperationsTest.RsaNonUniqueParams
3263 *
3264 * Verifies that an operation with multiple padding modes is rejected.
3265 */
3266TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
3267 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3268 .RsaSigningKey(2048, 65537)
3269 .Digest(Digest::NONE)
3270 .Digest(Digest::SHA1)
3271 .Authorization(TAG_NO_AUTH_REQUIRED)
3272 .Padding(PaddingMode::NONE)
3273 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3274 .SetDefaultValidity()));
3275
3276 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3277 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3278 .Digest(Digest::NONE)
3279 .Padding(PaddingMode::NONE)
3280 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3281
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]3282 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3283 .Digest(Digest::NONE)
3284 .Digest(Digest::SHA1)
3285 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3286 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3287
3288 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3289 Begin(KeyPurpose::SIGN,
3290 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3291}
3292
3293/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3294 * SigningOperationsTest.RsaUnsupportedPadding
3295 *
3296 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
3297 * with a padding mode inappropriate for RSA.
3298 */
3299TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
3300 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3301 .RsaSigningKey(2048, 65537)
3302 .Authorization(TAG_NO_AUTH_REQUIRED)
3303 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3304 .Padding(PaddingMode::PKCS7)
3305 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3306 ASSERT_EQ(
3307 ErrorCode::UNSUPPORTED_PADDING_MODE,
3308 Begin(KeyPurpose::SIGN,
3309 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3310 CheckedDeleteKey();
3311
3312 ASSERT_EQ(ErrorCode::OK,
3313 GenerateKey(
3314 AuthorizationSetBuilder()
3315 .RsaSigningKey(2048, 65537)
3316 .Authorization(TAG_NO_AUTH_REQUIRED)
3317 .Digest(Digest::SHA_2_256 /* supported digest */)
3318 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
3319 .SetDefaultValidity()));
3320 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3321 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3322 .Digest(Digest::SHA_2_256)
3323 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3324}
3325
3326/*
3327 * SigningOperationsTest.RsaPssNoDigest
3328 *
3329 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
3330 */
3331TEST_P(SigningOperationsTest, RsaNoDigest) {
3332 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3333 .RsaSigningKey(2048, 65537)
3334 .Authorization(TAG_NO_AUTH_REQUIRED)
3335 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3336 .Padding(PaddingMode::RSA_PSS)
3337 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3338 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3339 Begin(KeyPurpose::SIGN,
3340 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
3341
3342 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3343 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
3344}
3345
3346/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3347 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3348 *
3349 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
3350 * supported in some cases (as validated in other tests), but a mode must be specified.
3351 */
3352TEST_P(SigningOperationsTest, RsaNoPadding) {
3353 // Padding must be specified
3354 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3355 .RsaKey(2048, 65537)
3356 .Authorization(TAG_NO_AUTH_REQUIRED)
3357 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3358 .Digest(Digest::NONE)
3359 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3360 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3361 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3362}
3363
3364/*
3365 * SigningOperationsTest.RsaShortMessage
3366 *
3367 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
3368 */
3369TEST_P(SigningOperationsTest, RsaTooShortMessage) {
3370 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3371 .Authorization(TAG_NO_AUTH_REQUIRED)
3372 .RsaSigningKey(2048, 65537)
3373 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3374 .Padding(PaddingMode::NONE)
3375 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3376
3377 // Barely shorter
3378 string message(2048 / 8 - 1, 'a');
3379 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3380
3381 // Much shorter
3382 message = "a";
3383 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3384}
3385
3386/*
3387 * SigningOperationsTest.RsaSignWithEncryptionKey
3388 *
3389 * Verifies that RSA encryption keys cannot be used to sign.
3390 */
3391TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
3392 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3393 .Authorization(TAG_NO_AUTH_REQUIRED)
3394 .RsaEncryptionKey(2048, 65537)
3395 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3396 .Padding(PaddingMode::NONE)
3397 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3398 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3399 Begin(KeyPurpose::SIGN,
3400 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3401}
3402
3403/*
3404 * SigningOperationsTest.RsaSignTooLargeMessage
3405 *
3406 * Verifies that attempting a raw signature of a message which is the same length as the key,
3407 * but numerically larger than the public modulus, fails with the correct error.
3408 */
3409TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
3410 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3411 .Authorization(TAG_NO_AUTH_REQUIRED)
3412 .RsaSigningKey(2048, 65537)
3413 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3414 .Padding(PaddingMode::NONE)
3415 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3416
3417 // Largest possible message will always be larger than the public modulus.
3418 string message(2048 / 8, static_cast<char>(0xff));
3419 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3420 .Authorization(TAG_NO_AUTH_REQUIRED)
3421 .Digest(Digest::NONE)
3422 .Padding(PaddingMode::NONE)));
3423 string signature;
3424 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
3425}
3426
3427/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3428 * SigningOperationsTest.EcdsaAllDigestsAndCurves
3429 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3430 * Verifies ECDSA signature/verification for all digests and required curves.
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3431 */
3432TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3433
3434 string message = "1234567890";
3435 string corrupt_message = "2234567890";
3436 for (auto curve : ValidCurves()) {
3437 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3438 // Ed25519 only allows Digest::NONE.
3439 auto digests = (curve == EcCurve::CURVE_25519)
3440 ? std::vector<Digest>(1, Digest::NONE)
3441 : ValidDigests(true /* withNone */, false /* withMD5 */);
3442
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3443 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3444 .Authorization(TAG_NO_AUTH_REQUIRED)
3445 .EcdsaSigningKey(curve)
3446 .Digest(digests)
3447 .SetDefaultValidity());
3448 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
3449 if (error != ErrorCode::OK) {
3450 continue;
3451 }
3452
3453 for (auto digest : digests) {
3454 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
3455 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
3456 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
3457 }
3458
3459 auto rc = DeleteKey();
3460 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
3461 }
3462}
3463
3464/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3465 * SigningOperationsTest.EcdsaAllCurves
3466 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3467 * Verifies that ECDSA operations succeed with all required curves.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3468 */
3469TEST_P(SigningOperationsTest, EcdsaAllCurves) {
3470 for (auto curve : ValidCurves()) {
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3471 Digest digest = (curve == EcCurve::CURVE_25519 ? Digest::NONE : Digest::SHA_2_256);
3472 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3473 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3474 .Authorization(TAG_NO_AUTH_REQUIRED)
3475 .EcdsaSigningKey(curve)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3476 .Digest(digest)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3477 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3478 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3479 if (error != ErrorCode::OK) continue;
3480
3481 string message(1024, 'a');
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3482 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3483 CheckedDeleteKey();
3484 }
3485}
3486
3487/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3488 * SigningOperationsTest.EcdsaCurve25519
3489 *
3490 * Verifies that ECDSA operations succeed with curve25519.
3491 */
3492TEST_P(SigningOperationsTest, EcdsaCurve25519) {
3493 if (!Curve25519Supported()) {
3494 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3495 }
3496
3497 EcCurve curve = EcCurve::CURVE_25519;
3498 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3499 .Authorization(TAG_NO_AUTH_REQUIRED)
3500 .EcdsaSigningKey(curve)
3501 .Digest(Digest::NONE)
3502 .SetDefaultValidity());
3503 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3504
3505 string message(1024, 'a');
3506 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3507 CheckedDeleteKey();
3508}
3509
3510/*
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]3511 * SigningOperationsTest.EcdsaCurve25519MaxSize
3512 *
3513 * Verifies that EDDSA operations with curve25519 under the maximum message size succeed.
3514 */
3515TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSize) {
3516 if (!Curve25519Supported()) {
3517 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3518 }
3519
3520 EcCurve curve = EcCurve::CURVE_25519;
3521 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3522 .Authorization(TAG_NO_AUTH_REQUIRED)
3523 .EcdsaSigningKey(curve)
3524 .Digest(Digest::NONE)
3525 .SetDefaultValidity());
3526 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3527
3528 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3529
3530 for (size_t msg_size : {MAX_ED25519_MSG_SIZE - 1, MAX_ED25519_MSG_SIZE}) {
3531 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3532 string message(msg_size, 'a');
3533
3534 // Attempt to sign via Begin+Finish.
3535 AuthorizationSet out_params;
3536 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3537 EXPECT_TRUE(out_params.empty());
3538 string signature;
3539 auto result = Finish(message, &signature);
3540 EXPECT_EQ(result, ErrorCode::OK);
3541 LocalVerifyMessage(message, signature, params);
3542
3543 // Attempt to sign via Begin+Update+Finish
3544 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3545 EXPECT_TRUE(out_params.empty());
3546 string output;
3547 result = Update(message, &output);
3548 EXPECT_EQ(result, ErrorCode::OK);
3549 EXPECT_EQ(output.size(), 0);
3550 string signature2;
3551 EXPECT_EQ(ErrorCode::OK, Finish({}, &signature2));
3552 LocalVerifyMessage(message, signature2, params);
3553 }
3554
3555 CheckedDeleteKey();
3556}
3557
3558/*
3559 * SigningOperationsTest.EcdsaCurve25519MaxSizeFail
3560 *
3561 * Verifies that EDDSA operations with curve25519 fail when message size is too large.
3562 */
3563TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSizeFail) {
3564 if (!Curve25519Supported()) {
3565 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3566 }
3567
3568 EcCurve curve = EcCurve::CURVE_25519;
3569 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3570 .Authorization(TAG_NO_AUTH_REQUIRED)
3571 .EcdsaSigningKey(curve)
3572 .Digest(Digest::NONE)
3573 .SetDefaultValidity());
3574 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3575
3576 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3577
3578 for (size_t msg_size : {MAX_ED25519_MSG_SIZE + 1, MAX_ED25519_MSG_SIZE * 2}) {
3579 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3580 string message(msg_size, 'a');
3581
3582 // Attempt to sign via Begin+Finish.
3583 AuthorizationSet out_params;
3584 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3585 EXPECT_TRUE(out_params.empty());
3586 string signature;
3587 auto result = Finish(message, &signature);
3588 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3589
3590 // Attempt to sign via Begin+Update (but never get to Finish)
3591 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3592 EXPECT_TRUE(out_params.empty());
3593 string output;
3594 result = Update(message, &output);
3595 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3596 }
3597
3598 CheckedDeleteKey();
3599}
3600
3601/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3602 * SigningOperationsTest.EcdsaNoDigestHugeData
3603 *
3604 * Verifies that ECDSA operations support very large messages, even without digesting. This
3605 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
3606 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
3607 * the framework.
3608 */
3609TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
3610 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3611 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3612 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3613 .Digest(Digest::NONE)
3614 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3615 string message(1 * 1024, 'a');
3616 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3617}
3618
3619/*
3620 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
3621 *
3622 * Verifies that using an EC key requires the correct app ID/data.
3623 */
3624TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
3625 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3626 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3627 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3628 .Digest(Digest::NONE)
3629 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3630 .Authorization(TAG_APPLICATION_DATA, "appdata")
3631 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3632
3633 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3634
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3635 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3636 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3637 AbortIfNeeded();
3638 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3639 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3640 .Digest(Digest::NONE)
3641 .Authorization(TAG_APPLICATION_ID, "clientid")));
3642 AbortIfNeeded();
3643 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3644 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3645 .Digest(Digest::NONE)
3646 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3647 AbortIfNeeded();
3648 EXPECT_EQ(ErrorCode::OK,
3649 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3650 .Digest(Digest::NONE)
3651 .Authorization(TAG_APPLICATION_DATA, "appdata")
3652 .Authorization(TAG_APPLICATION_ID, "clientid")));
3653 AbortIfNeeded();
3654}
3655
3656/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3657 * SigningOperationsTest.EcdsaIncompatibleDigest
3658 *
3659 * Verifies that using an EC key requires compatible digest.
3660 */
3661TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
3662 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3663 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3664 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3665 .Digest(Digest::NONE)
3666 .Digest(Digest::SHA1)
3667 .SetDefaultValidity()));
3668 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3669 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
3670 AbortIfNeeded();
3671}
3672
3673/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3674 * SigningOperationsTest.AesEcbSign
3675 *
3676 * Verifies that attempts to use AES keys to sign fail in the correct way.
3677 */
3678TEST_P(SigningOperationsTest, AesEcbSign) {
3679 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3680 .Authorization(TAG_NO_AUTH_REQUIRED)
3681 .SigningKey()
3682 .AesEncryptionKey(128)
3683 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
3684
3685 AuthorizationSet out_params;
3686 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3687 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
3688 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3689 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
3690}
3691
3692/*
3693 * SigningOperationsTest.HmacAllDigests
3694 *
3695 * Verifies that HMAC works with all digests.
3696 */
3697TEST_P(SigningOperationsTest, HmacAllDigests) {
3698 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]3699 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3700 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3701 .Authorization(TAG_NO_AUTH_REQUIRED)
3702 .HmacKey(128)
3703 .Digest(digest)
3704 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
3705 << "Failed to create HMAC key with digest " << digest;
3706 string message = "12345678901234567890123456789012";
3707 string signature = MacMessage(message, digest, 160);
3708 EXPECT_EQ(160U / 8U, signature.size())
3709 << "Failed to sign with HMAC key with digest " << digest;
3710 CheckedDeleteKey();
3711 }
3712}
3713
3714/*
3715 * SigningOperationsTest.HmacSha256TooLargeMacLength
3716 *
3717 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
3718 * digest size.
3719 */
3720TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
3721 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3722 .Authorization(TAG_NO_AUTH_REQUIRED)
3723 .HmacKey(128)
3724 .Digest(Digest::SHA_2_256)
3725 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
3726 AuthorizationSet output_params;
3727 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3728 AuthorizationSetBuilder()
3729 .Digest(Digest::SHA_2_256)
3730 .Authorization(TAG_MAC_LENGTH, 264),
3731 &output_params));
3732}
3733
3734/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3735 * SigningOperationsTest.HmacSha256InvalidMacLength
3736 *
3737 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
3738 * not a multiple of 8.
3739 */
3740TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
3741 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3742 .Authorization(TAG_NO_AUTH_REQUIRED)
3743 .HmacKey(128)
3744 .Digest(Digest::SHA_2_256)
3745 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
3746 AuthorizationSet output_params;
3747 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3748 AuthorizationSetBuilder()
3749 .Digest(Digest::SHA_2_256)
3750 .Authorization(TAG_MAC_LENGTH, 161),
3751 &output_params));
3752}
3753
3754/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3755 * SigningOperationsTest.HmacSha256TooSmallMacLength
3756 *
3757 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
3758 * specified minimum MAC length.
3759 */
3760TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3761 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3762 .Authorization(TAG_NO_AUTH_REQUIRED)
3763 .HmacKey(128)
3764 .Digest(Digest::SHA_2_256)
3765 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3766 AuthorizationSet output_params;
3767 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3768 AuthorizationSetBuilder()
3769 .Digest(Digest::SHA_2_256)
3770 .Authorization(TAG_MAC_LENGTH, 120),
3771 &output_params));
3772}
3773
3774/*
3775 * SigningOperationsTest.HmacRfc4231TestCase3
3776 *
3777 * Validates against the test vectors from RFC 4231 test case 3.
3778 */
3779TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3780 string key(20, 0xaa);
3781 string message(50, 0xdd);
3782 uint8_t sha_224_expected[] = {
3783 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3784 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3785 };
3786 uint8_t sha_256_expected[] = {
3787 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3788 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3789 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3790 };
3791 uint8_t sha_384_expected[] = {
3792 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3793 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3794 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3795 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3796 };
3797 uint8_t sha_512_expected[] = {
3798 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3799 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3800 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3801 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3802 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3803 };
3804
3805 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3806 if (SecLevel() != SecurityLevel::STRONGBOX) {
3807 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3808 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3809 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3810 }
3811}
3812
3813/*
3814 * SigningOperationsTest.HmacRfc4231TestCase5
3815 *
3816 * Validates against the test vectors from RFC 4231 test case 5.
3817 */
3818TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3819 string key(20, 0x0c);
3820 string message = "Test With Truncation";
3821
3822 uint8_t sha_224_expected[] = {
3823 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3824 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3825 };
3826 uint8_t sha_256_expected[] = {
3827 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3828 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3829 };
3830 uint8_t sha_384_expected[] = {
3831 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3832 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3833 };
3834 uint8_t sha_512_expected[] = {
3835 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3836 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3837 };
3838
3839 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3840 if (SecLevel() != SecurityLevel::STRONGBOX) {
3841 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3842 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3843 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3844 }
3845}
3846
3847INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3848
3849typedef KeyMintAidlTestBase VerificationOperationsTest;
3850
3851/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3852 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3853 *
3854 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3855 */
3856TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3857 string key_material = "HelloThisIsAKey";
3858
3859 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3860 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3861 EXPECT_EQ(ErrorCode::OK,
3862 ImportKey(AuthorizationSetBuilder()
3863 .Authorization(TAG_NO_AUTH_REQUIRED)
3864 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3865 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3866 .Digest(Digest::SHA_2_256)
3867 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3868 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3869 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3870 EXPECT_EQ(ErrorCode::OK,
3871 ImportKey(AuthorizationSetBuilder()
3872 .Authorization(TAG_NO_AUTH_REQUIRED)
3873 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3874 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3875 .Digest(Digest::SHA_2_256)
3876 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3877 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3878 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3879
3880 string message = "This is a message.";
3881 string signature = SignMessage(
3882 signing_key, message,
3883 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3884
3885 // Signing key should not work.
3886 AuthorizationSet out_params;
3887 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3888 Begin(KeyPurpose::VERIFY, signing_key,
3889 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3890
3891 // Verification key should work.
3892 VerifyMessage(verification_key, message, signature,
3893 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3894}
3895
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3896/*
3897 * VerificationOperationsTest.HmacVerificationFailsForCorruptSignature
3898 *
3899 * Verifies HMAC signature verification should fails if message or signature is corrupted.
3900 */
3901TEST_P(VerificationOperationsTest, HmacVerificationFailsForCorruptSignature) {
3902 string key_material = "HelloThisIsAKey";
3903
3904 vector<uint8_t> signing_key, verification_key;
3905 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
3906 EXPECT_EQ(ErrorCode::OK,
3907 ImportKey(AuthorizationSetBuilder()
3908 .Authorization(TAG_NO_AUTH_REQUIRED)
3909 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3910 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3911 .Digest(Digest::SHA_2_256)
3912 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3913 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3914 KeyBlobDeleter sign_deleter(keymint_, signing_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3915 EXPECT_EQ(ErrorCode::OK,
3916 ImportKey(AuthorizationSetBuilder()
3917 .Authorization(TAG_NO_AUTH_REQUIRED)
3918 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3919 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3920 .Digest(Digest::SHA_2_256)
3921 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3922 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]3923 KeyBlobDeleter verify_deleter(keymint_, verification_key);
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3924
3925 string message = "This is a message.";
3926 string signature = SignMessage(
3927 signing_key, message,
3928 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3929
3930 AuthorizationSet begin_out_params;
3931 ASSERT_EQ(ErrorCode::OK,
3932 Begin(KeyPurpose::VERIFY, verification_key,
3933 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3934
3935 string corruptMessage = "This is b message."; // Corrupted message
3936 string output;
3937 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corruptMessage, signature, &output));
3938
3939 ASSERT_EQ(ErrorCode::OK,
3940 Begin(KeyPurpose::VERIFY, verification_key,
3941 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3942
3943 signature[0] += 1; // Corrupt a signature
3944 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, signature, &output));
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3945}
3946
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3947INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3948
3949typedef KeyMintAidlTestBase ExportKeyTest;
3950
3951/*
3952 * ExportKeyTest.RsaUnsupportedKeyFormat
3953 *
3954 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3955 */
3956// TODO(seleneh) add ExportKey to GenerateKey
3957// check result
3958
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]3959class ImportKeyTest : public NewKeyGenerationTest {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3960 public:
3961 template <TagType tag_type, Tag tag, typename ValueT>
3962 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3963 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3964 for (auto& entry : key_characteristics_) {
3965 if (entry.securityLevel == SecLevel()) {
3966 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3967 << "Tag " << tag << " with value " << expected
3968 << " not found at security level" << entry.securityLevel;
3969 } else {
3970 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3971 << "Tag " << tag << " found at security level " << entry.securityLevel;
3972 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3973 }
3974 }
3975
3976 void CheckOrigin() {
3977 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3978 // Origin isn't a crypto param, but it always lives with them.
3979 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3980 }
3981};
3982
3983/*
3984 * ImportKeyTest.RsaSuccess
3985 *
3986 * Verifies that importing and using an RSA key pair works correctly.
3987 */
3988TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3989 uint32_t key_size;
3990 string key;
3991
3992 if (SecLevel() == SecurityLevel::STRONGBOX) {
3993 key_size = 2048;
3994 key = rsa_2048_key;
3995 } else {
3996 key_size = 1024;
3997 key = rsa_key;
3998 }
3999
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4000 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4001 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]4002 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4003 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4004 .Padding(PaddingMode::RSA_PSS)
4005 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]4006 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4007
4008 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]4009 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4010 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4011 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4012 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
4013 CheckOrigin();
4014
4015 string message(1024 / 8, 'a');
4016 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
4017 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4018 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4019}
4020
4021/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4022 * ImportKeyTest.RsaSuccessWithoutParams
4023 *
4024 * Verifies that importing and using an RSA key pair without specifying parameters
4025 * works correctly.
4026 */
4027TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
4028 uint32_t key_size;
4029 string key;
4030
4031 if (SecLevel() == SecurityLevel::STRONGBOX) {
4032 key_size = 2048;
4033 key = rsa_2048_key;
4034 } else {
4035 key_size = 1024;
4036 key = rsa_key;
4037 }
4038
4039 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4040 .Authorization(TAG_NO_AUTH_REQUIRED)
4041 .SigningKey()
4042 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
4043 .Digest(Digest::SHA_2_256)
4044 .Padding(PaddingMode::RSA_PSS)
4045 .SetDefaultValidity(),
4046 KeyFormat::PKCS8, key));
4047
4048 // Key size and public exponent are determined from the imported key material.
4049 CheckCryptoParam(TAG_KEY_SIZE, key_size);
4050 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
4051
4052 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
4053 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4054 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
4055 CheckOrigin();
4056
4057 string message(1024 / 8, 'a');
4058 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
4059 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4060 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4061}
4062
4063/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4064 * ImportKeyTest.RsaKeySizeMismatch
4065 *
4066 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
4067 * correct way.
4068 */
4069TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
4070 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4071 ImportKey(AuthorizationSetBuilder()
4072 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
4073 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4074 .Padding(PaddingMode::NONE)
4075 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4076 KeyFormat::PKCS8, rsa_key));
4077}
4078
4079/*
4080 * ImportKeyTest.RsaPublicExponentMismatch
4081 *
4082 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
4083 * fails in the correct way.
4084 */
4085TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
4086 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4087 ImportKey(AuthorizationSetBuilder()
4088 .RsaSigningKey(1024, 3 /* Doesn't match key */)
4089 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4090 .Padding(PaddingMode::NONE)
4091 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4092 KeyFormat::PKCS8, rsa_key));
4093}
4094
4095/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4096 * ImportKeyTest.RsaAttestMultiPurposeFail
4097 *
4098 * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
4099 */
4100TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4101 if (AidlVersion() < 2) {
4102 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4103 // with other key purposes. However, this was not checked at the time
4104 // so we can only be strict about checking this for implementations of KeyMint
4105 // version 2 and above.
4106 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4107 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4108 uint32_t key_size = 2048;
4109 string key = rsa_2048_key;
4110
4111 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4112 ImportKey(AuthorizationSetBuilder()
4113 .Authorization(TAG_NO_AUTH_REQUIRED)
4114 .RsaSigningKey(key_size, 65537)
4115 .AttestKey()
4116 .Digest(Digest::SHA_2_256)
4117 .Padding(PaddingMode::RSA_PSS)
4118 .SetDefaultValidity(),
4119 KeyFormat::PKCS8, key));
4120}
4121
4122/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4123 * ImportKeyTest.EcdsaSuccess
4124 *
4125 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
4126 */
4127TEST_P(ImportKeyTest, EcdsaSuccess) {
4128 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4129 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4130 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4131 .Digest(Digest::SHA_2_256)
4132 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4133 KeyFormat::PKCS8, ec_256_key));
4134
4135 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4136 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4137 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4138
4139 CheckOrigin();
4140
4141 string message(32, 'a');
4142 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4143 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4144 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4145}
4146
4147/*
4148 * ImportKeyTest.EcdsaP256RFC5915Success
4149 *
4150 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
4151 * correctly.
4152 */
4153TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
4154 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4155 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4156 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4157 .Digest(Digest::SHA_2_256)
4158 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4159 KeyFormat::PKCS8, ec_256_key_rfc5915));
4160
4161 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4162 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4163 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4164
4165 CheckOrigin();
4166
4167 string message(32, 'a');
4168 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4169 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4170 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4171}
4172
4173/*
4174 * ImportKeyTest.EcdsaP256SEC1Success
4175 *
4176 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
4177 */
4178TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
4179 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4180 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4181 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4182 .Digest(Digest::SHA_2_256)
4183 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4184 KeyFormat::PKCS8, ec_256_key_sec1));
4185
4186 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4187 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4188 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4189
4190 CheckOrigin();
4191
4192 string message(32, 'a');
4193 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4194 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4195 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4196}
4197
4198/*
4199 * ImportKeyTest.Ecdsa521Success
4200 *
4201 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
4202 */
4203TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4204 if (SecLevel() == SecurityLevel::STRONGBOX) {
4205 GTEST_SKIP() << "Test not applicable to StrongBox device";
4206 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4207 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4208 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4209 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4210 .Digest(Digest::SHA_2_256)
4211 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4212 KeyFormat::PKCS8, ec_521_key));
4213
4214 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4215 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4216 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
4217 CheckOrigin();
4218
4219 string message(32, 'a');
4220 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4221 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4222 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4223}
4224
4225/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4226 * ImportKeyTest.EcdsaCurveMismatch
4227 *
4228 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
4229 * the correct way.
4230 */
4231TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
4232 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4233 ImportKey(AuthorizationSetBuilder()
4234 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4235 .Digest(Digest::NONE)
4236 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4237 KeyFormat::PKCS8, ec_256_key));
4238}
4239
4240/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4241 * ImportKeyTest.EcdsaAttestMultiPurposeFail
4242 *
4243 * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
4244 */
4245TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4246 if (AidlVersion() < 2) {
4247 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4248 // with other key purposes. However, this was not checked at the time
4249 // so we can only be strict about checking this for implementations of KeyMint
4250 // version 2 and above.
4251 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4252 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4253 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4254 ImportKey(AuthorizationSetBuilder()
4255 .Authorization(TAG_NO_AUTH_REQUIRED)
4256 .EcdsaSigningKey(EcCurve::P_256)
4257 .AttestKey()
4258 .Digest(Digest::SHA_2_256)
4259 .SetDefaultValidity(),
4260 KeyFormat::PKCS8, ec_256_key));
4261}
4262
4263/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]4264 * ImportKeyTest.Ed25519RawSuccess
4265 *
4266 * Verifies that importing and using a raw Ed25519 private key works correctly.
4267 */
4268TEST_P(ImportKeyTest, Ed25519RawSuccess) {
4269 if (!Curve25519Supported()) {
4270 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4271 }
4272
4273 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4274 .Authorization(TAG_NO_AUTH_REQUIRED)
4275 .EcdsaSigningKey(EcCurve::CURVE_25519)
4276 .Digest(Digest::NONE)
4277 .SetDefaultValidity(),
4278 KeyFormat::RAW, ed25519_key));
4279 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4280 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4281 CheckOrigin();
4282
4283 // The returned cert should hold the correct public key.
4284 ASSERT_GT(cert_chain_.size(), 0);
4285 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4286 ASSERT_NE(kmKeyCert, nullptr);
4287 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4288 ASSERT_NE(kmPubKey.get(), nullptr);
4289 size_t kmPubKeySize = 32;
4290 uint8_t kmPubKeyData[32];
4291 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4292 ASSERT_EQ(kmPubKeySize, 32);
4293 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4294
4295 string message(32, 'a');
4296 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4297 string signature = SignMessage(message, params);
4298 LocalVerifyMessage(message, signature, params);
4299}
4300
4301/*
4302 * ImportKeyTest.Ed25519Pkcs8Success
4303 *
4304 * Verifies that importing and using a PKCS#8-encoded Ed25519 private key works correctly.
4305 */
4306TEST_P(ImportKeyTest, Ed25519Pkcs8Success) {
4307 if (!Curve25519Supported()) {
4308 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4309 }
4310
4311 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4312 .Authorization(TAG_NO_AUTH_REQUIRED)
4313 .EcdsaSigningKey(EcCurve::CURVE_25519)
4314 .Digest(Digest::NONE)
4315 .SetDefaultValidity(),
4316 KeyFormat::PKCS8, ed25519_pkcs8_key));
4317 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4318 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4319 CheckOrigin();
4320
4321 // The returned cert should hold the correct public key.
4322 ASSERT_GT(cert_chain_.size(), 0);
4323 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4324 ASSERT_NE(kmKeyCert, nullptr);
4325 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4326 ASSERT_NE(kmPubKey.get(), nullptr);
4327 size_t kmPubKeySize = 32;
4328 uint8_t kmPubKeyData[32];
4329 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4330 ASSERT_EQ(kmPubKeySize, 32);
4331 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4332
4333 string message(32, 'a');
4334 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4335 string signature = SignMessage(message, params);
4336 LocalVerifyMessage(message, signature, params);
4337}
4338
4339/*
4340 * ImportKeyTest.Ed25519CurveMismatch
4341 *
4342 * Verifies that importing an Ed25519 key pair with a curve that doesn't match the key fails in
4343 * the correct way.
4344 */
4345TEST_P(ImportKeyTest, Ed25519CurveMismatch) {
4346 if (!Curve25519Supported()) {
4347 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4348 }
4349
4350 ASSERT_NE(ErrorCode::OK,
4351 ImportKey(AuthorizationSetBuilder()
4352 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
4353 .Digest(Digest::NONE)
4354 .SetDefaultValidity(),
4355 KeyFormat::RAW, ed25519_key));
4356}
4357
4358/*
4359 * ImportKeyTest.Ed25519FormatMismatch
4360 *
4361 * Verifies that importing an Ed25519 key pair with an invalid format fails.
4362 */
4363TEST_P(ImportKeyTest, Ed25519FormatMismatch) {
4364 if (!Curve25519Supported()) {
4365 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4366 }
4367
4368 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4369 .EcdsaSigningKey(EcCurve::CURVE_25519)
4370 .Digest(Digest::NONE)
4371 .SetDefaultValidity(),
4372 KeyFormat::PKCS8, ed25519_key));
4373 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4374 .EcdsaSigningKey(EcCurve::CURVE_25519)
4375 .Digest(Digest::NONE)
4376 .SetDefaultValidity(),
4377 KeyFormat::RAW, ed25519_pkcs8_key));
4378}
4379
4380/*
4381 * ImportKeyTest.Ed25519PurposeMismatch
4382 *
4383 * Verifies that importing an Ed25519 key pair with an invalid purpose fails.
4384 */
4385TEST_P(ImportKeyTest, Ed25519PurposeMismatch) {
4386 if (!Curve25519Supported()) {
4387 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4388 }
4389
4390 // Can't have both SIGN and ATTEST_KEY
4391 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4392 .EcdsaSigningKey(EcCurve::CURVE_25519)
4393 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4394 .Digest(Digest::NONE)
4395 .SetDefaultValidity(),
4396 KeyFormat::RAW, ed25519_key));
4397 // AGREE_KEY is for X25519 (but can only tell the difference if the import key is in
4398 // PKCS#8 format and so includes an OID).
4399 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4400 .EcdsaKey(EcCurve::CURVE_25519)
4401 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4402 .Digest(Digest::NONE)
4403 .SetDefaultValidity(),
4404 KeyFormat::PKCS8, ed25519_pkcs8_key));
4405}
4406
4407/*
4408 * ImportKeyTest.X25519RawSuccess
4409 *
4410 * Verifies that importing and using a raw X25519 private key works correctly.
4411 */
4412TEST_P(ImportKeyTest, X25519RawSuccess) {
4413 if (!Curve25519Supported()) {
4414 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4415 }
4416
4417 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4418 .Authorization(TAG_NO_AUTH_REQUIRED)
4419 .EcdsaKey(EcCurve::CURVE_25519)
4420 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4421 .SetDefaultValidity(),
4422 KeyFormat::RAW, x25519_key));
4423
4424 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4425 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4426 CheckOrigin();
4427}
4428
4429/*
4430 * ImportKeyTest.X25519Pkcs8Success
4431 *
4432 * Verifies that importing and using a PKCS#8-encoded X25519 private key works correctly.
4433 */
4434TEST_P(ImportKeyTest, X25519Pkcs8Success) {
4435 if (!Curve25519Supported()) {
4436 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4437 }
4438
4439 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4440 .Authorization(TAG_NO_AUTH_REQUIRED)
4441 .EcdsaKey(EcCurve::CURVE_25519)
4442 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4443 .SetDefaultValidity(),
4444 KeyFormat::PKCS8, x25519_pkcs8_key));
4445
4446 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4447 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4448 CheckOrigin();
4449}
4450
4451/*
4452 * ImportKeyTest.X25519CurveMismatch
4453 *
4454 * Verifies that importing an X25519 key with a curve that doesn't match the key fails in
4455 * the correct way.
4456 */
4457TEST_P(ImportKeyTest, X25519CurveMismatch) {
4458 if (!Curve25519Supported()) {
4459 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4460 }
4461
4462 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4463 .EcdsaKey(EcCurve::P_224 /* Doesn't match key */)
4464 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4465 .SetDefaultValidity(),
4466 KeyFormat::RAW, x25519_key));
4467}
4468
4469/*
4470 * ImportKeyTest.X25519FormatMismatch
4471 *
4472 * Verifies that importing an X25519 key with an invalid format fails.
4473 */
4474TEST_P(ImportKeyTest, X25519FormatMismatch) {
4475 if (!Curve25519Supported()) {
4476 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4477 }
4478
4479 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4480 .EcdsaKey(EcCurve::CURVE_25519)
4481 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4482 .SetDefaultValidity(),
4483 KeyFormat::PKCS8, x25519_key));
4484 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4485 .EcdsaKey(EcCurve::CURVE_25519)
4486 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4487 .SetDefaultValidity(),
4488 KeyFormat::RAW, x25519_pkcs8_key));
4489}
4490
4491/*
4492 * ImportKeyTest.X25519PurposeMismatch
4493 *
4494 * Verifies that importing an X25519 key pair with an invalid format fails.
4495 */
4496TEST_P(ImportKeyTest, X25519PurposeMismatch) {
4497 if (!Curve25519Supported()) {
4498 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4499 }
4500
4501 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4502 .EcdsaKey(EcCurve::CURVE_25519)
4503 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4504 .SetDefaultValidity(),
4505 KeyFormat::PKCS8, x25519_pkcs8_key));
4506 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4507 .EcdsaSigningKey(EcCurve::CURVE_25519)
4508 .SetDefaultValidity(),
4509 KeyFormat::PKCS8, x25519_pkcs8_key));
4510}
4511
4512/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4513 * ImportKeyTest.AesSuccess
4514 *
4515 * Verifies that importing and using an AES key works.
4516 */
4517TEST_P(ImportKeyTest, AesSuccess) {
4518 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4519 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4520 .Authorization(TAG_NO_AUTH_REQUIRED)
4521 .AesEncryptionKey(key.size() * 8)
4522 .EcbMode()
4523 .Padding(PaddingMode::PKCS7),
4524 KeyFormat::RAW, key));
4525
4526 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
4527 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4528 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4529 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4530 CheckOrigin();
4531
4532 string message = "Hello World!";
4533 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4534 string ciphertext = EncryptMessage(message, params);
4535 string plaintext = DecryptMessage(ciphertext, params);
4536 EXPECT_EQ(message, plaintext);
4537}
4538
4539/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4540 * ImportKeyTest.AesFailure
4541 *
4542 * Verifies that importing an invalid AES key fails.
4543 */
4544TEST_P(ImportKeyTest, AesFailure) {
4545 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4546 uint32_t bitlen = key.size() * 8;
4547 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4548 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4549 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4550 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4551 .Authorization(TAG_NO_AUTH_REQUIRED)
4552 .AesEncryptionKey(key_size)
4553 .EcbMode()
4554 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4555 KeyFormat::RAW, key);
4556 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4557 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4558 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4559 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4560
4561 // Explicit key size matches that of the provided key, but it's not a valid size.
4562 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4563 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4564 ImportKey(AuthorizationSetBuilder()
4565 .Authorization(TAG_NO_AUTH_REQUIRED)
4566 .AesEncryptionKey(long_key.size() * 8)
4567 .EcbMode()
4568 .Padding(PaddingMode::PKCS7),
4569 KeyFormat::RAW, long_key));
4570 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4571 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4572 ImportKey(AuthorizationSetBuilder()
4573 .Authorization(TAG_NO_AUTH_REQUIRED)
4574 .AesEncryptionKey(short_key.size() * 8)
4575 .EcbMode()
4576 .Padding(PaddingMode::PKCS7),
4577 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4578}
4579
4580/*
4581 * ImportKeyTest.TripleDesSuccess
4582 *
4583 * Verifies that importing and using a 3DES key works.
4584 */
4585TEST_P(ImportKeyTest, TripleDesSuccess) {
4586 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
4587 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4588 .Authorization(TAG_NO_AUTH_REQUIRED)
4589 .TripleDesEncryptionKey(168)
4590 .EcbMode()
4591 .Padding(PaddingMode::PKCS7),
4592 KeyFormat::RAW, key));
4593
4594 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
4595 CheckCryptoParam(TAG_KEY_SIZE, 168U);
4596 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4597 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4598 CheckOrigin();
4599
4600 string message = "Hello World!";
4601 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4602 string ciphertext = EncryptMessage(message, params);
4603 string plaintext = DecryptMessage(ciphertext, params);
4604 EXPECT_EQ(message, plaintext);
4605}
4606
4607/*
4608 * ImportKeyTest.TripleDesFailure
4609 *
4610 * Verifies that importing an invalid 3DES key fails.
4611 */
4612TEST_P(ImportKeyTest, TripleDesFailure) {
4613 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4614 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4615 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]4616 SCOPED_TRACE(testing::Message() << "import-key-size=" << key_size);
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4617 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4618 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4619 .Authorization(TAG_NO_AUTH_REQUIRED)
4620 .TripleDesEncryptionKey(key_size)
4621 .EcbMode()
4622 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4623 KeyFormat::RAW, key);
4624 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4625 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4626 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4627 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4628 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4629 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4630 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4631 ImportKey(AuthorizationSetBuilder()
4632 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4633 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4634 .EcbMode()
4635 .Padding(PaddingMode::PKCS7),
4636 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4637 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4638 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4639 ImportKey(AuthorizationSetBuilder()
4640 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4641 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4642 .EcbMode()
4643 .Padding(PaddingMode::PKCS7),
4644 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4645}
4646
4647/*
4648 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4649 *
4650 * Verifies that importing and using an HMAC key works.
4651 */
4652TEST_P(ImportKeyTest, HmacKeySuccess) {
4653 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4654 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4655 .Authorization(TAG_NO_AUTH_REQUIRED)
4656 .HmacKey(key.size() * 8)
4657 .Digest(Digest::SHA_2_256)
4658 .Authorization(TAG_MIN_MAC_LENGTH, 256),
4659 KeyFormat::RAW, key));
4660
4661 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
4662 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4663 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4664 CheckOrigin();
4665
4666 string message = "Hello World!";
4667 string signature = MacMessage(message, Digest::SHA_2_256, 256);
4668 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
4669}
4670
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame]4671/*
4672 * ImportKeyTest.GetKeyCharacteristics
4673 *
4674 * Verifies that imported keys have the correct characteristics.
4675 */
4676TEST_P(ImportKeyTest, GetKeyCharacteristics) {
4677 vector<uint8_t> key_blob;
4678 vector<KeyCharacteristics> key_characteristics;
4679 auto base_builder = AuthorizationSetBuilder()
4680 .Padding(PaddingMode::NONE)
4681 .Authorization(TAG_NO_AUTH_REQUIRED)
4682 .SetDefaultValidity();
4683 vector<Algorithm> algorithms = {Algorithm::RSA, Algorithm::EC, Algorithm::HMAC, Algorithm::AES,
4684 Algorithm::TRIPLE_DES};
4685 ErrorCode result;
4686 string symKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98"); // 128 bits
4687 string tdesKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358"); // 192 bits
4688 for (auto alg : algorithms) {
4689 SCOPED_TRACE(testing::Message() << "Algorithm-" << alg);
4690 AuthorizationSetBuilder builder(base_builder);
4691 switch (alg) {
4692 case Algorithm::RSA:
4693 builder.RsaSigningKey(2048, 65537).Digest(Digest::NONE);
4694
4695 result = ImportKey(builder, KeyFormat::PKCS8, rsa_2048_key, &key_blob,
4696 &key_characteristics);
4697 break;
4698 case Algorithm::EC:
4699 builder.EcdsaSigningKey(EcCurve::P_256).Digest(Digest::NONE);
4700 result = ImportKey(builder, KeyFormat::PKCS8, ec_256_key, &key_blob,
4701 &key_characteristics);
4702 break;
4703 case Algorithm::HMAC:
4704 builder.HmacKey(128)
4705 .Digest(Digest::SHA_2_256)
4706 .Authorization(TAG_MIN_MAC_LENGTH, 128);
4707 result =
4708 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4709 break;
4710 case Algorithm::AES:
4711 builder.AesEncryptionKey(128).BlockMode(BlockMode::ECB);
4712 result =
4713 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4714 break;
4715 case Algorithm::TRIPLE_DES:
4716 builder.TripleDesEncryptionKey(168).BlockMode(BlockMode::ECB);
4717 result = ImportKey(builder, KeyFormat::RAW, tdesKey, &key_blob,
4718 &key_characteristics);
4719 break;
4720 default:
4721 ADD_FAILURE() << "Invalid Algorithm " << uint32_t(alg);
4722 continue;
4723 }
4724 ASSERT_EQ(ErrorCode::OK, result);
4725 CheckCharacteristics(key_blob, key_characteristics);
4726 CheckCommonParams(key_characteristics, KeyOrigin::IMPORTED);
4727 }
4728}
4729
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4730INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
4731
4732auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4733 // IKeyMintDevice.aidl
4734 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4735 "020100" // INTEGER length 1 value 0x00 (version)
4736 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4737 "934bf94e2aa28a3f83c9f79297250262"
4738 "fbe3276b5a1c91159bbfa3ef8957aac8"
4739 "4b59b30b455a79c2973480823d8b3863"
4740 "c3deef4a8e243590268d80e18751a0e1"
4741 "30f67ce6a1ace9f79b95e097474febc9"
4742 "81195b1d13a69086c0863f66a7b7fdb4"
4743 "8792227b1ac5e2489febdf087ab54864"
4744 "83033a6f001ca5d1ec1e27f5c30f4cec"
4745 "2642074a39ae68aee552e196627a8e3d"
4746 "867e67a8c01b11e75f13cca0a97ab668"
4747 "b50cda07a8ecb7cd8e3dd7009c963653"
4748 "4f6f239cffe1fc8daa466f78b676c711"
4749 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
4750 "99b801597d5220e307eaa5bee507fb94"
4751 "d1fa69f9e519b2de315bac92c36f2ea1"
4752 "fa1df4478c0ddedeae8c70e0233cd098"
4753 "040c" // OCTET STRING length 0x0c (initializationVector)
4754 "d796b02c370f1fa4cc0124f1"
4755 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4756 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4757 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4758 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4759 "3106" // SET length 0x06
4760 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4761 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4762 // } end SET
4763 // } end [1]
4764 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4765 "020120" // INTEGER length 1 value 0x20 (AES)
4766 // } end [2]
4767 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4768 "02020100" // INTEGER length 2 value 0x100
4769 // } end [3]
4770 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
4771 "3103" // SET length 0x03 {
4772 "020101" // INTEGER length 1 value 0x01 (ECB)
4773 // } end SET
4774 // } end [4]
4775 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4776 "3103" // SET length 0x03 {
4777 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4778 // } end SET
4779 // } end [5]
4780 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4781 // (noAuthRequired)
4782 "0500" // NULL
4783 // } end [503]
4784 // } end SEQUENCE (AuthorizationList)
4785 // } end SEQUENCE (KeyDescription)
4786 "0420" // OCTET STRING length 0x20 (encryptedKey)
4787 "ccd540855f833a5e1480bfd2d36faf3a"
4788 "eee15df5beabe2691bc82dde2a7aa910"
4789 "0410" // OCTET STRING length 0x10 (tag)
4790 "64c9f689c60ff6223ab6e6999e0eb6e5"
4791 // } SEQUENCE (SecureKeyWrapper)
4792);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4793
4794auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4795 // IKeyMintDevice.aidl
4796 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4797 "020100" // INTEGER length 1 value 0x00 (version)
4798 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4799 "aad93ed5924f283b4bb5526fbe7a1412"
4800 "f9d9749ec30db9062b29e574a8546f33"
4801 "c88732452f5b8e6a391ee76c39ed1712"
4802 "c61d8df6213dec1cffbc17a8c6d04c7b"
4803 "30893d8daa9b2015213e219468215532"
4804 "07f8f9931c4caba23ed3bee28b36947e"
4805 "47f10e0a5c3dc51c988a628daad3e5e1"
4806 "f4005e79c2d5a96c284b4b8d7e4948f3"
4807 "31e5b85dd5a236f85579f3ea1d1b8484"
4808 "87470bdb0ab4f81a12bee42c99fe0df4"
4809 "bee3759453e69ad1d68a809ce06b949f"
4810 "7694a990429b2fe81e066ff43e56a216"
4811 "02db70757922a4bcc23ab89f1e35da77"
4812 "586775f423e519c2ea394caf48a28d0c"
4813 "8020f1dcf6b3a68ec246f615ae96dae9"
4814 "a079b1f6eb959033c1af5c125fd94168"
4815 "040c" // OCTET STRING length 0x0c (initializationVector)
4816 "6d9721d08589581ab49204a3"
4817 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4818 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4819 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4820 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4821 "3106" // SET length 0x06
4822 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4823 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4824 // } end SET
4825 // } end [1]
4826 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4827 "020120" // INTEGER length 1 value 0x20 (AES)
4828 // } end [2]
4829 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4830 "02020100" // INTEGER length 2 value 0x100
4831 // } end [3]
4832 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
4833 "3103" // SET length 0x03 {
4834 "020101" // INTEGER length 1 value 0x01 (ECB)
4835 // } end SET
4836 // } end [4]
4837 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4838 "3103" // SET length 0x03 {
4839 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4840 // } end SET
4841 // } end [5]
4842 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4843 // (noAuthRequired)
4844 "0500" // NULL
4845 // } end [503]
4846 // } end SEQUENCE (AuthorizationList)
4847 // } end SEQUENCE (KeyDescription)
4848 "0420" // OCTET STRING length 0x20 (encryptedKey)
4849 "a61c6e247e25b3e6e69aa78eb03c2d4a"
4850 "c20d1f99a9a024a76f35c8e2cab9b68d"
4851 "0410" // OCTET STRING length 0x10 (tag)
4852 "2560c70109ae67c030f00b98b512a670"
4853 // } SEQUENCE (SecureKeyWrapper)
4854);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4855
4856auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4857 // RFC 5208 s5
4858 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
4859 "020100" // INTEGER length 1 value 0x00 (version)
4860 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
4861 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
4862 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
4863 "0500" // NULL (parameters)
4864 // } SEQUENCE (AlgorithmIdentifier)
4865 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
4866 // RFC 8017 A.1.2
4867 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
4868 "020100" // INTEGER length 1 value 0x00 (version)
4869 "02820101" // INTEGER length 0x0101 (modulus) value...
4870 "00aec367931d8900ce56b0067f7d70e1" // 0x10
4871 "fc653f3f34d194c1fed50018fb43db93" // 0x20
4872 "7b06e673a837313d56b1c725150a3fef" // 0x30
4873 "86acbddc41bb759c2854eae32d35841e" // 0x40
4874 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
4875 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
4876 "312d7bd5921ffaea1347c157406fef71" // 0x70
4877 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
4878 "f4645c11f5c1374c3886427411c44979" // 0x90
4879 "6792e0bef75dec858a2123c36753e02a" // 0xa0
4880 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
4881 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
4882 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
4883 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
4884 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
4885 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
4886 "55" // 0x101
4887 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
4888 "02820100" // INTEGER length 0x100 (privateExponent) value...
4889 "431447b6251908112b1ee76f99f3711a" // 0x10
4890 "52b6630960046c2de70de188d833f8b8" // 0x20
4891 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
4892 "641f7fe24f14c67a88959bdb27766df9" // 0x40
4893 "e710b630a03adc683b5d2c43080e52be" // 0x50
4894 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
4895 "822bccff087d63c940ba8a45f670feb2" // 0x70
4896 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
4897 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
4898 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
4899 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
4900 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
4901 "52659d5a5ba05b663737a8696281865b" // 0xd0
4902 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
4903 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
4904 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
4905 "028181" // INTEGER length 0x81 (prime1) value...
4906 "00de392e18d682c829266cc3454e1d61" // 0x10
4907 "66242f32d9a1d10577753e904ea7d08b" // 0x20
4908 "ff841be5bac82a164c5970007047b8c5" // 0x30
4909 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
4910 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
4911 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
4912 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
4913 "9e91346130748a6e3c124f9149d71c74" // 0x80
4914 "35"
4915 "028181" // INTEGER length 0x81 (prime2) value...
4916 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
4917 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
4918 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
4919 "7349db6c4a95affdae0dae612e1afac9" // 0x40
4920 "9ed39a2d934c880440aed8832f984316" // 0x50
4921 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
4922 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
4923 "b880677c068e1be936e81288815252a8" // 0x80
4924 "a1"
4925 "028180" // INTEGER length 0x80 (exponent1) value...
4926 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
4927 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
4928 "5a063212a4f105a3764743e53281988a" // 0x30
4929 "ba073f6e0027298e1c4378556e0efca0" // 0x40
4930 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
4931 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
4932 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
4933 "4719d6e2b9439823719cd08bcd031781" // 0x80
4934 "028181" // INTEGER length 0x81 (exponent2) value...
4935 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
4936 "1241acc607976c4ddccc90e65b6556ca" // 0x20
4937 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
4938 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
4939 "1254186af30b22c10582a8a43e34fe94" // 0x50
4940 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
4941 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
4942 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
4943 "61"
4944 "028181" // INTEGER length 0x81 (coefficient) value...
4945 "00c931617c77829dfb1270502be9195c" // 0x10
4946 "8f2830885f57dba869536811e6864236" // 0x20
4947 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
4948 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
4949 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
4950 "959356210723287b0affcc9f727044d4" // 0x60
4951 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
4952 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
4953 "22"
4954 // } SEQUENCE
4955 // } SEQUENCE ()
4956);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4957
4958string zero_masking_key =
4959 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
4960string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
4961
4962class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
4963
4964TEST_P(ImportWrappedKeyTest, Success) {
4965 auto wrapping_key_desc = AuthorizationSetBuilder()
4966 .RsaEncryptionKey(2048, 65537)
4967 .Digest(Digest::SHA_2_256)
4968 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4969 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4970 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4971
4972 ASSERT_EQ(ErrorCode::OK,
4973 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4974 AuthorizationSetBuilder()
4975 .Digest(Digest::SHA_2_256)
4976 .Padding(PaddingMode::RSA_OAEP)));
4977
4978 string message = "Hello World!";
4979 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4980 string ciphertext = EncryptMessage(message, params);
4981 string plaintext = DecryptMessage(ciphertext, params);
4982 EXPECT_EQ(message, plaintext);
4983}
4984
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4985/*
4986 * ImportWrappedKeyTest.SuccessSidsIgnored
4987 *
4988 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
4989 * include Tag:USER_SECURE_ID.
4990 */
4991TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
4992 auto wrapping_key_desc = AuthorizationSetBuilder()
4993 .RsaEncryptionKey(2048, 65537)
4994 .Digest(Digest::SHA_2_256)
4995 .Padding(PaddingMode::RSA_OAEP)
4996 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4997 .SetDefaultValidity();
4998
4999 int64_t password_sid = 42;
5000 int64_t biometric_sid = 24;
5001 ASSERT_EQ(ErrorCode::OK,
5002 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5003 AuthorizationSetBuilder()
5004 .Digest(Digest::SHA_2_256)
5005 .Padding(PaddingMode::RSA_OAEP),
5006 password_sid, biometric_sid));
5007
5008 string message = "Hello World!";
5009 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5010 string ciphertext = EncryptMessage(message, params);
5011 string plaintext = DecryptMessage(ciphertext, params);
5012 EXPECT_EQ(message, plaintext);
5013}
5014
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5015TEST_P(ImportWrappedKeyTest, SuccessMasked) {
5016 auto wrapping_key_desc = AuthorizationSetBuilder()
5017 .RsaEncryptionKey(2048, 65537)
5018 .Digest(Digest::SHA_2_256)
5019 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5020 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5021 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5022
5023 ASSERT_EQ(ErrorCode::OK,
5024 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
5025 AuthorizationSetBuilder()
5026 .Digest(Digest::SHA_2_256)
5027 .Padding(PaddingMode::RSA_OAEP)));
5028}
5029
5030TEST_P(ImportWrappedKeyTest, WrongMask) {
5031 auto wrapping_key_desc = AuthorizationSetBuilder()
5032 .RsaEncryptionKey(2048, 65537)
5033 .Digest(Digest::SHA_2_256)
5034 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5035 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5036 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5037
5038 ASSERT_EQ(
5039 ErrorCode::VERIFICATION_FAILED,
5040 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5041 AuthorizationSetBuilder()
5042 .Digest(Digest::SHA_2_256)
5043 .Padding(PaddingMode::RSA_OAEP)));
5044}
5045
5046TEST_P(ImportWrappedKeyTest, WrongPurpose) {
5047 auto wrapping_key_desc = AuthorizationSetBuilder()
5048 .RsaEncryptionKey(2048, 65537)
5049 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5050 .Padding(PaddingMode::RSA_OAEP)
5051 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5052
5053 ASSERT_EQ(
5054 ErrorCode::INCOMPATIBLE_PURPOSE,
5055 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
5056 AuthorizationSetBuilder()
5057 .Digest(Digest::SHA_2_256)
5058 .Padding(PaddingMode::RSA_OAEP)));
5059}
5060
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5061TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
5062 auto wrapping_key_desc = AuthorizationSetBuilder()
5063 .RsaEncryptionKey(2048, 65537)
5064 .Digest(Digest::SHA_2_256)
5065 .Padding(PaddingMode::RSA_PSS)
5066 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5067 .SetDefaultValidity();
5068
5069 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
5070 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5071 AuthorizationSetBuilder()
5072 .Digest(Digest::SHA_2_256)
5073 .Padding(PaddingMode::RSA_OAEP)));
5074}
5075
5076TEST_P(ImportWrappedKeyTest, WrongDigest) {
5077 auto wrapping_key_desc = AuthorizationSetBuilder()
5078 .RsaEncryptionKey(2048, 65537)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5079 .Padding(PaddingMode::RSA_OAEP)
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5080 .Digest(Digest::SHA_2_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5081 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
5082 .SetDefaultValidity();
5083
5084 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
5085 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
5086 AuthorizationSetBuilder()
Tommy Chiu4fdcccc2022-10-25 20:56:47 +0800[diff] [blame]5087 .Digest(Digest::SHA_2_512)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5088 .Padding(PaddingMode::RSA_OAEP)));
5089}
5090
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5091INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
5092
5093typedef KeyMintAidlTestBase EncryptionOperationsTest;
5094
5095/*
5096 * EncryptionOperationsTest.RsaNoPaddingSuccess
5097 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5098 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5099 */
5100TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]5101 for (uint64_t exponent : ValidExponents()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5102 SCOPED_TRACE(testing::Message() << "RSA exponent=" << exponent);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5103 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5104 .Authorization(TAG_NO_AUTH_REQUIRED)
5105 .RsaEncryptionKey(2048, exponent)
5106 .Padding(PaddingMode::NONE)
5107 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5108
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5109 string message = string(2048 / 8, 'a');
5110 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5111 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5112 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5113
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5114 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5115 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5116
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5117 // Unpadded RSA is deterministic
5118 EXPECT_EQ(ciphertext1, ciphertext2);
5119
5120 CheckedDeleteKey();
5121 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5122}
5123
5124/*
5125 * EncryptionOperationsTest.RsaNoPaddingShortMessage
5126 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5127 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5128 */
5129TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
5130 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5131 .Authorization(TAG_NO_AUTH_REQUIRED)
5132 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5133 .Padding(PaddingMode::NONE)
5134 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5135
5136 string message = "1";
5137 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
5138
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5139 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5140 EXPECT_EQ(2048U / 8, ciphertext.size());
5141
5142 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
5143 string plaintext = DecryptMessage(ciphertext, params);
5144
5145 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5146}
5147
5148/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5149 * EncryptionOperationsTest.RsaOaepSuccess
5150 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5151 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5152 */
5153TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
5154 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5155
5156 size_t key_size = 2048; // Need largish key for SHA-512 test.
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5157 ASSERT_EQ(ErrorCode::OK,
5158 GenerateKey(AuthorizationSetBuilder()
5159 .Authorization(TAG_NO_AUTH_REQUIRED)
5160 .RsaEncryptionKey(key_size, 65537)
5161 .Padding(PaddingMode::RSA_OAEP)
5162 .Digest(digests)
5163 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1)
5164 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5165
5166 string message = "Hello";
5167
5168 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5169 SCOPED_TRACE(testing::Message() << "digest-" << digest);
5170
5171 auto params = AuthorizationSetBuilder()
5172 .Digest(digest)
5173 .Padding(PaddingMode::RSA_OAEP)
5174 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
5175 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5176 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5177 EXPECT_EQ(key_size / 8, ciphertext1.size());
5178
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5179 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5180 EXPECT_EQ(key_size / 8, ciphertext2.size());
5181
5182 // OAEP randomizes padding so every result should be different (with astronomically high
5183 // probability).
5184 EXPECT_NE(ciphertext1, ciphertext2);
5185
5186 string plaintext1 = DecryptMessage(ciphertext1, params);
5187 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5188 string plaintext2 = DecryptMessage(ciphertext2, params);
5189 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5190
5191 // Decrypting corrupted ciphertext should fail.
5192 size_t offset_to_corrupt = random() % ciphertext1.size();
5193 char corrupt_byte;
5194 do {
5195 corrupt_byte = static_cast<char>(random() % 256);
5196 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5197 ciphertext1[offset_to_corrupt] = corrupt_byte;
5198
5199 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5200 string result;
5201 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5202 EXPECT_EQ(0U, result.size());
5203 }
5204}
5205
5206/*
5207 * EncryptionOperationsTest.RsaOaepInvalidDigest
5208 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5209 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5210 * without a digest.
5211 */
5212TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
5213 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5214 .Authorization(TAG_NO_AUTH_REQUIRED)
5215 .RsaEncryptionKey(2048, 65537)
5216 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5217 .Digest(Digest::NONE)
5218 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5219
5220 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5221 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5222}
5223
5224/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5225 * EncryptionOperationsTest.RsaOaepInvalidPadding
5226 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5227 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5228 * with a padding value that is only suitable for signing/verifying.
5229 */
5230TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
5231 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5232 .Authorization(TAG_NO_AUTH_REQUIRED)
5233 .RsaEncryptionKey(2048, 65537)
5234 .Padding(PaddingMode::RSA_PSS)
5235 .Digest(Digest::NONE)
5236 .SetDefaultValidity()));
5237
5238 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5239 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5240}
5241
5242/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5243 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5244 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5245 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5246 * with a different digest than was used to encrypt.
5247 */
5248TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5249 if (SecLevel() == SecurityLevel::STRONGBOX) {
5250 GTEST_SKIP() << "Test not applicable to StrongBox device";
5251 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5252
5253 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5254 .Authorization(TAG_NO_AUTH_REQUIRED)
5255 .RsaEncryptionKey(1024, 65537)
5256 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5257 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
5258 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5259 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5260 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5261 message,
5262 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
5263
5264 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5265 .Digest(Digest::SHA_2_256)
5266 .Padding(PaddingMode::RSA_OAEP)));
5267 string result;
5268 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5269 EXPECT_EQ(0U, result.size());
5270}
5271
5272/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5273 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
5274 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5275 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5276 * digests.
5277 */
5278TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
5279 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5280
5281 size_t key_size = 2048; // Need largish key for SHA-512 test.
5282 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5283 .OaepMGFDigest(digests)
5284 .Authorization(TAG_NO_AUTH_REQUIRED)
5285 .RsaEncryptionKey(key_size, 65537)
5286 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5287 .Digest(Digest::SHA_2_256)
5288 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5289
5290 string message = "Hello";
5291
5292 for (auto digest : digests) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5293 SCOPED_TRACE(testing::Message() << "digest-" << digest);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5294 auto params = AuthorizationSetBuilder()
5295 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
5296 .Digest(Digest::SHA_2_256)
5297 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5298 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5299 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5300 EXPECT_EQ(key_size / 8, ciphertext1.size());
5301
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5302 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5303 EXPECT_EQ(key_size / 8, ciphertext2.size());
5304
5305 // OAEP randomizes padding so every result should be different (with astronomically high
5306 // probability).
5307 EXPECT_NE(ciphertext1, ciphertext2);
5308
5309 string plaintext1 = DecryptMessage(ciphertext1, params);
5310 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5311 string plaintext2 = DecryptMessage(ciphertext2, params);
5312 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5313
5314 // Decrypting corrupted ciphertext should fail.
5315 size_t offset_to_corrupt = random() % ciphertext1.size();
5316 char corrupt_byte;
5317 do {
5318 corrupt_byte = static_cast<char>(random() % 256);
5319 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5320 ciphertext1[offset_to_corrupt] = corrupt_byte;
5321
5322 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5323 string result;
5324 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5325 EXPECT_EQ(0U, result.size());
5326 }
5327}
5328
5329/*
David Drysdaleae3727b2021-11-11 09:00:14 +0000[diff] [blame]5330 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultSuccess
5331 *
5332 * Verifies that RSA-OAEP decryption operations work when no MGF digest is
5333 * specified, defaulting to SHA-1.
5334 */
5335TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultSuccess) {
5336 size_t key_size = 2048;
5337 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5338 .Authorization(TAG_NO_AUTH_REQUIRED)
5339 .RsaEncryptionKey(key_size, 65537)
5340 .Padding(PaddingMode::RSA_OAEP)
5341 .Digest(Digest::SHA_2_256)
5342 .SetDefaultValidity()));
5343
5344 // Do local RSA encryption using the default MGF digest of SHA-1.
5345 string message = "Hello";
5346 auto params =
5347 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5348 string ciphertext = LocalRsaEncryptMessage(message, params);
5349 EXPECT_EQ(key_size / 8, ciphertext.size());
5350
5351 // Do KeyMint RSA decryption also using the default MGF digest of SHA-1.
5352 string plaintext = DecryptMessage(ciphertext, params);
5353 EXPECT_EQ(message, plaintext) << "RSA-OAEP failed with default digest";
5354
5355 // Decrypting corrupted ciphertext should fail.
5356 size_t offset_to_corrupt = random() % ciphertext.size();
5357 char corrupt_byte;
5358 do {
5359 corrupt_byte = static_cast<char>(random() % 256);
5360 } while (corrupt_byte == ciphertext[offset_to_corrupt]);
5361 ciphertext[offset_to_corrupt] = corrupt_byte;
5362
5363 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5364 string result;
5365 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5366 EXPECT_EQ(0U, result.size());
5367}
5368
5369/*
5370 * EncryptionOperationsTest.RsaOaepMGFDigestDefaultFail
5371 *
5372 * Verifies that RSA-OAEP decryption operations fail when no MGF digest is
5373 * specified on begin (thus defaulting to SHA-1), but the key characteristics
5374 * has an explicit set of values for MGF_DIGEST that do not contain SHA-1.
5375 */
5376TEST_P(EncryptionOperationsTest, RsaOaepMGFDigestDefaultFail) {
5377 size_t key_size = 2048;
5378 ASSERT_EQ(ErrorCode::OK,
5379 GenerateKey(AuthorizationSetBuilder()
5380 .Authorization(TAG_NO_AUTH_REQUIRED)
5381 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5382 .RsaEncryptionKey(key_size, 65537)
5383 .Padding(PaddingMode::RSA_OAEP)
5384 .Digest(Digest::SHA_2_256)
5385 .SetDefaultValidity()));
5386
5387 // Do local RSA encryption using the default MGF digest of SHA-1.
5388 string message = "Hello";
5389 auto params =
5390 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP);
5391 string ciphertext = LocalRsaEncryptMessage(message, params);
5392 EXPECT_EQ(key_size / 8, ciphertext.size());
5393
5394 // begin() params do not include MGF_DIGEST, so a default of SHA1 is assumed.
5395 // Key characteristics *do* include values for MGF_DIGEST, so the SHA1 value
5396 // is checked against those values, and found absent.
5397 auto result = Begin(KeyPurpose::DECRYPT, params);
5398 EXPECT_TRUE(result == ErrorCode::UNSUPPORTED_MGF_DIGEST ||
5399 result == ErrorCode::INCOMPATIBLE_MGF_DIGEST);
5400}
5401
5402/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5403 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
5404 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5405 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5406 * with incompatible MGF digest.
5407 */
5408TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
5409 ASSERT_EQ(ErrorCode::OK,
5410 GenerateKey(AuthorizationSetBuilder()
5411 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5412 .Authorization(TAG_NO_AUTH_REQUIRED)
5413 .RsaEncryptionKey(2048, 65537)
5414 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5415 .Digest(Digest::SHA_2_256)
5416 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5417 string message = "Hello World!";
5418
5419 auto params = AuthorizationSetBuilder()
5420 .Padding(PaddingMode::RSA_OAEP)
5421 .Digest(Digest::SHA_2_256)
5422 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5423 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5424}
5425
5426/*
5427 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
5428 *
5429 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
5430 * with unsupported MGF digest.
5431 */
5432TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
5433 ASSERT_EQ(ErrorCode::OK,
5434 GenerateKey(AuthorizationSetBuilder()
5435 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5436 .Authorization(TAG_NO_AUTH_REQUIRED)
5437 .RsaEncryptionKey(2048, 65537)
5438 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5439 .Digest(Digest::SHA_2_256)
5440 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5441 string message = "Hello World!";
5442
5443 auto params = AuthorizationSetBuilder()
5444 .Padding(PaddingMode::RSA_OAEP)
5445 .Digest(Digest::SHA_2_256)
5446 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5447 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5448}
5449
5450/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5451 * EncryptionOperationsTest.RsaPkcs1Success
5452 *
5453 * Verifies that RSA PKCS encryption/decrypts works.
5454 */
5455TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
5456 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5457 .Authorization(TAG_NO_AUTH_REQUIRED)
5458 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5459 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
5460 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5461
5462 string message = "Hello World!";
5463 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5464 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5465 EXPECT_EQ(2048U / 8, ciphertext1.size());
5466
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5467 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5468 EXPECT_EQ(2048U / 8, ciphertext2.size());
5469
5470 // PKCS1 v1.5 randomizes padding so every result should be different.
5471 EXPECT_NE(ciphertext1, ciphertext2);
5472
5473 string plaintext = DecryptMessage(ciphertext1, params);
5474 EXPECT_EQ(message, plaintext);
5475
5476 // Decrypting corrupted ciphertext should fail.
5477 size_t offset_to_corrupt = random() % ciphertext1.size();
5478 char corrupt_byte;
5479 do {
5480 corrupt_byte = static_cast<char>(random() % 256);
5481 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5482 ciphertext1[offset_to_corrupt] = corrupt_byte;
5483
5484 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5485 string result;
5486 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5487 EXPECT_EQ(0U, result.size());
5488}
5489
5490/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5491 * EncryptionOperationsTest.EcdsaEncrypt
5492 *
5493 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
5494 */
5495TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
5496 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5497 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]5498 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5499 .Digest(Digest::NONE)
5500 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5501 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
5502 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5503 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5504}
5505
5506/*
5507 * EncryptionOperationsTest.HmacEncrypt
5508 *
5509 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
5510 */
5511TEST_P(EncryptionOperationsTest, HmacEncrypt) {
5512 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5513 .Authorization(TAG_NO_AUTH_REQUIRED)
5514 .HmacKey(128)
5515 .Digest(Digest::SHA_2_256)
5516 .Padding(PaddingMode::NONE)
5517 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5518 auto params = AuthorizationSetBuilder()
5519 .Digest(Digest::SHA_2_256)
5520 .Padding(PaddingMode::NONE)
5521 .Authorization(TAG_MAC_LENGTH, 128);
5522 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5523 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5524}
5525
5526/*
5527 * EncryptionOperationsTest.AesEcbRoundTripSuccess
5528 *
5529 * Verifies that AES ECB mode works.
5530 */
5531TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
5532 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5533 .Authorization(TAG_NO_AUTH_REQUIRED)
5534 .AesEncryptionKey(128)
5535 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5536 .Padding(PaddingMode::NONE)));
5537
5538 ASSERT_GT(key_blob_.size(), 0U);
5539 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5540
5541 // Two-block message.
5542 string message = "12345678901234567890123456789012";
5543 string ciphertext1 = EncryptMessage(message, params);
5544 EXPECT_EQ(message.size(), ciphertext1.size());
5545
5546 string ciphertext2 = EncryptMessage(string(message), params);
5547 EXPECT_EQ(message.size(), ciphertext2.size());
5548
5549 // ECB is deterministic.
5550 EXPECT_EQ(ciphertext1, ciphertext2);
5551
5552 string plaintext = DecryptMessage(ciphertext1, params);
5553 EXPECT_EQ(message, plaintext);
5554}
5555
5556/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5557 * EncryptionOperationsTest.AesEcbUnknownTag
5558 *
5559 * Verifies that AES ECB operations ignore unknown tags.
5560 */
5561TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
5562 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
5563 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
5564 KeyParameter unknown_param;
5565 unknown_param.tag = unknown_tag;
5566
5567 vector<KeyCharacteristics> key_characteristics;
5568 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5569 .Authorization(TAG_NO_AUTH_REQUIRED)
5570 .AesEncryptionKey(128)
5571 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5572 .Padding(PaddingMode::NONE)
5573 .Authorization(unknown_param),
5574 &key_blob_, &key_characteristics));
5575 ASSERT_GT(key_blob_.size(), 0U);
5576
5577 // Unknown tags should not be returned in key characteristics.
5578 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
5579 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
5580 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
5581 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
5582
5583 // Encrypt without mentioning the unknown parameter.
5584 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5585 string message = "12345678901234567890123456789012";
5586 string ciphertext = EncryptMessage(message, params);
5587 EXPECT_EQ(message.size(), ciphertext.size());
5588
5589 // Decrypt including the unknown parameter.
5590 auto decrypt_params = AuthorizationSetBuilder()
5591 .BlockMode(BlockMode::ECB)
5592 .Padding(PaddingMode::NONE)
5593 .Authorization(unknown_param);
5594 string plaintext = DecryptMessage(ciphertext, decrypt_params);
5595 EXPECT_EQ(message, plaintext);
5596}
5597
5598/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5599 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5600 *
5601 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
5602 */
5603TEST_P(EncryptionOperationsTest, AesWrongMode) {
5604 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5605 .Authorization(TAG_NO_AUTH_REQUIRED)
5606 .AesEncryptionKey(128)
5607 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5608 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5609 ASSERT_GT(key_blob_.size(), 0U);
5610
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5611 EXPECT_EQ(
5612 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
5613 Begin(KeyPurpose::ENCRYPT,
5614 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
5615}
5616
5617/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5618 * EncryptionOperationsTest.AesWrongPadding
5619 *
5620 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
5621 */
5622TEST_P(EncryptionOperationsTest, AesWrongPadding) {
5623 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5624 .Authorization(TAG_NO_AUTH_REQUIRED)
5625 .AesEncryptionKey(128)
5626 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5627 .Padding(PaddingMode::NONE)));
5628 ASSERT_GT(key_blob_.size(), 0U);
5629
5630 EXPECT_EQ(
5631 ErrorCode::INCOMPATIBLE_PADDING_MODE,
5632 Begin(KeyPurpose::ENCRYPT,
5633 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
5634}
5635
5636/*
5637 * EncryptionOperationsTest.AesInvalidParams
5638 *
5639 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
5640 */
5641TEST_P(EncryptionOperationsTest, AesInvalidParams) {
5642 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5643 .Authorization(TAG_NO_AUTH_REQUIRED)
5644 .AesEncryptionKey(128)
5645 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5646 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5647 .Padding(PaddingMode::NONE)
5648 .Padding(PaddingMode::PKCS7)));
5649 ASSERT_GT(key_blob_.size(), 0U);
5650
5651 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5652 .BlockMode(BlockMode::CBC)
5653 .BlockMode(BlockMode::ECB)
5654 .Padding(PaddingMode::NONE));
5655 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
5656 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
5657
5658 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5659 .BlockMode(BlockMode::ECB)
5660 .Padding(PaddingMode::NONE)
5661 .Padding(PaddingMode::PKCS7));
5662 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
5663 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
5664}
5665
5666/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5667 * EncryptionOperationsTest.AesWrongPurpose
5668 *
5669 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
5670 * specified.
5671 */
5672TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
5673 auto err = GenerateKey(AuthorizationSetBuilder()
5674 .Authorization(TAG_NO_AUTH_REQUIRED)
5675 .AesKey(128)
5676 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
5677 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5678 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5679 .Padding(PaddingMode::NONE));
5680 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
5681 ASSERT_GT(key_blob_.size(), 0U);
5682
5683 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5684 .BlockMode(BlockMode::GCM)
5685 .Padding(PaddingMode::NONE)
5686 .Authorization(TAG_MAC_LENGTH, 128));
5687 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5688
5689 CheckedDeleteKey();
5690
5691 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5692 .Authorization(TAG_NO_AUTH_REQUIRED)
5693 .AesKey(128)
5694 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
5695 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5696 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5697 .Padding(PaddingMode::NONE)));
5698
5699 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5700 .BlockMode(BlockMode::GCM)
5701 .Padding(PaddingMode::NONE)
5702 .Authorization(TAG_MAC_LENGTH, 128));
5703 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5704}
5705
5706/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5707 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5708 *
5709 * Verifies that AES encryption fails in the correct way when provided an input that is not a
5710 * multiple of the block size and no padding is specified.
5711 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5712TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
5713 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]5714 SCOPED_TRACE(testing::Message() << "AES-" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5715 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5716 .Authorization(TAG_NO_AUTH_REQUIRED)
5717 .AesEncryptionKey(128)
5718 .Authorization(TAG_BLOCK_MODE, blockMode)
5719 .Padding(PaddingMode::NONE)));
5720 // Message is slightly shorter than two blocks.
5721 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5722
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5723 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5724 AuthorizationSet out_params;
5725 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5726 string ciphertext;
5727 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
5728 EXPECT_EQ(0U, ciphertext.size());
5729
5730 CheckedDeleteKey();
5731 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5732}
5733
5734/*
5735 * EncryptionOperationsTest.AesEcbPkcs7Padding
5736 *
5737 * Verifies that AES PKCS7 padding works for any message length.
5738 */
5739TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
5740 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5741 .Authorization(TAG_NO_AUTH_REQUIRED)
5742 .AesEncryptionKey(128)
5743 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5744 .Padding(PaddingMode::PKCS7)));
5745
5746 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5747
5748 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5749 for (size_t i = 0; i <= 48; i++) {
5750 SCOPED_TRACE(testing::Message() << "i = " << i);
5751 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character.
5752 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5753 string ciphertext = EncryptMessage(message, params);
5754 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
5755 string plaintext = DecryptMessage(ciphertext, params);
5756 EXPECT_EQ(message, plaintext);
5757 }
5758}
5759
5760/*
5761 * EncryptionOperationsTest.AesEcbWrongPadding
5762 *
5763 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
5764 * specified.
5765 */
5766TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
5767 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5768 .Authorization(TAG_NO_AUTH_REQUIRED)
5769 .AesEncryptionKey(128)
5770 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5771 .Padding(PaddingMode::NONE)));
5772
5773 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5774
5775 // Try various message lengths; all should fail
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5776 for (size_t i = 0; i <= 48; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5777 string message(i, 'a');
5778 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5779 }
5780}
5781
5782/*
5783 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
5784 *
5785 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5786 */
5787TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
5788 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5789 .Authorization(TAG_NO_AUTH_REQUIRED)
5790 .AesEncryptionKey(128)
5791 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5792 .Padding(PaddingMode::PKCS7)));
5793
5794 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5795
5796 string message = "a";
5797 string ciphertext = EncryptMessage(message, params);
5798 EXPECT_EQ(16U, ciphertext.size());
5799 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5800
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5801 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5802 ++ciphertext[ciphertext.size() / 2];
5803
5804 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5805 string plaintext;
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5806 ErrorCode error = Finish(ciphertext, &plaintext);
5807 if (error == ErrorCode::INVALID_ARGUMENT) {
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5808 // This is the expected error, we can exit the test now.
5809 return;
5810 } else {
5811 // Very small chance we got valid decryption, so try again.
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5812 ASSERT_EQ(error, ErrorCode::OK)
5813 << "Expected INVALID_ARGUMENT or (rarely) OK, got " << error;
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5814 }
5815 }
5816 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5817}
5818
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5819/*
5820 * EncryptionOperationsTest.AesEcbPkcs7CiphertextTooShort
5821 *
5822 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5823 */
5824TEST_P(EncryptionOperationsTest, AesEcbPkcs7CiphertextTooShort) {
5825 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5826 .Authorization(TAG_NO_AUTH_REQUIRED)
5827 .AesEncryptionKey(128)
5828 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5829 .Padding(PaddingMode::PKCS7)));
5830
5831 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5832
5833 string message = "a";
5834 string ciphertext = EncryptMessage(message, params);
5835 EXPECT_EQ(16U, ciphertext.size());
5836 EXPECT_NE(ciphertext, message);
5837
5838 // Shorten the ciphertext.
5839 ciphertext.resize(ciphertext.size() - 1);
5840 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5841 string plaintext;
5842 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(ciphertext, &plaintext));
5843}
5844
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5845vector<uint8_t> CopyIv(const AuthorizationSet& set) {
5846 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5847 EXPECT_TRUE(iv);
5848 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5849}
5850
5851/*
5852 * EncryptionOperationsTest.AesCtrRoundTripSuccess
5853 *
5854 * Verifies that AES CTR mode works.
5855 */
5856TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
5857 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5858 .Authorization(TAG_NO_AUTH_REQUIRED)
5859 .AesEncryptionKey(128)
5860 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5861 .Padding(PaddingMode::NONE)));
5862
5863 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5864
5865 string message = "123";
5866 AuthorizationSet out_params;
5867 string ciphertext1 = EncryptMessage(message, params, &out_params);
5868 vector<uint8_t> iv1 = CopyIv(out_params);
5869 EXPECT_EQ(16U, iv1.size());
5870
5871 EXPECT_EQ(message.size(), ciphertext1.size());
5872
5873 out_params.Clear();
5874 string ciphertext2 = EncryptMessage(message, params, &out_params);
5875 vector<uint8_t> iv2 = CopyIv(out_params);
5876 EXPECT_EQ(16U, iv2.size());
5877
5878 // IVs should be random, so ciphertexts should differ.
5879 EXPECT_NE(ciphertext1, ciphertext2);
5880
5881 auto params_iv1 =
5882 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
5883 auto params_iv2 =
5884 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
5885
5886 string plaintext = DecryptMessage(ciphertext1, params_iv1);
5887 EXPECT_EQ(message, plaintext);
5888 plaintext = DecryptMessage(ciphertext2, params_iv2);
5889 EXPECT_EQ(message, plaintext);
5890
5891 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
5892 plaintext = DecryptMessage(ciphertext1, params_iv2);
5893 EXPECT_NE(message, plaintext);
5894 plaintext = DecryptMessage(ciphertext2, params_iv1);
5895 EXPECT_NE(message, plaintext);
5896}
5897
5898/*
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5899 * EncryptionOperationsTest.AesEcbIncremental
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5900 *
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5901 * Verifies that AES works for ECB block mode, when provided data in various size increments.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5902 */
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5903TEST_P(EncryptionOperationsTest, AesEcbIncremental) {
5904 CheckAesIncrementalEncryptOperation(BlockMode::ECB, 240);
5905}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5906
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5907/*
5908 * EncryptionOperationsTest.AesCbcIncremental
5909 *
5910 * Verifies that AES works for CBC block mode, when provided data in various size increments.
5911 */
5912TEST_P(EncryptionOperationsTest, AesCbcIncremental) {
5913 CheckAesIncrementalEncryptOperation(BlockMode::CBC, 240);
5914}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5915
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5916/*
5917 * EncryptionOperationsTest.AesCtrIncremental
5918 *
5919 * Verifies that AES works for CTR block mode, when provided data in various size increments.
5920 */
5921TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
5922 CheckAesIncrementalEncryptOperation(BlockMode::CTR, 240);
5923}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5924
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5925/*
5926 * EncryptionOperationsTest.AesGcmIncremental
5927 *
5928 * Verifies that AES works for GCM block mode, when provided data in various size increments.
5929 */
5930TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
5931 CheckAesIncrementalEncryptOperation(BlockMode::GCM, 240);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5932}
5933
Prashant Patildd5f7f02022-07-06 18:58:07 +0000[diff] [blame]5934/*
5935 * EncryptionOperationsTest.Aes128CBCNoPaddingOneByteAtATime
5936 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
5937 */
5938TEST_P(EncryptionOperationsTest, Aes128CBCNoPaddingOneByteAtATime) {
5939 string kat_key = hex2str("7E3D723C09A9852B24F584F9D916F6A8");
5940 string kat_iv = hex2str("944AE274D983892EADE422274858A96A");
5941 string kat_plaintext =
5942 hex2str("044E15899A080AADEB6778F64323B64D2CBCBADB338DF93B9AC459D4F41029"
5943 "809FFF37081C22EF278F896AB213A2A631");
5944 string kat_ciphertext =
5945 hex2str("B419293FCBD686F2913D1CF947E510D42FAFEDE5593C98AFD6AEE272596A"
5946 "56FE42C22F2A5E3B6A02BA9D8D0DE1E9A810");
5947 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
5948 kat_ciphertext);
5949}
5950
5951/*
5952 * EncryptionOperationsTest.Aes128CBCPKCS7PaddingOneByteAtATime
5953 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
5954 */
5955TEST_P(EncryptionOperationsTest, Aes128CBCPKCS7PaddingOneByteAtATime) {
5956 string kat_key = hex2str("F16E698472578E919D92806262C5169F");
5957 string kat_iv = hex2str("EF743540F8421ACA128A3247521F3E7D");
5958 string kat_plaintext =
5959 hex2str("5BEBF33569D90BF5E853814E12E7C7AA5758013F755773E29F4A25EC26EEB7"
5960 "65F7F2DC251F7DC62AEFCA1E8A5A11A1DCD44F0BD8FB593A5AE3");
5961 string kat_ciphertext =
5962 hex2str("3197CF6DB9466188B5FED375329324EE7D6092A8C0E41DFAF49E3724271427"
5963 "896D56A6243C0D59D6639722AF93CD53449BDDABF9C5F153EBDBFED9ED98C8CC37");
5964 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
5965 kat_plaintext, kat_ciphertext);
5966}
5967
5968/*
5969 * EncryptionOperationsTest.Aes128CTRNoPaddingOneByteAtATime
5970 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
5971 */
5972TEST_P(EncryptionOperationsTest, Aes128CTRNoPaddingOneByteAtATime) {
5973 string kat_key = hex2str("4713a7b2f93efe809b42ecc45213ef9f");
5974 string kat_iv = hex2str("ebfa19b0ebf3d57feabd4c4bd04bea01");
5975 string kat_plaintext =
5976 hex2str("6d2c07e1fc86f99c6e2a8f6567828b4262a9c23d0f3ed8ab32482283c79796"
5977 "f0adba1bcd3736084996452a917fae98005aebe61f9e91c3");
5978 string kat_ciphertext =
5979 hex2str("345deb1d67b95e600e05cad4c32ec381aadb3e2c1ec7e0fb956dc38e6860cf"
5980 "0553535566e1b12fa9f87d29266ca26df427233df035df28");
5981 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
5982 kat_ciphertext);
5983}
5984
5985/*
5986 * EncryptionOperationsTest.Aes128ECBNoPaddingOneByteAtATime
5987 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
5988 */
5989TEST_P(EncryptionOperationsTest, Aes128ECBNoPaddingOneByteAtATime) {
5990 string kat_key = hex2str("7DA2467F068854B3CB36E5C333A16619");
5991 string kat_plaintext =
5992 hex2str("9A07C9575AD9CE209DF9F3953965CEBE8208587C7AE575A1904BF25048946D"
5993 "7B6168A9A27BCE554BEA94EF26E6C742A0");
5994 string kat_ciphertext =
5995 hex2str("8C47E49420FC92AC4CA2C601BC3F8AC31D01B260B7B849F2B8EEDFFFED8F36"
5996 "C31CBDA0D22F95C9C2A48C347E8C77AC82");
5997 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
5998 kat_ciphertext);
5999}
6000
6001/*
6002 * EncryptionOperationsTest.Aes128ECBPKCS7PaddingOneByteAtATime
6003 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6004 */
6005TEST_P(EncryptionOperationsTest, Aes128ECBPKCS7PaddingOneByteAtATime) {
6006 string kat_key = hex2str("C3BE04BCCB3D99B85290F113FE7AF194");
6007 string kat_plaintext =
6008 hex2str("348C213FD8DF3F990C20C5ACBF07B34B6264AE245784A5A6176DBFB1C2E7DD"
6009 "27E52CC92B8EEE40614F05B507B355F6354A2705BD86");
6010 string kat_ciphertext =
6011 hex2str("07CD05C41FEDEDDC5DB4B3E35E676153184A119AA4DFDDC290616F1FA60093"
6012 "1DE6BEA9BDB90D1D733899946F8C8E5C0C4383F99F5D88E27F3EBC0C6E52759ED3");
6013 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6014 kat_ciphertext);
6015}
6016
6017/*
6018 * EncryptionOperationsTest.Aes128GCMNoPaddingOneByteAtATime
6019 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6020 */
6021TEST_P(EncryptionOperationsTest, Aes128GCMNoPaddingOneByteAtATime) {
6022 string kat_key = hex2str("ba76354f0aed6e8d91f45c4ff5a062db");
6023 string kat_iv = hex2str("b79437ae08ff355d7d8a4d0f");
6024 string kat_plaintext =
6025 hex2str("6d7596a8fd56ceaec61de7940984b7736fec44f572afc3c8952e4dc6541e2b"
6026 "c6a702c440a37610989543f63fedb047ca2173bc18581944");
6027 string kat_ciphertext =
6028 hex2str("b3f6799e8f9326f2df1e80fcd2cb16d78c9dc7cc14bb677862dc6c639b3a63"
6029 "38d24b312d3989e5920b5dbfc976765efbfe57bb385940a7a43bdf05bddae3c9d6a2fb"
6030 "bdfcc0cba0");
6031
6032 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6033 kat_ciphertext);
6034}
6035
6036/*
6037 * EncryptionOperationsTest.Aes192CBCNoPaddingOneByteAtATime
6038 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6039 */
6040TEST_P(EncryptionOperationsTest, Aes192CBCNoPaddingOneByteAtATime) {
6041 if (SecLevel() == SecurityLevel::STRONGBOX) {
6042 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6043 }
6044 string kat_key = hex2str("be8cc4e25cce46e5d55725e2391f7d3cf59ed60062f5a43b");
6045 string kat_iv = hex2str("80a199aab0eee77e7762ddf3b3a32f40");
6046 string kat_plaintext =
6047 hex2str("064f9200e0df37d4711af4a69d11addf9e1c345d9d8195f9f1f715019ce96a"
6048 "167f2497c994bd496eb80bfb2ba2c9d5af");
6049 string kat_ciphertext =
6050 hex2str("859b90becaa85e95a71e104efbd7a3b723bcbf4eb39865544a05d9e90b6fe5"
6051 "72c134552f3a138e726fbe493b3a839598");
6052 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6053 kat_ciphertext);
6054}
6055
6056/*
6057 * EncryptionOperationsTest.Aes192CBCPKCS7PaddingOneByteAtATime
6058 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6059 */
6060TEST_P(EncryptionOperationsTest, Aes192CBCPKCS7PaddingOneByteAtATime) {
6061 if (SecLevel() == SecurityLevel::STRONGBOX) {
6062 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6063 }
6064 string kat_key = hex2str("68969215ec41e4df7d23de0e806f458f52aff492bd7c5263");
6065 string kat_iv = hex2str("e61d13dfbf0533289f0e7950209da418");
6066 string kat_plaintext =
6067 hex2str("8d4c1cac27511ee2d82409a7f378e7e402b0eb189c1eaa5c506eb72a9074"
6068 "b170");
6069 string kat_ciphertext =
6070 hex2str("e70bcd62c595dc1b2b8c197bb91a7447e1be2cbcf3fdc69e7e991faf0f57cf"
6071 "4e3884138ff403a41fd99818708ada301c");
6072 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6073 kat_plaintext, kat_ciphertext);
6074}
6075
6076/*
6077 * EncryptionOperationsTest.Aes192CTRNoPaddingOneByteAtATime
6078 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6079 */
6080TEST_P(EncryptionOperationsTest, Aes192CTRNoPaddingOneByteAtATime) {
6081 if (SecLevel() == SecurityLevel::STRONGBOX) {
6082 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6083 }
6084 string kat_key = hex2str("5e2036e790d38815c90beb67a1c9e5aa0e167ef082927317");
6085 string kat_iv = hex2str("df0694959b89054156962d68a226965c");
6086 string kat_plaintext =
6087 hex2str("6ed2781c99e03e45314d6019932220c2c98130c53f9f67ad10ac519adf50e9"
6088 "28091e09cdbbd3b42b");
6089 string kat_ciphertext =
6090 hex2str("e427b6666502e05b82d0b20ae50e862b1936d71266fc49178ac984e71571f2"
6091 "2ae0f90f0c19f42b4a");
6092 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6093 kat_ciphertext);
6094}
6095
6096/*
6097 * EncryptionOperationsTest.Aes192ECBNoPaddingOneByteAtATime
6098 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6099 */
6100TEST_P(EncryptionOperationsTest, Aes192ECBNoPaddingOneByteAtATime) {
6101 if (SecLevel() == SecurityLevel::STRONGBOX) {
6102 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6103 }
6104 string kat_key = hex2str("3cab83fb338ba985fbfe74c5e9d2e900adb570b1d67faf92");
6105 string kat_plaintext =
6106 hex2str("2cc64c335a13fb838f3c6aad0a6b47297ca90bb886ddb059200f0b41740c"
6107 "44ab");
6108 string kat_ciphertext =
6109 hex2str("9c5c825328f5ee0aa24947e374d3f9165f484b39dd808c790d7a12964810"
6110 "2453");
6111 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6112 kat_ciphertext);
6113}
6114
6115/*
6116 * EncryptionOperationsTest.Aes192ECBPKCS7PaddingOneByteAtATime
6117 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6118 */
6119TEST_P(EncryptionOperationsTest, Aes192ECBPKCS7PaddingOneByteAtATime) {
6120 if (SecLevel() == SecurityLevel::STRONGBOX) {
6121 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6122 }
6123 string kat_key = hex2str("d57f4e5446f736c16476ec4db5decc7b1bf3936e4f7e4618");
6124 string kat_plaintext =
6125 hex2str("b115777f1ee7a43a07daa6401e59c46b7a98213a8747eabfbe3ca4ec93524d"
6126 "e2c7");
6127 string kat_ciphertext =
6128 hex2str("1e92cd20da08bb5fa174a7a69879d4fc25a155e6af06d75b26c5b450d273c8"
6129 "bb7e3a889dd4a9589098b44acf1056e7aa");
6130 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6131 kat_ciphertext);
6132}
6133
6134/*
6135 * EncryptionOperationsTest.Aes192GCMNoPaddingOneByteAtATime
6136 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6137 */
6138TEST_P(EncryptionOperationsTest, Aes192GCMNoPaddingOneByteAtATime) {
6139 if (SecLevel() == SecurityLevel::STRONGBOX) {
6140 GTEST_SKIP() << "Key size 192 is not supported by Strongbox.";
6141 }
6142 string kat_key = hex2str("21339fc1d011abca65d50ce2365230603fd47d07e8830f6e");
6143 string kat_iv = hex2str("d5fb1469a8d81dd75286a418");
6144 string kat_plaintext =
6145 hex2str("cf776dedf53a828d51a0073db3ef0dd1ee19e2e9e243ce97e95841bb9ad4e3"
6146 "ff52");
6147 string kat_ciphertext =
6148 hex2str("3a0d48278111d3296bc663df8a5dbeb2474ea47fd85b608f8d9375d9dcf7de"
6149 "1413ad70fb0e1970669095ad77ebb5974ae8");
6150
6151 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6152 kat_ciphertext);
6153}
6154
6155/*
6156 * EncryptionOperationsTest.Aes256CBCNoPaddingOneByteAtATime
6157 * Verifies input and output sizes of AES/CBC/NoPadding Algorithm.
6158 */
6159TEST_P(EncryptionOperationsTest, Aes256CBCNoPaddingOneByteAtATime) {
6160 string kat_key = hex2str("dd2f20dc6b98c100bac919120ff95eb5d96003f8229987b283a1e777b0cd5c30");
6161 string kat_iv = hex2str("23b4d85239fb90db93b07a981e90a170");
6162 string kat_plaintext =
6163 hex2str("2fbe5d46dca5cea433e550d8b291740ab9551c2a2d37680d7fb7b993225f58"
6164 "494cb53caca353e4b637ba05687be20f8d");
6165 string kat_ciphertext =
6166 hex2str("5aba24fc316936c8369061ee8fe463e4faed04288e204456626b988c0e376b"
6167 "6047da1e4fd7c4e1cf2656097f75ae8685");
6168 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::NONE, kat_iv, kat_plaintext,
6169 kat_ciphertext);
6170}
6171
6172/*
6173 * EncryptionOperationsTest.Aes256CBCPKCS7PaddingOneByteAtATime
6174 * Verifies input and output sizes of AES/CBC/PKCS7Padding Algorithm.
6175 */
6176TEST_P(EncryptionOperationsTest, Aes256CBCPKCS7PaddingOneByteAtATime) {
6177 string kat_key = hex2str("03ab2510520f5cfebfab0a17a7f8324c9634911f6fc59e586f85346bb38ac88a");
6178 string kat_iv = hex2str("9af96967195bb0184f129beffa8241ae");
6179 string kat_plaintext =
6180 hex2str("2d6944653ac14988a772a2730b7c5bfa99a21732ae26f40cdc5b3a2874c794"
6181 "2545a82b73c48078b9dae62261c65909");
6182 string kat_ciphertext =
6183 hex2str("26b308f7e1668b55705a79c8b3ad10e244655f705f027f390a5c34e4536f51"
6184 "9403a71987b95124073d69f2a3cb95b0ab");
6185 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CBC, PaddingMode::PKCS7, kat_iv,
6186 kat_plaintext, kat_ciphertext);
6187}
6188
6189/*
6190 * EncryptionOperationsTest.Aes256CTRNoPaddingOneByteAtATime
6191 * Verifies input and output sizes of AES/CTR/NoPadding Algorithm.
6192 */
6193TEST_P(EncryptionOperationsTest, Aes256CTRNoPaddingOneByteAtATime) {
6194 string kat_key = hex2str("928b380a8fed4b4b4cfeb56e0c66a4cb0f9ff58d61ac68bcfd0e3fbd910a684f");
6195 string kat_iv = hex2str("0b678a5249e6eeda461dfb4776b6c58e");
6196 string kat_plaintext =
6197 hex2str("f358de57543b297e997cba46fb9100553d6abd65377e55b9aac3006400ead1"
6198 "1f6db3c884");
6199 string kat_ciphertext =
6200 hex2str("a07a35fbd1776ad81462e1935f542337add60962bf289249476817b6ddd532"
6201 "a7be30d4c3");
6202 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::CTR, PaddingMode::NONE, kat_iv, kat_plaintext,
6203 kat_ciphertext);
6204}
6205
6206/*
6207 * EncryptionOperationsTest.Aes256ECBNoPaddingOneByteAtATime
6208 * Verifies input and output sizes of AES/ECB/NoPadding Algorithm.
6209 */
6210TEST_P(EncryptionOperationsTest, Aes256ECBNoPaddingOneByteAtATime) {
6211 string kat_key = hex2str("fa4622d9cf6485075daedd33d2c4fffdf859e2edb7f7df4f04603f7e647fae90");
6212 string kat_plaintext =
6213 hex2str("96ccabbe0c68970d8cdee2b30ab43c2d61cc50ee68271e77571e72478d713a"
6214 "31a476d6806b8116089c6ec50bb543200f");
6215 string kat_ciphertext =
6216 hex2str("0e81839e9dfbfe3b503d619e676abe5ac80fac3f245d8f09b9134b1b32a67d"
6217 "c83e377faf246288931136bef2a07c0be4");
6218 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::NONE, "", kat_plaintext,
6219 kat_ciphertext);
6220}
6221
6222/*
6223 * EncryptionOperationsTest.Aes256ECBPKCS7PaddingOneByteAtATime
6224 * Verifies input and output sizes of AES/ECB/PKCS7Padding Algorithm.
6225 */
6226TEST_P(EncryptionOperationsTest, Aes256ECBPKCS7PaddingOneByteAtATime) {
6227 string kat_key = hex2str("bf3f07c68467fead0ca8e2754500ab514258abf02eb7e615a493bcaaa45d5ee1");
6228 string kat_plaintext =
6229 hex2str("af0757e49018dad628f16998628a407db5f28291bef3bc2e4d8a5a31fb238e"
6230 "6f");
6231 string kat_ciphertext =
6232 hex2str("21ec3011074bf1ef140643d47130326c5e183f61237c69bc77551ca207d71f"
6233 "c2b90cfac6c8d2d125e5cd9ff353dee0df");
6234 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::ECB, PaddingMode::PKCS7, "", kat_plaintext,
6235 kat_ciphertext);
6236}
6237
6238/*
6239 * EncryptionOperationsTest.Aes256GCMNoPaddingOneByteAtATime
6240 * Verifies input and output sizes of AES/GCM/NoPadding Algorithm.
6241 */
6242TEST_P(EncryptionOperationsTest, Aes256GCMNoPaddingOneByteAtATime) {
6243 string kat_key = hex2str("7972140d831eedac75d5ea515c9a4c3bb124499a90b5f317ac1a685e88fae395");
6244 string kat_iv = hex2str("a66c5252808d823dd4151fed");
6245 string kat_plaintext =
6246 hex2str("c2b9dabf3a55adaa94e8c0d1e77a84a3435aee23b2c3c4abb587b09a9c2afb"
6247 "f0");
6248 string kat_ciphertext =
6249 hex2str("a960619314657b2afb96b93bebb372bffd09e19d53e351f17d1ba2611f9dc3"
6250 "3c9c92d563e8fd381254ac262aa2a4ea0d");
6251
6252 AesCheckEncryptOneByteAtATime(kat_key, BlockMode::GCM, PaddingMode::NONE, kat_iv, kat_plaintext,
6253 kat_ciphertext);
6254}
6255
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6256struct AesCtrSp80038aTestVector {
6257 const char* key;
6258 const char* nonce;
6259 const char* plaintext;
6260 const char* ciphertext;
6261};
6262
6263// These test vectors are taken from
6264// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
6265static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
6266 // AES-128
6267 {
6268 "2b7e151628aed2a6abf7158809cf4f3c",
6269 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6270 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6271 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6272 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
6273 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
6274 },
6275 // AES-192
6276 {
6277 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
6278 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6279 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6280 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6281 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
6282 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
6283 },
6284 // AES-256
6285 {
6286 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
6287 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
6288 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
6289 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
6290 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
6291 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
6292 },
6293};
6294
6295/*
6296 * EncryptionOperationsTest.AesCtrSp80038aTestVector
6297 *
6298 * Verifies AES CTR implementation against SP800-38A test vectors.
6299 */
6300TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
6301 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
6302 for (size_t i = 0; i < 3; i++) {
6303 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
6304 const string key = hex2str(test.key);
6305 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
6306 InvalidSizes.end())
6307 continue;
6308 const string nonce = hex2str(test.nonce);
6309 const string plaintext = hex2str(test.plaintext);
6310 const string ciphertext = hex2str(test.ciphertext);
6311 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
6312 }
6313}
6314
6315/*
6316 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
6317 *
6318 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
6319 */
6320TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
6321 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6322 .Authorization(TAG_NO_AUTH_REQUIRED)
6323 .AesEncryptionKey(128)
6324 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6325 .Padding(PaddingMode::PKCS7)));
6326 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
6327 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
6328}
6329
6330/*
6331 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
6332 *
6333 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6334 */
6335TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
6336 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6337 .Authorization(TAG_NO_AUTH_REQUIRED)
6338 .AesEncryptionKey(128)
6339 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
6340 .Authorization(TAG_CALLER_NONCE)
6341 .Padding(PaddingMode::NONE)));
6342
6343 auto params = AuthorizationSetBuilder()
6344 .BlockMode(BlockMode::CTR)
6345 .Padding(PaddingMode::NONE)
6346 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
6347 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6348
6349 params = AuthorizationSetBuilder()
6350 .BlockMode(BlockMode::CTR)
6351 .Padding(PaddingMode::NONE)
6352 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
6353 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6354
6355 params = AuthorizationSetBuilder()
6356 .BlockMode(BlockMode::CTR)
6357 .Padding(PaddingMode::NONE)
6358 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
6359 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6360}
6361
6362/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6363 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6364 *
6365 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
6366 */
6367TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
6368 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6369 .Authorization(TAG_NO_AUTH_REQUIRED)
6370 .AesEncryptionKey(128)
6371 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6372 .Padding(PaddingMode::NONE)));
6373 // Two-block message.
6374 string message = "12345678901234567890123456789012";
6375 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6376 AuthorizationSet out_params;
6377 string ciphertext1 = EncryptMessage(message, params, &out_params);
6378 vector<uint8_t> iv1 = CopyIv(out_params);
6379 EXPECT_EQ(message.size(), ciphertext1.size());
6380
6381 out_params.Clear();
6382
6383 string ciphertext2 = EncryptMessage(message, params, &out_params);
6384 vector<uint8_t> iv2 = CopyIv(out_params);
6385 EXPECT_EQ(message.size(), ciphertext2.size());
6386
6387 // IVs should be random, so ciphertexts should differ.
6388 EXPECT_NE(ciphertext1, ciphertext2);
6389
6390 params.push_back(TAG_NONCE, iv1);
6391 string plaintext = DecryptMessage(ciphertext1, params);
6392 EXPECT_EQ(message, plaintext);
6393}
6394
6395/*
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6396 * EncryptionOperationsTest.AesCbcZeroInputSuccessb
6397 *
6398 * Verifies that keymaster generates correct output on zero-input with
6399 * NonePadding mode
6400 */
6401TEST_P(EncryptionOperationsTest, AesCbcZeroInputSuccess) {
6402 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6403 .Authorization(TAG_NO_AUTH_REQUIRED)
6404 .AesEncryptionKey(128)
6405 .BlockMode(BlockMode::CBC)
6406 .Padding(PaddingMode::NONE, PaddingMode::PKCS7)));
6407
6408 // Zero input message
6409 string message = "";
6410 for (auto padding : {PaddingMode::NONE, PaddingMode::PKCS7}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]6411 SCOPED_TRACE(testing::Message() << "AES padding=" << padding);
Tommy Chiuee705692021-09-23 20:09:13 +0800[diff] [blame]6412 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(padding);
6413 AuthorizationSet out_params;
6414 string ciphertext1 = EncryptMessage(message, params, &out_params);
6415 vector<uint8_t> iv1 = CopyIv(out_params);
6416 if (padding == PaddingMode::NONE)
6417 EXPECT_EQ(message.size(), ciphertext1.size()) << "PaddingMode: " << padding;
6418 else
6419 EXPECT_EQ(message.size(), ciphertext1.size() - 16) << "PaddingMode: " << padding;
6420
6421 out_params.Clear();
6422
6423 string ciphertext2 = EncryptMessage(message, params, &out_params);
6424 vector<uint8_t> iv2 = CopyIv(out_params);
6425 if (padding == PaddingMode::NONE)
6426 EXPECT_EQ(message.size(), ciphertext2.size()) << "PaddingMode: " << padding;
6427 else
6428 EXPECT_EQ(message.size(), ciphertext2.size() - 16) << "PaddingMode: " << padding;
6429
6430 // IVs should be random
6431 EXPECT_NE(iv1, iv2) << "PaddingMode: " << padding;
6432
6433 params.push_back(TAG_NONCE, iv1);
6434 string plaintext = DecryptMessage(ciphertext1, params);
6435 EXPECT_EQ(message, plaintext) << "PaddingMode: " << padding;
6436 }
6437}
6438
6439/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6440 * EncryptionOperationsTest.AesCallerNonce
6441 *
6442 * Verifies that AES caller-provided nonces work correctly.
6443 */
6444TEST_P(EncryptionOperationsTest, AesCallerNonce) {
6445 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6446 .Authorization(TAG_NO_AUTH_REQUIRED)
6447 .AesEncryptionKey(128)
6448 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6449 .Authorization(TAG_CALLER_NONCE)
6450 .Padding(PaddingMode::NONE)));
6451
6452 string message = "12345678901234567890123456789012";
6453
6454 // Don't specify nonce, should get a random one.
6455 AuthorizationSetBuilder params =
6456 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6457 AuthorizationSet out_params;
6458 string ciphertext = EncryptMessage(message, params, &out_params);
6459 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6460 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6461
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6462 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6463 string plaintext = DecryptMessage(ciphertext, params);
6464 EXPECT_EQ(message, plaintext);
6465
6466 // Now specify a nonce, should also work.
6467 params = AuthorizationSetBuilder()
6468 .BlockMode(BlockMode::CBC)
6469 .Padding(PaddingMode::NONE)
6470 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6471 out_params.Clear();
6472 ciphertext = EncryptMessage(message, params, &out_params);
6473
6474 // Decrypt with correct nonce.
6475 plaintext = DecryptMessage(ciphertext, params);
6476 EXPECT_EQ(message, plaintext);
6477
6478 // Try with wrong nonce.
6479 params = AuthorizationSetBuilder()
6480 .BlockMode(BlockMode::CBC)
6481 .Padding(PaddingMode::NONE)
6482 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
6483 plaintext = DecryptMessage(ciphertext, params);
6484 EXPECT_NE(message, plaintext);
6485}
6486
6487/*
6488 * EncryptionOperationsTest.AesCallerNonceProhibited
6489 *
6490 * Verifies that caller-provided nonces are not permitted when not specified in the key
6491 * authorizations.
6492 */
6493TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
6494 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6495 .Authorization(TAG_NO_AUTH_REQUIRED)
6496 .AesEncryptionKey(128)
6497 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
6498 .Padding(PaddingMode::NONE)));
6499
6500 string message = "12345678901234567890123456789012";
6501
6502 // Don't specify nonce, should get a random one.
6503 AuthorizationSetBuilder params =
6504 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6505 AuthorizationSet out_params;
6506 string ciphertext = EncryptMessage(message, params, &out_params);
6507 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6508 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6509
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6510 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6511 string plaintext = DecryptMessage(ciphertext, params);
6512 EXPECT_EQ(message, plaintext);
6513
6514 // Now specify a nonce, should fail
6515 params = AuthorizationSetBuilder()
6516 .BlockMode(BlockMode::CBC)
6517 .Padding(PaddingMode::NONE)
6518 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
6519 out_params.Clear();
6520 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
6521}
6522
6523/*
6524 * EncryptionOperationsTest.AesGcmRoundTripSuccess
6525 *
6526 * Verifies that AES GCM mode works.
6527 */
6528TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
6529 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6530 .Authorization(TAG_NO_AUTH_REQUIRED)
6531 .AesEncryptionKey(128)
6532 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6533 .Padding(PaddingMode::NONE)
6534 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6535
6536 string aad = "foobar";
6537 string message = "123456789012345678901234567890123456";
6538
6539 auto begin_params = AuthorizationSetBuilder()
6540 .BlockMode(BlockMode::GCM)
6541 .Padding(PaddingMode::NONE)
6542 .Authorization(TAG_MAC_LENGTH, 128);
6543
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6544 // Encrypt
6545 AuthorizationSet begin_out_params;
6546 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6547 << "Begin encrypt";
6548 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6549 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6550 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6551 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6552
6553 // Grab nonce
6554 begin_params.push_back(begin_out_params);
6555
6556 // Decrypt.
6557 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6558 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6559 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6560 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6561 EXPECT_EQ(message.length(), plaintext.length());
6562 EXPECT_EQ(message, plaintext);
6563}
6564
6565/*
6566 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
6567 *
6568 * Verifies that AES GCM mode works, even when there's a long delay
6569 * between operations.
6570 */
6571TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
6572 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6573 .Authorization(TAG_NO_AUTH_REQUIRED)
6574 .AesEncryptionKey(128)
6575 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6576 .Padding(PaddingMode::NONE)
6577 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6578
6579 string aad = "foobar";
6580 string message = "123456789012345678901234567890123456";
6581
6582 auto begin_params = AuthorizationSetBuilder()
6583 .BlockMode(BlockMode::GCM)
6584 .Padding(PaddingMode::NONE)
6585 .Authorization(TAG_MAC_LENGTH, 128);
6586
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6587 // Encrypt
6588 AuthorizationSet begin_out_params;
6589 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
6590 << "Begin encrypt";
6591 string ciphertext;
6592 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6593 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6594 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6595 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6596
6597 ASSERT_EQ(ciphertext.length(), message.length() + 16);
6598
6599 // Grab nonce
6600 begin_params.push_back(begin_out_params);
6601
6602 // Decrypt.
6603 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
6604 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6605 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6606 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6607 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6608 sleep(5);
6609 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
6610 EXPECT_EQ(message.length(), plaintext.length());
6611 EXPECT_EQ(message, plaintext);
6612}
6613
6614/*
6615 * EncryptionOperationsTest.AesGcmDifferentNonces
6616 *
6617 * Verifies that encrypting the same data with different nonces produces different outputs.
6618 */
6619TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
6620 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6621 .Authorization(TAG_NO_AUTH_REQUIRED)
6622 .AesEncryptionKey(128)
6623 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6624 .Padding(PaddingMode::NONE)
6625 .Authorization(TAG_MIN_MAC_LENGTH, 128)
6626 .Authorization(TAG_CALLER_NONCE)));
6627
6628 string aad = "foobar";
6629 string message = "123456789012345678901234567890123456";
6630 string nonce1 = "000000000000";
6631 string nonce2 = "111111111111";
6632 string nonce3 = "222222222222";
6633
6634 string ciphertext1 =
6635 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
6636 string ciphertext2 =
6637 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
6638 string ciphertext3 =
6639 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
6640
6641 ASSERT_NE(ciphertext1, ciphertext2);
6642 ASSERT_NE(ciphertext1, ciphertext3);
6643 ASSERT_NE(ciphertext2, ciphertext3);
6644}
6645
6646/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6647 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
6648 *
6649 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
6650 */
6651TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
6652 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6653 .Authorization(TAG_NO_AUTH_REQUIRED)
6654 .AesEncryptionKey(128)
6655 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6656 .Padding(PaddingMode::NONE)
6657 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6658
6659 string aad = "foobar";
6660 string message = "123456789012345678901234567890123456";
6661
6662 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6663 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6664 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6665
6666 ASSERT_NE(ciphertext1, ciphertext2);
6667 ASSERT_NE(ciphertext1, ciphertext3);
6668 ASSERT_NE(ciphertext2, ciphertext3);
6669}
6670
6671/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6672 * EncryptionOperationsTest.AesGcmTooShortTag
6673 *
6674 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
6675 */
6676TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
6677 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6678 .Authorization(TAG_NO_AUTH_REQUIRED)
6679 .AesEncryptionKey(128)
6680 .BlockMode(BlockMode::GCM)
6681 .Padding(PaddingMode::NONE)
6682 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6683 string message = "123456789012345678901234567890123456";
6684 auto params = AuthorizationSetBuilder()
6685 .BlockMode(BlockMode::GCM)
6686 .Padding(PaddingMode::NONE)
6687 .Authorization(TAG_MAC_LENGTH, 96);
6688
6689 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
6690}
6691
6692/*
6693 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
6694 *
6695 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
6696 */
6697TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
6698 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6699 .Authorization(TAG_NO_AUTH_REQUIRED)
6700 .AesEncryptionKey(128)
6701 .BlockMode(BlockMode::GCM)
6702 .Padding(PaddingMode::NONE)
6703 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6704 string aad = "foobar";
6705 string message = "123456789012345678901234567890123456";
6706 auto params = AuthorizationSetBuilder()
6707 .BlockMode(BlockMode::GCM)
6708 .Padding(PaddingMode::NONE)
6709 .Authorization(TAG_MAC_LENGTH, 128);
6710
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6711 // Encrypt
6712 AuthorizationSet begin_out_params;
6713 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6714 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6715 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6716
6717 AuthorizationSet finish_out_params;
6718 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6719 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6720 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6721
6722 params = AuthorizationSetBuilder()
6723 .Authorizations(begin_out_params)
6724 .BlockMode(BlockMode::GCM)
6725 .Padding(PaddingMode::NONE)
6726 .Authorization(TAG_MAC_LENGTH, 96);
6727
6728 // Decrypt.
6729 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
6730}
6731
6732/*
6733 * EncryptionOperationsTest.AesGcmCorruptKey
6734 *
6735 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
6736 */
6737TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
6738 const uint8_t nonce_bytes[] = {
6739 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
6740 };
6741 string nonce = make_string(nonce_bytes);
6742 const uint8_t ciphertext_bytes[] = {
6743 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
6744 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
6745 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
6746 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
6747 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
6748 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
6749 };
6750 string ciphertext = make_string(ciphertext_bytes);
6751
6752 auto params = AuthorizationSetBuilder()
6753 .BlockMode(BlockMode::GCM)
6754 .Padding(PaddingMode::NONE)
6755 .Authorization(TAG_MAC_LENGTH, 128)
6756 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
6757
6758 auto import_params = AuthorizationSetBuilder()
6759 .Authorization(TAG_NO_AUTH_REQUIRED)
6760 .AesEncryptionKey(128)
6761 .BlockMode(BlockMode::GCM)
6762 .Padding(PaddingMode::NONE)
6763 .Authorization(TAG_CALLER_NONCE)
6764 .Authorization(TAG_MIN_MAC_LENGTH, 128);
6765
6766 // Import correct key and decrypt
6767 const uint8_t key_bytes[] = {
6768 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
6769 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
6770 };
6771 string key = make_string(key_bytes);
6772 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6773 string plaintext = DecryptMessage(ciphertext, params);
6774 CheckedDeleteKey();
6775
6776 // Corrupt key and attempt to decrypt
6777 key[0] = 0;
6778 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6779 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
6780 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
6781 CheckedDeleteKey();
6782}
6783
6784/*
6785 * EncryptionOperationsTest.AesGcmAadNoData
6786 *
6787 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
6788 * encrypt.
6789 */
6790TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
6791 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6792 .Authorization(TAG_NO_AUTH_REQUIRED)
6793 .AesEncryptionKey(128)
6794 .BlockMode(BlockMode::GCM)
6795 .Padding(PaddingMode::NONE)
6796 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6797
6798 string aad = "1234567890123456";
6799 auto params = AuthorizationSetBuilder()
6800 .BlockMode(BlockMode::GCM)
6801 .Padding(PaddingMode::NONE)
6802 .Authorization(TAG_MAC_LENGTH, 128);
6803
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6804 // Encrypt
6805 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6806 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6807 string ciphertext;
6808 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6809 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6810 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6811 EXPECT_TRUE(finish_out_params.empty());
6812
6813 // Grab nonce
6814 params.push_back(begin_out_params);
6815
6816 // Decrypt.
6817 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6818 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6819 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6820 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6821
6822 EXPECT_TRUE(finish_out_params.empty());
6823
6824 EXPECT_EQ("", plaintext);
6825}
6826
6827/*
6828 * EncryptionOperationsTest.AesGcmMultiPartAad
6829 *
6830 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
6831 * chunks.
6832 */
6833TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
6834 const size_t tag_bits = 128;
6835 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6836 .Authorization(TAG_NO_AUTH_REQUIRED)
6837 .AesEncryptionKey(128)
6838 .BlockMode(BlockMode::GCM)
6839 .Padding(PaddingMode::NONE)
6840 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6841
6842 string message = "123456789012345678901234567890123456";
6843 auto begin_params = AuthorizationSetBuilder()
6844 .BlockMode(BlockMode::GCM)
6845 .Padding(PaddingMode::NONE)
6846 .Authorization(TAG_MAC_LENGTH, tag_bits);
6847 AuthorizationSet begin_out_params;
6848
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6849 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6850
6851 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6852 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
6853 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6854 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6855 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6856 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6857
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6858 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6859 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6860
6861 // Grab nonce.
6862 begin_params.push_back(begin_out_params);
6863
6864 // Decrypt
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6865 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6866 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6867 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6868 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6869 EXPECT_EQ(message, plaintext);
6870}
6871
6872/*
6873 * EncryptionOperationsTest.AesGcmAadOutOfOrder
6874 *
6875 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
6876 */
6877TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
6878 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6879 .Authorization(TAG_NO_AUTH_REQUIRED)
6880 .AesEncryptionKey(128)
6881 .BlockMode(BlockMode::GCM)
6882 .Padding(PaddingMode::NONE)
6883 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6884
6885 string message = "123456789012345678901234567890123456";
6886 auto begin_params = AuthorizationSetBuilder()
6887 .BlockMode(BlockMode::GCM)
6888 .Padding(PaddingMode::NONE)
6889 .Authorization(TAG_MAC_LENGTH, 128);
6890 AuthorizationSet begin_out_params;
6891
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6892 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6893
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6894 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6895 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6896 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6897 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6898
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6899 // The failure should have already cancelled the operation.
6900 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
6901
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6902 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6903}
6904
6905/*
6906 * EncryptionOperationsTest.AesGcmBadAad
6907 *
6908 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
6909 */
6910TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
6911 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6912 .Authorization(TAG_NO_AUTH_REQUIRED)
6913 .AesEncryptionKey(128)
6914 .BlockMode(BlockMode::GCM)
6915 .Padding(PaddingMode::NONE)
6916 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6917
6918 string message = "12345678901234567890123456789012";
6919 auto begin_params = AuthorizationSetBuilder()
6920 .BlockMode(BlockMode::GCM)
6921 .Padding(PaddingMode::NONE)
6922 .Authorization(TAG_MAC_LENGTH, 128);
6923
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6924 // Encrypt
6925 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6926 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6927 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6928 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6929 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6930
6931 // Grab nonce
6932 begin_params.push_back(begin_out_params);
6933
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6934 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6935 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6936 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6937 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6938 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6939}
6940
6941/*
6942 * EncryptionOperationsTest.AesGcmWrongNonce
6943 *
6944 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
6945 */
6946TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
6947 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6948 .Authorization(TAG_NO_AUTH_REQUIRED)
6949 .AesEncryptionKey(128)
6950 .BlockMode(BlockMode::GCM)
6951 .Padding(PaddingMode::NONE)
6952 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6953
6954 string message = "12345678901234567890123456789012";
6955 auto begin_params = AuthorizationSetBuilder()
6956 .BlockMode(BlockMode::GCM)
6957 .Padding(PaddingMode::NONE)
6958 .Authorization(TAG_MAC_LENGTH, 128);
6959
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6960 // Encrypt
6961 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6962 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6963 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6964 string ciphertext;
6965 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6966 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6967
6968 // Wrong nonce
6969 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
6970
6971 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]6972 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6973 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6974 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6975 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6976
6977 // With wrong nonce, should have gotten garbage plaintext (or none).
6978 EXPECT_NE(message, plaintext);
6979}
6980
6981/*
6982 * EncryptionOperationsTest.AesGcmCorruptTag
6983 *
6984 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
6985 */
6986TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
6987 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6988 .Authorization(TAG_NO_AUTH_REQUIRED)
6989 .AesEncryptionKey(128)
6990 .BlockMode(BlockMode::GCM)
6991 .Padding(PaddingMode::NONE)
6992 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6993
6994 string aad = "1234567890123456";
6995 string message = "123456789012345678901234567890123456";
6996
6997 auto params = AuthorizationSetBuilder()
6998 .BlockMode(BlockMode::GCM)
6999 .Padding(PaddingMode::NONE)
7000 .Authorization(TAG_MAC_LENGTH, 128);
7001
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7002 // Encrypt
7003 AuthorizationSet begin_out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7004 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7005 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7006 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7007 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7008
7009 // Corrupt tag
7010 ++(*ciphertext.rbegin());
7011
7012 // Grab nonce
7013 params.push_back(begin_out_params);
7014
7015 // Decrypt.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7016 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7017 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7018 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7019 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7020}
7021
7022/*
7023 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
7024 *
7025 * Verifies that 3DES is basically functional.
7026 */
7027TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
7028 auto auths = AuthorizationSetBuilder()
7029 .TripleDesEncryptionKey(168)
7030 .BlockMode(BlockMode::ECB)
7031 .Authorization(TAG_NO_AUTH_REQUIRED)
7032 .Padding(PaddingMode::NONE);
7033
7034 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
7035 // Two-block message.
7036 string message = "1234567890123456";
7037 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7038 string ciphertext1 = EncryptMessage(message, inParams);
7039 EXPECT_EQ(message.size(), ciphertext1.size());
7040
7041 string ciphertext2 = EncryptMessage(string(message), inParams);
7042 EXPECT_EQ(message.size(), ciphertext2.size());
7043
7044 // ECB is deterministic.
7045 EXPECT_EQ(ciphertext1, ciphertext2);
7046
7047 string plaintext = DecryptMessage(ciphertext1, inParams);
7048 EXPECT_EQ(message, plaintext);
7049}
7050
7051/*
7052 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
7053 *
7054 * Verifies that CBC keys reject ECB usage.
7055 */
7056TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
7057 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7058 .TripleDesEncryptionKey(168)
7059 .BlockMode(BlockMode::CBC)
7060 .Authorization(TAG_NO_AUTH_REQUIRED)
7061 .Padding(PaddingMode::NONE)));
7062
7063 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7064 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
7065}
7066
7067/*
7068 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
7069 *
7070 * Tests ECB mode with PKCS#7 padding, various message sizes.
7071 */
7072TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
7073 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7074 .TripleDesEncryptionKey(168)
7075 .BlockMode(BlockMode::ECB)
7076 .Authorization(TAG_NO_AUTH_REQUIRED)
7077 .Padding(PaddingMode::PKCS7)));
7078
7079 for (size_t i = 0; i < 32; ++i) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7080 SCOPED_TRACE(testing::Message() << "msg size=" << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7081 string message(i, 'a');
7082 auto inParams =
7083 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7084 string ciphertext = EncryptMessage(message, inParams);
7085 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7086 string plaintext = DecryptMessage(ciphertext, inParams);
7087 EXPECT_EQ(message, plaintext);
7088 }
7089}
7090
7091/*
7092 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
7093 *
7094 * Verifies that keys configured for no padding reject PKCS7 padding
7095 */
7096TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
7097 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7098 .TripleDesEncryptionKey(168)
7099 .BlockMode(BlockMode::ECB)
7100 .Authorization(TAG_NO_AUTH_REQUIRED)
7101 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7102 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
7103 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7104}
7105
7106/*
7107 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
7108 *
7109 * Verifies that corrupted padding is detected.
7110 */
7111TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
7112 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7113 .TripleDesEncryptionKey(168)
7114 .BlockMode(BlockMode::ECB)
7115 .Authorization(TAG_NO_AUTH_REQUIRED)
7116 .Padding(PaddingMode::PKCS7)));
7117
7118 string message = "a";
7119 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
7120 EXPECT_EQ(8U, ciphertext.size());
7121 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7122
7123 AuthorizationSetBuilder begin_params;
7124 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
7125 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7126
7127 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
7128 ++ciphertext[ciphertext.size() / 2];
7129
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7130 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7131 string plaintext;
7132 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7133 ErrorCode error = Finish(&plaintext);
7134 if (error == ErrorCode::INVALID_ARGUMENT) {
7135 // This is the expected error, we can exit the test now.
7136 return;
7137 } else {
7138 // Very small chance we got valid decryption, so try again.
7139 ASSERT_EQ(error, ErrorCode::OK);
7140 }
7141 }
7142 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7143}
7144
7145struct TripleDesTestVector {
7146 const char* name;
7147 const KeyPurpose purpose;
7148 const BlockMode block_mode;
7149 const PaddingMode padding_mode;
7150 const char* key;
7151 const char* iv;
7152 const char* input;
7153 const char* output;
7154};
7155
7156// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
7157// of the NIST vectors are multiples of the block size.
7158static const TripleDesTestVector kTripleDesTestVectors[] = {
7159 {
7160 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7161 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
7162 "", // IV
7163 "329d86bdf1bc5af4", // input
7164 "d946c2756d78633f", // output
7165 },
7166 {
7167 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
7168 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
7169 "", // IV
7170 "6b1540781b01ce1997adae102dbf3c5b", // input
7171 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
7172 },
7173 {
7174 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7175 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
7176 "", // IV
7177 "6daad94ce08acfe7", // input
7178 "660e7d32dcc90e79", // output
7179 },
7180 {
7181 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
7182 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
7183 "", // IV
7184 "e9653a0a1f05d31b9acd12d73aa9879d", // input
7185 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
7186 },
7187 {
7188 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7189 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
7190 "43f791134c5647ba", // IV
7191 "dcc153cef81d6f24", // input
7192 "92538bd8af18d3ba", // output
7193 },
7194 {
7195 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
7196 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7197 "c2e999cb6249023c", // IV
7198 "c689aee38a301bb316da75db36f110b5", // input
7199 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
7200 },
7201 {
7202 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
7203 PaddingMode::PKCS7,
7204 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7205 "c2e999cb6249023c", // IV
7206 "c689aee38a301bb316da75db36f110b500", // input
7207 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
7208 },
7209 {
7210 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
7211 PaddingMode::PKCS7,
7212 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
7213 "c2e999cb6249023c", // IV
7214 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
7215 "c689aee38a301bb316da75db36f110b500", // output
7216 },
7217 {
7218 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7219 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
7220 "41746c7e442d3681", // IV
7221 "c53a7b0ec40600fe", // input
7222 "d4f00eb455de1034", // output
7223 },
7224 {
7225 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
7226 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
7227 "3982bc02c3727d45", // IV
7228 "6006f10adef52991fcc777a1238bbb65", // input
7229 "edae09288e9e3bc05746d872b48e3b29", // output
7230 },
7231};
7232
7233/*
7234 * EncryptionOperationsTest.TripleDesTestVector
7235 *
7236 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
7237 */
7238TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
7239 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
7240 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
7241 SCOPED_TRACE(test->name);
7242 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
7243 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
7244 hex2str(test->output));
7245 }
7246}
7247
7248/*
7249 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
7250 *
7251 * Validates CBC mode functionality.
7252 */
7253TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
7254 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7255 .TripleDesEncryptionKey(168)
7256 .BlockMode(BlockMode::CBC)
7257 .Authorization(TAG_NO_AUTH_REQUIRED)
7258 .Padding(PaddingMode::NONE)));
7259
7260 ASSERT_GT(key_blob_.size(), 0U);
7261
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7262 // Four-block message.
7263 string message = "12345678901234561234567890123456";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7264 vector<uint8_t> iv1;
7265 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
7266 EXPECT_EQ(message.size(), ciphertext1.size());
7267
7268 vector<uint8_t> iv2;
7269 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
7270 EXPECT_EQ(message.size(), ciphertext2.size());
7271
7272 // IVs should be random, so ciphertexts should differ.
7273 EXPECT_NE(iv1, iv2);
7274 EXPECT_NE(ciphertext1, ciphertext2);
7275
7276 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
7277 EXPECT_EQ(message, plaintext);
7278}
7279
7280/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7281 * EncryptionOperationsTest.TripleDesInvalidCallerIv
7282 *
7283 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
7284 */
7285TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
7286 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7287 .TripleDesEncryptionKey(168)
7288 .BlockMode(BlockMode::CBC)
7289 .Authorization(TAG_NO_AUTH_REQUIRED)
7290 .Authorization(TAG_CALLER_NONCE)
7291 .Padding(PaddingMode::NONE)));
7292 auto params = AuthorizationSetBuilder()
7293 .BlockMode(BlockMode::CBC)
7294 .Padding(PaddingMode::NONE)
7295 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
7296 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
7297}
7298
7299/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7300 * EncryptionOperationsTest.TripleDesCallerIv
7301 *
7302 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
7303 */
7304TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
7305 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7306 .TripleDesEncryptionKey(168)
7307 .BlockMode(BlockMode::CBC)
7308 .Authorization(TAG_NO_AUTH_REQUIRED)
7309 .Authorization(TAG_CALLER_NONCE)
7310 .Padding(PaddingMode::NONE)));
7311 string message = "1234567890123456";
7312 vector<uint8_t> iv;
7313 // Don't specify IV, should get a random one.
7314 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7315 EXPECT_EQ(message.size(), ciphertext1.size());
7316 EXPECT_EQ(8U, iv.size());
7317
7318 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7319 EXPECT_EQ(message, plaintext);
7320
7321 // Now specify an IV, should also work.
7322 iv = AidlBuf("abcdefgh");
7323 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
7324
7325 // Decrypt with correct IV.
7326 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
7327 EXPECT_EQ(message, plaintext);
7328
7329 // Now try with wrong IV.
7330 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
7331 EXPECT_NE(message, plaintext);
7332}
7333
7334/*
7335 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
7336 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7337 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7338 */
7339TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
7340 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7341 .TripleDesEncryptionKey(168)
7342 .BlockMode(BlockMode::CBC)
7343 .Authorization(TAG_NO_AUTH_REQUIRED)
7344 .Padding(PaddingMode::NONE)));
7345
7346 string message = "12345678901234567890123456789012";
7347 vector<uint8_t> iv;
7348 // Don't specify nonce, should get a random one.
7349 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
7350 EXPECT_EQ(message.size(), ciphertext1.size());
7351 EXPECT_EQ(8U, iv.size());
7352
7353 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
7354 EXPECT_EQ(message, plaintext);
7355
7356 // Now specify a nonce, should fail.
7357 auto input_params = AuthorizationSetBuilder()
7358 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
7359 .BlockMode(BlockMode::CBC)
7360 .Padding(PaddingMode::NONE);
7361 AuthorizationSet output_params;
7362 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
7363 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
7364}
7365
7366/*
7367 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
7368 *
7369 * Verifies that 3DES ECB-only keys do not allow CBC usage.
7370 */
7371TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
7372 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7373 .TripleDesEncryptionKey(168)
7374 .BlockMode(BlockMode::ECB)
7375 .Authorization(TAG_NO_AUTH_REQUIRED)
7376 .Padding(PaddingMode::NONE)));
7377 // Two-block message.
7378 string message = "1234567890123456";
7379 auto begin_params =
7380 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7381 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7382}
7383
7384/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7385 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7386 *
7387 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
7388 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7389TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
7390 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7391 SCOPED_TRACE(testing::Message() << "BlockMode::" << blockMode);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7392 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7393 .TripleDesEncryptionKey(168)
7394 .BlockMode(blockMode)
7395 .Authorization(TAG_NO_AUTH_REQUIRED)
7396 .Padding(PaddingMode::NONE)));
7397 // Message is slightly shorter than two blocks.
7398 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7399
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7400 auto begin_params =
7401 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
7402 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7403 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7404 string ciphertext;
7405 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
7406
7407 CheckedDeleteKey();
7408 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7409}
7410
7411/*
7412 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
7413 *
7414 * Verifies that PKCS7 padding works correctly in CBC mode.
7415 */
7416TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
7417 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7418 .TripleDesEncryptionKey(168)
7419 .BlockMode(BlockMode::CBC)
7420 .Authorization(TAG_NO_AUTH_REQUIRED)
7421 .Padding(PaddingMode::PKCS7)));
7422
7423 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7424 for (size_t i = 0; i <= 32; i++) {
7425 SCOPED_TRACE(testing::Message() << "i = " << i);
7426 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character, albeit not for 3DES.
7427 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7428 vector<uint8_t> iv;
7429 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7430 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
7431 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
7432 EXPECT_EQ(message, plaintext);
7433 }
7434}
7435
7436/*
7437 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
7438 *
7439 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
7440 */
7441TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
7442 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7443 .TripleDesEncryptionKey(168)
7444 .BlockMode(BlockMode::CBC)
7445 .Authorization(TAG_NO_AUTH_REQUIRED)
7446 .Padding(PaddingMode::NONE)));
7447
7448 // Try various message lengths; all should fail.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7449 for (size_t i = 0; i <= 32; i++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]7450 SCOPED_TRACE(testing::Message() << "i = " << i);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7451 auto begin_params =
7452 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
7453 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
7454 }
7455}
7456
7457/*
7458 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
7459 *
7460 * Verifies that corrupted PKCS7 padding is rejected during decryption.
7461 */
7462TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
7463 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7464 .TripleDesEncryptionKey(168)
7465 .BlockMode(BlockMode::CBC)
7466 .Authorization(TAG_NO_AUTH_REQUIRED)
7467 .Padding(PaddingMode::PKCS7)));
7468
7469 string message = "a";
7470 vector<uint8_t> iv;
7471 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
7472 EXPECT_EQ(8U, ciphertext.size());
7473 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7474
7475 auto begin_params = AuthorizationSetBuilder()
7476 .BlockMode(BlockMode::CBC)
7477 .Padding(PaddingMode::PKCS7)
7478 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7479
7480 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]7481 SCOPED_TRACE(testing::Message() << "i = " << i);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7482 ++ciphertext[ciphertext.size() / 2];
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7483 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]7484 string plaintext;
7485 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
7486 ErrorCode error = Finish(&plaintext);
7487 if (error == ErrorCode::INVALID_ARGUMENT) {
7488 // This is the expected error, we can exit the test now.
7489 return;
7490 } else {
7491 // Very small chance we got valid decryption, so try again.
7492 ASSERT_EQ(error, ErrorCode::OK);
7493 }
7494 }
7495 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7496}
7497
7498/*
7499 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
7500 *
7501 * Verifies that 3DES CBC works with many different input sizes.
7502 */
7503TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
7504 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7505 .TripleDesEncryptionKey(168)
7506 .BlockMode(BlockMode::CBC)
7507 .Authorization(TAG_NO_AUTH_REQUIRED)
7508 .Padding(PaddingMode::NONE)));
7509
7510 int increment = 7;
7511 string message(240, 'a');
7512 AuthorizationSet input_params =
7513 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
7514 AuthorizationSet output_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7515 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7516
7517 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7518 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7519 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7520 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
7521 EXPECT_EQ(message.size(), ciphertext.size());
7522
7523 // Move TAG_NONCE into input_params
7524 input_params = output_params;
7525 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
7526 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
7527 output_params.Clear();
7528
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7529 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7530 string plaintext;
7531 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]7532 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7533 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
7534 EXPECT_EQ(ciphertext.size(), plaintext.size());
7535 EXPECT_EQ(message, plaintext);
7536}
7537
7538INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
7539
7540typedef KeyMintAidlTestBase MaxOperationsTest;
7541
7542/*
7543 * MaxOperationsTest.TestLimitAes
7544 *
7545 * Verifies that the max uses per boot tag works correctly with AES keys.
7546 */
7547TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7548 if (SecLevel() == SecurityLevel::STRONGBOX) {
7549 GTEST_SKIP() << "Test not applicable to StrongBox device";
7550 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7551
7552 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7553 .Authorization(TAG_NO_AUTH_REQUIRED)
7554 .AesEncryptionKey(128)
7555 .EcbMode()
7556 .Padding(PaddingMode::NONE)
7557 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
7558
7559 string message = "1234567890123456";
7560
7561 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7562
7563 EncryptMessage(message, params);
7564 EncryptMessage(message, params);
7565 EncryptMessage(message, params);
7566
7567 // Fourth time should fail.
7568 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
7569}
7570
7571/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7572 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7573 *
7574 * Verifies that the max uses per boot tag works correctly with RSA keys.
7575 */
7576TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7577 if (SecLevel() == SecurityLevel::STRONGBOX) {
7578 GTEST_SKIP() << "Test not applicable to StrongBox device";
7579 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7580
7581 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7582 .Authorization(TAG_NO_AUTH_REQUIRED)
7583 .RsaSigningKey(1024, 65537)
7584 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7585 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
7586 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7587
7588 string message = "1234567890123456";
7589
7590 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7591
7592 SignMessage(message, params);
7593 SignMessage(message, params);
7594 SignMessage(message, params);
7595
7596 // Fourth time should fail.
7597 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
7598}
7599
7600INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
7601
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7602typedef KeyMintAidlTestBase UsageCountLimitTest;
7603
7604/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7605 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7606 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7607 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7608 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7609TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7610 if (SecLevel() == SecurityLevel::STRONGBOX) {
7611 GTEST_SKIP() << "Test not applicable to StrongBox device";
7612 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7613
7614 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7615 .Authorization(TAG_NO_AUTH_REQUIRED)
7616 .AesEncryptionKey(128)
7617 .EcbMode()
7618 .Padding(PaddingMode::NONE)
7619 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
7620
7621 // Check the usage count limit tag appears in the authorizations.
7622 AuthorizationSet auths;
7623 for (auto& entry : key_characteristics_) {
7624 auths.push_back(AuthorizationSet(entry.authorizations));
7625 }
7626 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7627 << "key usage count limit " << 1U << " missing";
7628
7629 string message = "1234567890123456";
7630 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7631
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7632 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7633 AuthorizationSet keystore_auths =
7634 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7635
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7636 // First usage of AES key should work.
7637 EncryptMessage(message, params);
7638
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7639 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7640 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7641 // must be invalidated from secure storage (such as RPMB partition).
7642 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7643 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7644 // Usage count limit tag is enforced by keystore, keymint does nothing.
7645 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7646 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7647 }
7648}
7649
7650/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7651 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7652 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7653 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7654 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7655TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7656 if (SecLevel() == SecurityLevel::STRONGBOX) {
7657 GTEST_SKIP() << "Test not applicable to StrongBox device";
7658 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7659
7660 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7661 .Authorization(TAG_NO_AUTH_REQUIRED)
7662 .AesEncryptionKey(128)
7663 .EcbMode()
7664 .Padding(PaddingMode::NONE)
7665 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
7666
7667 // Check the usage count limit tag appears in the authorizations.
7668 AuthorizationSet auths;
7669 for (auto& entry : key_characteristics_) {
7670 auths.push_back(AuthorizationSet(entry.authorizations));
7671 }
7672 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7673 << "key usage count limit " << 3U << " missing";
7674
7675 string message = "1234567890123456";
7676 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7677
7678 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7679 AuthorizationSet keystore_auths =
7680 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7681
7682 EncryptMessage(message, params);
7683 EncryptMessage(message, params);
7684 EncryptMessage(message, params);
7685
7686 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7687 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7688 // must be invalidated from secure storage (such as RPMB partition).
7689 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7690 } else {
7691 // Usage count limit tag is enforced by keystore, keymint does nothing.
7692 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7693 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7694 }
7695}
7696
7697/*
7698 * UsageCountLimitTest.TestSingleUseRsa
7699 *
7700 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
7701 */
7702TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7703 if (SecLevel() == SecurityLevel::STRONGBOX) {
7704 GTEST_SKIP() << "Test not applicable to StrongBox device";
7705 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7706
7707 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7708 .Authorization(TAG_NO_AUTH_REQUIRED)
7709 .RsaSigningKey(1024, 65537)
7710 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7711 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7712 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7713
7714 // Check the usage count limit tag appears in the authorizations.
7715 AuthorizationSet auths;
7716 for (auto& entry : key_characteristics_) {
7717 auths.push_back(AuthorizationSet(entry.authorizations));
7718 }
7719 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7720 << "key usage count limit " << 1U << " missing";
7721
7722 string message = "1234567890123456";
7723 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7724
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7725 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7726 AuthorizationSet keystore_auths =
7727 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7728
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7729 // First usage of RSA key should work.
7730 SignMessage(message, params);
7731
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7732 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7733 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7734 // must be invalidated from secure storage (such as RPMB partition).
7735 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7736 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7737 // Usage count limit tag is enforced by keystore, keymint does nothing.
7738 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7739 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7740 }
7741}
7742
7743/*
7744 * UsageCountLimitTest.TestLimitUseRsa
7745 *
7746 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
7747 */
7748TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7749 if (SecLevel() == SecurityLevel::STRONGBOX) {
7750 GTEST_SKIP() << "Test not applicable to StrongBox device";
7751 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7752
7753 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7754 .Authorization(TAG_NO_AUTH_REQUIRED)
7755 .RsaSigningKey(1024, 65537)
7756 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7757 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
7758 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7759
7760 // Check the usage count limit tag appears in the authorizations.
7761 AuthorizationSet auths;
7762 for (auto& entry : key_characteristics_) {
7763 auths.push_back(AuthorizationSet(entry.authorizations));
7764 }
7765 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7766 << "key usage count limit " << 3U << " missing";
7767
7768 string message = "1234567890123456";
7769 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7770
7771 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7772 AuthorizationSet keystore_auths =
7773 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7774
7775 SignMessage(message, params);
7776 SignMessage(message, params);
7777 SignMessage(message, params);
7778
7779 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7780 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7781 // must be invalidated from secure storage (such as RPMB partition).
7782 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7783 } else {
7784 // Usage count limit tag is enforced by keystore, keymint does nothing.
7785 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]7786 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7787 }
7788}
7789
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7790/*
7791 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
7792 *
7793 * Verifies that when rollback resistance is supported by the KeyMint implementation with
7794 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
7795 * in hardware.
7796 */
7797TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7798 auto error = GenerateKey(AuthorizationSetBuilder()
7799 .RsaSigningKey(2048, 65537)
7800 .Digest(Digest::NONE)
7801 .Padding(PaddingMode::NONE)
7802 .Authorization(TAG_NO_AUTH_REQUIRED)
7803 .Authorization(TAG_ROLLBACK_RESISTANCE)
7804 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7805 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7806 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7807 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7808
7809 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
7810 ASSERT_EQ(ErrorCode::OK, error);
7811 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7812 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
7813 ASSERT_EQ(ErrorCode::OK, DeleteKey());
7814
7815 // The KeyMint should also enforce single use key in hardware when it supports rollback
7816 // resistance.
7817 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7818 .Authorization(TAG_NO_AUTH_REQUIRED)
7819 .RsaSigningKey(1024, 65537)
7820 .NoDigestOrPadding()
7821 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7822 .SetDefaultValidity()));
7823
7824 // Check the usage count limit tag appears in the hardware authorizations.
7825 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7826 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7827 << "key usage count limit " << 1U << " missing";
7828
7829 string message = "1234567890123456";
7830 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7831
7832 // First usage of RSA key should work.
7833 SignMessage(message, params);
7834
7835 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7836 // must be invalidated from secure storage (such as RPMB partition).
7837 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7838}
7839
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7840INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
7841
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7842typedef KeyMintAidlTestBase GetHardwareInfoTest;
7843
7844TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
7845 // Retrieving hardware info should give the same result each time.
7846 KeyMintHardwareInfo info;
7847 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
7848 KeyMintHardwareInfo info2;
7849 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
7850 EXPECT_EQ(info, info2);
7851}
7852
7853INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
7854
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7855typedef KeyMintAidlTestBase AddEntropyTest;
7856
7857/*
7858 * AddEntropyTest.AddEntropy
7859 *
7860 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
7861 * is actually added.
7862 */
7863TEST_P(AddEntropyTest, AddEntropy) {
7864 string data = "foo";
7865 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
7866}
7867
7868/*
7869 * AddEntropyTest.AddEmptyEntropy
7870 *
7871 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
7872 */
7873TEST_P(AddEntropyTest, AddEmptyEntropy) {
7874 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
7875}
7876
7877/*
7878 * AddEntropyTest.AddLargeEntropy
7879 *
7880 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
7881 */
7882TEST_P(AddEntropyTest, AddLargeEntropy) {
7883 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
7884}
7885
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]7886/*
7887 * AddEntropyTest.AddTooLargeEntropy
7888 *
7889 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
7890 */
7891TEST_P(AddEntropyTest, AddTooLargeEntropy) {
7892 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
7893 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
7894}
7895
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7896INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
7897
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7898typedef KeyMintAidlTestBase KeyDeletionTest;
7899
7900/**
7901 * KeyDeletionTest.DeleteKey
7902 *
7903 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
7904 * valid key blob.
7905 */
7906TEST_P(KeyDeletionTest, DeleteKey) {
7907 auto error = GenerateKey(AuthorizationSetBuilder()
7908 .RsaSigningKey(2048, 65537)
7909 .Digest(Digest::NONE)
7910 .Padding(PaddingMode::NONE)
7911 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7912 .Authorization(TAG_ROLLBACK_RESISTANCE)
7913 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7914 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7915 GTEST_SKIP() << "Rollback resistance not supported";
7916 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7917
7918 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7919 ASSERT_EQ(ErrorCode::OK, error);
7920 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7921 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7922
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7923 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7924
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7925 string message = "12345678901234567890123456789012";
7926 AuthorizationSet begin_out_params;
7927 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
7928 Begin(KeyPurpose::SIGN, key_blob_,
7929 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
7930 &begin_out_params));
7931 AbortIfNeeded();
7932 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7933}
7934
7935/**
7936 * KeyDeletionTest.DeleteInvalidKey
7937 *
7938 * This test checks that the HAL excepts invalid key blobs..
7939 */
7940TEST_P(KeyDeletionTest, DeleteInvalidKey) {
7941 // Generate key just to check if rollback protection is implemented
7942 auto error = GenerateKey(AuthorizationSetBuilder()
7943 .RsaSigningKey(2048, 65537)
7944 .Digest(Digest::NONE)
7945 .Padding(PaddingMode::NONE)
7946 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7947 .Authorization(TAG_ROLLBACK_RESISTANCE)
7948 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7949 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7950 GTEST_SKIP() << "Rollback resistance not supported";
7951 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7952
7953 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7954 ASSERT_EQ(ErrorCode::OK, error);
7955 AuthorizationSet enforced(SecLevelAuthorizations());
7956 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7957
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7958 // Delete the key we don't care about the result at this point.
7959 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7960
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7961 // Now create an invalid key blob and delete it.
7962 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7963
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7964 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7965}
7966
7967/**
7968 * KeyDeletionTest.DeleteAllKeys
7969 *
7970 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
7971 *
7972 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
7973 * FBE/FDE encryption keys, which means that the device will not even boot until after the
7974 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
7975 * been provisioned. Use this test only on dedicated testing devices that have no valuable
7976 * credentials stored in Keystore/Keymint.
7977 */
7978TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7979 if (!arm_deleteAllKeys) {
7980 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
7981 return;
7982 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7983 auto error = GenerateKey(AuthorizationSetBuilder()
7984 .RsaSigningKey(2048, 65537)
7985 .Digest(Digest::NONE)
7986 .Padding(PaddingMode::NONE)
7987 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]7988 .Authorization(TAG_ROLLBACK_RESISTANCE)
7989 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7990 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7991 GTEST_SKIP() << "Rollback resistance not supported";
7992 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7993
7994 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7995 ASSERT_EQ(ErrorCode::OK, error);
7996 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7997 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7998
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7999 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8000
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8001 string message = "12345678901234567890123456789012";
8002 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8003
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]8004 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
8005 Begin(KeyPurpose::SIGN, key_blob_,
8006 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
8007 &begin_out_params));
8008 AbortIfNeeded();
8009 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8010}
8011
8012INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
8013
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8014typedef KeyMintAidlTestBase KeyUpgradeTest;
8015
8016/**
8017 * KeyUpgradeTest.UpgradeInvalidKey
8018 *
8019 * This test checks that the HAL excepts invalid key blobs..
8020 */
8021TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
8022 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
8023
8024 std::vector<uint8_t> new_blob;
8025 Status result = keymint_->upgradeKey(key_blob,
8026 AuthorizationSetBuilder()
8027 .Authorization(TAG_APPLICATION_ID, "clientid")
8028 .Authorization(TAG_APPLICATION_DATA, "appdata")
8029 .vector_data(),
8030 &new_blob);
8031 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
8032}
8033
8034INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
8035
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8036using UpgradeKeyTest = KeyMintAidlTestBase;
8037
8038/*
8039 * UpgradeKeyTest.UpgradeKey
8040 *
8041 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
8042 */
8043TEST_P(UpgradeKeyTest, UpgradeKey) {
8044 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8045 .AesEncryptionKey(128)
8046 .Padding(PaddingMode::NONE)
8047 .Authorization(TAG_NO_AUTH_REQUIRED)));
8048
8049 auto result = UpgradeKey(key_blob_);
8050
8051 // Key doesn't need upgrading. Should get okay, but no new key blob.
8052 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
8053}
8054
8055INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
8056
8057using ClearOperationsTest = KeyMintAidlTestBase;
8058
8059/*
8060 * ClearSlotsTest.TooManyOperations
8061 *
8062 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
8063 * operations are started without being finished or aborted. Also verifies
8064 * that aborting the operations clears the operations.
8065 *
8066 */
8067TEST_P(ClearOperationsTest, TooManyOperations) {
8068 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8069 .Authorization(TAG_NO_AUTH_REQUIRED)
8070 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]8071 .Padding(PaddingMode::NONE)
8072 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8073
8074 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
8075 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8076 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8077 AuthorizationSet out_params;
8078 ErrorCode result;
8079 size_t i;
8080
8081 for (i = 0; i < max_operations; i++) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8082 result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8083 if (ErrorCode::OK != result) {
8084 break;
8085 }
8086 }
8087 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
8088 // Try again just in case there's a weird overflow bug
8089 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8090 Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8091 for (size_t j = 0; j < i; j++) {
8092 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
8093 << "Aboort failed for i = " << j << std::endl;
8094 }
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8095 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8096 AbortIfNeeded();
8097}
8098
8099INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
8100
8101typedef KeyMintAidlTestBase TransportLimitTest;
8102
8103/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]8104 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8105 *
8106 * Verifies that passing input data to finish succeeds as expected.
8107 */
8108TEST_P(TransportLimitTest, LargeFinishInput) {
8109 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8110 .Authorization(TAG_NO_AUTH_REQUIRED)
8111 .AesEncryptionKey(128)
8112 .BlockMode(BlockMode::ECB)
8113 .Padding(PaddingMode::NONE)));
8114
8115 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8116 SCOPED_TRACE(testing::Message() << "msg_size = " << msg_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8117 auto cipher_params =
8118 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
8119
8120 AuthorizationSet out_params;
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8121 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8122
8123 string plain_message = std::string(1 << msg_size, 'x');
8124 string encrypted_message;
8125 auto rc = Finish(plain_message, &encrypted_message);
8126
8127 EXPECT_EQ(ErrorCode::OK, rc);
8128 EXPECT_EQ(plain_message.size(), encrypted_message.size())
8129 << "Encrypt finish returned OK, but did not consume all of the given input";
8130 cipher_params.push_back(out_params);
8131
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8132 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8133
8134 string decrypted_message;
8135 rc = Finish(encrypted_message, &decrypted_message);
8136 EXPECT_EQ(ErrorCode::OK, rc);
8137 EXPECT_EQ(plain_message.size(), decrypted_message.size())
8138 << "Decrypt finish returned OK, did not consume all of the given input";
8139 }
8140}
8141
8142INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
8143
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8144static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8145 switch (curve) {
8146 case EcCurve::P_224:
8147 return NID_secp224r1;
8148 case EcCurve::P_256:
8149 return NID_X9_62_prime256v1;
8150 case EcCurve::P_384:
8151 return NID_secp384r1;
8152 case EcCurve::P_521:
8153 return NID_secp521r1;
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]8154 case EcCurve::CURVE_25519:
8155 return NID_X25519;
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8156 }
8157}
8158
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8159class KeyAgreementTest : public KeyMintAidlTestBase {
8160 protected:
8161 void GenerateLocalEcKey(EcCurve localCurve, EVP_PKEY_Ptr* localPrivKey,
8162 std::vector<uint8_t>* localPublicKey) {
8163 // Generate EC key locally (with access to private key material)
8164 if (localCurve == EcCurve::CURVE_25519) {
8165 uint8_t privKeyData[32];
8166 uint8_t pubKeyData[32];
8167 X25519_keypair(pubKeyData, privKeyData);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8168 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new_raw_private_key(
8169 EVP_PKEY_X25519, nullptr, privKeyData, sizeof(privKeyData)));
8170 } else {
8171 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
8172 int curveName = EcdhCurveToOpenSslCurveName(localCurve);
8173 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
8174 ASSERT_NE(group, nullptr);
8175 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
8176 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
8177 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new());
8178 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(localPrivKey->get(), ecKey.get()), 1);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8179 }
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8180
8181 // Get encoded form of the public part of the locally generated key...
8182 unsigned char* p = nullptr;
8183 int localPublicKeySize = i2d_PUBKEY(localPrivKey->get(), &p);
8184 ASSERT_GT(localPublicKeySize, 0);
8185 *localPublicKey = vector<uint8_t>(reinterpret_cast<const uint8_t*>(p),
8186 reinterpret_cast<const uint8_t*>(p + localPublicKeySize));
8187 OPENSSL_free(p);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8188 }
8189
8190 void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
8191 vector<uint8_t> challenge = {0x41, 0x42};
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]8192 auto builder = AuthorizationSetBuilder()
8193 .Authorization(TAG_NO_AUTH_REQUIRED)
8194 .Authorization(TAG_EC_CURVE, curve)
8195 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8196 .Authorization(TAG_ALGORITHM, Algorithm::EC)
8197 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
8198 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
8199 .SetDefaultValidity();
8200 ErrorCode result = GenerateKey(builder);
8201
8202 if (SecLevel() == SecurityLevel::STRONGBOX) {
8203 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
8204 result = GenerateKeyWithSelfSignedAttestKey(
8205 AuthorizationSetBuilder()
8206 .EcdsaKey(EcCurve::P_256)
8207 .AttestKey()
8208 .SetDefaultValidity(), /* attest key params */
8209 builder, &key_blob_, &key_characteristics_, &cert_chain_);
8210 }
8211 }
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8212 ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
8213 ASSERT_GT(cert_chain_.size(), 0);
8214 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8215 ASSERT_NE(kmKeyCert, nullptr);
8216 // Check that keyAgreement (bit 4) is set in KeyUsage
8217 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
8218 *kmPubKey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
8219 ASSERT_NE(*kmPubKey, nullptr);
8220 if (dump_Attestations) {
8221 for (size_t n = 0; n < cert_chain_.size(); n++) {
8222 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
8223 }
8224 }
8225 }
8226
8227 void CheckAgreement(EVP_PKEY_Ptr kmPubKey, EVP_PKEY_Ptr localPrivKey,
8228 const std::vector<uint8_t>& localPublicKey) {
8229 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8230 string ZabFromKeyMintStr;
8231 ASSERT_EQ(ErrorCode::OK,
8232 Finish(string(localPublicKey.begin(), localPublicKey.end()), &ZabFromKeyMintStr));
8233 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
8234 vector<uint8_t> ZabFromTest;
8235
8236 if (EVP_PKEY_id(kmPubKey.get()) == EVP_PKEY_X25519) {
8237 size_t kmPubKeySize = 32;
8238 uint8_t kmPubKeyData[32];
8239 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8240 ASSERT_EQ(kmPubKeySize, 32);
8241
8242 uint8_t localPrivKeyData[32];
8243 size_t localPrivKeySize = 32;
8244 ASSERT_EQ(1, EVP_PKEY_get_raw_private_key(localPrivKey.get(), localPrivKeyData,
8245 &localPrivKeySize));
8246 ASSERT_EQ(localPrivKeySize, 32);
8247
8248 uint8_t sharedKey[32];
8249 ASSERT_EQ(1, X25519(sharedKey, localPrivKeyData, kmPubKeyData));
8250 ZabFromTest = std::vector<uint8_t>(sharedKey, sharedKey + 32);
8251 } else {
8252 // Perform local ECDH between the two keys so we can check if we get the same Zab..
8253 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(localPrivKey.get(), nullptr));
8254 ASSERT_NE(ctx, nullptr);
8255 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
8256 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPubKey.get()), 1);
8257 size_t ZabFromTestLen = 0;
8258 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
8259 ZabFromTest.resize(ZabFromTestLen);
8260 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
8261 }
8262 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
8263 }
8264};
8265
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8266/*
8267 * KeyAgreementTest.Ecdh
8268 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8269 * Verifies that ECDH works for all required curves
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8270 */
8271TEST_P(KeyAgreementTest, Ecdh) {
8272 // Because it's possible to use this API with keys on different curves, we
8273 // check all N^2 combinations where N is the number of supported
8274 // curves.
8275 //
8276 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
8277 // lot more curves we can be smart about things and just pick |otherCurve| so
8278 // it's not |curve| and that way we end up with only 2*N runs
8279 //
8280 for (auto curve : ValidCurves()) {
8281 for (auto localCurve : ValidCurves()) {
David Drysdalea410b772022-05-09 16:44:13 +0100[diff] [blame]8282 SCOPED_TRACE(testing::Message()
8283 << "local-curve-" << localCurve << "-keymint-curve-" << curve);
8284
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8285 // Generate EC key locally (with access to private key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8286 EVP_PKEY_Ptr localPrivKey;
8287 vector<uint8_t> localPublicKey;
8288 GenerateLocalEcKey(localCurve, &localPrivKey, &localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8289
8290 // Generate EC key in KeyMint (only access to public key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8291 EVP_PKEY_Ptr kmPubKey;
8292 GenerateKeyMintEcKey(curve, &kmPubKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8293
8294 // Now that we have the two keys, we ask KeyMint to perform ECDH...
8295 if (curve != localCurve) {
8296 // If the keys are using different curves KeyMint should fail with
8297 // ErrorCode:INVALID_ARGUMENT. Check that.
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8298 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8299 string ZabFromKeyMintStr;
8300 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8301 Finish(string(localPublicKey.begin(), localPublicKey.end()),
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8302 &ZabFromKeyMintStr));
8303
8304 } else {
8305 // Otherwise if the keys are using the same curve, it should work.
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8306 CheckAgreement(std::move(kmPubKey), std::move(localPrivKey), localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8307 }
8308
8309 CheckedDeleteKey();
8310 }
8311 }
8312}
8313
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8314/*
8315 * KeyAgreementTest.EcdhCurve25519
8316 *
8317 * Verifies that ECDH works for curve25519. This is also covered by the general
8318 * KeyAgreementTest.Ecdh case, but is pulled out separately here because this curve was added after
8319 * KeyMint 1.0.
8320 */
8321TEST_P(KeyAgreementTest, EcdhCurve25519) {
8322 if (!Curve25519Supported()) {
8323 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8324 }
8325
8326 // Generate EC key in KeyMint (only access to public key material)
8327 EcCurve curve = EcCurve::CURVE_25519;
8328 EVP_PKEY_Ptr kmPubKey = nullptr;
8329 GenerateKeyMintEcKey(curve, &kmPubKey);
8330
8331 // Generate EC key on same curve locally (with access to private key material).
8332 EVP_PKEY_Ptr privKey;
8333 vector<uint8_t> encodedPublicKey;
8334 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8335
8336 // Agree on a key between local and KeyMint and check it.
8337 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8338
8339 CheckedDeleteKey();
8340}
8341
8342/*
8343 * KeyAgreementTest.EcdhCurve25519Imported
8344 *
8345 * Verifies that ECDH works for an imported curve25519 key.
8346 */
8347TEST_P(KeyAgreementTest, EcdhCurve25519Imported) {
8348 if (!Curve25519Supported()) {
8349 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8350 }
8351
8352 // Import x25519 key into KeyMint.
8353 EcCurve curve = EcCurve::CURVE_25519;
8354 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
8355 .Authorization(TAG_NO_AUTH_REQUIRED)
8356 .EcdsaKey(EcCurve::CURVE_25519)
8357 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
8358 .SetDefaultValidity(),
8359 KeyFormat::PKCS8, x25519_pkcs8_key));
8360 ASSERT_GT(cert_chain_.size(), 0);
8361 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
8362 ASSERT_NE(kmKeyCert, nullptr);
8363 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
8364 ASSERT_NE(kmPubKey.get(), nullptr);
8365
8366 // Expect the import to emit corresponding public key data.
8367 size_t kmPubKeySize = 32;
8368 uint8_t kmPubKeyData[32];
8369 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
8370 ASSERT_EQ(kmPubKeySize, 32);
8371 EXPECT_EQ(bin2hex(std::vector<uint8_t>(kmPubKeyData, kmPubKeyData + 32)),
8372 bin2hex(std::vector<uint8_t>(x25519_pubkey.begin(), x25519_pubkey.end())));
8373
8374 // Generate EC key on same curve locally (with access to private key material).
8375 EVP_PKEY_Ptr privKey;
8376 vector<uint8_t> encodedPublicKey;
8377 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8378
8379 // Agree on a key between local and KeyMint and check it.
8380 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
8381
8382 CheckedDeleteKey();
8383}
8384
8385/*
8386 * KeyAgreementTest.EcdhCurve25519InvalidSize
8387 *
8388 * Verifies that ECDH fails for curve25519 if the wrong size of public key is provided.
8389 */
8390TEST_P(KeyAgreementTest, EcdhCurve25519InvalidSize) {
8391 if (!Curve25519Supported()) {
8392 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8393 }
8394
8395 // Generate EC key in KeyMint (only access to public key material)
8396 EcCurve curve = EcCurve::CURVE_25519;
8397 EVP_PKEY_Ptr kmPubKey = nullptr;
8398 GenerateKeyMintEcKey(curve, &kmPubKey);
8399
8400 // Generate EC key on same curve locally (with access to private key material).
8401 EVP_PKEY_Ptr privKey;
8402 vector<uint8_t> encodedPublicKey;
8403 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
8404
8405 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
8406 string ZabFromKeyMintStr;
8407 // Send in an incomplete public key.
8408 ASSERT_NE(ErrorCode::OK, Finish(string(encodedPublicKey.begin(), encodedPublicKey.end() - 1),
8409 &ZabFromKeyMintStr));
8410
8411 CheckedDeleteKey();
8412}
8413
8414/*
8415 * KeyAgreementTest.EcdhCurve25519Mismatch
8416 *
8417 * Verifies that ECDH fails between curve25519 and other curves.
8418 */
8419TEST_P(KeyAgreementTest, EcdhCurve25519Mismatch) {
8420 if (!Curve25519Supported()) {
8421 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
8422 }
8423
8424 // Generate EC key in KeyMint (only access to public key material)
8425 EcCurve curve = EcCurve::CURVE_25519;
8426 EVP_PKEY_Ptr kmPubKey = nullptr;
8427 GenerateKeyMintEcKey(curve, &kmPubKey);
8428
8429 for (auto localCurve : ValidCurves()) {
David Drysdaleb97121d2022-08-12 11:54:08 +0100[diff] [blame]8430 SCOPED_TRACE(testing::Message() << "local-curve-" << localCurve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8431 if (localCurve == curve) {
8432 continue;
8433 }
8434 // Generate EC key on a different curve locally (with access to private key material).
8435 EVP_PKEY_Ptr privKey;
8436 vector<uint8_t> encodedPublicKey;
8437 GenerateLocalEcKey(localCurve, &privKey, &encodedPublicKey);
8438
David Drysdale7fc26b92022-05-13 09:54:24 +0100[diff] [blame]8439 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]8440 string ZabFromKeyMintStr;
8441 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
8442 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
8443 &ZabFromKeyMintStr));
8444 }
8445
8446 CheckedDeleteKey();
8447}
8448
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]8449INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
8450
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8451using DestroyAttestationIdsTest = KeyMintAidlTestBase;
8452
8453// This is a problematic test, as it can render the device under test permanently unusable.
8454// Re-enable and run at your own risk.
8455TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
8456 auto result = DestroyAttestationIds();
8457 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
8458}
8459
8460INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
8461
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8462using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8463
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8464/*
8465 * EarlyBootKeyTest.CreateEarlyBootKeys
8466 *
8467 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
8468 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8469TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8470 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8471 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8472 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8473 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8474 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8475 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8476 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8477
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8478 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
8479 ASSERT_GT(keyData.blob.size(), 0U);
8480 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8481 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8482 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8483}
8484
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8485/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8486 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
8487 *
8488 * Verifies that creating an early boot key with attestation succeeds.
8489 */
8490TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
8491 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
8492 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
8493 builder->AttestationChallenge("challenge");
8494 builder->AttestationApplicationId("app_id");
8495 });
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8496 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8497 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8498 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8499 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8500
8501 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]8502 // Strongbox may not support factory attestation. Key creation might fail with
8503 // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
8504 if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
8505 continue;
8506 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8507 ASSERT_GT(keyData.blob.size(), 0U);
8508 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
8509 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
8510 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]8511}
8512
8513/*
8514 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8515 *
8516 * Verifies that using early boot keys at a later stage fails.
8517 */
8518TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
8519 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
8520 .Authorization(TAG_NO_AUTH_REQUIRED)
8521 .Authorization(TAG_EARLY_BOOT_ONLY)
8522 .HmacKey(128)
8523 .Digest(Digest::SHA_2_256)
8524 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
8525 AuthorizationSet output_params;
8526 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
8527 AuthorizationSetBuilder()
8528 .Digest(Digest::SHA_2_256)
8529 .Authorization(TAG_MAC_LENGTH, 256),
8530 &output_params));
8531}
8532
8533/*
8534 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
8535 *
8536 * Verifies that importing early boot keys fails.
8537 */
8538TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
8539 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
8540 .Authorization(TAG_NO_AUTH_REQUIRED)
8541 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]8542 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]8543 .Digest(Digest::SHA_2_256)
8544 .SetDefaultValidity(),
8545 KeyFormat::PKCS8, ec_256_key));
8546}
8547
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8548// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8549// boot stage, which no proper Android device is by the time we can run VTS. To use this,
8550// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
8551// early boot, so you'll have to reboot between runs.
8552TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
8553 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8554 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8555 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8556 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8557 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8558 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
8559
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8560 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
8561 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8562 EXPECT_TRUE(
8563 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8564 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8565 EXPECT_TRUE(
8566 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
8567
8568 // Should be able to use keys, since early boot has not ended
8569 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8570 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8571 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8572 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8573
8574 // End early boot
8575 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
8576 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
8577
8578 // Should not be able to use already-created keys.
8579 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
8580 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
8581 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
8582 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
8583
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8584 // Should not be able to create new keys
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8585 auto [aesKeyData2, hmacKeyData2, rsaKeyData2, ecdsaKeyData2] =
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8586 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8587 KeyBlobDeleter aes_deleter2(keymint_, aesKeyData2.blob);
8588 KeyBlobDeleter hmac_deleter2(keymint_, hmacKeyData2.blob);
8589 KeyBlobDeleter rsa_deleter2(keymint_, rsaKeyData2.blob);
8590 KeyBlobDeleter ecdsa_deleter2(keymint_, ecdsaKeyData2.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8591}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8592
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8593INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
8594
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8595using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8596
8597// This may be a problematic test. It can't be run repeatedly without unlocking the device in
8598// between runs... and on most test devices there are no enrolled credentials so it can't be
8599// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
8600// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
8601// a manual test process, which includes unlocking between runs, which is why it's included here.
8602// Well, that and the fact that it's the only test we can do without also making calls into the
8603// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
8604// implications might be, so that may or may not be a solution.
8605TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
8606 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
8607 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
David Drysdale1b9febc2023-06-07 13:43:24 +0100[diff] [blame]8608 KeyBlobDeleter aes_deleter(keymint_, aesKeyData.blob);
8609 KeyBlobDeleter hmac_deleter(keymint_, hmacKeyData.blob);
8610 KeyBlobDeleter rsa_deleter(keymint_, rsaKeyData.blob);
8611 KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8612
8613 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
8614 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
8615 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
8616 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
8617
8618 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]8619 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8620 ASSERT_EQ(ErrorCode::OK, rc);
8621 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
8622 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
8623 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
8624 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8625}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8626
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8627INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
8628
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8629using VsrRequirementTest = KeyMintAidlTestBase;
8630
8631TEST_P(VsrRequirementTest, Vsr13Test) {
8632 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8633 if (vsr_api_level < __ANDROID_API_T__) {
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8634 GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
8635 }
8636 EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
8637}
8638
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8639TEST_P(VsrRequirementTest, Vsr14Test) {
8640 int vsr_api_level = get_vsr_api_level();
Shawn Willden1a545db2023-02-22 14:32:33 -0700[diff] [blame]8641 if (vsr_api_level < __ANDROID_API_U__) {
Eran Messerib9346f52022-12-15 14:58:34 +0000[diff] [blame]8642 GTEST_SKIP() << "Applies only to VSR API level 34, this device is: " << vsr_api_level;
8643 }
8644 EXPECT_GE(AidlVersion(), 3) << "VSR 14+ requires KeyMint version 3";
8645}
8646
Shawn Willden22fb9c12022-06-02 14:04:33 -0600[diff] [blame]8647INSTANTIATE_KEYMINT_AIDL_TEST(VsrRequirementTest);
8648
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8649} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8650
8651int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8652 std::cout << "Testing ";
8653 auto halInstances =
8654 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
8655 std::cout << "HAL instances:\n";
8656 for (auto& entry : halInstances) {
8657 std::cout << " " << entry << '\n';
8658 }
8659
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8660 ::testing::InitGoogleTest(&argc, argv);
8661 for (int i = 1; i < argc; ++i) {
8662 if (argv[i][0] == '-') {
8663 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8664 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8665 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8666 }
8667 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8668 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8669 dump_Attestations = true;
8670 } else {
8671 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8672 }
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]8673 if (std::string(argv[i]) == "--skip_boot_pl_check") {
8674 // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
8675 // be run in emulated environments that don't have the normal bootloader
8676 // interactions.
8677 aidl::android::hardware::security::keymint::test::check_boot_pl = false;
8678 }
David Drysdale9f5c0c52022-11-03 15:10:16 +0000[diff] [blame]8679 if (std::string(argv[i]) == "--keyblob_dir") {
8680 if (i + 1 >= argc) {
8681 std::cerr << "Missing argument for --keyblob_dir\n";
8682 return 1;
8683 }
8684 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::keyblob_dir =
8685 std::string(argv[i + 1]);
8686 ++i;
8687 }
Tommy Chiu025f3c52023-05-15 06:23:44 +0000[diff] [blame]8688 if (std::string(argv[i]) == "--expect_upgrade") {
8689 if (i + 1 >= argc) {
8690 std::cerr << "Missing argument for --expect_upgrade\n";
8691 return 1;
8692 }
8693 std::string arg = argv[i + 1];
8694 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8695 expect_upgrade =
8696 arg == "yes"
8697 ? true
8698 : (arg == "no" ? false : std::optional<bool>(std::nullopt));
8699 ++i;
8700 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8701 }
8702 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]8703 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8704}