Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 812a9d10f94ae13557c46d87e4ce54efc58c26eb / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 7ec68e37a95804ccc3b96b5e0d22ca8933da7fc1 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
24
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]25#include <openssl/curve25519.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27#include <openssl/evp.h>
28#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]29#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]30
31#include <cutils/properties.h>
32
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]33#include <android/binder_manager.h>
34
35#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]36#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]37
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]38#include <keymint_support/key_param_output.h>
39#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]40
41#include "KeyMintAidlTestBase.h"
42
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]43using aidl::android::hardware::security::keymint::AuthorizationSet;
44using aidl::android::hardware::security::keymint::KeyCharacteristics;
45using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]46
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47namespace std {
48
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]49using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]50
51template <>
52struct std::equal_to<KeyCharacteristics> {
53 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]54 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]55
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]56 // this isn't very efficient. Oh, well.
57 AuthorizationSet a_auths(a.authorizations);
58 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]59
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]60 a_auths.Sort();
61 b_auths.Sort();
62
63 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]64 }
65};
66
67} // namespace std
68
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]69namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]70
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]71namespace {
72
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]73// Maximum supported Ed25519 message size.
74const size_t MAX_ED25519_MSG_SIZE = 16 * 1024;
75
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]76// Whether to check that BOOT_PATCHLEVEL is populated.
77bool check_boot_pl = true;
78
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]79// The maximum number of times we'll attempt to verify that corruption
David Drysdale4c1f6ac2021-11-25 16:08:29 +0000[diff] [blame]80// of an encrypted blob results in an error. Retries are necessary as there
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]81// is a small (roughly 1/256) chance that corrupting ciphertext still results
82// in valid PKCS7 padding.
83constexpr size_t kMaxPaddingCorruptionRetries = 8;
84
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]85template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]86bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
87 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]88 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]89 if (auto p = authorizationValue(ttag, param)) {
90 return *p == expected_value;
91 }
92 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]93 });
94 return (it != set.end());
95}
96
97template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]98bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]99 auto it = std::find_if(set.begin(), set.end(),
100 [&](const KeyParameter& param) { return param.tag == tag; });
101 return (it != set.end());
102}
103
104constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
108 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
109 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
110 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
111 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
112 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
113 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
114 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
115 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
116 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
117 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
119 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
120
121string hex2str(string a) {
122 string b;
123 size_t num = a.size() / 2;
124 b.resize(num);
125 for (size_t i = 0; i < num; i++) {
126 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
127 }
128 return b;
129}
130
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]131string rsa_key = hex2str(
132 // RFC 5208 s5
133 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
134 "020100" // INTEGER length 1 value 0x00 (version)
135 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
136 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
137 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
138 "0500" // NULL (parameters)
139 // } end SEQUENCE (AlgorithmIdentifier)
140 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
141 // RFC 8017 A.1.2
142 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
143 "020100" // INTEGER length 1 value 0x00 (version)
144 "028181" // INTEGER length 0x81 value (modulus) ...
145 "00c6095409047d8634812d5a218176e4"
146 "5c41d60a75b13901f234226cffe77652"
147 "1c5a77b9e389417b71c0b6a44d13afe4"
148 "e4a2805d46c9da2935adb1ff0c1f24ea"
149 "06e62b20d776430a4d435157233c6f91"
150 "6783c30e310fcbd89b85c2d567711697"
151 "85ac12bca244abda72bfb19fc44d27c8"
152 "1e1d92de284f4061edfd99280745ea6d"
153 "25"
154 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
155 "028180" // INTEGER length 0x80 (privateExponent) value...
156 "1be0f04d9cae3718691f035338308e91"
157 "564b55899ffb5084d2460e6630257e05"
158 "b3ceab02972dfabcd6ce5f6ee2589eb6"
159 "7911ed0fac16e43a444b8c861e544a05"
160 "93365772f8baf6b22fc9e3c5f1024b06"
161 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
162 "ace7240290bef16c0b3f7f3cdd64ce3a"
163 "b5912cf6e32f39ab188358afcccd8081"
164 "0241" // INTEGER length 0x41 (prime1)
165 "00e4b49ef50f765d3b24dde01aceaaf1"
166 "30f2c76670a91a61ae08af497b4a82be"
167 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
168 "8c92bfab137fba2285227b83c342ff7c"
169 "55"
170 "0241" // INTEGER length 0x41 (prime2)
171 "00ddabb5839c4c7f6bf3d4183231f005"
172 "b31aa58affdda5c79e4cce217f6bc930"
173 "dbe563d480706c24e9ebfcab28a6cdef"
174 "d324b77e1bf7251b709092c24ff501fd"
175 "91"
176 "0240" // INTEGER length 0x40 (exponent1)
177 "23d4340eda3445d8cd26c14411da6fdc"
178 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
179 "842c1d280405bc2f6c1bea214a1d742a"
180 "b996b35b63a82a5e470fa88dbf823cdd"
181 "0240" // INTEGER length 0x40 (exponent2)
182 "1b7b57449ad30d1518249a5f56bb9829"
183 "4d4b6ac12ffc86940497a5a5837a6cf9"
184 "46262b494526d328c11e1126380fde04"
185 "c24f916dec250892db09a6d77cdba351"
186 "0240" // INTEGER length 0x40 (coefficient)
187 "7762cd8f4d050da56bd591adb515d24d"
188 "7ccd32cca0d05f866d583514bd7324d5"
189 "f33645e8ed8b4a1cb3cc4a1d67987399"
190 "f2a09f5b3fb68c88d5e5d90ac33492d6"
191 // } end SEQUENCE (PrivateKey)
192 // } end SEQUENCE (PrivateKeyInfo)
193);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]194
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]195/*
196 * DER-encoded PKCS#8 format RSA key. Generated using:
197 *
198 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
199 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]200string rsa_2048_key = hex2str(
201 // RFC 5208 s5
202 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
203 "020100" // INTEGER length 1 value 0x00 (version)
204 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
205 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
206 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
207 "0500" // NULL (parameters)
208 // } end SEQUENCE (AlgorithmIdentifier)
209 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
210 // RFC 8017 A.1.2
211 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
212 "020100" // INTEGER length 1 value 0x00 (version)
213 "02820101" // INTEGER length 0x101 value (modulus) ...
214 "00BEBC342B56D443B1299F9A6A7056E8"
215 "0A897E318476A5A18029E63B2ED739A6"
216 "1791D339F58DC763D9D14911F2EDEC38"
217 "3DEE11F6319B44510E7A3ECD9B79B973"
218 "82E49500ACF8117DC89CAF0E621F7775"
219 "6554A2FD4664BFE7AB8B59AB48340DBF"
220 "A27B93B5A81F6ECDEB02D0759307128D"
221 "F3E3BAD4055C8B840216DFAA5700670E"
222 "6C5126F0962FCB70FF308F25049164CC"
223 "F76CC2DA66A7DD9A81A714C2809D6918"
224 "6133D29D84568E892B6FFBF3199BDB14"
225 "383EE224407F190358F111A949552ABA"
226 "6714227D1BD7F6B20DD0CB88F9467B71"
227 "9339F33BFF35B3870B3F62204E4286B0"
228 "948EA348B524544B5F9838F29EE643B0"
229 "79EEF8A713B220D7806924CDF7295070"
230 "C5"
231 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
232 "02820100" // INTEGER length 0x100 (privateExponent) value...
233 "69F377F35F2F584EF075353CCD1CA997"
234 "38DB3DBC7C7FF35F9366CE176DFD1B13"
235 "5AB10030344ABF5FBECF1D4659FDEF1C"
236 "0FC430834BE1BE3911951377BB3D563A"
237 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
238 "2686C7B4B3C09A7B8354133E6F93F790"
239 "D59EAEB92E84C9A4339302CCE28FDF04"
240 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
241 "6AB706645BF074A4E4090D06FB163124"
242 "365FD5EE7A20D350E9958CC30D91326E"
243 "1B292E9EF5DB408EC42DAF737D201497"
244 "04D0A678A0FB5B5446863B099228A352"
245 "D604BA8091A164D01D5AB05397C71EAD"
246 "20BE2A08FC528FE442817809C787FEE4"
247 "AB97F97B9130D022153EDC6EB6CBE7B0"
248 "F8E3473F2E901209B5DB10F93604DB01"
249 "028181" // INTEGER length 0x81 (prime1)
250 "00E83C0998214941EA4F9293F1B77E2E"
251 "99E6CF305FAF358238E126124FEAF2EB"
252 "9724B2EA7B78E6032343821A80E55D1D"
253 "88FB12D220C3F41A56142FEC85796D19"
254 "17F1E8C774F142B67D3D6E7B7E6B4383"
255 "E94DB5929089DBB346D5BDAB40CC2D96"
256 "EE0409475E175C63BF78CFD744136740"
257 "838127EA723FF3FE7FA368C1311B4A4E"
258 "05"
259 "028181" // INTEGER length 0x81 (prime2)
260 "00D240FCC0F5D7715CDE21CB2DC86EA1"
261 "46132EA3B06F61FF2AF54BF38473F59D"
262 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
263 "B1B58C39F95E4798CCBB43E83D0119AC"
264 "F532F359CA743C85199F0286610E2009"
265 "97D7312917179AC9B67558773212EC96"
266 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
267 "94D94E066A0900B7B70E82A44FB30053"
268 "C1"
269 "028181" // INTEGER length 0x81 (exponent1)
270 "00AD15DA1CBD6A492B66851BA8C316D3"
271 "8AB700E2CFDDD926A658003513C54BAA"
272 "152B30021D667D20078F500F8AD3E7F3"
273 "945D74A891ED1A28EAD0FEEAEC8C14A8"
274 "E834CF46A13D1378C99D18940823CFDD"
275 "27EC5810D59339E0C34198AC638E09C8"
276 "7CBB1B634A9864AE9F4D5EB2D53514F6"
277 "7B4CAEC048C8AB849A02E397618F3271"
278 "35"
279 "028180" // INTEGER length 0x80 (exponent2)
280 "1FA2C1A5331880A92D8F3E281C617108"
281 "BF38244F16E352E69ED417C7153F9EC3"
282 "18F211839C643DCF8B4DD67CE2AC312E"
283 "95178D5D952F06B1BF779F4916924B70"
284 "F582A23F11304E02A5E7565AE22A35E7"
285 "4FECC8B6FDC93F92A1A37703E4CF0E63"
286 "783BD02EB716A7ECBBFA606B10B74D01"
287 "579522E7EF84D91FC522292108D902C1"
288 "028180" // INTEGER length 0x80 (coefficient)
289 "796FE3825F9DCC85DF22D58690065D93"
290 "898ACD65C087BEA8DA3A63BF4549B795"
291 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
292 "0D74F40DED8E1102C52152A31B6165F8"
293 "3A6722AECFCC35A493D7634664B888A0"
294 "8D3EB034F12EA28BFEE346E205D33482"
295 "7F778B16ED40872BD29FCB36536B6E93"
296 "FFB06778696B4A9D81BB0A9423E63DE5"
297 // } end SEQUENCE (PrivateKey)
298 // } end SEQUENCE (PrivateKeyInfo)
299);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]300
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]301string ec_256_key = hex2str(
302 // RFC 5208 s5
303 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
304 "020100" // INTEGER length 1 value 0 (version)
305 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
306 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
307 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
308 "0608" // OBJECT IDENTIFIER length 8 (param)
309 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
310 // } end SEQUENCE (AlgorithmIdentifier)
311 "046d" // OCTET STRING length 0x6d (privateKey) holding...
312 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
313 "020101" // INTEGER length 1 value 1 (version)
314 "0420" // OCTET STRING length 0x20 (privateKey)
315 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
316 "941eed09366bc03299986481f3a4d859"
317 "a144" // TAG [1] len 0x44 (publicKey) {
318 "03420004bf85d7720d07c25461683bc6"
319 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
320 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
321 "bcc41c6eb00083cf3376d11fd44949e0"
322 "b2183bfe"
323 // } end SEQUENCE (ECPrivateKey)
324 // } end SEQUENCE (PrivateKeyInfo)
325);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]326
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]327string ec_521_key = hex2str(
328 // RFC 5208 s5
329 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
330 "020100" // INTEGER length 1 value 0 (version)
331 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
332 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
333 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
334 "0605" // OBJECT IDENTIFIER length 5 (param)
335 "2B81040023" // 1.3.132.0.35 (secp521r1)
336 // } end SEQUENCE (AlgorithmIdentifier)
337 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
338 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
339 "020101" // INTEGER length 1 value 1 (version)
340 "0442" // OCTET STRING length 0x42 (privateKey)
341 "0011458C586DB5DAA92AFAB03F4FE46A"
342 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
343 "9D18D7D08B5BCFA0E53C75B064AD51C4"
344 "49BAE0258D54B94B1E885DED08ED4FB2"
345 "5CE9"
346 "A18189" // TAG [1] len 0x89 (publicKey) {
347 "03818600040149EC11C6DF0FA122C6A9"
348 "AFD9754A4FA9513A627CA329E349535A"
349 "5629875A8ADFBE27DCB932C051986377"
350 "108D054C28C6F39B6F2C9AF81802F9F3"
351 "26B842FF2E5F3C00AB7635CFB36157FC"
352 "0882D574A10D839C1A0C049DC5E0D775"
353 "E2EE50671A208431BB45E78E70BEFE93"
354 "0DB34818EE4D5C26259F5C6B8E28A652"
355 "950F9F88D7B4B2C9D9"
356 // } end SEQUENCE (ECPrivateKey)
357 // } end SEQUENCE (PrivateKeyInfo)
358);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]359
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]360string ec_256_key_rfc5915 = hex2str(
361 // RFC 5208 s5
362 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
363 "020100" // INTEGER length 1 value 0 (version)
364 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
365 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
366 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
367 "0608" // OBJECT IDENTIFIER length 8 (param)
368 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
369 // } end SEQUENCE (AlgorithmIdentifier)
370 "0479" // OCTET STRING length 0x79 (privateKey) holding...
371 // RFC 5915 s3
372 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
373 "020101" // INTEGER length 1 value 1 (version)
374 "0420" // OCTET STRING length 0x42 (privateKey)
375 "782370a8c8ce5537baadd04dcff079c8"
376 "158cfa9c67b818b38e8d21c9fa750c1d"
377 "a00a" // TAG [0] length 0xa (parameters)
378 "0608" // OBJECT IDENTIFIER length 8
379 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
380 // } end TAG [0]
381 "a144" // TAG [1] length 0x44 (publicKey) {
382 "0342" // BIT STRING length 0x42
383 "00" // no pad bits
384 "04e2cc561ee701da0ad0ef0d176bb0c9"
385 "19d42e79c393fdc1bd6c4010d85cf2cf"
386 "8e68c905464666f98dad4f01573ba810"
387 "78b3428570a439ba3229fbc026c55068"
388 "2f"
389 // } end SEQUENCE (ECPrivateKey)
390 // } end SEQUENCE (PrivateKeyInfo)
391);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]392
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]393string ec_256_key_sec1 = hex2str(
394 // RFC 5208 s5
395 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
396 "020100" // INTEGER length 1 value 0 (version)
397 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
398 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
399 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
400 "0608" // OBJECT IDENTIFIER length 8 (param)
401 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
402 // } end SEQUENCE (AlgorithmIdentifier)
403 "046d" // OCTET STRING length 0x6d (privateKey) holding...
404 // SEC1-v2 C.4
405 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
406 "020101" // INTEGER length 1 value 0x01 (version)
407 "0420" // OCTET STRING length 0x20 (privateKey)
408 "782370a8c8ce5537baadd04dcff079c8"
409 "158cfa9c67b818b38e8d21c9fa750c1d"
410 "a144" // TAG [1] length 0x44 (publicKey) {
411 "0342" // BIT STRING length 0x42
412 "00" // no pad bits
413 "04e2cc561ee701da0ad0ef0d176bb0c9"
414 "19d42e79c393fdc1bd6c4010d85cf2cf"
415 "8e68c905464666f98dad4f01573ba810"
416 "78b3428570a439ba3229fbc026c55068"
417 "2f"
418 // } end TAG [1] (publicKey)
419 // } end SEQUENCE (PrivateKeyInfo)
420);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]421
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]422/**
423 * Ed25519 key pair generated as follows:
424 * ```
425 * % openssl req -x509 -newkey ED25519 -days 700 -nodes \
426 * -keyout ed25519_priv.key -out ed25519.pem * -subj "/CN=fake.ed25519.com"
427 * Generating a ED25519 private key writing new private key to
428 * 'ed25519_priv.key'
429 * -----
430 * % cat ed25519_priv.key
431 * -----BEGIN PRIVATE KEY-----
432 * MC4CAQAwBQYDK2VwBCIEIKl3A5quNywcj1P+0XI9SBalFPIvO52NxceMLRH6dVmR
433 * -----END PRIVATE KEY-----
434 * % der2ascii -pem -i ed25519_priv.key
435 * SEQUENCE {
436 * INTEGER { 0 }
437 * SEQUENCE {
438 * # ed25519
439 * OBJECT_IDENTIFIER { 1.3.101.112 }
440 * }
441 * OCTET_STRING {
442 * OCTET_STRING { `a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991` }
443 * }
444 * }
445 * % cat ed25519.pem
446 * -----BEGIN CERTIFICATE-----
447 * MIIBSjCB/aADAgECAhR0Jron3eKcdgqyecv/eEfGWAzn8DAFBgMrZXAwGzEZMBcG
448 * A1UEAwwQZmFrZS5lZDI1NTE5LmNvbTAeFw0yMTEwMjAwODI3NDJaFw0yMzA5MjAw
449 * ODI3NDJaMBsxGTAXBgNVBAMMEGZha2UuZWQyNTUxOS5jb20wKjAFBgMrZXADIQDv
450 * uwHz+3TaQ69D2digxlz0fFfsZg0rPqgQae3jBPRWkaNTMFEwHQYDVR0OBBYEFN9O
451 * od30SY4JTs66ZR403UPya+iXMB8GA1UdIwQYMBaAFN9Ood30SY4JTs66ZR403UPy
452 * a+iXMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAKjVrYQjuE/gEL2j/ABpDbFjV
453 * Ilg5tJ6MN/P3psAv3Cs7f0X1lFqdlt15nJ/6aj2cmGCwNRXt5wcyYDKNu+v2Dw==
454 * -----END CERTIFICATE-----
455 * % openssl x509 -in ed25519.pem -text -noout
456 * Certificate:
457 * Data:
458 * Version: 3 (0x2)
459 * Serial Number:
460 * 74:26:ba:27:dd:e2:9c:76:0a:b2:79:cb:ff:78:47:c6:58:0c:e7:f0
461 * Signature Algorithm: ED25519
462 * Issuer: CN = fake.ed25519.com
463 * Validity
464 * Not Before: Oct 20 08:27:42 2021 GMT
465 * Not After : Sep 20 08:27:42 2023 GMT
466 * Subject: CN = fake.ed25519.com
467 * Subject Public Key Info:
468 * Public Key Algorithm: ED25519
469 * ED25519 Public-Key:
470 * pub:
471 * ef:bb:01:f3:fb:74:da:43:af:43:d9:d8:a0:c6:5c:
472 * f4:7c:57:ec:66:0d:2b:3e:a8:10:69:ed:e3:04:f4:
473 * 56:91
474 * X509v3 extensions:
475 * X509v3 Subject Key Identifier:
476 * DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
477 * X509v3 Authority Key Identifier:
478 * keyid:DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
479 *
480 * X509v3 Basic Constraints: critical
481 * CA:TRUE
482 * Signature Algorithm: ED25519
483 * 2a:35:6b:61:08:ee:13:f8:04:2f:68:ff:00:1a:43:6c:58:d5:
484 * 22:58:39:b4:9e:8c:37:f3:f7:a6:c0:2f:dc:2b:3b:7f:45:f5:
485 * 94:5a:9d:96:dd:79:9c:9f:fa:6a:3d:9c:98:60:b0:35:15:ed:
486 * e7:07:32:60:32:8d:bb:eb:f6:0f
487 * ```
488 */
489string ed25519_key = hex2str("a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991");
490string ed25519_pkcs8_key = hex2str(
491 // RFC 5208 s5
492 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
493 "0201" // INTEGER length 1 (Version)
494 "00" // version 0
495 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
496 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
497 "2b6570" // 1.3.101.112 (id-Ed125519 RFC 8410 s3)
498 // } end SEQUENCE (AlgorithmIdentifier)
499 "0422" // OCTET STRING length 0x22 (PrivateKey)
500 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
501 "a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991"
502 // } end SEQUENCE (PrivateKeyInfo)
503);
504string ed25519_pubkey = hex2str("efbb01f3fb74da43af43d9d8a0c65cf47c57ec660d2b3ea81069ede304f45691");
505
506/**
507 * X25519 key pair generated as follows:
508 * ```
509 * % openssl genpkey -algorithm X25519 > x25519_priv.key
510 * % cat x25519_priv.key
511 * -----BEGIN PRIVATE KEY-----
512 * MC4CAQAwBQYDK2VuBCIEIGgPwF3NLwQx/Sfwr2nfJvXitwlDNh3Skzh+TISN/y1C
513 * -----END PRIVATE KEY-----
514 * % der2ascii -pem -i x25519_priv.key
515 * SEQUENCE {
516 * INTEGER { 0 }
517 * SEQUENCE {
518 * # x25519
519 * OBJECT_IDENTIFIER { 1.3.101.110 }
520 * }
521 * OCTET_STRING {
522 * OCTET_STRING { `680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42` }
523 * }
524 * }
525 * ```
526 */
527
528string x25519_key = hex2str("680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
529string x25519_pkcs8_key = hex2str(
530 // RFC 5208 s5
531 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
532 "0201" // INTEGER length 1 (Version)
533 "00" // version 0
534 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
535 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
536 "2b656e" // 1.3.101.110 (id-X125519 RFC 8410 s3)
537 "0422" // OCTET STRING length 0x22 (PrivateKey)
538 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
539 "680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
540string x25519_pubkey = hex2str("be46925a857f17831d6d454b9d3d36a4a30166edf80eb82b684661c3e258f768");
541
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]542struct RSA_Delete {
543 void operator()(RSA* p) { RSA_free(p); }
544};
545
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]546std::string make_string(const uint8_t* data, size_t length) {
547 return std::string(reinterpret_cast<const char*>(data), length);
548}
549
550template <size_t N>
551std::string make_string(const uint8_t (&a)[N]) {
552 return make_string(a, N);
553}
554
555class AidlBuf : public vector<uint8_t> {
556 typedef vector<uint8_t> super;
557
558 public:
559 AidlBuf() {}
560 AidlBuf(const super& other) : super(other) {}
561 AidlBuf(super&& other) : super(std::move(other)) {}
562 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
563
564 AidlBuf& operator=(const super& other) {
565 super::operator=(other);
566 return *this;
567 }
568
569 AidlBuf& operator=(super&& other) {
570 super::operator=(std::move(other));
571 return *this;
572 }
573
574 AidlBuf& operator=(const string& other) {
575 resize(other.size());
576 for (size_t i = 0; i < other.size(); ++i) {
577 (*this)[i] = static_cast<uint8_t>(other[i]);
578 }
579 return *this;
580 }
581
582 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
583};
584
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]585string device_suffix(const string& name) {
586 size_t pos = name.find('/');
587 if (pos == string::npos) {
588 return name;
589 }
590 return name.substr(pos + 1);
591}
592
593bool matching_rp_instance(const string& km_name,
594 std::shared_ptr<IRemotelyProvisionedComponent>* rp) {
595 string km_suffix = device_suffix(km_name);
596
597 vector<string> rp_names =
598 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
599 for (const string& rp_name : rp_names) {
600 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
601 // KeyMint instance, assume they match.
602 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
603 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
604 *rp = IRemotelyProvisionedComponent::fromBinder(binder);
605 return true;
606 }
607 }
608 return false;
609}
610
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]611} // namespace
612
613class NewKeyGenerationTest : public KeyMintAidlTestBase {
614 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]615 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]616 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]617 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]618
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]619 // Check that some unexpected tags/values are NOT present.
620 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
621 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]622 }
623
624 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]625 AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]626 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
627 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
628
629 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]630 }
631
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]632 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics,
633 const KeyOrigin expectedKeyOrigin) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]634 // TODO(swillden): Distinguish which params should be in which auth list.
635 AuthorizationSet auths;
636 for (auto& entry : keyCharacteristics) {
637 auths.push_back(AuthorizationSet(entry.authorizations));
638 }
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]639 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, expectedKeyOrigin));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]640
641 // Verify that App data, ROT and auth timeout are NOT included.
642 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
643 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]644 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
645
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]646 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
647 // never adds it.
648 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
649
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]650 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]651 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]652 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]653 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]654 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]655 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]656 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]657
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]658 // Should include vendor patchlevel.
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]659 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
660 EXPECT_TRUE(vendor_pl);
661 EXPECT_EQ(*vendor_pl, vendor_patch_level());
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]662
663 // Should include boot patchlevel (but there are some test scenarios where this is not
664 // possible).
665 if (check_boot_pl) {
666 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
667 EXPECT_TRUE(boot_pl);
668 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]669
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]670 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]671 }
672};
673
674/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]675 * NewKeyGenerationTest.Aes
676 *
677 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
678 * have correct characteristics.
679 */
680TEST_P(NewKeyGenerationTest, Aes) {
681 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
682 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
683 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
684 SCOPED_TRACE(testing::Message()
685 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
686 vector<uint8_t> key_blob;
687 vector<KeyCharacteristics> key_characteristics;
688 auto builder = AuthorizationSetBuilder()
689 .AesEncryptionKey(key_size)
690 .BlockMode(block_mode)
691 .Padding(padding_mode)
692 .SetDefaultValidity();
693 if (block_mode == BlockMode::GCM) {
694 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
695 }
696 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
697
698 EXPECT_GT(key_blob.size(), 0U);
699 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]700 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]701
702 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
703
704 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
705 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
706 << "Key size " << key_size << "missing";
707
708 CheckedDeleteKey(&key_blob);
709 }
710 }
711 }
712}
713
714/*
715 * NewKeyGenerationTest.AesInvalidSize
716 *
717 * Verifies that specifying an invalid key size for AES key generation returns
718 * UNSUPPORTED_KEY_SIZE.
719 */
720TEST_P(NewKeyGenerationTest, AesInvalidSize) {
721 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
722 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
723 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
724 SCOPED_TRACE(testing::Message()
725 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
726 vector<uint8_t> key_blob;
727 vector<KeyCharacteristics> key_characteristics;
728 auto builder = AuthorizationSetBuilder()
729 .AesEncryptionKey(key_size)
730 .BlockMode(block_mode)
731 .Padding(padding_mode)
732 .SetDefaultValidity();
733 if (block_mode == BlockMode::GCM) {
734 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
735 }
736 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
737 GenerateKey(builder, &key_blob, &key_characteristics));
738 }
739 }
740 }
741
742 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
743 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
744 vector<uint8_t> key_blob;
745 vector<KeyCharacteristics> key_characteristics;
746 // No key size specified
747 auto builder = AuthorizationSetBuilder()
748 .Authorization(TAG_ALGORITHM, Algorithm::AES)
749 .BlockMode(block_mode)
750 .Padding(padding_mode)
751 .SetDefaultValidity();
752 if (block_mode == BlockMode::GCM) {
753 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
754 }
755 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
756 GenerateKey(builder, &key_blob, &key_characteristics));
757 }
758 }
759}
760
761/*
762 * NewKeyGenerationTest.AesInvalidPadding
763 *
764 * Verifies that specifying an invalid padding on AES keys gives a failure
765 * somewhere along the way.
766 */
767TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
768 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
769 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
770 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
771 SCOPED_TRACE(testing::Message()
772 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]773 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]774 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]775 .AesEncryptionKey(key_size)
776 .BlockMode(block_mode)
777 .Padding(padding_mode)
778 .SetDefaultValidity();
779 if (block_mode == BlockMode::GCM) {
780 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
781 }
782
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]783 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]784 if (result == ErrorCode::OK) {
785 // Key creation was OK but has generated a key that cannot be used.
786 auto params =
787 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]788 if (block_mode == BlockMode::GCM) {
789 params.Authorization(TAG_MAC_LENGTH, 128);
790 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]791 auto result = Begin(KeyPurpose::ENCRYPT, params);
792 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]793 result == ErrorCode::INVALID_KEY_BLOB)
794 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]795 } else {
796 // The KeyMint implementation detected that the generated key
797 // is unusable.
798 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
799 }
800 }
801 }
802 }
803}
804
805/*
806 * NewKeyGenerationTest.AesGcmMissingMinMac
807 *
808 * Verifies that specifying an invalid key size for AES key generation returns
809 * UNSUPPORTED_KEY_SIZE.
810 */
811TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
812 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
813 BlockMode block_mode = BlockMode::GCM;
814 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
815 SCOPED_TRACE(testing::Message()
816 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
817 vector<uint8_t> key_blob;
818 vector<KeyCharacteristics> key_characteristics;
819 // No MIN_MAC_LENGTH provided.
820 auto builder = AuthorizationSetBuilder()
821 .AesEncryptionKey(key_size)
822 .BlockMode(block_mode)
823 .Padding(padding_mode)
824 .SetDefaultValidity();
825 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
826 GenerateKey(builder, &key_blob, &key_characteristics));
827 }
828 }
829}
830
831/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]832 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
833 *
834 * Verifies that specifying an invalid min MAC size for AES key generation returns
835 * UNSUPPORTED_MIN_MAC_LENGTH.
836 */
837TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
838 for (size_t min_mac_len : {88, 136}) {
839 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
840 BlockMode block_mode = BlockMode::GCM;
841 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
842 SCOPED_TRACE(testing::Message()
843 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
844 vector<uint8_t> key_blob;
845 vector<KeyCharacteristics> key_characteristics;
846 auto builder = AuthorizationSetBuilder()
847 .AesEncryptionKey(key_size)
848 .BlockMode(block_mode)
849 .Padding(padding_mode)
850 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
851 .SetDefaultValidity();
852 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
853 GenerateKey(builder, &key_blob, &key_characteristics));
854 }
855 }
856 }
857}
858
859/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]860 * NewKeyGenerationTest.TripleDes
861 *
862 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
863 * have correct characteristics.
864 */
865TEST_P(NewKeyGenerationTest, TripleDes) {
866 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
867 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
868 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
869 SCOPED_TRACE(testing::Message()
870 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
871 vector<uint8_t> key_blob;
872 vector<KeyCharacteristics> key_characteristics;
873 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
874 .TripleDesEncryptionKey(key_size)
875 .BlockMode(block_mode)
876 .Padding(padding_mode)
877 .Authorization(TAG_NO_AUTH_REQUIRED)
878 .SetDefaultValidity(),
879 &key_blob, &key_characteristics));
880
881 EXPECT_GT(key_blob.size(), 0U);
882 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]883 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]884
885 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
886
887 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
888 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
889 << "Key size " << key_size << "missing";
890
891 CheckedDeleteKey(&key_blob);
892 }
893 }
894 }
895}
896
897/*
898 * NewKeyGenerationTest.TripleDesWithAttestation
899 *
900 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
901 * have correct characteristics.
902 *
903 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
904 * put in a certificate) but which isn't an error.
905 */
906TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
907 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
908 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
909 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
910 SCOPED_TRACE(testing::Message()
911 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
912
913 auto challenge = "hello";
914 auto app_id = "foo";
915
916 vector<uint8_t> key_blob;
917 vector<KeyCharacteristics> key_characteristics;
918 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
919 .TripleDesEncryptionKey(key_size)
920 .BlockMode(block_mode)
921 .Padding(padding_mode)
922 .Authorization(TAG_NO_AUTH_REQUIRED)
923 .AttestationChallenge(challenge)
924 .AttestationApplicationId(app_id)
925 .SetDefaultValidity(),
926 &key_blob, &key_characteristics));
927
928 EXPECT_GT(key_blob.size(), 0U);
929 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]930 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]931
932 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
933
934 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
935 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
936 << "Key size " << key_size << "missing";
937
938 CheckedDeleteKey(&key_blob);
939 }
940 }
941 }
942}
943
944/*
945 * NewKeyGenerationTest.TripleDesInvalidSize
946 *
947 * Verifies that specifying an invalid key size for 3-DES key generation returns
948 * UNSUPPORTED_KEY_SIZE.
949 */
950TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
951 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
952 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
953 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
954 SCOPED_TRACE(testing::Message()
955 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
956 vector<uint8_t> key_blob;
957 vector<KeyCharacteristics> key_characteristics;
958 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
959 GenerateKey(AuthorizationSetBuilder()
960 .TripleDesEncryptionKey(key_size)
961 .BlockMode(block_mode)
962 .Padding(padding_mode)
963 .Authorization(TAG_NO_AUTH_REQUIRED)
964 .SetDefaultValidity(),
965 &key_blob, &key_characteristics));
966 }
967 }
968 }
969
970 // Omitting the key size fails.
971 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
972 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
973 SCOPED_TRACE(testing::Message()
974 << "3DES-default-" << block_mode << "-" << padding_mode);
975 vector<uint8_t> key_blob;
976 vector<KeyCharacteristics> key_characteristics;
977 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
978 GenerateKey(AuthorizationSetBuilder()
979 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
980 .BlockMode(block_mode)
981 .Padding(padding_mode)
982 .Authorization(TAG_NO_AUTH_REQUIRED)
983 .SetDefaultValidity(),
984 &key_blob, &key_characteristics));
985 }
986 }
987}
988
989/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]990 * NewKeyGenerationTest.Rsa
991 *
992 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
993 * have correct characteristics.
994 */
995TEST_P(NewKeyGenerationTest, Rsa) {
996 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
997 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]998 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]999 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1000 .RsaSigningKey(key_size, 65537)
1001 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1002 .Padding(PaddingMode::NONE)
1003 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1004 &key_blob, &key_characteristics));
1005
1006 ASSERT_GT(key_blob.size(), 0U);
1007 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1008 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1009
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1010 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1011
1012 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1013 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1014 << "Key size " << key_size << "missing";
1015 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1016
1017 CheckedDeleteKey(&key_blob);
1018 }
1019}
1020
1021/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1022 * NewKeyGenerationTest.RsaWithMissingValidity
1023 *
1024 * Verifies that keymint returns an error while generating asymmetric key
1025 * without providing NOT_BEFORE and NOT_AFTER parameters.
1026 */
1027TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
1028 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1029 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1030 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1031
1032 vector<uint8_t> key_blob;
1033 vector<KeyCharacteristics> key_characteristics;
1034 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1035 GenerateKey(AuthorizationSetBuilder()
1036 .RsaSigningKey(2048, 65537)
1037 .Digest(Digest::NONE)
1038 .Padding(PaddingMode::NONE)
1039 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1040 kUndefinedExpirationDateTime),
1041 &key_blob, &key_characteristics));
1042
1043 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1044 GenerateKey(AuthorizationSetBuilder()
1045 .RsaSigningKey(2048, 65537)
1046 .Digest(Digest::NONE)
1047 .Padding(PaddingMode::NONE)
1048 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1049 &key_blob, &key_characteristics));
1050}
1051
1052/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1053 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1054 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1055 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
1056 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1057 */
1058TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1059 auto challenge = "hello";
1060 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1061
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1062 auto subject = "cert subj 2";
1063 vector<uint8_t> subject_der(make_name_from_str(subject));
1064
1065 uint64_t serial_int = 66;
1066 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1067
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1068 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1069 vector<uint8_t> key_blob;
1070 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1071 auto builder = AuthorizationSetBuilder()
1072 .RsaSigningKey(key_size, 65537)
1073 .Digest(Digest::NONE)
1074 .Padding(PaddingMode::NONE)
1075 .AttestationChallenge(challenge)
1076 .AttestationApplicationId(app_id)
1077 .Authorization(TAG_NO_AUTH_REQUIRED)
1078 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1079 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1080 .SetDefaultValidity();
1081
1082 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1083 // Strongbox may not support factory provisioned attestation key.
1084 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1085 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1086 result = GenerateKeyWithSelfSignedAttestKey(
1087 AuthorizationSetBuilder()
1088 .RsaKey(key_size, 65537)
1089 .AttestKey()
1090 .SetDefaultValidity(), /* attest key params */
1091 builder, &key_blob, &key_characteristics);
1092 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1093 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1094 ASSERT_EQ(ErrorCode::OK, result);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1095 ASSERT_GT(key_blob.size(), 0U);
1096 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1097 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1098
1099 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1100
1101 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1102 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1103 << "Key size " << key_size << "missing";
1104 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1105
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1106 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1107 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1108 ASSERT_GT(cert_chain_.size(), 0);
1109
1110 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1111 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1112 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1113 sw_enforced, hw_enforced, SecLevel(),
1114 cert_chain_[0].encodedCertificate));
1115
1116 CheckedDeleteKey(&key_blob);
1117 }
1118}
1119
1120/*
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1121 * NewKeyGenerationTest.RsaWithRpkAttestation
1122 *
1123 * Verifies that keymint can generate all required RSA key sizes, using an attestation key
1124 * that has been generated using an associate IRemotelyProvisionedComponent.
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]1125 *
1126 * This test is disabled because the KeyMint specification does not require that implementations
1127 * of the first version of KeyMint have to also implement IRemotelyProvisionedComponent.
1128 * However, the test is kept in the code because KeyMint v2 will impose this requirement.
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1129 */
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]1130TEST_P(NewKeyGenerationTest, DISABLED_RsaWithRpkAttestation) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1131 // There should be an IRemotelyProvisionedComponent instance associated with the KeyMint
1132 // instance.
1133 std::shared_ptr<IRemotelyProvisionedComponent> rp;
1134 ASSERT_TRUE(matching_rp_instance(GetParam(), &rp))
1135 << "No IRemotelyProvisionedComponent found that matches KeyMint device " << GetParam();
1136
1137 // Generate a P-256 keypair to use as an attestation key.
1138 MacedPublicKey macedPubKey;
1139 std::vector<uint8_t> privateKeyBlob;
1140 auto status =
1141 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1142 ASSERT_TRUE(status.isOk());
1143 vector<uint8_t> coseKeyData;
1144 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1145
1146 AttestationKey attestation_key;
1147 attestation_key.keyBlob = std::move(privateKeyBlob);
1148 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1149
1150 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1151 auto challenge = "hello";
1152 auto app_id = "foo";
1153
1154 vector<uint8_t> key_blob;
1155 vector<KeyCharacteristics> key_characteristics;
1156 ASSERT_EQ(ErrorCode::OK,
1157 GenerateKey(AuthorizationSetBuilder()
1158 .RsaSigningKey(key_size, 65537)
1159 .Digest(Digest::NONE)
1160 .Padding(PaddingMode::NONE)
1161 .AttestationChallenge(challenge)
1162 .AttestationApplicationId(app_id)
1163 .Authorization(TAG_NO_AUTH_REQUIRED)
1164 .SetDefaultValidity(),
1165 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
1166
1167 ASSERT_GT(key_blob.size(), 0U);
1168 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1169 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1170
1171 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1172
1173 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1174 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1175 << "Key size " << key_size << "missing";
1176 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1177
1178 // Attestation by itself is not valid (last entry is not self-signed).
1179 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1180
1181 // The signature over the attested key should correspond to the P256 public key.
1182 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1183 ASSERT_TRUE(key_cert.get());
1184 EVP_PKEY_Ptr signing_pubkey;
1185 p256_pub_key(coseKeyData, &signing_pubkey);
1186 ASSERT_TRUE(signing_pubkey.get());
1187
1188 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1189 << "Verification of attested certificate failed "
1190 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
1191
1192 CheckedDeleteKey(&key_blob);
1193 }
1194}
1195
1196/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1197 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1198 *
1199 * Verifies that keymint attestation for RSA encryption keys with challenge and
1200 * app id is also successful.
1201 */
1202TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1203 auto key_size = 2048;
1204 auto challenge = "hello";
1205 auto app_id = "foo";
1206
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1207 auto subject = "subj 2";
1208 vector<uint8_t> subject_der(make_name_from_str(subject));
1209
1210 uint64_t serial_int = 111166;
1211 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1212
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1213 vector<uint8_t> key_blob;
1214 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1215 auto builder = AuthorizationSetBuilder()
1216 .RsaEncryptionKey(key_size, 65537)
1217 .Padding(PaddingMode::NONE)
1218 .AttestationChallenge(challenge)
1219 .AttestationApplicationId(app_id)
1220 .Authorization(TAG_NO_AUTH_REQUIRED)
1221 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1222 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1223 .SetDefaultValidity();
1224
1225 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1226 // Strongbox may not support factory provisioned attestation key.
1227 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1228 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1229 result = GenerateKeyWithSelfSignedAttestKey(
1230 AuthorizationSetBuilder()
1231 .RsaKey(key_size, 65537)
1232 .AttestKey()
1233 .SetDefaultValidity(), /* attest key params */
1234 builder, &key_blob, &key_characteristics);
1235 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1236 }
1237 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1238
1239 ASSERT_GT(key_blob.size(), 0U);
1240 AuthorizationSet auths;
1241 for (auto& entry : key_characteristics) {
1242 auths.push_back(AuthorizationSet(entry.authorizations));
1243 }
1244
1245 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1246 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1247
1248 // Verify that App data and ROT are NOT included.
1249 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1250 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1251
1252 // Check that some unexpected tags/values are NOT present.
1253 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1254 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1255
1256 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1257
1258 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1259 ASSERT_TRUE(os_ver);
1260 EXPECT_EQ(*os_ver, os_version());
1261
1262 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1263
1264 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1265 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1266 << "Key size " << key_size << "missing";
1267 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1268
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1269 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1270 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1271 ASSERT_GT(cert_chain_.size(), 0);
1272
1273 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1274 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1275 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1276 sw_enforced, hw_enforced, SecLevel(),
1277 cert_chain_[0].encodedCertificate));
1278
1279 CheckedDeleteKey(&key_blob);
1280}
1281
1282/*
1283 * NewKeyGenerationTest.RsaWithSelfSign
1284 *
1285 * Verifies that attesting to RSA key generation is successful, and returns
1286 * self signed certificate if no challenge is provided. And signing etc
1287 * works as expected.
1288 */
1289TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1290 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1291 vector<uint8_t> subject_der(make_name_from_str(subject));
1292
1293 uint64_t serial_int = 0;
1294 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1295
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1296 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1297 vector<uint8_t> key_blob;
1298 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1299 ASSERT_EQ(ErrorCode::OK,
1300 GenerateKey(AuthorizationSetBuilder()
1301 .RsaSigningKey(key_size, 65537)
1302 .Digest(Digest::NONE)
1303 .Padding(PaddingMode::NONE)
1304 .Authorization(TAG_NO_AUTH_REQUIRED)
1305 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1306 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1307 .SetDefaultValidity(),
1308 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1309
1310 ASSERT_GT(key_blob.size(), 0U);
1311 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1312 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1313
1314 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1315
1316 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1317 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1318 << "Key size " << key_size << "missing";
1319 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1320
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1321 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1322 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1323 ASSERT_EQ(cert_chain_.size(), 1);
1324
1325 CheckedDeleteKey(&key_blob);
1326 }
1327}
1328
1329/*
1330 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1331 *
1332 * Verifies that attesting to RSA checks for missing app ID.
1333 */
1334TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1335 auto challenge = "hello";
1336 vector<uint8_t> key_blob;
1337 vector<KeyCharacteristics> key_characteristics;
1338
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1339 auto builder = AuthorizationSetBuilder()
1340 .RsaSigningKey(2048, 65537)
1341 .Digest(Digest::NONE)
1342 .Padding(PaddingMode::NONE)
1343 .AttestationChallenge(challenge)
1344 .Authorization(TAG_NO_AUTH_REQUIRED)
1345 .SetDefaultValidity();
1346
1347 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1348 // Strongbox may not support factory provisioned attestation key.
1349 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1350 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1351 result = GenerateKeyWithSelfSignedAttestKey(
1352 AuthorizationSetBuilder()
1353 .RsaKey(2048, 65537)
1354 .AttestKey()
1355 .SetDefaultValidity(), /* attest key params */
1356 builder, &key_blob, &key_characteristics);
1357 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1358 }
1359 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1360}
1361
1362/*
1363 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1364 *
1365 * Verifies that attesting to RSA ignores app id if challenge is missing.
1366 */
1367TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1368 auto key_size = 2048;
1369 auto app_id = "foo";
1370
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1371 auto subject = "cert subj 2";
1372 vector<uint8_t> subject_der(make_name_from_str(subject));
1373
1374 uint64_t serial_int = 1;
1375 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1376
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1377 vector<uint8_t> key_blob;
1378 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1379 ASSERT_EQ(ErrorCode::OK,
1380 GenerateKey(AuthorizationSetBuilder()
1381 .RsaSigningKey(key_size, 65537)
1382 .Digest(Digest::NONE)
1383 .Padding(PaddingMode::NONE)
1384 .AttestationApplicationId(app_id)
1385 .Authorization(TAG_NO_AUTH_REQUIRED)
1386 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1387 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1388 .SetDefaultValidity(),
1389 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1390
1391 ASSERT_GT(key_blob.size(), 0U);
1392 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1393 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1394
1395 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1396
1397 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1398 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1399 << "Key size " << key_size << "missing";
1400 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1401
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1402 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1403 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1404 ASSERT_EQ(cert_chain_.size(), 1);
1405
1406 CheckedDeleteKey(&key_blob);
1407}
1408
1409/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1410 * NewKeyGenerationTest.LimitedUsageRsa
1411 *
1412 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1413 * resulting keys have correct characteristics.
1414 */
1415TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1416 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1417 vector<uint8_t> key_blob;
1418 vector<KeyCharacteristics> key_characteristics;
1419 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1420 .RsaSigningKey(key_size, 65537)
1421 .Digest(Digest::NONE)
1422 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1423 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1424 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1425 &key_blob, &key_characteristics));
1426
1427 ASSERT_GT(key_blob.size(), 0U);
1428 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1429 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1430
1431 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1432
1433 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1434 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1435 << "Key size " << key_size << "missing";
1436 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1437
1438 // Check the usage count limit tag appears in the authorizations.
1439 AuthorizationSet auths;
1440 for (auto& entry : key_characteristics) {
1441 auths.push_back(AuthorizationSet(entry.authorizations));
1442 }
1443 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1444 << "key usage count limit " << 1U << " missing";
1445
1446 CheckedDeleteKey(&key_blob);
1447 }
1448}
1449
1450/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1451 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1452 *
1453 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1454 * resulting keys have correct characteristics and attestation.
1455 */
1456TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1457 auto challenge = "hello";
1458 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1459
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1460 auto subject = "cert subj 2";
1461 vector<uint8_t> subject_der(make_name_from_str(subject));
1462
1463 uint64_t serial_int = 66;
1464 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1465
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1466 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1467 vector<uint8_t> key_blob;
1468 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1469 auto builder = AuthorizationSetBuilder()
1470 .RsaSigningKey(key_size, 65537)
1471 .Digest(Digest::NONE)
1472 .Padding(PaddingMode::NONE)
1473 .AttestationChallenge(challenge)
1474 .AttestationApplicationId(app_id)
1475 .Authorization(TAG_NO_AUTH_REQUIRED)
1476 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1477 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1478 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1479 .SetDefaultValidity();
1480
1481 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1482 // Strongbox may not support factory provisioned attestation key.
1483 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1484 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1485 result = GenerateKeyWithSelfSignedAttestKey(
1486 AuthorizationSetBuilder()
1487 .RsaKey(key_size, 65537)
1488 .AttestKey()
1489 .SetDefaultValidity(), /* attest key params */
1490 builder, &key_blob, &key_characteristics);
1491 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1492 }
1493 ASSERT_EQ(ErrorCode::OK, result);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1494
1495 ASSERT_GT(key_blob.size(), 0U);
1496 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1497 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1498
1499 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1500
1501 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1502 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1503 << "Key size " << key_size << "missing";
1504 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1505
1506 // Check the usage count limit tag appears in the authorizations.
1507 AuthorizationSet auths;
1508 for (auto& entry : key_characteristics) {
1509 auths.push_back(AuthorizationSet(entry.authorizations));
1510 }
1511 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1512 << "key usage count limit " << 1U << " missing";
1513
1514 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1515 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1516 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1517 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1518
1519 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1520 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1521 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1522 sw_enforced, hw_enforced, SecLevel(),
1523 cert_chain_[0].encodedCertificate));
1524
1525 CheckedDeleteKey(&key_blob);
1526 }
1527}
1528
1529/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1530 * NewKeyGenerationTest.NoInvalidRsaSizes
1531 *
1532 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1533 */
1534TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1535 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
1536 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1537 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1538 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1539 GenerateKey(AuthorizationSetBuilder()
1540 .RsaSigningKey(key_size, 65537)
1541 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1542 .Padding(PaddingMode::NONE)
1543 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1544 &key_blob, &key_characteristics));
1545 }
1546}
1547
1548/*
1549 * NewKeyGenerationTest.RsaNoDefaultSize
1550 *
1551 * Verifies that failing to specify a key size for RSA key generation returns
1552 * UNSUPPORTED_KEY_SIZE.
1553 */
1554TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1555 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1556 GenerateKey(AuthorizationSetBuilder()
1557 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1558 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1559 .SigningKey()
1560 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1561}
1562
1563/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1564 * NewKeyGenerationTest.RsaMissingParams
1565 *
1566 * Verifies that omitting optional tags works.
1567 */
1568TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1569 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1570 ASSERT_EQ(ErrorCode::OK,
1571 GenerateKey(
1572 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1573 CheckedDeleteKey();
1574 }
1575}
1576
1577/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1578 * NewKeyGenerationTest.Ecdsa
1579 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1580 * Verifies that keymint can generate all required EC curves, and that the resulting keys
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1581 * have correct characteristics.
1582 */
1583TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1584 for (auto curve : ValidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1585 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1586 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1587 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1588 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1589 .Digest(Digest::NONE)
1590 .SetDefaultValidity(),
1591 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1592 ASSERT_GT(key_blob.size(), 0U);
1593 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1594 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1595
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1596 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1597
1598 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1599 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1600
1601 CheckedDeleteKey(&key_blob);
1602 }
1603}
1604
1605/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1606 * NewKeyGenerationTest.EcdsaCurve25519
1607 *
1608 * Verifies that keymint can generate a curve25519 key, and that the resulting key
1609 * has correct characteristics.
1610 */
1611TEST_P(NewKeyGenerationTest, EcdsaCurve25519) {
1612 if (!Curve25519Supported()) {
1613 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1614 }
1615
1616 EcCurve curve = EcCurve::CURVE_25519;
1617 vector<uint8_t> key_blob;
1618 vector<KeyCharacteristics> key_characteristics;
1619 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1620 .EcdsaSigningKey(curve)
1621 .Digest(Digest::NONE)
1622 .SetDefaultValidity(),
1623 &key_blob, &key_characteristics);
1624 ASSERT_EQ(result, ErrorCode::OK);
1625 ASSERT_GT(key_blob.size(), 0U);
1626
1627 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1628 ASSERT_GT(cert_chain_.size(), 0);
1629
1630 CheckBaseParams(key_characteristics);
1631 CheckCharacteristics(key_blob, key_characteristics);
1632
1633 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1634
1635 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1636 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1637
1638 CheckedDeleteKey(&key_blob);
1639}
1640
1641/*
1642 * NewKeyGenerationTest.EcCurve25519MultiPurposeFail
1643 *
1644 * Verifies that KeyMint rejects an attempt to generate a curve 25519 key for both
1645 * SIGN and AGREE_KEY.
1646 */
1647TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
1648 if (!Curve25519Supported()) {
1649 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1650 }
1651
1652 EcCurve curve = EcCurve::CURVE_25519;
1653 vector<uint8_t> key_blob;
1654 vector<KeyCharacteristics> key_characteristics;
1655 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1656 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
1657 .EcdsaSigningKey(curve)
1658 .Digest(Digest::NONE)
1659 .SetDefaultValidity(),
1660 &key_blob, &key_characteristics);
1661 ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
1662}
1663
1664/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1665 * NewKeyGenerationTest.EcdsaWithMissingValidity
1666 *
1667 * Verifies that keymint returns an error while generating asymmetric key
1668 * without providing NOT_BEFORE and NOT_AFTER parameters.
1669 */
1670TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
1671 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1672 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1673 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1674
1675 vector<uint8_t> key_blob;
1676 vector<KeyCharacteristics> key_characteristics;
1677 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1678 GenerateKey(AuthorizationSetBuilder()
1679 .EcdsaSigningKey(EcCurve::P_256)
1680 .Digest(Digest::NONE)
1681 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1682 kUndefinedExpirationDateTime),
1683 &key_blob, &key_characteristics));
1684
1685 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1686 GenerateKey(AuthorizationSetBuilder()
1687 .EcdsaSigningKey(EcCurve::P_256)
1688 .Digest(Digest::NONE)
1689 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1690 &key_blob, &key_characteristics));
1691}
1692
1693/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1694 * NewKeyGenerationTest.EcdsaAttestation
1695 *
1696 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1697 * an attestation will be generated.
1698 */
1699TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1700 auto challenge = "hello";
1701 auto app_id = "foo";
1702
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1703 auto subject = "cert subj 2";
1704 vector<uint8_t> subject_der(make_name_from_str(subject));
1705
1706 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1707 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1708
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1709 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1710 vector<uint8_t> key_blob;
1711 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1712 auto builder = AuthorizationSetBuilder()
1713 .Authorization(TAG_NO_AUTH_REQUIRED)
1714 .EcdsaSigningKey(curve)
1715 .Digest(Digest::NONE)
1716 .AttestationChallenge(challenge)
1717 .AttestationApplicationId(app_id)
1718 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1719 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1720 .SetDefaultValidity();
1721
1722 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1723 // Strongbox may not support factory provisioned attestation key.
1724 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1725 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1726 result = GenerateKeyWithSelfSignedAttestKey(
1727 AuthorizationSetBuilder()
1728 .EcdsaKey(curve)
1729 .AttestKey()
1730 .SetDefaultValidity(), /* attest key params */
1731 builder, &key_blob, &key_characteristics);
1732 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1733 }
1734 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1735 ASSERT_GT(key_blob.size(), 0U);
1736 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1737 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1738
1739 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1740
1741 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1742 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1743
1744 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1745 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1746 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1747
1748 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1749 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1750 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1751 sw_enforced, hw_enforced, SecLevel(),
1752 cert_chain_[0].encodedCertificate));
1753
1754 CheckedDeleteKey(&key_blob);
1755 }
1756}
1757
1758/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1759 * NewKeyGenerationTest.EcdsaAttestationCurve25519
1760 *
1761 * Verifies that for a curve 25519 key, if challenge and app id is provided,
1762 * an attestation will be generated.
1763 */
1764TEST_P(NewKeyGenerationTest, EcdsaAttestationCurve25519) {
1765 if (!Curve25519Supported()) {
1766 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1767 }
1768
1769 EcCurve curve = EcCurve::CURVE_25519;
1770 auto challenge = "hello";
1771 auto app_id = "foo";
1772
1773 auto subject = "cert subj 2";
1774 vector<uint8_t> subject_der(make_name_from_str(subject));
1775
1776 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1777 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1778
1779 vector<uint8_t> key_blob;
1780 vector<KeyCharacteristics> key_characteristics;
1781 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1782 .Authorization(TAG_NO_AUTH_REQUIRED)
1783 .EcdsaSigningKey(curve)
1784 .Digest(Digest::NONE)
1785 .AttestationChallenge(challenge)
1786 .AttestationApplicationId(app_id)
1787 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1788 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1789 .SetDefaultValidity(),
1790 &key_blob, &key_characteristics);
1791 ASSERT_EQ(ErrorCode::OK, result);
1792 ASSERT_GT(key_blob.size(), 0U);
1793 CheckBaseParams(key_characteristics);
1794 CheckCharacteristics(key_blob, key_characteristics);
1795
1796 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1797
1798 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1799 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1800
1801 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1802 ASSERT_GT(cert_chain_.size(), 0);
1803 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
1804
1805 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1806 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1807 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
1808 sw_enforced, hw_enforced, SecLevel(),
1809 cert_chain_[0].encodedCertificate));
1810
1811 CheckedDeleteKey(&key_blob);
1812}
1813
1814/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1815 * NewKeyGenerationTest.EcdsaAttestationTags
1816 *
1817 * Verifies that creation of an attested ECDSA key includes various tags in the
1818 * attestation extension.
1819 */
1820TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1821 auto challenge = "hello";
1822 auto app_id = "foo";
1823 auto subject = "cert subj 2";
1824 vector<uint8_t> subject_der(make_name_from_str(subject));
1825 uint64_t serial_int = 0x1010;
1826 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1827 const AuthorizationSetBuilder base_builder =
1828 AuthorizationSetBuilder()
1829 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1830 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1831 .Digest(Digest::NONE)
1832 .AttestationChallenge(challenge)
1833 .AttestationApplicationId(app_id)
1834 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1835 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1836 .SetDefaultValidity();
1837
1838 // Various tags that map to fields in the attestation extension ASN.1 schema.
1839 auto extra_tags = AuthorizationSetBuilder()
1840 .Authorization(TAG_ROLLBACK_RESISTANCE)
1841 .Authorization(TAG_EARLY_BOOT_ONLY)
1842 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1843 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1844 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1845 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1846 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1847 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1848 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1849 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1850 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1851 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1852
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1853 for (const KeyParameter& tag : extra_tags) {
1854 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1855 vector<uint8_t> key_blob;
1856 vector<KeyCharacteristics> key_characteristics;
1857 AuthorizationSetBuilder builder = base_builder;
1858 builder.push_back(tag);
1859 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1860 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1861 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1862 continue;
1863 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1864 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1865 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1866 continue;
1867 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1868 // Strongbox may not support factory provisioned attestation key.
1869 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1870 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1871 result = GenerateKeyWithSelfSignedAttestKey(
1872 AuthorizationSetBuilder()
1873 .EcdsaKey(EcCurve::P_256)
1874 .AttestKey()
1875 .SetDefaultValidity(), /* attest key params */
1876 builder, &key_blob, &key_characteristics);
1877 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1878 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1879 ASSERT_EQ(result, ErrorCode::OK);
1880 ASSERT_GT(key_blob.size(), 0U);
1881
1882 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1883 ASSERT_GT(cert_chain_.size(), 0);
1884 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1885
1886 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1887 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1888 // Some tags are optional, so don't require them to be in the enforcements.
1889 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1890 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
1891 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
1892 }
1893
1894 // Verifying the attestation record will check for the specific tag because
1895 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1896 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
1897 hw_enforced, SecLevel(),
1898 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1899
1900 CheckedDeleteKey(&key_blob);
1901 }
1902
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1903 // Collection of invalid attestation ID tags.
1904 auto invalid_tags =
1905 AuthorizationSetBuilder()
1906 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
1907 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
1908 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
1909 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
1910 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
1911 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
1912 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
1913 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1914 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1915 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1916 vector<uint8_t> key_blob;
1917 vector<KeyCharacteristics> key_characteristics;
1918 AuthorizationSetBuilder builder =
1919 AuthorizationSetBuilder()
1920 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1921 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1922 .Digest(Digest::NONE)
1923 .AttestationChallenge(challenge)
1924 .AttestationApplicationId(app_id)
1925 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1926 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1927 .SetDefaultValidity();
1928 builder.push_back(tag);
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1929
1930 auto error = GenerateKey(builder, &key_blob, &key_characteristics);
1931 // Strongbox may not support factory provisioned attestation key.
1932 if (SecLevel() == SecurityLevel::STRONGBOX) {
1933 if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1934 error = GenerateKeyWithSelfSignedAttestKey(
1935 AuthorizationSetBuilder()
1936 .EcdsaKey(EcCurve::P_256)
1937 .AttestKey()
1938 .SetDefaultValidity(), /* attest key params */
1939 builder, &key_blob, &key_characteristics);
1940 }
1941 }
1942 ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1943 }
1944}
1945
1946/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1947 * NewKeyGenerationTest.EcdsaAttestationIdTags
1948 *
1949 * Verifies that creation of an attested ECDSA key includes various ID tags in the
1950 * attestation extension.
1951 */
1952TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
1953 auto challenge = "hello";
1954 auto app_id = "foo";
1955 auto subject = "cert subj 2";
1956 vector<uint8_t> subject_der(make_name_from_str(subject));
1957 uint64_t serial_int = 0x1010;
1958 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1959 const AuthorizationSetBuilder base_builder =
1960 AuthorizationSetBuilder()
1961 .Authorization(TAG_NO_AUTH_REQUIRED)
1962 .EcdsaSigningKey(EcCurve::P_256)
1963 .Digest(Digest::NONE)
1964 .AttestationChallenge(challenge)
1965 .AttestationApplicationId(app_id)
1966 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1967 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1968 .SetDefaultValidity();
1969
1970 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
1971 auto extra_tags = AuthorizationSetBuilder();
1972 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
1973 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
1974 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
1975 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serial");
1976 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer");
1977 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model");
1978
1979 for (const KeyParameter& tag : extra_tags) {
1980 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1981 vector<uint8_t> key_blob;
1982 vector<KeyCharacteristics> key_characteristics;
1983 AuthorizationSetBuilder builder = base_builder;
1984 builder.push_back(tag);
1985 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1986 // Strongbox may not support factory provisioned attestation key.
1987 if (SecLevel() == SecurityLevel::STRONGBOX) {
1988 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
1989 }
Prashant Patil88ad1892022-03-15 16:31:02 +0000[diff] [blame]1990 if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
1991 // ID attestation was optional till api level 32, from api level 33 it is mandatory.
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1992 continue;
1993 }
1994 ASSERT_EQ(result, ErrorCode::OK);
1995 ASSERT_GT(key_blob.size(), 0U);
1996
1997 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1998 ASSERT_GT(cert_chain_.size(), 0);
1999 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2000
2001 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2002 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2003
2004 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
2005 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
2006 // attestation extension should contain them, so make sure the extra tag is added.
2007 hw_enforced.push_back(tag);
2008
2009 // Verifying the attestation record will check for the specific tag because
2010 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2011 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2012 hw_enforced, SecLevel(),
2013 cert_chain_[0].encodedCertificate));
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2014
2015 CheckedDeleteKey(&key_blob);
2016 }
2017}
2018
2019/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2020 * NewKeyGenerationTest.EcdsaAttestationUniqueId
2021 *
2022 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
2023 */
2024TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
2025 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2026 vector<uint8_t>* unique_id, bool reset = false) {
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2027 auto challenge = "hello";
2028 auto subject = "cert subj 2";
2029 vector<uint8_t> subject_der(make_name_from_str(subject));
2030 uint64_t serial_int = 0x1010;
2031 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2032 AuthorizationSetBuilder builder =
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2033 AuthorizationSetBuilder()
2034 .Authorization(TAG_NO_AUTH_REQUIRED)
2035 .Authorization(TAG_INCLUDE_UNIQUE_ID)
2036 .EcdsaSigningKey(EcCurve::P_256)
2037 .Digest(Digest::NONE)
2038 .AttestationChallenge(challenge)
2039 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2040 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2041 .AttestationApplicationId(app_id)
2042 .Authorization(TAG_CREATION_DATETIME, datetime)
2043 .SetDefaultValidity();
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2044 if (reset) {
2045 builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
2046 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2047 auto result = GenerateKey(builder);
2048 if (SecLevel() == SecurityLevel::STRONGBOX) {
2049 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2050 result = GenerateKeyWithSelfSignedAttestKey(
2051 AuthorizationSetBuilder()
2052 .EcdsaKey(EcCurve::P_256)
2053 .AttestKey()
2054 .SetDefaultValidity(), /* attest key params */
2055 builder, &key_blob_, &key_characteristics_, &cert_chain_);
2056 }
2057 }
2058 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2059 ASSERT_GT(key_blob_.size(), 0U);
2060
2061 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2062 ASSERT_GT(cert_chain_.size(), 0);
2063 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2064
2065 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
2066 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
2067
2068 // Check that the unique ID field in the extension is non-empty.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2069 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2070 hw_enforced, SecLevel(),
2071 cert_chain_[0].encodedCertificate, unique_id));
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2072 EXPECT_GT(unique_id->size(), 0);
2073 CheckedDeleteKey();
2074 };
2075
2076 // Generate unique ID
2077 auto app_id = "foo";
2078 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
2079 vector<uint8_t> unique_id;
2080 get_unique_id(app_id, cert_date, &unique_id);
2081
2082 // Generating a new key with the same parameters should give the same unique ID.
2083 vector<uint8_t> unique_id2;
2084 get_unique_id(app_id, cert_date, &unique_id2);
2085 EXPECT_EQ(unique_id, unique_id2);
2086
2087 // Generating a new key with a slightly different date should give the same unique ID.
2088 uint64_t rounded_date = cert_date / 2592000000LLU;
2089 uint64_t min_date = rounded_date * 2592000000LLU;
2090 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
2091
2092 vector<uint8_t> unique_id3;
2093 get_unique_id(app_id, min_date, &unique_id3);
2094 EXPECT_EQ(unique_id, unique_id3);
2095
2096 vector<uint8_t> unique_id4;
2097 get_unique_id(app_id, max_date, &unique_id4);
2098 EXPECT_EQ(unique_id, unique_id4);
2099
2100 // A different attestation application ID should yield a different unique ID.
2101 auto app_id2 = "different_foo";
2102 vector<uint8_t> unique_id5;
2103 get_unique_id(app_id2, cert_date, &unique_id5);
2104 EXPECT_NE(unique_id, unique_id5);
2105
2106 // A radically different date should yield a different unique ID.
2107 vector<uint8_t> unique_id6;
2108 get_unique_id(app_id, 1611621648000, &unique_id6);
2109 EXPECT_NE(unique_id, unique_id6);
2110
2111 vector<uint8_t> unique_id7;
2112 get_unique_id(app_id, max_date + 1, &unique_id7);
2113 EXPECT_NE(unique_id, unique_id7);
2114
2115 vector<uint8_t> unique_id8;
2116 get_unique_id(app_id, min_date - 1, &unique_id8);
2117 EXPECT_NE(unique_id, unique_id8);
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2118
2119 // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
2120 vector<uint8_t> unique_id9;
2121 get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
2122 EXPECT_NE(unique_id, unique_id9);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2123}
2124
2125/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2126 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
2127 *
2128 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
2129 */
2130TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
2131 auto challenge = "hello";
2132 auto attest_app_id = "foo";
2133 auto subject = "cert subj 2";
2134 vector<uint8_t> subject_der(make_name_from_str(subject));
2135 uint64_t serial_int = 0x1010;
2136 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2137
2138 // Earlier versions of the attestation extension schema included a slot:
2139 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
2140 // This should never have been included, and should never be filled in.
2141 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
2142 // to confirm that this field never makes it into the attestation extension.
2143 vector<uint8_t> key_blob;
2144 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2145 auto builder = AuthorizationSetBuilder()
2146 .Authorization(TAG_NO_AUTH_REQUIRED)
2147 .EcdsaSigningKey(EcCurve::P_256)
2148 .Digest(Digest::NONE)
2149 .AttestationChallenge(challenge)
2150 .AttestationApplicationId(attest_app_id)
2151 .Authorization(TAG_APPLICATION_ID, "client_id")
2152 .Authorization(TAG_APPLICATION_DATA, "appdata")
2153 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2154 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2155 .SetDefaultValidity();
2156
2157 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2158 // Strongbox may not support factory provisioned attestation key.
2159 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2160 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2161 result = GenerateKeyWithSelfSignedAttestKey(
2162 AuthorizationSetBuilder()
2163 .EcdsaKey(EcCurve::P_256)
2164 .AttestKey()
2165 .SetDefaultValidity(), /* attest key params */
2166 builder, &key_blob, &key_characteristics);
2167 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2168 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2169 ASSERT_EQ(result, ErrorCode::OK);
2170 ASSERT_GT(key_blob.size(), 0U);
2171
2172 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2173 ASSERT_GT(cert_chain_.size(), 0);
2174 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2175
2176 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2177 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2178 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
2179 hw_enforced, SecLevel(),
2180 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2181
2182 // Check that the app id is not in the cert.
2183 string app_id = "clientid";
2184 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
2185 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
2186 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
2187 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
2188 cert_chain_[0].encodedCertificate.end());
2189
2190 CheckedDeleteKey(&key_blob);
2191}
2192
2193/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2194 * NewKeyGenerationTest.EcdsaSelfSignAttestation
2195 *
2196 * Verifies that if no challenge is provided to an Ecdsa key generation, then
2197 * the key will generate a self signed attestation.
2198 */
2199TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2200 auto subject = "cert subj 2";
2201 vector<uint8_t> subject_der(make_name_from_str(subject));
2202
2203 uint64_t serial_int = 0x123456FFF1234;
2204 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2205
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2206 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2207 vector<uint8_t> key_blob;
2208 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2209 ASSERT_EQ(ErrorCode::OK,
2210 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2211 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2212 .Digest(Digest::NONE)
2213 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2214 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2215 .SetDefaultValidity(),
2216 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2217 ASSERT_GT(key_blob.size(), 0U);
2218 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2219 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2220
2221 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2222
2223 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2224 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2225
2226 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2227 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2228 ASSERT_EQ(cert_chain_.size(), 1);
2229
2230 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2231 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2232
2233 CheckedDeleteKey(&key_blob);
2234 }
2235}
2236
2237/*
2238 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
2239 *
2240 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
2241 * app id must also be provided or else it will fail.
2242 */
2243TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
2244 auto challenge = "hello";
2245 vector<uint8_t> key_blob;
2246 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2247 auto builder = AuthorizationSetBuilder()
2248 .EcdsaSigningKey(EcCurve::P_256)
2249 .Digest(Digest::NONE)
2250 .AttestationChallenge(challenge)
2251 .SetDefaultValidity();
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2252
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2253 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2254 // Strongbox may not support factory provisioned attestation key.
2255 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2256 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2257 result = GenerateKeyWithSelfSignedAttestKey(
2258 AuthorizationSetBuilder()
2259 .EcdsaKey(EcCurve::P_256)
2260 .AttestKey()
2261 .SetDefaultValidity(), /* attest key params */
2262 builder, &key_blob, &key_characteristics);
2263 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2264 }
2265 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2266}
2267
2268/*
2269 * NewKeyGenerationTest.EcdsaIgnoreAppId
2270 *
2271 * Verifies that if no challenge is provided to the Ecdsa key generation, then
2272 * any appid will be ignored, and keymint will generate a self sign certificate.
2273 */
2274TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
2275 auto app_id = "foo";
2276
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2277 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2278 vector<uint8_t> key_blob;
2279 vector<KeyCharacteristics> key_characteristics;
2280 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2281 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2282 .Digest(Digest::NONE)
2283 .AttestationApplicationId(app_id)
2284 .SetDefaultValidity(),
2285 &key_blob, &key_characteristics));
2286
2287 ASSERT_GT(key_blob.size(), 0U);
2288 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2289 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2290
2291 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2292
2293 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2294 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2295
2296 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2297 ASSERT_EQ(cert_chain_.size(), 1);
2298
2299 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2300 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2301
2302 CheckedDeleteKey(&key_blob);
2303 }
2304}
2305
2306/*
2307 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
2308 *
2309 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
2310 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
2311 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
2312 * to specify how many following bytes will be used to encode the length.
2313 */
2314TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
2315 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2316 std::vector<uint32_t> app_id_lengths{143, 258};
2317
2318 for (uint32_t length : app_id_lengths) {
2319 const string app_id(length, 'a');
2320 vector<uint8_t> key_blob;
2321 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2322 auto builder = AuthorizationSetBuilder()
2323 .Authorization(TAG_NO_AUTH_REQUIRED)
2324 .EcdsaSigningKey(EcCurve::P_256)
2325 .Digest(Digest::NONE)
2326 .AttestationChallenge(challenge)
2327 .AttestationApplicationId(app_id)
2328 .SetDefaultValidity();
2329
2330 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2331 // Strongbox may not support factory provisioned attestation key.
2332 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2333 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2334 result = GenerateKeyWithSelfSignedAttestKey(
2335 AuthorizationSetBuilder()
2336 .EcdsaKey(EcCurve::P_256)
2337 .AttestKey()
2338 .SetDefaultValidity(), /* attest key params */
2339 builder, &key_blob, &key_characteristics);
2340 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2341 }
2342 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2343 ASSERT_GT(key_blob.size(), 0U);
2344 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2345 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2346
2347 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2348
2349 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2350 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2351
2352 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2353 ASSERT_GT(cert_chain_.size(), 0);
2354
2355 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2356 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2357 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2358 sw_enforced, hw_enforced, SecLevel(),
2359 cert_chain_[0].encodedCertificate));
2360
2361 CheckedDeleteKey(&key_blob);
2362 }
2363}
2364
2365/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2366 * NewKeyGenerationTest.LimitedUsageEcdsa
2367 *
2368 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
2369 * resulting keys have correct characteristics.
2370 */
2371TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2372 for (auto curve : ValidCurves()) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2373 vector<uint8_t> key_blob;
2374 vector<KeyCharacteristics> key_characteristics;
2375 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2376 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2377 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2378 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
2379 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2380 &key_blob, &key_characteristics));
2381
2382 ASSERT_GT(key_blob.size(), 0U);
2383 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2384 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2385
2386 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2387
2388 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2389 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2390
2391 // Check the usage count limit tag appears in the authorizations.
2392 AuthorizationSet auths;
2393 for (auto& entry : key_characteristics) {
2394 auths.push_back(AuthorizationSet(entry.authorizations));
2395 }
2396 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2397 << "key usage count limit " << 1U << " missing";
2398
2399 CheckedDeleteKey(&key_blob);
2400 }
2401}
2402
2403/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2404 * NewKeyGenerationTest.EcdsaDefaultSize
2405 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2406 * Verifies that failing to specify a curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2407 * UNSUPPORTED_KEY_SIZE.
2408 */
2409TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
2410 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2411 GenerateKey(AuthorizationSetBuilder()
2412 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2413 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2414 .Digest(Digest::NONE)
2415 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2416}
2417
2418/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2419 * NewKeyGenerationTest.EcdsaInvalidCurve
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2420 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2421 * Verifies that specifying an invalid curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2422 * UNSUPPORTED_KEY_SIZE.
2423 */
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2424TEST_P(NewKeyGenerationTest, EcdsaInvalidCurve) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2425 for (auto curve : InvalidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2426 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2427 vector<KeyCharacteristics> key_characteristics;
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2428 auto result = GenerateKey(AuthorizationSetBuilder()
2429 .EcdsaSigningKey(curve)
2430 .Digest(Digest::NONE)
2431 .SetDefaultValidity(),
2432 &key_blob, &key_characteristics);
2433 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2434 result == ErrorCode::UNSUPPORTED_EC_CURVE);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2435 }
2436
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2437 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2438 GenerateKey(AuthorizationSetBuilder()
2439 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2440 .Authorization(TAG_KEY_SIZE, 190)
2441 .SigningKey()
2442 .Digest(Digest::NONE)
2443 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2444}
2445
2446/*
2447 * NewKeyGenerationTest.EcdsaMismatchKeySize
2448 *
2449 * Verifies that specifying mismatched key size and curve for EC key generation returns
2450 * INVALID_ARGUMENT.
2451 */
2452TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2453 if (SecLevel() == SecurityLevel::STRONGBOX) {
2454 GTEST_SKIP() << "Test not applicable to StrongBox device";
2455 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2456
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2457 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2458 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2459 .Authorization(TAG_KEY_SIZE, 224)
2460 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2461 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2462 .Digest(Digest::NONE)
2463 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2464 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2465}
2466
2467/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2468 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2469 *
2470 * Verifies that keymint does not support any curve designated as unsupported.
2471 */
2472TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2473 Digest digest;
2474 if (SecLevel() == SecurityLevel::STRONGBOX) {
2475 digest = Digest::SHA_2_256;
2476 } else {
2477 digest = Digest::SHA_2_512;
2478 }
2479 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2480 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2481 .EcdsaSigningKey(curve)
2482 .Digest(digest)
2483 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2484 << "Failed to generate key on curve: " << curve;
2485 CheckedDeleteKey();
2486 }
2487}
2488
2489/*
2490 * NewKeyGenerationTest.Hmac
2491 *
2492 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2493 * characteristics.
2494 */
2495TEST_P(NewKeyGenerationTest, Hmac) {
2496 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2497 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2498 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2499 constexpr size_t key_size = 128;
2500 ASSERT_EQ(ErrorCode::OK,
2501 GenerateKey(
2502 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2503 TAG_MIN_MAC_LENGTH, 128),
2504 &key_blob, &key_characteristics));
2505
2506 ASSERT_GT(key_blob.size(), 0U);
2507 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2508 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2509
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2510 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2511 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2512 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2513 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2514
2515 CheckedDeleteKey(&key_blob);
2516 }
2517}
2518
2519/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2520 * NewKeyGenerationTest.HmacNoAttestation
2521 *
2522 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2523 * and app id are provided.
2524 */
2525TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2526 auto challenge = "hello";
2527 auto app_id = "foo";
2528
2529 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2530 vector<uint8_t> key_blob;
2531 vector<KeyCharacteristics> key_characteristics;
2532 constexpr size_t key_size = 128;
2533 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2534 .HmacKey(key_size)
2535 .Digest(digest)
2536 .AttestationChallenge(challenge)
2537 .AttestationApplicationId(app_id)
2538 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2539 &key_blob, &key_characteristics));
2540
2541 ASSERT_GT(key_blob.size(), 0U);
2542 ASSERT_EQ(cert_chain_.size(), 0);
2543 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2544 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2545
2546 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2547 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2548 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2549 << "Key size " << key_size << "missing";
2550
2551 CheckedDeleteKey(&key_blob);
2552 }
2553}
2554
2555/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2556 * NewKeyGenerationTest.LimitedUsageHmac
2557 *
2558 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2559 * resulting keys have correct characteristics.
2560 */
2561TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2562 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2563 vector<uint8_t> key_blob;
2564 vector<KeyCharacteristics> key_characteristics;
2565 constexpr size_t key_size = 128;
2566 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2567 .HmacKey(key_size)
2568 .Digest(digest)
2569 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2570 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2571 &key_blob, &key_characteristics));
2572
2573 ASSERT_GT(key_blob.size(), 0U);
2574 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2575 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2576
2577 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2578 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2579 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2580 << "Key size " << key_size << "missing";
2581
2582 // Check the usage count limit tag appears in the authorizations.
2583 AuthorizationSet auths;
2584 for (auto& entry : key_characteristics) {
2585 auths.push_back(AuthorizationSet(entry.authorizations));
2586 }
2587 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2588 << "key usage count limit " << 1U << " missing";
2589
2590 CheckedDeleteKey(&key_blob);
2591 }
2592}
2593
2594/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2595 * NewKeyGenerationTest.HmacCheckKeySizes
2596 *
2597 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2598 */
2599TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2600 for (size_t key_size = 0; key_size <= 512; ++key_size) {
2601 if (key_size < 64 || key_size % 8 != 0) {
2602 // To keep this test from being very slow, we only test a random fraction of
2603 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2604 // them, we expect to run ~40 of them in each run.
2605 if (key_size % 8 == 0 || random() % 10 == 0) {
2606 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2607 GenerateKey(AuthorizationSetBuilder()
2608 .HmacKey(key_size)
2609 .Digest(Digest::SHA_2_256)
2610 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2611 << "HMAC key size " << key_size << " invalid";
2612 }
2613 } else {
2614 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2615 .HmacKey(key_size)
2616 .Digest(Digest::SHA_2_256)
2617 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2618 << "Failed to generate HMAC key of size " << key_size;
2619 CheckedDeleteKey();
2620 }
2621 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2622 if (SecLevel() == SecurityLevel::STRONGBOX) {
2623 // STRONGBOX devices must not support keys larger than 512 bits.
2624 size_t key_size = 520;
2625 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2626 GenerateKey(AuthorizationSetBuilder()
2627 .HmacKey(key_size)
2628 .Digest(Digest::SHA_2_256)
2629 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2630 << "HMAC key size " << key_size << " unexpectedly valid";
2631 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2632}
2633
2634/*
2635 * NewKeyGenerationTest.HmacCheckMinMacLengths
2636 *
2637 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2638 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2639 * specific MAC length that failed, so reproducing a failed run will be easy.
2640 */
2641TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2642 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
2643 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2644 // To keep this test from being very long, we only test a random fraction of
2645 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2646 // we expect to run ~17 of them in each run.
2647 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2648 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2649 GenerateKey(AuthorizationSetBuilder()
2650 .HmacKey(128)
2651 .Digest(Digest::SHA_2_256)
2652 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2653 << "HMAC min mac length " << min_mac_length << " invalid.";
2654 }
2655 } else {
2656 EXPECT_EQ(ErrorCode::OK,
2657 GenerateKey(AuthorizationSetBuilder()
2658 .HmacKey(128)
2659 .Digest(Digest::SHA_2_256)
2660 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2661 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2662 CheckedDeleteKey();
2663 }
2664 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2665
2666 // Minimum MAC length must be no more than 512 bits.
2667 size_t min_mac_length = 520;
2668 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2669 GenerateKey(AuthorizationSetBuilder()
2670 .HmacKey(128)
2671 .Digest(Digest::SHA_2_256)
2672 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2673 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2674}
2675
2676/*
2677 * NewKeyGenerationTest.HmacMultipleDigests
2678 *
2679 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2680 */
2681TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2682 if (SecLevel() == SecurityLevel::STRONGBOX) {
2683 GTEST_SKIP() << "Test not applicable to StrongBox device";
2684 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2685
2686 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2687 GenerateKey(AuthorizationSetBuilder()
2688 .HmacKey(128)
2689 .Digest(Digest::SHA1)
2690 .Digest(Digest::SHA_2_256)
2691 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2692}
2693
2694/*
2695 * NewKeyGenerationTest.HmacDigestNone
2696 *
2697 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2698 */
2699TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2700 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2701 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2702 128)));
2703
2704 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2705 GenerateKey(AuthorizationSetBuilder()
2706 .HmacKey(128)
2707 .Digest(Digest::NONE)
2708 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2709}
2710
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2711/*
2712 * NewKeyGenerationTest.AesNoAttestation
2713 *
2714 * Verifies that attestation parameters to AES keys are ignored and generateKey
2715 * will succeed.
2716 */
2717TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2718 auto challenge = "hello";
2719 auto app_id = "foo";
2720
2721 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2722 .Authorization(TAG_NO_AUTH_REQUIRED)
2723 .AesEncryptionKey(128)
2724 .EcbMode()
2725 .Padding(PaddingMode::PKCS7)
2726 .AttestationChallenge(challenge)
2727 .AttestationApplicationId(app_id)));
2728
2729 ASSERT_EQ(cert_chain_.size(), 0);
2730}
2731
2732/*
2733 * NewKeyGenerationTest.TripleDesNoAttestation
2734 *
2735 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2736 * will be successful. No attestation should be generated.
2737 */
2738TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2739 auto challenge = "hello";
2740 auto app_id = "foo";
2741
2742 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2743 .TripleDesEncryptionKey(168)
2744 .BlockMode(BlockMode::ECB)
2745 .Authorization(TAG_NO_AUTH_REQUIRED)
2746 .Padding(PaddingMode::NONE)
2747 .AttestationChallenge(challenge)
2748 .AttestationApplicationId(app_id)));
2749 ASSERT_EQ(cert_chain_.size(), 0);
2750}
2751
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2752INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2753
2754typedef KeyMintAidlTestBase SigningOperationsTest;
2755
2756/*
2757 * SigningOperationsTest.RsaSuccess
2758 *
2759 * Verifies that raw RSA signature operations succeed.
2760 */
2761TEST_P(SigningOperationsTest, RsaSuccess) {
2762 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2763 .RsaSigningKey(2048, 65537)
2764 .Digest(Digest::NONE)
2765 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2766 .Authorization(TAG_NO_AUTH_REQUIRED)
2767 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2768 string message = "12345678901234567890123456789012";
2769 string signature = SignMessage(
2770 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2771 LocalVerifyMessage(message, signature,
2772 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2773}
2774
2775/*
2776 * SigningOperationsTest.RsaAllPaddingsAndDigests
2777 *
2778 * Verifies RSA signature/verification for all padding modes and digests.
2779 */
2780TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2781 auto authorizations = AuthorizationSetBuilder()
2782 .Authorization(TAG_NO_AUTH_REQUIRED)
2783 .RsaSigningKey(2048, 65537)
2784 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2785 .Padding(PaddingMode::NONE)
2786 .Padding(PaddingMode::RSA_PSS)
2787 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2788 .SetDefaultValidity();
2789
2790 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2791
2792 string message(128, 'a');
2793 string corrupt_message(message);
2794 ++corrupt_message[corrupt_message.size() / 2];
2795
2796 for (auto padding :
2797 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2798 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
2799 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2800 // Digesting only makes sense with padding.
2801 continue;
2802 }
2803
2804 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2805 // PSS requires digesting.
2806 continue;
2807 }
2808
2809 string signature =
2810 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2811 LocalVerifyMessage(message, signature,
2812 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2813 }
2814 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2815}
2816
2817/*
2818 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2819 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2820 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2821 */
2822TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2823 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2824 .Authorization(TAG_NO_AUTH_REQUIRED)
2825 .RsaSigningKey(2048, 65537)
2826 .Digest(Digest::NONE)
2827 .Padding(PaddingMode::NONE)
2828 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2829 .Authorization(TAG_APPLICATION_DATA, "appdata")
2830 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2831
2832 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2833
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2834 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2835 Begin(KeyPurpose::SIGN,
2836 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2837 AbortIfNeeded();
2838 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2839 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2840 .Digest(Digest::NONE)
2841 .Padding(PaddingMode::NONE)
2842 .Authorization(TAG_APPLICATION_ID, "clientid")));
2843 AbortIfNeeded();
2844 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2845 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2846 .Digest(Digest::NONE)
2847 .Padding(PaddingMode::NONE)
2848 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2849 AbortIfNeeded();
2850 EXPECT_EQ(ErrorCode::OK,
2851 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2852 .Digest(Digest::NONE)
2853 .Padding(PaddingMode::NONE)
2854 .Authorization(TAG_APPLICATION_DATA, "appdata")
2855 .Authorization(TAG_APPLICATION_ID, "clientid")));
2856 AbortIfNeeded();
2857}
2858
2859/*
2860 * SigningOperationsTest.RsaPssSha256Success
2861 *
2862 * Verifies that RSA-PSS signature operations succeed.
2863 */
2864TEST_P(SigningOperationsTest, RsaPssSha256Success) {
2865 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2866 .RsaSigningKey(2048, 65537)
2867 .Digest(Digest::SHA_2_256)
2868 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2869 .Authorization(TAG_NO_AUTH_REQUIRED)
2870 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2871 // Use large message, which won't work without digesting.
2872 string message(1024, 'a');
2873 string signature = SignMessage(
2874 message,
2875 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
2876}
2877
2878/*
2879 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
2880 *
2881 * Verifies that keymint rejects signature operations that specify a padding mode when the key
2882 * supports only unpadded operations.
2883 */
2884TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
2885 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2886 .RsaSigningKey(2048, 65537)
2887 .Digest(Digest::NONE)
2888 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2889 .Padding(PaddingMode::NONE)
2890 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2891 string message = "12345678901234567890123456789012";
2892 string signature;
2893
2894 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
2895 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2896 .Digest(Digest::NONE)
2897 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2898}
2899
2900/*
2901 * SigningOperationsTest.NoUserConfirmation
2902 *
2903 * Verifies that keymint rejects signing operations for keys with
2904 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
2905 * presented.
2906 */
2907TEST_P(SigningOperationsTest, NoUserConfirmation) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2908 if (SecLevel() == SecurityLevel::STRONGBOX) {
2909 GTEST_SKIP() << "Test not applicable to StrongBox device";
2910 }
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2911 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2912 .RsaSigningKey(1024, 65537)
2913 .Digest(Digest::NONE)
2914 .Padding(PaddingMode::NONE)
2915 .Authorization(TAG_NO_AUTH_REQUIRED)
2916 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
2917 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2918
2919 const string message = "12345678901234567890123456789012";
2920 EXPECT_EQ(ErrorCode::OK,
2921 Begin(KeyPurpose::SIGN,
2922 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2923 string signature;
2924 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
2925}
2926
2927/*
2928 * SigningOperationsTest.RsaPkcs1Sha256Success
2929 *
2930 * Verifies that digested RSA-PKCS1 signature operations succeed.
2931 */
2932TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
2933 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2934 .RsaSigningKey(2048, 65537)
2935 .Digest(Digest::SHA_2_256)
2936 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2937 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2938 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2939 string message(1024, 'a');
2940 string signature = SignMessage(message, AuthorizationSetBuilder()
2941 .Digest(Digest::SHA_2_256)
2942 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2943}
2944
2945/*
2946 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
2947 *
2948 * Verifies that undigested RSA-PKCS1 signature operations succeed.
2949 */
2950TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
2951 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2952 .RsaSigningKey(2048, 65537)
2953 .Digest(Digest::NONE)
2954 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2955 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2956 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2957 string message(53, 'a');
2958 string signature = SignMessage(message, AuthorizationSetBuilder()
2959 .Digest(Digest::NONE)
2960 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2961}
2962
2963/*
2964 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
2965 *
2966 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
2967 * given a too-long message.
2968 */
2969TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
2970 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2971 .RsaSigningKey(2048, 65537)
2972 .Digest(Digest::NONE)
2973 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2974 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2975 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2976 string message(257, 'a');
2977
2978 EXPECT_EQ(ErrorCode::OK,
2979 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2980 .Digest(Digest::NONE)
2981 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2982 string signature;
2983 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
2984}
2985
2986/*
2987 * SigningOperationsTest.RsaPssSha512TooSmallKey
2988 *
2989 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
2990 * used with a key that is too small for the message.
2991 *
2992 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
2993 * keymint specification requires that salt_size == digest_size, so the message will be
2994 * digest_size * 2 +
2995 * 16. Such a message can only be signed by a given key if the key is at least that size. This
2996 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
2997 * for a 1024-bit key.
2998 */
2999TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]3000 if (SecLevel() == SecurityLevel::STRONGBOX) {
3001 GTEST_SKIP() << "Test not applicable to StrongBox device";
3002 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3003 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3004 .RsaSigningKey(1024, 65537)
3005 .Digest(Digest::SHA_2_512)
3006 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3007 .Padding(PaddingMode::RSA_PSS)
3008 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3009 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3010 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3011 .Digest(Digest::SHA_2_512)
3012 .Padding(PaddingMode::RSA_PSS)));
3013}
3014
3015/*
3016 * SigningOperationsTest.RsaNoPaddingTooLong
3017 *
3018 * Verifies that raw RSA signature operations fail with the correct error code when
3019 * given a too-long message.
3020 */
3021TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
3022 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3023 .RsaSigningKey(2048, 65537)
3024 .Digest(Digest::NONE)
3025 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3026 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3027 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3028 // One byte too long
3029 string message(2048 / 8 + 1, 'a');
3030 ASSERT_EQ(ErrorCode::OK,
3031 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3032 .Digest(Digest::NONE)
3033 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3034 string result;
3035 ErrorCode finish_error_code = Finish(message, &result);
3036 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3037 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3038
3039 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
3040 message = string(128 * 1024, 'a');
3041 ASSERT_EQ(ErrorCode::OK,
3042 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3043 .Digest(Digest::NONE)
3044 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3045 finish_error_code = Finish(message, &result);
3046 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3047 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3048}
3049
3050/*
3051 * SigningOperationsTest.RsaAbort
3052 *
3053 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
3054 * test, but the behavior should be algorithm and purpose-independent.
3055 */
3056TEST_P(SigningOperationsTest, RsaAbort) {
3057 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3058 .RsaSigningKey(2048, 65537)
3059 .Digest(Digest::NONE)
3060 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3061 .Padding(PaddingMode::NONE)
3062 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3063
3064 ASSERT_EQ(ErrorCode::OK,
3065 Begin(KeyPurpose::SIGN,
3066 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3067 EXPECT_EQ(ErrorCode::OK, Abort());
3068
3069 // Another abort should fail
3070 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
3071
3072 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]3073 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3074}
3075
3076/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3077 * SigningOperationsTest.RsaNonUniqueParams
3078 *
3079 * Verifies that an operation with multiple padding modes is rejected.
3080 */
3081TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
3082 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3083 .RsaSigningKey(2048, 65537)
3084 .Digest(Digest::NONE)
3085 .Digest(Digest::SHA1)
3086 .Authorization(TAG_NO_AUTH_REQUIRED)
3087 .Padding(PaddingMode::NONE)
3088 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3089 .SetDefaultValidity()));
3090
3091 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3092 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3093 .Digest(Digest::NONE)
3094 .Padding(PaddingMode::NONE)
3095 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3096
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]3097 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3098 .Digest(Digest::NONE)
3099 .Digest(Digest::SHA1)
3100 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3101 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3102
3103 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3104 Begin(KeyPurpose::SIGN,
3105 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3106}
3107
3108/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3109 * SigningOperationsTest.RsaUnsupportedPadding
3110 *
3111 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
3112 * with a padding mode inappropriate for RSA.
3113 */
3114TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
3115 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3116 .RsaSigningKey(2048, 65537)
3117 .Authorization(TAG_NO_AUTH_REQUIRED)
3118 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3119 .Padding(PaddingMode::PKCS7)
3120 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3121 ASSERT_EQ(
3122 ErrorCode::UNSUPPORTED_PADDING_MODE,
3123 Begin(KeyPurpose::SIGN,
3124 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3125 CheckedDeleteKey();
3126
3127 ASSERT_EQ(ErrorCode::OK,
3128 GenerateKey(
3129 AuthorizationSetBuilder()
3130 .RsaSigningKey(2048, 65537)
3131 .Authorization(TAG_NO_AUTH_REQUIRED)
3132 .Digest(Digest::SHA_2_256 /* supported digest */)
3133 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
3134 .SetDefaultValidity()));
3135 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3136 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3137 .Digest(Digest::SHA_2_256)
3138 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3139}
3140
3141/*
3142 * SigningOperationsTest.RsaPssNoDigest
3143 *
3144 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
3145 */
3146TEST_P(SigningOperationsTest, RsaNoDigest) {
3147 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3148 .RsaSigningKey(2048, 65537)
3149 .Authorization(TAG_NO_AUTH_REQUIRED)
3150 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3151 .Padding(PaddingMode::RSA_PSS)
3152 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3153 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3154 Begin(KeyPurpose::SIGN,
3155 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
3156
3157 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3158 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
3159}
3160
3161/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3162 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3163 *
3164 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
3165 * supported in some cases (as validated in other tests), but a mode must be specified.
3166 */
3167TEST_P(SigningOperationsTest, RsaNoPadding) {
3168 // Padding must be specified
3169 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3170 .RsaKey(2048, 65537)
3171 .Authorization(TAG_NO_AUTH_REQUIRED)
3172 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3173 .Digest(Digest::NONE)
3174 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3175 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3176 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3177}
3178
3179/*
3180 * SigningOperationsTest.RsaShortMessage
3181 *
3182 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
3183 */
3184TEST_P(SigningOperationsTest, RsaTooShortMessage) {
3185 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3186 .Authorization(TAG_NO_AUTH_REQUIRED)
3187 .RsaSigningKey(2048, 65537)
3188 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3189 .Padding(PaddingMode::NONE)
3190 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3191
3192 // Barely shorter
3193 string message(2048 / 8 - 1, 'a');
3194 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3195
3196 // Much shorter
3197 message = "a";
3198 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3199}
3200
3201/*
3202 * SigningOperationsTest.RsaSignWithEncryptionKey
3203 *
3204 * Verifies that RSA encryption keys cannot be used to sign.
3205 */
3206TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
3207 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3208 .Authorization(TAG_NO_AUTH_REQUIRED)
3209 .RsaEncryptionKey(2048, 65537)
3210 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3211 .Padding(PaddingMode::NONE)
3212 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3213 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3214 Begin(KeyPurpose::SIGN,
3215 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3216}
3217
3218/*
3219 * SigningOperationsTest.RsaSignTooLargeMessage
3220 *
3221 * Verifies that attempting a raw signature of a message which is the same length as the key,
3222 * but numerically larger than the public modulus, fails with the correct error.
3223 */
3224TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
3225 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3226 .Authorization(TAG_NO_AUTH_REQUIRED)
3227 .RsaSigningKey(2048, 65537)
3228 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3229 .Padding(PaddingMode::NONE)
3230 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3231
3232 // Largest possible message will always be larger than the public modulus.
3233 string message(2048 / 8, static_cast<char>(0xff));
3234 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3235 .Authorization(TAG_NO_AUTH_REQUIRED)
3236 .Digest(Digest::NONE)
3237 .Padding(PaddingMode::NONE)));
3238 string signature;
3239 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
3240}
3241
3242/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3243 * SigningOperationsTest.EcdsaAllDigestsAndCurves
3244 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3245 * Verifies ECDSA signature/verification for all digests and required curves.
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3246 */
3247TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3248
3249 string message = "1234567890";
3250 string corrupt_message = "2234567890";
3251 for (auto curve : ValidCurves()) {
3252 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3253 // Ed25519 only allows Digest::NONE.
3254 auto digests = (curve == EcCurve::CURVE_25519)
3255 ? std::vector<Digest>(1, Digest::NONE)
3256 : ValidDigests(true /* withNone */, false /* withMD5 */);
3257
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3258 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3259 .Authorization(TAG_NO_AUTH_REQUIRED)
3260 .EcdsaSigningKey(curve)
3261 .Digest(digests)
3262 .SetDefaultValidity());
3263 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
3264 if (error != ErrorCode::OK) {
3265 continue;
3266 }
3267
3268 for (auto digest : digests) {
3269 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
3270 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
3271 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
3272 }
3273
3274 auto rc = DeleteKey();
3275 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
3276 }
3277}
3278
3279/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3280 * SigningOperationsTest.EcdsaAllCurves
3281 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3282 * Verifies that ECDSA operations succeed with all required curves.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3283 */
3284TEST_P(SigningOperationsTest, EcdsaAllCurves) {
3285 for (auto curve : ValidCurves()) {
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3286 Digest digest = (curve == EcCurve::CURVE_25519 ? Digest::NONE : Digest::SHA_2_256);
3287 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3288 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3289 .Authorization(TAG_NO_AUTH_REQUIRED)
3290 .EcdsaSigningKey(curve)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3291 .Digest(digest)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3292 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3293 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3294 if (error != ErrorCode::OK) continue;
3295
3296 string message(1024, 'a');
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3297 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3298 CheckedDeleteKey();
3299 }
3300}
3301
3302/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3303 * SigningOperationsTest.EcdsaCurve25519
3304 *
3305 * Verifies that ECDSA operations succeed with curve25519.
3306 */
3307TEST_P(SigningOperationsTest, EcdsaCurve25519) {
3308 if (!Curve25519Supported()) {
3309 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3310 }
3311
3312 EcCurve curve = EcCurve::CURVE_25519;
3313 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3314 .Authorization(TAG_NO_AUTH_REQUIRED)
3315 .EcdsaSigningKey(curve)
3316 .Digest(Digest::NONE)
3317 .SetDefaultValidity());
3318 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3319
3320 string message(1024, 'a');
3321 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3322 CheckedDeleteKey();
3323}
3324
3325/*
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]3326 * SigningOperationsTest.EcdsaCurve25519MaxSize
3327 *
3328 * Verifies that EDDSA operations with curve25519 under the maximum message size succeed.
3329 */
3330TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSize) {
3331 if (!Curve25519Supported()) {
3332 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3333 }
3334
3335 EcCurve curve = EcCurve::CURVE_25519;
3336 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3337 .Authorization(TAG_NO_AUTH_REQUIRED)
3338 .EcdsaSigningKey(curve)
3339 .Digest(Digest::NONE)
3340 .SetDefaultValidity());
3341 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3342
3343 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3344
3345 for (size_t msg_size : {MAX_ED25519_MSG_SIZE - 1, MAX_ED25519_MSG_SIZE}) {
3346 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3347 string message(msg_size, 'a');
3348
3349 // Attempt to sign via Begin+Finish.
3350 AuthorizationSet out_params;
3351 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3352 EXPECT_TRUE(out_params.empty());
3353 string signature;
3354 auto result = Finish(message, &signature);
3355 EXPECT_EQ(result, ErrorCode::OK);
3356 LocalVerifyMessage(message, signature, params);
3357
3358 // Attempt to sign via Begin+Update+Finish
3359 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3360 EXPECT_TRUE(out_params.empty());
3361 string output;
3362 result = Update(message, &output);
3363 EXPECT_EQ(result, ErrorCode::OK);
3364 EXPECT_EQ(output.size(), 0);
3365 string signature2;
3366 EXPECT_EQ(ErrorCode::OK, Finish({}, &signature2));
3367 LocalVerifyMessage(message, signature2, params);
3368 }
3369
3370 CheckedDeleteKey();
3371}
3372
3373/*
3374 * SigningOperationsTest.EcdsaCurve25519MaxSizeFail
3375 *
3376 * Verifies that EDDSA operations with curve25519 fail when message size is too large.
3377 */
3378TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSizeFail) {
3379 if (!Curve25519Supported()) {
3380 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3381 }
3382
3383 EcCurve curve = EcCurve::CURVE_25519;
3384 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3385 .Authorization(TAG_NO_AUTH_REQUIRED)
3386 .EcdsaSigningKey(curve)
3387 .Digest(Digest::NONE)
3388 .SetDefaultValidity());
3389 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3390
3391 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3392
3393 for (size_t msg_size : {MAX_ED25519_MSG_SIZE + 1, MAX_ED25519_MSG_SIZE * 2}) {
3394 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3395 string message(msg_size, 'a');
3396
3397 // Attempt to sign via Begin+Finish.
3398 AuthorizationSet out_params;
3399 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3400 EXPECT_TRUE(out_params.empty());
3401 string signature;
3402 auto result = Finish(message, &signature);
3403 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3404
3405 // Attempt to sign via Begin+Update (but never get to Finish)
3406 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3407 EXPECT_TRUE(out_params.empty());
3408 string output;
3409 result = Update(message, &output);
3410 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3411 }
3412
3413 CheckedDeleteKey();
3414}
3415
3416/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3417 * SigningOperationsTest.EcdsaNoDigestHugeData
3418 *
3419 * Verifies that ECDSA operations support very large messages, even without digesting. This
3420 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
3421 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
3422 * the framework.
3423 */
3424TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
3425 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3426 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3427 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3428 .Digest(Digest::NONE)
3429 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3430 string message(1 * 1024, 'a');
3431 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3432}
3433
3434/*
3435 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
3436 *
3437 * Verifies that using an EC key requires the correct app ID/data.
3438 */
3439TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
3440 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3441 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3442 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3443 .Digest(Digest::NONE)
3444 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3445 .Authorization(TAG_APPLICATION_DATA, "appdata")
3446 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3447
3448 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3449
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3450 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3451 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3452 AbortIfNeeded();
3453 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3454 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3455 .Digest(Digest::NONE)
3456 .Authorization(TAG_APPLICATION_ID, "clientid")));
3457 AbortIfNeeded();
3458 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3459 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3460 .Digest(Digest::NONE)
3461 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3462 AbortIfNeeded();
3463 EXPECT_EQ(ErrorCode::OK,
3464 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3465 .Digest(Digest::NONE)
3466 .Authorization(TAG_APPLICATION_DATA, "appdata")
3467 .Authorization(TAG_APPLICATION_ID, "clientid")));
3468 AbortIfNeeded();
3469}
3470
3471/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3472 * SigningOperationsTest.EcdsaIncompatibleDigest
3473 *
3474 * Verifies that using an EC key requires compatible digest.
3475 */
3476TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
3477 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3478 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3479 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3480 .Digest(Digest::NONE)
3481 .Digest(Digest::SHA1)
3482 .SetDefaultValidity()));
3483 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3484 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
3485 AbortIfNeeded();
3486}
3487
3488/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3489 * SigningOperationsTest.AesEcbSign
3490 *
3491 * Verifies that attempts to use AES keys to sign fail in the correct way.
3492 */
3493TEST_P(SigningOperationsTest, AesEcbSign) {
3494 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3495 .Authorization(TAG_NO_AUTH_REQUIRED)
3496 .SigningKey()
3497 .AesEncryptionKey(128)
3498 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
3499
3500 AuthorizationSet out_params;
3501 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3502 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
3503 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3504 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
3505}
3506
3507/*
3508 * SigningOperationsTest.HmacAllDigests
3509 *
3510 * Verifies that HMAC works with all digests.
3511 */
3512TEST_P(SigningOperationsTest, HmacAllDigests) {
3513 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
3514 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3515 .Authorization(TAG_NO_AUTH_REQUIRED)
3516 .HmacKey(128)
3517 .Digest(digest)
3518 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
3519 << "Failed to create HMAC key with digest " << digest;
3520 string message = "12345678901234567890123456789012";
3521 string signature = MacMessage(message, digest, 160);
3522 EXPECT_EQ(160U / 8U, signature.size())
3523 << "Failed to sign with HMAC key with digest " << digest;
3524 CheckedDeleteKey();
3525 }
3526}
3527
3528/*
3529 * SigningOperationsTest.HmacSha256TooLargeMacLength
3530 *
3531 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
3532 * digest size.
3533 */
3534TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
3535 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3536 .Authorization(TAG_NO_AUTH_REQUIRED)
3537 .HmacKey(128)
3538 .Digest(Digest::SHA_2_256)
3539 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
3540 AuthorizationSet output_params;
3541 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3542 AuthorizationSetBuilder()
3543 .Digest(Digest::SHA_2_256)
3544 .Authorization(TAG_MAC_LENGTH, 264),
3545 &output_params));
3546}
3547
3548/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3549 * SigningOperationsTest.HmacSha256InvalidMacLength
3550 *
3551 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
3552 * not a multiple of 8.
3553 */
3554TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
3555 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3556 .Authorization(TAG_NO_AUTH_REQUIRED)
3557 .HmacKey(128)
3558 .Digest(Digest::SHA_2_256)
3559 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
3560 AuthorizationSet output_params;
3561 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3562 AuthorizationSetBuilder()
3563 .Digest(Digest::SHA_2_256)
3564 .Authorization(TAG_MAC_LENGTH, 161),
3565 &output_params));
3566}
3567
3568/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3569 * SigningOperationsTest.HmacSha256TooSmallMacLength
3570 *
3571 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
3572 * specified minimum MAC length.
3573 */
3574TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3575 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3576 .Authorization(TAG_NO_AUTH_REQUIRED)
3577 .HmacKey(128)
3578 .Digest(Digest::SHA_2_256)
3579 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3580 AuthorizationSet output_params;
3581 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3582 AuthorizationSetBuilder()
3583 .Digest(Digest::SHA_2_256)
3584 .Authorization(TAG_MAC_LENGTH, 120),
3585 &output_params));
3586}
3587
3588/*
3589 * SigningOperationsTest.HmacRfc4231TestCase3
3590 *
3591 * Validates against the test vectors from RFC 4231 test case 3.
3592 */
3593TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3594 string key(20, 0xaa);
3595 string message(50, 0xdd);
3596 uint8_t sha_224_expected[] = {
3597 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3598 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3599 };
3600 uint8_t sha_256_expected[] = {
3601 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3602 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3603 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3604 };
3605 uint8_t sha_384_expected[] = {
3606 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3607 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3608 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3609 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3610 };
3611 uint8_t sha_512_expected[] = {
3612 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3613 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3614 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3615 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3616 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3617 };
3618
3619 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3620 if (SecLevel() != SecurityLevel::STRONGBOX) {
3621 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3622 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3623 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3624 }
3625}
3626
3627/*
3628 * SigningOperationsTest.HmacRfc4231TestCase5
3629 *
3630 * Validates against the test vectors from RFC 4231 test case 5.
3631 */
3632TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3633 string key(20, 0x0c);
3634 string message = "Test With Truncation";
3635
3636 uint8_t sha_224_expected[] = {
3637 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3638 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3639 };
3640 uint8_t sha_256_expected[] = {
3641 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3642 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3643 };
3644 uint8_t sha_384_expected[] = {
3645 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3646 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3647 };
3648 uint8_t sha_512_expected[] = {
3649 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3650 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3651 };
3652
3653 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3654 if (SecLevel() != SecurityLevel::STRONGBOX) {
3655 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3656 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3657 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3658 }
3659}
3660
3661INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3662
3663typedef KeyMintAidlTestBase VerificationOperationsTest;
3664
3665/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3666 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3667 *
3668 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3669 */
3670TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3671 string key_material = "HelloThisIsAKey";
3672
3673 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3674 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3675 EXPECT_EQ(ErrorCode::OK,
3676 ImportKey(AuthorizationSetBuilder()
3677 .Authorization(TAG_NO_AUTH_REQUIRED)
3678 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3679 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3680 .Digest(Digest::SHA_2_256)
3681 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3682 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
3683 EXPECT_EQ(ErrorCode::OK,
3684 ImportKey(AuthorizationSetBuilder()
3685 .Authorization(TAG_NO_AUTH_REQUIRED)
3686 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3687 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3688 .Digest(Digest::SHA_2_256)
3689 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3690 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
3691
3692 string message = "This is a message.";
3693 string signature = SignMessage(
3694 signing_key, message,
3695 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3696
3697 // Signing key should not work.
3698 AuthorizationSet out_params;
3699 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3700 Begin(KeyPurpose::VERIFY, signing_key,
3701 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3702
3703 // Verification key should work.
3704 VerifyMessage(verification_key, message, signature,
3705 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
3706
3707 CheckedDeleteKey(&signing_key);
3708 CheckedDeleteKey(&verification_key);
3709}
3710
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3711/*
3712 * VerificationOperationsTest.HmacVerificationFailsForCorruptSignature
3713 *
3714 * Verifies HMAC signature verification should fails if message or signature is corrupted.
3715 */
3716TEST_P(VerificationOperationsTest, HmacVerificationFailsForCorruptSignature) {
3717 string key_material = "HelloThisIsAKey";
3718
3719 vector<uint8_t> signing_key, verification_key;
3720 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
3721 EXPECT_EQ(ErrorCode::OK,
3722 ImportKey(AuthorizationSetBuilder()
3723 .Authorization(TAG_NO_AUTH_REQUIRED)
3724 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3725 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3726 .Digest(Digest::SHA_2_256)
3727 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3728 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
3729 EXPECT_EQ(ErrorCode::OK,
3730 ImportKey(AuthorizationSetBuilder()
3731 .Authorization(TAG_NO_AUTH_REQUIRED)
3732 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3733 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3734 .Digest(Digest::SHA_2_256)
3735 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3736 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
3737
3738 string message = "This is a message.";
3739 string signature = SignMessage(
3740 signing_key, message,
3741 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3742
3743 AuthorizationSet begin_out_params;
3744 ASSERT_EQ(ErrorCode::OK,
3745 Begin(KeyPurpose::VERIFY, verification_key,
3746 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3747
3748 string corruptMessage = "This is b message."; // Corrupted message
3749 string output;
3750 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corruptMessage, signature, &output));
3751
3752 ASSERT_EQ(ErrorCode::OK,
3753 Begin(KeyPurpose::VERIFY, verification_key,
3754 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3755
3756 signature[0] += 1; // Corrupt a signature
3757 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, signature, &output));
3758
3759 CheckedDeleteKey(&signing_key);
3760 CheckedDeleteKey(&verification_key);
3761}
3762
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3763INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3764
3765typedef KeyMintAidlTestBase ExportKeyTest;
3766
3767/*
3768 * ExportKeyTest.RsaUnsupportedKeyFormat
3769 *
3770 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3771 */
3772// TODO(seleneh) add ExportKey to GenerateKey
3773// check result
3774
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]3775class ImportKeyTest : public NewKeyGenerationTest {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3776 public:
3777 template <TagType tag_type, Tag tag, typename ValueT>
3778 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3779 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3780 for (auto& entry : key_characteristics_) {
3781 if (entry.securityLevel == SecLevel()) {
3782 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3783 << "Tag " << tag << " with value " << expected
3784 << " not found at security level" << entry.securityLevel;
3785 } else {
3786 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3787 << "Tag " << tag << " found at security level " << entry.securityLevel;
3788 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3789 }
3790 }
3791
3792 void CheckOrigin() {
3793 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3794 // Origin isn't a crypto param, but it always lives with them.
3795 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3796 }
3797};
3798
3799/*
3800 * ImportKeyTest.RsaSuccess
3801 *
3802 * Verifies that importing and using an RSA key pair works correctly.
3803 */
3804TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3805 uint32_t key_size;
3806 string key;
3807
3808 if (SecLevel() == SecurityLevel::STRONGBOX) {
3809 key_size = 2048;
3810 key = rsa_2048_key;
3811 } else {
3812 key_size = 1024;
3813 key = rsa_key;
3814 }
3815
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3816 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3817 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3818 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3819 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3820 .Padding(PaddingMode::RSA_PSS)
3821 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3822 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3823
3824 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3825 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3826 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3827 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3828 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3829 CheckOrigin();
3830
3831 string message(1024 / 8, 'a');
3832 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3833 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3834 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3835}
3836
3837/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3838 * ImportKeyTest.RsaSuccessWithoutParams
3839 *
3840 * Verifies that importing and using an RSA key pair without specifying parameters
3841 * works correctly.
3842 */
3843TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
3844 uint32_t key_size;
3845 string key;
3846
3847 if (SecLevel() == SecurityLevel::STRONGBOX) {
3848 key_size = 2048;
3849 key = rsa_2048_key;
3850 } else {
3851 key_size = 1024;
3852 key = rsa_key;
3853 }
3854
3855 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3856 .Authorization(TAG_NO_AUTH_REQUIRED)
3857 .SigningKey()
3858 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
3859 .Digest(Digest::SHA_2_256)
3860 .Padding(PaddingMode::RSA_PSS)
3861 .SetDefaultValidity(),
3862 KeyFormat::PKCS8, key));
3863
3864 // Key size and public exponent are determined from the imported key material.
3865 CheckCryptoParam(TAG_KEY_SIZE, key_size);
3866 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3867
3868 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
3869 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3870 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3871 CheckOrigin();
3872
3873 string message(1024 / 8, 'a');
3874 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3875 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3876 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3877}
3878
3879/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3880 * ImportKeyTest.RsaKeySizeMismatch
3881 *
3882 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
3883 * correct way.
3884 */
3885TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
3886 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3887 ImportKey(AuthorizationSetBuilder()
3888 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
3889 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3890 .Padding(PaddingMode::NONE)
3891 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3892 KeyFormat::PKCS8, rsa_key));
3893}
3894
3895/*
3896 * ImportKeyTest.RsaPublicExponentMismatch
3897 *
3898 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
3899 * fails in the correct way.
3900 */
3901TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
3902 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3903 ImportKey(AuthorizationSetBuilder()
3904 .RsaSigningKey(1024, 3 /* Doesn't match key */)
3905 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3906 .Padding(PaddingMode::NONE)
3907 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3908 KeyFormat::PKCS8, rsa_key));
3909}
3910
3911/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]3912 * ImportKeyTest.RsaAttestMultiPurposeFail
3913 *
3914 * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
3915 */
3916TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]3917 if (AidlVersion() < 2) {
3918 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
3919 // with other key purposes. However, this was not checked at the time
3920 // so we can only be strict about checking this for implementations of KeyMint
3921 // version 2 and above.
3922 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
3923 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]3924 uint32_t key_size = 2048;
3925 string key = rsa_2048_key;
3926
3927 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3928 ImportKey(AuthorizationSetBuilder()
3929 .Authorization(TAG_NO_AUTH_REQUIRED)
3930 .RsaSigningKey(key_size, 65537)
3931 .AttestKey()
3932 .Digest(Digest::SHA_2_256)
3933 .Padding(PaddingMode::RSA_PSS)
3934 .SetDefaultValidity(),
3935 KeyFormat::PKCS8, key));
3936}
3937
3938/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3939 * ImportKeyTest.EcdsaSuccess
3940 *
3941 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
3942 */
3943TEST_P(ImportKeyTest, EcdsaSuccess) {
3944 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3945 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3946 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3947 .Digest(Digest::SHA_2_256)
3948 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3949 KeyFormat::PKCS8, ec_256_key));
3950
3951 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3952 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3953 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3954
3955 CheckOrigin();
3956
3957 string message(32, 'a');
3958 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3959 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3960 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3961}
3962
3963/*
3964 * ImportKeyTest.EcdsaP256RFC5915Success
3965 *
3966 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
3967 * correctly.
3968 */
3969TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
3970 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3971 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3972 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3973 .Digest(Digest::SHA_2_256)
3974 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3975 KeyFormat::PKCS8, ec_256_key_rfc5915));
3976
3977 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3978 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3979 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3980
3981 CheckOrigin();
3982
3983 string message(32, 'a');
3984 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3985 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3986 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3987}
3988
3989/*
3990 * ImportKeyTest.EcdsaP256SEC1Success
3991 *
3992 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
3993 */
3994TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
3995 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3996 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3997 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3998 .Digest(Digest::SHA_2_256)
3999 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4000 KeyFormat::PKCS8, ec_256_key_sec1));
4001
4002 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4003 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4004 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4005
4006 CheckOrigin();
4007
4008 string message(32, 'a');
4009 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4010 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4011 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4012}
4013
4014/*
4015 * ImportKeyTest.Ecdsa521Success
4016 *
4017 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
4018 */
4019TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4020 if (SecLevel() == SecurityLevel::STRONGBOX) {
4021 GTEST_SKIP() << "Test not applicable to StrongBox device";
4022 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4023 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4024 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4025 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4026 .Digest(Digest::SHA_2_256)
4027 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4028 KeyFormat::PKCS8, ec_521_key));
4029
4030 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4031 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4032 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
4033 CheckOrigin();
4034
4035 string message(32, 'a');
4036 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4037 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4038 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4039}
4040
4041/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4042 * ImportKeyTest.EcdsaCurveMismatch
4043 *
4044 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
4045 * the correct way.
4046 */
4047TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
4048 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4049 ImportKey(AuthorizationSetBuilder()
4050 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4051 .Digest(Digest::NONE)
4052 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4053 KeyFormat::PKCS8, ec_256_key));
4054}
4055
4056/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4057 * ImportKeyTest.EcdsaAttestMultiPurposeFail
4058 *
4059 * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
4060 */
4061TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4062 if (AidlVersion() < 2) {
4063 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4064 // with other key purposes. However, this was not checked at the time
4065 // so we can only be strict about checking this for implementations of KeyMint
4066 // version 2 and above.
4067 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4068 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4069 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4070 ImportKey(AuthorizationSetBuilder()
4071 .Authorization(TAG_NO_AUTH_REQUIRED)
4072 .EcdsaSigningKey(EcCurve::P_256)
4073 .AttestKey()
4074 .Digest(Digest::SHA_2_256)
4075 .SetDefaultValidity(),
4076 KeyFormat::PKCS8, ec_256_key));
4077}
4078
4079/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]4080 * ImportKeyTest.Ed25519RawSuccess
4081 *
4082 * Verifies that importing and using a raw Ed25519 private key works correctly.
4083 */
4084TEST_P(ImportKeyTest, Ed25519RawSuccess) {
4085 if (!Curve25519Supported()) {
4086 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4087 }
4088
4089 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4090 .Authorization(TAG_NO_AUTH_REQUIRED)
4091 .EcdsaSigningKey(EcCurve::CURVE_25519)
4092 .Digest(Digest::NONE)
4093 .SetDefaultValidity(),
4094 KeyFormat::RAW, ed25519_key));
4095 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4096 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4097 CheckOrigin();
4098
4099 // The returned cert should hold the correct public key.
4100 ASSERT_GT(cert_chain_.size(), 0);
4101 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4102 ASSERT_NE(kmKeyCert, nullptr);
4103 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4104 ASSERT_NE(kmPubKey.get(), nullptr);
4105 size_t kmPubKeySize = 32;
4106 uint8_t kmPubKeyData[32];
4107 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4108 ASSERT_EQ(kmPubKeySize, 32);
4109 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4110
4111 string message(32, 'a');
4112 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4113 string signature = SignMessage(message, params);
4114 LocalVerifyMessage(message, signature, params);
4115}
4116
4117/*
4118 * ImportKeyTest.Ed25519Pkcs8Success
4119 *
4120 * Verifies that importing and using a PKCS#8-encoded Ed25519 private key works correctly.
4121 */
4122TEST_P(ImportKeyTest, Ed25519Pkcs8Success) {
4123 if (!Curve25519Supported()) {
4124 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4125 }
4126
4127 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4128 .Authorization(TAG_NO_AUTH_REQUIRED)
4129 .EcdsaSigningKey(EcCurve::CURVE_25519)
4130 .Digest(Digest::NONE)
4131 .SetDefaultValidity(),
4132 KeyFormat::PKCS8, ed25519_pkcs8_key));
4133 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4134 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4135 CheckOrigin();
4136
4137 // The returned cert should hold the correct public key.
4138 ASSERT_GT(cert_chain_.size(), 0);
4139 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4140 ASSERT_NE(kmKeyCert, nullptr);
4141 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4142 ASSERT_NE(kmPubKey.get(), nullptr);
4143 size_t kmPubKeySize = 32;
4144 uint8_t kmPubKeyData[32];
4145 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4146 ASSERT_EQ(kmPubKeySize, 32);
4147 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4148
4149 string message(32, 'a');
4150 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4151 string signature = SignMessage(message, params);
4152 LocalVerifyMessage(message, signature, params);
4153}
4154
4155/*
4156 * ImportKeyTest.Ed25519CurveMismatch
4157 *
4158 * Verifies that importing an Ed25519 key pair with a curve that doesn't match the key fails in
4159 * the correct way.
4160 */
4161TEST_P(ImportKeyTest, Ed25519CurveMismatch) {
4162 if (!Curve25519Supported()) {
4163 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4164 }
4165
4166 ASSERT_NE(ErrorCode::OK,
4167 ImportKey(AuthorizationSetBuilder()
4168 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
4169 .Digest(Digest::NONE)
4170 .SetDefaultValidity(),
4171 KeyFormat::RAW, ed25519_key));
4172}
4173
4174/*
4175 * ImportKeyTest.Ed25519FormatMismatch
4176 *
4177 * Verifies that importing an Ed25519 key pair with an invalid format fails.
4178 */
4179TEST_P(ImportKeyTest, Ed25519FormatMismatch) {
4180 if (!Curve25519Supported()) {
4181 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4182 }
4183
4184 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4185 .EcdsaSigningKey(EcCurve::CURVE_25519)
4186 .Digest(Digest::NONE)
4187 .SetDefaultValidity(),
4188 KeyFormat::PKCS8, ed25519_key));
4189 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4190 .EcdsaSigningKey(EcCurve::CURVE_25519)
4191 .Digest(Digest::NONE)
4192 .SetDefaultValidity(),
4193 KeyFormat::RAW, ed25519_pkcs8_key));
4194}
4195
4196/*
4197 * ImportKeyTest.Ed25519PurposeMismatch
4198 *
4199 * Verifies that importing an Ed25519 key pair with an invalid purpose fails.
4200 */
4201TEST_P(ImportKeyTest, Ed25519PurposeMismatch) {
4202 if (!Curve25519Supported()) {
4203 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4204 }
4205
4206 // Can't have both SIGN and ATTEST_KEY
4207 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4208 .EcdsaSigningKey(EcCurve::CURVE_25519)
4209 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4210 .Digest(Digest::NONE)
4211 .SetDefaultValidity(),
4212 KeyFormat::RAW, ed25519_key));
4213 // AGREE_KEY is for X25519 (but can only tell the difference if the import key is in
4214 // PKCS#8 format and so includes an OID).
4215 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4216 .EcdsaKey(EcCurve::CURVE_25519)
4217 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4218 .Digest(Digest::NONE)
4219 .SetDefaultValidity(),
4220 KeyFormat::PKCS8, ed25519_pkcs8_key));
4221}
4222
4223/*
4224 * ImportKeyTest.X25519RawSuccess
4225 *
4226 * Verifies that importing and using a raw X25519 private key works correctly.
4227 */
4228TEST_P(ImportKeyTest, X25519RawSuccess) {
4229 if (!Curve25519Supported()) {
4230 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4231 }
4232
4233 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4234 .Authorization(TAG_NO_AUTH_REQUIRED)
4235 .EcdsaKey(EcCurve::CURVE_25519)
4236 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4237 .SetDefaultValidity(),
4238 KeyFormat::RAW, x25519_key));
4239
4240 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4241 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4242 CheckOrigin();
4243}
4244
4245/*
4246 * ImportKeyTest.X25519Pkcs8Success
4247 *
4248 * Verifies that importing and using a PKCS#8-encoded X25519 private key works correctly.
4249 */
4250TEST_P(ImportKeyTest, X25519Pkcs8Success) {
4251 if (!Curve25519Supported()) {
4252 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4253 }
4254
4255 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4256 .Authorization(TAG_NO_AUTH_REQUIRED)
4257 .EcdsaKey(EcCurve::CURVE_25519)
4258 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4259 .SetDefaultValidity(),
4260 KeyFormat::PKCS8, x25519_pkcs8_key));
4261
4262 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4263 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4264 CheckOrigin();
4265}
4266
4267/*
4268 * ImportKeyTest.X25519CurveMismatch
4269 *
4270 * Verifies that importing an X25519 key with a curve that doesn't match the key fails in
4271 * the correct way.
4272 */
4273TEST_P(ImportKeyTest, X25519CurveMismatch) {
4274 if (!Curve25519Supported()) {
4275 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4276 }
4277
4278 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4279 .EcdsaKey(EcCurve::P_224 /* Doesn't match key */)
4280 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4281 .SetDefaultValidity(),
4282 KeyFormat::RAW, x25519_key));
4283}
4284
4285/*
4286 * ImportKeyTest.X25519FormatMismatch
4287 *
4288 * Verifies that importing an X25519 key with an invalid format fails.
4289 */
4290TEST_P(ImportKeyTest, X25519FormatMismatch) {
4291 if (!Curve25519Supported()) {
4292 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4293 }
4294
4295 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4296 .EcdsaKey(EcCurve::CURVE_25519)
4297 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4298 .SetDefaultValidity(),
4299 KeyFormat::PKCS8, x25519_key));
4300 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4301 .EcdsaKey(EcCurve::CURVE_25519)
4302 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4303 .SetDefaultValidity(),
4304 KeyFormat::RAW, x25519_pkcs8_key));
4305}
4306
4307/*
4308 * ImportKeyTest.X25519PurposeMismatch
4309 *
4310 * Verifies that importing an X25519 key pair with an invalid format fails.
4311 */
4312TEST_P(ImportKeyTest, X25519PurposeMismatch) {
4313 if (!Curve25519Supported()) {
4314 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4315 }
4316
4317 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4318 .EcdsaKey(EcCurve::CURVE_25519)
4319 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4320 .SetDefaultValidity(),
4321 KeyFormat::PKCS8, x25519_pkcs8_key));
4322 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4323 .EcdsaSigningKey(EcCurve::CURVE_25519)
4324 .SetDefaultValidity(),
4325 KeyFormat::PKCS8, x25519_pkcs8_key));
4326}
4327
4328/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4329 * ImportKeyTest.AesSuccess
4330 *
4331 * Verifies that importing and using an AES key works.
4332 */
4333TEST_P(ImportKeyTest, AesSuccess) {
4334 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4335 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4336 .Authorization(TAG_NO_AUTH_REQUIRED)
4337 .AesEncryptionKey(key.size() * 8)
4338 .EcbMode()
4339 .Padding(PaddingMode::PKCS7),
4340 KeyFormat::RAW, key));
4341
4342 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
4343 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4344 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4345 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4346 CheckOrigin();
4347
4348 string message = "Hello World!";
4349 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4350 string ciphertext = EncryptMessage(message, params);
4351 string plaintext = DecryptMessage(ciphertext, params);
4352 EXPECT_EQ(message, plaintext);
4353}
4354
4355/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4356 * ImportKeyTest.AesFailure
4357 *
4358 * Verifies that importing an invalid AES key fails.
4359 */
4360TEST_P(ImportKeyTest, AesFailure) {
4361 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4362 uint32_t bitlen = key.size() * 8;
4363 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4364 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4365 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4366 .Authorization(TAG_NO_AUTH_REQUIRED)
4367 .AesEncryptionKey(key_size)
4368 .EcbMode()
4369 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4370 KeyFormat::RAW, key);
4371 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4372 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4373 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4374 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4375
4376 // Explicit key size matches that of the provided key, but it's not a valid size.
4377 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4378 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4379 ImportKey(AuthorizationSetBuilder()
4380 .Authorization(TAG_NO_AUTH_REQUIRED)
4381 .AesEncryptionKey(long_key.size() * 8)
4382 .EcbMode()
4383 .Padding(PaddingMode::PKCS7),
4384 KeyFormat::RAW, long_key));
4385 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4386 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4387 ImportKey(AuthorizationSetBuilder()
4388 .Authorization(TAG_NO_AUTH_REQUIRED)
4389 .AesEncryptionKey(short_key.size() * 8)
4390 .EcbMode()
4391 .Padding(PaddingMode::PKCS7),
4392 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4393}
4394
4395/*
4396 * ImportKeyTest.TripleDesSuccess
4397 *
4398 * Verifies that importing and using a 3DES key works.
4399 */
4400TEST_P(ImportKeyTest, TripleDesSuccess) {
4401 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
4402 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4403 .Authorization(TAG_NO_AUTH_REQUIRED)
4404 .TripleDesEncryptionKey(168)
4405 .EcbMode()
4406 .Padding(PaddingMode::PKCS7),
4407 KeyFormat::RAW, key));
4408
4409 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
4410 CheckCryptoParam(TAG_KEY_SIZE, 168U);
4411 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4412 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4413 CheckOrigin();
4414
4415 string message = "Hello World!";
4416 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4417 string ciphertext = EncryptMessage(message, params);
4418 string plaintext = DecryptMessage(ciphertext, params);
4419 EXPECT_EQ(message, plaintext);
4420}
4421
4422/*
4423 * ImportKeyTest.TripleDesFailure
4424 *
4425 * Verifies that importing an invalid 3DES key fails.
4426 */
4427TEST_P(ImportKeyTest, TripleDesFailure) {
4428 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4429 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4430 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4431 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4432 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4433 .Authorization(TAG_NO_AUTH_REQUIRED)
4434 .TripleDesEncryptionKey(key_size)
4435 .EcbMode()
4436 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4437 KeyFormat::RAW, key);
4438 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4439 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4440 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4441 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4442 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4443 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4444 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4445 ImportKey(AuthorizationSetBuilder()
4446 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4447 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4448 .EcbMode()
4449 .Padding(PaddingMode::PKCS7),
4450 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4451 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4452 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4453 ImportKey(AuthorizationSetBuilder()
4454 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4455 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4456 .EcbMode()
4457 .Padding(PaddingMode::PKCS7),
4458 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4459}
4460
4461/*
4462 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4463 *
4464 * Verifies that importing and using an HMAC key works.
4465 */
4466TEST_P(ImportKeyTest, HmacKeySuccess) {
4467 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4468 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4469 .Authorization(TAG_NO_AUTH_REQUIRED)
4470 .HmacKey(key.size() * 8)
4471 .Digest(Digest::SHA_2_256)
4472 .Authorization(TAG_MIN_MAC_LENGTH, 256),
4473 KeyFormat::RAW, key));
4474
4475 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
4476 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4477 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4478 CheckOrigin();
4479
4480 string message = "Hello World!";
4481 string signature = MacMessage(message, Digest::SHA_2_256, 256);
4482 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
4483}
4484
Subrahmanyaman812a9d12022-05-04 02:11:04 +0000[diff] [blame^]4485/*
4486 * ImportKeyTest.GetKeyCharacteristics
4487 *
4488 * Verifies that imported keys have the correct characteristics.
4489 */
4490TEST_P(ImportKeyTest, GetKeyCharacteristics) {
4491 vector<uint8_t> key_blob;
4492 vector<KeyCharacteristics> key_characteristics;
4493 auto base_builder = AuthorizationSetBuilder()
4494 .Padding(PaddingMode::NONE)
4495 .Authorization(TAG_NO_AUTH_REQUIRED)
4496 .SetDefaultValidity();
4497 vector<Algorithm> algorithms = {Algorithm::RSA, Algorithm::EC, Algorithm::HMAC, Algorithm::AES,
4498 Algorithm::TRIPLE_DES};
4499 ErrorCode result;
4500 string symKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98"); // 128 bits
4501 string tdesKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358"); // 192 bits
4502 for (auto alg : algorithms) {
4503 SCOPED_TRACE(testing::Message() << "Algorithm-" << alg);
4504 AuthorizationSetBuilder builder(base_builder);
4505 switch (alg) {
4506 case Algorithm::RSA:
4507 builder.RsaSigningKey(2048, 65537).Digest(Digest::NONE);
4508
4509 result = ImportKey(builder, KeyFormat::PKCS8, rsa_2048_key, &key_blob,
4510 &key_characteristics);
4511 break;
4512 case Algorithm::EC:
4513 builder.EcdsaSigningKey(EcCurve::P_256).Digest(Digest::NONE);
4514 result = ImportKey(builder, KeyFormat::PKCS8, ec_256_key, &key_blob,
4515 &key_characteristics);
4516 break;
4517 case Algorithm::HMAC:
4518 builder.HmacKey(128)
4519 .Digest(Digest::SHA_2_256)
4520 .Authorization(TAG_MIN_MAC_LENGTH, 128);
4521 result =
4522 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4523 break;
4524 case Algorithm::AES:
4525 builder.AesEncryptionKey(128).BlockMode(BlockMode::ECB);
4526 result =
4527 ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
4528 break;
4529 case Algorithm::TRIPLE_DES:
4530 builder.TripleDesEncryptionKey(168).BlockMode(BlockMode::ECB);
4531 result = ImportKey(builder, KeyFormat::RAW, tdesKey, &key_blob,
4532 &key_characteristics);
4533 break;
4534 default:
4535 ADD_FAILURE() << "Invalid Algorithm " << uint32_t(alg);
4536 continue;
4537 }
4538 ASSERT_EQ(ErrorCode::OK, result);
4539 CheckCharacteristics(key_blob, key_characteristics);
4540 CheckCommonParams(key_characteristics, KeyOrigin::IMPORTED);
4541 }
4542}
4543
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4544INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
4545
4546auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4547 // IKeyMintDevice.aidl
4548 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4549 "020100" // INTEGER length 1 value 0x00 (version)
4550 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4551 "934bf94e2aa28a3f83c9f79297250262"
4552 "fbe3276b5a1c91159bbfa3ef8957aac8"
4553 "4b59b30b455a79c2973480823d8b3863"
4554 "c3deef4a8e243590268d80e18751a0e1"
4555 "30f67ce6a1ace9f79b95e097474febc9"
4556 "81195b1d13a69086c0863f66a7b7fdb4"
4557 "8792227b1ac5e2489febdf087ab54864"
4558 "83033a6f001ca5d1ec1e27f5c30f4cec"
4559 "2642074a39ae68aee552e196627a8e3d"
4560 "867e67a8c01b11e75f13cca0a97ab668"
4561 "b50cda07a8ecb7cd8e3dd7009c963653"
4562 "4f6f239cffe1fc8daa466f78b676c711"
4563 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
4564 "99b801597d5220e307eaa5bee507fb94"
4565 "d1fa69f9e519b2de315bac92c36f2ea1"
4566 "fa1df4478c0ddedeae8c70e0233cd098"
4567 "040c" // OCTET STRING length 0x0c (initializationVector)
4568 "d796b02c370f1fa4cc0124f1"
4569 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4570 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4571 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4572 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4573 "3106" // SET length 0x06
4574 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4575 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4576 // } end SET
4577 // } end [1]
4578 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4579 "020120" // INTEGER length 1 value 0x20 (AES)
4580 // } end [2]
4581 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4582 "02020100" // INTEGER length 2 value 0x100
4583 // } end [3]
4584 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
4585 "3103" // SET length 0x03 {
4586 "020101" // INTEGER length 1 value 0x01 (ECB)
4587 // } end SET
4588 // } end [4]
4589 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4590 "3103" // SET length 0x03 {
4591 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4592 // } end SET
4593 // } end [5]
4594 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4595 // (noAuthRequired)
4596 "0500" // NULL
4597 // } end [503]
4598 // } end SEQUENCE (AuthorizationList)
4599 // } end SEQUENCE (KeyDescription)
4600 "0420" // OCTET STRING length 0x20 (encryptedKey)
4601 "ccd540855f833a5e1480bfd2d36faf3a"
4602 "eee15df5beabe2691bc82dde2a7aa910"
4603 "0410" // OCTET STRING length 0x10 (tag)
4604 "64c9f689c60ff6223ab6e6999e0eb6e5"
4605 // } SEQUENCE (SecureKeyWrapper)
4606);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4607
4608auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4609 // IKeyMintDevice.aidl
4610 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4611 "020100" // INTEGER length 1 value 0x00 (version)
4612 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4613 "aad93ed5924f283b4bb5526fbe7a1412"
4614 "f9d9749ec30db9062b29e574a8546f33"
4615 "c88732452f5b8e6a391ee76c39ed1712"
4616 "c61d8df6213dec1cffbc17a8c6d04c7b"
4617 "30893d8daa9b2015213e219468215532"
4618 "07f8f9931c4caba23ed3bee28b36947e"
4619 "47f10e0a5c3dc51c988a628daad3e5e1"
4620 "f4005e79c2d5a96c284b4b8d7e4948f3"
4621 "31e5b85dd5a236f85579f3ea1d1b8484"
4622 "87470bdb0ab4f81a12bee42c99fe0df4"
4623 "bee3759453e69ad1d68a809ce06b949f"
4624 "7694a990429b2fe81e066ff43e56a216"
4625 "02db70757922a4bcc23ab89f1e35da77"
4626 "586775f423e519c2ea394caf48a28d0c"
4627 "8020f1dcf6b3a68ec246f615ae96dae9"
4628 "a079b1f6eb959033c1af5c125fd94168"
4629 "040c" // OCTET STRING length 0x0c (initializationVector)
4630 "6d9721d08589581ab49204a3"
4631 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4632 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4633 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4634 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4635 "3106" // SET length 0x06
4636 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4637 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4638 // } end SET
4639 // } end [1]
4640 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4641 "020120" // INTEGER length 1 value 0x20 (AES)
4642 // } end [2]
4643 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4644 "02020100" // INTEGER length 2 value 0x100
4645 // } end [3]
4646 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
4647 "3103" // SET length 0x03 {
4648 "020101" // INTEGER length 1 value 0x01 (ECB)
4649 // } end SET
4650 // } end [4]
4651 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4652 "3103" // SET length 0x03 {
4653 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4654 // } end SET
4655 // } end [5]
4656 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4657 // (noAuthRequired)
4658 "0500" // NULL
4659 // } end [503]
4660 // } end SEQUENCE (AuthorizationList)
4661 // } end SEQUENCE (KeyDescription)
4662 "0420" // OCTET STRING length 0x20 (encryptedKey)
4663 "a61c6e247e25b3e6e69aa78eb03c2d4a"
4664 "c20d1f99a9a024a76f35c8e2cab9b68d"
4665 "0410" // OCTET STRING length 0x10 (tag)
4666 "2560c70109ae67c030f00b98b512a670"
4667 // } SEQUENCE (SecureKeyWrapper)
4668);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4669
4670auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4671 // RFC 5208 s5
4672 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
4673 "020100" // INTEGER length 1 value 0x00 (version)
4674 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
4675 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
4676 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
4677 "0500" // NULL (parameters)
4678 // } SEQUENCE (AlgorithmIdentifier)
4679 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
4680 // RFC 8017 A.1.2
4681 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
4682 "020100" // INTEGER length 1 value 0x00 (version)
4683 "02820101" // INTEGER length 0x0101 (modulus) value...
4684 "00aec367931d8900ce56b0067f7d70e1" // 0x10
4685 "fc653f3f34d194c1fed50018fb43db93" // 0x20
4686 "7b06e673a837313d56b1c725150a3fef" // 0x30
4687 "86acbddc41bb759c2854eae32d35841e" // 0x40
4688 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
4689 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
4690 "312d7bd5921ffaea1347c157406fef71" // 0x70
4691 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
4692 "f4645c11f5c1374c3886427411c44979" // 0x90
4693 "6792e0bef75dec858a2123c36753e02a" // 0xa0
4694 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
4695 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
4696 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
4697 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
4698 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
4699 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
4700 "55" // 0x101
4701 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
4702 "02820100" // INTEGER length 0x100 (privateExponent) value...
4703 "431447b6251908112b1ee76f99f3711a" // 0x10
4704 "52b6630960046c2de70de188d833f8b8" // 0x20
4705 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
4706 "641f7fe24f14c67a88959bdb27766df9" // 0x40
4707 "e710b630a03adc683b5d2c43080e52be" // 0x50
4708 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
4709 "822bccff087d63c940ba8a45f670feb2" // 0x70
4710 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
4711 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
4712 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
4713 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
4714 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
4715 "52659d5a5ba05b663737a8696281865b" // 0xd0
4716 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
4717 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
4718 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
4719 "028181" // INTEGER length 0x81 (prime1) value...
4720 "00de392e18d682c829266cc3454e1d61" // 0x10
4721 "66242f32d9a1d10577753e904ea7d08b" // 0x20
4722 "ff841be5bac82a164c5970007047b8c5" // 0x30
4723 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
4724 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
4725 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
4726 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
4727 "9e91346130748a6e3c124f9149d71c74" // 0x80
4728 "35"
4729 "028181" // INTEGER length 0x81 (prime2) value...
4730 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
4731 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
4732 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
4733 "7349db6c4a95affdae0dae612e1afac9" // 0x40
4734 "9ed39a2d934c880440aed8832f984316" // 0x50
4735 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
4736 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
4737 "b880677c068e1be936e81288815252a8" // 0x80
4738 "a1"
4739 "028180" // INTEGER length 0x80 (exponent1) value...
4740 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
4741 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
4742 "5a063212a4f105a3764743e53281988a" // 0x30
4743 "ba073f6e0027298e1c4378556e0efca0" // 0x40
4744 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
4745 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
4746 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
4747 "4719d6e2b9439823719cd08bcd031781" // 0x80
4748 "028181" // INTEGER length 0x81 (exponent2) value...
4749 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
4750 "1241acc607976c4ddccc90e65b6556ca" // 0x20
4751 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
4752 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
4753 "1254186af30b22c10582a8a43e34fe94" // 0x50
4754 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
4755 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
4756 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
4757 "61"
4758 "028181" // INTEGER length 0x81 (coefficient) value...
4759 "00c931617c77829dfb1270502be9195c" // 0x10
4760 "8f2830885f57dba869536811e6864236" // 0x20
4761 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
4762 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
4763 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
4764 "959356210723287b0affcc9f727044d4" // 0x60
4765 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
4766 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
4767 "22"
4768 // } SEQUENCE
4769 // } SEQUENCE ()
4770);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4771
4772string zero_masking_key =
4773 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
4774string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
4775
4776class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
4777
4778TEST_P(ImportWrappedKeyTest, Success) {
4779 auto wrapping_key_desc = AuthorizationSetBuilder()
4780 .RsaEncryptionKey(2048, 65537)
4781 .Digest(Digest::SHA_2_256)
4782 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4783 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4784 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4785
4786 ASSERT_EQ(ErrorCode::OK,
4787 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4788 AuthorizationSetBuilder()
4789 .Digest(Digest::SHA_2_256)
4790 .Padding(PaddingMode::RSA_OAEP)));
4791
4792 string message = "Hello World!";
4793 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4794 string ciphertext = EncryptMessage(message, params);
4795 string plaintext = DecryptMessage(ciphertext, params);
4796 EXPECT_EQ(message, plaintext);
4797}
4798
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4799/*
4800 * ImportWrappedKeyTest.SuccessSidsIgnored
4801 *
4802 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
4803 * include Tag:USER_SECURE_ID.
4804 */
4805TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
4806 auto wrapping_key_desc = AuthorizationSetBuilder()
4807 .RsaEncryptionKey(2048, 65537)
4808 .Digest(Digest::SHA_2_256)
4809 .Padding(PaddingMode::RSA_OAEP)
4810 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4811 .SetDefaultValidity();
4812
4813 int64_t password_sid = 42;
4814 int64_t biometric_sid = 24;
4815 ASSERT_EQ(ErrorCode::OK,
4816 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4817 AuthorizationSetBuilder()
4818 .Digest(Digest::SHA_2_256)
4819 .Padding(PaddingMode::RSA_OAEP),
4820 password_sid, biometric_sid));
4821
4822 string message = "Hello World!";
4823 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4824 string ciphertext = EncryptMessage(message, params);
4825 string plaintext = DecryptMessage(ciphertext, params);
4826 EXPECT_EQ(message, plaintext);
4827}
4828
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4829TEST_P(ImportWrappedKeyTest, SuccessMasked) {
4830 auto wrapping_key_desc = AuthorizationSetBuilder()
4831 .RsaEncryptionKey(2048, 65537)
4832 .Digest(Digest::SHA_2_256)
4833 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4834 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4835 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4836
4837 ASSERT_EQ(ErrorCode::OK,
4838 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
4839 AuthorizationSetBuilder()
4840 .Digest(Digest::SHA_2_256)
4841 .Padding(PaddingMode::RSA_OAEP)));
4842}
4843
4844TEST_P(ImportWrappedKeyTest, WrongMask) {
4845 auto wrapping_key_desc = AuthorizationSetBuilder()
4846 .RsaEncryptionKey(2048, 65537)
4847 .Digest(Digest::SHA_2_256)
4848 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4849 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4850 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4851
4852 ASSERT_EQ(
4853 ErrorCode::VERIFICATION_FAILED,
4854 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
4855 AuthorizationSetBuilder()
4856 .Digest(Digest::SHA_2_256)
4857 .Padding(PaddingMode::RSA_OAEP)));
4858}
4859
4860TEST_P(ImportWrappedKeyTest, WrongPurpose) {
4861 auto wrapping_key_desc = AuthorizationSetBuilder()
4862 .RsaEncryptionKey(2048, 65537)
4863 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4864 .Padding(PaddingMode::RSA_OAEP)
4865 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4866
4867 ASSERT_EQ(
4868 ErrorCode::INCOMPATIBLE_PURPOSE,
4869 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
4870 AuthorizationSetBuilder()
4871 .Digest(Digest::SHA_2_256)
4872 .Padding(PaddingMode::RSA_OAEP)));
4873}
4874
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4875TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
4876 auto wrapping_key_desc = AuthorizationSetBuilder()
4877 .RsaEncryptionKey(2048, 65537)
4878 .Digest(Digest::SHA_2_256)
4879 .Padding(PaddingMode::RSA_PSS)
4880 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4881 .SetDefaultValidity();
4882
4883 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
4884 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4885 AuthorizationSetBuilder()
4886 .Digest(Digest::SHA_2_256)
4887 .Padding(PaddingMode::RSA_OAEP)));
4888}
4889
4890TEST_P(ImportWrappedKeyTest, WrongDigest) {
4891 auto wrapping_key_desc = AuthorizationSetBuilder()
4892 .RsaEncryptionKey(2048, 65537)
4893 .Digest(Digest::SHA_2_512)
4894 .Padding(PaddingMode::RSA_OAEP)
4895 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4896 .SetDefaultValidity();
4897
4898 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
4899 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4900 AuthorizationSetBuilder()
4901 .Digest(Digest::SHA_2_256)
4902 .Padding(PaddingMode::RSA_OAEP)));
4903}
4904
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4905INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
4906
4907typedef KeyMintAidlTestBase EncryptionOperationsTest;
4908
4909/*
4910 * EncryptionOperationsTest.RsaNoPaddingSuccess
4911 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4912 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4913 */
4914TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]4915 for (uint64_t exponent : ValidExponents()) {
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4916 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4917 .Authorization(TAG_NO_AUTH_REQUIRED)
4918 .RsaEncryptionKey(2048, exponent)
4919 .Padding(PaddingMode::NONE)
4920 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4921
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4922 string message = string(2048 / 8, 'a');
4923 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4924 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4925 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4926
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4927 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4928 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4929
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4930 // Unpadded RSA is deterministic
4931 EXPECT_EQ(ciphertext1, ciphertext2);
4932
4933 CheckedDeleteKey();
4934 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4935}
4936
4937/*
4938 * EncryptionOperationsTest.RsaNoPaddingShortMessage
4939 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4940 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4941 */
4942TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
4943 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4944 .Authorization(TAG_NO_AUTH_REQUIRED)
4945 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4946 .Padding(PaddingMode::NONE)
4947 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4948
4949 string message = "1";
4950 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
4951
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4952 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4953 EXPECT_EQ(2048U / 8, ciphertext.size());
4954
4955 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
4956 string plaintext = DecryptMessage(ciphertext, params);
4957
4958 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4959}
4960
4961/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4962 * EncryptionOperationsTest.RsaOaepSuccess
4963 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4964 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4965 */
4966TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
4967 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
4968
4969 size_t key_size = 2048; // Need largish key for SHA-512 test.
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4970 ASSERT_EQ(ErrorCode::OK,
4971 GenerateKey(AuthorizationSetBuilder()
4972 .Authorization(TAG_NO_AUTH_REQUIRED)
4973 .RsaEncryptionKey(key_size, 65537)
4974 .Padding(PaddingMode::RSA_OAEP)
4975 .Digest(digests)
4976 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1)
4977 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4978
4979 string message = "Hello";
4980
4981 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4982 SCOPED_TRACE(testing::Message() << "digest-" << digest);
4983
4984 auto params = AuthorizationSetBuilder()
4985 .Digest(digest)
4986 .Padding(PaddingMode::RSA_OAEP)
4987 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
4988 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4989 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4990 EXPECT_EQ(key_size / 8, ciphertext1.size());
4991
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4992 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4993 EXPECT_EQ(key_size / 8, ciphertext2.size());
4994
4995 // OAEP randomizes padding so every result should be different (with astronomically high
4996 // probability).
4997 EXPECT_NE(ciphertext1, ciphertext2);
4998
4999 string plaintext1 = DecryptMessage(ciphertext1, params);
5000 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5001 string plaintext2 = DecryptMessage(ciphertext2, params);
5002 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5003
5004 // Decrypting corrupted ciphertext should fail.
5005 size_t offset_to_corrupt = random() % ciphertext1.size();
5006 char corrupt_byte;
5007 do {
5008 corrupt_byte = static_cast<char>(random() % 256);
5009 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5010 ciphertext1[offset_to_corrupt] = corrupt_byte;
5011
5012 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5013 string result;
5014 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5015 EXPECT_EQ(0U, result.size());
5016 }
5017}
5018
5019/*
5020 * EncryptionOperationsTest.RsaOaepInvalidDigest
5021 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5022 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5023 * without a digest.
5024 */
5025TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
5026 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5027 .Authorization(TAG_NO_AUTH_REQUIRED)
5028 .RsaEncryptionKey(2048, 65537)
5029 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5030 .Digest(Digest::NONE)
5031 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5032
5033 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5034 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5035}
5036
5037/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5038 * EncryptionOperationsTest.RsaOaepInvalidPadding
5039 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5040 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5041 * with a padding value that is only suitable for signing/verifying.
5042 */
5043TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
5044 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5045 .Authorization(TAG_NO_AUTH_REQUIRED)
5046 .RsaEncryptionKey(2048, 65537)
5047 .Padding(PaddingMode::RSA_PSS)
5048 .Digest(Digest::NONE)
5049 .SetDefaultValidity()));
5050
5051 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5052 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5053}
5054
5055/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5056 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5057 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5058 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5059 * with a different digest than was used to encrypt.
5060 */
5061TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5062 if (SecLevel() == SecurityLevel::STRONGBOX) {
5063 GTEST_SKIP() << "Test not applicable to StrongBox device";
5064 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5065
5066 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5067 .Authorization(TAG_NO_AUTH_REQUIRED)
5068 .RsaEncryptionKey(1024, 65537)
5069 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5070 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
5071 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5072 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5073 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5074 message,
5075 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
5076
5077 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5078 .Digest(Digest::SHA_2_256)
5079 .Padding(PaddingMode::RSA_OAEP)));
5080 string result;
5081 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5082 EXPECT_EQ(0U, result.size());
5083}
5084
5085/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5086 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
5087 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5088 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5089 * digests.
5090 */
5091TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
5092 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5093
5094 size_t key_size = 2048; // Need largish key for SHA-512 test.
5095 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5096 .OaepMGFDigest(digests)
5097 .Authorization(TAG_NO_AUTH_REQUIRED)
5098 .RsaEncryptionKey(key_size, 65537)
5099 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5100 .Digest(Digest::SHA_2_256)
5101 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5102
5103 string message = "Hello";
5104
5105 for (auto digest : digests) {
5106 auto params = AuthorizationSetBuilder()
5107 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
5108 .Digest(Digest::SHA_2_256)
5109 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5110 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5111 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5112 EXPECT_EQ(key_size / 8, ciphertext1.size());
5113
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5114 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5115 EXPECT_EQ(key_size / 8, ciphertext2.size());
5116
5117 // OAEP randomizes padding so every result should be different (with astronomically high
5118 // probability).
5119 EXPECT_NE(ciphertext1, ciphertext2);
5120
5121 string plaintext1 = DecryptMessage(ciphertext1, params);
5122 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5123 string plaintext2 = DecryptMessage(ciphertext2, params);
5124 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5125
5126 // Decrypting corrupted ciphertext should fail.
5127 size_t offset_to_corrupt = random() % ciphertext1.size();
5128 char corrupt_byte;
5129 do {
5130 corrupt_byte = static_cast<char>(random() % 256);
5131 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5132 ciphertext1[offset_to_corrupt] = corrupt_byte;
5133
5134 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5135 string result;
5136 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5137 EXPECT_EQ(0U, result.size());
5138 }
5139}
5140
5141/*
5142 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
5143 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5144 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5145 * with incompatible MGF digest.
5146 */
5147TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
5148 ASSERT_EQ(ErrorCode::OK,
5149 GenerateKey(AuthorizationSetBuilder()
5150 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5151 .Authorization(TAG_NO_AUTH_REQUIRED)
5152 .RsaEncryptionKey(2048, 65537)
5153 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5154 .Digest(Digest::SHA_2_256)
5155 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5156 string message = "Hello World!";
5157
5158 auto params = AuthorizationSetBuilder()
5159 .Padding(PaddingMode::RSA_OAEP)
5160 .Digest(Digest::SHA_2_256)
5161 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5162 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5163}
5164
5165/*
5166 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
5167 *
5168 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
5169 * with unsupported MGF digest.
5170 */
5171TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
5172 ASSERT_EQ(ErrorCode::OK,
5173 GenerateKey(AuthorizationSetBuilder()
5174 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5175 .Authorization(TAG_NO_AUTH_REQUIRED)
5176 .RsaEncryptionKey(2048, 65537)
5177 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5178 .Digest(Digest::SHA_2_256)
5179 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5180 string message = "Hello World!";
5181
5182 auto params = AuthorizationSetBuilder()
5183 .Padding(PaddingMode::RSA_OAEP)
5184 .Digest(Digest::SHA_2_256)
5185 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5186 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5187}
5188
5189/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5190 * EncryptionOperationsTest.RsaPkcs1Success
5191 *
5192 * Verifies that RSA PKCS encryption/decrypts works.
5193 */
5194TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
5195 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5196 .Authorization(TAG_NO_AUTH_REQUIRED)
5197 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5198 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
5199 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5200
5201 string message = "Hello World!";
5202 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5203 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5204 EXPECT_EQ(2048U / 8, ciphertext1.size());
5205
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5206 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5207 EXPECT_EQ(2048U / 8, ciphertext2.size());
5208
5209 // PKCS1 v1.5 randomizes padding so every result should be different.
5210 EXPECT_NE(ciphertext1, ciphertext2);
5211
5212 string plaintext = DecryptMessage(ciphertext1, params);
5213 EXPECT_EQ(message, plaintext);
5214
5215 // Decrypting corrupted ciphertext should fail.
5216 size_t offset_to_corrupt = random() % ciphertext1.size();
5217 char corrupt_byte;
5218 do {
5219 corrupt_byte = static_cast<char>(random() % 256);
5220 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5221 ciphertext1[offset_to_corrupt] = corrupt_byte;
5222
5223 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5224 string result;
5225 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5226 EXPECT_EQ(0U, result.size());
5227}
5228
5229/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5230 * EncryptionOperationsTest.EcdsaEncrypt
5231 *
5232 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
5233 */
5234TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
5235 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5236 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]5237 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5238 .Digest(Digest::NONE)
5239 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5240 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
5241 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5242 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5243}
5244
5245/*
5246 * EncryptionOperationsTest.HmacEncrypt
5247 *
5248 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
5249 */
5250TEST_P(EncryptionOperationsTest, HmacEncrypt) {
5251 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5252 .Authorization(TAG_NO_AUTH_REQUIRED)
5253 .HmacKey(128)
5254 .Digest(Digest::SHA_2_256)
5255 .Padding(PaddingMode::NONE)
5256 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5257 auto params = AuthorizationSetBuilder()
5258 .Digest(Digest::SHA_2_256)
5259 .Padding(PaddingMode::NONE)
5260 .Authorization(TAG_MAC_LENGTH, 128);
5261 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5262 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5263}
5264
5265/*
5266 * EncryptionOperationsTest.AesEcbRoundTripSuccess
5267 *
5268 * Verifies that AES ECB mode works.
5269 */
5270TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
5271 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5272 .Authorization(TAG_NO_AUTH_REQUIRED)
5273 .AesEncryptionKey(128)
5274 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5275 .Padding(PaddingMode::NONE)));
5276
5277 ASSERT_GT(key_blob_.size(), 0U);
5278 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5279
5280 // Two-block message.
5281 string message = "12345678901234567890123456789012";
5282 string ciphertext1 = EncryptMessage(message, params);
5283 EXPECT_EQ(message.size(), ciphertext1.size());
5284
5285 string ciphertext2 = EncryptMessage(string(message), params);
5286 EXPECT_EQ(message.size(), ciphertext2.size());
5287
5288 // ECB is deterministic.
5289 EXPECT_EQ(ciphertext1, ciphertext2);
5290
5291 string plaintext = DecryptMessage(ciphertext1, params);
5292 EXPECT_EQ(message, plaintext);
5293}
5294
5295/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5296 * EncryptionOperationsTest.AesEcbUnknownTag
5297 *
5298 * Verifies that AES ECB operations ignore unknown tags.
5299 */
5300TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
5301 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
5302 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
5303 KeyParameter unknown_param;
5304 unknown_param.tag = unknown_tag;
5305
5306 vector<KeyCharacteristics> key_characteristics;
5307 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5308 .Authorization(TAG_NO_AUTH_REQUIRED)
5309 .AesEncryptionKey(128)
5310 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5311 .Padding(PaddingMode::NONE)
5312 .Authorization(unknown_param),
5313 &key_blob_, &key_characteristics));
5314 ASSERT_GT(key_blob_.size(), 0U);
5315
5316 // Unknown tags should not be returned in key characteristics.
5317 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
5318 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
5319 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
5320 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
5321
5322 // Encrypt without mentioning the unknown parameter.
5323 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5324 string message = "12345678901234567890123456789012";
5325 string ciphertext = EncryptMessage(message, params);
5326 EXPECT_EQ(message.size(), ciphertext.size());
5327
5328 // Decrypt including the unknown parameter.
5329 auto decrypt_params = AuthorizationSetBuilder()
5330 .BlockMode(BlockMode::ECB)
5331 .Padding(PaddingMode::NONE)
5332 .Authorization(unknown_param);
5333 string plaintext = DecryptMessage(ciphertext, decrypt_params);
5334 EXPECT_EQ(message, plaintext);
5335}
5336
5337/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5338 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5339 *
5340 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
5341 */
5342TEST_P(EncryptionOperationsTest, AesWrongMode) {
5343 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5344 .Authorization(TAG_NO_AUTH_REQUIRED)
5345 .AesEncryptionKey(128)
5346 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5347 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5348 ASSERT_GT(key_blob_.size(), 0U);
5349
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5350 EXPECT_EQ(
5351 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
5352 Begin(KeyPurpose::ENCRYPT,
5353 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
5354}
5355
5356/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5357 * EncryptionOperationsTest.AesWrongPadding
5358 *
5359 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
5360 */
5361TEST_P(EncryptionOperationsTest, AesWrongPadding) {
5362 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5363 .Authorization(TAG_NO_AUTH_REQUIRED)
5364 .AesEncryptionKey(128)
5365 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5366 .Padding(PaddingMode::NONE)));
5367 ASSERT_GT(key_blob_.size(), 0U);
5368
5369 EXPECT_EQ(
5370 ErrorCode::INCOMPATIBLE_PADDING_MODE,
5371 Begin(KeyPurpose::ENCRYPT,
5372 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
5373}
5374
5375/*
5376 * EncryptionOperationsTest.AesInvalidParams
5377 *
5378 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
5379 */
5380TEST_P(EncryptionOperationsTest, AesInvalidParams) {
5381 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5382 .Authorization(TAG_NO_AUTH_REQUIRED)
5383 .AesEncryptionKey(128)
5384 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5385 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5386 .Padding(PaddingMode::NONE)
5387 .Padding(PaddingMode::PKCS7)));
5388 ASSERT_GT(key_blob_.size(), 0U);
5389
5390 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5391 .BlockMode(BlockMode::CBC)
5392 .BlockMode(BlockMode::ECB)
5393 .Padding(PaddingMode::NONE));
5394 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
5395 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
5396
5397 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5398 .BlockMode(BlockMode::ECB)
5399 .Padding(PaddingMode::NONE)
5400 .Padding(PaddingMode::PKCS7));
5401 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
5402 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
5403}
5404
5405/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5406 * EncryptionOperationsTest.AesWrongPurpose
5407 *
5408 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
5409 * specified.
5410 */
5411TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
5412 auto err = GenerateKey(AuthorizationSetBuilder()
5413 .Authorization(TAG_NO_AUTH_REQUIRED)
5414 .AesKey(128)
5415 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
5416 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5417 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5418 .Padding(PaddingMode::NONE));
5419 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
5420 ASSERT_GT(key_blob_.size(), 0U);
5421
5422 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5423 .BlockMode(BlockMode::GCM)
5424 .Padding(PaddingMode::NONE)
5425 .Authorization(TAG_MAC_LENGTH, 128));
5426 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5427
5428 CheckedDeleteKey();
5429
5430 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5431 .Authorization(TAG_NO_AUTH_REQUIRED)
5432 .AesKey(128)
5433 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
5434 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5435 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5436 .Padding(PaddingMode::NONE)));
5437
5438 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5439 .BlockMode(BlockMode::GCM)
5440 .Padding(PaddingMode::NONE)
5441 .Authorization(TAG_MAC_LENGTH, 128));
5442 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5443}
5444
5445/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5446 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5447 *
5448 * Verifies that AES encryption fails in the correct way when provided an input that is not a
5449 * multiple of the block size and no padding is specified.
5450 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5451TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
5452 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
5453 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5454 .Authorization(TAG_NO_AUTH_REQUIRED)
5455 .AesEncryptionKey(128)
5456 .Authorization(TAG_BLOCK_MODE, blockMode)
5457 .Padding(PaddingMode::NONE)));
5458 // Message is slightly shorter than two blocks.
5459 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5460
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5461 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5462 AuthorizationSet out_params;
5463 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5464 string ciphertext;
5465 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
5466 EXPECT_EQ(0U, ciphertext.size());
5467
5468 CheckedDeleteKey();
5469 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5470}
5471
5472/*
5473 * EncryptionOperationsTest.AesEcbPkcs7Padding
5474 *
5475 * Verifies that AES PKCS7 padding works for any message length.
5476 */
5477TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
5478 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5479 .Authorization(TAG_NO_AUTH_REQUIRED)
5480 .AesEncryptionKey(128)
5481 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5482 .Padding(PaddingMode::PKCS7)));
5483
5484 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5485
5486 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5487 for (size_t i = 0; i <= 48; i++) {
5488 SCOPED_TRACE(testing::Message() << "i = " << i);
5489 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character.
5490 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5491 string ciphertext = EncryptMessage(message, params);
5492 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
5493 string plaintext = DecryptMessage(ciphertext, params);
5494 EXPECT_EQ(message, plaintext);
5495 }
5496}
5497
5498/*
5499 * EncryptionOperationsTest.AesEcbWrongPadding
5500 *
5501 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
5502 * specified.
5503 */
5504TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
5505 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5506 .Authorization(TAG_NO_AUTH_REQUIRED)
5507 .AesEncryptionKey(128)
5508 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5509 .Padding(PaddingMode::NONE)));
5510
5511 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5512
5513 // Try various message lengths; all should fail
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5514 for (size_t i = 0; i <= 48; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5515 string message(i, 'a');
5516 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5517 }
5518}
5519
5520/*
5521 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
5522 *
5523 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5524 */
5525TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
5526 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5527 .Authorization(TAG_NO_AUTH_REQUIRED)
5528 .AesEncryptionKey(128)
5529 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5530 .Padding(PaddingMode::PKCS7)));
5531
5532 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5533
5534 string message = "a";
5535 string ciphertext = EncryptMessage(message, params);
5536 EXPECT_EQ(16U, ciphertext.size());
5537 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5538
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5539 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5540 ++ciphertext[ciphertext.size() / 2];
5541
5542 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5543 string plaintext;
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5544 ErrorCode error = Finish(ciphertext, &plaintext);
5545 if (error == ErrorCode::INVALID_ARGUMENT) {
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5546 // This is the expected error, we can exit the test now.
5547 return;
5548 } else {
5549 // Very small chance we got valid decryption, so try again.
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5550 ASSERT_EQ(error, ErrorCode::OK)
5551 << "Expected INVALID_ARGUMENT or (rarely) OK, got " << error;
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5552 }
5553 }
5554 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5555}
5556
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame]5557/*
5558 * EncryptionOperationsTest.AesEcbPkcs7CiphertextTooShort
5559 *
5560 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5561 */
5562TEST_P(EncryptionOperationsTest, AesEcbPkcs7CiphertextTooShort) {
5563 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5564 .Authorization(TAG_NO_AUTH_REQUIRED)
5565 .AesEncryptionKey(128)
5566 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5567 .Padding(PaddingMode::PKCS7)));
5568
5569 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5570
5571 string message = "a";
5572 string ciphertext = EncryptMessage(message, params);
5573 EXPECT_EQ(16U, ciphertext.size());
5574 EXPECT_NE(ciphertext, message);
5575
5576 // Shorten the ciphertext.
5577 ciphertext.resize(ciphertext.size() - 1);
5578 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5579 string plaintext;
5580 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(ciphertext, &plaintext));
5581}
5582
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5583vector<uint8_t> CopyIv(const AuthorizationSet& set) {
5584 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5585 EXPECT_TRUE(iv);
5586 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5587}
5588
5589/*
5590 * EncryptionOperationsTest.AesCtrRoundTripSuccess
5591 *
5592 * Verifies that AES CTR mode works.
5593 */
5594TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
5595 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5596 .Authorization(TAG_NO_AUTH_REQUIRED)
5597 .AesEncryptionKey(128)
5598 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5599 .Padding(PaddingMode::NONE)));
5600
5601 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5602
5603 string message = "123";
5604 AuthorizationSet out_params;
5605 string ciphertext1 = EncryptMessage(message, params, &out_params);
5606 vector<uint8_t> iv1 = CopyIv(out_params);
5607 EXPECT_EQ(16U, iv1.size());
5608
5609 EXPECT_EQ(message.size(), ciphertext1.size());
5610
5611 out_params.Clear();
5612 string ciphertext2 = EncryptMessage(message, params, &out_params);
5613 vector<uint8_t> iv2 = CopyIv(out_params);
5614 EXPECT_EQ(16U, iv2.size());
5615
5616 // IVs should be random, so ciphertexts should differ.
5617 EXPECT_NE(ciphertext1, ciphertext2);
5618
5619 auto params_iv1 =
5620 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
5621 auto params_iv2 =
5622 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
5623
5624 string plaintext = DecryptMessage(ciphertext1, params_iv1);
5625 EXPECT_EQ(message, plaintext);
5626 plaintext = DecryptMessage(ciphertext2, params_iv2);
5627 EXPECT_EQ(message, plaintext);
5628
5629 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
5630 plaintext = DecryptMessage(ciphertext1, params_iv2);
5631 EXPECT_NE(message, plaintext);
5632 plaintext = DecryptMessage(ciphertext2, params_iv1);
5633 EXPECT_NE(message, plaintext);
5634}
5635
5636/*
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5637 * EncryptionOperationsTest.AesEcbIncremental
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5638 *
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5639 * Verifies that AES works for ECB block mode, when provided data in various size increments.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5640 */
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5641TEST_P(EncryptionOperationsTest, AesEcbIncremental) {
5642 CheckAesIncrementalEncryptOperation(BlockMode::ECB, 240);
5643}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5644
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5645/*
5646 * EncryptionOperationsTest.AesCbcIncremental
5647 *
5648 * Verifies that AES works for CBC block mode, when provided data in various size increments.
5649 */
5650TEST_P(EncryptionOperationsTest, AesCbcIncremental) {
5651 CheckAesIncrementalEncryptOperation(BlockMode::CBC, 240);
5652}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5653
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5654/*
5655 * EncryptionOperationsTest.AesCtrIncremental
5656 *
5657 * Verifies that AES works for CTR block mode, when provided data in various size increments.
5658 */
5659TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
5660 CheckAesIncrementalEncryptOperation(BlockMode::CTR, 240);
5661}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5662
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5663/*
5664 * EncryptionOperationsTest.AesGcmIncremental
5665 *
5666 * Verifies that AES works for GCM block mode, when provided data in various size increments.
5667 */
5668TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
5669 CheckAesIncrementalEncryptOperation(BlockMode::GCM, 240);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5670}
5671
5672struct AesCtrSp80038aTestVector {
5673 const char* key;
5674 const char* nonce;
5675 const char* plaintext;
5676 const char* ciphertext;
5677};
5678
5679// These test vectors are taken from
5680// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
5681static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
5682 // AES-128
5683 {
5684 "2b7e151628aed2a6abf7158809cf4f3c",
5685 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5686 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5687 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5688 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
5689 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
5690 },
5691 // AES-192
5692 {
5693 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
5694 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5695 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5696 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5697 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
5698 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
5699 },
5700 // AES-256
5701 {
5702 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
5703 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5704 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5705 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5706 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
5707 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
5708 },
5709};
5710
5711/*
5712 * EncryptionOperationsTest.AesCtrSp80038aTestVector
5713 *
5714 * Verifies AES CTR implementation against SP800-38A test vectors.
5715 */
5716TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
5717 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
5718 for (size_t i = 0; i < 3; i++) {
5719 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
5720 const string key = hex2str(test.key);
5721 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
5722 InvalidSizes.end())
5723 continue;
5724 const string nonce = hex2str(test.nonce);
5725 const string plaintext = hex2str(test.plaintext);
5726 const string ciphertext = hex2str(test.ciphertext);
5727 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
5728 }
5729}
5730
5731/*
5732 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
5733 *
5734 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
5735 */
5736TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
5737 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5738 .Authorization(TAG_NO_AUTH_REQUIRED)
5739 .AesEncryptionKey(128)
5740 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5741 .Padding(PaddingMode::PKCS7)));
5742 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5743 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5744}
5745
5746/*
5747 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
5748 *
5749 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
5750 */
5751TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
5752 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5753 .Authorization(TAG_NO_AUTH_REQUIRED)
5754 .AesEncryptionKey(128)
5755 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5756 .Authorization(TAG_CALLER_NONCE)
5757 .Padding(PaddingMode::NONE)));
5758
5759 auto params = AuthorizationSetBuilder()
5760 .BlockMode(BlockMode::CTR)
5761 .Padding(PaddingMode::NONE)
5762 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
5763 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5764
5765 params = AuthorizationSetBuilder()
5766 .BlockMode(BlockMode::CTR)
5767 .Padding(PaddingMode::NONE)
5768 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
5769 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5770
5771 params = AuthorizationSetBuilder()
5772 .BlockMode(BlockMode::CTR)
5773 .Padding(PaddingMode::NONE)
5774 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
5775 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5776}
5777
5778/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5779 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5780 *
5781 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
5782 */
5783TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
5784 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5785 .Authorization(TAG_NO_AUTH_REQUIRED)
5786 .AesEncryptionKey(128)
5787 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5788 .Padding(PaddingMode::NONE)));
5789 // Two-block message.
5790 string message = "12345678901234567890123456789012";
5791 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5792 AuthorizationSet out_params;
5793 string ciphertext1 = EncryptMessage(message, params, &out_params);
5794 vector<uint8_t> iv1 = CopyIv(out_params);
5795 EXPECT_EQ(message.size(), ciphertext1.size());
5796
5797 out_params.Clear();
5798
5799 string ciphertext2 = EncryptMessage(message, params, &out_params);
5800 vector<uint8_t> iv2 = CopyIv(out_params);
5801 EXPECT_EQ(message.size(), ciphertext2.size());
5802
5803 // IVs should be random, so ciphertexts should differ.
5804 EXPECT_NE(ciphertext1, ciphertext2);
5805
5806 params.push_back(TAG_NONCE, iv1);
5807 string plaintext = DecryptMessage(ciphertext1, params);
5808 EXPECT_EQ(message, plaintext);
5809}
5810
5811/*
5812 * EncryptionOperationsTest.AesCallerNonce
5813 *
5814 * Verifies that AES caller-provided nonces work correctly.
5815 */
5816TEST_P(EncryptionOperationsTest, AesCallerNonce) {
5817 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5818 .Authorization(TAG_NO_AUTH_REQUIRED)
5819 .AesEncryptionKey(128)
5820 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5821 .Authorization(TAG_CALLER_NONCE)
5822 .Padding(PaddingMode::NONE)));
5823
5824 string message = "12345678901234567890123456789012";
5825
5826 // Don't specify nonce, should get a random one.
5827 AuthorizationSetBuilder params =
5828 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5829 AuthorizationSet out_params;
5830 string ciphertext = EncryptMessage(message, params, &out_params);
5831 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5832 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5833
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5834 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5835 string plaintext = DecryptMessage(ciphertext, params);
5836 EXPECT_EQ(message, plaintext);
5837
5838 // Now specify a nonce, should also work.
5839 params = AuthorizationSetBuilder()
5840 .BlockMode(BlockMode::CBC)
5841 .Padding(PaddingMode::NONE)
5842 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
5843 out_params.Clear();
5844 ciphertext = EncryptMessage(message, params, &out_params);
5845
5846 // Decrypt with correct nonce.
5847 plaintext = DecryptMessage(ciphertext, params);
5848 EXPECT_EQ(message, plaintext);
5849
5850 // Try with wrong nonce.
5851 params = AuthorizationSetBuilder()
5852 .BlockMode(BlockMode::CBC)
5853 .Padding(PaddingMode::NONE)
5854 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
5855 plaintext = DecryptMessage(ciphertext, params);
5856 EXPECT_NE(message, plaintext);
5857}
5858
5859/*
5860 * EncryptionOperationsTest.AesCallerNonceProhibited
5861 *
5862 * Verifies that caller-provided nonces are not permitted when not specified in the key
5863 * authorizations.
5864 */
5865TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
5866 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5867 .Authorization(TAG_NO_AUTH_REQUIRED)
5868 .AesEncryptionKey(128)
5869 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5870 .Padding(PaddingMode::NONE)));
5871
5872 string message = "12345678901234567890123456789012";
5873
5874 // Don't specify nonce, should get a random one.
5875 AuthorizationSetBuilder params =
5876 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5877 AuthorizationSet out_params;
5878 string ciphertext = EncryptMessage(message, params, &out_params);
5879 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5880 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5881
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5882 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5883 string plaintext = DecryptMessage(ciphertext, params);
5884 EXPECT_EQ(message, plaintext);
5885
5886 // Now specify a nonce, should fail
5887 params = AuthorizationSetBuilder()
5888 .BlockMode(BlockMode::CBC)
5889 .Padding(PaddingMode::NONE)
5890 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
5891 out_params.Clear();
5892 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5893}
5894
5895/*
5896 * EncryptionOperationsTest.AesGcmRoundTripSuccess
5897 *
5898 * Verifies that AES GCM mode works.
5899 */
5900TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
5901 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5902 .Authorization(TAG_NO_AUTH_REQUIRED)
5903 .AesEncryptionKey(128)
5904 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5905 .Padding(PaddingMode::NONE)
5906 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5907
5908 string aad = "foobar";
5909 string message = "123456789012345678901234567890123456";
5910
5911 auto begin_params = AuthorizationSetBuilder()
5912 .BlockMode(BlockMode::GCM)
5913 .Padding(PaddingMode::NONE)
5914 .Authorization(TAG_MAC_LENGTH, 128);
5915
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5916 // Encrypt
5917 AuthorizationSet begin_out_params;
5918 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
5919 << "Begin encrypt";
5920 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5921 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
5922 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5923 ASSERT_EQ(ciphertext.length(), message.length() + 16);
5924
5925 // Grab nonce
5926 begin_params.push_back(begin_out_params);
5927
5928 // Decrypt.
5929 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5930 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5931 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5932 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5933 EXPECT_EQ(message.length(), plaintext.length());
5934 EXPECT_EQ(message, plaintext);
5935}
5936
5937/*
5938 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
5939 *
5940 * Verifies that AES GCM mode works, even when there's a long delay
5941 * between operations.
5942 */
5943TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
5944 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5945 .Authorization(TAG_NO_AUTH_REQUIRED)
5946 .AesEncryptionKey(128)
5947 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5948 .Padding(PaddingMode::NONE)
5949 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5950
5951 string aad = "foobar";
5952 string message = "123456789012345678901234567890123456";
5953
5954 auto begin_params = AuthorizationSetBuilder()
5955 .BlockMode(BlockMode::GCM)
5956 .Padding(PaddingMode::NONE)
5957 .Authorization(TAG_MAC_LENGTH, 128);
5958
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5959 // Encrypt
5960 AuthorizationSet begin_out_params;
5961 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
5962 << "Begin encrypt";
5963 string ciphertext;
5964 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5965 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5966 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5967 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5968
5969 ASSERT_EQ(ciphertext.length(), message.length() + 16);
5970
5971 // Grab nonce
5972 begin_params.push_back(begin_out_params);
5973
5974 // Decrypt.
5975 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
5976 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5977 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5978 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5979 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5980 sleep(5);
5981 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
5982 EXPECT_EQ(message.length(), plaintext.length());
5983 EXPECT_EQ(message, plaintext);
5984}
5985
5986/*
5987 * EncryptionOperationsTest.AesGcmDifferentNonces
5988 *
5989 * Verifies that encrypting the same data with different nonces produces different outputs.
5990 */
5991TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
5992 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5993 .Authorization(TAG_NO_AUTH_REQUIRED)
5994 .AesEncryptionKey(128)
5995 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5996 .Padding(PaddingMode::NONE)
5997 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5998 .Authorization(TAG_CALLER_NONCE)));
5999
6000 string aad = "foobar";
6001 string message = "123456789012345678901234567890123456";
6002 string nonce1 = "000000000000";
6003 string nonce2 = "111111111111";
6004 string nonce3 = "222222222222";
6005
6006 string ciphertext1 =
6007 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
6008 string ciphertext2 =
6009 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
6010 string ciphertext3 =
6011 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
6012
6013 ASSERT_NE(ciphertext1, ciphertext2);
6014 ASSERT_NE(ciphertext1, ciphertext3);
6015 ASSERT_NE(ciphertext2, ciphertext3);
6016}
6017
6018/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6019 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
6020 *
6021 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
6022 */
6023TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
6024 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6025 .Authorization(TAG_NO_AUTH_REQUIRED)
6026 .AesEncryptionKey(128)
6027 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
6028 .Padding(PaddingMode::NONE)
6029 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6030
6031 string aad = "foobar";
6032 string message = "123456789012345678901234567890123456";
6033
6034 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6035 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6036 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
6037
6038 ASSERT_NE(ciphertext1, ciphertext2);
6039 ASSERT_NE(ciphertext1, ciphertext3);
6040 ASSERT_NE(ciphertext2, ciphertext3);
6041}
6042
6043/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6044 * EncryptionOperationsTest.AesGcmTooShortTag
6045 *
6046 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
6047 */
6048TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
6049 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6050 .Authorization(TAG_NO_AUTH_REQUIRED)
6051 .AesEncryptionKey(128)
6052 .BlockMode(BlockMode::GCM)
6053 .Padding(PaddingMode::NONE)
6054 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6055 string message = "123456789012345678901234567890123456";
6056 auto params = AuthorizationSetBuilder()
6057 .BlockMode(BlockMode::GCM)
6058 .Padding(PaddingMode::NONE)
6059 .Authorization(TAG_MAC_LENGTH, 96);
6060
6061 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
6062}
6063
6064/*
6065 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
6066 *
6067 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
6068 */
6069TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
6070 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6071 .Authorization(TAG_NO_AUTH_REQUIRED)
6072 .AesEncryptionKey(128)
6073 .BlockMode(BlockMode::GCM)
6074 .Padding(PaddingMode::NONE)
6075 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6076 string aad = "foobar";
6077 string message = "123456789012345678901234567890123456";
6078 auto params = AuthorizationSetBuilder()
6079 .BlockMode(BlockMode::GCM)
6080 .Padding(PaddingMode::NONE)
6081 .Authorization(TAG_MAC_LENGTH, 128);
6082
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6083 // Encrypt
6084 AuthorizationSet begin_out_params;
6085 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6086 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6087 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6088
6089 AuthorizationSet finish_out_params;
6090 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6091 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6092 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6093
6094 params = AuthorizationSetBuilder()
6095 .Authorizations(begin_out_params)
6096 .BlockMode(BlockMode::GCM)
6097 .Padding(PaddingMode::NONE)
6098 .Authorization(TAG_MAC_LENGTH, 96);
6099
6100 // Decrypt.
6101 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
6102}
6103
6104/*
6105 * EncryptionOperationsTest.AesGcmCorruptKey
6106 *
6107 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
6108 */
6109TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
6110 const uint8_t nonce_bytes[] = {
6111 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
6112 };
6113 string nonce = make_string(nonce_bytes);
6114 const uint8_t ciphertext_bytes[] = {
6115 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
6116 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
6117 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
6118 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
6119 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
6120 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
6121 };
6122 string ciphertext = make_string(ciphertext_bytes);
6123
6124 auto params = AuthorizationSetBuilder()
6125 .BlockMode(BlockMode::GCM)
6126 .Padding(PaddingMode::NONE)
6127 .Authorization(TAG_MAC_LENGTH, 128)
6128 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
6129
6130 auto import_params = AuthorizationSetBuilder()
6131 .Authorization(TAG_NO_AUTH_REQUIRED)
6132 .AesEncryptionKey(128)
6133 .BlockMode(BlockMode::GCM)
6134 .Padding(PaddingMode::NONE)
6135 .Authorization(TAG_CALLER_NONCE)
6136 .Authorization(TAG_MIN_MAC_LENGTH, 128);
6137
6138 // Import correct key and decrypt
6139 const uint8_t key_bytes[] = {
6140 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
6141 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
6142 };
6143 string key = make_string(key_bytes);
6144 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6145 string plaintext = DecryptMessage(ciphertext, params);
6146 CheckedDeleteKey();
6147
6148 // Corrupt key and attempt to decrypt
6149 key[0] = 0;
6150 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6151 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
6152 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
6153 CheckedDeleteKey();
6154}
6155
6156/*
6157 * EncryptionOperationsTest.AesGcmAadNoData
6158 *
6159 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
6160 * encrypt.
6161 */
6162TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
6163 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6164 .Authorization(TAG_NO_AUTH_REQUIRED)
6165 .AesEncryptionKey(128)
6166 .BlockMode(BlockMode::GCM)
6167 .Padding(PaddingMode::NONE)
6168 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6169
6170 string aad = "1234567890123456";
6171 auto params = AuthorizationSetBuilder()
6172 .BlockMode(BlockMode::GCM)
6173 .Padding(PaddingMode::NONE)
6174 .Authorization(TAG_MAC_LENGTH, 128);
6175
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6176 // Encrypt
6177 AuthorizationSet begin_out_params;
6178 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6179 string ciphertext;
6180 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6181 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6182 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6183 EXPECT_TRUE(finish_out_params.empty());
6184
6185 // Grab nonce
6186 params.push_back(begin_out_params);
6187
6188 // Decrypt.
6189 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6190 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6191 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6192 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6193
6194 EXPECT_TRUE(finish_out_params.empty());
6195
6196 EXPECT_EQ("", plaintext);
6197}
6198
6199/*
6200 * EncryptionOperationsTest.AesGcmMultiPartAad
6201 *
6202 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
6203 * chunks.
6204 */
6205TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
6206 const size_t tag_bits = 128;
6207 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6208 .Authorization(TAG_NO_AUTH_REQUIRED)
6209 .AesEncryptionKey(128)
6210 .BlockMode(BlockMode::GCM)
6211 .Padding(PaddingMode::NONE)
6212 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6213
6214 string message = "123456789012345678901234567890123456";
6215 auto begin_params = AuthorizationSetBuilder()
6216 .BlockMode(BlockMode::GCM)
6217 .Padding(PaddingMode::NONE)
6218 .Authorization(TAG_MAC_LENGTH, tag_bits);
6219 AuthorizationSet begin_out_params;
6220
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6221 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
6222
6223 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6224 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
6225 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6226 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6227 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6228 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6229
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6230 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6231 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6232
6233 // Grab nonce.
6234 begin_params.push_back(begin_out_params);
6235
6236 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6237 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6238 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6239 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6240 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6241 EXPECT_EQ(message, plaintext);
6242}
6243
6244/*
6245 * EncryptionOperationsTest.AesGcmAadOutOfOrder
6246 *
6247 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
6248 */
6249TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
6250 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6251 .Authorization(TAG_NO_AUTH_REQUIRED)
6252 .AesEncryptionKey(128)
6253 .BlockMode(BlockMode::GCM)
6254 .Padding(PaddingMode::NONE)
6255 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6256
6257 string message = "123456789012345678901234567890123456";
6258 auto begin_params = AuthorizationSetBuilder()
6259 .BlockMode(BlockMode::GCM)
6260 .Padding(PaddingMode::NONE)
6261 .Authorization(TAG_MAC_LENGTH, 128);
6262 AuthorizationSet begin_out_params;
6263
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6264 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
6265
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6266 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6267 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6268 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6269 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6270
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6271 // The failure should have already cancelled the operation.
6272 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
6273
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6274 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6275}
6276
6277/*
6278 * EncryptionOperationsTest.AesGcmBadAad
6279 *
6280 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
6281 */
6282TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
6283 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6284 .Authorization(TAG_NO_AUTH_REQUIRED)
6285 .AesEncryptionKey(128)
6286 .BlockMode(BlockMode::GCM)
6287 .Padding(PaddingMode::NONE)
6288 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6289
6290 string message = "12345678901234567890123456789012";
6291 auto begin_params = AuthorizationSetBuilder()
6292 .BlockMode(BlockMode::GCM)
6293 .Padding(PaddingMode::NONE)
6294 .Authorization(TAG_MAC_LENGTH, 128);
6295
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6296 // Encrypt
6297 AuthorizationSet begin_out_params;
6298 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6299 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6300 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6301 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6302
6303 // Grab nonce
6304 begin_params.push_back(begin_out_params);
6305
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6306 // Decrypt.
6307 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6308 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6309 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6310 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6311}
6312
6313/*
6314 * EncryptionOperationsTest.AesGcmWrongNonce
6315 *
6316 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
6317 */
6318TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
6319 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6320 .Authorization(TAG_NO_AUTH_REQUIRED)
6321 .AesEncryptionKey(128)
6322 .BlockMode(BlockMode::GCM)
6323 .Padding(PaddingMode::NONE)
6324 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6325
6326 string message = "12345678901234567890123456789012";
6327 auto begin_params = AuthorizationSetBuilder()
6328 .BlockMode(BlockMode::GCM)
6329 .Padding(PaddingMode::NONE)
6330 .Authorization(TAG_MAC_LENGTH, 128);
6331
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6332 // Encrypt
6333 AuthorizationSet begin_out_params;
6334 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6335 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6336 string ciphertext;
6337 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6338 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6339
6340 // Wrong nonce
6341 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
6342
6343 // Decrypt.
6344 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6345 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6346 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6347 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6348
6349 // With wrong nonce, should have gotten garbage plaintext (or none).
6350 EXPECT_NE(message, plaintext);
6351}
6352
6353/*
6354 * EncryptionOperationsTest.AesGcmCorruptTag
6355 *
6356 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
6357 */
6358TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
6359 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6360 .Authorization(TAG_NO_AUTH_REQUIRED)
6361 .AesEncryptionKey(128)
6362 .BlockMode(BlockMode::GCM)
6363 .Padding(PaddingMode::NONE)
6364 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6365
6366 string aad = "1234567890123456";
6367 string message = "123456789012345678901234567890123456";
6368
6369 auto params = AuthorizationSetBuilder()
6370 .BlockMode(BlockMode::GCM)
6371 .Padding(PaddingMode::NONE)
6372 .Authorization(TAG_MAC_LENGTH, 128);
6373
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6374 // Encrypt
6375 AuthorizationSet begin_out_params;
6376 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6377 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6378 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6379 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6380
6381 // Corrupt tag
6382 ++(*ciphertext.rbegin());
6383
6384 // Grab nonce
6385 params.push_back(begin_out_params);
6386
6387 // Decrypt.
6388 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6389 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6390 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6391 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6392}
6393
6394/*
6395 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
6396 *
6397 * Verifies that 3DES is basically functional.
6398 */
6399TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
6400 auto auths = AuthorizationSetBuilder()
6401 .TripleDesEncryptionKey(168)
6402 .BlockMode(BlockMode::ECB)
6403 .Authorization(TAG_NO_AUTH_REQUIRED)
6404 .Padding(PaddingMode::NONE);
6405
6406 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
6407 // Two-block message.
6408 string message = "1234567890123456";
6409 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6410 string ciphertext1 = EncryptMessage(message, inParams);
6411 EXPECT_EQ(message.size(), ciphertext1.size());
6412
6413 string ciphertext2 = EncryptMessage(string(message), inParams);
6414 EXPECT_EQ(message.size(), ciphertext2.size());
6415
6416 // ECB is deterministic.
6417 EXPECT_EQ(ciphertext1, ciphertext2);
6418
6419 string plaintext = DecryptMessage(ciphertext1, inParams);
6420 EXPECT_EQ(message, plaintext);
6421}
6422
6423/*
6424 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
6425 *
6426 * Verifies that CBC keys reject ECB usage.
6427 */
6428TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
6429 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6430 .TripleDesEncryptionKey(168)
6431 .BlockMode(BlockMode::CBC)
6432 .Authorization(TAG_NO_AUTH_REQUIRED)
6433 .Padding(PaddingMode::NONE)));
6434
6435 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6436 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
6437}
6438
6439/*
6440 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
6441 *
6442 * Tests ECB mode with PKCS#7 padding, various message sizes.
6443 */
6444TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
6445 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6446 .TripleDesEncryptionKey(168)
6447 .BlockMode(BlockMode::ECB)
6448 .Authorization(TAG_NO_AUTH_REQUIRED)
6449 .Padding(PaddingMode::PKCS7)));
6450
6451 for (size_t i = 0; i < 32; ++i) {
6452 string message(i, 'a');
6453 auto inParams =
6454 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
6455 string ciphertext = EncryptMessage(message, inParams);
6456 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
6457 string plaintext = DecryptMessage(ciphertext, inParams);
6458 EXPECT_EQ(message, plaintext);
6459 }
6460}
6461
6462/*
6463 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
6464 *
6465 * Verifies that keys configured for no padding reject PKCS7 padding
6466 */
6467TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
6468 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6469 .TripleDesEncryptionKey(168)
6470 .BlockMode(BlockMode::ECB)
6471 .Authorization(TAG_NO_AUTH_REQUIRED)
6472 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6473 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
6474 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6475}
6476
6477/*
6478 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
6479 *
6480 * Verifies that corrupted padding is detected.
6481 */
6482TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
6483 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6484 .TripleDesEncryptionKey(168)
6485 .BlockMode(BlockMode::ECB)
6486 .Authorization(TAG_NO_AUTH_REQUIRED)
6487 .Padding(PaddingMode::PKCS7)));
6488
6489 string message = "a";
6490 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
6491 EXPECT_EQ(8U, ciphertext.size());
6492 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6493
6494 AuthorizationSetBuilder begin_params;
6495 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
6496 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6497
6498 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
6499 ++ciphertext[ciphertext.size() / 2];
6500
6501 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
6502 string plaintext;
6503 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
6504 ErrorCode error = Finish(&plaintext);
6505 if (error == ErrorCode::INVALID_ARGUMENT) {
6506 // This is the expected error, we can exit the test now.
6507 return;
6508 } else {
6509 // Very small chance we got valid decryption, so try again.
6510 ASSERT_EQ(error, ErrorCode::OK);
6511 }
6512 }
6513 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6514}
6515
6516struct TripleDesTestVector {
6517 const char* name;
6518 const KeyPurpose purpose;
6519 const BlockMode block_mode;
6520 const PaddingMode padding_mode;
6521 const char* key;
6522 const char* iv;
6523 const char* input;
6524 const char* output;
6525};
6526
6527// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
6528// of the NIST vectors are multiples of the block size.
6529static const TripleDesTestVector kTripleDesTestVectors[] = {
6530 {
6531 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
6532 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
6533 "", // IV
6534 "329d86bdf1bc5af4", // input
6535 "d946c2756d78633f", // output
6536 },
6537 {
6538 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
6539 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
6540 "", // IV
6541 "6b1540781b01ce1997adae102dbf3c5b", // input
6542 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
6543 },
6544 {
6545 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
6546 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
6547 "", // IV
6548 "6daad94ce08acfe7", // input
6549 "660e7d32dcc90e79", // output
6550 },
6551 {
6552 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
6553 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
6554 "", // IV
6555 "e9653a0a1f05d31b9acd12d73aa9879d", // input
6556 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
6557 },
6558 {
6559 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
6560 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
6561 "43f791134c5647ba", // IV
6562 "dcc153cef81d6f24", // input
6563 "92538bd8af18d3ba", // output
6564 },
6565 {
6566 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
6567 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6568 "c2e999cb6249023c", // IV
6569 "c689aee38a301bb316da75db36f110b5", // input
6570 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
6571 },
6572 {
6573 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
6574 PaddingMode::PKCS7,
6575 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6576 "c2e999cb6249023c", // IV
6577 "c689aee38a301bb316da75db36f110b500", // input
6578 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
6579 },
6580 {
6581 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
6582 PaddingMode::PKCS7,
6583 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6584 "c2e999cb6249023c", // IV
6585 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
6586 "c689aee38a301bb316da75db36f110b500", // output
6587 },
6588 {
6589 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
6590 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
6591 "41746c7e442d3681", // IV
6592 "c53a7b0ec40600fe", // input
6593 "d4f00eb455de1034", // output
6594 },
6595 {
6596 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
6597 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
6598 "3982bc02c3727d45", // IV
6599 "6006f10adef52991fcc777a1238bbb65", // input
6600 "edae09288e9e3bc05746d872b48e3b29", // output
6601 },
6602};
6603
6604/*
6605 * EncryptionOperationsTest.TripleDesTestVector
6606 *
6607 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
6608 */
6609TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
6610 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
6611 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
6612 SCOPED_TRACE(test->name);
6613 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
6614 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
6615 hex2str(test->output));
6616 }
6617}
6618
6619/*
6620 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
6621 *
6622 * Validates CBC mode functionality.
6623 */
6624TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
6625 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6626 .TripleDesEncryptionKey(168)
6627 .BlockMode(BlockMode::CBC)
6628 .Authorization(TAG_NO_AUTH_REQUIRED)
6629 .Padding(PaddingMode::NONE)));
6630
6631 ASSERT_GT(key_blob_.size(), 0U);
6632
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6633 // Four-block message.
6634 string message = "12345678901234561234567890123456";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6635 vector<uint8_t> iv1;
6636 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
6637 EXPECT_EQ(message.size(), ciphertext1.size());
6638
6639 vector<uint8_t> iv2;
6640 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
6641 EXPECT_EQ(message.size(), ciphertext2.size());
6642
6643 // IVs should be random, so ciphertexts should differ.
6644 EXPECT_NE(iv1, iv2);
6645 EXPECT_NE(ciphertext1, ciphertext2);
6646
6647 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
6648 EXPECT_EQ(message, plaintext);
6649}
6650
6651/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6652 * EncryptionOperationsTest.TripleDesInvalidCallerIv
6653 *
6654 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
6655 */
6656TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
6657 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6658 .TripleDesEncryptionKey(168)
6659 .BlockMode(BlockMode::CBC)
6660 .Authorization(TAG_NO_AUTH_REQUIRED)
6661 .Authorization(TAG_CALLER_NONCE)
6662 .Padding(PaddingMode::NONE)));
6663 auto params = AuthorizationSetBuilder()
6664 .BlockMode(BlockMode::CBC)
6665 .Padding(PaddingMode::NONE)
6666 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
6667 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6668}
6669
6670/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6671 * EncryptionOperationsTest.TripleDesCallerIv
6672 *
6673 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
6674 */
6675TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
6676 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6677 .TripleDesEncryptionKey(168)
6678 .BlockMode(BlockMode::CBC)
6679 .Authorization(TAG_NO_AUTH_REQUIRED)
6680 .Authorization(TAG_CALLER_NONCE)
6681 .Padding(PaddingMode::NONE)));
6682 string message = "1234567890123456";
6683 vector<uint8_t> iv;
6684 // Don't specify IV, should get a random one.
6685 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
6686 EXPECT_EQ(message.size(), ciphertext1.size());
6687 EXPECT_EQ(8U, iv.size());
6688
6689 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
6690 EXPECT_EQ(message, plaintext);
6691
6692 // Now specify an IV, should also work.
6693 iv = AidlBuf("abcdefgh");
6694 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
6695
6696 // Decrypt with correct IV.
6697 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
6698 EXPECT_EQ(message, plaintext);
6699
6700 // Now try with wrong IV.
6701 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
6702 EXPECT_NE(message, plaintext);
6703}
6704
6705/*
6706 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
6707 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6708 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6709 */
6710TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
6711 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6712 .TripleDesEncryptionKey(168)
6713 .BlockMode(BlockMode::CBC)
6714 .Authorization(TAG_NO_AUTH_REQUIRED)
6715 .Padding(PaddingMode::NONE)));
6716
6717 string message = "12345678901234567890123456789012";
6718 vector<uint8_t> iv;
6719 // Don't specify nonce, should get a random one.
6720 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
6721 EXPECT_EQ(message.size(), ciphertext1.size());
6722 EXPECT_EQ(8U, iv.size());
6723
6724 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
6725 EXPECT_EQ(message, plaintext);
6726
6727 // Now specify a nonce, should fail.
6728 auto input_params = AuthorizationSetBuilder()
6729 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
6730 .BlockMode(BlockMode::CBC)
6731 .Padding(PaddingMode::NONE);
6732 AuthorizationSet output_params;
6733 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
6734 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
6735}
6736
6737/*
6738 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
6739 *
6740 * Verifies that 3DES ECB-only keys do not allow CBC usage.
6741 */
6742TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
6743 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6744 .TripleDesEncryptionKey(168)
6745 .BlockMode(BlockMode::ECB)
6746 .Authorization(TAG_NO_AUTH_REQUIRED)
6747 .Padding(PaddingMode::NONE)));
6748 // Two-block message.
6749 string message = "1234567890123456";
6750 auto begin_params =
6751 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6752 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
6753}
6754
6755/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6756 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6757 *
6758 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
6759 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6760TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
6761 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
6762 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6763 .TripleDesEncryptionKey(168)
6764 .BlockMode(blockMode)
6765 .Authorization(TAG_NO_AUTH_REQUIRED)
6766 .Padding(PaddingMode::NONE)));
6767 // Message is slightly shorter than two blocks.
6768 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6769
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6770 auto begin_params =
6771 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
6772 AuthorizationSet output_params;
6773 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
6774 string ciphertext;
6775 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
6776
6777 CheckedDeleteKey();
6778 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6779}
6780
6781/*
6782 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
6783 *
6784 * Verifies that PKCS7 padding works correctly in CBC mode.
6785 */
6786TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
6787 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6788 .TripleDesEncryptionKey(168)
6789 .BlockMode(BlockMode::CBC)
6790 .Authorization(TAG_NO_AUTH_REQUIRED)
6791 .Padding(PaddingMode::PKCS7)));
6792
6793 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6794 for (size_t i = 0; i <= 32; i++) {
6795 SCOPED_TRACE(testing::Message() << "i = " << i);
6796 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character, albeit not for 3DES.
6797 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6798 vector<uint8_t> iv;
6799 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
6800 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
6801 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
6802 EXPECT_EQ(message, plaintext);
6803 }
6804}
6805
6806/*
6807 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
6808 *
6809 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
6810 */
6811TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
6812 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6813 .TripleDesEncryptionKey(168)
6814 .BlockMode(BlockMode::CBC)
6815 .Authorization(TAG_NO_AUTH_REQUIRED)
6816 .Padding(PaddingMode::NONE)));
6817
6818 // Try various message lengths; all should fail.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6819 for (size_t i = 0; i <= 32; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6820 auto begin_params =
6821 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
6822 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
6823 }
6824}
6825
6826/*
6827 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
6828 *
6829 * Verifies that corrupted PKCS7 padding is rejected during decryption.
6830 */
6831TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
6832 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6833 .TripleDesEncryptionKey(168)
6834 .BlockMode(BlockMode::CBC)
6835 .Authorization(TAG_NO_AUTH_REQUIRED)
6836 .Padding(PaddingMode::PKCS7)));
6837
6838 string message = "a";
6839 vector<uint8_t> iv;
6840 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
6841 EXPECT_EQ(8U, ciphertext.size());
6842 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6843
6844 auto begin_params = AuthorizationSetBuilder()
6845 .BlockMode(BlockMode::CBC)
6846 .Padding(PaddingMode::PKCS7)
6847 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6848
6849 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6850 SCOPED_TRACE(testing::Message() << "i = " << i);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6851 ++ciphertext[ciphertext.size() / 2];
6852 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
6853 string plaintext;
6854 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
6855 ErrorCode error = Finish(&plaintext);
6856 if (error == ErrorCode::INVALID_ARGUMENT) {
6857 // This is the expected error, we can exit the test now.
6858 return;
6859 } else {
6860 // Very small chance we got valid decryption, so try again.
6861 ASSERT_EQ(error, ErrorCode::OK);
6862 }
6863 }
6864 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6865}
6866
6867/*
6868 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
6869 *
6870 * Verifies that 3DES CBC works with many different input sizes.
6871 */
6872TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
6873 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6874 .TripleDesEncryptionKey(168)
6875 .BlockMode(BlockMode::CBC)
6876 .Authorization(TAG_NO_AUTH_REQUIRED)
6877 .Padding(PaddingMode::NONE)));
6878
6879 int increment = 7;
6880 string message(240, 'a');
6881 AuthorizationSet input_params =
6882 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6883 AuthorizationSet output_params;
6884 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
6885
6886 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6887 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6888 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6889 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
6890 EXPECT_EQ(message.size(), ciphertext.size());
6891
6892 // Move TAG_NONCE into input_params
6893 input_params = output_params;
6894 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
6895 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
6896 output_params.Clear();
6897
6898 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
6899 string plaintext;
6900 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6901 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6902 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
6903 EXPECT_EQ(ciphertext.size(), plaintext.size());
6904 EXPECT_EQ(message, plaintext);
6905}
6906
6907INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
6908
6909typedef KeyMintAidlTestBase MaxOperationsTest;
6910
6911/*
6912 * MaxOperationsTest.TestLimitAes
6913 *
6914 * Verifies that the max uses per boot tag works correctly with AES keys.
6915 */
6916TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6917 if (SecLevel() == SecurityLevel::STRONGBOX) {
6918 GTEST_SKIP() << "Test not applicable to StrongBox device";
6919 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6920
6921 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6922 .Authorization(TAG_NO_AUTH_REQUIRED)
6923 .AesEncryptionKey(128)
6924 .EcbMode()
6925 .Padding(PaddingMode::NONE)
6926 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
6927
6928 string message = "1234567890123456";
6929
6930 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6931
6932 EncryptMessage(message, params);
6933 EncryptMessage(message, params);
6934 EncryptMessage(message, params);
6935
6936 // Fourth time should fail.
6937 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
6938}
6939
6940/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6941 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6942 *
6943 * Verifies that the max uses per boot tag works correctly with RSA keys.
6944 */
6945TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6946 if (SecLevel() == SecurityLevel::STRONGBOX) {
6947 GTEST_SKIP() << "Test not applicable to StrongBox device";
6948 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6949
6950 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6951 .Authorization(TAG_NO_AUTH_REQUIRED)
6952 .RsaSigningKey(1024, 65537)
6953 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6954 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
6955 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6956
6957 string message = "1234567890123456";
6958
6959 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
6960
6961 SignMessage(message, params);
6962 SignMessage(message, params);
6963 SignMessage(message, params);
6964
6965 // Fourth time should fail.
6966 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
6967}
6968
6969INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
6970
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6971typedef KeyMintAidlTestBase UsageCountLimitTest;
6972
6973/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6974 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6975 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6976 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6977 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6978TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6979 if (SecLevel() == SecurityLevel::STRONGBOX) {
6980 GTEST_SKIP() << "Test not applicable to StrongBox device";
6981 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6982
6983 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6984 .Authorization(TAG_NO_AUTH_REQUIRED)
6985 .AesEncryptionKey(128)
6986 .EcbMode()
6987 .Padding(PaddingMode::NONE)
6988 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
6989
6990 // Check the usage count limit tag appears in the authorizations.
6991 AuthorizationSet auths;
6992 for (auto& entry : key_characteristics_) {
6993 auths.push_back(AuthorizationSet(entry.authorizations));
6994 }
6995 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
6996 << "key usage count limit " << 1U << " missing";
6997
6998 string message = "1234567890123456";
6999 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7000
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7001 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7002 AuthorizationSet keystore_auths =
7003 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7004
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7005 // First usage of AES key should work.
7006 EncryptMessage(message, params);
7007
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7008 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7009 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7010 // must be invalidated from secure storage (such as RPMB partition).
7011 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7012 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7013 // Usage count limit tag is enforced by keystore, keymint does nothing.
7014 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7015 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
7016 }
7017}
7018
7019/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7020 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7021 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7022 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7023 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7024TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7025 if (SecLevel() == SecurityLevel::STRONGBOX) {
7026 GTEST_SKIP() << "Test not applicable to StrongBox device";
7027 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7028
7029 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7030 .Authorization(TAG_NO_AUTH_REQUIRED)
7031 .AesEncryptionKey(128)
7032 .EcbMode()
7033 .Padding(PaddingMode::NONE)
7034 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
7035
7036 // Check the usage count limit tag appears in the authorizations.
7037 AuthorizationSet auths;
7038 for (auto& entry : key_characteristics_) {
7039 auths.push_back(AuthorizationSet(entry.authorizations));
7040 }
7041 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7042 << "key usage count limit " << 3U << " missing";
7043
7044 string message = "1234567890123456";
7045 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
7046
7047 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7048 AuthorizationSet keystore_auths =
7049 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7050
7051 EncryptMessage(message, params);
7052 EncryptMessage(message, params);
7053 EncryptMessage(message, params);
7054
7055 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7056 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7057 // must be invalidated from secure storage (such as RPMB partition).
7058 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
7059 } else {
7060 // Usage count limit tag is enforced by keystore, keymint does nothing.
7061 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
7062 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
7063 }
7064}
7065
7066/*
7067 * UsageCountLimitTest.TestSingleUseRsa
7068 *
7069 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
7070 */
7071TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7072 if (SecLevel() == SecurityLevel::STRONGBOX) {
7073 GTEST_SKIP() << "Test not applicable to StrongBox device";
7074 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7075
7076 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7077 .Authorization(TAG_NO_AUTH_REQUIRED)
7078 .RsaSigningKey(1024, 65537)
7079 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7080 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7081 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7082
7083 // Check the usage count limit tag appears in the authorizations.
7084 AuthorizationSet auths;
7085 for (auto& entry : key_characteristics_) {
7086 auths.push_back(AuthorizationSet(entry.authorizations));
7087 }
7088 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7089 << "key usage count limit " << 1U << " missing";
7090
7091 string message = "1234567890123456";
7092 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7093
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7094 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7095 AuthorizationSet keystore_auths =
7096 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7097
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7098 // First usage of RSA key should work.
7099 SignMessage(message, params);
7100
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7101 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7102 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7103 // must be invalidated from secure storage (such as RPMB partition).
7104 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7105 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7106 // Usage count limit tag is enforced by keystore, keymint does nothing.
7107 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
7108 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
7109 }
7110}
7111
7112/*
7113 * UsageCountLimitTest.TestLimitUseRsa
7114 *
7115 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
7116 */
7117TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7118 if (SecLevel() == SecurityLevel::STRONGBOX) {
7119 GTEST_SKIP() << "Test not applicable to StrongBox device";
7120 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7121
7122 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7123 .Authorization(TAG_NO_AUTH_REQUIRED)
7124 .RsaSigningKey(1024, 65537)
7125 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7126 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
7127 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7128
7129 // Check the usage count limit tag appears in the authorizations.
7130 AuthorizationSet auths;
7131 for (auto& entry : key_characteristics_) {
7132 auths.push_back(AuthorizationSet(entry.authorizations));
7133 }
7134 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7135 << "key usage count limit " << 3U << " missing";
7136
7137 string message = "1234567890123456";
7138 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7139
7140 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7141 AuthorizationSet keystore_auths =
7142 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7143
7144 SignMessage(message, params);
7145 SignMessage(message, params);
7146 SignMessage(message, params);
7147
7148 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7149 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7150 // must be invalidated from secure storage (such as RPMB partition).
7151 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7152 } else {
7153 // Usage count limit tag is enforced by keystore, keymint does nothing.
7154 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7155 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
7156 }
7157}
7158
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7159/*
7160 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
7161 *
7162 * Verifies that when rollback resistance is supported by the KeyMint implementation with
7163 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
7164 * in hardware.
7165 */
7166TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7167 if (SecLevel() == SecurityLevel::STRONGBOX) {
7168 GTEST_SKIP() << "Test not applicable to StrongBox device";
7169 }
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7170
7171 auto error = GenerateKey(AuthorizationSetBuilder()
7172 .RsaSigningKey(2048, 65537)
7173 .Digest(Digest::NONE)
7174 .Padding(PaddingMode::NONE)
7175 .Authorization(TAG_NO_AUTH_REQUIRED)
7176 .Authorization(TAG_ROLLBACK_RESISTANCE)
7177 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7178 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7179 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7180 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7181
7182 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
7183 ASSERT_EQ(ErrorCode::OK, error);
7184 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7185 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
7186 ASSERT_EQ(ErrorCode::OK, DeleteKey());
7187
7188 // The KeyMint should also enforce single use key in hardware when it supports rollback
7189 // resistance.
7190 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7191 .Authorization(TAG_NO_AUTH_REQUIRED)
7192 .RsaSigningKey(1024, 65537)
7193 .NoDigestOrPadding()
7194 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7195 .SetDefaultValidity()));
7196
7197 // Check the usage count limit tag appears in the hardware authorizations.
7198 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7199 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7200 << "key usage count limit " << 1U << " missing";
7201
7202 string message = "1234567890123456";
7203 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7204
7205 // First usage of RSA key should work.
7206 SignMessage(message, params);
7207
7208 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7209 // must be invalidated from secure storage (such as RPMB partition).
7210 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7211}
7212
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7213INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
7214
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7215typedef KeyMintAidlTestBase GetHardwareInfoTest;
7216
7217TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
7218 // Retrieving hardware info should give the same result each time.
7219 KeyMintHardwareInfo info;
7220 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
7221 KeyMintHardwareInfo info2;
7222 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
7223 EXPECT_EQ(info, info2);
7224}
7225
7226INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
7227
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7228typedef KeyMintAidlTestBase AddEntropyTest;
7229
7230/*
7231 * AddEntropyTest.AddEntropy
7232 *
7233 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
7234 * is actually added.
7235 */
7236TEST_P(AddEntropyTest, AddEntropy) {
7237 string data = "foo";
7238 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
7239}
7240
7241/*
7242 * AddEntropyTest.AddEmptyEntropy
7243 *
7244 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
7245 */
7246TEST_P(AddEntropyTest, AddEmptyEntropy) {
7247 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
7248}
7249
7250/*
7251 * AddEntropyTest.AddLargeEntropy
7252 *
7253 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
7254 */
7255TEST_P(AddEntropyTest, AddLargeEntropy) {
7256 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
7257}
7258
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]7259/*
7260 * AddEntropyTest.AddTooLargeEntropy
7261 *
7262 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
7263 */
7264TEST_P(AddEntropyTest, AddTooLargeEntropy) {
7265 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
7266 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
7267}
7268
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7269INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
7270
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7271typedef KeyMintAidlTestBase KeyDeletionTest;
7272
7273/**
7274 * KeyDeletionTest.DeleteKey
7275 *
7276 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
7277 * valid key blob.
7278 */
7279TEST_P(KeyDeletionTest, DeleteKey) {
7280 auto error = GenerateKey(AuthorizationSetBuilder()
7281 .RsaSigningKey(2048, 65537)
7282 .Digest(Digest::NONE)
7283 .Padding(PaddingMode::NONE)
7284 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7285 .Authorization(TAG_ROLLBACK_RESISTANCE)
7286 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7287 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7288 GTEST_SKIP() << "Rollback resistance not supported";
7289 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7290
7291 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7292 ASSERT_EQ(ErrorCode::OK, error);
7293 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7294 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7295
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7296 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7297
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7298 string message = "12345678901234567890123456789012";
7299 AuthorizationSet begin_out_params;
7300 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
7301 Begin(KeyPurpose::SIGN, key_blob_,
7302 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
7303 &begin_out_params));
7304 AbortIfNeeded();
7305 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7306}
7307
7308/**
7309 * KeyDeletionTest.DeleteInvalidKey
7310 *
7311 * This test checks that the HAL excepts invalid key blobs..
7312 */
7313TEST_P(KeyDeletionTest, DeleteInvalidKey) {
7314 // Generate key just to check if rollback protection is implemented
7315 auto error = GenerateKey(AuthorizationSetBuilder()
7316 .RsaSigningKey(2048, 65537)
7317 .Digest(Digest::NONE)
7318 .Padding(PaddingMode::NONE)
7319 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7320 .Authorization(TAG_ROLLBACK_RESISTANCE)
7321 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7322 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7323 GTEST_SKIP() << "Rollback resistance not supported";
7324 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7325
7326 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7327 ASSERT_EQ(ErrorCode::OK, error);
7328 AuthorizationSet enforced(SecLevelAuthorizations());
7329 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7330
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7331 // Delete the key we don't care about the result at this point.
7332 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7333
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7334 // Now create an invalid key blob and delete it.
7335 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7336
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7337 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7338}
7339
7340/**
7341 * KeyDeletionTest.DeleteAllKeys
7342 *
7343 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
7344 *
7345 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
7346 * FBE/FDE encryption keys, which means that the device will not even boot until after the
7347 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
7348 * been provisioned. Use this test only on dedicated testing devices that have no valuable
7349 * credentials stored in Keystore/Keymint.
7350 */
7351TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7352 if (!arm_deleteAllKeys) {
7353 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
7354 return;
7355 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7356 auto error = GenerateKey(AuthorizationSetBuilder()
7357 .RsaSigningKey(2048, 65537)
7358 .Digest(Digest::NONE)
7359 .Padding(PaddingMode::NONE)
7360 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]7361 .Authorization(TAG_ROLLBACK_RESISTANCE)
7362 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7363 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7364 GTEST_SKIP() << "Rollback resistance not supported";
7365 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7366
7367 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7368 ASSERT_EQ(ErrorCode::OK, error);
7369 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7370 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7371
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7372 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7373
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7374 string message = "12345678901234567890123456789012";
7375 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7376
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7377 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
7378 Begin(KeyPurpose::SIGN, key_blob_,
7379 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
7380 &begin_out_params));
7381 AbortIfNeeded();
7382 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7383}
7384
7385INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
7386
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7387typedef KeyMintAidlTestBase KeyUpgradeTest;
7388
7389/**
7390 * KeyUpgradeTest.UpgradeInvalidKey
7391 *
7392 * This test checks that the HAL excepts invalid key blobs..
7393 */
7394TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
7395 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
7396
7397 std::vector<uint8_t> new_blob;
7398 Status result = keymint_->upgradeKey(key_blob,
7399 AuthorizationSetBuilder()
7400 .Authorization(TAG_APPLICATION_ID, "clientid")
7401 .Authorization(TAG_APPLICATION_DATA, "appdata")
7402 .vector_data(),
7403 &new_blob);
7404 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
7405}
7406
7407INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
7408
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7409using UpgradeKeyTest = KeyMintAidlTestBase;
7410
7411/*
7412 * UpgradeKeyTest.UpgradeKey
7413 *
7414 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
7415 */
7416TEST_P(UpgradeKeyTest, UpgradeKey) {
7417 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7418 .AesEncryptionKey(128)
7419 .Padding(PaddingMode::NONE)
7420 .Authorization(TAG_NO_AUTH_REQUIRED)));
7421
7422 auto result = UpgradeKey(key_blob_);
7423
7424 // Key doesn't need upgrading. Should get okay, but no new key blob.
7425 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
7426}
7427
7428INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
7429
7430using ClearOperationsTest = KeyMintAidlTestBase;
7431
7432/*
7433 * ClearSlotsTest.TooManyOperations
7434 *
7435 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
7436 * operations are started without being finished or aborted. Also verifies
7437 * that aborting the operations clears the operations.
7438 *
7439 */
7440TEST_P(ClearOperationsTest, TooManyOperations) {
7441 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7442 .Authorization(TAG_NO_AUTH_REQUIRED)
7443 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7444 .Padding(PaddingMode::NONE)
7445 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7446
7447 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
7448 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]7449 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7450 AuthorizationSet out_params;
7451 ErrorCode result;
7452 size_t i;
7453
7454 for (i = 0; i < max_operations; i++) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7455 result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7456 if (ErrorCode::OK != result) {
7457 break;
7458 }
7459 }
7460 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
7461 // Try again just in case there's a weird overflow bug
7462 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7463 Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7464 for (size_t j = 0; j < i; j++) {
7465 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
7466 << "Aboort failed for i = " << j << std::endl;
7467 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7468 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7469 AbortIfNeeded();
7470}
7471
7472INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
7473
7474typedef KeyMintAidlTestBase TransportLimitTest;
7475
7476/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7477 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7478 *
7479 * Verifies that passing input data to finish succeeds as expected.
7480 */
7481TEST_P(TransportLimitTest, LargeFinishInput) {
7482 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7483 .Authorization(TAG_NO_AUTH_REQUIRED)
7484 .AesEncryptionKey(128)
7485 .BlockMode(BlockMode::ECB)
7486 .Padding(PaddingMode::NONE)));
7487
7488 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
7489 auto cipher_params =
7490 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7491
7492 AuthorizationSet out_params;
7493 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
7494
7495 string plain_message = std::string(1 << msg_size, 'x');
7496 string encrypted_message;
7497 auto rc = Finish(plain_message, &encrypted_message);
7498
7499 EXPECT_EQ(ErrorCode::OK, rc);
7500 EXPECT_EQ(plain_message.size(), encrypted_message.size())
7501 << "Encrypt finish returned OK, but did not consume all of the given input";
7502 cipher_params.push_back(out_params);
7503
7504 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
7505
7506 string decrypted_message;
7507 rc = Finish(encrypted_message, &decrypted_message);
7508 EXPECT_EQ(ErrorCode::OK, rc);
7509 EXPECT_EQ(plain_message.size(), decrypted_message.size())
7510 << "Decrypt finish returned OK, did not consume all of the given input";
7511 }
7512}
7513
7514INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
7515
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]7516static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7517 switch (curve) {
7518 case EcCurve::P_224:
7519 return NID_secp224r1;
7520 case EcCurve::P_256:
7521 return NID_X9_62_prime256v1;
7522 case EcCurve::P_384:
7523 return NID_secp384r1;
7524 case EcCurve::P_521:
7525 return NID_secp521r1;
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]7526 case EcCurve::CURVE_25519:
7527 return NID_X25519;
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7528 }
7529}
7530
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7531class KeyAgreementTest : public KeyMintAidlTestBase {
7532 protected:
7533 void GenerateLocalEcKey(EcCurve localCurve, EVP_PKEY_Ptr* localPrivKey,
7534 std::vector<uint8_t>* localPublicKey) {
7535 // Generate EC key locally (with access to private key material)
7536 if (localCurve == EcCurve::CURVE_25519) {
7537 uint8_t privKeyData[32];
7538 uint8_t pubKeyData[32];
7539 X25519_keypair(pubKeyData, privKeyData);
7540 *localPublicKey = vector<uint8_t>(pubKeyData, pubKeyData + 32);
7541 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new_raw_private_key(
7542 EVP_PKEY_X25519, nullptr, privKeyData, sizeof(privKeyData)));
7543 } else {
7544 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
7545 int curveName = EcdhCurveToOpenSslCurveName(localCurve);
7546 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
7547 ASSERT_NE(group, nullptr);
7548 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
7549 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
7550 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new());
7551 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(localPrivKey->get(), ecKey.get()), 1);
7552
7553 // Get encoded form of the public part of the locally generated key...
7554 unsigned char* p = nullptr;
7555 int localPublicKeySize = i2d_PUBKEY(localPrivKey->get(), &p);
7556 ASSERT_GT(localPublicKeySize, 0);
7557 *localPublicKey =
7558 vector<uint8_t>(reinterpret_cast<const uint8_t*>(p),
7559 reinterpret_cast<const uint8_t*>(p + localPublicKeySize));
7560 OPENSSL_free(p);
7561 }
7562 }
7563
7564 void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
7565 vector<uint8_t> challenge = {0x41, 0x42};
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]7566 auto builder = AuthorizationSetBuilder()
7567 .Authorization(TAG_NO_AUTH_REQUIRED)
7568 .Authorization(TAG_EC_CURVE, curve)
7569 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
7570 .Authorization(TAG_ALGORITHM, Algorithm::EC)
7571 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
7572 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
7573 .SetDefaultValidity();
7574 ErrorCode result = GenerateKey(builder);
7575
7576 if (SecLevel() == SecurityLevel::STRONGBOX) {
7577 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
7578 result = GenerateKeyWithSelfSignedAttestKey(
7579 AuthorizationSetBuilder()
7580 .EcdsaKey(EcCurve::P_256)
7581 .AttestKey()
7582 .SetDefaultValidity(), /* attest key params */
7583 builder, &key_blob_, &key_characteristics_, &cert_chain_);
7584 }
7585 }
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7586 ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
7587 ASSERT_GT(cert_chain_.size(), 0);
7588 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
7589 ASSERT_NE(kmKeyCert, nullptr);
7590 // Check that keyAgreement (bit 4) is set in KeyUsage
7591 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
7592 *kmPubKey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
7593 ASSERT_NE(*kmPubKey, nullptr);
7594 if (dump_Attestations) {
7595 for (size_t n = 0; n < cert_chain_.size(); n++) {
7596 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
7597 }
7598 }
7599 }
7600
7601 void CheckAgreement(EVP_PKEY_Ptr kmPubKey, EVP_PKEY_Ptr localPrivKey,
7602 const std::vector<uint8_t>& localPublicKey) {
7603 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7604 string ZabFromKeyMintStr;
7605 ASSERT_EQ(ErrorCode::OK,
7606 Finish(string(localPublicKey.begin(), localPublicKey.end()), &ZabFromKeyMintStr));
7607 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
7608 vector<uint8_t> ZabFromTest;
7609
7610 if (EVP_PKEY_id(kmPubKey.get()) == EVP_PKEY_X25519) {
7611 size_t kmPubKeySize = 32;
7612 uint8_t kmPubKeyData[32];
7613 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
7614 ASSERT_EQ(kmPubKeySize, 32);
7615
7616 uint8_t localPrivKeyData[32];
7617 size_t localPrivKeySize = 32;
7618 ASSERT_EQ(1, EVP_PKEY_get_raw_private_key(localPrivKey.get(), localPrivKeyData,
7619 &localPrivKeySize));
7620 ASSERT_EQ(localPrivKeySize, 32);
7621
7622 uint8_t sharedKey[32];
7623 ASSERT_EQ(1, X25519(sharedKey, localPrivKeyData, kmPubKeyData));
7624 ZabFromTest = std::vector<uint8_t>(sharedKey, sharedKey + 32);
7625 } else {
7626 // Perform local ECDH between the two keys so we can check if we get the same Zab..
7627 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(localPrivKey.get(), nullptr));
7628 ASSERT_NE(ctx, nullptr);
7629 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
7630 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPubKey.get()), 1);
7631 size_t ZabFromTestLen = 0;
7632 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
7633 ZabFromTest.resize(ZabFromTestLen);
7634 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
7635 }
7636 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
7637 }
7638};
7639
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7640/*
7641 * KeyAgreementTest.Ecdh
7642 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7643 * Verifies that ECDH works for all required curves
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7644 */
7645TEST_P(KeyAgreementTest, Ecdh) {
7646 // Because it's possible to use this API with keys on different curves, we
7647 // check all N^2 combinations where N is the number of supported
7648 // curves.
7649 //
7650 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
7651 // lot more curves we can be smart about things and just pick |otherCurve| so
7652 // it's not |curve| and that way we end up with only 2*N runs
7653 //
7654 for (auto curve : ValidCurves()) {
7655 for (auto localCurve : ValidCurves()) {
7656 // Generate EC key locally (with access to private key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7657 EVP_PKEY_Ptr localPrivKey;
7658 vector<uint8_t> localPublicKey;
7659 GenerateLocalEcKey(localCurve, &localPrivKey, &localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7660
7661 // Generate EC key in KeyMint (only access to public key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7662 EVP_PKEY_Ptr kmPubKey;
7663 GenerateKeyMintEcKey(curve, &kmPubKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7664
7665 // Now that we have the two keys, we ask KeyMint to perform ECDH...
7666 if (curve != localCurve) {
7667 // If the keys are using different curves KeyMint should fail with
7668 // ErrorCode:INVALID_ARGUMENT. Check that.
7669 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7670 string ZabFromKeyMintStr;
7671 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7672 Finish(string(localPublicKey.begin(), localPublicKey.end()),
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7673 &ZabFromKeyMintStr));
7674
7675 } else {
7676 // Otherwise if the keys are using the same curve, it should work.
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7677 CheckAgreement(std::move(kmPubKey), std::move(localPrivKey), localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7678 }
7679
7680 CheckedDeleteKey();
7681 }
7682 }
7683}
7684
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7685/*
7686 * KeyAgreementTest.EcdhCurve25519
7687 *
7688 * Verifies that ECDH works for curve25519. This is also covered by the general
7689 * KeyAgreementTest.Ecdh case, but is pulled out separately here because this curve was added after
7690 * KeyMint 1.0.
7691 */
7692TEST_P(KeyAgreementTest, EcdhCurve25519) {
7693 if (!Curve25519Supported()) {
7694 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7695 }
7696
7697 // Generate EC key in KeyMint (only access to public key material)
7698 EcCurve curve = EcCurve::CURVE_25519;
7699 EVP_PKEY_Ptr kmPubKey = nullptr;
7700 GenerateKeyMintEcKey(curve, &kmPubKey);
7701
7702 // Generate EC key on same curve locally (with access to private key material).
7703 EVP_PKEY_Ptr privKey;
7704 vector<uint8_t> encodedPublicKey;
7705 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7706
7707 // Agree on a key between local and KeyMint and check it.
7708 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
7709
7710 CheckedDeleteKey();
7711}
7712
7713/*
7714 * KeyAgreementTest.EcdhCurve25519Imported
7715 *
7716 * Verifies that ECDH works for an imported curve25519 key.
7717 */
7718TEST_P(KeyAgreementTest, EcdhCurve25519Imported) {
7719 if (!Curve25519Supported()) {
7720 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7721 }
7722
7723 // Import x25519 key into KeyMint.
7724 EcCurve curve = EcCurve::CURVE_25519;
7725 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
7726 .Authorization(TAG_NO_AUTH_REQUIRED)
7727 .EcdsaKey(EcCurve::CURVE_25519)
7728 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
7729 .SetDefaultValidity(),
7730 KeyFormat::PKCS8, x25519_pkcs8_key));
7731 ASSERT_GT(cert_chain_.size(), 0);
7732 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
7733 ASSERT_NE(kmKeyCert, nullptr);
7734 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
7735 ASSERT_NE(kmPubKey.get(), nullptr);
7736
7737 // Expect the import to emit corresponding public key data.
7738 size_t kmPubKeySize = 32;
7739 uint8_t kmPubKeyData[32];
7740 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
7741 ASSERT_EQ(kmPubKeySize, 32);
7742 EXPECT_EQ(bin2hex(std::vector<uint8_t>(kmPubKeyData, kmPubKeyData + 32)),
7743 bin2hex(std::vector<uint8_t>(x25519_pubkey.begin(), x25519_pubkey.end())));
7744
7745 // Generate EC key on same curve locally (with access to private key material).
7746 EVP_PKEY_Ptr privKey;
7747 vector<uint8_t> encodedPublicKey;
7748 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7749
7750 // Agree on a key between local and KeyMint and check it.
7751 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
7752
7753 CheckedDeleteKey();
7754}
7755
7756/*
7757 * KeyAgreementTest.EcdhCurve25519InvalidSize
7758 *
7759 * Verifies that ECDH fails for curve25519 if the wrong size of public key is provided.
7760 */
7761TEST_P(KeyAgreementTest, EcdhCurve25519InvalidSize) {
7762 if (!Curve25519Supported()) {
7763 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7764 }
7765
7766 // Generate EC key in KeyMint (only access to public key material)
7767 EcCurve curve = EcCurve::CURVE_25519;
7768 EVP_PKEY_Ptr kmPubKey = nullptr;
7769 GenerateKeyMintEcKey(curve, &kmPubKey);
7770
7771 // Generate EC key on same curve locally (with access to private key material).
7772 EVP_PKEY_Ptr privKey;
7773 vector<uint8_t> encodedPublicKey;
7774 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7775
7776 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7777 string ZabFromKeyMintStr;
7778 // Send in an incomplete public key.
7779 ASSERT_NE(ErrorCode::OK, Finish(string(encodedPublicKey.begin(), encodedPublicKey.end() - 1),
7780 &ZabFromKeyMintStr));
7781
7782 CheckedDeleteKey();
7783}
7784
7785/*
7786 * KeyAgreementTest.EcdhCurve25519Mismatch
7787 *
7788 * Verifies that ECDH fails between curve25519 and other curves.
7789 */
7790TEST_P(KeyAgreementTest, EcdhCurve25519Mismatch) {
7791 if (!Curve25519Supported()) {
7792 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7793 }
7794
7795 // Generate EC key in KeyMint (only access to public key material)
7796 EcCurve curve = EcCurve::CURVE_25519;
7797 EVP_PKEY_Ptr kmPubKey = nullptr;
7798 GenerateKeyMintEcKey(curve, &kmPubKey);
7799
7800 for (auto localCurve : ValidCurves()) {
7801 if (localCurve == curve) {
7802 continue;
7803 }
7804 // Generate EC key on a different curve locally (with access to private key material).
7805 EVP_PKEY_Ptr privKey;
7806 vector<uint8_t> encodedPublicKey;
7807 GenerateLocalEcKey(localCurve, &privKey, &encodedPublicKey);
7808
7809 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7810 string ZabFromKeyMintStr;
7811 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
7812 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
7813 &ZabFromKeyMintStr));
7814 }
7815
7816 CheckedDeleteKey();
7817}
7818
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7819INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
7820
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7821using DestroyAttestationIdsTest = KeyMintAidlTestBase;
7822
7823// This is a problematic test, as it can render the device under test permanently unusable.
7824// Re-enable and run at your own risk.
7825TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
7826 auto result = DestroyAttestationIds();
7827 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
7828}
7829
7830INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
7831
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7832using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7833
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7834/*
7835 * EarlyBootKeyTest.CreateEarlyBootKeys
7836 *
7837 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
7838 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7839TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7840 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7841 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7842 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
7843
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7844 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
7845 ASSERT_GT(keyData.blob.size(), 0U);
7846 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
7847 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
7848 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7849 CheckedDeleteKey(&aesKeyData.blob);
7850 CheckedDeleteKey(&hmacKeyData.blob);
7851 CheckedDeleteKey(&rsaKeyData.blob);
7852 CheckedDeleteKey(&ecdsaKeyData.blob);
7853}
7854
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7855/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7856 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
7857 *
7858 * Verifies that creating an early boot key with attestation succeeds.
7859 */
7860TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
7861 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
7862 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
7863 builder->AttestationChallenge("challenge");
7864 builder->AttestationApplicationId("app_id");
7865 });
7866
7867 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7868 // Strongbox may not support factory attestation. Key creation might fail with
7869 // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
7870 if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
7871 continue;
7872 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7873 ASSERT_GT(keyData.blob.size(), 0U);
7874 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
7875 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
7876 }
7877 CheckedDeleteKey(&aesKeyData.blob);
7878 CheckedDeleteKey(&hmacKeyData.blob);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7879 if (rsaKeyData.blob.size() != 0U) {
7880 CheckedDeleteKey(&rsaKeyData.blob);
7881 }
7882 if (ecdsaKeyData.blob.size() != 0U) {
7883 CheckedDeleteKey(&ecdsaKeyData.blob);
7884 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7885}
7886
7887/*
7888 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7889 *
7890 * Verifies that using early boot keys at a later stage fails.
7891 */
7892TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
7893 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7894 .Authorization(TAG_NO_AUTH_REQUIRED)
7895 .Authorization(TAG_EARLY_BOOT_ONLY)
7896 .HmacKey(128)
7897 .Digest(Digest::SHA_2_256)
7898 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
7899 AuthorizationSet output_params;
7900 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
7901 AuthorizationSetBuilder()
7902 .Digest(Digest::SHA_2_256)
7903 .Authorization(TAG_MAC_LENGTH, 256),
7904 &output_params));
7905}
7906
7907/*
7908 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
7909 *
7910 * Verifies that importing early boot keys fails.
7911 */
7912TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
7913 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
7914 .Authorization(TAG_NO_AUTH_REQUIRED)
7915 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]7916 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7917 .Digest(Digest::SHA_2_256)
7918 .SetDefaultValidity(),
7919 KeyFormat::PKCS8, ec_256_key));
7920}
7921
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7922// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7923// boot stage, which no proper Android device is by the time we can run VTS. To use this,
7924// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
7925// early boot, so you'll have to reboot between runs.
7926TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
7927 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7928 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
7929 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
7930 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7931 EXPECT_TRUE(
7932 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7933 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7934 EXPECT_TRUE(
7935 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7936
7937 // Should be able to use keys, since early boot has not ended
7938 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
7939 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
7940 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
7941 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
7942
7943 // End early boot
7944 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
7945 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
7946
7947 // Should not be able to use already-created keys.
7948 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
7949 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
7950 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
7951 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
7952
7953 CheckedDeleteKey(&aesKeyData.blob);
7954 CheckedDeleteKey(&hmacKeyData.blob);
7955 CheckedDeleteKey(&rsaKeyData.blob);
7956 CheckedDeleteKey(&ecdsaKeyData.blob);
7957
7958 // Should not be able to create new keys
7959 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
7960 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
7961
7962 CheckedDeleteKey(&aesKeyData.blob);
7963 CheckedDeleteKey(&hmacKeyData.blob);
7964 CheckedDeleteKey(&rsaKeyData.blob);
7965 CheckedDeleteKey(&ecdsaKeyData.blob);
7966}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7967
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7968INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
7969
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7970using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7971
7972// This may be a problematic test. It can't be run repeatedly without unlocking the device in
7973// between runs... and on most test devices there are no enrolled credentials so it can't be
7974// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
7975// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
7976// a manual test process, which includes unlocking between runs, which is why it's included here.
7977// Well, that and the fact that it's the only test we can do without also making calls into the
7978// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
7979// implications might be, so that may or may not be a solution.
7980TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
7981 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7982 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
7983
7984 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
7985 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
7986 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
7987 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
7988
7989 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7990 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7991 ASSERT_EQ(ErrorCode::OK, rc);
7992 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
7993 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
7994 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
7995 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
7996
7997 CheckedDeleteKey(&aesKeyData.blob);
7998 CheckedDeleteKey(&hmacKeyData.blob);
7999 CheckedDeleteKey(&rsaKeyData.blob);
8000 CheckedDeleteKey(&ecdsaKeyData.blob);
8001}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]8002
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]8003INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
8004
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]8005} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8006
8007int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8008 std::cout << "Testing ";
8009 auto halInstances =
8010 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
8011 std::cout << "HAL instances:\n";
8012 for (auto& entry : halInstances) {
8013 std::cout << " " << entry << '\n';
8014 }
8015
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8016 ::testing::InitGoogleTest(&argc, argv);
8017 for (int i = 1; i < argc; ++i) {
8018 if (argv[i][0] == '-') {
8019 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8020 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8021 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8022 }
8023 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]8024 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
8025 dump_Attestations = true;
8026 } else {
8027 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8028 }
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]8029 if (std::string(argv[i]) == "--skip_boot_pl_check") {
8030 // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
8031 // be run in emulated environments that don't have the normal bootloader
8032 // interactions.
8033 aidl::android::hardware::security::keymint::test::check_boot_pl = false;
8034 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8035 }
8036 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]8037 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]8038}