Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 19c7c575f08c0c76e511959d1604887659dd3d5c / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 5dcfcaaa636ae5290412b4fdb194076794887cb8 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
21#include <iostream>
22
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]23#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]24#include <openssl/evp.h>
25#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27
28#include <cutils/properties.h>
29
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]30#include <android/binder_manager.h>
31
32#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]33#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]34
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]35#include <keymint_support/key_param_output.h>
36#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]37
38#include "KeyMintAidlTestBase.h"
39
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]40using aidl::android::hardware::security::keymint::AuthorizationSet;
41using aidl::android::hardware::security::keymint::KeyCharacteristics;
42using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]43
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]44namespace std {
45
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]46using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47
48template <>
49struct std::equal_to<KeyCharacteristics> {
50 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]51 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]52
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]53 // this isn't very efficient. Oh, well.
54 AuthorizationSet a_auths(a.authorizations);
55 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]56
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]57 a_auths.Sort();
58 b_auths.Sort();
59
60 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]61 }
62};
63
64} // namespace std
65
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]66namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]67
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]68namespace {
69
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]70bool check_patchLevels = false;
71
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]72template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]73bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
74 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]75 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]76 if (auto p = authorizationValue(ttag, param)) {
77 return *p == expected_value;
78 }
79 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]80 });
81 return (it != set.end());
82}
83
84template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]85bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]86 auto it = std::find_if(set.begin(), set.end(),
87 [&](const KeyParameter& param) { return param.tag == tag; });
88 return (it != set.end());
89}
90
91constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
92 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
93 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
94 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
95 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
96 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
97 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
98 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
99 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
100 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
101 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
102 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
103 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
104 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
107
108string hex2str(string a) {
109 string b;
110 size_t num = a.size() / 2;
111 b.resize(num);
112 for (size_t i = 0; i < num; i++) {
113 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
114 }
115 return b;
116}
117
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]118string rsa_key = hex2str(
119 // RFC 5208 s5
120 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
121 "020100" // INTEGER length 1 value 0x00 (version)
122 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
123 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
124 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
125 "0500" // NULL (parameters)
126 // } end SEQUENCE (AlgorithmIdentifier)
127 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
128 // RFC 8017 A.1.2
129 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
130 "020100" // INTEGER length 1 value 0x00 (version)
131 "028181" // INTEGER length 0x81 value (modulus) ...
132 "00c6095409047d8634812d5a218176e4"
133 "5c41d60a75b13901f234226cffe77652"
134 "1c5a77b9e389417b71c0b6a44d13afe4"
135 "e4a2805d46c9da2935adb1ff0c1f24ea"
136 "06e62b20d776430a4d435157233c6f91"
137 "6783c30e310fcbd89b85c2d567711697"
138 "85ac12bca244abda72bfb19fc44d27c8"
139 "1e1d92de284f4061edfd99280745ea6d"
140 "25"
141 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
142 "028180" // INTEGER length 0x80 (privateExponent) value...
143 "1be0f04d9cae3718691f035338308e91"
144 "564b55899ffb5084d2460e6630257e05"
145 "b3ceab02972dfabcd6ce5f6ee2589eb6"
146 "7911ed0fac16e43a444b8c861e544a05"
147 "93365772f8baf6b22fc9e3c5f1024b06"
148 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
149 "ace7240290bef16c0b3f7f3cdd64ce3a"
150 "b5912cf6e32f39ab188358afcccd8081"
151 "0241" // INTEGER length 0x41 (prime1)
152 "00e4b49ef50f765d3b24dde01aceaaf1"
153 "30f2c76670a91a61ae08af497b4a82be"
154 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
155 "8c92bfab137fba2285227b83c342ff7c"
156 "55"
157 "0241" // INTEGER length 0x41 (prime2)
158 "00ddabb5839c4c7f6bf3d4183231f005"
159 "b31aa58affdda5c79e4cce217f6bc930"
160 "dbe563d480706c24e9ebfcab28a6cdef"
161 "d324b77e1bf7251b709092c24ff501fd"
162 "91"
163 "0240" // INTEGER length 0x40 (exponent1)
164 "23d4340eda3445d8cd26c14411da6fdc"
165 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
166 "842c1d280405bc2f6c1bea214a1d742a"
167 "b996b35b63a82a5e470fa88dbf823cdd"
168 "0240" // INTEGER length 0x40 (exponent2)
169 "1b7b57449ad30d1518249a5f56bb9829"
170 "4d4b6ac12ffc86940497a5a5837a6cf9"
171 "46262b494526d328c11e1126380fde04"
172 "c24f916dec250892db09a6d77cdba351"
173 "0240" // INTEGER length 0x40 (coefficient)
174 "7762cd8f4d050da56bd591adb515d24d"
175 "7ccd32cca0d05f866d583514bd7324d5"
176 "f33645e8ed8b4a1cb3cc4a1d67987399"
177 "f2a09f5b3fb68c88d5e5d90ac33492d6"
178 // } end SEQUENCE (PrivateKey)
179 // } end SEQUENCE (PrivateKeyInfo)
180);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]181
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]182/*
183 * DER-encoded PKCS#8 format RSA key. Generated using:
184 *
185 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
186 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]187string rsa_2048_key = hex2str(
188 // RFC 5208 s5
189 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
190 "020100" // INTEGER length 1 value 0x00 (version)
191 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
192 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
193 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
194 "0500" // NULL (parameters)
195 // } end SEQUENCE (AlgorithmIdentifier)
196 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
197 // RFC 8017 A.1.2
198 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
199 "020100" // INTEGER length 1 value 0x00 (version)
200 "02820101" // INTEGER length 0x101 value (modulus) ...
201 "00BEBC342B56D443B1299F9A6A7056E8"
202 "0A897E318476A5A18029E63B2ED739A6"
203 "1791D339F58DC763D9D14911F2EDEC38"
204 "3DEE11F6319B44510E7A3ECD9B79B973"
205 "82E49500ACF8117DC89CAF0E621F7775"
206 "6554A2FD4664BFE7AB8B59AB48340DBF"
207 "A27B93B5A81F6ECDEB02D0759307128D"
208 "F3E3BAD4055C8B840216DFAA5700670E"
209 "6C5126F0962FCB70FF308F25049164CC"
210 "F76CC2DA66A7DD9A81A714C2809D6918"
211 "6133D29D84568E892B6FFBF3199BDB14"
212 "383EE224407F190358F111A949552ABA"
213 "6714227D1BD7F6B20DD0CB88F9467B71"
214 "9339F33BFF35B3870B3F62204E4286B0"
215 "948EA348B524544B5F9838F29EE643B0"
216 "79EEF8A713B220D7806924CDF7295070"
217 "C5"
218 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
219 "02820100" // INTEGER length 0x100 (privateExponent) value...
220 "69F377F35F2F584EF075353CCD1CA997"
221 "38DB3DBC7C7FF35F9366CE176DFD1B13"
222 "5AB10030344ABF5FBECF1D4659FDEF1C"
223 "0FC430834BE1BE3911951377BB3D563A"
224 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
225 "2686C7B4B3C09A7B8354133E6F93F790"
226 "D59EAEB92E84C9A4339302CCE28FDF04"
227 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
228 "6AB706645BF074A4E4090D06FB163124"
229 "365FD5EE7A20D350E9958CC30D91326E"
230 "1B292E9EF5DB408EC42DAF737D201497"
231 "04D0A678A0FB5B5446863B099228A352"
232 "D604BA8091A164D01D5AB05397C71EAD"
233 "20BE2A08FC528FE442817809C787FEE4"
234 "AB97F97B9130D022153EDC6EB6CBE7B0"
235 "F8E3473F2E901209B5DB10F93604DB01"
236 "028181" // INTEGER length 0x81 (prime1)
237 "00E83C0998214941EA4F9293F1B77E2E"
238 "99E6CF305FAF358238E126124FEAF2EB"
239 "9724B2EA7B78E6032343821A80E55D1D"
240 "88FB12D220C3F41A56142FEC85796D19"
241 "17F1E8C774F142B67D3D6E7B7E6B4383"
242 "E94DB5929089DBB346D5BDAB40CC2D96"
243 "EE0409475E175C63BF78CFD744136740"
244 "838127EA723FF3FE7FA368C1311B4A4E"
245 "05"
246 "028181" // INTEGER length 0x81 (prime2)
247 "00D240FCC0F5D7715CDE21CB2DC86EA1"
248 "46132EA3B06F61FF2AF54BF38473F59D"
249 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
250 "B1B58C39F95E4798CCBB43E83D0119AC"
251 "F532F359CA743C85199F0286610E2009"
252 "97D7312917179AC9B67558773212EC96"
253 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
254 "94D94E066A0900B7B70E82A44FB30053"
255 "C1"
256 "028181" // INTEGER length 0x81 (exponent1)
257 "00AD15DA1CBD6A492B66851BA8C316D3"
258 "8AB700E2CFDDD926A658003513C54BAA"
259 "152B30021D667D20078F500F8AD3E7F3"
260 "945D74A891ED1A28EAD0FEEAEC8C14A8"
261 "E834CF46A13D1378C99D18940823CFDD"
262 "27EC5810D59339E0C34198AC638E09C8"
263 "7CBB1B634A9864AE9F4D5EB2D53514F6"
264 "7B4CAEC048C8AB849A02E397618F3271"
265 "35"
266 "028180" // INTEGER length 0x80 (exponent2)
267 "1FA2C1A5331880A92D8F3E281C617108"
268 "BF38244F16E352E69ED417C7153F9EC3"
269 "18F211839C643DCF8B4DD67CE2AC312E"
270 "95178D5D952F06B1BF779F4916924B70"
271 "F582A23F11304E02A5E7565AE22A35E7"
272 "4FECC8B6FDC93F92A1A37703E4CF0E63"
273 "783BD02EB716A7ECBBFA606B10B74D01"
274 "579522E7EF84D91FC522292108D902C1"
275 "028180" // INTEGER length 0x80 (coefficient)
276 "796FE3825F9DCC85DF22D58690065D93"
277 "898ACD65C087BEA8DA3A63BF4549B795"
278 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
279 "0D74F40DED8E1102C52152A31B6165F8"
280 "3A6722AECFCC35A493D7634664B888A0"
281 "8D3EB034F12EA28BFEE346E205D33482"
282 "7F778B16ED40872BD29FCB36536B6E93"
283 "FFB06778696B4A9D81BB0A9423E63DE5"
284 // } end SEQUENCE (PrivateKey)
285 // } end SEQUENCE (PrivateKeyInfo)
286);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]287
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]288string ec_256_key = hex2str(
289 // RFC 5208 s5
290 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
291 "020100" // INTEGER length 1 value 0 (version)
292 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
293 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
294 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
295 "0608" // OBJECT IDENTIFIER length 8 (param)
296 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
297 // } end SEQUENCE (AlgorithmIdentifier)
298 "046d" // OCTET STRING length 0x6d (privateKey) holding...
299 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
300 "020101" // INTEGER length 1 value 1 (version)
301 "0420" // OCTET STRING length 0x20 (privateKey)
302 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
303 "941eed09366bc03299986481f3a4d859"
304 "a144" // TAG [1] len 0x44 (publicKey) {
305 "03420004bf85d7720d07c25461683bc6"
306 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
307 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
308 "bcc41c6eb00083cf3376d11fd44949e0"
309 "b2183bfe"
310 // } end SEQUENCE (ECPrivateKey)
311 // } end SEQUENCE (PrivateKeyInfo)
312);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]313
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]314string ec_521_key = hex2str(
315 // RFC 5208 s5
316 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
317 "020100" // INTEGER length 1 value 0 (version)
318 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
319 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
320 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
321 "0605" // OBJECT IDENTIFIER length 5 (param)
322 "2B81040023" // 1.3.132.0.35 (secp521r1)
323 // } end SEQUENCE (AlgorithmIdentifier)
324 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
325 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
326 "020101" // INTEGER length 1 value 1 (version)
327 "0442" // OCTET STRING length 0x42 (privateKey)
328 "0011458C586DB5DAA92AFAB03F4FE46A"
329 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
330 "9D18D7D08B5BCFA0E53C75B064AD51C4"
331 "49BAE0258D54B94B1E885DED08ED4FB2"
332 "5CE9"
333 "A18189" // TAG [1] len 0x89 (publicKey) {
334 "03818600040149EC11C6DF0FA122C6A9"
335 "AFD9754A4FA9513A627CA329E349535A"
336 "5629875A8ADFBE27DCB932C051986377"
337 "108D054C28C6F39B6F2C9AF81802F9F3"
338 "26B842FF2E5F3C00AB7635CFB36157FC"
339 "0882D574A10D839C1A0C049DC5E0D775"
340 "E2EE50671A208431BB45E78E70BEFE93"
341 "0DB34818EE4D5C26259F5C6B8E28A652"
342 "950F9F88D7B4B2C9D9"
343 // } end SEQUENCE (ECPrivateKey)
344 // } end SEQUENCE (PrivateKeyInfo)
345);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]346
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]347string ec_256_key_rfc5915 = hex2str(
348 // RFC 5208 s5
349 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
350 "020100" // INTEGER length 1 value 0 (version)
351 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
352 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
353 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
354 "0608" // OBJECT IDENTIFIER length 8 (param)
355 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
356 // } end SEQUENCE (AlgorithmIdentifier)
357 "0479" // OCTET STRING length 0x79 (privateKey) holding...
358 // RFC 5915 s3
359 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
360 "020101" // INTEGER length 1 value 1 (version)
361 "0420" // OCTET STRING length 0x42 (privateKey)
362 "782370a8c8ce5537baadd04dcff079c8"
363 "158cfa9c67b818b38e8d21c9fa750c1d"
364 "a00a" // TAG [0] length 0xa (parameters)
365 "0608" // OBJECT IDENTIFIER length 8
366 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
367 // } end TAG [0]
368 "a144" // TAG [1] length 0x44 (publicKey) {
369 "0342" // BIT STRING length 0x42
370 "00" // no pad bits
371 "04e2cc561ee701da0ad0ef0d176bb0c9"
372 "19d42e79c393fdc1bd6c4010d85cf2cf"
373 "8e68c905464666f98dad4f01573ba810"
374 "78b3428570a439ba3229fbc026c55068"
375 "2f"
376 // } end SEQUENCE (ECPrivateKey)
377 // } end SEQUENCE (PrivateKeyInfo)
378);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]379
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]380string ec_256_key_sec1 = hex2str(
381 // RFC 5208 s5
382 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
383 "020100" // INTEGER length 1 value 0 (version)
384 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
385 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
386 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
387 "0608" // OBJECT IDENTIFIER length 8 (param)
388 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
389 // } end SEQUENCE (AlgorithmIdentifier)
390 "046d" // OCTET STRING length 0x6d (privateKey) holding...
391 // SEC1-v2 C.4
392 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
393 "020101" // INTEGER length 1 value 0x01 (version)
394 "0420" // OCTET STRING length 0x20 (privateKey)
395 "782370a8c8ce5537baadd04dcff079c8"
396 "158cfa9c67b818b38e8d21c9fa750c1d"
397 "a144" // TAG [1] length 0x44 (publicKey) {
398 "0342" // BIT STRING length 0x42
399 "00" // no pad bits
400 "04e2cc561ee701da0ad0ef0d176bb0c9"
401 "19d42e79c393fdc1bd6c4010d85cf2cf"
402 "8e68c905464666f98dad4f01573ba810"
403 "78b3428570a439ba3229fbc026c55068"
404 "2f"
405 // } end TAG [1] (publicKey)
406 // } end SEQUENCE (PrivateKeyInfo)
407);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]408
409struct RSA_Delete {
410 void operator()(RSA* p) { RSA_free(p); }
411};
412
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]413std::string make_string(const uint8_t* data, size_t length) {
414 return std::string(reinterpret_cast<const char*>(data), length);
415}
416
417template <size_t N>
418std::string make_string(const uint8_t (&a)[N]) {
419 return make_string(a, N);
420}
421
422class AidlBuf : public vector<uint8_t> {
423 typedef vector<uint8_t> super;
424
425 public:
426 AidlBuf() {}
427 AidlBuf(const super& other) : super(other) {}
428 AidlBuf(super&& other) : super(std::move(other)) {}
429 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
430
431 AidlBuf& operator=(const super& other) {
432 super::operator=(other);
433 return *this;
434 }
435
436 AidlBuf& operator=(super&& other) {
437 super::operator=(std::move(other));
438 return *this;
439 }
440
441 AidlBuf& operator=(const string& other) {
442 resize(other.size());
443 for (size_t i = 0; i < other.size(); ++i) {
444 (*this)[i] = static_cast<uint8_t>(other[i]);
445 }
446 return *this;
447 }
448
449 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
450};
451
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]452string device_suffix(const string& name) {
453 size_t pos = name.find('/');
454 if (pos == string::npos) {
455 return name;
456 }
457 return name.substr(pos + 1);
458}
459
460bool matching_rp_instance(const string& km_name,
461 std::shared_ptr<IRemotelyProvisionedComponent>* rp) {
462 string km_suffix = device_suffix(km_name);
463
464 vector<string> rp_names =
465 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
466 for (const string& rp_name : rp_names) {
467 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
468 // KeyMint instance, assume they match.
469 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
470 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
471 *rp = IRemotelyProvisionedComponent::fromBinder(binder);
472 return true;
473 }
474 }
475 return false;
476}
477
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]478} // namespace
479
480class NewKeyGenerationTest : public KeyMintAidlTestBase {
481 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]482 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]483 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]484 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]485
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]486 // Check that some unexpected tags/values are NOT present.
487 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
488 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]489 }
490
491 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
492 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
493 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
494 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
495
496 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]497 }
498
499 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics) {
500 // TODO(swillden): Distinguish which params should be in which auth list.
501 AuthorizationSet auths;
502 for (auto& entry : keyCharacteristics) {
503 auths.push_back(AuthorizationSet(entry.authorizations));
504 }
505 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
506
507 // Verify that App data, ROT and auth timeout are NOT included.
508 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
509 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]510 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
511
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]512 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
513 // never adds it.
514 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
515
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]516 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]517 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]518 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]519 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]520 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]521 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]522 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]523
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]524 if (check_patchLevels) {
525 // Should include vendor and boot patchlevels.
526 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
527 EXPECT_TRUE(vendor_pl);
528 EXPECT_EQ(*vendor_pl, vendor_patch_level());
529 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
530 EXPECT_TRUE(boot_pl);
531 }
532
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]533 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]534 }
535};
536
537/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]538 * NewKeyGenerationTest.Aes
539 *
540 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
541 * have correct characteristics.
542 */
543TEST_P(NewKeyGenerationTest, Aes) {
544 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
545 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
546 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
547 SCOPED_TRACE(testing::Message()
548 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
549 vector<uint8_t> key_blob;
550 vector<KeyCharacteristics> key_characteristics;
551 auto builder = AuthorizationSetBuilder()
552 .AesEncryptionKey(key_size)
553 .BlockMode(block_mode)
554 .Padding(padding_mode)
555 .SetDefaultValidity();
556 if (block_mode == BlockMode::GCM) {
557 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
558 }
559 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
560
561 EXPECT_GT(key_blob.size(), 0U);
562 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]563 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]564
565 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
566
567 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
568 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
569 << "Key size " << key_size << "missing";
570
571 CheckedDeleteKey(&key_blob);
572 }
573 }
574 }
575}
576
577/*
578 * NewKeyGenerationTest.AesInvalidSize
579 *
580 * Verifies that specifying an invalid key size for AES key generation returns
581 * UNSUPPORTED_KEY_SIZE.
582 */
583TEST_P(NewKeyGenerationTest, AesInvalidSize) {
584 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
585 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
586 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
587 SCOPED_TRACE(testing::Message()
588 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
589 vector<uint8_t> key_blob;
590 vector<KeyCharacteristics> key_characteristics;
591 auto builder = AuthorizationSetBuilder()
592 .AesEncryptionKey(key_size)
593 .BlockMode(block_mode)
594 .Padding(padding_mode)
595 .SetDefaultValidity();
596 if (block_mode == BlockMode::GCM) {
597 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
598 }
599 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
600 GenerateKey(builder, &key_blob, &key_characteristics));
601 }
602 }
603 }
604
605 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
606 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
607 vector<uint8_t> key_blob;
608 vector<KeyCharacteristics> key_characteristics;
609 // No key size specified
610 auto builder = AuthorizationSetBuilder()
611 .Authorization(TAG_ALGORITHM, Algorithm::AES)
612 .BlockMode(block_mode)
613 .Padding(padding_mode)
614 .SetDefaultValidity();
615 if (block_mode == BlockMode::GCM) {
616 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
617 }
618 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
619 GenerateKey(builder, &key_blob, &key_characteristics));
620 }
621 }
622}
623
624/*
625 * NewKeyGenerationTest.AesInvalidPadding
626 *
627 * Verifies that specifying an invalid padding on AES keys gives a failure
628 * somewhere along the way.
629 */
630TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
631 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
632 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
633 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
634 SCOPED_TRACE(testing::Message()
635 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]636 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]637 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]638 .AesEncryptionKey(key_size)
639 .BlockMode(block_mode)
640 .Padding(padding_mode)
641 .SetDefaultValidity();
642 if (block_mode == BlockMode::GCM) {
643 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
644 }
645
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]646 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]647 if (result == ErrorCode::OK) {
648 // Key creation was OK but has generated a key that cannot be used.
649 auto params =
650 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]651 if (block_mode == BlockMode::GCM) {
652 params.Authorization(TAG_MAC_LENGTH, 128);
653 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]654 auto result = Begin(KeyPurpose::ENCRYPT, params);
655 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]656 result == ErrorCode::INVALID_KEY_BLOB)
657 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]658 } else {
659 // The KeyMint implementation detected that the generated key
660 // is unusable.
661 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
662 }
663 }
664 }
665 }
666}
667
668/*
669 * NewKeyGenerationTest.AesGcmMissingMinMac
670 *
671 * Verifies that specifying an invalid key size for AES key generation returns
672 * UNSUPPORTED_KEY_SIZE.
673 */
674TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
675 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
676 BlockMode block_mode = BlockMode::GCM;
677 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
678 SCOPED_TRACE(testing::Message()
679 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
680 vector<uint8_t> key_blob;
681 vector<KeyCharacteristics> key_characteristics;
682 // No MIN_MAC_LENGTH provided.
683 auto builder = AuthorizationSetBuilder()
684 .AesEncryptionKey(key_size)
685 .BlockMode(block_mode)
686 .Padding(padding_mode)
687 .SetDefaultValidity();
688 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
689 GenerateKey(builder, &key_blob, &key_characteristics));
690 }
691 }
692}
693
694/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]695 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
696 *
697 * Verifies that specifying an invalid min MAC size for AES key generation returns
698 * UNSUPPORTED_MIN_MAC_LENGTH.
699 */
700TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
701 for (size_t min_mac_len : {88, 136}) {
702 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
703 BlockMode block_mode = BlockMode::GCM;
704 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
705 SCOPED_TRACE(testing::Message()
706 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
707 vector<uint8_t> key_blob;
708 vector<KeyCharacteristics> key_characteristics;
709 auto builder = AuthorizationSetBuilder()
710 .AesEncryptionKey(key_size)
711 .BlockMode(block_mode)
712 .Padding(padding_mode)
713 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
714 .SetDefaultValidity();
715 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
716 GenerateKey(builder, &key_blob, &key_characteristics));
717 }
718 }
719 }
720}
721
722/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]723 * NewKeyGenerationTest.TripleDes
724 *
725 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
726 * have correct characteristics.
727 */
728TEST_P(NewKeyGenerationTest, TripleDes) {
729 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
730 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
731 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
732 SCOPED_TRACE(testing::Message()
733 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
734 vector<uint8_t> key_blob;
735 vector<KeyCharacteristics> key_characteristics;
736 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
737 .TripleDesEncryptionKey(key_size)
738 .BlockMode(block_mode)
739 .Padding(padding_mode)
740 .Authorization(TAG_NO_AUTH_REQUIRED)
741 .SetDefaultValidity(),
742 &key_blob, &key_characteristics));
743
744 EXPECT_GT(key_blob.size(), 0U);
745 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]746 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]747
748 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
749
750 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
751 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
752 << "Key size " << key_size << "missing";
753
754 CheckedDeleteKey(&key_blob);
755 }
756 }
757 }
758}
759
760/*
761 * NewKeyGenerationTest.TripleDesWithAttestation
762 *
763 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
764 * have correct characteristics.
765 *
766 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
767 * put in a certificate) but which isn't an error.
768 */
769TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
770 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
771 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
772 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
773 SCOPED_TRACE(testing::Message()
774 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
775
776 auto challenge = "hello";
777 auto app_id = "foo";
778
779 vector<uint8_t> key_blob;
780 vector<KeyCharacteristics> key_characteristics;
781 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
782 .TripleDesEncryptionKey(key_size)
783 .BlockMode(block_mode)
784 .Padding(padding_mode)
785 .Authorization(TAG_NO_AUTH_REQUIRED)
786 .AttestationChallenge(challenge)
787 .AttestationApplicationId(app_id)
788 .SetDefaultValidity(),
789 &key_blob, &key_characteristics));
790
791 EXPECT_GT(key_blob.size(), 0U);
792 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]793 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]794
795 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
796
797 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
798 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
799 << "Key size " << key_size << "missing";
800
801 CheckedDeleteKey(&key_blob);
802 }
803 }
804 }
805}
806
807/*
808 * NewKeyGenerationTest.TripleDesInvalidSize
809 *
810 * Verifies that specifying an invalid key size for 3-DES key generation returns
811 * UNSUPPORTED_KEY_SIZE.
812 */
813TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
814 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
815 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
816 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
817 SCOPED_TRACE(testing::Message()
818 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
819 vector<uint8_t> key_blob;
820 vector<KeyCharacteristics> key_characteristics;
821 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
822 GenerateKey(AuthorizationSetBuilder()
823 .TripleDesEncryptionKey(key_size)
824 .BlockMode(block_mode)
825 .Padding(padding_mode)
826 .Authorization(TAG_NO_AUTH_REQUIRED)
827 .SetDefaultValidity(),
828 &key_blob, &key_characteristics));
829 }
830 }
831 }
832
833 // Omitting the key size fails.
834 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
835 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
836 SCOPED_TRACE(testing::Message()
837 << "3DES-default-" << block_mode << "-" << padding_mode);
838 vector<uint8_t> key_blob;
839 vector<KeyCharacteristics> key_characteristics;
840 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
841 GenerateKey(AuthorizationSetBuilder()
842 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
843 .BlockMode(block_mode)
844 .Padding(padding_mode)
845 .Authorization(TAG_NO_AUTH_REQUIRED)
846 .SetDefaultValidity(),
847 &key_blob, &key_characteristics));
848 }
849 }
850}
851
852/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]853 * NewKeyGenerationTest.Rsa
854 *
855 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
856 * have correct characteristics.
857 */
858TEST_P(NewKeyGenerationTest, Rsa) {
859 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
860 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]861 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]862 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
863 .RsaSigningKey(key_size, 65537)
864 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]865 .Padding(PaddingMode::NONE)
866 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]867 &key_blob, &key_characteristics));
868
869 ASSERT_GT(key_blob.size(), 0U);
870 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]871 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]872
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]873 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]874
875 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
876 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
877 << "Key size " << key_size << "missing";
878 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
879
880 CheckedDeleteKey(&key_blob);
881 }
882}
883
884/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]885 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]886 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]887 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
888 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]889 */
890TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]891 auto challenge = "hello";
892 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]893
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]894 auto subject = "cert subj 2";
895 vector<uint8_t> subject_der(make_name_from_str(subject));
896
897 uint64_t serial_int = 66;
898 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
899
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]900 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]901 vector<uint8_t> key_blob;
902 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]903 ASSERT_EQ(ErrorCode::OK,
904 GenerateKey(AuthorizationSetBuilder()
905 .RsaSigningKey(key_size, 65537)
906 .Digest(Digest::NONE)
907 .Padding(PaddingMode::NONE)
908 .AttestationChallenge(challenge)
909 .AttestationApplicationId(app_id)
910 .Authorization(TAG_NO_AUTH_REQUIRED)
911 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
912 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
913 .SetDefaultValidity(),
914 &key_blob, &key_characteristics));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]915
916 ASSERT_GT(key_blob.size(), 0U);
917 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]918 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]919
920 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
921
922 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
923 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
924 << "Key size " << key_size << "missing";
925 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
926
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]927 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]928 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]929 ASSERT_GT(cert_chain_.size(), 0);
930
931 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
932 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
933 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
934 sw_enforced, hw_enforced, SecLevel(),
935 cert_chain_[0].encodedCertificate));
936
937 CheckedDeleteKey(&key_blob);
938 }
939}
940
941/*
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]942 * NewKeyGenerationTest.RsaWithRpkAttestation
943 *
944 * Verifies that keymint can generate all required RSA key sizes, using an attestation key
945 * that has been generated using an associate IRemotelyProvisionedComponent.
946 */
947TEST_P(NewKeyGenerationTest, RsaWithRpkAttestation) {
948 // There should be an IRemotelyProvisionedComponent instance associated with the KeyMint
949 // instance.
950 std::shared_ptr<IRemotelyProvisionedComponent> rp;
951 ASSERT_TRUE(matching_rp_instance(GetParam(), &rp))
952 << "No IRemotelyProvisionedComponent found that matches KeyMint device " << GetParam();
953
954 // Generate a P-256 keypair to use as an attestation key.
955 MacedPublicKey macedPubKey;
956 std::vector<uint8_t> privateKeyBlob;
957 auto status =
958 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
959 ASSERT_TRUE(status.isOk());
960 vector<uint8_t> coseKeyData;
961 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
962
963 AttestationKey attestation_key;
964 attestation_key.keyBlob = std::move(privateKeyBlob);
965 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
966
967 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
968 auto challenge = "hello";
969 auto app_id = "foo";
970
971 vector<uint8_t> key_blob;
972 vector<KeyCharacteristics> key_characteristics;
973 ASSERT_EQ(ErrorCode::OK,
974 GenerateKey(AuthorizationSetBuilder()
975 .RsaSigningKey(key_size, 65537)
976 .Digest(Digest::NONE)
977 .Padding(PaddingMode::NONE)
978 .AttestationChallenge(challenge)
979 .AttestationApplicationId(app_id)
980 .Authorization(TAG_NO_AUTH_REQUIRED)
981 .SetDefaultValidity(),
982 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
983
984 ASSERT_GT(key_blob.size(), 0U);
985 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]986 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]987
988 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
989
990 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
991 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
992 << "Key size " << key_size << "missing";
993 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
994
995 // Attestation by itself is not valid (last entry is not self-signed).
996 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
997
998 // The signature over the attested key should correspond to the P256 public key.
999 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1000 ASSERT_TRUE(key_cert.get());
1001 EVP_PKEY_Ptr signing_pubkey;
1002 p256_pub_key(coseKeyData, &signing_pubkey);
1003 ASSERT_TRUE(signing_pubkey.get());
1004
1005 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1006 << "Verification of attested certificate failed "
1007 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
1008
1009 CheckedDeleteKey(&key_blob);
1010 }
1011}
1012
1013/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1014 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1015 *
1016 * Verifies that keymint attestation for RSA encryption keys with challenge and
1017 * app id is also successful.
1018 */
1019TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1020 auto key_size = 2048;
1021 auto challenge = "hello";
1022 auto app_id = "foo";
1023
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1024 auto subject = "subj 2";
1025 vector<uint8_t> subject_der(make_name_from_str(subject));
1026
1027 uint64_t serial_int = 111166;
1028 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1029
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1030 vector<uint8_t> key_blob;
1031 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1032 ASSERT_EQ(ErrorCode::OK,
1033 GenerateKey(AuthorizationSetBuilder()
1034 .RsaEncryptionKey(key_size, 65537)
1035 .Padding(PaddingMode::NONE)
1036 .AttestationChallenge(challenge)
1037 .AttestationApplicationId(app_id)
1038 .Authorization(TAG_NO_AUTH_REQUIRED)
1039 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1040 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1041 .SetDefaultValidity(),
1042 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1043
1044 ASSERT_GT(key_blob.size(), 0U);
1045 AuthorizationSet auths;
1046 for (auto& entry : key_characteristics) {
1047 auths.push_back(AuthorizationSet(entry.authorizations));
1048 }
1049
1050 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1051 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1052
1053 // Verify that App data and ROT are NOT included.
1054 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1055 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1056
1057 // Check that some unexpected tags/values are NOT present.
1058 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1059 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1060
1061 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1062
1063 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1064 ASSERT_TRUE(os_ver);
1065 EXPECT_EQ(*os_ver, os_version());
1066
1067 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1068
1069 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1070 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1071 << "Key size " << key_size << "missing";
1072 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1073
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1074 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1075 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1076 ASSERT_GT(cert_chain_.size(), 0);
1077
1078 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1079 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1080 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1081 sw_enforced, hw_enforced, SecLevel(),
1082 cert_chain_[0].encodedCertificate));
1083
1084 CheckedDeleteKey(&key_blob);
1085}
1086
1087/*
1088 * NewKeyGenerationTest.RsaWithSelfSign
1089 *
1090 * Verifies that attesting to RSA key generation is successful, and returns
1091 * self signed certificate if no challenge is provided. And signing etc
1092 * works as expected.
1093 */
1094TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1095 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1096 vector<uint8_t> subject_der(make_name_from_str(subject));
1097
1098 uint64_t serial_int = 0;
1099 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1100
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1101 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1102 vector<uint8_t> key_blob;
1103 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1104 ASSERT_EQ(ErrorCode::OK,
1105 GenerateKey(AuthorizationSetBuilder()
1106 .RsaSigningKey(key_size, 65537)
1107 .Digest(Digest::NONE)
1108 .Padding(PaddingMode::NONE)
1109 .Authorization(TAG_NO_AUTH_REQUIRED)
1110 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1111 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1112 .SetDefaultValidity(),
1113 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1114
1115 ASSERT_GT(key_blob.size(), 0U);
1116 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1117 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1118
1119 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1120
1121 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1122 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1123 << "Key size " << key_size << "missing";
1124 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1125
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1126 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1127 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1128 ASSERT_EQ(cert_chain_.size(), 1);
1129
1130 CheckedDeleteKey(&key_blob);
1131 }
1132}
1133
1134/*
1135 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1136 *
1137 * Verifies that attesting to RSA checks for missing app ID.
1138 */
1139TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1140 auto challenge = "hello";
1141 vector<uint8_t> key_blob;
1142 vector<KeyCharacteristics> key_characteristics;
1143
1144 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
1145 GenerateKey(AuthorizationSetBuilder()
1146 .RsaSigningKey(2048, 65537)
1147 .Digest(Digest::NONE)
1148 .Padding(PaddingMode::NONE)
1149 .AttestationChallenge(challenge)
1150 .Authorization(TAG_NO_AUTH_REQUIRED)
1151 .SetDefaultValidity(),
1152 &key_blob, &key_characteristics));
1153}
1154
1155/*
1156 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1157 *
1158 * Verifies that attesting to RSA ignores app id if challenge is missing.
1159 */
1160TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1161 auto key_size = 2048;
1162 auto app_id = "foo";
1163
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1164 auto subject = "cert subj 2";
1165 vector<uint8_t> subject_der(make_name_from_str(subject));
1166
1167 uint64_t serial_int = 1;
1168 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1169
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1170 vector<uint8_t> key_blob;
1171 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1172 ASSERT_EQ(ErrorCode::OK,
1173 GenerateKey(AuthorizationSetBuilder()
1174 .RsaSigningKey(key_size, 65537)
1175 .Digest(Digest::NONE)
1176 .Padding(PaddingMode::NONE)
1177 .AttestationApplicationId(app_id)
1178 .Authorization(TAG_NO_AUTH_REQUIRED)
1179 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1180 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1181 .SetDefaultValidity(),
1182 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1183
1184 ASSERT_GT(key_blob.size(), 0U);
1185 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1186 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1187
1188 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1189
1190 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1191 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1192 << "Key size " << key_size << "missing";
1193 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1194
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1195 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1196 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1197 ASSERT_EQ(cert_chain_.size(), 1);
1198
1199 CheckedDeleteKey(&key_blob);
1200}
1201
1202/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1203 * NewKeyGenerationTest.LimitedUsageRsa
1204 *
1205 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1206 * resulting keys have correct characteristics.
1207 */
1208TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1209 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1210 vector<uint8_t> key_blob;
1211 vector<KeyCharacteristics> key_characteristics;
1212 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1213 .RsaSigningKey(key_size, 65537)
1214 .Digest(Digest::NONE)
1215 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1216 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1217 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1218 &key_blob, &key_characteristics));
1219
1220 ASSERT_GT(key_blob.size(), 0U);
1221 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1222 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1223
1224 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1225
1226 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1227 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1228 << "Key size " << key_size << "missing";
1229 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1230
1231 // Check the usage count limit tag appears in the authorizations.
1232 AuthorizationSet auths;
1233 for (auto& entry : key_characteristics) {
1234 auths.push_back(AuthorizationSet(entry.authorizations));
1235 }
1236 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1237 << "key usage count limit " << 1U << " missing";
1238
1239 CheckedDeleteKey(&key_blob);
1240 }
1241}
1242
1243/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1244 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1245 *
1246 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1247 * resulting keys have correct characteristics and attestation.
1248 */
1249TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1250 auto challenge = "hello";
1251 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1252
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1253 auto subject = "cert subj 2";
1254 vector<uint8_t> subject_der(make_name_from_str(subject));
1255
1256 uint64_t serial_int = 66;
1257 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1258
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1259 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1260 vector<uint8_t> key_blob;
1261 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1262 ASSERT_EQ(ErrorCode::OK,
1263 GenerateKey(AuthorizationSetBuilder()
1264 .RsaSigningKey(key_size, 65537)
1265 .Digest(Digest::NONE)
1266 .Padding(PaddingMode::NONE)
1267 .AttestationChallenge(challenge)
1268 .AttestationApplicationId(app_id)
1269 .Authorization(TAG_NO_AUTH_REQUIRED)
1270 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1271 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1272 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1273 .SetDefaultValidity(),
1274 &key_blob, &key_characteristics));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1275
1276 ASSERT_GT(key_blob.size(), 0U);
1277 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1278 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1279
1280 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1281
1282 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1283 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1284 << "Key size " << key_size << "missing";
1285 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1286
1287 // Check the usage count limit tag appears in the authorizations.
1288 AuthorizationSet auths;
1289 for (auto& entry : key_characteristics) {
1290 auths.push_back(AuthorizationSet(entry.authorizations));
1291 }
1292 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1293 << "key usage count limit " << 1U << " missing";
1294
1295 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1296 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1297 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1298 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1299
1300 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1301 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1302 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1303 sw_enforced, hw_enforced, SecLevel(),
1304 cert_chain_[0].encodedCertificate));
1305
1306 CheckedDeleteKey(&key_blob);
1307 }
1308}
1309
1310/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1311 * NewKeyGenerationTest.NoInvalidRsaSizes
1312 *
1313 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1314 */
1315TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1316 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
1317 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1318 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1319 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1320 GenerateKey(AuthorizationSetBuilder()
1321 .RsaSigningKey(key_size, 65537)
1322 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1323 .Padding(PaddingMode::NONE)
1324 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1325 &key_blob, &key_characteristics));
1326 }
1327}
1328
1329/*
1330 * NewKeyGenerationTest.RsaNoDefaultSize
1331 *
1332 * Verifies that failing to specify a key size for RSA key generation returns
1333 * UNSUPPORTED_KEY_SIZE.
1334 */
1335TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1336 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1337 GenerateKey(AuthorizationSetBuilder()
1338 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1339 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1340 .SigningKey()
1341 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1342}
1343
1344/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1345 * NewKeyGenerationTest.RsaMissingParams
1346 *
1347 * Verifies that omitting optional tags works.
1348 */
1349TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1350 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1351 ASSERT_EQ(ErrorCode::OK,
1352 GenerateKey(
1353 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1354 CheckedDeleteKey();
1355 }
1356}
1357
1358/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1359 * NewKeyGenerationTest.Ecdsa
1360 *
1361 * Verifies that keymint can generate all required EC key sizes, and that the resulting keys
1362 * have correct characteristics.
1363 */
1364TEST_P(NewKeyGenerationTest, Ecdsa) {
1365 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1366 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1367 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1368 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1369 .EcdsaSigningKey(key_size)
1370 .Digest(Digest::NONE)
1371 .SetDefaultValidity(),
1372 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1373 ASSERT_GT(key_blob.size(), 0U);
1374 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1375 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1376
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1377 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1378
1379 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1380 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1381 << "Key size " << key_size << "missing";
1382
1383 CheckedDeleteKey(&key_blob);
1384 }
1385}
1386
1387/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1388 * NewKeyGenerationTest.EcdsaAttestation
1389 *
1390 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1391 * an attestation will be generated.
1392 */
1393TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1394 auto challenge = "hello";
1395 auto app_id = "foo";
1396
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1397 auto subject = "cert subj 2";
1398 vector<uint8_t> subject_der(make_name_from_str(subject));
1399
1400 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1401 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1402
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1403 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1404 vector<uint8_t> key_blob;
1405 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1406 ASSERT_EQ(ErrorCode::OK,
1407 GenerateKey(AuthorizationSetBuilder()
1408 .Authorization(TAG_NO_AUTH_REQUIRED)
1409 .EcdsaSigningKey(key_size)
1410 .Digest(Digest::NONE)
1411 .AttestationChallenge(challenge)
1412 .AttestationApplicationId(app_id)
1413 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1414 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1415 .SetDefaultValidity(),
1416 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1417 ASSERT_GT(key_blob.size(), 0U);
1418 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1419 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1420
1421 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1422
1423 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1424 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1425 << "Key size " << key_size << "missing";
1426
1427 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1428 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1429 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1430
1431 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1432 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1433 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1434 sw_enforced, hw_enforced, SecLevel(),
1435 cert_chain_[0].encodedCertificate));
1436
1437 CheckedDeleteKey(&key_blob);
1438 }
1439}
1440
1441/*
1442 * NewKeyGenerationTest.EcdsaSelfSignAttestation
1443 *
1444 * Verifies that if no challenge is provided to an Ecdsa key generation, then
1445 * the key will generate a self signed attestation.
1446 */
1447TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1448 auto subject = "cert subj 2";
1449 vector<uint8_t> subject_der(make_name_from_str(subject));
1450
1451 uint64_t serial_int = 0x123456FFF1234;
1452 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1453
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1454 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1455 vector<uint8_t> key_blob;
1456 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1457 ASSERT_EQ(ErrorCode::OK,
1458 GenerateKey(AuthorizationSetBuilder()
1459 .EcdsaSigningKey(key_size)
1460 .Digest(Digest::NONE)
1461 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1462 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1463 .SetDefaultValidity(),
1464 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1465 ASSERT_GT(key_blob.size(), 0U);
1466 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1467 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1468
1469 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1470
1471 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1472 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1473 << "Key size " << key_size << "missing";
1474
1475 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1476 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1477 ASSERT_EQ(cert_chain_.size(), 1);
1478
1479 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1480 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1481
1482 CheckedDeleteKey(&key_blob);
1483 }
1484}
1485
1486/*
1487 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
1488 *
1489 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
1490 * app id must also be provided or else it will fail.
1491 */
1492TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
1493 auto challenge = "hello";
1494 vector<uint8_t> key_blob;
1495 vector<KeyCharacteristics> key_characteristics;
1496
1497 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
1498 GenerateKey(AuthorizationSetBuilder()
1499 .EcdsaSigningKey(EcCurve::P_256)
1500 .Digest(Digest::NONE)
1501 .AttestationChallenge(challenge)
1502 .SetDefaultValidity(),
1503 &key_blob, &key_characteristics));
1504}
1505
1506/*
1507 * NewKeyGenerationTest.EcdsaIgnoreAppId
1508 *
1509 * Verifies that if no challenge is provided to the Ecdsa key generation, then
1510 * any appid will be ignored, and keymint will generate a self sign certificate.
1511 */
1512TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
1513 auto app_id = "foo";
1514
1515 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1516 vector<uint8_t> key_blob;
1517 vector<KeyCharacteristics> key_characteristics;
1518 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1519 .EcdsaSigningKey(key_size)
1520 .Digest(Digest::NONE)
1521 .AttestationApplicationId(app_id)
1522 .SetDefaultValidity(),
1523 &key_blob, &key_characteristics));
1524
1525 ASSERT_GT(key_blob.size(), 0U);
1526 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1527 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1528
1529 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1530
1531 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1532 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1533 << "Key size " << key_size << "missing";
1534
1535 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1536 ASSERT_EQ(cert_chain_.size(), 1);
1537
1538 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1539 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1540
1541 CheckedDeleteKey(&key_blob);
1542 }
1543}
1544
1545/*
1546 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
1547 *
1548 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
1549 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
1550 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
1551 * to specify how many following bytes will be used to encode the length.
1552 */
1553TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
1554 auto challenge = "hello";
1555 auto key_size = 256;
1556 std::vector<uint32_t> app_id_lengths{143, 258};
1557
1558 for (uint32_t length : app_id_lengths) {
1559 const string app_id(length, 'a');
1560 vector<uint8_t> key_blob;
1561 vector<KeyCharacteristics> key_characteristics;
1562 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1563 .Authorization(TAG_NO_AUTH_REQUIRED)
1564 .EcdsaSigningKey(key_size)
1565 .Digest(Digest::NONE)
1566 .AttestationChallenge(challenge)
1567 .AttestationApplicationId(app_id)
1568 .SetDefaultValidity(),
1569 &key_blob, &key_characteristics));
1570 ASSERT_GT(key_blob.size(), 0U);
1571 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1572 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1573
1574 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1575
1576 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1577 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1578 << "Key size " << key_size << "missing";
1579
1580 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1581 ASSERT_GT(cert_chain_.size(), 0);
1582
1583 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1584 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1585 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
1586 sw_enforced, hw_enforced, SecLevel(),
1587 cert_chain_[0].encodedCertificate));
1588
1589 CheckedDeleteKey(&key_blob);
1590 }
1591}
1592
1593/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1594 * NewKeyGenerationTest.LimitedUsageEcdsa
1595 *
1596 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
1597 * resulting keys have correct characteristics.
1598 */
1599TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
1600 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1601 vector<uint8_t> key_blob;
1602 vector<KeyCharacteristics> key_characteristics;
1603 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1604 .EcdsaSigningKey(key_size)
1605 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1606 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1607 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1608 &key_blob, &key_characteristics));
1609
1610 ASSERT_GT(key_blob.size(), 0U);
1611 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1612 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1613
1614 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1615
1616 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1617 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1618 << "Key size " << key_size << "missing";
1619
1620 // Check the usage count limit tag appears in the authorizations.
1621 AuthorizationSet auths;
1622 for (auto& entry : key_characteristics) {
1623 auths.push_back(AuthorizationSet(entry.authorizations));
1624 }
1625 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1626 << "key usage count limit " << 1U << " missing";
1627
1628 CheckedDeleteKey(&key_blob);
1629 }
1630}
1631
1632/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1633 * NewKeyGenerationTest.EcdsaDefaultSize
1634 *
1635 * Verifies that failing to specify a key size for EC key generation returns
1636 * UNSUPPORTED_KEY_SIZE.
1637 */
1638TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
1639 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1640 GenerateKey(AuthorizationSetBuilder()
1641 .Authorization(TAG_ALGORITHM, Algorithm::EC)
1642 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1643 .Digest(Digest::NONE)
1644 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1645}
1646
1647/*
1648 * NewKeyGenerationTest.EcdsaInvalidSize
1649 *
1650 * Verifies that specifying an invalid key size for EC key generation returns
1651 * UNSUPPORTED_KEY_SIZE.
1652 */
1653TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
1654 for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
1655 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1656 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1657 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
1658 .EcdsaSigningKey(key_size)
1659 .Digest(Digest::NONE)
1660 .SetDefaultValidity(),
1661 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1662 }
1663
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1664 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
1665 .EcdsaSigningKey(190)
1666 .Digest(Digest::NONE)
1667 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1668}
1669
1670/*
1671 * NewKeyGenerationTest.EcdsaMismatchKeySize
1672 *
1673 * Verifies that specifying mismatched key size and curve for EC key generation returns
1674 * INVALID_ARGUMENT.
1675 */
1676TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
1677 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1678
1679 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
1680 GenerateKey(AuthorizationSetBuilder()
1681 .EcdsaSigningKey(224)
1682 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1683 .Digest(Digest::NONE)
1684 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1685}
1686
1687/*
1688 * NewKeyGenerationTest.EcdsaAllValidSizes
1689 *
1690 * Verifies that keymint supports all required EC key sizes.
1691 */
1692TEST_P(NewKeyGenerationTest, EcdsaAllValidSizes) {
1693 auto valid_sizes = ValidKeySizes(Algorithm::EC);
1694 for (size_t size : valid_sizes) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1695 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1696 .EcdsaSigningKey(size)
1697 .Digest(Digest::NONE)
1698 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1699 << "Failed to generate size: " << size;
1700 CheckedDeleteKey();
1701 }
1702}
1703
1704/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1705 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1706 *
1707 * Verifies that keymint does not support any curve designated as unsupported.
1708 */
1709TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
1710 Digest digest;
1711 if (SecLevel() == SecurityLevel::STRONGBOX) {
1712 digest = Digest::SHA_2_256;
1713 } else {
1714 digest = Digest::SHA_2_512;
1715 }
1716 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1717 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1718 .EcdsaSigningKey(curve)
1719 .Digest(digest)
1720 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1721 << "Failed to generate key on curve: " << curve;
1722 CheckedDeleteKey();
1723 }
1724}
1725
1726/*
1727 * NewKeyGenerationTest.Hmac
1728 *
1729 * Verifies that keymint supports all required digests, and that the resulting keys have correct
1730 * characteristics.
1731 */
1732TEST_P(NewKeyGenerationTest, Hmac) {
1733 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
1734 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1735 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1736 constexpr size_t key_size = 128;
1737 ASSERT_EQ(ErrorCode::OK,
1738 GenerateKey(
1739 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
1740 TAG_MIN_MAC_LENGTH, 128),
1741 &key_blob, &key_characteristics));
1742
1743 ASSERT_GT(key_blob.size(), 0U);
1744 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1745 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1746
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1747 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1748 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1749 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1750 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1751
1752 CheckedDeleteKey(&key_blob);
1753 }
1754}
1755
1756/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1757 * NewKeyGenerationTest.HmacNoAttestation
1758 *
1759 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
1760 * and app id are provided.
1761 */
1762TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
1763 auto challenge = "hello";
1764 auto app_id = "foo";
1765
1766 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
1767 vector<uint8_t> key_blob;
1768 vector<KeyCharacteristics> key_characteristics;
1769 constexpr size_t key_size = 128;
1770 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1771 .HmacKey(key_size)
1772 .Digest(digest)
1773 .AttestationChallenge(challenge)
1774 .AttestationApplicationId(app_id)
1775 .Authorization(TAG_MIN_MAC_LENGTH, 128),
1776 &key_blob, &key_characteristics));
1777
1778 ASSERT_GT(key_blob.size(), 0U);
1779 ASSERT_EQ(cert_chain_.size(), 0);
1780 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1781 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1782
1783 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1784 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1785 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1786 << "Key size " << key_size << "missing";
1787
1788 CheckedDeleteKey(&key_blob);
1789 }
1790}
1791
1792/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1793 * NewKeyGenerationTest.LimitedUsageHmac
1794 *
1795 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
1796 * resulting keys have correct characteristics.
1797 */
1798TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
1799 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
1800 vector<uint8_t> key_blob;
1801 vector<KeyCharacteristics> key_characteristics;
1802 constexpr size_t key_size = 128;
1803 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1804 .HmacKey(key_size)
1805 .Digest(digest)
1806 .Authorization(TAG_MIN_MAC_LENGTH, 128)
1807 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
1808 &key_blob, &key_characteristics));
1809
1810 ASSERT_GT(key_blob.size(), 0U);
1811 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1812 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1813
1814 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1815 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1816 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1817 << "Key size " << key_size << "missing";
1818
1819 // Check the usage count limit tag appears in the authorizations.
1820 AuthorizationSet auths;
1821 for (auto& entry : key_characteristics) {
1822 auths.push_back(AuthorizationSet(entry.authorizations));
1823 }
1824 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1825 << "key usage count limit " << 1U << " missing";
1826
1827 CheckedDeleteKey(&key_blob);
1828 }
1829}
1830
1831/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1832 * NewKeyGenerationTest.HmacCheckKeySizes
1833 *
1834 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
1835 */
1836TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
1837 for (size_t key_size = 0; key_size <= 512; ++key_size) {
1838 if (key_size < 64 || key_size % 8 != 0) {
1839 // To keep this test from being very slow, we only test a random fraction of
1840 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
1841 // them, we expect to run ~40 of them in each run.
1842 if (key_size % 8 == 0 || random() % 10 == 0) {
1843 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1844 GenerateKey(AuthorizationSetBuilder()
1845 .HmacKey(key_size)
1846 .Digest(Digest::SHA_2_256)
1847 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
1848 << "HMAC key size " << key_size << " invalid";
1849 }
1850 } else {
1851 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1852 .HmacKey(key_size)
1853 .Digest(Digest::SHA_2_256)
1854 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
1855 << "Failed to generate HMAC key of size " << key_size;
1856 CheckedDeleteKey();
1857 }
1858 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1859 if (SecLevel() == SecurityLevel::STRONGBOX) {
1860 // STRONGBOX devices must not support keys larger than 512 bits.
1861 size_t key_size = 520;
1862 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1863 GenerateKey(AuthorizationSetBuilder()
1864 .HmacKey(key_size)
1865 .Digest(Digest::SHA_2_256)
1866 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
1867 << "HMAC key size " << key_size << " unexpectedly valid";
1868 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1869}
1870
1871/*
1872 * NewKeyGenerationTest.HmacCheckMinMacLengths
1873 *
1874 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
1875 * test is probabilistic in order to keep the runtime down, but any failure prints out the
1876 * specific MAC length that failed, so reproducing a failed run will be easy.
1877 */
1878TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
1879 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
1880 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
1881 // To keep this test from being very long, we only test a random fraction of
1882 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
1883 // we expect to run ~17 of them in each run.
1884 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
1885 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
1886 GenerateKey(AuthorizationSetBuilder()
1887 .HmacKey(128)
1888 .Digest(Digest::SHA_2_256)
1889 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
1890 << "HMAC min mac length " << min_mac_length << " invalid.";
1891 }
1892 } else {
1893 EXPECT_EQ(ErrorCode::OK,
1894 GenerateKey(AuthorizationSetBuilder()
1895 .HmacKey(128)
1896 .Digest(Digest::SHA_2_256)
1897 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
1898 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
1899 CheckedDeleteKey();
1900 }
1901 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1902
1903 // Minimum MAC length must be no more than 512 bits.
1904 size_t min_mac_length = 520;
1905 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
1906 GenerateKey(AuthorizationSetBuilder()
1907 .HmacKey(128)
1908 .Digest(Digest::SHA_2_256)
1909 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
1910 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1911}
1912
1913/*
1914 * NewKeyGenerationTest.HmacMultipleDigests
1915 *
1916 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
1917 */
1918TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
1919 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1920
1921 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1922 GenerateKey(AuthorizationSetBuilder()
1923 .HmacKey(128)
1924 .Digest(Digest::SHA1)
1925 .Digest(Digest::SHA_2_256)
1926 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1927}
1928
1929/*
1930 * NewKeyGenerationTest.HmacDigestNone
1931 *
1932 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
1933 */
1934TEST_P(NewKeyGenerationTest, HmacDigestNone) {
1935 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1936 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
1937 128)));
1938
1939 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1940 GenerateKey(AuthorizationSetBuilder()
1941 .HmacKey(128)
1942 .Digest(Digest::NONE)
1943 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1944}
1945
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1946/*
1947 * NewKeyGenerationTest.AesNoAttestation
1948 *
1949 * Verifies that attestation parameters to AES keys are ignored and generateKey
1950 * will succeed.
1951 */
1952TEST_P(NewKeyGenerationTest, AesNoAttestation) {
1953 auto challenge = "hello";
1954 auto app_id = "foo";
1955
1956 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1957 .Authorization(TAG_NO_AUTH_REQUIRED)
1958 .AesEncryptionKey(128)
1959 .EcbMode()
1960 .Padding(PaddingMode::PKCS7)
1961 .AttestationChallenge(challenge)
1962 .AttestationApplicationId(app_id)));
1963
1964 ASSERT_EQ(cert_chain_.size(), 0);
1965}
1966
1967/*
1968 * NewKeyGenerationTest.TripleDesNoAttestation
1969 *
1970 * Verifies that attesting parameters to 3DES keys are ignored and generate key
1971 * will be successful. No attestation should be generated.
1972 */
1973TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
1974 auto challenge = "hello";
1975 auto app_id = "foo";
1976
1977 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1978 .TripleDesEncryptionKey(168)
1979 .BlockMode(BlockMode::ECB)
1980 .Authorization(TAG_NO_AUTH_REQUIRED)
1981 .Padding(PaddingMode::NONE)
1982 .AttestationChallenge(challenge)
1983 .AttestationApplicationId(app_id)));
1984 ASSERT_EQ(cert_chain_.size(), 0);
1985}
1986
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1987INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
1988
1989typedef KeyMintAidlTestBase SigningOperationsTest;
1990
1991/*
1992 * SigningOperationsTest.RsaSuccess
1993 *
1994 * Verifies that raw RSA signature operations succeed.
1995 */
1996TEST_P(SigningOperationsTest, RsaSuccess) {
1997 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1998 .RsaSigningKey(2048, 65537)
1999 .Digest(Digest::NONE)
2000 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2001 .Authorization(TAG_NO_AUTH_REQUIRED)
2002 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2003 string message = "12345678901234567890123456789012";
2004 string signature = SignMessage(
2005 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2006 LocalVerifyMessage(message, signature,
2007 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2008}
2009
2010/*
2011 * SigningOperationsTest.RsaAllPaddingsAndDigests
2012 *
2013 * Verifies RSA signature/verification for all padding modes and digests.
2014 */
2015TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2016 auto authorizations = AuthorizationSetBuilder()
2017 .Authorization(TAG_NO_AUTH_REQUIRED)
2018 .RsaSigningKey(2048, 65537)
2019 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2020 .Padding(PaddingMode::NONE)
2021 .Padding(PaddingMode::RSA_PSS)
2022 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2023 .SetDefaultValidity();
2024
2025 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2026
2027 string message(128, 'a');
2028 string corrupt_message(message);
2029 ++corrupt_message[corrupt_message.size() / 2];
2030
2031 for (auto padding :
2032 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2033 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
2034 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2035 // Digesting only makes sense with padding.
2036 continue;
2037 }
2038
2039 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2040 // PSS requires digesting.
2041 continue;
2042 }
2043
2044 string signature =
2045 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2046 LocalVerifyMessage(message, signature,
2047 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2048 }
2049 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2050}
2051
2052/*
2053 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2054 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2055 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2056 */
2057TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2058 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2059 .Authorization(TAG_NO_AUTH_REQUIRED)
2060 .RsaSigningKey(2048, 65537)
2061 .Digest(Digest::NONE)
2062 .Padding(PaddingMode::NONE)
2063 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2064 .Authorization(TAG_APPLICATION_DATA, "appdata")
2065 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2066
2067 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2068
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2069 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2070 Begin(KeyPurpose::SIGN,
2071 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2072 AbortIfNeeded();
2073 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2074 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2075 .Digest(Digest::NONE)
2076 .Padding(PaddingMode::NONE)
2077 .Authorization(TAG_APPLICATION_ID, "clientid")));
2078 AbortIfNeeded();
2079 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2080 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2081 .Digest(Digest::NONE)
2082 .Padding(PaddingMode::NONE)
2083 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2084 AbortIfNeeded();
2085 EXPECT_EQ(ErrorCode::OK,
2086 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2087 .Digest(Digest::NONE)
2088 .Padding(PaddingMode::NONE)
2089 .Authorization(TAG_APPLICATION_DATA, "appdata")
2090 .Authorization(TAG_APPLICATION_ID, "clientid")));
2091 AbortIfNeeded();
2092}
2093
2094/*
2095 * SigningOperationsTest.RsaPssSha256Success
2096 *
2097 * Verifies that RSA-PSS signature operations succeed.
2098 */
2099TEST_P(SigningOperationsTest, RsaPssSha256Success) {
2100 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2101 .RsaSigningKey(2048, 65537)
2102 .Digest(Digest::SHA_2_256)
2103 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2104 .Authorization(TAG_NO_AUTH_REQUIRED)
2105 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2106 // Use large message, which won't work without digesting.
2107 string message(1024, 'a');
2108 string signature = SignMessage(
2109 message,
2110 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
2111}
2112
2113/*
2114 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
2115 *
2116 * Verifies that keymint rejects signature operations that specify a padding mode when the key
2117 * supports only unpadded operations.
2118 */
2119TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
2120 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2121 .RsaSigningKey(2048, 65537)
2122 .Digest(Digest::NONE)
2123 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2124 .Padding(PaddingMode::NONE)
2125 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2126 string message = "12345678901234567890123456789012";
2127 string signature;
2128
2129 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
2130 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2131 .Digest(Digest::NONE)
2132 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2133}
2134
2135/*
2136 * SigningOperationsTest.NoUserConfirmation
2137 *
2138 * Verifies that keymint rejects signing operations for keys with
2139 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
2140 * presented.
2141 */
2142TEST_P(SigningOperationsTest, NoUserConfirmation) {
2143 if (SecLevel() == SecurityLevel::STRONGBOX) return;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2144 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2145 .RsaSigningKey(1024, 65537)
2146 .Digest(Digest::NONE)
2147 .Padding(PaddingMode::NONE)
2148 .Authorization(TAG_NO_AUTH_REQUIRED)
2149 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
2150 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2151
2152 const string message = "12345678901234567890123456789012";
2153 EXPECT_EQ(ErrorCode::OK,
2154 Begin(KeyPurpose::SIGN,
2155 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2156 string signature;
2157 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
2158}
2159
2160/*
2161 * SigningOperationsTest.RsaPkcs1Sha256Success
2162 *
2163 * Verifies that digested RSA-PKCS1 signature operations succeed.
2164 */
2165TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
2166 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2167 .RsaSigningKey(2048, 65537)
2168 .Digest(Digest::SHA_2_256)
2169 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2170 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2171 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2172 string message(1024, 'a');
2173 string signature = SignMessage(message, AuthorizationSetBuilder()
2174 .Digest(Digest::SHA_2_256)
2175 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2176}
2177
2178/*
2179 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
2180 *
2181 * Verifies that undigested RSA-PKCS1 signature operations succeed.
2182 */
2183TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
2184 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2185 .RsaSigningKey(2048, 65537)
2186 .Digest(Digest::NONE)
2187 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2188 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2189 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2190 string message(53, 'a');
2191 string signature = SignMessage(message, AuthorizationSetBuilder()
2192 .Digest(Digest::NONE)
2193 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2194}
2195
2196/*
2197 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
2198 *
2199 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
2200 * given a too-long message.
2201 */
2202TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
2203 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2204 .RsaSigningKey(2048, 65537)
2205 .Digest(Digest::NONE)
2206 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2207 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2208 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2209 string message(257, 'a');
2210
2211 EXPECT_EQ(ErrorCode::OK,
2212 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2213 .Digest(Digest::NONE)
2214 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2215 string signature;
2216 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
2217}
2218
2219/*
2220 * SigningOperationsTest.RsaPssSha512TooSmallKey
2221 *
2222 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
2223 * used with a key that is too small for the message.
2224 *
2225 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
2226 * keymint specification requires that salt_size == digest_size, so the message will be
2227 * digest_size * 2 +
2228 * 16. Such a message can only be signed by a given key if the key is at least that size. This
2229 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
2230 * for a 1024-bit key.
2231 */
2232TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
2233 if (SecLevel() == SecurityLevel::STRONGBOX) return;
2234 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2235 .RsaSigningKey(1024, 65537)
2236 .Digest(Digest::SHA_2_512)
2237 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2238 .Padding(PaddingMode::RSA_PSS)
2239 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2240 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2241 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2242 .Digest(Digest::SHA_2_512)
2243 .Padding(PaddingMode::RSA_PSS)));
2244}
2245
2246/*
2247 * SigningOperationsTest.RsaNoPaddingTooLong
2248 *
2249 * Verifies that raw RSA signature operations fail with the correct error code when
2250 * given a too-long message.
2251 */
2252TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
2253 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2254 .RsaSigningKey(2048, 65537)
2255 .Digest(Digest::NONE)
2256 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2257 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2258 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2259 // One byte too long
2260 string message(2048 / 8 + 1, 'a');
2261 ASSERT_EQ(ErrorCode::OK,
2262 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2263 .Digest(Digest::NONE)
2264 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2265 string result;
2266 ErrorCode finish_error_code = Finish(message, &result);
2267 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
2268 finish_error_code == ErrorCode::INVALID_ARGUMENT);
2269
2270 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
2271 message = string(128 * 1024, 'a');
2272 ASSERT_EQ(ErrorCode::OK,
2273 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2274 .Digest(Digest::NONE)
2275 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2276 finish_error_code = Finish(message, &result);
2277 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
2278 finish_error_code == ErrorCode::INVALID_ARGUMENT);
2279}
2280
2281/*
2282 * SigningOperationsTest.RsaAbort
2283 *
2284 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
2285 * test, but the behavior should be algorithm and purpose-independent.
2286 */
2287TEST_P(SigningOperationsTest, RsaAbort) {
2288 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2289 .RsaSigningKey(2048, 65537)
2290 .Digest(Digest::NONE)
2291 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2292 .Padding(PaddingMode::NONE)
2293 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2294
2295 ASSERT_EQ(ErrorCode::OK,
2296 Begin(KeyPurpose::SIGN,
2297 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2298 EXPECT_EQ(ErrorCode::OK, Abort());
2299
2300 // Another abort should fail
2301 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
2302
2303 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]2304 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2305}
2306
2307/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2308 * SigningOperationsTest.RsaNonUniqueParams
2309 *
2310 * Verifies that an operation with multiple padding modes is rejected.
2311 */
2312TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
2313 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2314 .RsaSigningKey(2048, 65537)
2315 .Digest(Digest::NONE)
2316 .Digest(Digest::SHA1)
2317 .Authorization(TAG_NO_AUTH_REQUIRED)
2318 .Padding(PaddingMode::NONE)
2319 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2320 .SetDefaultValidity()));
2321
2322 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2323 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2324 .Digest(Digest::NONE)
2325 .Padding(PaddingMode::NONE)
2326 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2327
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]2328 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2329 .Digest(Digest::NONE)
2330 .Digest(Digest::SHA1)
2331 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2332 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2333
2334 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2335 Begin(KeyPurpose::SIGN,
2336 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2337}
2338
2339/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2340 * SigningOperationsTest.RsaUnsupportedPadding
2341 *
2342 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
2343 * with a padding mode inappropriate for RSA.
2344 */
2345TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
2346 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2347 .RsaSigningKey(2048, 65537)
2348 .Authorization(TAG_NO_AUTH_REQUIRED)
2349 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2350 .Padding(PaddingMode::PKCS7)
2351 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2352 ASSERT_EQ(
2353 ErrorCode::UNSUPPORTED_PADDING_MODE,
2354 Begin(KeyPurpose::SIGN,
2355 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2356 CheckedDeleteKey();
2357
2358 ASSERT_EQ(ErrorCode::OK,
2359 GenerateKey(
2360 AuthorizationSetBuilder()
2361 .RsaSigningKey(2048, 65537)
2362 .Authorization(TAG_NO_AUTH_REQUIRED)
2363 .Digest(Digest::SHA_2_256 /* supported digest */)
2364 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
2365 .SetDefaultValidity()));
2366 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2367 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2368 .Digest(Digest::SHA_2_256)
2369 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2370}
2371
2372/*
2373 * SigningOperationsTest.RsaPssNoDigest
2374 *
2375 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
2376 */
2377TEST_P(SigningOperationsTest, RsaNoDigest) {
2378 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2379 .RsaSigningKey(2048, 65537)
2380 .Authorization(TAG_NO_AUTH_REQUIRED)
2381 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2382 .Padding(PaddingMode::RSA_PSS)
2383 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2384 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2385 Begin(KeyPurpose::SIGN,
2386 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
2387
2388 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2389 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
2390}
2391
2392/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]2393 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2394 *
2395 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
2396 * supported in some cases (as validated in other tests), but a mode must be specified.
2397 */
2398TEST_P(SigningOperationsTest, RsaNoPadding) {
2399 // Padding must be specified
2400 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2401 .RsaKey(2048, 65537)
2402 .Authorization(TAG_NO_AUTH_REQUIRED)
2403 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2404 .Digest(Digest::NONE)
2405 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2406 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
2407 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
2408}
2409
2410/*
2411 * SigningOperationsTest.RsaShortMessage
2412 *
2413 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
2414 */
2415TEST_P(SigningOperationsTest, RsaTooShortMessage) {
2416 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2417 .Authorization(TAG_NO_AUTH_REQUIRED)
2418 .RsaSigningKey(2048, 65537)
2419 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2420 .Padding(PaddingMode::NONE)
2421 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2422
2423 // Barely shorter
2424 string message(2048 / 8 - 1, 'a');
2425 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2426
2427 // Much shorter
2428 message = "a";
2429 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2430}
2431
2432/*
2433 * SigningOperationsTest.RsaSignWithEncryptionKey
2434 *
2435 * Verifies that RSA encryption keys cannot be used to sign.
2436 */
2437TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
2438 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2439 .Authorization(TAG_NO_AUTH_REQUIRED)
2440 .RsaEncryptionKey(2048, 65537)
2441 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2442 .Padding(PaddingMode::NONE)
2443 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2444 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
2445 Begin(KeyPurpose::SIGN,
2446 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2447}
2448
2449/*
2450 * SigningOperationsTest.RsaSignTooLargeMessage
2451 *
2452 * Verifies that attempting a raw signature of a message which is the same length as the key,
2453 * but numerically larger than the public modulus, fails with the correct error.
2454 */
2455TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
2456 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2457 .Authorization(TAG_NO_AUTH_REQUIRED)
2458 .RsaSigningKey(2048, 65537)
2459 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2460 .Padding(PaddingMode::NONE)
2461 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2462
2463 // Largest possible message will always be larger than the public modulus.
2464 string message(2048 / 8, static_cast<char>(0xff));
2465 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2466 .Authorization(TAG_NO_AUTH_REQUIRED)
2467 .Digest(Digest::NONE)
2468 .Padding(PaddingMode::NONE)));
2469 string signature;
2470 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
2471}
2472
2473/*
2474 * SigningOperationsTest.EcdsaAllSizesAndHashes
2475 *
2476 * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
2477 */
2478TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
2479 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
2480 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
2481 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2482 .Authorization(TAG_NO_AUTH_REQUIRED)
2483 .EcdsaSigningKey(key_size)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2484 .Digest(digest)
2485 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2486 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
2487 << " and digest " << digest;
2488 if (error != ErrorCode::OK) continue;
2489
2490 string message(1024, 'a');
2491 if (digest == Digest::NONE) message.resize(key_size / 8);
2492 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
2493 CheckedDeleteKey();
2494 }
2495 }
2496}
2497
2498/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2499 * SigningOperationsTest.EcdsaAllDigestsAndCurves
2500 *
2501 * Verifies ECDSA signature/verification for all digests and curves.
2502 */
2503TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
2504 auto digests = ValidDigests(true /* withNone */, false /* withMD5 */);
2505
2506 string message = "1234567890";
2507 string corrupt_message = "2234567890";
2508 for (auto curve : ValidCurves()) {
2509 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
2510 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2511 .Authorization(TAG_NO_AUTH_REQUIRED)
2512 .EcdsaSigningKey(curve)
2513 .Digest(digests)
2514 .SetDefaultValidity());
2515 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
2516 if (error != ErrorCode::OK) {
2517 continue;
2518 }
2519
2520 for (auto digest : digests) {
2521 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
2522 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
2523 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
2524 }
2525
2526 auto rc = DeleteKey();
2527 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
2528 }
2529}
2530
2531/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2532 * SigningOperationsTest.EcdsaAllCurves
2533 *
2534 * Verifies that ECDSA operations succeed with all possible curves.
2535 */
2536TEST_P(SigningOperationsTest, EcdsaAllCurves) {
2537 for (auto curve : ValidCurves()) {
2538 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2539 .Authorization(TAG_NO_AUTH_REQUIRED)
2540 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2541 .Digest(Digest::SHA_2_256)
2542 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2543 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
2544 if (error != ErrorCode::OK) continue;
2545
2546 string message(1024, 'a');
2547 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
2548 CheckedDeleteKey();
2549 }
2550}
2551
2552/*
2553 * SigningOperationsTest.EcdsaNoDigestHugeData
2554 *
2555 * Verifies that ECDSA operations support very large messages, even without digesting. This
2556 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
2557 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
2558 * the framework.
2559 */
2560TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
2561 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2562 .Authorization(TAG_NO_AUTH_REQUIRED)
2563 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2564 .Digest(Digest::NONE)
2565 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2566 string message(1 * 1024, 'a');
2567 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
2568}
2569
2570/*
2571 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
2572 *
2573 * Verifies that using an EC key requires the correct app ID/data.
2574 */
2575TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
2576 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2577 .Authorization(TAG_NO_AUTH_REQUIRED)
2578 .EcdsaSigningKey(256)
2579 .Digest(Digest::NONE)
2580 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2581 .Authorization(TAG_APPLICATION_DATA, "appdata")
2582 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2583
2584 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2585
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2586 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2587 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
2588 AbortIfNeeded();
2589 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2590 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2591 .Digest(Digest::NONE)
2592 .Authorization(TAG_APPLICATION_ID, "clientid")));
2593 AbortIfNeeded();
2594 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2595 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2596 .Digest(Digest::NONE)
2597 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2598 AbortIfNeeded();
2599 EXPECT_EQ(ErrorCode::OK,
2600 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2601 .Digest(Digest::NONE)
2602 .Authorization(TAG_APPLICATION_DATA, "appdata")
2603 .Authorization(TAG_APPLICATION_ID, "clientid")));
2604 AbortIfNeeded();
2605}
2606
2607/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2608 * SigningOperationsTest.EcdsaIncompatibleDigest
2609 *
2610 * Verifies that using an EC key requires compatible digest.
2611 */
2612TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
2613 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2614 .Authorization(TAG_NO_AUTH_REQUIRED)
2615 .EcdsaSigningKey(256)
2616 .Digest(Digest::NONE)
2617 .Digest(Digest::SHA1)
2618 .SetDefaultValidity()));
2619 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
2620 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
2621 AbortIfNeeded();
2622}
2623
2624/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2625 * SigningOperationsTest.AesEcbSign
2626 *
2627 * Verifies that attempts to use AES keys to sign fail in the correct way.
2628 */
2629TEST_P(SigningOperationsTest, AesEcbSign) {
2630 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2631 .Authorization(TAG_NO_AUTH_REQUIRED)
2632 .SigningKey()
2633 .AesEncryptionKey(128)
2634 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
2635
2636 AuthorizationSet out_params;
2637 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
2638 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
2639 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
2640 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
2641}
2642
2643/*
2644 * SigningOperationsTest.HmacAllDigests
2645 *
2646 * Verifies that HMAC works with all digests.
2647 */
2648TEST_P(SigningOperationsTest, HmacAllDigests) {
2649 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
2650 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2651 .Authorization(TAG_NO_AUTH_REQUIRED)
2652 .HmacKey(128)
2653 .Digest(digest)
2654 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
2655 << "Failed to create HMAC key with digest " << digest;
2656 string message = "12345678901234567890123456789012";
2657 string signature = MacMessage(message, digest, 160);
2658 EXPECT_EQ(160U / 8U, signature.size())
2659 << "Failed to sign with HMAC key with digest " << digest;
2660 CheckedDeleteKey();
2661 }
2662}
2663
2664/*
2665 * SigningOperationsTest.HmacSha256TooLargeMacLength
2666 *
2667 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
2668 * digest size.
2669 */
2670TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
2671 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2672 .Authorization(TAG_NO_AUTH_REQUIRED)
2673 .HmacKey(128)
2674 .Digest(Digest::SHA_2_256)
2675 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
2676 AuthorizationSet output_params;
2677 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
2678 AuthorizationSetBuilder()
2679 .Digest(Digest::SHA_2_256)
2680 .Authorization(TAG_MAC_LENGTH, 264),
2681 &output_params));
2682}
2683
2684/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2685 * SigningOperationsTest.HmacSha256InvalidMacLength
2686 *
2687 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
2688 * not a multiple of 8.
2689 */
2690TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
2691 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2692 .Authorization(TAG_NO_AUTH_REQUIRED)
2693 .HmacKey(128)
2694 .Digest(Digest::SHA_2_256)
2695 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
2696 AuthorizationSet output_params;
2697 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
2698 AuthorizationSetBuilder()
2699 .Digest(Digest::SHA_2_256)
2700 .Authorization(TAG_MAC_LENGTH, 161),
2701 &output_params));
2702}
2703
2704/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2705 * SigningOperationsTest.HmacSha256TooSmallMacLength
2706 *
2707 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
2708 * specified minimum MAC length.
2709 */
2710TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
2711 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2712 .Authorization(TAG_NO_AUTH_REQUIRED)
2713 .HmacKey(128)
2714 .Digest(Digest::SHA_2_256)
2715 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2716 AuthorizationSet output_params;
2717 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
2718 AuthorizationSetBuilder()
2719 .Digest(Digest::SHA_2_256)
2720 .Authorization(TAG_MAC_LENGTH, 120),
2721 &output_params));
2722}
2723
2724/*
2725 * SigningOperationsTest.HmacRfc4231TestCase3
2726 *
2727 * Validates against the test vectors from RFC 4231 test case 3.
2728 */
2729TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
2730 string key(20, 0xaa);
2731 string message(50, 0xdd);
2732 uint8_t sha_224_expected[] = {
2733 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
2734 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
2735 };
2736 uint8_t sha_256_expected[] = {
2737 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
2738 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
2739 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
2740 };
2741 uint8_t sha_384_expected[] = {
2742 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
2743 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
2744 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
2745 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
2746 };
2747 uint8_t sha_512_expected[] = {
2748 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
2749 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
2750 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
2751 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
2752 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
2753 };
2754
2755 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
2756 if (SecLevel() != SecurityLevel::STRONGBOX) {
2757 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
2758 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
2759 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
2760 }
2761}
2762
2763/*
2764 * SigningOperationsTest.HmacRfc4231TestCase5
2765 *
2766 * Validates against the test vectors from RFC 4231 test case 5.
2767 */
2768TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
2769 string key(20, 0x0c);
2770 string message = "Test With Truncation";
2771
2772 uint8_t sha_224_expected[] = {
2773 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
2774 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
2775 };
2776 uint8_t sha_256_expected[] = {
2777 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
2778 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
2779 };
2780 uint8_t sha_384_expected[] = {
2781 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
2782 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
2783 };
2784 uint8_t sha_512_expected[] = {
2785 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
2786 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
2787 };
2788
2789 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
2790 if (SecLevel() != SecurityLevel::STRONGBOX) {
2791 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
2792 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
2793 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
2794 }
2795}
2796
2797INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
2798
2799typedef KeyMintAidlTestBase VerificationOperationsTest;
2800
2801/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2802 * VerificationOperationsTest.HmacSigningKeyCannotVerify
2803 *
2804 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
2805 */
2806TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
2807 string key_material = "HelloThisIsAKey";
2808
2809 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2810 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2811 EXPECT_EQ(ErrorCode::OK,
2812 ImportKey(AuthorizationSetBuilder()
2813 .Authorization(TAG_NO_AUTH_REQUIRED)
2814 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
2815 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
2816 .Digest(Digest::SHA_2_256)
2817 .Authorization(TAG_MIN_MAC_LENGTH, 160),
2818 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
2819 EXPECT_EQ(ErrorCode::OK,
2820 ImportKey(AuthorizationSetBuilder()
2821 .Authorization(TAG_NO_AUTH_REQUIRED)
2822 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
2823 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
2824 .Digest(Digest::SHA_2_256)
2825 .Authorization(TAG_MIN_MAC_LENGTH, 160),
2826 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
2827
2828 string message = "This is a message.";
2829 string signature = SignMessage(
2830 signing_key, message,
2831 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
2832
2833 // Signing key should not work.
2834 AuthorizationSet out_params;
2835 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
2836 Begin(KeyPurpose::VERIFY, signing_key,
2837 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
2838
2839 // Verification key should work.
2840 VerifyMessage(verification_key, message, signature,
2841 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
2842
2843 CheckedDeleteKey(&signing_key);
2844 CheckedDeleteKey(&verification_key);
2845}
2846
2847INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
2848
2849typedef KeyMintAidlTestBase ExportKeyTest;
2850
2851/*
2852 * ExportKeyTest.RsaUnsupportedKeyFormat
2853 *
2854 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
2855 */
2856// TODO(seleneh) add ExportKey to GenerateKey
2857// check result
2858
2859class ImportKeyTest : public KeyMintAidlTestBase {
2860 public:
2861 template <TagType tag_type, Tag tag, typename ValueT>
2862 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
2863 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2864 for (auto& entry : key_characteristics_) {
2865 if (entry.securityLevel == SecLevel()) {
2866 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
2867 << "Tag " << tag << " with value " << expected
2868 << " not found at security level" << entry.securityLevel;
2869 } else {
2870 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
2871 << "Tag " << tag << " found at security level " << entry.securityLevel;
2872 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2873 }
2874 }
2875
2876 void CheckOrigin() {
2877 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2878 // Origin isn't a crypto param, but it always lives with them.
2879 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2880 }
2881};
2882
2883/*
2884 * ImportKeyTest.RsaSuccess
2885 *
2886 * Verifies that importing and using an RSA key pair works correctly.
2887 */
2888TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]2889 uint32_t key_size;
2890 string key;
2891
2892 if (SecLevel() == SecurityLevel::STRONGBOX) {
2893 key_size = 2048;
2894 key = rsa_2048_key;
2895 } else {
2896 key_size = 1024;
2897 key = rsa_key;
2898 }
2899
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2900 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2901 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]2902 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2903 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2904 .Padding(PaddingMode::RSA_PSS)
2905 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]2906 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2907
2908 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]2909 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2910 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
2911 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2912 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
2913 CheckOrigin();
2914
2915 string message(1024 / 8, 'a');
2916 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
2917 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2918 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2919}
2920
2921/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2922 * ImportKeyTest.RsaSuccessWithoutParams
2923 *
2924 * Verifies that importing and using an RSA key pair without specifying parameters
2925 * works correctly.
2926 */
2927TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
2928 uint32_t key_size;
2929 string key;
2930
2931 if (SecLevel() == SecurityLevel::STRONGBOX) {
2932 key_size = 2048;
2933 key = rsa_2048_key;
2934 } else {
2935 key_size = 1024;
2936 key = rsa_key;
2937 }
2938
2939 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2940 .Authorization(TAG_NO_AUTH_REQUIRED)
2941 .SigningKey()
2942 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
2943 .Digest(Digest::SHA_2_256)
2944 .Padding(PaddingMode::RSA_PSS)
2945 .SetDefaultValidity(),
2946 KeyFormat::PKCS8, key));
2947
2948 // Key size and public exponent are determined from the imported key material.
2949 CheckCryptoParam(TAG_KEY_SIZE, key_size);
2950 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
2951
2952 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
2953 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2954 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
2955 CheckOrigin();
2956
2957 string message(1024 / 8, 'a');
2958 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
2959 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2960 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2961}
2962
2963/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2964 * ImportKeyTest.RsaKeySizeMismatch
2965 *
2966 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
2967 * correct way.
2968 */
2969TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
2970 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2971 ImportKey(AuthorizationSetBuilder()
2972 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
2973 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2974 .Padding(PaddingMode::NONE)
2975 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2976 KeyFormat::PKCS8, rsa_key));
2977}
2978
2979/*
2980 * ImportKeyTest.RsaPublicExponentMismatch
2981 *
2982 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
2983 * fails in the correct way.
2984 */
2985TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
2986 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2987 ImportKey(AuthorizationSetBuilder()
2988 .RsaSigningKey(1024, 3 /* Doesn't match key */)
2989 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2990 .Padding(PaddingMode::NONE)
2991 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2992 KeyFormat::PKCS8, rsa_key));
2993}
2994
2995/*
2996 * ImportKeyTest.EcdsaSuccess
2997 *
2998 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
2999 */
3000TEST_P(ImportKeyTest, EcdsaSuccess) {
3001 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3002 .Authorization(TAG_NO_AUTH_REQUIRED)
3003 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3004 .Digest(Digest::SHA_2_256)
3005 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3006 KeyFormat::PKCS8, ec_256_key));
3007
3008 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
3009 CheckCryptoParam(TAG_KEY_SIZE, 256U);
3010 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3011 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3012
3013 CheckOrigin();
3014
3015 string message(32, 'a');
3016 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3017 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3018 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3019}
3020
3021/*
3022 * ImportKeyTest.EcdsaP256RFC5915Success
3023 *
3024 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
3025 * correctly.
3026 */
3027TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
3028 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3029 .Authorization(TAG_NO_AUTH_REQUIRED)
3030 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3031 .Digest(Digest::SHA_2_256)
3032 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3033 KeyFormat::PKCS8, ec_256_key_rfc5915));
3034
3035 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
3036 CheckCryptoParam(TAG_KEY_SIZE, 256U);
3037 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3038 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3039
3040 CheckOrigin();
3041
3042 string message(32, 'a');
3043 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3044 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3045 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3046}
3047
3048/*
3049 * ImportKeyTest.EcdsaP256SEC1Success
3050 *
3051 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
3052 */
3053TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
3054 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3055 .Authorization(TAG_NO_AUTH_REQUIRED)
3056 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3057 .Digest(Digest::SHA_2_256)
3058 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3059 KeyFormat::PKCS8, ec_256_key_sec1));
3060
3061 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
3062 CheckCryptoParam(TAG_KEY_SIZE, 256U);
3063 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3064 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3065
3066 CheckOrigin();
3067
3068 string message(32, 'a');
3069 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3070 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3071 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3072}
3073
3074/*
3075 * ImportKeyTest.Ecdsa521Success
3076 *
3077 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
3078 */
3079TEST_P(ImportKeyTest, Ecdsa521Success) {
3080 if (SecLevel() == SecurityLevel::STRONGBOX) return;
3081 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3082 .Authorization(TAG_NO_AUTH_REQUIRED)
3083 .EcdsaSigningKey(521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3084 .Digest(Digest::SHA_2_256)
3085 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3086 KeyFormat::PKCS8, ec_521_key));
3087
3088 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
3089 CheckCryptoParam(TAG_KEY_SIZE, 521U);
3090 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3091 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
3092 CheckOrigin();
3093
3094 string message(32, 'a');
3095 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3096 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3097 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3098}
3099
3100/*
3101 * ImportKeyTest.EcdsaSizeMismatch
3102 *
3103 * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the
3104 * correct way.
3105 */
3106TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
3107 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3108 ImportKey(AuthorizationSetBuilder()
3109 .EcdsaSigningKey(224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3110 .Digest(Digest::NONE)
3111 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3112 KeyFormat::PKCS8, ec_256_key));
3113}
3114
3115/*
3116 * ImportKeyTest.EcdsaCurveMismatch
3117 *
3118 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
3119 * the correct way.
3120 */
3121TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
3122 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3123 ImportKey(AuthorizationSetBuilder()
3124 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3125 .Digest(Digest::NONE)
3126 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3127 KeyFormat::PKCS8, ec_256_key));
3128}
3129
3130/*
3131 * ImportKeyTest.AesSuccess
3132 *
3133 * Verifies that importing and using an AES key works.
3134 */
3135TEST_P(ImportKeyTest, AesSuccess) {
3136 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3137 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3138 .Authorization(TAG_NO_AUTH_REQUIRED)
3139 .AesEncryptionKey(key.size() * 8)
3140 .EcbMode()
3141 .Padding(PaddingMode::PKCS7),
3142 KeyFormat::RAW, key));
3143
3144 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
3145 CheckCryptoParam(TAG_KEY_SIZE, 128U);
3146 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
3147 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
3148 CheckOrigin();
3149
3150 string message = "Hello World!";
3151 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3152 string ciphertext = EncryptMessage(message, params);
3153 string plaintext = DecryptMessage(ciphertext, params);
3154 EXPECT_EQ(message, plaintext);
3155}
3156
3157/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3158 * ImportKeyTest.AesFailure
3159 *
3160 * Verifies that importing an invalid AES key fails.
3161 */
3162TEST_P(ImportKeyTest, AesFailure) {
3163 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3164 uint32_t bitlen = key.size() * 8;
3165 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3166 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3167 auto result = ImportKey(AuthorizationSetBuilder()
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3168 .Authorization(TAG_NO_AUTH_REQUIRED)
3169 .AesEncryptionKey(key_size)
3170 .EcbMode()
3171 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3172 KeyFormat::RAW, key);
3173 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3174 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
3175 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3176 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3177
3178 // Explicit key size matches that of the provided key, but it's not a valid size.
3179 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3180 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3181 ImportKey(AuthorizationSetBuilder()
3182 .Authorization(TAG_NO_AUTH_REQUIRED)
3183 .AesEncryptionKey(long_key.size() * 8)
3184 .EcbMode()
3185 .Padding(PaddingMode::PKCS7),
3186 KeyFormat::RAW, long_key));
3187 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3188 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3189 ImportKey(AuthorizationSetBuilder()
3190 .Authorization(TAG_NO_AUTH_REQUIRED)
3191 .AesEncryptionKey(short_key.size() * 8)
3192 .EcbMode()
3193 .Padding(PaddingMode::PKCS7),
3194 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3195}
3196
3197/*
3198 * ImportKeyTest.TripleDesSuccess
3199 *
3200 * Verifies that importing and using a 3DES key works.
3201 */
3202TEST_P(ImportKeyTest, TripleDesSuccess) {
3203 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
3204 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3205 .Authorization(TAG_NO_AUTH_REQUIRED)
3206 .TripleDesEncryptionKey(168)
3207 .EcbMode()
3208 .Padding(PaddingMode::PKCS7),
3209 KeyFormat::RAW, key));
3210
3211 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
3212 CheckCryptoParam(TAG_KEY_SIZE, 168U);
3213 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
3214 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
3215 CheckOrigin();
3216
3217 string message = "Hello World!";
3218 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3219 string ciphertext = EncryptMessage(message, params);
3220 string plaintext = DecryptMessage(ciphertext, params);
3221 EXPECT_EQ(message, plaintext);
3222}
3223
3224/*
3225 * ImportKeyTest.TripleDesFailure
3226 *
3227 * Verifies that importing an invalid 3DES key fails.
3228 */
3229TEST_P(ImportKeyTest, TripleDesFailure) {
3230 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3231 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3232 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3233 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3234 auto result = ImportKey(AuthorizationSetBuilder()
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3235 .Authorization(TAG_NO_AUTH_REQUIRED)
3236 .TripleDesEncryptionKey(key_size)
3237 .EcbMode()
3238 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]3239 KeyFormat::RAW, key);
3240 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3241 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
3242 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3243 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3244 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3245 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3246 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3247 ImportKey(AuthorizationSetBuilder()
3248 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3249 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3250 .EcbMode()
3251 .Padding(PaddingMode::PKCS7),
3252 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3253 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3254 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
3255 ImportKey(AuthorizationSetBuilder()
3256 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]3257 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]3258 .EcbMode()
3259 .Padding(PaddingMode::PKCS7),
3260 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3261}
3262
3263/*
3264 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3265 *
3266 * Verifies that importing and using an HMAC key works.
3267 */
3268TEST_P(ImportKeyTest, HmacKeySuccess) {
3269 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3270 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3271 .Authorization(TAG_NO_AUTH_REQUIRED)
3272 .HmacKey(key.size() * 8)
3273 .Digest(Digest::SHA_2_256)
3274 .Authorization(TAG_MIN_MAC_LENGTH, 256),
3275 KeyFormat::RAW, key));
3276
3277 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
3278 CheckCryptoParam(TAG_KEY_SIZE, 128U);
3279 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3280 CheckOrigin();
3281
3282 string message = "Hello World!";
3283 string signature = MacMessage(message, Digest::SHA_2_256, 256);
3284 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
3285}
3286
3287INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
3288
3289auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3290 // IKeyMintDevice.aidl
3291 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
3292 "020100" // INTEGER length 1 value 0x00 (version)
3293 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
3294 "934bf94e2aa28a3f83c9f79297250262"
3295 "fbe3276b5a1c91159bbfa3ef8957aac8"
3296 "4b59b30b455a79c2973480823d8b3863"
3297 "c3deef4a8e243590268d80e18751a0e1"
3298 "30f67ce6a1ace9f79b95e097474febc9"
3299 "81195b1d13a69086c0863f66a7b7fdb4"
3300 "8792227b1ac5e2489febdf087ab54864"
3301 "83033a6f001ca5d1ec1e27f5c30f4cec"
3302 "2642074a39ae68aee552e196627a8e3d"
3303 "867e67a8c01b11e75f13cca0a97ab668"
3304 "b50cda07a8ecb7cd8e3dd7009c963653"
3305 "4f6f239cffe1fc8daa466f78b676c711"
3306 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
3307 "99b801597d5220e307eaa5bee507fb94"
3308 "d1fa69f9e519b2de315bac92c36f2ea1"
3309 "fa1df4478c0ddedeae8c70e0233cd098"
3310 "040c" // OCTET STRING length 0x0c (initializationVector)
3311 "d796b02c370f1fa4cc0124f1"
3312 "302e" // SEQUENCE length 0x2e (KeyDescription) {
3313 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
3314 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
3315 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
3316 "3106" // SET length 0x06
3317 "020100" // INTEGER length 1 value 0x00 (Encrypt)
3318 "020101" // INTEGER length 1 value 0x01 (Decrypt)
3319 // } end SET
3320 // } end [1]
3321 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
3322 "020120" // INTEGER length 1 value 0x20 (AES)
3323 // } end [2]
3324 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
3325 "02020100" // INTEGER length 2 value 0x100
3326 // } end [3]
3327 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
3328 "3103" // SET length 0x03 {
3329 "020101" // INTEGER length 1 value 0x01 (ECB)
3330 // } end SET
3331 // } end [4]
3332 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
3333 "3103" // SET length 0x03 {
3334 "020140" // INTEGER length 1 value 0x40 (PKCS7)
3335 // } end SET
3336 // } end [5]
3337 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
3338 // (noAuthRequired)
3339 "0500" // NULL
3340 // } end [503]
3341 // } end SEQUENCE (AuthorizationList)
3342 // } end SEQUENCE (KeyDescription)
3343 "0420" // OCTET STRING length 0x20 (encryptedKey)
3344 "ccd540855f833a5e1480bfd2d36faf3a"
3345 "eee15df5beabe2691bc82dde2a7aa910"
3346 "0410" // OCTET STRING length 0x10 (tag)
3347 "64c9f689c60ff6223ab6e6999e0eb6e5"
3348 // } SEQUENCE (SecureKeyWrapper)
3349);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3350
3351auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3352 // IKeyMintDevice.aidl
3353 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
3354 "020100" // INTEGER length 1 value 0x00 (version)
3355 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
3356 "aad93ed5924f283b4bb5526fbe7a1412"
3357 "f9d9749ec30db9062b29e574a8546f33"
3358 "c88732452f5b8e6a391ee76c39ed1712"
3359 "c61d8df6213dec1cffbc17a8c6d04c7b"
3360 "30893d8daa9b2015213e219468215532"
3361 "07f8f9931c4caba23ed3bee28b36947e"
3362 "47f10e0a5c3dc51c988a628daad3e5e1"
3363 "f4005e79c2d5a96c284b4b8d7e4948f3"
3364 "31e5b85dd5a236f85579f3ea1d1b8484"
3365 "87470bdb0ab4f81a12bee42c99fe0df4"
3366 "bee3759453e69ad1d68a809ce06b949f"
3367 "7694a990429b2fe81e066ff43e56a216"
3368 "02db70757922a4bcc23ab89f1e35da77"
3369 "586775f423e519c2ea394caf48a28d0c"
3370 "8020f1dcf6b3a68ec246f615ae96dae9"
3371 "a079b1f6eb959033c1af5c125fd94168"
3372 "040c" // OCTET STRING length 0x0c (initializationVector)
3373 "6d9721d08589581ab49204a3"
3374 "302e" // SEQUENCE length 0x2e (KeyDescription) {
3375 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
3376 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
3377 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
3378 "3106" // SET length 0x06
3379 "020100" // INTEGER length 1 value 0x00 (Encrypt)
3380 "020101" // INTEGER length 1 value 0x01 (Decrypt)
3381 // } end SET
3382 // } end [1]
3383 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
3384 "020120" // INTEGER length 1 value 0x20 (AES)
3385 // } end [2]
3386 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
3387 "02020100" // INTEGER length 2 value 0x100
3388 // } end [3]
3389 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
3390 "3103" // SET length 0x03 {
3391 "020101" // INTEGER length 1 value 0x01 (ECB)
3392 // } end SET
3393 // } end [4]
3394 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
3395 "3103" // SET length 0x03 {
3396 "020140" // INTEGER length 1 value 0x40 (PKCS7)
3397 // } end SET
3398 // } end [5]
3399 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
3400 // (noAuthRequired)
3401 "0500" // NULL
3402 // } end [503]
3403 // } end SEQUENCE (AuthorizationList)
3404 // } end SEQUENCE (KeyDescription)
3405 "0420" // OCTET STRING length 0x20 (encryptedKey)
3406 "a61c6e247e25b3e6e69aa78eb03c2d4a"
3407 "c20d1f99a9a024a76f35c8e2cab9b68d"
3408 "0410" // OCTET STRING length 0x10 (tag)
3409 "2560c70109ae67c030f00b98b512a670"
3410 // } SEQUENCE (SecureKeyWrapper)
3411);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3412
3413auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3414 // RFC 5208 s5
3415 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
3416 "020100" // INTEGER length 1 value 0x00 (version)
3417 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
3418 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
3419 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
3420 "0500" // NULL (parameters)
3421 // } SEQUENCE (AlgorithmIdentifier)
3422 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
3423 // RFC 8017 A.1.2
3424 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
3425 "020100" // INTEGER length 1 value 0x00 (version)
3426 "02820101" // INTEGER length 0x0101 (modulus) value...
3427 "00aec367931d8900ce56b0067f7d70e1" // 0x10
3428 "fc653f3f34d194c1fed50018fb43db93" // 0x20
3429 "7b06e673a837313d56b1c725150a3fef" // 0x30
3430 "86acbddc41bb759c2854eae32d35841e" // 0x40
3431 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
3432 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
3433 "312d7bd5921ffaea1347c157406fef71" // 0x70
3434 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
3435 "f4645c11f5c1374c3886427411c44979" // 0x90
3436 "6792e0bef75dec858a2123c36753e02a" // 0xa0
3437 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
3438 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
3439 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
3440 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
3441 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
3442 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
3443 "55" // 0x101
3444 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
3445 "02820100" // INTEGER length 0x100 (privateExponent) value...
3446 "431447b6251908112b1ee76f99f3711a" // 0x10
3447 "52b6630960046c2de70de188d833f8b8" // 0x20
3448 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
3449 "641f7fe24f14c67a88959bdb27766df9" // 0x40
3450 "e710b630a03adc683b5d2c43080e52be" // 0x50
3451 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
3452 "822bccff087d63c940ba8a45f670feb2" // 0x70
3453 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
3454 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
3455 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
3456 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
3457 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
3458 "52659d5a5ba05b663737a8696281865b" // 0xd0
3459 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
3460 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
3461 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
3462 "028181" // INTEGER length 0x81 (prime1) value...
3463 "00de392e18d682c829266cc3454e1d61" // 0x10
3464 "66242f32d9a1d10577753e904ea7d08b" // 0x20
3465 "ff841be5bac82a164c5970007047b8c5" // 0x30
3466 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
3467 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
3468 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
3469 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
3470 "9e91346130748a6e3c124f9149d71c74" // 0x80
3471 "35"
3472 "028181" // INTEGER length 0x81 (prime2) value...
3473 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
3474 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
3475 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
3476 "7349db6c4a95affdae0dae612e1afac9" // 0x40
3477 "9ed39a2d934c880440aed8832f984316" // 0x50
3478 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
3479 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
3480 "b880677c068e1be936e81288815252a8" // 0x80
3481 "a1"
3482 "028180" // INTEGER length 0x80 (exponent1) value...
3483 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
3484 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
3485 "5a063212a4f105a3764743e53281988a" // 0x30
3486 "ba073f6e0027298e1c4378556e0efca0" // 0x40
3487 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
3488 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
3489 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
3490 "4719d6e2b9439823719cd08bcd031781" // 0x80
3491 "028181" // INTEGER length 0x81 (exponent2) value...
3492 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
3493 "1241acc607976c4ddccc90e65b6556ca" // 0x20
3494 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
3495 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
3496 "1254186af30b22c10582a8a43e34fe94" // 0x50
3497 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
3498 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
3499 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
3500 "61"
3501 "028181" // INTEGER length 0x81 (coefficient) value...
3502 "00c931617c77829dfb1270502be9195c" // 0x10
3503 "8f2830885f57dba869536811e6864236" // 0x20
3504 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
3505 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
3506 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
3507 "959356210723287b0affcc9f727044d4" // 0x60
3508 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
3509 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
3510 "22"
3511 // } SEQUENCE
3512 // } SEQUENCE ()
3513);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3514
3515string zero_masking_key =
3516 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
3517string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
3518
3519class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
3520
3521TEST_P(ImportWrappedKeyTest, Success) {
3522 auto wrapping_key_desc = AuthorizationSetBuilder()
3523 .RsaEncryptionKey(2048, 65537)
3524 .Digest(Digest::SHA_2_256)
3525 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3526 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3527 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3528
3529 ASSERT_EQ(ErrorCode::OK,
3530 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3531 AuthorizationSetBuilder()
3532 .Digest(Digest::SHA_2_256)
3533 .Padding(PaddingMode::RSA_OAEP)));
3534
3535 string message = "Hello World!";
3536 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3537 string ciphertext = EncryptMessage(message, params);
3538 string plaintext = DecryptMessage(ciphertext, params);
3539 EXPECT_EQ(message, plaintext);
3540}
3541
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3542/*
3543 * ImportWrappedKeyTest.SuccessSidsIgnored
3544 *
3545 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
3546 * include Tag:USER_SECURE_ID.
3547 */
3548TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
3549 auto wrapping_key_desc = AuthorizationSetBuilder()
3550 .RsaEncryptionKey(2048, 65537)
3551 .Digest(Digest::SHA_2_256)
3552 .Padding(PaddingMode::RSA_OAEP)
3553 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3554 .SetDefaultValidity();
3555
3556 int64_t password_sid = 42;
3557 int64_t biometric_sid = 24;
3558 ASSERT_EQ(ErrorCode::OK,
3559 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3560 AuthorizationSetBuilder()
3561 .Digest(Digest::SHA_2_256)
3562 .Padding(PaddingMode::RSA_OAEP),
3563 password_sid, biometric_sid));
3564
3565 string message = "Hello World!";
3566 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3567 string ciphertext = EncryptMessage(message, params);
3568 string plaintext = DecryptMessage(ciphertext, params);
3569 EXPECT_EQ(message, plaintext);
3570}
3571
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3572TEST_P(ImportWrappedKeyTest, SuccessMasked) {
3573 auto wrapping_key_desc = AuthorizationSetBuilder()
3574 .RsaEncryptionKey(2048, 65537)
3575 .Digest(Digest::SHA_2_256)
3576 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3577 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3578 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3579
3580 ASSERT_EQ(ErrorCode::OK,
3581 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
3582 AuthorizationSetBuilder()
3583 .Digest(Digest::SHA_2_256)
3584 .Padding(PaddingMode::RSA_OAEP)));
3585}
3586
3587TEST_P(ImportWrappedKeyTest, WrongMask) {
3588 auto wrapping_key_desc = AuthorizationSetBuilder()
3589 .RsaEncryptionKey(2048, 65537)
3590 .Digest(Digest::SHA_2_256)
3591 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3592 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3593 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3594
3595 ASSERT_EQ(
3596 ErrorCode::VERIFICATION_FAILED,
3597 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
3598 AuthorizationSetBuilder()
3599 .Digest(Digest::SHA_2_256)
3600 .Padding(PaddingMode::RSA_OAEP)));
3601}
3602
3603TEST_P(ImportWrappedKeyTest, WrongPurpose) {
3604 auto wrapping_key_desc = AuthorizationSetBuilder()
3605 .RsaEncryptionKey(2048, 65537)
3606 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3607 .Padding(PaddingMode::RSA_OAEP)
3608 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3609
3610 ASSERT_EQ(
3611 ErrorCode::INCOMPATIBLE_PURPOSE,
3612 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
3613 AuthorizationSetBuilder()
3614 .Digest(Digest::SHA_2_256)
3615 .Padding(PaddingMode::RSA_OAEP)));
3616}
3617
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3618TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
3619 auto wrapping_key_desc = AuthorizationSetBuilder()
3620 .RsaEncryptionKey(2048, 65537)
3621 .Digest(Digest::SHA_2_256)
3622 .Padding(PaddingMode::RSA_PSS)
3623 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3624 .SetDefaultValidity();
3625
3626 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
3627 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3628 AuthorizationSetBuilder()
3629 .Digest(Digest::SHA_2_256)
3630 .Padding(PaddingMode::RSA_OAEP)));
3631}
3632
3633TEST_P(ImportWrappedKeyTest, WrongDigest) {
3634 auto wrapping_key_desc = AuthorizationSetBuilder()
3635 .RsaEncryptionKey(2048, 65537)
3636 .Digest(Digest::SHA_2_512)
3637 .Padding(PaddingMode::RSA_OAEP)
3638 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
3639 .SetDefaultValidity();
3640
3641 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3642 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
3643 AuthorizationSetBuilder()
3644 .Digest(Digest::SHA_2_256)
3645 .Padding(PaddingMode::RSA_OAEP)));
3646}
3647
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3648INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
3649
3650typedef KeyMintAidlTestBase EncryptionOperationsTest;
3651
3652/*
3653 * EncryptionOperationsTest.RsaNoPaddingSuccess
3654 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3655 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3656 */
3657TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3658 for (uint64_t exponent : {3, 65537}) {
3659 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3660 .Authorization(TAG_NO_AUTH_REQUIRED)
3661 .RsaEncryptionKey(2048, exponent)
3662 .Padding(PaddingMode::NONE)
3663 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3664
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3665 string message = string(2048 / 8, 'a');
3666 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3667 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3668 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3669
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3670 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3671 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3672
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3673 // Unpadded RSA is deterministic
3674 EXPECT_EQ(ciphertext1, ciphertext2);
3675
3676 CheckedDeleteKey();
3677 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3678}
3679
3680/*
3681 * EncryptionOperationsTest.RsaNoPaddingShortMessage
3682 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3683 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3684 */
3685TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
3686 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3687 .Authorization(TAG_NO_AUTH_REQUIRED)
3688 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3689 .Padding(PaddingMode::NONE)
3690 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3691
3692 string message = "1";
3693 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
3694
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3695 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3696 EXPECT_EQ(2048U / 8, ciphertext.size());
3697
3698 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
3699 string plaintext = DecryptMessage(ciphertext, params);
3700
3701 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3702}
3703
3704/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3705 * EncryptionOperationsTest.RsaOaepSuccess
3706 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3707 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3708 */
3709TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
3710 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
3711
3712 size_t key_size = 2048; // Need largish key for SHA-512 test.
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3713 ASSERT_EQ(ErrorCode::OK,
3714 GenerateKey(AuthorizationSetBuilder()
3715 .Authorization(TAG_NO_AUTH_REQUIRED)
3716 .RsaEncryptionKey(key_size, 65537)
3717 .Padding(PaddingMode::RSA_OAEP)
3718 .Digest(digests)
3719 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1)
3720 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3721
3722 string message = "Hello";
3723
3724 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3725 SCOPED_TRACE(testing::Message() << "digest-" << digest);
3726
3727 auto params = AuthorizationSetBuilder()
3728 .Digest(digest)
3729 .Padding(PaddingMode::RSA_OAEP)
3730 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
3731 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3732 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
3733 EXPECT_EQ(key_size / 8, ciphertext1.size());
3734
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3735 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3736 EXPECT_EQ(key_size / 8, ciphertext2.size());
3737
3738 // OAEP randomizes padding so every result should be different (with astronomically high
3739 // probability).
3740 EXPECT_NE(ciphertext1, ciphertext2);
3741
3742 string plaintext1 = DecryptMessage(ciphertext1, params);
3743 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
3744 string plaintext2 = DecryptMessage(ciphertext2, params);
3745 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
3746
3747 // Decrypting corrupted ciphertext should fail.
3748 size_t offset_to_corrupt = random() % ciphertext1.size();
3749 char corrupt_byte;
3750 do {
3751 corrupt_byte = static_cast<char>(random() % 256);
3752 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
3753 ciphertext1[offset_to_corrupt] = corrupt_byte;
3754
3755 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3756 string result;
3757 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
3758 EXPECT_EQ(0U, result.size());
3759 }
3760}
3761
3762/*
3763 * EncryptionOperationsTest.RsaOaepInvalidDigest
3764 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3765 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3766 * without a digest.
3767 */
3768TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
3769 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3770 .Authorization(TAG_NO_AUTH_REQUIRED)
3771 .RsaEncryptionKey(2048, 65537)
3772 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3773 .Digest(Digest::NONE)
3774 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3775
3776 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3777 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3778}
3779
3780/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3781 * EncryptionOperationsTest.RsaOaepInvalidPadding
3782 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3783 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3784 * with a padding value that is only suitable for signing/verifying.
3785 */
3786TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
3787 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3788 .Authorization(TAG_NO_AUTH_REQUIRED)
3789 .RsaEncryptionKey(2048, 65537)
3790 .Padding(PaddingMode::RSA_PSS)
3791 .Digest(Digest::NONE)
3792 .SetDefaultValidity()));
3793
3794 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3795 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3796}
3797
3798/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3799 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3800 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3801 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3802 * with a different digest than was used to encrypt.
3803 */
3804TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
3805 if (SecLevel() == SecurityLevel::STRONGBOX) return;
3806
3807 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3808 .Authorization(TAG_NO_AUTH_REQUIRED)
3809 .RsaEncryptionKey(1024, 65537)
3810 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3811 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
3812 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3813 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3814 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3815 message,
3816 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
3817
3818 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
3819 .Digest(Digest::SHA_2_256)
3820 .Padding(PaddingMode::RSA_OAEP)));
3821 string result;
3822 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
3823 EXPECT_EQ(0U, result.size());
3824}
3825
3826/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3827 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
3828 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3829 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3830 * digests.
3831 */
3832TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
3833 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
3834
3835 size_t key_size = 2048; // Need largish key for SHA-512 test.
3836 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3837 .OaepMGFDigest(digests)
3838 .Authorization(TAG_NO_AUTH_REQUIRED)
3839 .RsaEncryptionKey(key_size, 65537)
3840 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3841 .Digest(Digest::SHA_2_256)
3842 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3843
3844 string message = "Hello";
3845
3846 for (auto digest : digests) {
3847 auto params = AuthorizationSetBuilder()
3848 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
3849 .Digest(Digest::SHA_2_256)
3850 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3851 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3852 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
3853 EXPECT_EQ(key_size / 8, ciphertext1.size());
3854
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3855 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3856 EXPECT_EQ(key_size / 8, ciphertext2.size());
3857
3858 // OAEP randomizes padding so every result should be different (with astronomically high
3859 // probability).
3860 EXPECT_NE(ciphertext1, ciphertext2);
3861
3862 string plaintext1 = DecryptMessage(ciphertext1, params);
3863 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
3864 string plaintext2 = DecryptMessage(ciphertext2, params);
3865 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
3866
3867 // Decrypting corrupted ciphertext should fail.
3868 size_t offset_to_corrupt = random() % ciphertext1.size();
3869 char corrupt_byte;
3870 do {
3871 corrupt_byte = static_cast<char>(random() % 256);
3872 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
3873 ciphertext1[offset_to_corrupt] = corrupt_byte;
3874
3875 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3876 string result;
3877 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
3878 EXPECT_EQ(0U, result.size());
3879 }
3880}
3881
3882/*
3883 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
3884 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3885 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3886 * with incompatible MGF digest.
3887 */
3888TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
3889 ASSERT_EQ(ErrorCode::OK,
3890 GenerateKey(AuthorizationSetBuilder()
3891 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
3892 .Authorization(TAG_NO_AUTH_REQUIRED)
3893 .RsaEncryptionKey(2048, 65537)
3894 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3895 .Digest(Digest::SHA_2_256)
3896 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3897 string message = "Hello World!";
3898
3899 auto params = AuthorizationSetBuilder()
3900 .Padding(PaddingMode::RSA_OAEP)
3901 .Digest(Digest::SHA_2_256)
3902 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3903 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3904}
3905
3906/*
3907 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
3908 *
3909 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
3910 * with unsupported MGF digest.
3911 */
3912TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
3913 ASSERT_EQ(ErrorCode::OK,
3914 GenerateKey(AuthorizationSetBuilder()
3915 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
3916 .Authorization(TAG_NO_AUTH_REQUIRED)
3917 .RsaEncryptionKey(2048, 65537)
3918 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3919 .Digest(Digest::SHA_2_256)
3920 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3921 string message = "Hello World!";
3922
3923 auto params = AuthorizationSetBuilder()
3924 .Padding(PaddingMode::RSA_OAEP)
3925 .Digest(Digest::SHA_2_256)
3926 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3927 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]3928}
3929
3930/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3931 * EncryptionOperationsTest.RsaPkcs1Success
3932 *
3933 * Verifies that RSA PKCS encryption/decrypts works.
3934 */
3935TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
3936 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3937 .Authorization(TAG_NO_AUTH_REQUIRED)
3938 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3939 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
3940 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3941
3942 string message = "Hello World!";
3943 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3944 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3945 EXPECT_EQ(2048U / 8, ciphertext1.size());
3946
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]3947 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3948 EXPECT_EQ(2048U / 8, ciphertext2.size());
3949
3950 // PKCS1 v1.5 randomizes padding so every result should be different.
3951 EXPECT_NE(ciphertext1, ciphertext2);
3952
3953 string plaintext = DecryptMessage(ciphertext1, params);
3954 EXPECT_EQ(message, plaintext);
3955
3956 // Decrypting corrupted ciphertext should fail.
3957 size_t offset_to_corrupt = random() % ciphertext1.size();
3958 char corrupt_byte;
3959 do {
3960 corrupt_byte = static_cast<char>(random() % 256);
3961 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
3962 ciphertext1[offset_to_corrupt] = corrupt_byte;
3963
3964 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3965 string result;
3966 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
3967 EXPECT_EQ(0U, result.size());
3968}
3969
3970/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3971 * EncryptionOperationsTest.EcdsaEncrypt
3972 *
3973 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
3974 */
3975TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
3976 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3977 .Authorization(TAG_NO_AUTH_REQUIRED)
3978 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3979 .Digest(Digest::NONE)
3980 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3981 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3982 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
3983 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
3984}
3985
3986/*
3987 * EncryptionOperationsTest.HmacEncrypt
3988 *
3989 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
3990 */
3991TEST_P(EncryptionOperationsTest, HmacEncrypt) {
3992 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3993 .Authorization(TAG_NO_AUTH_REQUIRED)
3994 .HmacKey(128)
3995 .Digest(Digest::SHA_2_256)
3996 .Padding(PaddingMode::NONE)
3997 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3998 auto params = AuthorizationSetBuilder()
3999 .Digest(Digest::SHA_2_256)
4000 .Padding(PaddingMode::NONE)
4001 .Authorization(TAG_MAC_LENGTH, 128);
4002 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
4003 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
4004}
4005
4006/*
4007 * EncryptionOperationsTest.AesEcbRoundTripSuccess
4008 *
4009 * Verifies that AES ECB mode works.
4010 */
4011TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
4012 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4013 .Authorization(TAG_NO_AUTH_REQUIRED)
4014 .AesEncryptionKey(128)
4015 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4016 .Padding(PaddingMode::NONE)));
4017
4018 ASSERT_GT(key_blob_.size(), 0U);
4019 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4020
4021 // Two-block message.
4022 string message = "12345678901234567890123456789012";
4023 string ciphertext1 = EncryptMessage(message, params);
4024 EXPECT_EQ(message.size(), ciphertext1.size());
4025
4026 string ciphertext2 = EncryptMessage(string(message), params);
4027 EXPECT_EQ(message.size(), ciphertext2.size());
4028
4029 // ECB is deterministic.
4030 EXPECT_EQ(ciphertext1, ciphertext2);
4031
4032 string plaintext = DecryptMessage(ciphertext1, params);
4033 EXPECT_EQ(message, plaintext);
4034}
4035
4036/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4037 * EncryptionOperationsTest.AesEcbUnknownTag
4038 *
4039 * Verifies that AES ECB operations ignore unknown tags.
4040 */
4041TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
4042 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
4043 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
4044 KeyParameter unknown_param;
4045 unknown_param.tag = unknown_tag;
4046
4047 vector<KeyCharacteristics> key_characteristics;
4048 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4049 .Authorization(TAG_NO_AUTH_REQUIRED)
4050 .AesEncryptionKey(128)
4051 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4052 .Padding(PaddingMode::NONE)
4053 .Authorization(unknown_param),
4054 &key_blob_, &key_characteristics));
4055 ASSERT_GT(key_blob_.size(), 0U);
4056
4057 // Unknown tags should not be returned in key characteristics.
4058 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
4059 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
4060 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
4061 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
4062
4063 // Encrypt without mentioning the unknown parameter.
4064 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4065 string message = "12345678901234567890123456789012";
4066 string ciphertext = EncryptMessage(message, params);
4067 EXPECT_EQ(message.size(), ciphertext.size());
4068
4069 // Decrypt including the unknown parameter.
4070 auto decrypt_params = AuthorizationSetBuilder()
4071 .BlockMode(BlockMode::ECB)
4072 .Padding(PaddingMode::NONE)
4073 .Authorization(unknown_param);
4074 string plaintext = DecryptMessage(ciphertext, decrypt_params);
4075 EXPECT_EQ(message, plaintext);
4076}
4077
4078/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4079 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4080 *
4081 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
4082 */
4083TEST_P(EncryptionOperationsTest, AesWrongMode) {
4084 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4085 .Authorization(TAG_NO_AUTH_REQUIRED)
4086 .AesEncryptionKey(128)
4087 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4088 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4089 ASSERT_GT(key_blob_.size(), 0U);
4090
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4091 EXPECT_EQ(
4092 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
4093 Begin(KeyPurpose::ENCRYPT,
4094 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
4095}
4096
4097/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4098 * EncryptionOperationsTest.AesWrongPadding
4099 *
4100 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
4101 */
4102TEST_P(EncryptionOperationsTest, AesWrongPadding) {
4103 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4104 .Authorization(TAG_NO_AUTH_REQUIRED)
4105 .AesEncryptionKey(128)
4106 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4107 .Padding(PaddingMode::NONE)));
4108 ASSERT_GT(key_blob_.size(), 0U);
4109
4110 EXPECT_EQ(
4111 ErrorCode::INCOMPATIBLE_PADDING_MODE,
4112 Begin(KeyPurpose::ENCRYPT,
4113 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
4114}
4115
4116/*
4117 * EncryptionOperationsTest.AesInvalidParams
4118 *
4119 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
4120 */
4121TEST_P(EncryptionOperationsTest, AesInvalidParams) {
4122 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4123 .Authorization(TAG_NO_AUTH_REQUIRED)
4124 .AesEncryptionKey(128)
4125 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4126 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4127 .Padding(PaddingMode::NONE)
4128 .Padding(PaddingMode::PKCS7)));
4129 ASSERT_GT(key_blob_.size(), 0U);
4130
4131 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4132 .BlockMode(BlockMode::CBC)
4133 .BlockMode(BlockMode::ECB)
4134 .Padding(PaddingMode::NONE));
4135 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
4136 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
4137
4138 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4139 .BlockMode(BlockMode::ECB)
4140 .Padding(PaddingMode::NONE)
4141 .Padding(PaddingMode::PKCS7));
4142 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
4143 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
4144}
4145
4146/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4147 * EncryptionOperationsTest.AesWrongPurpose
4148 *
4149 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
4150 * specified.
4151 */
4152TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
4153 auto err = GenerateKey(AuthorizationSetBuilder()
4154 .Authorization(TAG_NO_AUTH_REQUIRED)
4155 .AesKey(128)
4156 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
4157 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4158 .Authorization(TAG_MIN_MAC_LENGTH, 128)
4159 .Padding(PaddingMode::NONE));
4160 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
4161 ASSERT_GT(key_blob_.size(), 0U);
4162
4163 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
4164 .BlockMode(BlockMode::GCM)
4165 .Padding(PaddingMode::NONE)
4166 .Authorization(TAG_MAC_LENGTH, 128));
4167 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
4168
4169 CheckedDeleteKey();
4170
4171 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4172 .Authorization(TAG_NO_AUTH_REQUIRED)
4173 .AesKey(128)
4174 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
4175 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4176 .Authorization(TAG_MIN_MAC_LENGTH, 128)
4177 .Padding(PaddingMode::NONE)));
4178
4179 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
4180 .BlockMode(BlockMode::GCM)
4181 .Padding(PaddingMode::NONE)
4182 .Authorization(TAG_MAC_LENGTH, 128));
4183 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
4184}
4185
4186/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4187 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4188 *
4189 * Verifies that AES encryption fails in the correct way when provided an input that is not a
4190 * multiple of the block size and no padding is specified.
4191 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4192TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
4193 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
4194 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4195 .Authorization(TAG_NO_AUTH_REQUIRED)
4196 .AesEncryptionKey(128)
4197 .Authorization(TAG_BLOCK_MODE, blockMode)
4198 .Padding(PaddingMode::NONE)));
4199 // Message is slightly shorter than two blocks.
4200 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4201
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4202 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
4203 AuthorizationSet out_params;
4204 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
4205 string ciphertext;
4206 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
4207 EXPECT_EQ(0U, ciphertext.size());
4208
4209 CheckedDeleteKey();
4210 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4211}
4212
4213/*
4214 * EncryptionOperationsTest.AesEcbPkcs7Padding
4215 *
4216 * Verifies that AES PKCS7 padding works for any message length.
4217 */
4218TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
4219 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4220 .Authorization(TAG_NO_AUTH_REQUIRED)
4221 .AesEncryptionKey(128)
4222 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4223 .Padding(PaddingMode::PKCS7)));
4224
4225 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4226
4227 // Try various message lengths; all should work.
4228 for (size_t i = 0; i < 32; ++i) {
4229 string message(i, 'a');
4230 string ciphertext = EncryptMessage(message, params);
4231 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
4232 string plaintext = DecryptMessage(ciphertext, params);
4233 EXPECT_EQ(message, plaintext);
4234 }
4235}
4236
4237/*
4238 * EncryptionOperationsTest.AesEcbWrongPadding
4239 *
4240 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
4241 * specified.
4242 */
4243TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
4244 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4245 .Authorization(TAG_NO_AUTH_REQUIRED)
4246 .AesEncryptionKey(128)
4247 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4248 .Padding(PaddingMode::NONE)));
4249
4250 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4251
4252 // Try various message lengths; all should fail
4253 for (size_t i = 0; i < 32; ++i) {
4254 string message(i, 'a');
4255 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
4256 }
4257}
4258
4259/*
4260 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
4261 *
4262 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
4263 */
4264TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
4265 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4266 .Authorization(TAG_NO_AUTH_REQUIRED)
4267 .AesEncryptionKey(128)
4268 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
4269 .Padding(PaddingMode::PKCS7)));
4270
4271 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4272
4273 string message = "a";
4274 string ciphertext = EncryptMessage(message, params);
4275 EXPECT_EQ(16U, ciphertext.size());
4276 EXPECT_NE(ciphertext, message);
4277 ++ciphertext[ciphertext.size() / 2];
4278
4279 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4280 string plaintext;
4281 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext));
4282}
4283
4284vector<uint8_t> CopyIv(const AuthorizationSet& set) {
4285 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4286 EXPECT_TRUE(iv);
4287 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4288}
4289
4290/*
4291 * EncryptionOperationsTest.AesCtrRoundTripSuccess
4292 *
4293 * Verifies that AES CTR mode works.
4294 */
4295TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
4296 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4297 .Authorization(TAG_NO_AUTH_REQUIRED)
4298 .AesEncryptionKey(128)
4299 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4300 .Padding(PaddingMode::NONE)));
4301
4302 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
4303
4304 string message = "123";
4305 AuthorizationSet out_params;
4306 string ciphertext1 = EncryptMessage(message, params, &out_params);
4307 vector<uint8_t> iv1 = CopyIv(out_params);
4308 EXPECT_EQ(16U, iv1.size());
4309
4310 EXPECT_EQ(message.size(), ciphertext1.size());
4311
4312 out_params.Clear();
4313 string ciphertext2 = EncryptMessage(message, params, &out_params);
4314 vector<uint8_t> iv2 = CopyIv(out_params);
4315 EXPECT_EQ(16U, iv2.size());
4316
4317 // IVs should be random, so ciphertexts should differ.
4318 EXPECT_NE(ciphertext1, ciphertext2);
4319
4320 auto params_iv1 =
4321 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
4322 auto params_iv2 =
4323 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
4324
4325 string plaintext = DecryptMessage(ciphertext1, params_iv1);
4326 EXPECT_EQ(message, plaintext);
4327 plaintext = DecryptMessage(ciphertext2, params_iv2);
4328 EXPECT_EQ(message, plaintext);
4329
4330 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
4331 plaintext = DecryptMessage(ciphertext1, params_iv2);
4332 EXPECT_NE(message, plaintext);
4333 plaintext = DecryptMessage(ciphertext2, params_iv1);
4334 EXPECT_NE(message, plaintext);
4335}
4336
4337/*
4338 * EncryptionOperationsTest.AesIncremental
4339 *
4340 * Verifies that AES works, all modes, when provided data in various size increments.
4341 */
4342TEST_P(EncryptionOperationsTest, AesIncremental) {
4343 auto block_modes = {
4344 BlockMode::ECB,
4345 BlockMode::CBC,
4346 BlockMode::CTR,
4347 BlockMode::GCM,
4348 };
4349
4350 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4351 .Authorization(TAG_NO_AUTH_REQUIRED)
4352 .AesEncryptionKey(128)
4353 .BlockMode(block_modes)
4354 .Padding(PaddingMode::NONE)
4355 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4356
4357 for (int increment = 1; increment <= 240; ++increment) {
4358 for (auto block_mode : block_modes) {
4359 string message(240, 'a');
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4360 auto params =
4361 AuthorizationSetBuilder().BlockMode(block_mode).Padding(PaddingMode::NONE);
4362 if (block_mode == BlockMode::GCM) {
4363 params.Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
4364 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4365
4366 AuthorizationSet output_params;
4367 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
4368
4369 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4370 string to_send;
4371 for (size_t i = 0; i < message.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4372 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4373 }
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4374 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext))
4375 << "Error sending " << to_send << " with block mode " << block_mode;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4376
4377 switch (block_mode) {
4378 case BlockMode::GCM:
4379 EXPECT_EQ(message.size() + 16, ciphertext.size());
4380 break;
4381 case BlockMode::CTR:
4382 EXPECT_EQ(message.size(), ciphertext.size());
4383 break;
4384 case BlockMode::CBC:
4385 case BlockMode::ECB:
4386 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
4387 break;
4388 }
4389
4390 auto iv = output_params.GetTagValue(TAG_NONCE);
4391 switch (block_mode) {
4392 case BlockMode::CBC:
4393 case BlockMode::GCM:
4394 case BlockMode::CTR:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4395 ASSERT_TRUE(iv) << "No IV for block mode " << block_mode;
4396 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv->get().size());
4397 params.push_back(TAG_NONCE, iv->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4398 break;
4399
4400 case BlockMode::ECB:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4401 EXPECT_FALSE(iv) << "ECB mode should not generate IV";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4402 break;
4403 }
4404
4405 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
4406 << "Decrypt begin() failed for block mode " << block_mode;
4407
4408 string plaintext;
4409 for (size_t i = 0; i < ciphertext.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4410 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4411 }
4412 ErrorCode error = Finish(to_send, &plaintext);
4413 ASSERT_EQ(ErrorCode::OK, error) << "Decryption failed for block mode " << block_mode
4414 << " and increment " << increment;
4415 if (error == ErrorCode::OK) {
4416 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
4417 << block_mode << " and increment " << increment;
4418 }
4419 }
4420 }
4421}
4422
4423struct AesCtrSp80038aTestVector {
4424 const char* key;
4425 const char* nonce;
4426 const char* plaintext;
4427 const char* ciphertext;
4428};
4429
4430// These test vectors are taken from
4431// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
4432static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
4433 // AES-128
4434 {
4435 "2b7e151628aed2a6abf7158809cf4f3c",
4436 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4437 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4438 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4439 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
4440 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
4441 },
4442 // AES-192
4443 {
4444 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
4445 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4446 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4447 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4448 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
4449 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
4450 },
4451 // AES-256
4452 {
4453 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
4454 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
4455 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
4456 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
4457 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
4458 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
4459 },
4460};
4461
4462/*
4463 * EncryptionOperationsTest.AesCtrSp80038aTestVector
4464 *
4465 * Verifies AES CTR implementation against SP800-38A test vectors.
4466 */
4467TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
4468 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
4469 for (size_t i = 0; i < 3; i++) {
4470 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
4471 const string key = hex2str(test.key);
4472 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
4473 InvalidSizes.end())
4474 continue;
4475 const string nonce = hex2str(test.nonce);
4476 const string plaintext = hex2str(test.plaintext);
4477 const string ciphertext = hex2str(test.ciphertext);
4478 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
4479 }
4480}
4481
4482/*
4483 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
4484 *
4485 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
4486 */
4487TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
4488 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4489 .Authorization(TAG_NO_AUTH_REQUIRED)
4490 .AesEncryptionKey(128)
4491 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4492 .Padding(PaddingMode::PKCS7)));
4493 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
4494 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
4495}
4496
4497/*
4498 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
4499 *
4500 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
4501 */
4502TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
4503 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4504 .Authorization(TAG_NO_AUTH_REQUIRED)
4505 .AesEncryptionKey(128)
4506 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
4507 .Authorization(TAG_CALLER_NONCE)
4508 .Padding(PaddingMode::NONE)));
4509
4510 auto params = AuthorizationSetBuilder()
4511 .BlockMode(BlockMode::CTR)
4512 .Padding(PaddingMode::NONE)
4513 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
4514 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4515
4516 params = AuthorizationSetBuilder()
4517 .BlockMode(BlockMode::CTR)
4518 .Padding(PaddingMode::NONE)
4519 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
4520 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4521
4522 params = AuthorizationSetBuilder()
4523 .BlockMode(BlockMode::CTR)
4524 .Padding(PaddingMode::NONE)
4525 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
4526 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
4527}
4528
4529/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4530 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4531 *
4532 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
4533 */
4534TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
4535 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4536 .Authorization(TAG_NO_AUTH_REQUIRED)
4537 .AesEncryptionKey(128)
4538 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4539 .Padding(PaddingMode::NONE)));
4540 // Two-block message.
4541 string message = "12345678901234567890123456789012";
4542 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4543 AuthorizationSet out_params;
4544 string ciphertext1 = EncryptMessage(message, params, &out_params);
4545 vector<uint8_t> iv1 = CopyIv(out_params);
4546 EXPECT_EQ(message.size(), ciphertext1.size());
4547
4548 out_params.Clear();
4549
4550 string ciphertext2 = EncryptMessage(message, params, &out_params);
4551 vector<uint8_t> iv2 = CopyIv(out_params);
4552 EXPECT_EQ(message.size(), ciphertext2.size());
4553
4554 // IVs should be random, so ciphertexts should differ.
4555 EXPECT_NE(ciphertext1, ciphertext2);
4556
4557 params.push_back(TAG_NONCE, iv1);
4558 string plaintext = DecryptMessage(ciphertext1, params);
4559 EXPECT_EQ(message, plaintext);
4560}
4561
4562/*
4563 * EncryptionOperationsTest.AesCallerNonce
4564 *
4565 * Verifies that AES caller-provided nonces work correctly.
4566 */
4567TEST_P(EncryptionOperationsTest, AesCallerNonce) {
4568 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4569 .Authorization(TAG_NO_AUTH_REQUIRED)
4570 .AesEncryptionKey(128)
4571 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4572 .Authorization(TAG_CALLER_NONCE)
4573 .Padding(PaddingMode::NONE)));
4574
4575 string message = "12345678901234567890123456789012";
4576
4577 // Don't specify nonce, should get a random one.
4578 AuthorizationSetBuilder params =
4579 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4580 AuthorizationSet out_params;
4581 string ciphertext = EncryptMessage(message, params, &out_params);
4582 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4583 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4584
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4585 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4586 string plaintext = DecryptMessage(ciphertext, params);
4587 EXPECT_EQ(message, plaintext);
4588
4589 // Now specify a nonce, should also work.
4590 params = AuthorizationSetBuilder()
4591 .BlockMode(BlockMode::CBC)
4592 .Padding(PaddingMode::NONE)
4593 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
4594 out_params.Clear();
4595 ciphertext = EncryptMessage(message, params, &out_params);
4596
4597 // Decrypt with correct nonce.
4598 plaintext = DecryptMessage(ciphertext, params);
4599 EXPECT_EQ(message, plaintext);
4600
4601 // Try with wrong nonce.
4602 params = AuthorizationSetBuilder()
4603 .BlockMode(BlockMode::CBC)
4604 .Padding(PaddingMode::NONE)
4605 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
4606 plaintext = DecryptMessage(ciphertext, params);
4607 EXPECT_NE(message, plaintext);
4608}
4609
4610/*
4611 * EncryptionOperationsTest.AesCallerNonceProhibited
4612 *
4613 * Verifies that caller-provided nonces are not permitted when not specified in the key
4614 * authorizations.
4615 */
4616TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
4617 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4618 .Authorization(TAG_NO_AUTH_REQUIRED)
4619 .AesEncryptionKey(128)
4620 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
4621 .Padding(PaddingMode::NONE)));
4622
4623 string message = "12345678901234567890123456789012";
4624
4625 // Don't specify nonce, should get a random one.
4626 AuthorizationSetBuilder params =
4627 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
4628 AuthorizationSet out_params;
4629 string ciphertext = EncryptMessage(message, params, &out_params);
4630 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4631 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4632
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4633 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4634 string plaintext = DecryptMessage(ciphertext, params);
4635 EXPECT_EQ(message, plaintext);
4636
4637 // Now specify a nonce, should fail
4638 params = AuthorizationSetBuilder()
4639 .BlockMode(BlockMode::CBC)
4640 .Padding(PaddingMode::NONE)
4641 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
4642 out_params.Clear();
4643 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
4644}
4645
4646/*
4647 * EncryptionOperationsTest.AesGcmRoundTripSuccess
4648 *
4649 * Verifies that AES GCM mode works.
4650 */
4651TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
4652 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4653 .Authorization(TAG_NO_AUTH_REQUIRED)
4654 .AesEncryptionKey(128)
4655 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4656 .Padding(PaddingMode::NONE)
4657 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4658
4659 string aad = "foobar";
4660 string message = "123456789012345678901234567890123456";
4661
4662 auto begin_params = AuthorizationSetBuilder()
4663 .BlockMode(BlockMode::GCM)
4664 .Padding(PaddingMode::NONE)
4665 .Authorization(TAG_MAC_LENGTH, 128);
4666
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4667 // Encrypt
4668 AuthorizationSet begin_out_params;
4669 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
4670 << "Begin encrypt";
4671 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4672 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
4673 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4674 ASSERT_EQ(ciphertext.length(), message.length() + 16);
4675
4676 // Grab nonce
4677 begin_params.push_back(begin_out_params);
4678
4679 // Decrypt.
4680 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4681 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4682 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4683 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4684 EXPECT_EQ(message.length(), plaintext.length());
4685 EXPECT_EQ(message, plaintext);
4686}
4687
4688/*
4689 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
4690 *
4691 * Verifies that AES GCM mode works, even when there's a long delay
4692 * between operations.
4693 */
4694TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
4695 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4696 .Authorization(TAG_NO_AUTH_REQUIRED)
4697 .AesEncryptionKey(128)
4698 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4699 .Padding(PaddingMode::NONE)
4700 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4701
4702 string aad = "foobar";
4703 string message = "123456789012345678901234567890123456";
4704
4705 auto begin_params = AuthorizationSetBuilder()
4706 .BlockMode(BlockMode::GCM)
4707 .Padding(PaddingMode::NONE)
4708 .Authorization(TAG_MAC_LENGTH, 128);
4709
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4710 // Encrypt
4711 AuthorizationSet begin_out_params;
4712 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
4713 << "Begin encrypt";
4714 string ciphertext;
4715 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4716 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4717 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4718 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4719
4720 ASSERT_EQ(ciphertext.length(), message.length() + 16);
4721
4722 // Grab nonce
4723 begin_params.push_back(begin_out_params);
4724
4725 // Decrypt.
4726 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
4727 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4728 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4729 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4730 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4731 sleep(5);
4732 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
4733 EXPECT_EQ(message.length(), plaintext.length());
4734 EXPECT_EQ(message, plaintext);
4735}
4736
4737/*
4738 * EncryptionOperationsTest.AesGcmDifferentNonces
4739 *
4740 * Verifies that encrypting the same data with different nonces produces different outputs.
4741 */
4742TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
4743 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4744 .Authorization(TAG_NO_AUTH_REQUIRED)
4745 .AesEncryptionKey(128)
4746 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4747 .Padding(PaddingMode::NONE)
4748 .Authorization(TAG_MIN_MAC_LENGTH, 128)
4749 .Authorization(TAG_CALLER_NONCE)));
4750
4751 string aad = "foobar";
4752 string message = "123456789012345678901234567890123456";
4753 string nonce1 = "000000000000";
4754 string nonce2 = "111111111111";
4755 string nonce3 = "222222222222";
4756
4757 string ciphertext1 =
4758 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
4759 string ciphertext2 =
4760 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
4761 string ciphertext3 =
4762 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
4763
4764 ASSERT_NE(ciphertext1, ciphertext2);
4765 ASSERT_NE(ciphertext1, ciphertext3);
4766 ASSERT_NE(ciphertext2, ciphertext3);
4767}
4768
4769/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4770 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
4771 *
4772 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
4773 */
4774TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
4775 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4776 .Authorization(TAG_NO_AUTH_REQUIRED)
4777 .AesEncryptionKey(128)
4778 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
4779 .Padding(PaddingMode::NONE)
4780 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4781
4782 string aad = "foobar";
4783 string message = "123456789012345678901234567890123456";
4784
4785 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
4786 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
4787 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
4788
4789 ASSERT_NE(ciphertext1, ciphertext2);
4790 ASSERT_NE(ciphertext1, ciphertext3);
4791 ASSERT_NE(ciphertext2, ciphertext3);
4792}
4793
4794/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4795 * EncryptionOperationsTest.AesGcmTooShortTag
4796 *
4797 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
4798 */
4799TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
4800 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4801 .Authorization(TAG_NO_AUTH_REQUIRED)
4802 .AesEncryptionKey(128)
4803 .BlockMode(BlockMode::GCM)
4804 .Padding(PaddingMode::NONE)
4805 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4806 string message = "123456789012345678901234567890123456";
4807 auto params = AuthorizationSetBuilder()
4808 .BlockMode(BlockMode::GCM)
4809 .Padding(PaddingMode::NONE)
4810 .Authorization(TAG_MAC_LENGTH, 96);
4811
4812 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
4813}
4814
4815/*
4816 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
4817 *
4818 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
4819 */
4820TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
4821 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4822 .Authorization(TAG_NO_AUTH_REQUIRED)
4823 .AesEncryptionKey(128)
4824 .BlockMode(BlockMode::GCM)
4825 .Padding(PaddingMode::NONE)
4826 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4827 string aad = "foobar";
4828 string message = "123456789012345678901234567890123456";
4829 auto params = AuthorizationSetBuilder()
4830 .BlockMode(BlockMode::GCM)
4831 .Padding(PaddingMode::NONE)
4832 .Authorization(TAG_MAC_LENGTH, 128);
4833
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4834 // Encrypt
4835 AuthorizationSet begin_out_params;
4836 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
4837 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]4838 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4839
4840 AuthorizationSet finish_out_params;
4841 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4842 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
4843 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4844
4845 params = AuthorizationSetBuilder()
4846 .Authorizations(begin_out_params)
4847 .BlockMode(BlockMode::GCM)
4848 .Padding(PaddingMode::NONE)
4849 .Authorization(TAG_MAC_LENGTH, 96);
4850
4851 // Decrypt.
4852 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
4853}
4854
4855/*
4856 * EncryptionOperationsTest.AesGcmCorruptKey
4857 *
4858 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
4859 */
4860TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
4861 const uint8_t nonce_bytes[] = {
4862 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
4863 };
4864 string nonce = make_string(nonce_bytes);
4865 const uint8_t ciphertext_bytes[] = {
4866 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
4867 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
4868 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
4869 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
4870 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
4871 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
4872 };
4873 string ciphertext = make_string(ciphertext_bytes);
4874
4875 auto params = AuthorizationSetBuilder()
4876 .BlockMode(BlockMode::GCM)
4877 .Padding(PaddingMode::NONE)
4878 .Authorization(TAG_MAC_LENGTH, 128)
4879 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
4880
4881 auto import_params = AuthorizationSetBuilder()
4882 .Authorization(TAG_NO_AUTH_REQUIRED)
4883 .AesEncryptionKey(128)
4884 .BlockMode(BlockMode::GCM)
4885 .Padding(PaddingMode::NONE)
4886 .Authorization(TAG_CALLER_NONCE)
4887 .Authorization(TAG_MIN_MAC_LENGTH, 128);
4888
4889 // Import correct key and decrypt
4890 const uint8_t key_bytes[] = {
4891 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
4892 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
4893 };
4894 string key = make_string(key_bytes);
4895 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
4896 string plaintext = DecryptMessage(ciphertext, params);
4897 CheckedDeleteKey();
4898
4899 // Corrupt key and attempt to decrypt
4900 key[0] = 0;
4901 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
4902 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4903 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
4904 CheckedDeleteKey();
4905}
4906
4907/*
4908 * EncryptionOperationsTest.AesGcmAadNoData
4909 *
4910 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
4911 * encrypt.
4912 */
4913TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
4914 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4915 .Authorization(TAG_NO_AUTH_REQUIRED)
4916 .AesEncryptionKey(128)
4917 .BlockMode(BlockMode::GCM)
4918 .Padding(PaddingMode::NONE)
4919 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4920
4921 string aad = "1234567890123456";
4922 auto params = AuthorizationSetBuilder()
4923 .BlockMode(BlockMode::GCM)
4924 .Padding(PaddingMode::NONE)
4925 .Authorization(TAG_MAC_LENGTH, 128);
4926
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4927 // Encrypt
4928 AuthorizationSet begin_out_params;
4929 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
4930 string ciphertext;
4931 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4932 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
4933 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4934 EXPECT_TRUE(finish_out_params.empty());
4935
4936 // Grab nonce
4937 params.push_back(begin_out_params);
4938
4939 // Decrypt.
4940 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4941 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4942 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4943 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4944
4945 EXPECT_TRUE(finish_out_params.empty());
4946
4947 EXPECT_EQ("", plaintext);
4948}
4949
4950/*
4951 * EncryptionOperationsTest.AesGcmMultiPartAad
4952 *
4953 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
4954 * chunks.
4955 */
4956TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
4957 const size_t tag_bits = 128;
4958 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4959 .Authorization(TAG_NO_AUTH_REQUIRED)
4960 .AesEncryptionKey(128)
4961 .BlockMode(BlockMode::GCM)
4962 .Padding(PaddingMode::NONE)
4963 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4964
4965 string message = "123456789012345678901234567890123456";
4966 auto begin_params = AuthorizationSetBuilder()
4967 .BlockMode(BlockMode::GCM)
4968 .Padding(PaddingMode::NONE)
4969 .Authorization(TAG_MAC_LENGTH, tag_bits);
4970 AuthorizationSet begin_out_params;
4971
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4972 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
4973
4974 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4975 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
4976 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4977 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4978 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
4979 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4980
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4981 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4982 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4983
4984 // Grab nonce.
4985 begin_params.push_back(begin_out_params);
4986
4987 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4988 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4989 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4990 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]4991 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4992 EXPECT_EQ(message, plaintext);
4993}
4994
4995/*
4996 * EncryptionOperationsTest.AesGcmAadOutOfOrder
4997 *
4998 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
4999 */
5000TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
5001 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5002 .Authorization(TAG_NO_AUTH_REQUIRED)
5003 .AesEncryptionKey(128)
5004 .BlockMode(BlockMode::GCM)
5005 .Padding(PaddingMode::NONE)
5006 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5007
5008 string message = "123456789012345678901234567890123456";
5009 auto begin_params = AuthorizationSetBuilder()
5010 .BlockMode(BlockMode::GCM)
5011 .Padding(PaddingMode::NONE)
5012 .Authorization(TAG_MAC_LENGTH, 128);
5013 AuthorizationSet begin_out_params;
5014
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5015 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
5016
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5017 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5018 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5019 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
5020 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5021
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5022 // The failure should have already cancelled the operation.
5023 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
5024
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5025 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5026}
5027
5028/*
5029 * EncryptionOperationsTest.AesGcmBadAad
5030 *
5031 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
5032 */
5033TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
5034 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5035 .Authorization(TAG_NO_AUTH_REQUIRED)
5036 .AesEncryptionKey(128)
5037 .BlockMode(BlockMode::GCM)
5038 .Padding(PaddingMode::NONE)
5039 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5040
5041 string message = "12345678901234567890123456789012";
5042 auto begin_params = AuthorizationSetBuilder()
5043 .BlockMode(BlockMode::GCM)
5044 .Padding(PaddingMode::NONE)
5045 .Authorization(TAG_MAC_LENGTH, 128);
5046
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5047 // Encrypt
5048 AuthorizationSet begin_out_params;
5049 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5050 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5051 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5052 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5053
5054 // Grab nonce
5055 begin_params.push_back(begin_out_params);
5056
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5057 // Decrypt.
5058 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5059 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5060 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5061 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5062}
5063
5064/*
5065 * EncryptionOperationsTest.AesGcmWrongNonce
5066 *
5067 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
5068 */
5069TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
5070 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5071 .Authorization(TAG_NO_AUTH_REQUIRED)
5072 .AesEncryptionKey(128)
5073 .BlockMode(BlockMode::GCM)
5074 .Padding(PaddingMode::NONE)
5075 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5076
5077 string message = "12345678901234567890123456789012";
5078 auto begin_params = AuthorizationSetBuilder()
5079 .BlockMode(BlockMode::GCM)
5080 .Padding(PaddingMode::NONE)
5081 .Authorization(TAG_MAC_LENGTH, 128);
5082
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5083 // Encrypt
5084 AuthorizationSet begin_out_params;
5085 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5086 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5087 string ciphertext;
5088 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5089 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5090
5091 // Wrong nonce
5092 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
5093
5094 // Decrypt.
5095 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5096 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5097 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5098 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5099
5100 // With wrong nonce, should have gotten garbage plaintext (or none).
5101 EXPECT_NE(message, plaintext);
5102}
5103
5104/*
5105 * EncryptionOperationsTest.AesGcmCorruptTag
5106 *
5107 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
5108 */
5109TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
5110 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5111 .Authorization(TAG_NO_AUTH_REQUIRED)
5112 .AesEncryptionKey(128)
5113 .BlockMode(BlockMode::GCM)
5114 .Padding(PaddingMode::NONE)
5115 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5116
5117 string aad = "1234567890123456";
5118 string message = "123456789012345678901234567890123456";
5119
5120 auto params = AuthorizationSetBuilder()
5121 .BlockMode(BlockMode::GCM)
5122 .Padding(PaddingMode::NONE)
5123 .Authorization(TAG_MAC_LENGTH, 128);
5124
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5125 // Encrypt
5126 AuthorizationSet begin_out_params;
5127 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5128 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5129 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5130 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5131
5132 // Corrupt tag
5133 ++(*ciphertext.rbegin());
5134
5135 // Grab nonce
5136 params.push_back(begin_out_params);
5137
5138 // Decrypt.
5139 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5140 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5141 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5142 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5143}
5144
5145/*
5146 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
5147 *
5148 * Verifies that 3DES is basically functional.
5149 */
5150TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
5151 auto auths = AuthorizationSetBuilder()
5152 .TripleDesEncryptionKey(168)
5153 .BlockMode(BlockMode::ECB)
5154 .Authorization(TAG_NO_AUTH_REQUIRED)
5155 .Padding(PaddingMode::NONE);
5156
5157 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
5158 // Two-block message.
5159 string message = "1234567890123456";
5160 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5161 string ciphertext1 = EncryptMessage(message, inParams);
5162 EXPECT_EQ(message.size(), ciphertext1.size());
5163
5164 string ciphertext2 = EncryptMessage(string(message), inParams);
5165 EXPECT_EQ(message.size(), ciphertext2.size());
5166
5167 // ECB is deterministic.
5168 EXPECT_EQ(ciphertext1, ciphertext2);
5169
5170 string plaintext = DecryptMessage(ciphertext1, inParams);
5171 EXPECT_EQ(message, plaintext);
5172}
5173
5174/*
5175 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
5176 *
5177 * Verifies that CBC keys reject ECB usage.
5178 */
5179TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
5180 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5181 .TripleDesEncryptionKey(168)
5182 .BlockMode(BlockMode::CBC)
5183 .Authorization(TAG_NO_AUTH_REQUIRED)
5184 .Padding(PaddingMode::NONE)));
5185
5186 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5187 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
5188}
5189
5190/*
5191 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
5192 *
5193 * Tests ECB mode with PKCS#7 padding, various message sizes.
5194 */
5195TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
5196 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5197 .TripleDesEncryptionKey(168)
5198 .BlockMode(BlockMode::ECB)
5199 .Authorization(TAG_NO_AUTH_REQUIRED)
5200 .Padding(PaddingMode::PKCS7)));
5201
5202 for (size_t i = 0; i < 32; ++i) {
5203 string message(i, 'a');
5204 auto inParams =
5205 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5206 string ciphertext = EncryptMessage(message, inParams);
5207 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
5208 string plaintext = DecryptMessage(ciphertext, inParams);
5209 EXPECT_EQ(message, plaintext);
5210 }
5211}
5212
5213/*
5214 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
5215 *
5216 * Verifies that keys configured for no padding reject PKCS7 padding
5217 */
5218TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
5219 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5220 .TripleDesEncryptionKey(168)
5221 .BlockMode(BlockMode::ECB)
5222 .Authorization(TAG_NO_AUTH_REQUIRED)
5223 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5224 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5225 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5226}
5227
5228/*
5229 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
5230 *
5231 * Verifies that corrupted padding is detected.
5232 */
5233TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
5234 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5235 .TripleDesEncryptionKey(168)
5236 .BlockMode(BlockMode::ECB)
5237 .Authorization(TAG_NO_AUTH_REQUIRED)
5238 .Padding(PaddingMode::PKCS7)));
5239
5240 string message = "a";
5241 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
5242 EXPECT_EQ(8U, ciphertext.size());
5243 EXPECT_NE(ciphertext, message);
5244 ++ciphertext[ciphertext.size() / 2];
5245
5246 AuthorizationSetBuilder begin_params;
5247 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
5248 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
5249 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
5250 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5251 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5252 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
5253}
5254
5255struct TripleDesTestVector {
5256 const char* name;
5257 const KeyPurpose purpose;
5258 const BlockMode block_mode;
5259 const PaddingMode padding_mode;
5260 const char* key;
5261 const char* iv;
5262 const char* input;
5263 const char* output;
5264};
5265
5266// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
5267// of the NIST vectors are multiples of the block size.
5268static const TripleDesTestVector kTripleDesTestVectors[] = {
5269 {
5270 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
5271 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
5272 "", // IV
5273 "329d86bdf1bc5af4", // input
5274 "d946c2756d78633f", // output
5275 },
5276 {
5277 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
5278 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
5279 "", // IV
5280 "6b1540781b01ce1997adae102dbf3c5b", // input
5281 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
5282 },
5283 {
5284 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
5285 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
5286 "", // IV
5287 "6daad94ce08acfe7", // input
5288 "660e7d32dcc90e79", // output
5289 },
5290 {
5291 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
5292 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
5293 "", // IV
5294 "e9653a0a1f05d31b9acd12d73aa9879d", // input
5295 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
5296 },
5297 {
5298 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
5299 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
5300 "43f791134c5647ba", // IV
5301 "dcc153cef81d6f24", // input
5302 "92538bd8af18d3ba", // output
5303 },
5304 {
5305 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
5306 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5307 "c2e999cb6249023c", // IV
5308 "c689aee38a301bb316da75db36f110b5", // input
5309 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
5310 },
5311 {
5312 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
5313 PaddingMode::PKCS7,
5314 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5315 "c2e999cb6249023c", // IV
5316 "c689aee38a301bb316da75db36f110b500", // input
5317 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
5318 },
5319 {
5320 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
5321 PaddingMode::PKCS7,
5322 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
5323 "c2e999cb6249023c", // IV
5324 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
5325 "c689aee38a301bb316da75db36f110b500", // output
5326 },
5327 {
5328 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
5329 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
5330 "41746c7e442d3681", // IV
5331 "c53a7b0ec40600fe", // input
5332 "d4f00eb455de1034", // output
5333 },
5334 {
5335 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
5336 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
5337 "3982bc02c3727d45", // IV
5338 "6006f10adef52991fcc777a1238bbb65", // input
5339 "edae09288e9e3bc05746d872b48e3b29", // output
5340 },
5341};
5342
5343/*
5344 * EncryptionOperationsTest.TripleDesTestVector
5345 *
5346 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
5347 */
5348TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
5349 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
5350 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
5351 SCOPED_TRACE(test->name);
5352 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
5353 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
5354 hex2str(test->output));
5355 }
5356}
5357
5358/*
5359 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
5360 *
5361 * Validates CBC mode functionality.
5362 */
5363TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
5364 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5365 .TripleDesEncryptionKey(168)
5366 .BlockMode(BlockMode::CBC)
5367 .Authorization(TAG_NO_AUTH_REQUIRED)
5368 .Padding(PaddingMode::NONE)));
5369
5370 ASSERT_GT(key_blob_.size(), 0U);
5371
5372 // Two-block message.
5373 string message = "1234567890123456";
5374 vector<uint8_t> iv1;
5375 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
5376 EXPECT_EQ(message.size(), ciphertext1.size());
5377
5378 vector<uint8_t> iv2;
5379 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
5380 EXPECT_EQ(message.size(), ciphertext2.size());
5381
5382 // IVs should be random, so ciphertexts should differ.
5383 EXPECT_NE(iv1, iv2);
5384 EXPECT_NE(ciphertext1, ciphertext2);
5385
5386 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
5387 EXPECT_EQ(message, plaintext);
5388}
5389
5390/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5391 * EncryptionOperationsTest.TripleDesInvalidCallerIv
5392 *
5393 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
5394 */
5395TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
5396 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5397 .TripleDesEncryptionKey(168)
5398 .BlockMode(BlockMode::CBC)
5399 .Authorization(TAG_NO_AUTH_REQUIRED)
5400 .Authorization(TAG_CALLER_NONCE)
5401 .Padding(PaddingMode::NONE)));
5402 auto params = AuthorizationSetBuilder()
5403 .BlockMode(BlockMode::CBC)
5404 .Padding(PaddingMode::NONE)
5405 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
5406 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5407}
5408
5409/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5410 * EncryptionOperationsTest.TripleDesCallerIv
5411 *
5412 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
5413 */
5414TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
5415 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5416 .TripleDesEncryptionKey(168)
5417 .BlockMode(BlockMode::CBC)
5418 .Authorization(TAG_NO_AUTH_REQUIRED)
5419 .Authorization(TAG_CALLER_NONCE)
5420 .Padding(PaddingMode::NONE)));
5421 string message = "1234567890123456";
5422 vector<uint8_t> iv;
5423 // Don't specify IV, should get a random one.
5424 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
5425 EXPECT_EQ(message.size(), ciphertext1.size());
5426 EXPECT_EQ(8U, iv.size());
5427
5428 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
5429 EXPECT_EQ(message, plaintext);
5430
5431 // Now specify an IV, should also work.
5432 iv = AidlBuf("abcdefgh");
5433 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
5434
5435 // Decrypt with correct IV.
5436 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
5437 EXPECT_EQ(message, plaintext);
5438
5439 // Now try with wrong IV.
5440 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
5441 EXPECT_NE(message, plaintext);
5442}
5443
5444/*
5445 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
5446 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5447 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5448 */
5449TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
5450 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5451 .TripleDesEncryptionKey(168)
5452 .BlockMode(BlockMode::CBC)
5453 .Authorization(TAG_NO_AUTH_REQUIRED)
5454 .Padding(PaddingMode::NONE)));
5455
5456 string message = "12345678901234567890123456789012";
5457 vector<uint8_t> iv;
5458 // Don't specify nonce, should get a random one.
5459 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
5460 EXPECT_EQ(message.size(), ciphertext1.size());
5461 EXPECT_EQ(8U, iv.size());
5462
5463 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
5464 EXPECT_EQ(message, plaintext);
5465
5466 // Now specify a nonce, should fail.
5467 auto input_params = AuthorizationSetBuilder()
5468 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
5469 .BlockMode(BlockMode::CBC)
5470 .Padding(PaddingMode::NONE);
5471 AuthorizationSet output_params;
5472 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
5473 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
5474}
5475
5476/*
5477 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
5478 *
5479 * Verifies that 3DES ECB-only keys do not allow CBC usage.
5480 */
5481TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
5482 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5483 .TripleDesEncryptionKey(168)
5484 .BlockMode(BlockMode::ECB)
5485 .Authorization(TAG_NO_AUTH_REQUIRED)
5486 .Padding(PaddingMode::NONE)));
5487 // Two-block message.
5488 string message = "1234567890123456";
5489 auto begin_params =
5490 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5491 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
5492}
5493
5494/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5495 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5496 *
5497 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
5498 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5499TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
5500 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
5501 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5502 .TripleDesEncryptionKey(168)
5503 .BlockMode(blockMode)
5504 .Authorization(TAG_NO_AUTH_REQUIRED)
5505 .Padding(PaddingMode::NONE)));
5506 // Message is slightly shorter than two blocks.
5507 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5508
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5509 auto begin_params =
5510 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5511 AuthorizationSet output_params;
5512 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
5513 string ciphertext;
5514 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
5515
5516 CheckedDeleteKey();
5517 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5518}
5519
5520/*
5521 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
5522 *
5523 * Verifies that PKCS7 padding works correctly in CBC mode.
5524 */
5525TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
5526 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5527 .TripleDesEncryptionKey(168)
5528 .BlockMode(BlockMode::CBC)
5529 .Authorization(TAG_NO_AUTH_REQUIRED)
5530 .Padding(PaddingMode::PKCS7)));
5531
5532 // Try various message lengths; all should work.
5533 for (size_t i = 0; i < 32; ++i) {
5534 string message(i, 'a');
5535 vector<uint8_t> iv;
5536 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
5537 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
5538 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
5539 EXPECT_EQ(message, plaintext);
5540 }
5541}
5542
5543/*
5544 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
5545 *
5546 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
5547 */
5548TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
5549 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5550 .TripleDesEncryptionKey(168)
5551 .BlockMode(BlockMode::CBC)
5552 .Authorization(TAG_NO_AUTH_REQUIRED)
5553 .Padding(PaddingMode::NONE)));
5554
5555 // Try various message lengths; all should fail.
5556 for (size_t i = 0; i < 32; ++i) {
5557 auto begin_params =
5558 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
5559 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
5560 }
5561}
5562
5563/*
5564 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
5565 *
5566 * Verifies that corrupted PKCS7 padding is rejected during decryption.
5567 */
5568TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
5569 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5570 .TripleDesEncryptionKey(168)
5571 .BlockMode(BlockMode::CBC)
5572 .Authorization(TAG_NO_AUTH_REQUIRED)
5573 .Padding(PaddingMode::PKCS7)));
5574
5575 string message = "a";
5576 vector<uint8_t> iv;
5577 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
5578 EXPECT_EQ(8U, ciphertext.size());
5579 EXPECT_NE(ciphertext, message);
5580 ++ciphertext[ciphertext.size() / 2];
5581
5582 auto begin_params = AuthorizationSetBuilder()
5583 .BlockMode(BlockMode::CBC)
5584 .Padding(PaddingMode::PKCS7)
5585 .Authorization(TAG_NONCE, iv);
5586 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
5587 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5588 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5589 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
5590}
5591
5592/*
5593 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
5594 *
5595 * Verifies that 3DES CBC works with many different input sizes.
5596 */
5597TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
5598 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5599 .TripleDesEncryptionKey(168)
5600 .BlockMode(BlockMode::CBC)
5601 .Authorization(TAG_NO_AUTH_REQUIRED)
5602 .Padding(PaddingMode::NONE)));
5603
5604 int increment = 7;
5605 string message(240, 'a');
5606 AuthorizationSet input_params =
5607 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5608 AuthorizationSet output_params;
5609 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
5610
5611 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5612 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5613 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5614 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
5615 EXPECT_EQ(message.size(), ciphertext.size());
5616
5617 // Move TAG_NONCE into input_params
5618 input_params = output_params;
5619 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
5620 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
5621 output_params.Clear();
5622
5623 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
5624 string plaintext;
5625 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5626 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5627 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
5628 EXPECT_EQ(ciphertext.size(), plaintext.size());
5629 EXPECT_EQ(message, plaintext);
5630}
5631
5632INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
5633
5634typedef KeyMintAidlTestBase MaxOperationsTest;
5635
5636/*
5637 * MaxOperationsTest.TestLimitAes
5638 *
5639 * Verifies that the max uses per boot tag works correctly with AES keys.
5640 */
5641TEST_P(MaxOperationsTest, TestLimitAes) {
5642 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5643
5644 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5645 .Authorization(TAG_NO_AUTH_REQUIRED)
5646 .AesEncryptionKey(128)
5647 .EcbMode()
5648 .Padding(PaddingMode::NONE)
5649 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
5650
5651 string message = "1234567890123456";
5652
5653 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
5654
5655 EncryptMessage(message, params);
5656 EncryptMessage(message, params);
5657 EncryptMessage(message, params);
5658
5659 // Fourth time should fail.
5660 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
5661}
5662
5663/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5664 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5665 *
5666 * Verifies that the max uses per boot tag works correctly with RSA keys.
5667 */
5668TEST_P(MaxOperationsTest, TestLimitRsa) {
5669 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5670
5671 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5672 .Authorization(TAG_NO_AUTH_REQUIRED)
5673 .RsaSigningKey(1024, 65537)
5674 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5675 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
5676 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5677
5678 string message = "1234567890123456";
5679
5680 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
5681
5682 SignMessage(message, params);
5683 SignMessage(message, params);
5684 SignMessage(message, params);
5685
5686 // Fourth time should fail.
5687 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
5688}
5689
5690INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
5691
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5692typedef KeyMintAidlTestBase UsageCountLimitTest;
5693
5694/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5695 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5696 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5697 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5698 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5699TEST_P(UsageCountLimitTest, TestSingleUseAes) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5700 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5701
5702 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5703 .Authorization(TAG_NO_AUTH_REQUIRED)
5704 .AesEncryptionKey(128)
5705 .EcbMode()
5706 .Padding(PaddingMode::NONE)
5707 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
5708
5709 // Check the usage count limit tag appears in the authorizations.
5710 AuthorizationSet auths;
5711 for (auto& entry : key_characteristics_) {
5712 auths.push_back(AuthorizationSet(entry.authorizations));
5713 }
5714 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
5715 << "key usage count limit " << 1U << " missing";
5716
5717 string message = "1234567890123456";
5718 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
5719
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5720 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
5721 AuthorizationSet keystore_auths =
5722 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
5723
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5724 // First usage of AES key should work.
5725 EncryptMessage(message, params);
5726
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5727 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
5728 // Usage count limit tag is enforced by hardware. After using the key, the key blob
5729 // must be invalidated from secure storage (such as RPMB partition).
5730 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
5731 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5732 // Usage count limit tag is enforced by keystore, keymint does nothing.
5733 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5734 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
5735 }
5736}
5737
5738/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5739 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5740 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5741 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5742 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5743TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
5744 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5745
5746 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5747 .Authorization(TAG_NO_AUTH_REQUIRED)
5748 .AesEncryptionKey(128)
5749 .EcbMode()
5750 .Padding(PaddingMode::NONE)
5751 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
5752
5753 // Check the usage count limit tag appears in the authorizations.
5754 AuthorizationSet auths;
5755 for (auto& entry : key_characteristics_) {
5756 auths.push_back(AuthorizationSet(entry.authorizations));
5757 }
5758 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
5759 << "key usage count limit " << 3U << " missing";
5760
5761 string message = "1234567890123456";
5762 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
5763
5764 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
5765 AuthorizationSet keystore_auths =
5766 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
5767
5768 EncryptMessage(message, params);
5769 EncryptMessage(message, params);
5770 EncryptMessage(message, params);
5771
5772 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
5773 // Usage count limit tag is enforced by hardware. After using the key, the key blob
5774 // must be invalidated from secure storage (such as RPMB partition).
5775 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
5776 } else {
5777 // Usage count limit tag is enforced by keystore, keymint does nothing.
5778 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
5779 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
5780 }
5781}
5782
5783/*
5784 * UsageCountLimitTest.TestSingleUseRsa
5785 *
5786 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
5787 */
5788TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5789 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5790
5791 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5792 .Authorization(TAG_NO_AUTH_REQUIRED)
5793 .RsaSigningKey(1024, 65537)
5794 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5795 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
5796 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5797
5798 // Check the usage count limit tag appears in the authorizations.
5799 AuthorizationSet auths;
5800 for (auto& entry : key_characteristics_) {
5801 auths.push_back(AuthorizationSet(entry.authorizations));
5802 }
5803 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
5804 << "key usage count limit " << 1U << " missing";
5805
5806 string message = "1234567890123456";
5807 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
5808
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5809 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
5810 AuthorizationSet keystore_auths =
5811 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
5812
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5813 // First usage of RSA key should work.
5814 SignMessage(message, params);
5815
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5816 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
5817 // Usage count limit tag is enforced by hardware. After using the key, the key blob
5818 // must be invalidated from secure storage (such as RPMB partition).
5819 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
5820 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5821 // Usage count limit tag is enforced by keystore, keymint does nothing.
5822 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
5823 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
5824 }
5825}
5826
5827/*
5828 * UsageCountLimitTest.TestLimitUseRsa
5829 *
5830 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
5831 */
5832TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
5833 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5834
5835 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5836 .Authorization(TAG_NO_AUTH_REQUIRED)
5837 .RsaSigningKey(1024, 65537)
5838 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5839 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
5840 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]5841
5842 // Check the usage count limit tag appears in the authorizations.
5843 AuthorizationSet auths;
5844 for (auto& entry : key_characteristics_) {
5845 auths.push_back(AuthorizationSet(entry.authorizations));
5846 }
5847 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
5848 << "key usage count limit " << 3U << " missing";
5849
5850 string message = "1234567890123456";
5851 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
5852
5853 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
5854 AuthorizationSet keystore_auths =
5855 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
5856
5857 SignMessage(message, params);
5858 SignMessage(message, params);
5859 SignMessage(message, params);
5860
5861 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
5862 // Usage count limit tag is enforced by hardware. After using the key, the key blob
5863 // must be invalidated from secure storage (such as RPMB partition).
5864 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
5865 } else {
5866 // Usage count limit tag is enforced by keystore, keymint does nothing.
5867 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5868 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
5869 }
5870}
5871
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]5872/*
5873 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
5874 *
5875 * Verifies that when rollback resistance is supported by the KeyMint implementation with
5876 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
5877 * in hardware.
5878 */
5879TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
5880 if (SecLevel() == SecurityLevel::STRONGBOX) return;
5881
5882 auto error = GenerateKey(AuthorizationSetBuilder()
5883 .RsaSigningKey(2048, 65537)
5884 .Digest(Digest::NONE)
5885 .Padding(PaddingMode::NONE)
5886 .Authorization(TAG_NO_AUTH_REQUIRED)
5887 .Authorization(TAG_ROLLBACK_RESISTANCE)
5888 .SetDefaultValidity());
5889 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
5890
5891 if (error == ErrorCode::OK) {
5892 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
5893 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
5894 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
5895 ASSERT_EQ(ErrorCode::OK, DeleteKey());
5896
5897 // The KeyMint should also enforce single use key in hardware when it supports rollback
5898 // resistance.
5899 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5900 .Authorization(TAG_NO_AUTH_REQUIRED)
5901 .RsaSigningKey(1024, 65537)
5902 .NoDigestOrPadding()
5903 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
5904 .SetDefaultValidity()));
5905
5906 // Check the usage count limit tag appears in the hardware authorizations.
5907 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
5908 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
5909 << "key usage count limit " << 1U << " missing";
5910
5911 string message = "1234567890123456";
5912 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
5913
5914 // First usage of RSA key should work.
5915 SignMessage(message, params);
5916
5917 // Usage count limit tag is enforced by hardware. After using the key, the key blob
5918 // must be invalidated from secure storage (such as RPMB partition).
5919 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
5920 }
5921}
5922
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]5923INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
5924
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5925typedef KeyMintAidlTestBase GetHardwareInfoTest;
5926
5927TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
5928 // Retrieving hardware info should give the same result each time.
5929 KeyMintHardwareInfo info;
5930 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
5931 KeyMintHardwareInfo info2;
5932 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
5933 EXPECT_EQ(info, info2);
5934}
5935
5936INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
5937
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5938typedef KeyMintAidlTestBase AddEntropyTest;
5939
5940/*
5941 * AddEntropyTest.AddEntropy
5942 *
5943 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
5944 * is actually added.
5945 */
5946TEST_P(AddEntropyTest, AddEntropy) {
5947 string data = "foo";
5948 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
5949}
5950
5951/*
5952 * AddEntropyTest.AddEmptyEntropy
5953 *
5954 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
5955 */
5956TEST_P(AddEntropyTest, AddEmptyEntropy) {
5957 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
5958}
5959
5960/*
5961 * AddEntropyTest.AddLargeEntropy
5962 *
5963 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
5964 */
5965TEST_P(AddEntropyTest, AddLargeEntropy) {
5966 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
5967}
5968
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]5969/*
5970 * AddEntropyTest.AddTooLargeEntropy
5971 *
5972 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
5973 */
5974TEST_P(AddEntropyTest, AddTooLargeEntropy) {
5975 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
5976 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
5977}
5978
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5979INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
5980
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5981typedef KeyMintAidlTestBase KeyDeletionTest;
5982
5983/**
5984 * KeyDeletionTest.DeleteKey
5985 *
5986 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
5987 * valid key blob.
5988 */
5989TEST_P(KeyDeletionTest, DeleteKey) {
5990 auto error = GenerateKey(AuthorizationSetBuilder()
5991 .RsaSigningKey(2048, 65537)
5992 .Digest(Digest::NONE)
5993 .Padding(PaddingMode::NONE)
5994 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]5995 .Authorization(TAG_ROLLBACK_RESISTANCE)
5996 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5997 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
5998
5999 // Delete must work if rollback protection is implemented
6000 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]6001 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6002 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
6003
6004 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
6005
6006 string message = "12345678901234567890123456789012";
6007 AuthorizationSet begin_out_params;
6008 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
6009 Begin(KeyPurpose::SIGN, key_blob_,
6010 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
6011 &begin_out_params));
6012 AbortIfNeeded();
6013 key_blob_ = AidlBuf();
6014 }
6015}
6016
6017/**
6018 * KeyDeletionTest.DeleteInvalidKey
6019 *
6020 * This test checks that the HAL excepts invalid key blobs..
6021 */
6022TEST_P(KeyDeletionTest, DeleteInvalidKey) {
6023 // Generate key just to check if rollback protection is implemented
6024 auto error = GenerateKey(AuthorizationSetBuilder()
6025 .RsaSigningKey(2048, 65537)
6026 .Digest(Digest::NONE)
6027 .Padding(PaddingMode::NONE)
6028 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]6029 .Authorization(TAG_ROLLBACK_RESISTANCE)
6030 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6031 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
6032
6033 // Delete must work if rollback protection is implemented
6034 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]6035 AuthorizationSet enforced(SecLevelAuthorizations());
6036 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6037
6038 // Delete the key we don't care about the result at this point.
6039 DeleteKey();
6040
6041 // Now create an invalid key blob and delete it.
6042 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
6043
6044 ASSERT_EQ(ErrorCode::OK, DeleteKey());
6045 }
6046}
6047
6048/**
6049 * KeyDeletionTest.DeleteAllKeys
6050 *
6051 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
6052 *
6053 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
6054 * FBE/FDE encryption keys, which means that the device will not even boot until after the
6055 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
6056 * been provisioned. Use this test only on dedicated testing devices that have no valuable
6057 * credentials stored in Keystore/Keymint.
6058 */
6059TEST_P(KeyDeletionTest, DeleteAllKeys) {
6060 if (!arm_deleteAllKeys) return;
6061 auto error = GenerateKey(AuthorizationSetBuilder()
6062 .RsaSigningKey(2048, 65537)
6063 .Digest(Digest::NONE)
6064 .Padding(PaddingMode::NONE)
6065 .Authorization(TAG_NO_AUTH_REQUIRED)
6066 .Authorization(TAG_ROLLBACK_RESISTANCE));
6067 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
6068
6069 // Delete must work if rollback protection is implemented
6070 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]6071 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6072 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
6073
6074 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
6075
6076 string message = "12345678901234567890123456789012";
6077 AuthorizationSet begin_out_params;
6078
6079 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
6080 Begin(KeyPurpose::SIGN, key_blob_,
6081 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
6082 &begin_out_params));
6083 AbortIfNeeded();
6084 key_blob_ = AidlBuf();
6085 }
6086}
6087
6088INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
6089
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6090typedef KeyMintAidlTestBase KeyUpgradeTest;
6091
6092/**
6093 * KeyUpgradeTest.UpgradeInvalidKey
6094 *
6095 * This test checks that the HAL excepts invalid key blobs..
6096 */
6097TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
6098 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
6099
6100 std::vector<uint8_t> new_blob;
6101 Status result = keymint_->upgradeKey(key_blob,
6102 AuthorizationSetBuilder()
6103 .Authorization(TAG_APPLICATION_ID, "clientid")
6104 .Authorization(TAG_APPLICATION_DATA, "appdata")
6105 .vector_data(),
6106 &new_blob);
6107 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
6108}
6109
6110INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
6111
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6112using UpgradeKeyTest = KeyMintAidlTestBase;
6113
6114/*
6115 * UpgradeKeyTest.UpgradeKey
6116 *
6117 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
6118 */
6119TEST_P(UpgradeKeyTest, UpgradeKey) {
6120 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6121 .AesEncryptionKey(128)
6122 .Padding(PaddingMode::NONE)
6123 .Authorization(TAG_NO_AUTH_REQUIRED)));
6124
6125 auto result = UpgradeKey(key_blob_);
6126
6127 // Key doesn't need upgrading. Should get okay, but no new key blob.
6128 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
6129}
6130
6131INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
6132
6133using ClearOperationsTest = KeyMintAidlTestBase;
6134
6135/*
6136 * ClearSlotsTest.TooManyOperations
6137 *
6138 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
6139 * operations are started without being finished or aborted. Also verifies
6140 * that aborting the operations clears the operations.
6141 *
6142 */
6143TEST_P(ClearOperationsTest, TooManyOperations) {
6144 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6145 .Authorization(TAG_NO_AUTH_REQUIRED)
6146 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6147 .Padding(PaddingMode::NONE)
6148 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6149
6150 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
6151 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]6152 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6153 AuthorizationSet out_params;
6154 ErrorCode result;
6155 size_t i;
6156
6157 for (i = 0; i < max_operations; i++) {
6158 result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
6159 if (ErrorCode::OK != result) {
6160 break;
6161 }
6162 }
6163 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
6164 // Try again just in case there's a weird overflow bug
6165 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
6166 Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
6167 for (size_t j = 0; j < i; j++) {
6168 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
6169 << "Aboort failed for i = " << j << std::endl;
6170 }
6171 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
6172 AbortIfNeeded();
6173}
6174
6175INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
6176
6177typedef KeyMintAidlTestBase TransportLimitTest;
6178
6179/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6180 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6181 *
6182 * Verifies that passing input data to finish succeeds as expected.
6183 */
6184TEST_P(TransportLimitTest, LargeFinishInput) {
6185 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6186 .Authorization(TAG_NO_AUTH_REQUIRED)
6187 .AesEncryptionKey(128)
6188 .BlockMode(BlockMode::ECB)
6189 .Padding(PaddingMode::NONE)));
6190
6191 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
6192 auto cipher_params =
6193 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6194
6195 AuthorizationSet out_params;
6196 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
6197
6198 string plain_message = std::string(1 << msg_size, 'x');
6199 string encrypted_message;
6200 auto rc = Finish(plain_message, &encrypted_message);
6201
6202 EXPECT_EQ(ErrorCode::OK, rc);
6203 EXPECT_EQ(plain_message.size(), encrypted_message.size())
6204 << "Encrypt finish returned OK, but did not consume all of the given input";
6205 cipher_params.push_back(out_params);
6206
6207 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
6208
6209 string decrypted_message;
6210 rc = Finish(encrypted_message, &decrypted_message);
6211 EXPECT_EQ(ErrorCode::OK, rc);
6212 EXPECT_EQ(plain_message.size(), decrypted_message.size())
6213 << "Decrypt finish returned OK, did not consume all of the given input";
6214 }
6215}
6216
6217INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
6218
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]6219typedef KeyMintAidlTestBase KeyAgreementTest;
6220
6221int CurveToOpenSslCurveName(EcCurve curve) {
6222 switch (curve) {
6223 case EcCurve::P_224:
6224 return NID_secp224r1;
6225 case EcCurve::P_256:
6226 return NID_X9_62_prime256v1;
6227 case EcCurve::P_384:
6228 return NID_secp384r1;
6229 case EcCurve::P_521:
6230 return NID_secp521r1;
6231 }
6232}
6233
6234/*
6235 * KeyAgreementTest.Ecdh
6236 *
6237 * Verifies that ECDH works for all curves
6238 */
6239TEST_P(KeyAgreementTest, Ecdh) {
6240 // Because it's possible to use this API with keys on different curves, we
6241 // check all N^2 combinations where N is the number of supported
6242 // curves.
6243 //
6244 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
6245 // lot more curves we can be smart about things and just pick |otherCurve| so
6246 // it's not |curve| and that way we end up with only 2*N runs
6247 //
6248 for (auto curve : ValidCurves()) {
6249 for (auto localCurve : ValidCurves()) {
6250 // Generate EC key locally (with access to private key material)
6251 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
6252 int curveName = CurveToOpenSslCurveName(localCurve);
6253 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
6254 ASSERT_NE(group, nullptr);
6255 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
6256 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
6257 auto pkey = EVP_PKEY_Ptr(EVP_PKEY_new());
6258 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(pkey.get(), ecKey.get()), 1);
6259
6260 // Get encoded form of the public part of the locally generated key...
6261 unsigned char* p = nullptr;
6262 int encodedPublicKeySize = i2d_PUBKEY(pkey.get(), &p);
6263 ASSERT_GT(encodedPublicKeySize, 0);
6264 vector<uint8_t> encodedPublicKey(
6265 reinterpret_cast<const uint8_t*>(p),
6266 reinterpret_cast<const uint8_t*>(p + encodedPublicKeySize));
6267 OPENSSL_free(p);
6268
6269 // Generate EC key in KeyMint (only access to public key material)
6270 vector<uint8_t> challenge = {0x41, 0x42};
6271 EXPECT_EQ(
6272 ErrorCode::OK,
6273 GenerateKey(AuthorizationSetBuilder()
6274 .Authorization(TAG_NO_AUTH_REQUIRED)
6275 .Authorization(TAG_EC_CURVE, curve)
6276 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
6277 .Authorization(TAG_ALGORITHM, Algorithm::EC)
6278 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6279 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
6280 .SetDefaultValidity()))
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]6281 << "Failed to generate key";
6282 ASSERT_GT(cert_chain_.size(), 0);
6283 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
6284 ASSERT_NE(kmKeyCert, nullptr);
6285 // Check that keyAgreement (bit 4) is set in KeyUsage
6286 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
6287 auto kmPkey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
6288 ASSERT_NE(kmPkey, nullptr);
6289 if (dump_Attestations) {
6290 for (size_t n = 0; n < cert_chain_.size(); n++) {
6291 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
6292 }
6293 }
6294
6295 // Now that we have the two keys, we ask KeyMint to perform ECDH...
6296 if (curve != localCurve) {
6297 // If the keys are using different curves KeyMint should fail with
6298 // ErrorCode:INVALID_ARGUMENT. Check that.
6299 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
6300 string ZabFromKeyMintStr;
6301 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
6302 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
6303 &ZabFromKeyMintStr));
6304
6305 } else {
6306 // Otherwise if the keys are using the same curve, it should work.
6307 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
6308 string ZabFromKeyMintStr;
6309 EXPECT_EQ(ErrorCode::OK,
6310 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
6311 &ZabFromKeyMintStr));
6312 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
6313
6314 // Perform local ECDH between the two keys so we can check if we get the same Zab..
6315 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(pkey.get(), nullptr));
6316 ASSERT_NE(ctx, nullptr);
6317 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
6318 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPkey.get()), 1);
6319 size_t ZabFromTestLen = 0;
6320 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
6321 vector<uint8_t> ZabFromTest;
6322 ZabFromTest.resize(ZabFromTestLen);
6323 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
6324
6325 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
6326 }
6327
6328 CheckedDeleteKey();
6329 }
6330 }
6331}
6332
6333INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
6334
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6335using DestroyAttestationIdsTest = KeyMintAidlTestBase;
6336
6337// This is a problematic test, as it can render the device under test permanently unusable.
6338// Re-enable and run at your own risk.
6339TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
6340 auto result = DestroyAttestationIds();
6341 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
6342}
6343
6344INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
6345
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6346using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6347
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6348/*
6349 * EarlyBootKeyTest.CreateEarlyBootKeys
6350 *
6351 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
6352 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6353TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6354 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6355 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6356 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
6357
6358 CheckedDeleteKey(&aesKeyData.blob);
6359 CheckedDeleteKey(&hmacKeyData.blob);
6360 CheckedDeleteKey(&rsaKeyData.blob);
6361 CheckedDeleteKey(&ecdsaKeyData.blob);
6362}
6363
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]6364/*
6365 * EarlyBootKeyTest.UsetEarlyBootKeyFailure
6366 *
6367 * Verifies that using early boot keys at a later stage fails.
6368 */
6369TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
6370 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6371 .Authorization(TAG_NO_AUTH_REQUIRED)
6372 .Authorization(TAG_EARLY_BOOT_ONLY)
6373 .HmacKey(128)
6374 .Digest(Digest::SHA_2_256)
6375 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
6376 AuthorizationSet output_params;
6377 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
6378 AuthorizationSetBuilder()
6379 .Digest(Digest::SHA_2_256)
6380 .Authorization(TAG_MAC_LENGTH, 256),
6381 &output_params));
6382}
6383
6384/*
6385 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
6386 *
6387 * Verifies that importing early boot keys fails.
6388 */
6389TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
6390 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
6391 .Authorization(TAG_NO_AUTH_REQUIRED)
6392 .Authorization(TAG_EARLY_BOOT_ONLY)
6393 .EcdsaSigningKey(256)
6394 .Digest(Digest::SHA_2_256)
6395 .SetDefaultValidity(),
6396 KeyFormat::PKCS8, ec_256_key));
6397}
6398
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6399// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6400// boot stage, which no proper Android device is by the time we can run VTS. To use this,
6401// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
6402// early boot, so you'll have to reboot between runs.
6403TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
6404 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6405 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
6406 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
6407 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6408 EXPECT_TRUE(
6409 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6410 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6411 EXPECT_TRUE(
6412 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
6413
6414 // Should be able to use keys, since early boot has not ended
6415 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
6416 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
6417 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
6418 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
6419
6420 // End early boot
6421 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
6422 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
6423
6424 // Should not be able to use already-created keys.
6425 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
6426 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
6427 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
6428 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
6429
6430 CheckedDeleteKey(&aesKeyData.blob);
6431 CheckedDeleteKey(&hmacKeyData.blob);
6432 CheckedDeleteKey(&rsaKeyData.blob);
6433 CheckedDeleteKey(&ecdsaKeyData.blob);
6434
6435 // Should not be able to create new keys
6436 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
6437 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
6438
6439 CheckedDeleteKey(&aesKeyData.blob);
6440 CheckedDeleteKey(&hmacKeyData.blob);
6441 CheckedDeleteKey(&rsaKeyData.blob);
6442 CheckedDeleteKey(&ecdsaKeyData.blob);
6443}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6444
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6445INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
6446
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6447using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6448
6449// This may be a problematic test. It can't be run repeatedly without unlocking the device in
6450// between runs... and on most test devices there are no enrolled credentials so it can't be
6451// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
6452// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
6453// a manual test process, which includes unlocking between runs, which is why it's included here.
6454// Well, that and the fact that it's the only test we can do without also making calls into the
6455// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
6456// implications might be, so that may or may not be a solution.
6457TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
6458 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
6459 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
6460
6461 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
6462 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
6463 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
6464 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
6465
6466 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6467 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6468 ASSERT_EQ(ErrorCode::OK, rc);
6469 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
6470 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
6471 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
6472 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
6473
6474 CheckedDeleteKey(&aesKeyData.blob);
6475 CheckedDeleteKey(&hmacKeyData.blob);
6476 CheckedDeleteKey(&rsaKeyData.blob);
6477 CheckedDeleteKey(&ecdsaKeyData.blob);
6478}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]6479
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]6480INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
6481
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]6482} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6483
6484int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6485 std::cout << "Testing ";
6486 auto halInstances =
6487 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
6488 std::cout << "HAL instances:\n";
6489 for (auto& entry : halInstances) {
6490 std::cout << " " << entry << '\n';
6491 }
6492
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6493 ::testing::InitGoogleTest(&argc, argv);
6494 for (int i = 1; i < argc; ++i) {
6495 if (argv[i][0] == '-') {
6496 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6497 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
6498 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6499 }
6500 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]6501 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
6502 dump_Attestations = true;
6503 } else {
6504 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6505 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]6506 // TODO(drysdale): Remove this flag when available KeyMint devices comply with spec
6507 if (std::string(argv[i]) == "--check_patchLevels") {
6508 aidl::android::hardware::security::keymint::test::check_patchLevels = true;
6509 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6510 }
6511 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]6512 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6513}