Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / b809329dc7eafbee0a94059506fd189fc38ea73c / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 384c13542b0cbd48b07d0f9083d26468e034c650 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]21
22#include <algorithm>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]23#include <iostream>
24
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]25#include <openssl/curve25519.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27#include <openssl/evp.h>
28#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]29#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]30
31#include <cutils/properties.h>
32
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]33#include <android/binder_manager.h>
34
35#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]36#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]37
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]38#include <keymint_support/key_param_output.h>
39#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]40
41#include "KeyMintAidlTestBase.h"
42
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]43using aidl::android::hardware::security::keymint::AuthorizationSet;
44using aidl::android::hardware::security::keymint::KeyCharacteristics;
45using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]46
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]47namespace std {
48
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]49using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]50
51template <>
52struct std::equal_to<KeyCharacteristics> {
53 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]54 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]55
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]56 // this isn't very efficient. Oh, well.
57 AuthorizationSet a_auths(a.authorizations);
58 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]59
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]60 a_auths.Sort();
61 b_auths.Sort();
62
63 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]64 }
65};
66
67} // namespace std
68
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]69namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]70
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]71namespace {
72
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]73// Maximum supported Ed25519 message size.
74const size_t MAX_ED25519_MSG_SIZE = 16 * 1024;
75
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]76// Whether to check that BOOT_PATCHLEVEL is populated.
77bool check_boot_pl = true;
78
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]79// The maximum number of times we'll attempt to verify that corruption
David Drysdale4c1f6ac2021-11-25 16:08:29 +0000[diff] [blame]80// of an encrypted blob results in an error. Retries are necessary as there
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]81// is a small (roughly 1/256) chance that corrupting ciphertext still results
82// in valid PKCS7 padding.
83constexpr size_t kMaxPaddingCorruptionRetries = 8;
84
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]85template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]86bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
87 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]88 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]89 if (auto p = authorizationValue(ttag, param)) {
90 return *p == expected_value;
91 }
92 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]93 });
94 return (it != set.end());
95}
96
97template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]98bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]99 auto it = std::find_if(set.begin(), set.end(),
100 [&](const KeyParameter& param) { return param.tag == tag; });
101 return (it != set.end());
102}
103
104constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
106 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
107 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
108 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
109 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
110 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
111 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
112 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
113 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
114 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
115 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
116 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
117 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
118 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
119 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
120
121string hex2str(string a) {
122 string b;
123 size_t num = a.size() / 2;
124 b.resize(num);
125 for (size_t i = 0; i < num; i++) {
126 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
127 }
128 return b;
129}
130
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]131string rsa_key = hex2str(
132 // RFC 5208 s5
133 "30820275" // SEQUENCE length 0x275 (PrivateKeyInfo) {
134 "020100" // INTEGER length 1 value 0x00 (version)
135 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
136 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
137 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
138 "0500" // NULL (parameters)
139 // } end SEQUENCE (AlgorithmIdentifier)
140 "0482025f" // OCTET STRING length 0x25f (privateKey) holding...
141 // RFC 8017 A.1.2
142 "3082025b" // SEQUENCE length 0x25b (RSAPrivateKey) {
143 "020100" // INTEGER length 1 value 0x00 (version)
144 "028181" // INTEGER length 0x81 value (modulus) ...
145 "00c6095409047d8634812d5a218176e4"
146 "5c41d60a75b13901f234226cffe77652"
147 "1c5a77b9e389417b71c0b6a44d13afe4"
148 "e4a2805d46c9da2935adb1ff0c1f24ea"
149 "06e62b20d776430a4d435157233c6f91"
150 "6783c30e310fcbd89b85c2d567711697"
151 "85ac12bca244abda72bfb19fc44d27c8"
152 "1e1d92de284f4061edfd99280745ea6d"
153 "25"
154 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
155 "028180" // INTEGER length 0x80 (privateExponent) value...
156 "1be0f04d9cae3718691f035338308e91"
157 "564b55899ffb5084d2460e6630257e05"
158 "b3ceab02972dfabcd6ce5f6ee2589eb6"
159 "7911ed0fac16e43a444b8c861e544a05"
160 "93365772f8baf6b22fc9e3c5f1024b06"
161 "3ac080a7b2234cf8aee8f6c47bbf4fd3"
162 "ace7240290bef16c0b3f7f3cdd64ce3a"
163 "b5912cf6e32f39ab188358afcccd8081"
164 "0241" // INTEGER length 0x41 (prime1)
165 "00e4b49ef50f765d3b24dde01aceaaf1"
166 "30f2c76670a91a61ae08af497b4a82be"
167 "6dee8fcdd5e3f7ba1cfb1f0c926b88f8"
168 "8c92bfab137fba2285227b83c342ff7c"
169 "55"
170 "0241" // INTEGER length 0x41 (prime2)
171 "00ddabb5839c4c7f6bf3d4183231f005"
172 "b31aa58affdda5c79e4cce217f6bc930"
173 "dbe563d480706c24e9ebfcab28a6cdef"
174 "d324b77e1bf7251b709092c24ff501fd"
175 "91"
176 "0240" // INTEGER length 0x40 (exponent1)
177 "23d4340eda3445d8cd26c14411da6fdc"
178 "a63c1ccd4b80a98ad52b78cc8ad8beb2"
179 "842c1d280405bc2f6c1bea214a1d742a"
180 "b996b35b63a82a5e470fa88dbf823cdd"
181 "0240" // INTEGER length 0x40 (exponent2)
182 "1b7b57449ad30d1518249a5f56bb9829"
183 "4d4b6ac12ffc86940497a5a5837a6cf9"
184 "46262b494526d328c11e1126380fde04"
185 "c24f916dec250892db09a6d77cdba351"
186 "0240" // INTEGER length 0x40 (coefficient)
187 "7762cd8f4d050da56bd591adb515d24d"
188 "7ccd32cca0d05f866d583514bd7324d5"
189 "f33645e8ed8b4a1cb3cc4a1d67987399"
190 "f2a09f5b3fb68c88d5e5d90ac33492d6"
191 // } end SEQUENCE (PrivateKey)
192 // } end SEQUENCE (PrivateKeyInfo)
193);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]194
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]195/*
196 * DER-encoded PKCS#8 format RSA key. Generated using:
197 *
198 * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | hexdump -e '30/1 "%02X" "\n"'
199 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]200string rsa_2048_key = hex2str(
201 // RFC 5208 s5
202 "308204BD" // SEQUENCE length 0x4bd (PrivateKeyInfo) {
203 "020100" // INTEGER length 1 value 0x00 (version)
204 "300D" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
205 "0609" // OBJECT IDENTIFIER length 9 (algorithm)
206 "2A864886F70D010101" // 1.2.840.113549.1.1.1 (rsaEncryption)
207 "0500" // NULL (parameters)
208 // } end SEQUENCE (AlgorithmIdentifier)
209 "048204A7" // OCTET STRING length 0x25f (privateKey) holding...
210 // RFC 8017 A.1.2
211 "308204A3" // SEQUENCE length 0x4a3 (RSAPrivateKey) {
212 "020100" // INTEGER length 1 value 0x00 (version)
213 "02820101" // INTEGER length 0x101 value (modulus) ...
214 "00BEBC342B56D443B1299F9A6A7056E8"
215 "0A897E318476A5A18029E63B2ED739A6"
216 "1791D339F58DC763D9D14911F2EDEC38"
217 "3DEE11F6319B44510E7A3ECD9B79B973"
218 "82E49500ACF8117DC89CAF0E621F7775"
219 "6554A2FD4664BFE7AB8B59AB48340DBF"
220 "A27B93B5A81F6ECDEB02D0759307128D"
221 "F3E3BAD4055C8B840216DFAA5700670E"
222 "6C5126F0962FCB70FF308F25049164CC"
223 "F76CC2DA66A7DD9A81A714C2809D6918"
224 "6133D29D84568E892B6FFBF3199BDB14"
225 "383EE224407F190358F111A949552ABA"
226 "6714227D1BD7F6B20DD0CB88F9467B71"
227 "9339F33BFF35B3870B3F62204E4286B0"
228 "948EA348B524544B5F9838F29EE643B0"
229 "79EEF8A713B220D7806924CDF7295070"
230 "C5"
231 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
232 "02820100" // INTEGER length 0x100 (privateExponent) value...
233 "69F377F35F2F584EF075353CCD1CA997"
234 "38DB3DBC7C7FF35F9366CE176DFD1B13"
235 "5AB10030344ABF5FBECF1D4659FDEF1C"
236 "0FC430834BE1BE3911951377BB3D563A"
237 "2EA9CA8F4AD9C48A8CE6FD516A735C66"
238 "2686C7B4B3C09A7B8354133E6F93F790"
239 "D59EAEB92E84C9A4339302CCE28FDF04"
240 "CCCAFA7DE3F3A827D4F6F7D38E68B0EC"
241 "6AB706645BF074A4E4090D06FB163124"
242 "365FD5EE7A20D350E9958CC30D91326E"
243 "1B292E9EF5DB408EC42DAF737D201497"
244 "04D0A678A0FB5B5446863B099228A352"
245 "D604BA8091A164D01D5AB05397C71EAD"
246 "20BE2A08FC528FE442817809C787FEE4"
247 "AB97F97B9130D022153EDC6EB6CBE7B0"
248 "F8E3473F2E901209B5DB10F93604DB01"
249 "028181" // INTEGER length 0x81 (prime1)
250 "00E83C0998214941EA4F9293F1B77E2E"
251 "99E6CF305FAF358238E126124FEAF2EB"
252 "9724B2EA7B78E6032343821A80E55D1D"
253 "88FB12D220C3F41A56142FEC85796D19"
254 "17F1E8C774F142B67D3D6E7B7E6B4383"
255 "E94DB5929089DBB346D5BDAB40CC2D96"
256 "EE0409475E175C63BF78CFD744136740"
257 "838127EA723FF3FE7FA368C1311B4A4E"
258 "05"
259 "028181" // INTEGER length 0x81 (prime2)
260 "00D240FCC0F5D7715CDE21CB2DC86EA1"
261 "46132EA3B06F61FF2AF54BF38473F59D"
262 "ADCCE32B5F4CC32DD0BA6F509347B4B5"
263 "B1B58C39F95E4798CCBB43E83D0119AC"
264 "F532F359CA743C85199F0286610E2009"
265 "97D7312917179AC9B67558773212EC96"
266 "1E8BCE7A3CC809BC5486A96E4B0E6AF3"
267 "94D94E066A0900B7B70E82A44FB30053"
268 "C1"
269 "028181" // INTEGER length 0x81 (exponent1)
270 "00AD15DA1CBD6A492B66851BA8C316D3"
271 "8AB700E2CFDDD926A658003513C54BAA"
272 "152B30021D667D20078F500F8AD3E7F3"
273 "945D74A891ED1A28EAD0FEEAEC8C14A8"
274 "E834CF46A13D1378C99D18940823CFDD"
275 "27EC5810D59339E0C34198AC638E09C8"
276 "7CBB1B634A9864AE9F4D5EB2D53514F6"
277 "7B4CAEC048C8AB849A02E397618F3271"
278 "35"
279 "028180" // INTEGER length 0x80 (exponent2)
280 "1FA2C1A5331880A92D8F3E281C617108"
281 "BF38244F16E352E69ED417C7153F9EC3"
282 "18F211839C643DCF8B4DD67CE2AC312E"
283 "95178D5D952F06B1BF779F4916924B70"
284 "F582A23F11304E02A5E7565AE22A35E7"
285 "4FECC8B6FDC93F92A1A37703E4CF0E63"
286 "783BD02EB716A7ECBBFA606B10B74D01"
287 "579522E7EF84D91FC522292108D902C1"
288 "028180" // INTEGER length 0x80 (coefficient)
289 "796FE3825F9DCC85DF22D58690065D93"
290 "898ACD65C087BEA8DA3A63BF4549B795"
291 "E2CD0E3BE08CDEBD9FCF1720D9CDC507"
292 "0D74F40DED8E1102C52152A31B6165F8"
293 "3A6722AECFCC35A493D7634664B888A0"
294 "8D3EB034F12EA28BFEE346E205D33482"
295 "7F778B16ED40872BD29FCB36536B6E93"
296 "FFB06778696B4A9D81BB0A9423E63DE5"
297 // } end SEQUENCE (PrivateKey)
298 // } end SEQUENCE (PrivateKeyInfo)
299);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]300
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]301string ec_256_key = hex2str(
302 // RFC 5208 s5
303 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
304 "020100" // INTEGER length 1 value 0 (version)
305 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
306 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
307 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
308 "0608" // OBJECT IDENTIFIER length 8 (param)
309 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
310 // } end SEQUENCE (AlgorithmIdentifier)
311 "046d" // OCTET STRING length 0x6d (privateKey) holding...
312 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
313 "020101" // INTEGER length 1 value 1 (version)
314 "0420" // OCTET STRING length 0x20 (privateKey)
315 "737c2ecd7b8d1940bf2930aa9b4ed3ff"
316 "941eed09366bc03299986481f3a4d859"
317 "a144" // TAG [1] len 0x44 (publicKey) {
318 "03420004bf85d7720d07c25461683bc6"
319 "48b4778a9a14dd8a024e3bdd8c7ddd9a"
320 "b2b528bbc7aa1b51f14ebbbb0bd0ce21"
321 "bcc41c6eb00083cf3376d11fd44949e0"
322 "b2183bfe"
323 // } end SEQUENCE (ECPrivateKey)
324 // } end SEQUENCE (PrivateKeyInfo)
325);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]326
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]327string ec_521_key = hex2str(
328 // RFC 5208 s5
329 "3081EE" // SEQUENCE length 0xee (PrivateKeyInfo) {
330 "020100" // INTEGER length 1 value 0 (version)
331 "3010" // SEQUENCE length 0x10 (AlgorithmIdentifier) {
332 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
333 "2A8648CE3D0201" // 1.2.840.10045.2.1 (ecPublicKey)
334 "0605" // OBJECT IDENTIFIER length 5 (param)
335 "2B81040023" // 1.3.132.0.35 (secp521r1)
336 // } end SEQUENCE (AlgorithmIdentifier)
337 "0481D6" // OCTET STRING length 0xd6 (privateKey) holding...
338 "3081D3" // SEQUENCE length 0xd3 (ECPrivateKey)
339 "020101" // INTEGER length 1 value 1 (version)
340 "0442" // OCTET STRING length 0x42 (privateKey)
341 "0011458C586DB5DAA92AFAB03F4FE46A"
342 "A9D9C3CE9A9B7A006A8384BEC4C78E8E"
343 "9D18D7D08B5BCFA0E53C75B064AD51C4"
344 "49BAE0258D54B94B1E885DED08ED4FB2"
345 "5CE9"
346 "A18189" // TAG [1] len 0x89 (publicKey) {
347 "03818600040149EC11C6DF0FA122C6A9"
348 "AFD9754A4FA9513A627CA329E349535A"
349 "5629875A8ADFBE27DCB932C051986377"
350 "108D054C28C6F39B6F2C9AF81802F9F3"
351 "26B842FF2E5F3C00AB7635CFB36157FC"
352 "0882D574A10D839C1A0C049DC5E0D775"
353 "E2EE50671A208431BB45E78E70BEFE93"
354 "0DB34818EE4D5C26259F5C6B8E28A652"
355 "950F9F88D7B4B2C9D9"
356 // } end SEQUENCE (ECPrivateKey)
357 // } end SEQUENCE (PrivateKeyInfo)
358);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]359
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]360string ec_256_key_rfc5915 = hex2str(
361 // RFC 5208 s5
362 "308193" // SEQUENCE length 0x93 (PrivateKeyInfo) {
363 "020100" // INTEGER length 1 value 0 (version)
364 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
365 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
366 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
367 "0608" // OBJECT IDENTIFIER length 8 (param)
368 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
369 // } end SEQUENCE (AlgorithmIdentifier)
370 "0479" // OCTET STRING length 0x79 (privateKey) holding...
371 // RFC 5915 s3
372 "3077" // SEQUENCE length 0x77 (ECPrivateKey)
373 "020101" // INTEGER length 1 value 1 (version)
374 "0420" // OCTET STRING length 0x42 (privateKey)
375 "782370a8c8ce5537baadd04dcff079c8"
376 "158cfa9c67b818b38e8d21c9fa750c1d"
377 "a00a" // TAG [0] length 0xa (parameters)
378 "0608" // OBJECT IDENTIFIER length 8
379 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
380 // } end TAG [0]
381 "a144" // TAG [1] length 0x44 (publicKey) {
382 "0342" // BIT STRING length 0x42
383 "00" // no pad bits
384 "04e2cc561ee701da0ad0ef0d176bb0c9"
385 "19d42e79c393fdc1bd6c4010d85cf2cf"
386 "8e68c905464666f98dad4f01573ba810"
387 "78b3428570a439ba3229fbc026c55068"
388 "2f"
389 // } end SEQUENCE (ECPrivateKey)
390 // } end SEQUENCE (PrivateKeyInfo)
391);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]392
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]393string ec_256_key_sec1 = hex2str(
394 // RFC 5208 s5
395 "308187" // SEQUENCE length 0x87 (PrivateKeyInfo) {
396 "020100" // INTEGER length 1 value 0 (version)
397 "3013" // SEQUENCE length 0x13 (AlgorithmIdentifier) {
398 "0607" // OBJECT IDENTIFIER length 7 (algorithm)
399 "2a8648ce3d0201" // 1.2.840.10045.2.1 (ecPublicKey)
400 "0608" // OBJECT IDENTIFIER length 8 (param)
401 "2a8648ce3d030107" // 1.2.840.10045.3.1.7 (secp256r1)
402 // } end SEQUENCE (AlgorithmIdentifier)
403 "046d" // OCTET STRING length 0x6d (privateKey) holding...
404 // SEC1-v2 C.4
405 "306b" // SEQUENCE length 0x6b (ECPrivateKey)
406 "020101" // INTEGER length 1 value 0x01 (version)
407 "0420" // OCTET STRING length 0x20 (privateKey)
408 "782370a8c8ce5537baadd04dcff079c8"
409 "158cfa9c67b818b38e8d21c9fa750c1d"
410 "a144" // TAG [1] length 0x44 (publicKey) {
411 "0342" // BIT STRING length 0x42
412 "00" // no pad bits
413 "04e2cc561ee701da0ad0ef0d176bb0c9"
414 "19d42e79c393fdc1bd6c4010d85cf2cf"
415 "8e68c905464666f98dad4f01573ba810"
416 "78b3428570a439ba3229fbc026c55068"
417 "2f"
418 // } end TAG [1] (publicKey)
419 // } end SEQUENCE (PrivateKeyInfo)
420);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]421
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]422/**
423 * Ed25519 key pair generated as follows:
424 * ```
425 * % openssl req -x509 -newkey ED25519 -days 700 -nodes \
426 * -keyout ed25519_priv.key -out ed25519.pem * -subj "/CN=fake.ed25519.com"
427 * Generating a ED25519 private key writing new private key to
428 * 'ed25519_priv.key'
429 * -----
430 * % cat ed25519_priv.key
431 * -----BEGIN PRIVATE KEY-----
432 * MC4CAQAwBQYDK2VwBCIEIKl3A5quNywcj1P+0XI9SBalFPIvO52NxceMLRH6dVmR
433 * -----END PRIVATE KEY-----
434 * % der2ascii -pem -i ed25519_priv.key
435 * SEQUENCE {
436 * INTEGER { 0 }
437 * SEQUENCE {
438 * # ed25519
439 * OBJECT_IDENTIFIER { 1.3.101.112 }
440 * }
441 * OCTET_STRING {
442 * OCTET_STRING { `a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991` }
443 * }
444 * }
445 * % cat ed25519.pem
446 * -----BEGIN CERTIFICATE-----
447 * MIIBSjCB/aADAgECAhR0Jron3eKcdgqyecv/eEfGWAzn8DAFBgMrZXAwGzEZMBcG
448 * A1UEAwwQZmFrZS5lZDI1NTE5LmNvbTAeFw0yMTEwMjAwODI3NDJaFw0yMzA5MjAw
449 * ODI3NDJaMBsxGTAXBgNVBAMMEGZha2UuZWQyNTUxOS5jb20wKjAFBgMrZXADIQDv
450 * uwHz+3TaQ69D2digxlz0fFfsZg0rPqgQae3jBPRWkaNTMFEwHQYDVR0OBBYEFN9O
451 * od30SY4JTs66ZR403UPya+iXMB8GA1UdIwQYMBaAFN9Ood30SY4JTs66ZR403UPy
452 * a+iXMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAKjVrYQjuE/gEL2j/ABpDbFjV
453 * Ilg5tJ6MN/P3psAv3Cs7f0X1lFqdlt15nJ/6aj2cmGCwNRXt5wcyYDKNu+v2Dw==
454 * -----END CERTIFICATE-----
455 * % openssl x509 -in ed25519.pem -text -noout
456 * Certificate:
457 * Data:
458 * Version: 3 (0x2)
459 * Serial Number:
460 * 74:26:ba:27:dd:e2:9c:76:0a:b2:79:cb:ff:78:47:c6:58:0c:e7:f0
461 * Signature Algorithm: ED25519
462 * Issuer: CN = fake.ed25519.com
463 * Validity
464 * Not Before: Oct 20 08:27:42 2021 GMT
465 * Not After : Sep 20 08:27:42 2023 GMT
466 * Subject: CN = fake.ed25519.com
467 * Subject Public Key Info:
468 * Public Key Algorithm: ED25519
469 * ED25519 Public-Key:
470 * pub:
471 * ef:bb:01:f3:fb:74:da:43:af:43:d9:d8:a0:c6:5c:
472 * f4:7c:57:ec:66:0d:2b:3e:a8:10:69:ed:e3:04:f4:
473 * 56:91
474 * X509v3 extensions:
475 * X509v3 Subject Key Identifier:
476 * DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
477 * X509v3 Authority Key Identifier:
478 * keyid:DF:4E:A1:DD:F4:49:8E:09:4E:CE:BA:65:1E:34:DD:43:F2:6B:E8:97
479 *
480 * X509v3 Basic Constraints: critical
481 * CA:TRUE
482 * Signature Algorithm: ED25519
483 * 2a:35:6b:61:08:ee:13:f8:04:2f:68:ff:00:1a:43:6c:58:d5:
484 * 22:58:39:b4:9e:8c:37:f3:f7:a6:c0:2f:dc:2b:3b:7f:45:f5:
485 * 94:5a:9d:96:dd:79:9c:9f:fa:6a:3d:9c:98:60:b0:35:15:ed:
486 * e7:07:32:60:32:8d:bb:eb:f6:0f
487 * ```
488 */
489string ed25519_key = hex2str("a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991");
490string ed25519_pkcs8_key = hex2str(
491 // RFC 5208 s5
492 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
493 "0201" // INTEGER length 1 (Version)
494 "00" // version 0
495 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
496 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
497 "2b6570" // 1.3.101.112 (id-Ed125519 RFC 8410 s3)
498 // } end SEQUENCE (AlgorithmIdentifier)
499 "0422" // OCTET STRING length 0x22 (PrivateKey)
500 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
501 "a977039aae372c1c8f53fed1723d4816a514f22f3b9d8dc5c78c2d11fa755991"
502 // } end SEQUENCE (PrivateKeyInfo)
503);
504string ed25519_pubkey = hex2str("efbb01f3fb74da43af43d9d8a0c65cf47c57ec660d2b3ea81069ede304f45691");
505
506/**
507 * X25519 key pair generated as follows:
508 * ```
509 * % openssl genpkey -algorithm X25519 > x25519_priv.key
510 * % cat x25519_priv.key
511 * -----BEGIN PRIVATE KEY-----
512 * MC4CAQAwBQYDK2VuBCIEIGgPwF3NLwQx/Sfwr2nfJvXitwlDNh3Skzh+TISN/y1C
513 * -----END PRIVATE KEY-----
514 * % der2ascii -pem -i x25519_priv.key
515 * SEQUENCE {
516 * INTEGER { 0 }
517 * SEQUENCE {
518 * # x25519
519 * OBJECT_IDENTIFIER { 1.3.101.110 }
520 * }
521 * OCTET_STRING {
522 * OCTET_STRING { `680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42` }
523 * }
524 * }
525 * ```
526 */
527
528string x25519_key = hex2str("680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
529string x25519_pkcs8_key = hex2str(
530 // RFC 5208 s5
531 "302e" // SEQUENCE length 0x2e (PrivateKeyInfo) {
532 "0201" // INTEGER length 1 (Version)
533 "00" // version 0
534 "3005" // SEQUENCE length 05 (AlgorithmIdentifier) {
535 "0603" // OBJECT IDENTIFIER length 3 (algorithm)
536 "2b656e" // 1.3.101.110 (id-X125519 RFC 8410 s3)
537 "0422" // OCTET STRING length 0x22 (PrivateKey)
538 "0420" // OCTET STRING length 0x20 (RFC 8410 s7)
539 "680fc05dcd2f0431fd27f0af69df26f5e2b70943361dd293387e4c848dff2d42");
540string x25519_pubkey = hex2str("be46925a857f17831d6d454b9d3d36a4a30166edf80eb82b684661c3e258f768");
541
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]542struct RSA_Delete {
543 void operator()(RSA* p) { RSA_free(p); }
544};
545
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]546std::string make_string(const uint8_t* data, size_t length) {
547 return std::string(reinterpret_cast<const char*>(data), length);
548}
549
550template <size_t N>
551std::string make_string(const uint8_t (&a)[N]) {
552 return make_string(a, N);
553}
554
555class AidlBuf : public vector<uint8_t> {
556 typedef vector<uint8_t> super;
557
558 public:
559 AidlBuf() {}
560 AidlBuf(const super& other) : super(other) {}
561 AidlBuf(super&& other) : super(std::move(other)) {}
562 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
563
564 AidlBuf& operator=(const super& other) {
565 super::operator=(other);
566 return *this;
567 }
568
569 AidlBuf& operator=(super&& other) {
570 super::operator=(std::move(other));
571 return *this;
572 }
573
574 AidlBuf& operator=(const string& other) {
575 resize(other.size());
576 for (size_t i = 0; i < other.size(); ++i) {
577 (*this)[i] = static_cast<uint8_t>(other[i]);
578 }
579 return *this;
580 }
581
582 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
583};
584
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]585string device_suffix(const string& name) {
586 size_t pos = name.find('/');
587 if (pos == string::npos) {
588 return name;
589 }
590 return name.substr(pos + 1);
591}
592
593bool matching_rp_instance(const string& km_name,
594 std::shared_ptr<IRemotelyProvisionedComponent>* rp) {
595 string km_suffix = device_suffix(km_name);
596
597 vector<string> rp_names =
598 ::android::getAidlHalInstanceNames(IRemotelyProvisionedComponent::descriptor);
599 for (const string& rp_name : rp_names) {
600 // If the suffix of the RemotelyProvisionedComponent instance equals the suffix of the
601 // KeyMint instance, assume they match.
602 if (device_suffix(rp_name) == km_suffix && AServiceManager_isDeclared(rp_name.c_str())) {
603 ::ndk::SpAIBinder binder(AServiceManager_waitForService(rp_name.c_str()));
604 *rp = IRemotelyProvisionedComponent::fromBinder(binder);
605 return true;
606 }
607 }
608 return false;
609}
610
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]611} // namespace
612
613class NewKeyGenerationTest : public KeyMintAidlTestBase {
614 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]615 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]616 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]617 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]618
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]619 // Check that some unexpected tags/values are NOT present.
620 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
621 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]622 }
623
624 void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
625 AuthorizationSet auths = CheckCommonParams(keyCharacteristics);
626 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
627 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
628
629 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]630 }
631
632 AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics) {
633 // TODO(swillden): Distinguish which params should be in which auth list.
634 AuthorizationSet auths;
635 for (auto& entry : keyCharacteristics) {
636 auths.push_back(AuthorizationSet(entry.authorizations));
637 }
638 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
639
640 // Verify that App data, ROT and auth timeout are NOT included.
641 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
642 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]643 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
644
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]645 // None of the tests specify CREATION_DATETIME so check that the KeyMint implementation
646 // never adds it.
647 EXPECT_FALSE(auths.Contains(TAG_CREATION_DATETIME));
648
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]649 // Check OS details match the original hardware info.
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]650 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]651 EXPECT_TRUE(os_ver);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]652 EXPECT_EQ(*os_ver, os_version());
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]653 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]654 EXPECT_TRUE(os_pl);
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]655 EXPECT_EQ(*os_pl, os_patch_level());
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]656
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]657 // Should include vendor patchlevel.
David Drysdalef5bfa002021-09-27 17:30:41 +0100[diff] [blame]658 auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
659 EXPECT_TRUE(vendor_pl);
660 EXPECT_EQ(*vendor_pl, vendor_patch_level());
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]661
662 // Should include boot patchlevel (but there are some test scenarios where this is not
663 // possible).
664 if (check_boot_pl) {
665 auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
666 EXPECT_TRUE(boot_pl);
667 }
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]668
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]669 return auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]670 }
671};
672
673/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]674 * NewKeyGenerationTest.Aes
675 *
676 * Verifies that keymint can generate all required AES key sizes, and that the resulting keys
677 * have correct characteristics.
678 */
679TEST_P(NewKeyGenerationTest, Aes) {
680 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
681 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
682 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
683 SCOPED_TRACE(testing::Message()
684 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
685 vector<uint8_t> key_blob;
686 vector<KeyCharacteristics> key_characteristics;
687 auto builder = AuthorizationSetBuilder()
688 .AesEncryptionKey(key_size)
689 .BlockMode(block_mode)
690 .Padding(padding_mode)
691 .SetDefaultValidity();
692 if (block_mode == BlockMode::GCM) {
693 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
694 }
695 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder, &key_blob, &key_characteristics));
696
697 EXPECT_GT(key_blob.size(), 0U);
698 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]699 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]700
701 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
702
703 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::AES));
704 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
705 << "Key size " << key_size << "missing";
706
707 CheckedDeleteKey(&key_blob);
708 }
709 }
710 }
711}
712
713/*
714 * NewKeyGenerationTest.AesInvalidSize
715 *
716 * Verifies that specifying an invalid key size for AES key generation returns
717 * UNSUPPORTED_KEY_SIZE.
718 */
719TEST_P(NewKeyGenerationTest, AesInvalidSize) {
720 for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
721 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
722 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
723 SCOPED_TRACE(testing::Message()
724 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
725 vector<uint8_t> key_blob;
726 vector<KeyCharacteristics> key_characteristics;
727 auto builder = AuthorizationSetBuilder()
728 .AesEncryptionKey(key_size)
729 .BlockMode(block_mode)
730 .Padding(padding_mode)
731 .SetDefaultValidity();
732 if (block_mode == BlockMode::GCM) {
733 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
734 }
735 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
736 GenerateKey(builder, &key_blob, &key_characteristics));
737 }
738 }
739 }
740
741 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
742 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
743 vector<uint8_t> key_blob;
744 vector<KeyCharacteristics> key_characteristics;
745 // No key size specified
746 auto builder = AuthorizationSetBuilder()
747 .Authorization(TAG_ALGORITHM, Algorithm::AES)
748 .BlockMode(block_mode)
749 .Padding(padding_mode)
750 .SetDefaultValidity();
751 if (block_mode == BlockMode::GCM) {
752 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
753 }
754 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
755 GenerateKey(builder, &key_blob, &key_characteristics));
756 }
757 }
758}
759
760/*
761 * NewKeyGenerationTest.AesInvalidPadding
762 *
763 * Verifies that specifying an invalid padding on AES keys gives a failure
764 * somewhere along the way.
765 */
766TEST_P(NewKeyGenerationTest, AesInvalidPadding) {
767 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
768 for (auto block_mode : ValidBlockModes(Algorithm::AES)) {
769 for (auto padding_mode : InvalidPaddingModes(Algorithm::AES, block_mode)) {
770 SCOPED_TRACE(testing::Message()
771 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]772 auto builder = AuthorizationSetBuilder()
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]773 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]774 .AesEncryptionKey(key_size)
775 .BlockMode(block_mode)
776 .Padding(padding_mode)
777 .SetDefaultValidity();
778 if (block_mode == BlockMode::GCM) {
779 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
780 }
781
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]782 auto result = GenerateKey(builder);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]783 if (result == ErrorCode::OK) {
784 // Key creation was OK but has generated a key that cannot be used.
785 auto params =
786 AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]787 if (block_mode == BlockMode::GCM) {
788 params.Authorization(TAG_MAC_LENGTH, 128);
789 }
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]790 auto result = Begin(KeyPurpose::ENCRYPT, params);
791 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]792 result == ErrorCode::INVALID_KEY_BLOB)
793 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]794 } else {
795 // The KeyMint implementation detected that the generated key
796 // is unusable.
797 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, result);
798 }
799 }
800 }
801 }
802}
803
804/*
805 * NewKeyGenerationTest.AesGcmMissingMinMac
806 *
807 * Verifies that specifying an invalid key size for AES key generation returns
808 * UNSUPPORTED_KEY_SIZE.
809 */
810TEST_P(NewKeyGenerationTest, AesGcmMissingMinMac) {
811 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
812 BlockMode block_mode = BlockMode::GCM;
813 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
814 SCOPED_TRACE(testing::Message()
815 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
816 vector<uint8_t> key_blob;
817 vector<KeyCharacteristics> key_characteristics;
818 // No MIN_MAC_LENGTH provided.
819 auto builder = AuthorizationSetBuilder()
820 .AesEncryptionKey(key_size)
821 .BlockMode(block_mode)
822 .Padding(padding_mode)
823 .SetDefaultValidity();
824 EXPECT_EQ(ErrorCode::MISSING_MIN_MAC_LENGTH,
825 GenerateKey(builder, &key_blob, &key_characteristics));
826 }
827 }
828}
829
830/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]831 * NewKeyGenerationTest.AesGcmMinMacOutOfRange
832 *
833 * Verifies that specifying an invalid min MAC size for AES key generation returns
834 * UNSUPPORTED_MIN_MAC_LENGTH.
835 */
836TEST_P(NewKeyGenerationTest, AesGcmMinMacOutOfRange) {
837 for (size_t min_mac_len : {88, 136}) {
838 for (auto key_size : ValidKeySizes(Algorithm::AES)) {
839 BlockMode block_mode = BlockMode::GCM;
840 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
841 SCOPED_TRACE(testing::Message()
842 << "AES-" << key_size << "-" << block_mode << "-" << padding_mode);
843 vector<uint8_t> key_blob;
844 vector<KeyCharacteristics> key_characteristics;
845 auto builder = AuthorizationSetBuilder()
846 .AesEncryptionKey(key_size)
847 .BlockMode(block_mode)
848 .Padding(padding_mode)
849 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_len)
850 .SetDefaultValidity();
851 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
852 GenerateKey(builder, &key_blob, &key_characteristics));
853 }
854 }
855 }
856}
857
858/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]859 * NewKeyGenerationTest.TripleDes
860 *
861 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
862 * have correct characteristics.
863 */
864TEST_P(NewKeyGenerationTest, TripleDes) {
865 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
866 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
867 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
868 SCOPED_TRACE(testing::Message()
869 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
870 vector<uint8_t> key_blob;
871 vector<KeyCharacteristics> key_characteristics;
872 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
873 .TripleDesEncryptionKey(key_size)
874 .BlockMode(block_mode)
875 .Padding(padding_mode)
876 .Authorization(TAG_NO_AUTH_REQUIRED)
877 .SetDefaultValidity(),
878 &key_blob, &key_characteristics));
879
880 EXPECT_GT(key_blob.size(), 0U);
881 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]882 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]883
884 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
885
886 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
887 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
888 << "Key size " << key_size << "missing";
889
890 CheckedDeleteKey(&key_blob);
891 }
892 }
893 }
894}
895
896/*
897 * NewKeyGenerationTest.TripleDesWithAttestation
898 *
899 * Verifies that keymint can generate all required 3DES key sizes, and that the resulting keys
900 * have correct characteristics.
901 *
902 * Request attestation, which doesn't help for symmetric keys (as there is no public key to
903 * put in a certificate) but which isn't an error.
904 */
905TEST_P(NewKeyGenerationTest, TripleDesWithAttestation) {
906 for (auto key_size : ValidKeySizes(Algorithm::TRIPLE_DES)) {
907 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
908 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
909 SCOPED_TRACE(testing::Message()
910 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
911
912 auto challenge = "hello";
913 auto app_id = "foo";
914
915 vector<uint8_t> key_blob;
916 vector<KeyCharacteristics> key_characteristics;
917 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
918 .TripleDesEncryptionKey(key_size)
919 .BlockMode(block_mode)
920 .Padding(padding_mode)
921 .Authorization(TAG_NO_AUTH_REQUIRED)
922 .AttestationChallenge(challenge)
923 .AttestationApplicationId(app_id)
924 .SetDefaultValidity(),
925 &key_blob, &key_characteristics));
926
927 EXPECT_GT(key_blob.size(), 0U);
928 CheckSymmetricParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]929 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]930
931 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
932
933 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::TRIPLE_DES));
934 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
935 << "Key size " << key_size << "missing";
936
937 CheckedDeleteKey(&key_blob);
938 }
939 }
940 }
941}
942
943/*
944 * NewKeyGenerationTest.TripleDesInvalidSize
945 *
946 * Verifies that specifying an invalid key size for 3-DES key generation returns
947 * UNSUPPORTED_KEY_SIZE.
948 */
949TEST_P(NewKeyGenerationTest, TripleDesInvalidSize) {
950 for (auto key_size : InvalidKeySizes(Algorithm::TRIPLE_DES)) {
951 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
952 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
953 SCOPED_TRACE(testing::Message()
954 << "3DES-" << key_size << "-" << block_mode << "-" << padding_mode);
955 vector<uint8_t> key_blob;
956 vector<KeyCharacteristics> key_characteristics;
957 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
958 GenerateKey(AuthorizationSetBuilder()
959 .TripleDesEncryptionKey(key_size)
960 .BlockMode(block_mode)
961 .Padding(padding_mode)
962 .Authorization(TAG_NO_AUTH_REQUIRED)
963 .SetDefaultValidity(),
964 &key_blob, &key_characteristics));
965 }
966 }
967 }
968
969 // Omitting the key size fails.
970 for (auto block_mode : ValidBlockModes(Algorithm::TRIPLE_DES)) {
971 for (auto padding_mode : ValidPaddingModes(Algorithm::AES, block_mode)) {
972 SCOPED_TRACE(testing::Message()
973 << "3DES-default-" << block_mode << "-" << padding_mode);
974 vector<uint8_t> key_blob;
975 vector<KeyCharacteristics> key_characteristics;
976 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
977 GenerateKey(AuthorizationSetBuilder()
978 .Authorization(TAG_ALGORITHM, Algorithm::TRIPLE_DES)
979 .BlockMode(block_mode)
980 .Padding(padding_mode)
981 .Authorization(TAG_NO_AUTH_REQUIRED)
982 .SetDefaultValidity(),
983 &key_blob, &key_characteristics));
984 }
985 }
986}
987
988/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]989 * NewKeyGenerationTest.Rsa
990 *
991 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
992 * have correct characteristics.
993 */
994TEST_P(NewKeyGenerationTest, Rsa) {
995 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
996 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]997 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]998 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
999 .RsaSigningKey(key_size, 65537)
1000 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1001 .Padding(PaddingMode::NONE)
1002 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1003 &key_blob, &key_characteristics));
1004
1005 ASSERT_GT(key_blob.size(), 0U);
1006 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1007 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1008
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1009 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1010
1011 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1012 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1013 << "Key size " << key_size << "missing";
1014 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1015
1016 CheckedDeleteKey(&key_blob);
1017 }
1018}
1019
1020/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1021 * NewKeyGenerationTest.RsaWithMissingValidity
1022 *
1023 * Verifies that keymint returns an error while generating asymmetric key
1024 * without providing NOT_BEFORE and NOT_AFTER parameters.
1025 */
1026TEST_P(NewKeyGenerationTest, RsaWithMissingValidity) {
1027 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1028 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1029 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1030
1031 vector<uint8_t> key_blob;
1032 vector<KeyCharacteristics> key_characteristics;
1033 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1034 GenerateKey(AuthorizationSetBuilder()
1035 .RsaSigningKey(2048, 65537)
1036 .Digest(Digest::NONE)
1037 .Padding(PaddingMode::NONE)
1038 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1039 kUndefinedExpirationDateTime),
1040 &key_blob, &key_characteristics));
1041
1042 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1043 GenerateKey(AuthorizationSetBuilder()
1044 .RsaSigningKey(2048, 65537)
1045 .Digest(Digest::NONE)
1046 .Padding(PaddingMode::NONE)
1047 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1048 &key_blob, &key_characteristics));
1049}
1050
1051/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1052 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1053 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1054 * Verifies that keymint can generate all required RSA key sizes with attestation, and that the
1055 * resulting keys have correct characteristics.
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1056 */
1057TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1058 auto challenge = "hello";
1059 auto app_id = "foo";
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1060
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1061 auto subject = "cert subj 2";
1062 vector<uint8_t> subject_der(make_name_from_str(subject));
1063
1064 uint64_t serial_int = 66;
1065 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1066
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1067 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1068 vector<uint8_t> key_blob;
1069 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1070 auto builder = AuthorizationSetBuilder()
1071 .RsaSigningKey(key_size, 65537)
1072 .Digest(Digest::NONE)
1073 .Padding(PaddingMode::NONE)
1074 .AttestationChallenge(challenge)
1075 .AttestationApplicationId(app_id)
1076 .Authorization(TAG_NO_AUTH_REQUIRED)
1077 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1078 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1079 .SetDefaultValidity();
1080
1081 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1082 // Strongbox may not support factory provisioned attestation key.
1083 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1084 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1085 result = GenerateKeyWithSelfSignedAttestKey(
1086 AuthorizationSetBuilder()
1087 .RsaKey(key_size, 65537)
1088 .AttestKey()
1089 .SetDefaultValidity(), /* attest key params */
1090 builder, &key_blob, &key_characteristics);
1091 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1092 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1093 ASSERT_EQ(ErrorCode::OK, result);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1094 ASSERT_GT(key_blob.size(), 0U);
1095 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1096 CheckCharacteristics(key_blob, key_characteristics);
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1097
1098 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1099
1100 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1101 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1102 << "Key size " << key_size << "missing";
1103 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1104
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1105 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1106 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1107 ASSERT_GT(cert_chain_.size(), 0);
1108
1109 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1110 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1111 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]1112 sw_enforced, hw_enforced, SecLevel(),
1113 cert_chain_[0].encodedCertificate));
1114
1115 CheckedDeleteKey(&key_blob);
1116 }
1117}
1118
1119/*
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1120 * NewKeyGenerationTest.RsaWithRpkAttestation
1121 *
1122 * Verifies that keymint can generate all required RSA key sizes, using an attestation key
1123 * that has been generated using an associate IRemotelyProvisionedComponent.
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]1124 *
1125 * This test is disabled because the KeyMint specification does not require that implementations
1126 * of the first version of KeyMint have to also implement IRemotelyProvisionedComponent.
1127 * However, the test is kept in the code because KeyMint v2 will impose this requirement.
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1128 */
David Drysdale0fce69d2021-04-13 17:22:13 +0100[diff] [blame]1129TEST_P(NewKeyGenerationTest, DISABLED_RsaWithRpkAttestation) {
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1130 // There should be an IRemotelyProvisionedComponent instance associated with the KeyMint
1131 // instance.
1132 std::shared_ptr<IRemotelyProvisionedComponent> rp;
1133 ASSERT_TRUE(matching_rp_instance(GetParam(), &rp))
1134 << "No IRemotelyProvisionedComponent found that matches KeyMint device " << GetParam();
1135
1136 // Generate a P-256 keypair to use as an attestation key.
1137 MacedPublicKey macedPubKey;
1138 std::vector<uint8_t> privateKeyBlob;
1139 auto status =
1140 rp->generateEcdsaP256KeyPair(/* testMode= */ false, &macedPubKey, &privateKeyBlob);
1141 ASSERT_TRUE(status.isOk());
1142 vector<uint8_t> coseKeyData;
1143 check_maced_pubkey(macedPubKey, /* testMode= */ false, &coseKeyData);
1144
1145 AttestationKey attestation_key;
1146 attestation_key.keyBlob = std::move(privateKeyBlob);
1147 attestation_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
1148
1149 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1150 auto challenge = "hello";
1151 auto app_id = "foo";
1152
1153 vector<uint8_t> key_blob;
1154 vector<KeyCharacteristics> key_characteristics;
1155 ASSERT_EQ(ErrorCode::OK,
1156 GenerateKey(AuthorizationSetBuilder()
1157 .RsaSigningKey(key_size, 65537)
1158 .Digest(Digest::NONE)
1159 .Padding(PaddingMode::NONE)
1160 .AttestationChallenge(challenge)
1161 .AttestationApplicationId(app_id)
1162 .Authorization(TAG_NO_AUTH_REQUIRED)
1163 .SetDefaultValidity(),
1164 attestation_key, &key_blob, &key_characteristics, &cert_chain_));
1165
1166 ASSERT_GT(key_blob.size(), 0U);
1167 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1168 CheckCharacteristics(key_blob, key_characteristics);
David Drysdale4dc01072021-04-01 12:17:35 +0100[diff] [blame]1169
1170 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1171
1172 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1173 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1174 << "Key size " << key_size << "missing";
1175 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1176
1177 // Attestation by itself is not valid (last entry is not self-signed).
1178 EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_));
1179
1180 // The signature over the attested key should correspond to the P256 public key.
1181 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1182 ASSERT_TRUE(key_cert.get());
1183 EVP_PKEY_Ptr signing_pubkey;
1184 p256_pub_key(coseKeyData, &signing_pubkey);
1185 ASSERT_TRUE(signing_pubkey.get());
1186
1187 ASSERT_TRUE(X509_verify(key_cert.get(), signing_pubkey.get()))
1188 << "Verification of attested certificate failed "
1189 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
1190
1191 CheckedDeleteKey(&key_blob);
1192 }
1193}
1194
1195/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1196 * NewKeyGenerationTest.RsaEncryptionWithAttestation
1197 *
1198 * Verifies that keymint attestation for RSA encryption keys with challenge and
1199 * app id is also successful.
1200 */
1201TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
1202 auto key_size = 2048;
1203 auto challenge = "hello";
1204 auto app_id = "foo";
1205
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1206 auto subject = "subj 2";
1207 vector<uint8_t> subject_der(make_name_from_str(subject));
1208
1209 uint64_t serial_int = 111166;
1210 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1211
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1212 vector<uint8_t> key_blob;
1213 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1214 auto builder = AuthorizationSetBuilder()
1215 .RsaEncryptionKey(key_size, 65537)
1216 .Padding(PaddingMode::NONE)
1217 .AttestationChallenge(challenge)
1218 .AttestationApplicationId(app_id)
1219 .Authorization(TAG_NO_AUTH_REQUIRED)
1220 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1221 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1222 .SetDefaultValidity();
1223
1224 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1225 // Strongbox may not support factory provisioned attestation key.
1226 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1227 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1228 result = GenerateKeyWithSelfSignedAttestKey(
1229 AuthorizationSetBuilder()
1230 .RsaKey(key_size, 65537)
1231 .AttestKey()
1232 .SetDefaultValidity(), /* attest key params */
1233 builder, &key_blob, &key_characteristics);
1234 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1235 }
1236 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1237
1238 ASSERT_GT(key_blob.size(), 0U);
1239 AuthorizationSet auths;
1240 for (auto& entry : key_characteristics) {
1241 auths.push_back(AuthorizationSet(entry.authorizations));
1242 }
1243
1244 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1245 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1246
1247 // Verify that App data and ROT are NOT included.
1248 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1249 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1250
1251 // Check that some unexpected tags/values are NOT present.
1252 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1253 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1254
1255 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
1256
1257 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
1258 ASSERT_TRUE(os_ver);
1259 EXPECT_EQ(*os_ver, os_version());
1260
1261 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1262
1263 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1264 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1265 << "Key size " << key_size << "missing";
1266 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1267
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1268 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1269 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1270 ASSERT_GT(cert_chain_.size(), 0);
1271
1272 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1273 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1274 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1275 sw_enforced, hw_enforced, SecLevel(),
1276 cert_chain_[0].encodedCertificate));
1277
1278 CheckedDeleteKey(&key_blob);
1279}
1280
1281/*
1282 * NewKeyGenerationTest.RsaWithSelfSign
1283 *
1284 * Verifies that attesting to RSA key generation is successful, and returns
1285 * self signed certificate if no challenge is provided. And signing etc
1286 * works as expected.
1287 */
1288TEST_P(NewKeyGenerationTest, RsaWithSelfSign) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1289 auto subject = "cert subj subj subj subj subj subj 22222222222222222222";
1290 vector<uint8_t> subject_der(make_name_from_str(subject));
1291
1292 uint64_t serial_int = 0;
1293 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1294
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1295 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1296 vector<uint8_t> key_blob;
1297 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1298 ASSERT_EQ(ErrorCode::OK,
1299 GenerateKey(AuthorizationSetBuilder()
1300 .RsaSigningKey(key_size, 65537)
1301 .Digest(Digest::NONE)
1302 .Padding(PaddingMode::NONE)
1303 .Authorization(TAG_NO_AUTH_REQUIRED)
1304 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1305 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1306 .SetDefaultValidity(),
1307 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1308
1309 ASSERT_GT(key_blob.size(), 0U);
1310 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1311 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1312
1313 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1314
1315 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1316 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1317 << "Key size " << key_size << "missing";
1318 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1319
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1320 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1321 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1322 ASSERT_EQ(cert_chain_.size(), 1);
1323
1324 CheckedDeleteKey(&key_blob);
1325 }
1326}
1327
1328/*
1329 * NewKeyGenerationTest.RsaWithAttestationMissAppId
1330 *
1331 * Verifies that attesting to RSA checks for missing app ID.
1332 */
1333TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
1334 auto challenge = "hello";
1335 vector<uint8_t> key_blob;
1336 vector<KeyCharacteristics> key_characteristics;
1337
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1338 auto builder = AuthorizationSetBuilder()
1339 .RsaSigningKey(2048, 65537)
1340 .Digest(Digest::NONE)
1341 .Padding(PaddingMode::NONE)
1342 .AttestationChallenge(challenge)
1343 .Authorization(TAG_NO_AUTH_REQUIRED)
1344 .SetDefaultValidity();
1345
1346 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1347 // Strongbox may not support factory provisioned attestation key.
1348 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1349 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1350 result = GenerateKeyWithSelfSignedAttestKey(
1351 AuthorizationSetBuilder()
1352 .RsaKey(2048, 65537)
1353 .AttestKey()
1354 .SetDefaultValidity(), /* attest key params */
1355 builder, &key_blob, &key_characteristics);
1356 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1357 }
1358 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1359}
1360
1361/*
1362 * NewKeyGenerationTest.RsaWithAttestationAppIdIgnored
1363 *
1364 * Verifies that attesting to RSA ignores app id if challenge is missing.
1365 */
1366TEST_P(NewKeyGenerationTest, RsaWithAttestationAppIdIgnored) {
1367 auto key_size = 2048;
1368 auto app_id = "foo";
1369
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1370 auto subject = "cert subj 2";
1371 vector<uint8_t> subject_der(make_name_from_str(subject));
1372
1373 uint64_t serial_int = 1;
1374 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1375
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1376 vector<uint8_t> key_blob;
1377 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1378 ASSERT_EQ(ErrorCode::OK,
1379 GenerateKey(AuthorizationSetBuilder()
1380 .RsaSigningKey(key_size, 65537)
1381 .Digest(Digest::NONE)
1382 .Padding(PaddingMode::NONE)
1383 .AttestationApplicationId(app_id)
1384 .Authorization(TAG_NO_AUTH_REQUIRED)
1385 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1386 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1387 .SetDefaultValidity(),
1388 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1389
1390 ASSERT_GT(key_blob.size(), 0U);
1391 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1392 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1393
1394 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1395
1396 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1397 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1398 << "Key size " << key_size << "missing";
1399 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1400
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1401 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1402 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1403 ASSERT_EQ(cert_chain_.size(), 1);
1404
1405 CheckedDeleteKey(&key_blob);
1406}
1407
1408/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1409 * NewKeyGenerationTest.LimitedUsageRsa
1410 *
1411 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1412 * resulting keys have correct characteristics.
1413 */
1414TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
1415 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1416 vector<uint8_t> key_blob;
1417 vector<KeyCharacteristics> key_characteristics;
1418 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1419 .RsaSigningKey(key_size, 65537)
1420 .Digest(Digest::NONE)
1421 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1422 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1423 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1424 &key_blob, &key_characteristics));
1425
1426 ASSERT_GT(key_blob.size(), 0U);
1427 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1428 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]1429
1430 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1431
1432 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1433 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1434 << "Key size " << key_size << "missing";
1435 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1436
1437 // Check the usage count limit tag appears in the authorizations.
1438 AuthorizationSet auths;
1439 for (auto& entry : key_characteristics) {
1440 auths.push_back(AuthorizationSet(entry.authorizations));
1441 }
1442 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1443 << "key usage count limit " << 1U << " missing";
1444
1445 CheckedDeleteKey(&key_blob);
1446 }
1447}
1448
1449/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1450 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
1451 *
1452 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
1453 * resulting keys have correct characteristics and attestation.
1454 */
1455TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1456 auto challenge = "hello";
1457 auto app_id = "foo";
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1458
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1459 auto subject = "cert subj 2";
1460 vector<uint8_t> subject_der(make_name_from_str(subject));
1461
1462 uint64_t serial_int = 66;
1463 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1464
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1465 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1466 vector<uint8_t> key_blob;
1467 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1468 auto builder = AuthorizationSetBuilder()
1469 .RsaSigningKey(key_size, 65537)
1470 .Digest(Digest::NONE)
1471 .Padding(PaddingMode::NONE)
1472 .AttestationChallenge(challenge)
1473 .AttestationApplicationId(app_id)
1474 .Authorization(TAG_NO_AUTH_REQUIRED)
1475 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
1476 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1477 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1478 .SetDefaultValidity();
1479
1480 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1481 // Strongbox may not support factory provisioned attestation key.
1482 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1483 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1484 result = GenerateKeyWithSelfSignedAttestKey(
1485 AuthorizationSetBuilder()
1486 .RsaKey(key_size, 65537)
1487 .AttestKey()
1488 .SetDefaultValidity(), /* attest key params */
1489 builder, &key_blob, &key_characteristics);
1490 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1491 }
1492 ASSERT_EQ(ErrorCode::OK, result);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1493
1494 ASSERT_GT(key_blob.size(), 0U);
1495 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1496 CheckCharacteristics(key_blob, key_characteristics);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1497
1498 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1499
1500 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
1501 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
1502 << "Key size " << key_size << "missing";
1503 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
1504
1505 // Check the usage count limit tag appears in the authorizations.
1506 AuthorizationSet auths;
1507 for (auto& entry : key_characteristics) {
1508 auths.push_back(AuthorizationSet(entry.authorizations));
1509 }
1510 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
1511 << "key usage count limit " << 1U << " missing";
1512
1513 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]1514 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1515 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1516 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1517
1518 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1519 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1520 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]1521 sw_enforced, hw_enforced, SecLevel(),
1522 cert_chain_[0].encodedCertificate));
1523
1524 CheckedDeleteKey(&key_blob);
1525 }
1526}
1527
1528/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1529 * NewKeyGenerationTest.NoInvalidRsaSizes
1530 *
1531 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
1532 */
1533TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
1534 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
1535 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1536 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1537 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1538 GenerateKey(AuthorizationSetBuilder()
1539 .RsaSigningKey(key_size, 65537)
1540 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1541 .Padding(PaddingMode::NONE)
1542 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1543 &key_blob, &key_characteristics));
1544 }
1545}
1546
1547/*
1548 * NewKeyGenerationTest.RsaNoDefaultSize
1549 *
1550 * Verifies that failing to specify a key size for RSA key generation returns
1551 * UNSUPPORTED_KEY_SIZE.
1552 */
1553TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1554 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1555 GenerateKey(AuthorizationSetBuilder()
1556 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1557 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1558 .SigningKey()
1559 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1560}
1561
1562/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]1563 * NewKeyGenerationTest.RsaMissingParams
1564 *
1565 * Verifies that omitting optional tags works.
1566 */
1567TEST_P(NewKeyGenerationTest, RsaMissingParams) {
1568 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
1569 ASSERT_EQ(ErrorCode::OK,
1570 GenerateKey(
1571 AuthorizationSetBuilder().RsaKey(key_size, 65537).SetDefaultValidity()));
1572 CheckedDeleteKey();
1573 }
1574}
1575
1576/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1577 * NewKeyGenerationTest.Ecdsa
1578 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1579 * Verifies that keymint can generate all required EC curves, and that the resulting keys
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1580 * have correct characteristics.
1581 */
1582TEST_P(NewKeyGenerationTest, Ecdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1583 for (auto curve : ValidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1584 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1585 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1586 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1587 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1588 .Digest(Digest::NONE)
1589 .SetDefaultValidity(),
1590 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1591 ASSERT_GT(key_blob.size(), 0U);
1592 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1593 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1594
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1595 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1596
1597 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1598 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1599
1600 CheckedDeleteKey(&key_blob);
1601 }
1602}
1603
1604/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1605 * NewKeyGenerationTest.EcdsaCurve25519
1606 *
1607 * Verifies that keymint can generate a curve25519 key, and that the resulting key
1608 * has correct characteristics.
1609 */
1610TEST_P(NewKeyGenerationTest, EcdsaCurve25519) {
1611 if (!Curve25519Supported()) {
1612 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1613 }
1614
1615 EcCurve curve = EcCurve::CURVE_25519;
1616 vector<uint8_t> key_blob;
1617 vector<KeyCharacteristics> key_characteristics;
1618 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1619 .EcdsaSigningKey(curve)
1620 .Digest(Digest::NONE)
1621 .SetDefaultValidity(),
1622 &key_blob, &key_characteristics);
1623 ASSERT_EQ(result, ErrorCode::OK);
1624 ASSERT_GT(key_blob.size(), 0U);
1625
1626 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1627 ASSERT_GT(cert_chain_.size(), 0);
1628
1629 CheckBaseParams(key_characteristics);
1630 CheckCharacteristics(key_blob, key_characteristics);
1631
1632 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1633
1634 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1635 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1636
1637 CheckedDeleteKey(&key_blob);
1638}
1639
1640/*
1641 * NewKeyGenerationTest.EcCurve25519MultiPurposeFail
1642 *
1643 * Verifies that KeyMint rejects an attempt to generate a curve 25519 key for both
1644 * SIGN and AGREE_KEY.
1645 */
1646TEST_P(NewKeyGenerationTest, EcdsaCurve25519MultiPurposeFail) {
1647 if (!Curve25519Supported()) {
1648 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1649 }
1650
1651 EcCurve curve = EcCurve::CURVE_25519;
1652 vector<uint8_t> key_blob;
1653 vector<KeyCharacteristics> key_characteristics;
1654 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1655 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
1656 .EcdsaSigningKey(curve)
1657 .Digest(Digest::NONE)
1658 .SetDefaultValidity(),
1659 &key_blob, &key_characteristics);
1660 ASSERT_EQ(result, ErrorCode::INCOMPATIBLE_PURPOSE);
1661}
1662
1663/*
Prashant Patil6c1adf02021-11-22 06:21:21 +0000[diff] [blame]1664 * NewKeyGenerationTest.EcdsaWithMissingValidity
1665 *
1666 * Verifies that keymint returns an error while generating asymmetric key
1667 * without providing NOT_BEFORE and NOT_AFTER parameters.
1668 */
1669TEST_P(NewKeyGenerationTest, EcdsaWithMissingValidity) {
1670 // Per RFC 5280 4.1.2.5, an undefined expiration (not-after) field should be set to
1671 // GeneralizedTime 999912312359559, which is 253402300799000 ms from Jan 1, 1970.
1672 constexpr uint64_t kUndefinedExpirationDateTime = 253402300799000;
1673
1674 vector<uint8_t> key_blob;
1675 vector<KeyCharacteristics> key_characteristics;
1676 ASSERT_EQ(ErrorCode::MISSING_NOT_BEFORE,
1677 GenerateKey(AuthorizationSetBuilder()
1678 .EcdsaSigningKey(EcCurve::P_256)
1679 .Digest(Digest::NONE)
1680 .Authorization(TAG_CERTIFICATE_NOT_AFTER,
1681 kUndefinedExpirationDateTime),
1682 &key_blob, &key_characteristics));
1683
1684 ASSERT_EQ(ErrorCode::MISSING_NOT_AFTER,
1685 GenerateKey(AuthorizationSetBuilder()
1686 .EcdsaSigningKey(EcCurve::P_256)
1687 .Digest(Digest::NONE)
1688 .Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0),
1689 &key_blob, &key_characteristics));
1690}
1691
1692/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1693 * NewKeyGenerationTest.EcdsaAttestation
1694 *
1695 * Verifies that for all Ecdsa key sizes, if challenge and app id is provided,
1696 * an attestation will be generated.
1697 */
1698TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
1699 auto challenge = "hello";
1700 auto app_id = "foo";
1701
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1702 auto subject = "cert subj 2";
1703 vector<uint8_t> subject_der(make_name_from_str(subject));
1704
1705 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1706 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1707
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1708 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1709 vector<uint8_t> key_blob;
1710 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1711 auto builder = AuthorizationSetBuilder()
1712 .Authorization(TAG_NO_AUTH_REQUIRED)
1713 .EcdsaSigningKey(curve)
1714 .Digest(Digest::NONE)
1715 .AttestationChallenge(challenge)
1716 .AttestationApplicationId(app_id)
1717 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1718 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1719 .SetDefaultValidity();
1720
1721 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1722 // Strongbox may not support factory provisioned attestation key.
1723 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1724 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1725 result = GenerateKeyWithSelfSignedAttestKey(
1726 AuthorizationSetBuilder()
1727 .EcdsaKey(curve)
1728 .AttestKey()
1729 .SetDefaultValidity(), /* attest key params */
1730 builder, &key_blob, &key_characteristics);
1731 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1732 }
1733 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1734 ASSERT_GT(key_blob.size(), 0U);
1735 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]1736 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1737
1738 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1739
1740 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1741 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1742
1743 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1744 ASSERT_GT(cert_chain_.size(), 0);
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]1745 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1746
1747 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1748 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1749 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]1750 sw_enforced, hw_enforced, SecLevel(),
1751 cert_chain_[0].encodedCertificate));
1752
1753 CheckedDeleteKey(&key_blob);
1754 }
1755}
1756
1757/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]1758 * NewKeyGenerationTest.EcdsaAttestationCurve25519
1759 *
1760 * Verifies that for a curve 25519 key, if challenge and app id is provided,
1761 * an attestation will be generated.
1762 */
1763TEST_P(NewKeyGenerationTest, EcdsaAttestationCurve25519) {
1764 if (!Curve25519Supported()) {
1765 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
1766 }
1767
1768 EcCurve curve = EcCurve::CURVE_25519;
1769 auto challenge = "hello";
1770 auto app_id = "foo";
1771
1772 auto subject = "cert subj 2";
1773 vector<uint8_t> subject_der(make_name_from_str(subject));
1774
1775 uint64_t serial_int = 0xFFFFFFFFFFFFFFFF;
1776 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1777
1778 vector<uint8_t> key_blob;
1779 vector<KeyCharacteristics> key_characteristics;
1780 ErrorCode result = GenerateKey(AuthorizationSetBuilder()
1781 .Authorization(TAG_NO_AUTH_REQUIRED)
1782 .EcdsaSigningKey(curve)
1783 .Digest(Digest::NONE)
1784 .AttestationChallenge(challenge)
1785 .AttestationApplicationId(app_id)
1786 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1787 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1788 .SetDefaultValidity(),
1789 &key_blob, &key_characteristics);
1790 ASSERT_EQ(ErrorCode::OK, result);
1791 ASSERT_GT(key_blob.size(), 0U);
1792 CheckBaseParams(key_characteristics);
1793 CheckCharacteristics(key_blob, key_characteristics);
1794
1795 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
1796
1797 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1798 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
1799
1800 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1801 ASSERT_GT(cert_chain_.size(), 0);
1802 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
1803
1804 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1805 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
1806 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
1807 sw_enforced, hw_enforced, SecLevel(),
1808 cert_chain_[0].encodedCertificate));
1809
1810 CheckedDeleteKey(&key_blob);
1811}
1812
1813/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1814 * NewKeyGenerationTest.EcdsaAttestationTags
1815 *
1816 * Verifies that creation of an attested ECDSA key includes various tags in the
1817 * attestation extension.
1818 */
1819TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
1820 auto challenge = "hello";
1821 auto app_id = "foo";
1822 auto subject = "cert subj 2";
1823 vector<uint8_t> subject_der(make_name_from_str(subject));
1824 uint64_t serial_int = 0x1010;
1825 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1826 const AuthorizationSetBuilder base_builder =
1827 AuthorizationSetBuilder()
1828 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1829 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1830 .Digest(Digest::NONE)
1831 .AttestationChallenge(challenge)
1832 .AttestationApplicationId(app_id)
1833 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1834 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1835 .SetDefaultValidity();
1836
1837 // Various tags that map to fields in the attestation extension ASN.1 schema.
1838 auto extra_tags = AuthorizationSetBuilder()
1839 .Authorization(TAG_ROLLBACK_RESISTANCE)
1840 .Authorization(TAG_EARLY_BOOT_ONLY)
1841 .Authorization(TAG_ACTIVE_DATETIME, 1619621648000)
1842 .Authorization(TAG_ORIGINATION_EXPIRE_DATETIME, 1619621648000)
1843 .Authorization(TAG_USAGE_EXPIRE_DATETIME, 1619621999000)
1844 .Authorization(TAG_USAGE_COUNT_LIMIT, 42)
1845 .Authorization(TAG_AUTH_TIMEOUT, 100000)
1846 .Authorization(TAG_ALLOW_WHILE_ON_BODY)
1847 .Authorization(TAG_TRUSTED_USER_PRESENCE_REQUIRED)
1848 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
1849 .Authorization(TAG_UNLOCKED_DEVICE_REQUIRED)
1850 .Authorization(TAG_CREATION_DATETIME, 1619621648000);
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1851
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1852 for (const KeyParameter& tag : extra_tags) {
1853 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1854 vector<uint8_t> key_blob;
1855 vector<KeyCharacteristics> key_characteristics;
1856 AuthorizationSetBuilder builder = base_builder;
1857 builder.push_back(tag);
1858 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
1859 if (result == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE &&
1860 tag.tag == TAG_ROLLBACK_RESISTANCE) {
1861 continue;
1862 }
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1863 if (result == ErrorCode::UNSUPPORTED_TAG && tag.tag == TAG_TRUSTED_USER_PRESENCE_REQUIRED) {
1864 // Tag not required to be supported by all KeyMint implementations.
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1865 continue;
1866 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1867 // Strongbox may not support factory provisioned attestation key.
1868 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1869 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1870 result = GenerateKeyWithSelfSignedAttestKey(
1871 AuthorizationSetBuilder()
1872 .EcdsaKey(EcCurve::P_256)
1873 .AttestKey()
1874 .SetDefaultValidity(), /* attest key params */
1875 builder, &key_blob, &key_characteristics);
1876 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1877 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1878 ASSERT_EQ(result, ErrorCode::OK);
1879 ASSERT_GT(key_blob.size(), 0U);
1880
1881 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1882 ASSERT_GT(cert_chain_.size(), 0);
1883 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1884
1885 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
1886 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
Seth Mooreb393b082021-07-12 14:18:28 -0700[diff] [blame]1887 // Some tags are optional, so don't require them to be in the enforcements.
1888 if (tag.tag != TAG_ATTESTATION_APPLICATION_ID && tag.tag != TAG_ALLOW_WHILE_ON_BODY) {
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1889 EXPECT_TRUE(hw_enforced.Contains(tag.tag) || sw_enforced.Contains(tag.tag))
1890 << tag << " not in hw:" << hw_enforced << " nor sw:" << sw_enforced;
1891 }
1892
1893 // Verifying the attestation record will check for the specific tag because
1894 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]1895 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
1896 hw_enforced, SecLevel(),
1897 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1898
1899 CheckedDeleteKey(&key_blob);
1900 }
1901
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1902 // Collection of invalid attestation ID tags.
1903 auto invalid_tags =
1904 AuthorizationSetBuilder()
1905 .Authorization(TAG_ATTESTATION_ID_BRAND, "bogus-brand")
1906 .Authorization(TAG_ATTESTATION_ID_DEVICE, "devious-device")
1907 .Authorization(TAG_ATTESTATION_ID_PRODUCT, "punctured-product")
1908 .Authorization(TAG_ATTESTATION_ID_SERIAL, "suspicious-serial")
1909 .Authorization(TAG_ATTESTATION_ID_IMEI, "invalid-imei")
1910 .Authorization(TAG_ATTESTATION_ID_MEID, "mismatching-meid")
1911 .Authorization(TAG_ATTESTATION_ID_MANUFACTURER, "malformed-manufacturer")
1912 .Authorization(TAG_ATTESTATION_ID_MODEL, "malicious-model");
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1913 for (const KeyParameter& tag : invalid_tags) {
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1914 SCOPED_TRACE(testing::Message() << "-incorrect-tag-" << tag);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1915 vector<uint8_t> key_blob;
1916 vector<KeyCharacteristics> key_characteristics;
1917 AuthorizationSetBuilder builder =
1918 AuthorizationSetBuilder()
1919 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]1920 .EcdsaSigningKey(EcCurve::P_256)
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1921 .Digest(Digest::NONE)
1922 .AttestationChallenge(challenge)
1923 .AttestationApplicationId(app_id)
1924 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1925 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1926 .SetDefaultValidity();
1927 builder.push_back(tag);
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]1928
1929 auto error = GenerateKey(builder, &key_blob, &key_characteristics);
1930 // Strongbox may not support factory provisioned attestation key.
1931 if (SecLevel() == SecurityLevel::STRONGBOX) {
1932 if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
1933 error = GenerateKeyWithSelfSignedAttestKey(
1934 AuthorizationSetBuilder()
1935 .EcdsaKey(EcCurve::P_256)
1936 .AttestKey()
1937 .SetDefaultValidity(), /* attest key params */
1938 builder, &key_blob, &key_characteristics);
1939 }
1940 }
1941 ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]1942 }
1943}
1944
1945/*
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1946 * NewKeyGenerationTest.EcdsaAttestationIdTags
1947 *
1948 * Verifies that creation of an attested ECDSA key includes various ID tags in the
1949 * attestation extension.
1950 */
1951TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
1952 auto challenge = "hello";
1953 auto app_id = "foo";
1954 auto subject = "cert subj 2";
1955 vector<uint8_t> subject_der(make_name_from_str(subject));
1956 uint64_t serial_int = 0x1010;
1957 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
1958 const AuthorizationSetBuilder base_builder =
1959 AuthorizationSetBuilder()
1960 .Authorization(TAG_NO_AUTH_REQUIRED)
1961 .EcdsaSigningKey(EcCurve::P_256)
1962 .Digest(Digest::NONE)
1963 .AttestationChallenge(challenge)
1964 .AttestationApplicationId(app_id)
1965 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
1966 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
1967 .SetDefaultValidity();
1968
1969 // Various ATTESTATION_ID_* tags that map to fields in the attestation extension ASN.1 schema.
1970 auto extra_tags = AuthorizationSetBuilder();
1971 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand");
1972 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device");
1973 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name");
1974 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serial");
1975 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer");
1976 add_tag_from_prop(&extra_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model");
1977
1978 for (const KeyParameter& tag : extra_tags) {
1979 SCOPED_TRACE(testing::Message() << "tag-" << tag);
1980 vector<uint8_t> key_blob;
1981 vector<KeyCharacteristics> key_characteristics;
1982 AuthorizationSetBuilder builder = base_builder;
1983 builder.push_back(tag);
1984 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]1985 // Strongbox may not support factory provisioned attestation key.
1986 if (SecLevel() == SecurityLevel::STRONGBOX) {
1987 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
1988 }
Prashant Patil88ad1892022-03-15 16:31:02 +0000[diff] [blame]1989 if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
1990 // ID attestation was optional till api level 32, from api level 33 it is mandatory.
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]1991 continue;
1992 }
1993 ASSERT_EQ(result, ErrorCode::OK);
1994 ASSERT_GT(key_blob.size(), 0U);
1995
1996 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
1997 ASSERT_GT(cert_chain_.size(), 0);
1998 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
1999
2000 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2001 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2002
2003 // The attested key characteristics will not contain APPLICATION_ID_* fields (their
2004 // spec definitions all have "Must never appear in KeyCharacteristics"), but the
2005 // attestation extension should contain them, so make sure the extra tag is added.
2006 hw_enforced.push_back(tag);
2007
2008 // Verifying the attestation record will check for the specific tag because
2009 // it's included in the authorizations.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2010 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2011 hw_enforced, SecLevel(),
2012 cert_chain_[0].encodedCertificate));
David Drysdalec53b7d92021-10-11 12:35:58 +0100[diff] [blame]2013
2014 CheckedDeleteKey(&key_blob);
2015 }
2016}
2017
2018/*
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2019 * NewKeyGenerationTest.EcdsaAttestationUniqueId
2020 *
2021 * Verifies that creation of an attested ECDSA key with a UNIQUE_ID included.
2022 */
2023TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
2024 auto get_unique_id = [this](const std::string& app_id, uint64_t datetime,
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2025 vector<uint8_t>* unique_id, bool reset = false) {
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2026 auto challenge = "hello";
2027 auto subject = "cert subj 2";
2028 vector<uint8_t> subject_der(make_name_from_str(subject));
2029 uint64_t serial_int = 0x1010;
2030 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2031 AuthorizationSetBuilder builder =
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2032 AuthorizationSetBuilder()
2033 .Authorization(TAG_NO_AUTH_REQUIRED)
2034 .Authorization(TAG_INCLUDE_UNIQUE_ID)
2035 .EcdsaSigningKey(EcCurve::P_256)
2036 .Digest(Digest::NONE)
2037 .AttestationChallenge(challenge)
2038 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2039 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2040 .AttestationApplicationId(app_id)
2041 .Authorization(TAG_CREATION_DATETIME, datetime)
2042 .SetDefaultValidity();
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2043 if (reset) {
2044 builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
2045 }
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2046 auto result = GenerateKey(builder);
2047 if (SecLevel() == SecurityLevel::STRONGBOX) {
2048 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2049 result = GenerateKeyWithSelfSignedAttestKey(
2050 AuthorizationSetBuilder()
2051 .EcdsaKey(EcCurve::P_256)
2052 .AttestKey()
2053 .SetDefaultValidity(), /* attest key params */
2054 builder, &key_blob_, &key_characteristics_, &cert_chain_);
2055 }
2056 }
2057 ASSERT_EQ(ErrorCode::OK, result);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2058 ASSERT_GT(key_blob_.size(), 0U);
2059
2060 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2061 ASSERT_GT(cert_chain_.size(), 0);
2062 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2063
2064 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics_);
2065 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics_);
2066
2067 // Check that the unique ID field in the extension is non-empty.
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2068 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, sw_enforced,
2069 hw_enforced, SecLevel(),
2070 cert_chain_[0].encodedCertificate, unique_id));
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2071 EXPECT_GT(unique_id->size(), 0);
2072 CheckedDeleteKey();
2073 };
2074
2075 // Generate unique ID
2076 auto app_id = "foo";
2077 uint64_t cert_date = 1619621648000; // Wed Apr 28 14:54:08 2021 in ms since epoch
2078 vector<uint8_t> unique_id;
2079 get_unique_id(app_id, cert_date, &unique_id);
2080
2081 // Generating a new key with the same parameters should give the same unique ID.
2082 vector<uint8_t> unique_id2;
2083 get_unique_id(app_id, cert_date, &unique_id2);
2084 EXPECT_EQ(unique_id, unique_id2);
2085
2086 // Generating a new key with a slightly different date should give the same unique ID.
2087 uint64_t rounded_date = cert_date / 2592000000LLU;
2088 uint64_t min_date = rounded_date * 2592000000LLU;
2089 uint64_t max_date = ((rounded_date + 1) * 2592000000LLU) - 1;
2090
2091 vector<uint8_t> unique_id3;
2092 get_unique_id(app_id, min_date, &unique_id3);
2093 EXPECT_EQ(unique_id, unique_id3);
2094
2095 vector<uint8_t> unique_id4;
2096 get_unique_id(app_id, max_date, &unique_id4);
2097 EXPECT_EQ(unique_id, unique_id4);
2098
2099 // A different attestation application ID should yield a different unique ID.
2100 auto app_id2 = "different_foo";
2101 vector<uint8_t> unique_id5;
2102 get_unique_id(app_id2, cert_date, &unique_id5);
2103 EXPECT_NE(unique_id, unique_id5);
2104
2105 // A radically different date should yield a different unique ID.
2106 vector<uint8_t> unique_id6;
2107 get_unique_id(app_id, 1611621648000, &unique_id6);
2108 EXPECT_NE(unique_id, unique_id6);
2109
2110 vector<uint8_t> unique_id7;
2111 get_unique_id(app_id, max_date + 1, &unique_id7);
2112 EXPECT_NE(unique_id, unique_id7);
2113
2114 vector<uint8_t> unique_id8;
2115 get_unique_id(app_id, min_date - 1, &unique_id8);
2116 EXPECT_NE(unique_id, unique_id8);
David Drysdale13f2a402021-11-01 11:40:08 +0000[diff] [blame]2117
2118 // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
2119 vector<uint8_t> unique_id9;
2120 get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
2121 EXPECT_NE(unique_id, unique_id9);
David Drysdale565ccc72021-10-11 12:49:50 +0100[diff] [blame]2122}
2123
2124/*
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2125 * NewKeyGenerationTest.EcdsaAttestationTagNoApplicationId
2126 *
2127 * Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
2128 */
2129TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
2130 auto challenge = "hello";
2131 auto attest_app_id = "foo";
2132 auto subject = "cert subj 2";
2133 vector<uint8_t> subject_der(make_name_from_str(subject));
2134 uint64_t serial_int = 0x1010;
2135 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2136
2137 // Earlier versions of the attestation extension schema included a slot:
2138 // applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
2139 // This should never have been included, and should never be filled in.
2140 // Generate an attested key that include APPLICATION_ID and APPLICATION_DATA,
2141 // to confirm that this field never makes it into the attestation extension.
2142 vector<uint8_t> key_blob;
2143 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2144 auto builder = AuthorizationSetBuilder()
2145 .Authorization(TAG_NO_AUTH_REQUIRED)
2146 .EcdsaSigningKey(EcCurve::P_256)
2147 .Digest(Digest::NONE)
2148 .AttestationChallenge(challenge)
2149 .AttestationApplicationId(attest_app_id)
2150 .Authorization(TAG_APPLICATION_ID, "client_id")
2151 .Authorization(TAG_APPLICATION_DATA, "appdata")
2152 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2153 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2154 .SetDefaultValidity();
2155
2156 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2157 // Strongbox may not support factory provisioned attestation key.
2158 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2159 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2160 result = GenerateKeyWithSelfSignedAttestKey(
2161 AuthorizationSetBuilder()
2162 .EcdsaKey(EcCurve::P_256)
2163 .AttestKey()
2164 .SetDefaultValidity(), /* attest key params */
2165 builder, &key_blob, &key_characteristics);
2166 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2167 }
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2168 ASSERT_EQ(result, ErrorCode::OK);
2169 ASSERT_GT(key_blob.size(), 0U);
2170
2171 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2172 ASSERT_GT(cert_chain_.size(), 0);
2173 verify_subject_and_serial(cert_chain_[0], serial_int, subject, /* self_signed = */ false);
2174
2175 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2176 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2177 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, attest_app_id, sw_enforced,
2178 hw_enforced, SecLevel(),
2179 cert_chain_[0].encodedCertificate));
David Drysdale37af4b32021-05-14 16:46:59 +0100[diff] [blame]2180
2181 // Check that the app id is not in the cert.
2182 string app_id = "clientid";
2183 std::vector<uint8_t> needle(reinterpret_cast<const uint8_t*>(app_id.data()),
2184 reinterpret_cast<const uint8_t*>(app_id.data()) + app_id.size());
2185 ASSERT_EQ(std::search(cert_chain_[0].encodedCertificate.begin(),
2186 cert_chain_[0].encodedCertificate.end(), needle.begin(), needle.end()),
2187 cert_chain_[0].encodedCertificate.end());
2188
2189 CheckedDeleteKey(&key_blob);
2190}
2191
2192/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2193 * NewKeyGenerationTest.EcdsaSelfSignAttestation
2194 *
2195 * Verifies that if no challenge is provided to an Ecdsa key generation, then
2196 * the key will generate a self signed attestation.
2197 */
2198TEST_P(NewKeyGenerationTest, EcdsaSelfSignAttestation) {
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2199 auto subject = "cert subj 2";
2200 vector<uint8_t> subject_der(make_name_from_str(subject));
2201
2202 uint64_t serial_int = 0x123456FFF1234;
2203 vector<uint8_t> serial_blob(build_serial_blob(serial_int));
2204
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2205 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2206 vector<uint8_t> key_blob;
2207 vector<KeyCharacteristics> key_characteristics;
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2208 ASSERT_EQ(ErrorCode::OK,
2209 GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2210 .EcdsaSigningKey(curve)
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2211 .Digest(Digest::NONE)
2212 .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
2213 .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
2214 .SetDefaultValidity(),
2215 &key_blob, &key_characteristics));
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2216 ASSERT_GT(key_blob.size(), 0U);
2217 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2218 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2219
2220 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2221
2222 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2223 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2224
2225 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Selene Huang6e46f142021-04-20 19:20:11 -0700[diff] [blame]2226 verify_subject_and_serial(cert_chain_[0], serial_int, subject, false);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2227 ASSERT_EQ(cert_chain_.size(), 1);
2228
2229 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2230 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2231
2232 CheckedDeleteKey(&key_blob);
2233 }
2234}
2235
2236/*
2237 * NewKeyGenerationTest.EcdsaAttestationRequireAppId
2238 *
2239 * Verifies that if attestation challenge is provided to Ecdsa key generation, then
2240 * app id must also be provided or else it will fail.
2241 */
2242TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
2243 auto challenge = "hello";
2244 vector<uint8_t> key_blob;
2245 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2246 auto builder = AuthorizationSetBuilder()
2247 .EcdsaSigningKey(EcCurve::P_256)
2248 .Digest(Digest::NONE)
2249 .AttestationChallenge(challenge)
2250 .SetDefaultValidity();
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2251
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2252 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2253 // Strongbox may not support factory provisioned attestation key.
2254 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2255 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2256 result = GenerateKeyWithSelfSignedAttestKey(
2257 AuthorizationSetBuilder()
2258 .EcdsaKey(EcCurve::P_256)
2259 .AttestKey()
2260 .SetDefaultValidity(), /* attest key params */
2261 builder, &key_blob, &key_characteristics);
2262 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2263 }
2264 ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2265}
2266
2267/*
2268 * NewKeyGenerationTest.EcdsaIgnoreAppId
2269 *
2270 * Verifies that if no challenge is provided to the Ecdsa key generation, then
2271 * any appid will be ignored, and keymint will generate a self sign certificate.
2272 */
2273TEST_P(NewKeyGenerationTest, EcdsaIgnoreAppId) {
2274 auto app_id = "foo";
2275
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2276 for (auto curve : ValidCurves()) {
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2277 vector<uint8_t> key_blob;
2278 vector<KeyCharacteristics> key_characteristics;
2279 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2280 .EcdsaSigningKey(curve)
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2281 .Digest(Digest::NONE)
2282 .AttestationApplicationId(app_id)
2283 .SetDefaultValidity(),
2284 &key_blob, &key_characteristics));
2285
2286 ASSERT_GT(key_blob.size(), 0U);
2287 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2288 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2289
2290 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2291
2292 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2293 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2294
2295 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2296 ASSERT_EQ(cert_chain_.size(), 1);
2297
2298 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2299 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
2300
2301 CheckedDeleteKey(&key_blob);
2302 }
2303}
2304
2305/*
2306 * NewKeyGenerationTest.AttestationApplicationIDLengthProperlyEncoded
2307 *
2308 * Verifies that the Attestation Application ID software enforced tag has a proper length encoding.
2309 * Some implementations break strict encoding rules by encoding a length between 127 and 256 in one
2310 * byte. Proper DER encoding specifies that for lengths greater than 127, one byte should be used
2311 * to specify how many following bytes will be used to encode the length.
2312 */
2313TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
2314 auto challenge = "hello";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2315 std::vector<uint32_t> app_id_lengths{143, 258};
2316
2317 for (uint32_t length : app_id_lengths) {
2318 const string app_id(length, 'a');
2319 vector<uint8_t> key_blob;
2320 vector<KeyCharacteristics> key_characteristics;
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2321 auto builder = AuthorizationSetBuilder()
2322 .Authorization(TAG_NO_AUTH_REQUIRED)
2323 .EcdsaSigningKey(EcCurve::P_256)
2324 .Digest(Digest::NONE)
2325 .AttestationChallenge(challenge)
2326 .AttestationApplicationId(app_id)
2327 .SetDefaultValidity();
2328
2329 auto result = GenerateKey(builder, &key_blob, &key_characteristics);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2330 // Strongbox may not support factory provisioned attestation key.
2331 if (SecLevel() == SecurityLevel::STRONGBOX) {
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]2332 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
2333 result = GenerateKeyWithSelfSignedAttestKey(
2334 AuthorizationSetBuilder()
2335 .EcdsaKey(EcCurve::P_256)
2336 .AttestKey()
2337 .SetDefaultValidity(), /* attest key params */
2338 builder, &key_blob, &key_characteristics);
2339 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]2340 }
2341 ASSERT_EQ(ErrorCode::OK, result);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2342 ASSERT_GT(key_blob.size(), 0U);
2343 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2344 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2345
2346 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2347
2348 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2349 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, EcCurve::P_256)) << "Curve P256 missing";
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2350
2351 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
2352 ASSERT_GT(cert_chain_.size(), 0);
2353
2354 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
2355 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
David Drysdale7dff4fc2021-12-10 10:10:52 +0000[diff] [blame]2356 EXPECT_TRUE(verify_attestation_record(AidlVersion(), challenge, app_id, //
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2357 sw_enforced, hw_enforced, SecLevel(),
2358 cert_chain_[0].encodedCertificate));
2359
2360 CheckedDeleteKey(&key_blob);
2361 }
2362}
2363
2364/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2365 * NewKeyGenerationTest.LimitedUsageEcdsa
2366 *
2367 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
2368 * resulting keys have correct characteristics.
2369 */
2370TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2371 for (auto curve : ValidCurves()) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2372 vector<uint8_t> key_blob;
2373 vector<KeyCharacteristics> key_characteristics;
2374 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2375 .EcdsaSigningKey(curve)
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2376 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2377 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
2378 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2379 &key_blob, &key_characteristics));
2380
2381 ASSERT_GT(key_blob.size(), 0U);
2382 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2383 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2384
2385 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2386
2387 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2388 EXPECT_TRUE(crypto_params.Contains(TAG_EC_CURVE, curve)) << "Curve " << curve << "missing";
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2389
2390 // Check the usage count limit tag appears in the authorizations.
2391 AuthorizationSet auths;
2392 for (auto& entry : key_characteristics) {
2393 auths.push_back(AuthorizationSet(entry.authorizations));
2394 }
2395 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2396 << "key usage count limit " << 1U << " missing";
2397
2398 CheckedDeleteKey(&key_blob);
2399 }
2400}
2401
2402/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2403 * NewKeyGenerationTest.EcdsaDefaultSize
2404 *
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2405 * Verifies that failing to specify a curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2406 * UNSUPPORTED_KEY_SIZE.
2407 */
2408TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
2409 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2410 GenerateKey(AuthorizationSetBuilder()
2411 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2412 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2413 .Digest(Digest::NONE)
2414 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2415}
2416
2417/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2418 * NewKeyGenerationTest.EcdsaInvalidCurve
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2419 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2420 * Verifies that specifying an invalid curve for EC key generation returns
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2421 * UNSUPPORTED_KEY_SIZE.
2422 */
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2423TEST_P(NewKeyGenerationTest, EcdsaInvalidCurve) {
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2424 for (auto curve : InvalidCurves()) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2425 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2426 vector<KeyCharacteristics> key_characteristics;
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]2427 auto result = GenerateKey(AuthorizationSetBuilder()
2428 .EcdsaSigningKey(curve)
2429 .Digest(Digest::NONE)
2430 .SetDefaultValidity(),
2431 &key_blob, &key_characteristics);
2432 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_KEY_SIZE ||
2433 result == ErrorCode::UNSUPPORTED_EC_CURVE);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2434 }
2435
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2436 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2437 GenerateKey(AuthorizationSetBuilder()
2438 .Authorization(TAG_ALGORITHM, Algorithm::EC)
2439 .Authorization(TAG_KEY_SIZE, 190)
2440 .SigningKey()
2441 .Digest(Digest::NONE)
2442 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2443}
2444
2445/*
2446 * NewKeyGenerationTest.EcdsaMismatchKeySize
2447 *
2448 * Verifies that specifying mismatched key size and curve for EC key generation returns
2449 * INVALID_ARGUMENT.
2450 */
2451TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2452 if (SecLevel() == SecurityLevel::STRONGBOX) {
2453 GTEST_SKIP() << "Test not applicable to StrongBox device";
2454 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2455
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2456 auto result = GenerateKey(AuthorizationSetBuilder()
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2457 .Authorization(TAG_ALGORITHM, Algorithm::EC)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2458 .Authorization(TAG_KEY_SIZE, 224)
2459 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2460 .SigningKey()
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]2461 .Digest(Digest::NONE)
2462 .SetDefaultValidity());
David Drysdaleff819282021-08-18 16:45:50 +0100[diff] [blame]2463 ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2464}
2465
2466/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2467 * NewKeyGenerationTest.EcdsaAllValidCurves
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2468 *
2469 * Verifies that keymint does not support any curve designated as unsupported.
2470 */
2471TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
2472 Digest digest;
2473 if (SecLevel() == SecurityLevel::STRONGBOX) {
2474 digest = Digest::SHA_2_256;
2475 } else {
2476 digest = Digest::SHA_2_512;
2477 }
2478 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2479 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2480 .EcdsaSigningKey(curve)
2481 .Digest(digest)
2482 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2483 << "Failed to generate key on curve: " << curve;
2484 CheckedDeleteKey();
2485 }
2486}
2487
2488/*
2489 * NewKeyGenerationTest.Hmac
2490 *
2491 * Verifies that keymint supports all required digests, and that the resulting keys have correct
2492 * characteristics.
2493 */
2494TEST_P(NewKeyGenerationTest, Hmac) {
2495 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2496 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2497 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2498 constexpr size_t key_size = 128;
2499 ASSERT_EQ(ErrorCode::OK,
2500 GenerateKey(
2501 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
2502 TAG_MIN_MAC_LENGTH, 128),
2503 &key_blob, &key_characteristics));
2504
2505 ASSERT_GT(key_blob.size(), 0U);
2506 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2507 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2508
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2509 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2510 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2511 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2512 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2513
2514 CheckedDeleteKey(&key_blob);
2515 }
2516}
2517
2518/*
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2519 * NewKeyGenerationTest.HmacNoAttestation
2520 *
2521 * Verifies that for Hmac key generation, no attestation will be generated even if challenge
2522 * and app id are provided.
2523 */
2524TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
2525 auto challenge = "hello";
2526 auto app_id = "foo";
2527
2528 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2529 vector<uint8_t> key_blob;
2530 vector<KeyCharacteristics> key_characteristics;
2531 constexpr size_t key_size = 128;
2532 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2533 .HmacKey(key_size)
2534 .Digest(digest)
2535 .AttestationChallenge(challenge)
2536 .AttestationApplicationId(app_id)
2537 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2538 &key_blob, &key_characteristics));
2539
2540 ASSERT_GT(key_blob.size(), 0U);
2541 ASSERT_EQ(cert_chain_.size(), 0);
2542 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2543 CheckCharacteristics(key_blob, key_characteristics);
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2544
2545 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2546 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2547 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2548 << "Key size " << key_size << "missing";
2549
2550 CheckedDeleteKey(&key_blob);
2551 }
2552}
2553
2554/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2555 * NewKeyGenerationTest.LimitedUsageHmac
2556 *
2557 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
2558 * resulting keys have correct characteristics.
2559 */
2560TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
2561 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
2562 vector<uint8_t> key_blob;
2563 vector<KeyCharacteristics> key_characteristics;
2564 constexpr size_t key_size = 128;
2565 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2566 .HmacKey(key_size)
2567 .Digest(digest)
2568 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2569 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
2570 &key_blob, &key_characteristics));
2571
2572 ASSERT_GT(key_blob.size(), 0U);
2573 CheckBaseParams(key_characteristics);
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2574 CheckCharacteristics(key_blob, key_characteristics);
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]2575
2576 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
2577 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
2578 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
2579 << "Key size " << key_size << "missing";
2580
2581 // Check the usage count limit tag appears in the authorizations.
2582 AuthorizationSet auths;
2583 for (auto& entry : key_characteristics) {
2584 auths.push_back(AuthorizationSet(entry.authorizations));
2585 }
2586 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
2587 << "key usage count limit " << 1U << " missing";
2588
2589 CheckedDeleteKey(&key_blob);
2590 }
2591}
2592
2593/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2594 * NewKeyGenerationTest.HmacCheckKeySizes
2595 *
2596 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
2597 */
2598TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
2599 for (size_t key_size = 0; key_size <= 512; ++key_size) {
2600 if (key_size < 64 || key_size % 8 != 0) {
2601 // To keep this test from being very slow, we only test a random fraction of
2602 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
2603 // them, we expect to run ~40 of them in each run.
2604 if (key_size % 8 == 0 || random() % 10 == 0) {
2605 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2606 GenerateKey(AuthorizationSetBuilder()
2607 .HmacKey(key_size)
2608 .Digest(Digest::SHA_2_256)
2609 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2610 << "HMAC key size " << key_size << " invalid";
2611 }
2612 } else {
2613 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2614 .HmacKey(key_size)
2615 .Digest(Digest::SHA_2_256)
2616 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2617 << "Failed to generate HMAC key of size " << key_size;
2618 CheckedDeleteKey();
2619 }
2620 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2621 if (SecLevel() == SecurityLevel::STRONGBOX) {
2622 // STRONGBOX devices must not support keys larger than 512 bits.
2623 size_t key_size = 520;
2624 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
2625 GenerateKey(AuthorizationSetBuilder()
2626 .HmacKey(key_size)
2627 .Digest(Digest::SHA_2_256)
2628 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
2629 << "HMAC key size " << key_size << " unexpectedly valid";
2630 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2631}
2632
2633/*
2634 * NewKeyGenerationTest.HmacCheckMinMacLengths
2635 *
2636 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
2637 * test is probabilistic in order to keep the runtime down, but any failure prints out the
2638 * specific MAC length that failed, so reproducing a failed run will be easy.
2639 */
2640TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
2641 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
2642 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
2643 // To keep this test from being very long, we only test a random fraction of
2644 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
2645 // we expect to run ~17 of them in each run.
2646 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
2647 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2648 GenerateKey(AuthorizationSetBuilder()
2649 .HmacKey(128)
2650 .Digest(Digest::SHA_2_256)
2651 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2652 << "HMAC min mac length " << min_mac_length << " invalid.";
2653 }
2654 } else {
2655 EXPECT_EQ(ErrorCode::OK,
2656 GenerateKey(AuthorizationSetBuilder()
2657 .HmacKey(128)
2658 .Digest(Digest::SHA_2_256)
2659 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2660 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
2661 CheckedDeleteKey();
2662 }
2663 }
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]2664
2665 // Minimum MAC length must be no more than 512 bits.
2666 size_t min_mac_length = 520;
2667 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
2668 GenerateKey(AuthorizationSetBuilder()
2669 .HmacKey(128)
2670 .Digest(Digest::SHA_2_256)
2671 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
2672 << "HMAC min mac length " << min_mac_length << " invalid.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2673}
2674
2675/*
2676 * NewKeyGenerationTest.HmacMultipleDigests
2677 *
2678 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
2679 */
2680TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2681 if (SecLevel() == SecurityLevel::STRONGBOX) {
2682 GTEST_SKIP() << "Test not applicable to StrongBox device";
2683 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2684
2685 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2686 GenerateKey(AuthorizationSetBuilder()
2687 .HmacKey(128)
2688 .Digest(Digest::SHA1)
2689 .Digest(Digest::SHA_2_256)
2690 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2691}
2692
2693/*
2694 * NewKeyGenerationTest.HmacDigestNone
2695 *
2696 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
2697 */
2698TEST_P(NewKeyGenerationTest, HmacDigestNone) {
2699 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2700 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
2701 128)));
2702
2703 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
2704 GenerateKey(AuthorizationSetBuilder()
2705 .HmacKey(128)
2706 .Digest(Digest::NONE)
2707 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2708}
2709
Selene Huang4f64c222021-04-13 19:54:36 -0700[diff] [blame]2710/*
2711 * NewKeyGenerationTest.AesNoAttestation
2712 *
2713 * Verifies that attestation parameters to AES keys are ignored and generateKey
2714 * will succeed.
2715 */
2716TEST_P(NewKeyGenerationTest, AesNoAttestation) {
2717 auto challenge = "hello";
2718 auto app_id = "foo";
2719
2720 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2721 .Authorization(TAG_NO_AUTH_REQUIRED)
2722 .AesEncryptionKey(128)
2723 .EcbMode()
2724 .Padding(PaddingMode::PKCS7)
2725 .AttestationChallenge(challenge)
2726 .AttestationApplicationId(app_id)));
2727
2728 ASSERT_EQ(cert_chain_.size(), 0);
2729}
2730
2731/*
2732 * NewKeyGenerationTest.TripleDesNoAttestation
2733 *
2734 * Verifies that attesting parameters to 3DES keys are ignored and generate key
2735 * will be successful. No attestation should be generated.
2736 */
2737TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
2738 auto challenge = "hello";
2739 auto app_id = "foo";
2740
2741 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2742 .TripleDesEncryptionKey(168)
2743 .BlockMode(BlockMode::ECB)
2744 .Authorization(TAG_NO_AUTH_REQUIRED)
2745 .Padding(PaddingMode::NONE)
2746 .AttestationChallenge(challenge)
2747 .AttestationApplicationId(app_id)));
2748 ASSERT_EQ(cert_chain_.size(), 0);
2749}
2750
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2751INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
2752
2753typedef KeyMintAidlTestBase SigningOperationsTest;
2754
2755/*
2756 * SigningOperationsTest.RsaSuccess
2757 *
2758 * Verifies that raw RSA signature operations succeed.
2759 */
2760TEST_P(SigningOperationsTest, RsaSuccess) {
2761 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2762 .RsaSigningKey(2048, 65537)
2763 .Digest(Digest::NONE)
2764 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2765 .Authorization(TAG_NO_AUTH_REQUIRED)
2766 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2767 string message = "12345678901234567890123456789012";
2768 string signature = SignMessage(
2769 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]2770 LocalVerifyMessage(message, signature,
2771 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2772}
2773
2774/*
2775 * SigningOperationsTest.RsaAllPaddingsAndDigests
2776 *
2777 * Verifies RSA signature/verification for all padding modes and digests.
2778 */
2779TEST_P(SigningOperationsTest, RsaAllPaddingsAndDigests) {
2780 auto authorizations = AuthorizationSetBuilder()
2781 .Authorization(TAG_NO_AUTH_REQUIRED)
2782 .RsaSigningKey(2048, 65537)
2783 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
2784 .Padding(PaddingMode::NONE)
2785 .Padding(PaddingMode::RSA_PSS)
2786 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2787 .SetDefaultValidity();
2788
2789 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
2790
2791 string message(128, 'a');
2792 string corrupt_message(message);
2793 ++corrupt_message[corrupt_message.size() / 2];
2794
2795 for (auto padding :
2796 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2797 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
2798 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2799 // Digesting only makes sense with padding.
2800 continue;
2801 }
2802
2803 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2804 // PSS requires digesting.
2805 continue;
2806 }
2807
2808 string signature =
2809 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2810 LocalVerifyMessage(message, signature,
2811 AuthorizationSetBuilder().Digest(digest).Padding(padding));
2812 }
2813 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2814}
2815
2816/*
2817 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
2818 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]2819 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2820 */
2821TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
2822 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2823 .Authorization(TAG_NO_AUTH_REQUIRED)
2824 .RsaSigningKey(2048, 65537)
2825 .Digest(Digest::NONE)
2826 .Padding(PaddingMode::NONE)
2827 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2828 .Authorization(TAG_APPLICATION_DATA, "appdata")
2829 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]2830
2831 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
2832
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2833 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2834 Begin(KeyPurpose::SIGN,
2835 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2836 AbortIfNeeded();
2837 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2838 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2839 .Digest(Digest::NONE)
2840 .Padding(PaddingMode::NONE)
2841 .Authorization(TAG_APPLICATION_ID, "clientid")));
2842 AbortIfNeeded();
2843 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2844 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2845 .Digest(Digest::NONE)
2846 .Padding(PaddingMode::NONE)
2847 .Authorization(TAG_APPLICATION_DATA, "appdata")));
2848 AbortIfNeeded();
2849 EXPECT_EQ(ErrorCode::OK,
2850 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2851 .Digest(Digest::NONE)
2852 .Padding(PaddingMode::NONE)
2853 .Authorization(TAG_APPLICATION_DATA, "appdata")
2854 .Authorization(TAG_APPLICATION_ID, "clientid")));
2855 AbortIfNeeded();
2856}
2857
2858/*
2859 * SigningOperationsTest.RsaPssSha256Success
2860 *
2861 * Verifies that RSA-PSS signature operations succeed.
2862 */
2863TEST_P(SigningOperationsTest, RsaPssSha256Success) {
2864 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2865 .RsaSigningKey(2048, 65537)
2866 .Digest(Digest::SHA_2_256)
2867 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2868 .Authorization(TAG_NO_AUTH_REQUIRED)
2869 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2870 // Use large message, which won't work without digesting.
2871 string message(1024, 'a');
2872 string signature = SignMessage(
2873 message,
2874 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
2875}
2876
2877/*
2878 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
2879 *
2880 * Verifies that keymint rejects signature operations that specify a padding mode when the key
2881 * supports only unpadded operations.
2882 */
2883TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
2884 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2885 .RsaSigningKey(2048, 65537)
2886 .Digest(Digest::NONE)
2887 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2888 .Padding(PaddingMode::NONE)
2889 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2890 string message = "12345678901234567890123456789012";
2891 string signature;
2892
2893 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
2894 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2895 .Digest(Digest::NONE)
2896 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2897}
2898
2899/*
2900 * SigningOperationsTest.NoUserConfirmation
2901 *
2902 * Verifies that keymint rejects signing operations for keys with
2903 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
2904 * presented.
2905 */
2906TEST_P(SigningOperationsTest, NoUserConfirmation) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2907 if (SecLevel() == SecurityLevel::STRONGBOX) {
2908 GTEST_SKIP() << "Test not applicable to StrongBox device";
2909 }
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2910 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2911 .RsaSigningKey(1024, 65537)
2912 .Digest(Digest::NONE)
2913 .Padding(PaddingMode::NONE)
2914 .Authorization(TAG_NO_AUTH_REQUIRED)
2915 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
2916 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2917
2918 const string message = "12345678901234567890123456789012";
2919 EXPECT_EQ(ErrorCode::OK,
2920 Begin(KeyPurpose::SIGN,
2921 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
2922 string signature;
2923 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
2924}
2925
2926/*
2927 * SigningOperationsTest.RsaPkcs1Sha256Success
2928 *
2929 * Verifies that digested RSA-PKCS1 signature operations succeed.
2930 */
2931TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
2932 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2933 .RsaSigningKey(2048, 65537)
2934 .Digest(Digest::SHA_2_256)
2935 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2936 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2937 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2938 string message(1024, 'a');
2939 string signature = SignMessage(message, AuthorizationSetBuilder()
2940 .Digest(Digest::SHA_2_256)
2941 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2942}
2943
2944/*
2945 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
2946 *
2947 * Verifies that undigested RSA-PKCS1 signature operations succeed.
2948 */
2949TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
2950 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2951 .RsaSigningKey(2048, 65537)
2952 .Digest(Digest::NONE)
2953 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2954 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2955 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2956 string message(53, 'a');
2957 string signature = SignMessage(message, AuthorizationSetBuilder()
2958 .Digest(Digest::NONE)
2959 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
2960}
2961
2962/*
2963 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
2964 *
2965 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
2966 * given a too-long message.
2967 */
2968TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
2969 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2970 .RsaSigningKey(2048, 65537)
2971 .Digest(Digest::NONE)
2972 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2973 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
2974 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2975 string message(257, 'a');
2976
2977 EXPECT_EQ(ErrorCode::OK,
2978 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
2979 .Digest(Digest::NONE)
2980 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2981 string signature;
2982 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
2983}
2984
2985/*
2986 * SigningOperationsTest.RsaPssSha512TooSmallKey
2987 *
2988 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
2989 * used with a key that is too small for the message.
2990 *
2991 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
2992 * keymint specification requires that salt_size == digest_size, so the message will be
2993 * digest_size * 2 +
2994 * 16. Such a message can only be signed by a given key if the key is at least that size. This
2995 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
2996 * for a 1024-bit key.
2997 */
2998TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]2999 if (SecLevel() == SecurityLevel::STRONGBOX) {
3000 GTEST_SKIP() << "Test not applicable to StrongBox device";
3001 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3002 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3003 .RsaSigningKey(1024, 65537)
3004 .Digest(Digest::SHA_2_512)
3005 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3006 .Padding(PaddingMode::RSA_PSS)
3007 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3008 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3009 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3010 .Digest(Digest::SHA_2_512)
3011 .Padding(PaddingMode::RSA_PSS)));
3012}
3013
3014/*
3015 * SigningOperationsTest.RsaNoPaddingTooLong
3016 *
3017 * Verifies that raw RSA signature operations fail with the correct error code when
3018 * given a too-long message.
3019 */
3020TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
3021 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3022 .RsaSigningKey(2048, 65537)
3023 .Digest(Digest::NONE)
3024 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3025 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3026 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3027 // One byte too long
3028 string message(2048 / 8 + 1, 'a');
3029 ASSERT_EQ(ErrorCode::OK,
3030 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3031 .Digest(Digest::NONE)
3032 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3033 string result;
3034 ErrorCode finish_error_code = Finish(message, &result);
3035 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3036 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3037
3038 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
3039 message = string(128 * 1024, 'a');
3040 ASSERT_EQ(ErrorCode::OK,
3041 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3042 .Digest(Digest::NONE)
3043 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3044 finish_error_code = Finish(message, &result);
3045 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
3046 finish_error_code == ErrorCode::INVALID_ARGUMENT);
3047}
3048
3049/*
3050 * SigningOperationsTest.RsaAbort
3051 *
3052 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
3053 * test, but the behavior should be algorithm and purpose-independent.
3054 */
3055TEST_P(SigningOperationsTest, RsaAbort) {
3056 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3057 .RsaSigningKey(2048, 65537)
3058 .Digest(Digest::NONE)
3059 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3060 .Padding(PaddingMode::NONE)
3061 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3062
3063 ASSERT_EQ(ErrorCode::OK,
3064 Begin(KeyPurpose::SIGN,
3065 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3066 EXPECT_EQ(ErrorCode::OK, Abort());
3067
3068 // Another abort should fail
3069 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
3070
3071 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]3072 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3073}
3074
3075/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3076 * SigningOperationsTest.RsaNonUniqueParams
3077 *
3078 * Verifies that an operation with multiple padding modes is rejected.
3079 */
3080TEST_P(SigningOperationsTest, RsaNonUniqueParams) {
3081 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3082 .RsaSigningKey(2048, 65537)
3083 .Digest(Digest::NONE)
3084 .Digest(Digest::SHA1)
3085 .Authorization(TAG_NO_AUTH_REQUIRED)
3086 .Padding(PaddingMode::NONE)
3087 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
3088 .SetDefaultValidity()));
3089
3090 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3091 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3092 .Digest(Digest::NONE)
3093 .Padding(PaddingMode::NONE)
3094 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3095
Tommy Chiuc93c4392021-05-11 18:36:50 +0800[diff] [blame]3096 auto result = Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3097 .Digest(Digest::NONE)
3098 .Digest(Digest::SHA1)
3099 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
3100 ASSERT_TRUE(result == ErrorCode::UNSUPPORTED_DIGEST || result == ErrorCode::INVALID_ARGUMENT);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3101
3102 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3103 Begin(KeyPurpose::SIGN,
3104 AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
3105}
3106
3107/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3108 * SigningOperationsTest.RsaUnsupportedPadding
3109 *
3110 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
3111 * with a padding mode inappropriate for RSA.
3112 */
3113TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
3114 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3115 .RsaSigningKey(2048, 65537)
3116 .Authorization(TAG_NO_AUTH_REQUIRED)
3117 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3118 .Padding(PaddingMode::PKCS7)
3119 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3120 ASSERT_EQ(
3121 ErrorCode::UNSUPPORTED_PADDING_MODE,
3122 Begin(KeyPurpose::SIGN,
3123 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3124 CheckedDeleteKey();
3125
3126 ASSERT_EQ(ErrorCode::OK,
3127 GenerateKey(
3128 AuthorizationSetBuilder()
3129 .RsaSigningKey(2048, 65537)
3130 .Authorization(TAG_NO_AUTH_REQUIRED)
3131 .Digest(Digest::SHA_2_256 /* supported digest */)
3132 .Padding(PaddingMode::RSA_OAEP) /* padding mode for encryption only */
3133 .SetDefaultValidity()));
3134 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3135 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3136 .Digest(Digest::SHA_2_256)
3137 .Padding(PaddingMode::RSA_OAEP)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3138}
3139
3140/*
3141 * SigningOperationsTest.RsaPssNoDigest
3142 *
3143 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
3144 */
3145TEST_P(SigningOperationsTest, RsaNoDigest) {
3146 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3147 .RsaSigningKey(2048, 65537)
3148 .Authorization(TAG_NO_AUTH_REQUIRED)
3149 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3150 .Padding(PaddingMode::RSA_PSS)
3151 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3152 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3153 Begin(KeyPurpose::SIGN,
3154 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
3155
3156 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
3157 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
3158}
3159
3160/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]3161 * SigningOperationsTest.RsaPssNoPadding
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3162 *
3163 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
3164 * supported in some cases (as validated in other tests), but a mode must be specified.
3165 */
3166TEST_P(SigningOperationsTest, RsaNoPadding) {
3167 // Padding must be specified
3168 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3169 .RsaKey(2048, 65537)
3170 .Authorization(TAG_NO_AUTH_REQUIRED)
3171 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3172 .Digest(Digest::NONE)
3173 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3174 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
3175 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3176}
3177
3178/*
3179 * SigningOperationsTest.RsaShortMessage
3180 *
3181 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
3182 */
3183TEST_P(SigningOperationsTest, RsaTooShortMessage) {
3184 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3185 .Authorization(TAG_NO_AUTH_REQUIRED)
3186 .RsaSigningKey(2048, 65537)
3187 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3188 .Padding(PaddingMode::NONE)
3189 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3190
3191 // Barely shorter
3192 string message(2048 / 8 - 1, 'a');
3193 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3194
3195 // Much shorter
3196 message = "a";
3197 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
3198}
3199
3200/*
3201 * SigningOperationsTest.RsaSignWithEncryptionKey
3202 *
3203 * Verifies that RSA encryption keys cannot be used to sign.
3204 */
3205TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
3206 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3207 .Authorization(TAG_NO_AUTH_REQUIRED)
3208 .RsaEncryptionKey(2048, 65537)
3209 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3210 .Padding(PaddingMode::NONE)
3211 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3212 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3213 Begin(KeyPurpose::SIGN,
3214 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
3215}
3216
3217/*
3218 * SigningOperationsTest.RsaSignTooLargeMessage
3219 *
3220 * Verifies that attempting a raw signature of a message which is the same length as the key,
3221 * but numerically larger than the public modulus, fails with the correct error.
3222 */
3223TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
3224 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3225 .Authorization(TAG_NO_AUTH_REQUIRED)
3226 .RsaSigningKey(2048, 65537)
3227 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3228 .Padding(PaddingMode::NONE)
3229 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3230
3231 // Largest possible message will always be larger than the public modulus.
3232 string message(2048 / 8, static_cast<char>(0xff));
3233 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3234 .Authorization(TAG_NO_AUTH_REQUIRED)
3235 .Digest(Digest::NONE)
3236 .Padding(PaddingMode::NONE)));
3237 string signature;
3238 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
3239}
3240
3241/*
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3242 * SigningOperationsTest.EcdsaAllDigestsAndCurves
3243 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3244 * Verifies ECDSA signature/verification for all digests and required curves.
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3245 */
3246TEST_P(SigningOperationsTest, EcdsaAllDigestsAndCurves) {
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3247
3248 string message = "1234567890";
3249 string corrupt_message = "2234567890";
3250 for (auto curve : ValidCurves()) {
3251 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3252 // Ed25519 only allows Digest::NONE.
3253 auto digests = (curve == EcCurve::CURVE_25519)
3254 ? std::vector<Digest>(1, Digest::NONE)
3255 : ValidDigests(true /* withNone */, false /* withMD5 */);
3256
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3257 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3258 .Authorization(TAG_NO_AUTH_REQUIRED)
3259 .EcdsaSigningKey(curve)
3260 .Digest(digests)
3261 .SetDefaultValidity());
3262 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
3263 if (error != ErrorCode::OK) {
3264 continue;
3265 }
3266
3267 for (auto digest : digests) {
3268 SCOPED_TRACE(testing::Message() << "Digest::" << digest);
3269 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
3270 LocalVerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
3271 }
3272
3273 auto rc = DeleteKey();
3274 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
3275 }
3276}
3277
3278/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3279 * SigningOperationsTest.EcdsaAllCurves
3280 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3281 * Verifies that ECDSA operations succeed with all required curves.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3282 */
3283TEST_P(SigningOperationsTest, EcdsaAllCurves) {
3284 for (auto curve : ValidCurves()) {
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3285 Digest digest = (curve == EcCurve::CURVE_25519 ? Digest::NONE : Digest::SHA_2_256);
3286 SCOPED_TRACE(testing::Message() << "Curve::" << curve);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3287 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3288 .Authorization(TAG_NO_AUTH_REQUIRED)
3289 .EcdsaSigningKey(curve)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3290 .Digest(digest)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3291 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3292 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3293 if (error != ErrorCode::OK) continue;
3294
3295 string message(1024, 'a');
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3296 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3297 CheckedDeleteKey();
3298 }
3299}
3300
3301/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]3302 * SigningOperationsTest.EcdsaCurve25519
3303 *
3304 * Verifies that ECDSA operations succeed with curve25519.
3305 */
3306TEST_P(SigningOperationsTest, EcdsaCurve25519) {
3307 if (!Curve25519Supported()) {
3308 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3309 }
3310
3311 EcCurve curve = EcCurve::CURVE_25519;
3312 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3313 .Authorization(TAG_NO_AUTH_REQUIRED)
3314 .EcdsaSigningKey(curve)
3315 .Digest(Digest::NONE)
3316 .SetDefaultValidity());
3317 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3318
3319 string message(1024, 'a');
3320 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3321 CheckedDeleteKey();
3322}
3323
3324/*
David Drysdalefeab5d92022-01-06 15:46:23 +0000[diff] [blame]3325 * SigningOperationsTest.EcdsaCurve25519MaxSize
3326 *
3327 * Verifies that EDDSA operations with curve25519 under the maximum message size succeed.
3328 */
3329TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSize) {
3330 if (!Curve25519Supported()) {
3331 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3332 }
3333
3334 EcCurve curve = EcCurve::CURVE_25519;
3335 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3336 .Authorization(TAG_NO_AUTH_REQUIRED)
3337 .EcdsaSigningKey(curve)
3338 .Digest(Digest::NONE)
3339 .SetDefaultValidity());
3340 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3341
3342 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3343
3344 for (size_t msg_size : {MAX_ED25519_MSG_SIZE - 1, MAX_ED25519_MSG_SIZE}) {
3345 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3346 string message(msg_size, 'a');
3347
3348 // Attempt to sign via Begin+Finish.
3349 AuthorizationSet out_params;
3350 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3351 EXPECT_TRUE(out_params.empty());
3352 string signature;
3353 auto result = Finish(message, &signature);
3354 EXPECT_EQ(result, ErrorCode::OK);
3355 LocalVerifyMessage(message, signature, params);
3356
3357 // Attempt to sign via Begin+Update+Finish
3358 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3359 EXPECT_TRUE(out_params.empty());
3360 string output;
3361 result = Update(message, &output);
3362 EXPECT_EQ(result, ErrorCode::OK);
3363 EXPECT_EQ(output.size(), 0);
3364 string signature2;
3365 EXPECT_EQ(ErrorCode::OK, Finish({}, &signature2));
3366 LocalVerifyMessage(message, signature2, params);
3367 }
3368
3369 CheckedDeleteKey();
3370}
3371
3372/*
3373 * SigningOperationsTest.EcdsaCurve25519MaxSizeFail
3374 *
3375 * Verifies that EDDSA operations with curve25519 fail when message size is too large.
3376 */
3377TEST_P(SigningOperationsTest, EcdsaCurve25519MaxSizeFail) {
3378 if (!Curve25519Supported()) {
3379 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
3380 }
3381
3382 EcCurve curve = EcCurve::CURVE_25519;
3383 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
3384 .Authorization(TAG_NO_AUTH_REQUIRED)
3385 .EcdsaSigningKey(curve)
3386 .Digest(Digest::NONE)
3387 .SetDefaultValidity());
3388 ASSERT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
3389
3390 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
3391
3392 for (size_t msg_size : {MAX_ED25519_MSG_SIZE + 1, MAX_ED25519_MSG_SIZE * 2}) {
3393 SCOPED_TRACE(testing::Message() << "-msg-size=" << msg_size);
3394 string message(msg_size, 'a');
3395
3396 // Attempt to sign via Begin+Finish.
3397 AuthorizationSet out_params;
3398 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3399 EXPECT_TRUE(out_params.empty());
3400 string signature;
3401 auto result = Finish(message, &signature);
3402 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3403
3404 // Attempt to sign via Begin+Update (but never get to Finish)
3405 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_, params, &out_params));
3406 EXPECT_TRUE(out_params.empty());
3407 string output;
3408 result = Update(message, &output);
3409 EXPECT_EQ(result, ErrorCode::INVALID_INPUT_LENGTH);
3410 }
3411
3412 CheckedDeleteKey();
3413}
3414
3415/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3416 * SigningOperationsTest.EcdsaNoDigestHugeData
3417 *
3418 * Verifies that ECDSA operations support very large messages, even without digesting. This
3419 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
3420 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
3421 * the framework.
3422 */
3423TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
3424 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3425 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3426 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3427 .Digest(Digest::NONE)
3428 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3429 string message(1 * 1024, 'a');
3430 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
3431}
3432
3433/*
3434 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
3435 *
3436 * Verifies that using an EC key requires the correct app ID/data.
3437 */
3438TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
3439 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3440 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3441 .EcdsaSigningKey(EcCurve::P_256)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3442 .Digest(Digest::NONE)
3443 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3444 .Authorization(TAG_APPLICATION_DATA, "appdata")
3445 .SetDefaultValidity()));
David Drysdale300b5552021-05-20 12:05:26 +0100[diff] [blame]3446
3447 CheckAppIdCharacteristics(key_blob_, "clientid", "appdata", key_characteristics_);
3448
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3449 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3450 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
3451 AbortIfNeeded();
3452 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3453 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3454 .Digest(Digest::NONE)
3455 .Authorization(TAG_APPLICATION_ID, "clientid")));
3456 AbortIfNeeded();
3457 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
3458 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3459 .Digest(Digest::NONE)
3460 .Authorization(TAG_APPLICATION_DATA, "appdata")));
3461 AbortIfNeeded();
3462 EXPECT_EQ(ErrorCode::OK,
3463 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
3464 .Digest(Digest::NONE)
3465 .Authorization(TAG_APPLICATION_DATA, "appdata")
3466 .Authorization(TAG_APPLICATION_ID, "clientid")));
3467 AbortIfNeeded();
3468}
3469
3470/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3471 * SigningOperationsTest.EcdsaIncompatibleDigest
3472 *
3473 * Verifies that using an EC key requires compatible digest.
3474 */
3475TEST_P(SigningOperationsTest, EcdsaIncompatibleDigest) {
3476 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3477 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3478 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3479 .Digest(Digest::NONE)
3480 .Digest(Digest::SHA1)
3481 .SetDefaultValidity()));
3482 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
3483 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::SHA_2_256)));
3484 AbortIfNeeded();
3485}
3486
3487/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3488 * SigningOperationsTest.AesEcbSign
3489 *
3490 * Verifies that attempts to use AES keys to sign fail in the correct way.
3491 */
3492TEST_P(SigningOperationsTest, AesEcbSign) {
3493 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3494 .Authorization(TAG_NO_AUTH_REQUIRED)
3495 .SigningKey()
3496 .AesEncryptionKey(128)
3497 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
3498
3499 AuthorizationSet out_params;
3500 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3501 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
3502 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
3503 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
3504}
3505
3506/*
3507 * SigningOperationsTest.HmacAllDigests
3508 *
3509 * Verifies that HMAC works with all digests.
3510 */
3511TEST_P(SigningOperationsTest, HmacAllDigests) {
3512 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
3513 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3514 .Authorization(TAG_NO_AUTH_REQUIRED)
3515 .HmacKey(128)
3516 .Digest(digest)
3517 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
3518 << "Failed to create HMAC key with digest " << digest;
3519 string message = "12345678901234567890123456789012";
3520 string signature = MacMessage(message, digest, 160);
3521 EXPECT_EQ(160U / 8U, signature.size())
3522 << "Failed to sign with HMAC key with digest " << digest;
3523 CheckedDeleteKey();
3524 }
3525}
3526
3527/*
3528 * SigningOperationsTest.HmacSha256TooLargeMacLength
3529 *
3530 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
3531 * digest size.
3532 */
3533TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
3534 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3535 .Authorization(TAG_NO_AUTH_REQUIRED)
3536 .HmacKey(128)
3537 .Digest(Digest::SHA_2_256)
3538 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
3539 AuthorizationSet output_params;
3540 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3541 AuthorizationSetBuilder()
3542 .Digest(Digest::SHA_2_256)
3543 .Authorization(TAG_MAC_LENGTH, 264),
3544 &output_params));
3545}
3546
3547/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3548 * SigningOperationsTest.HmacSha256InvalidMacLength
3549 *
3550 * Verifies that HMAC fails in the correct way when asked to generate a MAC whose length is
3551 * not a multiple of 8.
3552 */
3553TEST_P(SigningOperationsTest, HmacSha256InvalidMacLength) {
3554 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3555 .Authorization(TAG_NO_AUTH_REQUIRED)
3556 .HmacKey(128)
3557 .Digest(Digest::SHA_2_256)
3558 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
3559 AuthorizationSet output_params;
3560 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3561 AuthorizationSetBuilder()
3562 .Digest(Digest::SHA_2_256)
3563 .Authorization(TAG_MAC_LENGTH, 161),
3564 &output_params));
3565}
3566
3567/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3568 * SigningOperationsTest.HmacSha256TooSmallMacLength
3569 *
3570 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
3571 * specified minimum MAC length.
3572 */
3573TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
3574 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3575 .Authorization(TAG_NO_AUTH_REQUIRED)
3576 .HmacKey(128)
3577 .Digest(Digest::SHA_2_256)
3578 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3579 AuthorizationSet output_params;
3580 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
3581 AuthorizationSetBuilder()
3582 .Digest(Digest::SHA_2_256)
3583 .Authorization(TAG_MAC_LENGTH, 120),
3584 &output_params));
3585}
3586
3587/*
3588 * SigningOperationsTest.HmacRfc4231TestCase3
3589 *
3590 * Validates against the test vectors from RFC 4231 test case 3.
3591 */
3592TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
3593 string key(20, 0xaa);
3594 string message(50, 0xdd);
3595 uint8_t sha_224_expected[] = {
3596 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
3597 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
3598 };
3599 uint8_t sha_256_expected[] = {
3600 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
3601 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
3602 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
3603 };
3604 uint8_t sha_384_expected[] = {
3605 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
3606 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
3607 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
3608 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
3609 };
3610 uint8_t sha_512_expected[] = {
3611 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
3612 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
3613 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
3614 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
3615 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
3616 };
3617
3618 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3619 if (SecLevel() != SecurityLevel::STRONGBOX) {
3620 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3621 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3622 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3623 }
3624}
3625
3626/*
3627 * SigningOperationsTest.HmacRfc4231TestCase5
3628 *
3629 * Validates against the test vectors from RFC 4231 test case 5.
3630 */
3631TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
3632 string key(20, 0x0c);
3633 string message = "Test With Truncation";
3634
3635 uint8_t sha_224_expected[] = {
3636 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
3637 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
3638 };
3639 uint8_t sha_256_expected[] = {
3640 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
3641 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
3642 };
3643 uint8_t sha_384_expected[] = {
3644 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
3645 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
3646 };
3647 uint8_t sha_512_expected[] = {
3648 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
3649 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
3650 };
3651
3652 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
3653 if (SecLevel() != SecurityLevel::STRONGBOX) {
3654 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
3655 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
3656 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
3657 }
3658}
3659
3660INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
3661
3662typedef KeyMintAidlTestBase VerificationOperationsTest;
3663
3664/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3665 * VerificationOperationsTest.HmacSigningKeyCannotVerify
3666 *
3667 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
3668 */
3669TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
3670 string key_material = "HelloThisIsAKey";
3671
3672 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3673 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3674 EXPECT_EQ(ErrorCode::OK,
3675 ImportKey(AuthorizationSetBuilder()
3676 .Authorization(TAG_NO_AUTH_REQUIRED)
3677 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3678 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3679 .Digest(Digest::SHA_2_256)
3680 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3681 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
3682 EXPECT_EQ(ErrorCode::OK,
3683 ImportKey(AuthorizationSetBuilder()
3684 .Authorization(TAG_NO_AUTH_REQUIRED)
3685 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3686 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3687 .Digest(Digest::SHA_2_256)
3688 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3689 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
3690
3691 string message = "This is a message.";
3692 string signature = SignMessage(
3693 signing_key, message,
3694 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3695
3696 // Signing key should not work.
3697 AuthorizationSet out_params;
3698 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3699 Begin(KeyPurpose::VERIFY, signing_key,
3700 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
3701
3702 // Verification key should work.
3703 VerifyMessage(verification_key, message, signature,
3704 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
3705
3706 CheckedDeleteKey(&signing_key);
3707 CheckedDeleteKey(&verification_key);
3708}
3709
Prashant Patildec9fdc2021-12-08 15:25:47 +0000[diff] [blame]3710/*
3711 * VerificationOperationsTest.HmacVerificationFailsForCorruptSignature
3712 *
3713 * Verifies HMAC signature verification should fails if message or signature is corrupted.
3714 */
3715TEST_P(VerificationOperationsTest, HmacVerificationFailsForCorruptSignature) {
3716 string key_material = "HelloThisIsAKey";
3717
3718 vector<uint8_t> signing_key, verification_key;
3719 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
3720 EXPECT_EQ(ErrorCode::OK,
3721 ImportKey(AuthorizationSetBuilder()
3722 .Authorization(TAG_NO_AUTH_REQUIRED)
3723 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3724 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
3725 .Digest(Digest::SHA_2_256)
3726 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3727 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
3728 EXPECT_EQ(ErrorCode::OK,
3729 ImportKey(AuthorizationSetBuilder()
3730 .Authorization(TAG_NO_AUTH_REQUIRED)
3731 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
3732 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
3733 .Digest(Digest::SHA_2_256)
3734 .Authorization(TAG_MIN_MAC_LENGTH, 160),
3735 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
3736
3737 string message = "This is a message.";
3738 string signature = SignMessage(
3739 signing_key, message,
3740 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
3741
3742 AuthorizationSet begin_out_params;
3743 ASSERT_EQ(ErrorCode::OK,
3744 Begin(KeyPurpose::VERIFY, verification_key,
3745 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3746
3747 string corruptMessage = "This is b message."; // Corrupted message
3748 string output;
3749 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corruptMessage, signature, &output));
3750
3751 ASSERT_EQ(ErrorCode::OK,
3752 Begin(KeyPurpose::VERIFY, verification_key,
3753 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &begin_out_params));
3754
3755 signature[0] += 1; // Corrupt a signature
3756 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, signature, &output));
3757
3758 CheckedDeleteKey(&signing_key);
3759 CheckedDeleteKey(&verification_key);
3760}
3761
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3762INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
3763
3764typedef KeyMintAidlTestBase ExportKeyTest;
3765
3766/*
3767 * ExportKeyTest.RsaUnsupportedKeyFormat
3768 *
3769 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
3770 */
3771// TODO(seleneh) add ExportKey to GenerateKey
3772// check result
3773
3774class ImportKeyTest : public KeyMintAidlTestBase {
3775 public:
3776 template <TagType tag_type, Tag tag, typename ValueT>
3777 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
3778 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3779 for (auto& entry : key_characteristics_) {
3780 if (entry.securityLevel == SecLevel()) {
3781 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
3782 << "Tag " << tag << " with value " << expected
3783 << " not found at security level" << entry.securityLevel;
3784 } else {
3785 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
3786 << "Tag " << tag << " found at security level " << entry.securityLevel;
3787 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3788 }
3789 }
3790
3791 void CheckOrigin() {
3792 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]3793 // Origin isn't a crypto param, but it always lives with them.
3794 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3795 }
3796};
3797
3798/*
3799 * ImportKeyTest.RsaSuccess
3800 *
3801 * Verifies that importing and using an RSA key pair works correctly.
3802 */
3803TEST_P(ImportKeyTest, RsaSuccess) {
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3804 uint32_t key_size;
3805 string key;
3806
3807 if (SecLevel() == SecurityLevel::STRONGBOX) {
3808 key_size = 2048;
3809 key = rsa_2048_key;
3810 } else {
3811 key_size = 1024;
3812 key = rsa_key;
3813 }
3814
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3815 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3816 .Authorization(TAG_NO_AUTH_REQUIRED)
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3817 .RsaSigningKey(key_size, 65537)
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3818 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3819 .Padding(PaddingMode::RSA_PSS)
3820 .SetDefaultValidity(),
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3821 KeyFormat::PKCS8, key));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3822
3823 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
Selene Huange5727e62021-04-13 22:41:20 -0700[diff] [blame]3824 CheckCryptoParam(TAG_KEY_SIZE, key_size);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3825 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3826 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3827 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3828 CheckOrigin();
3829
3830 string message(1024 / 8, 'a');
3831 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3832 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3833 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3834}
3835
3836/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3837 * ImportKeyTest.RsaSuccessWithoutParams
3838 *
3839 * Verifies that importing and using an RSA key pair without specifying parameters
3840 * works correctly.
3841 */
3842TEST_P(ImportKeyTest, RsaSuccessWithoutParams) {
3843 uint32_t key_size;
3844 string key;
3845
3846 if (SecLevel() == SecurityLevel::STRONGBOX) {
3847 key_size = 2048;
3848 key = rsa_2048_key;
3849 } else {
3850 key_size = 1024;
3851 key = rsa_key;
3852 }
3853
3854 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3855 .Authorization(TAG_NO_AUTH_REQUIRED)
3856 .SigningKey()
3857 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
3858 .Digest(Digest::SHA_2_256)
3859 .Padding(PaddingMode::RSA_PSS)
3860 .SetDefaultValidity(),
3861 KeyFormat::PKCS8, key));
3862
3863 // Key size and public exponent are determined from the imported key material.
3864 CheckCryptoParam(TAG_KEY_SIZE, key_size);
3865 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
3866
3867 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
3868 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3869 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
3870 CheckOrigin();
3871
3872 string message(1024 / 8, 'a');
3873 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
3874 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3875 LocalVerifyMessage(message, signature, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]3876}
3877
3878/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3879 * ImportKeyTest.RsaKeySizeMismatch
3880 *
3881 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
3882 * correct way.
3883 */
3884TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
3885 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3886 ImportKey(AuthorizationSetBuilder()
3887 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
3888 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3889 .Padding(PaddingMode::NONE)
3890 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3891 KeyFormat::PKCS8, rsa_key));
3892}
3893
3894/*
3895 * ImportKeyTest.RsaPublicExponentMismatch
3896 *
3897 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
3898 * fails in the correct way.
3899 */
3900TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
3901 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
3902 ImportKey(AuthorizationSetBuilder()
3903 .RsaSigningKey(1024, 3 /* Doesn't match key */)
3904 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3905 .Padding(PaddingMode::NONE)
3906 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3907 KeyFormat::PKCS8, rsa_key));
3908}
3909
3910/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]3911 * ImportKeyTest.RsaAttestMultiPurposeFail
3912 *
3913 * Verifies that importing an RSA key pair with purpose ATTEST_KEY+SIGN fails.
3914 */
3915TEST_P(ImportKeyTest, RsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]3916 if (AidlVersion() < 2) {
3917 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
3918 // with other key purposes. However, this was not checked at the time
3919 // so we can only be strict about checking this for implementations of KeyMint
3920 // version 2 and above.
3921 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
3922 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]3923 uint32_t key_size = 2048;
3924 string key = rsa_2048_key;
3925
3926 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
3927 ImportKey(AuthorizationSetBuilder()
3928 .Authorization(TAG_NO_AUTH_REQUIRED)
3929 .RsaSigningKey(key_size, 65537)
3930 .AttestKey()
3931 .Digest(Digest::SHA_2_256)
3932 .Padding(PaddingMode::RSA_PSS)
3933 .SetDefaultValidity(),
3934 KeyFormat::PKCS8, key));
3935}
3936
3937/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3938 * ImportKeyTest.EcdsaSuccess
3939 *
3940 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
3941 */
3942TEST_P(ImportKeyTest, EcdsaSuccess) {
3943 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3944 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3945 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3946 .Digest(Digest::SHA_2_256)
3947 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3948 KeyFormat::PKCS8, ec_256_key));
3949
3950 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3951 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3952 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3953
3954 CheckOrigin();
3955
3956 string message(32, 'a');
3957 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3958 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3959 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3960}
3961
3962/*
3963 * ImportKeyTest.EcdsaP256RFC5915Success
3964 *
3965 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
3966 * correctly.
3967 */
3968TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
3969 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3970 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3971 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3972 .Digest(Digest::SHA_2_256)
3973 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3974 KeyFormat::PKCS8, ec_256_key_rfc5915));
3975
3976 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3977 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
3978 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
3979
3980 CheckOrigin();
3981
3982 string message(32, 'a');
3983 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
3984 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]3985 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3986}
3987
3988/*
3989 * ImportKeyTest.EcdsaP256SEC1Success
3990 *
3991 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
3992 */
3993TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
3994 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
3995 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]3996 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]3997 .Digest(Digest::SHA_2_256)
3998 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3999 KeyFormat::PKCS8, ec_256_key_sec1));
4000
4001 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4002 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4003 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
4004
4005 CheckOrigin();
4006
4007 string message(32, 'a');
4008 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4009 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4010 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4011}
4012
4013/*
4014 * ImportKeyTest.Ecdsa521Success
4015 *
4016 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
4017 */
4018TEST_P(ImportKeyTest, Ecdsa521Success) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]4019 if (SecLevel() == SecurityLevel::STRONGBOX) {
4020 GTEST_SKIP() << "Test not applicable to StrongBox device";
4021 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4022 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4023 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]4024 .EcdsaSigningKey(EcCurve::P_521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4025 .Digest(Digest::SHA_2_256)
4026 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4027 KeyFormat::PKCS8, ec_521_key));
4028
4029 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4030 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4031 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
4032 CheckOrigin();
4033
4034 string message(32, 'a');
4035 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
4036 string signature = SignMessage(message, params);
David Drysdaledf8f52e2021-05-06 08:10:58 +0100[diff] [blame]4037 LocalVerifyMessage(message, signature, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4038}
4039
4040/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4041 * ImportKeyTest.EcdsaCurveMismatch
4042 *
4043 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
4044 * the correct way.
4045 */
4046TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
4047 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
4048 ImportKey(AuthorizationSetBuilder()
4049 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4050 .Digest(Digest::NONE)
4051 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4052 KeyFormat::PKCS8, ec_256_key));
4053}
4054
4055/*
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4056 * ImportKeyTest.EcdsaAttestMultiPurposeFail
4057 *
4058 * Verifies that importing and using an ECDSA P-256 key pair with purpose ATTEST_KEY+SIGN fails.
4059 */
4060TEST_P(ImportKeyTest, EcdsaAttestMultiPurposeFail) {
David Drysdale50a66b82022-03-21 15:21:32 +0000[diff] [blame]4061 if (AidlVersion() < 2) {
4062 // The KeyMint v1 spec required that KeyPurpose::ATTEST_KEY not be combined
4063 // with other key purposes. However, this was not checked at the time
4064 // so we can only be strict about checking this for implementations of KeyMint
4065 // version 2 and above.
4066 GTEST_SKIP() << "Single-purpose for KeyPurpose::ATTEST_KEY only strict since KeyMint v2";
4067 }
David Drysdalee60248c2021-10-04 12:54:13 +0100[diff] [blame]4068 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
4069 ImportKey(AuthorizationSetBuilder()
4070 .Authorization(TAG_NO_AUTH_REQUIRED)
4071 .EcdsaSigningKey(EcCurve::P_256)
4072 .AttestKey()
4073 .Digest(Digest::SHA_2_256)
4074 .SetDefaultValidity(),
4075 KeyFormat::PKCS8, ec_256_key));
4076}
4077
4078/*
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]4079 * ImportKeyTest.Ed25519RawSuccess
4080 *
4081 * Verifies that importing and using a raw Ed25519 private key works correctly.
4082 */
4083TEST_P(ImportKeyTest, Ed25519RawSuccess) {
4084 if (!Curve25519Supported()) {
4085 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4086 }
4087
4088 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4089 .Authorization(TAG_NO_AUTH_REQUIRED)
4090 .EcdsaSigningKey(EcCurve::CURVE_25519)
4091 .Digest(Digest::NONE)
4092 .SetDefaultValidity(),
4093 KeyFormat::RAW, ed25519_key));
4094 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4095 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4096 CheckOrigin();
4097
4098 // The returned cert should hold the correct public key.
4099 ASSERT_GT(cert_chain_.size(), 0);
4100 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4101 ASSERT_NE(kmKeyCert, nullptr);
4102 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4103 ASSERT_NE(kmPubKey.get(), nullptr);
4104 size_t kmPubKeySize = 32;
4105 uint8_t kmPubKeyData[32];
4106 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4107 ASSERT_EQ(kmPubKeySize, 32);
4108 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4109
4110 string message(32, 'a');
4111 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4112 string signature = SignMessage(message, params);
4113 LocalVerifyMessage(message, signature, params);
4114}
4115
4116/*
4117 * ImportKeyTest.Ed25519Pkcs8Success
4118 *
4119 * Verifies that importing and using a PKCS#8-encoded Ed25519 private key works correctly.
4120 */
4121TEST_P(ImportKeyTest, Ed25519Pkcs8Success) {
4122 if (!Curve25519Supported()) {
4123 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4124 }
4125
4126 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4127 .Authorization(TAG_NO_AUTH_REQUIRED)
4128 .EcdsaSigningKey(EcCurve::CURVE_25519)
4129 .Digest(Digest::NONE)
4130 .SetDefaultValidity(),
4131 KeyFormat::PKCS8, ed25519_pkcs8_key));
4132 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4133 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4134 CheckOrigin();
4135
4136 // The returned cert should hold the correct public key.
4137 ASSERT_GT(cert_chain_.size(), 0);
4138 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4139 ASSERT_NE(kmKeyCert, nullptr);
4140 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
4141 ASSERT_NE(kmPubKey.get(), nullptr);
4142 size_t kmPubKeySize = 32;
4143 uint8_t kmPubKeyData[32];
4144 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
4145 ASSERT_EQ(kmPubKeySize, 32);
4146 EXPECT_EQ(string(kmPubKeyData, kmPubKeyData + 32), ed25519_pubkey);
4147
4148 string message(32, 'a');
4149 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
4150 string signature = SignMessage(message, params);
4151 LocalVerifyMessage(message, signature, params);
4152}
4153
4154/*
4155 * ImportKeyTest.Ed25519CurveMismatch
4156 *
4157 * Verifies that importing an Ed25519 key pair with a curve that doesn't match the key fails in
4158 * the correct way.
4159 */
4160TEST_P(ImportKeyTest, Ed25519CurveMismatch) {
4161 if (!Curve25519Supported()) {
4162 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4163 }
4164
4165 ASSERT_NE(ErrorCode::OK,
4166 ImportKey(AuthorizationSetBuilder()
4167 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
4168 .Digest(Digest::NONE)
4169 .SetDefaultValidity(),
4170 KeyFormat::RAW, ed25519_key));
4171}
4172
4173/*
4174 * ImportKeyTest.Ed25519FormatMismatch
4175 *
4176 * Verifies that importing an Ed25519 key pair with an invalid format fails.
4177 */
4178TEST_P(ImportKeyTest, Ed25519FormatMismatch) {
4179 if (!Curve25519Supported()) {
4180 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4181 }
4182
4183 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4184 .EcdsaSigningKey(EcCurve::CURVE_25519)
4185 .Digest(Digest::NONE)
4186 .SetDefaultValidity(),
4187 KeyFormat::PKCS8, ed25519_key));
4188 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4189 .EcdsaSigningKey(EcCurve::CURVE_25519)
4190 .Digest(Digest::NONE)
4191 .SetDefaultValidity(),
4192 KeyFormat::RAW, ed25519_pkcs8_key));
4193}
4194
4195/*
4196 * ImportKeyTest.Ed25519PurposeMismatch
4197 *
4198 * Verifies that importing an Ed25519 key pair with an invalid purpose fails.
4199 */
4200TEST_P(ImportKeyTest, Ed25519PurposeMismatch) {
4201 if (!Curve25519Supported()) {
4202 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4203 }
4204
4205 // Can't have both SIGN and ATTEST_KEY
4206 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4207 .EcdsaSigningKey(EcCurve::CURVE_25519)
4208 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4209 .Digest(Digest::NONE)
4210 .SetDefaultValidity(),
4211 KeyFormat::RAW, ed25519_key));
4212 // AGREE_KEY is for X25519 (but can only tell the difference if the import key is in
4213 // PKCS#8 format and so includes an OID).
4214 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4215 .EcdsaKey(EcCurve::CURVE_25519)
4216 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4217 .Digest(Digest::NONE)
4218 .SetDefaultValidity(),
4219 KeyFormat::PKCS8, ed25519_pkcs8_key));
4220}
4221
4222/*
4223 * ImportKeyTest.X25519RawSuccess
4224 *
4225 * Verifies that importing and using a raw X25519 private key works correctly.
4226 */
4227TEST_P(ImportKeyTest, X25519RawSuccess) {
4228 if (!Curve25519Supported()) {
4229 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4230 }
4231
4232 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4233 .Authorization(TAG_NO_AUTH_REQUIRED)
4234 .EcdsaKey(EcCurve::CURVE_25519)
4235 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4236 .SetDefaultValidity(),
4237 KeyFormat::RAW, x25519_key));
4238
4239 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4240 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4241 CheckOrigin();
4242}
4243
4244/*
4245 * ImportKeyTest.X25519Pkcs8Success
4246 *
4247 * Verifies that importing and using a PKCS#8-encoded X25519 private key works correctly.
4248 */
4249TEST_P(ImportKeyTest, X25519Pkcs8Success) {
4250 if (!Curve25519Supported()) {
4251 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4252 }
4253
4254 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4255 .Authorization(TAG_NO_AUTH_REQUIRED)
4256 .EcdsaKey(EcCurve::CURVE_25519)
4257 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4258 .SetDefaultValidity(),
4259 KeyFormat::PKCS8, x25519_pkcs8_key));
4260
4261 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
4262 CheckCryptoParam(TAG_EC_CURVE, EcCurve::CURVE_25519);
4263 CheckOrigin();
4264}
4265
4266/*
4267 * ImportKeyTest.X25519CurveMismatch
4268 *
4269 * Verifies that importing an X25519 key with a curve that doesn't match the key fails in
4270 * the correct way.
4271 */
4272TEST_P(ImportKeyTest, X25519CurveMismatch) {
4273 if (!Curve25519Supported()) {
4274 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4275 }
4276
4277 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4278 .EcdsaKey(EcCurve::P_224 /* Doesn't match key */)
4279 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4280 .SetDefaultValidity(),
4281 KeyFormat::RAW, x25519_key));
4282}
4283
4284/*
4285 * ImportKeyTest.X25519FormatMismatch
4286 *
4287 * Verifies that importing an X25519 key with an invalid format fails.
4288 */
4289TEST_P(ImportKeyTest, X25519FormatMismatch) {
4290 if (!Curve25519Supported()) {
4291 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4292 }
4293
4294 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4295 .EcdsaKey(EcCurve::CURVE_25519)
4296 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4297 .SetDefaultValidity(),
4298 KeyFormat::PKCS8, x25519_key));
4299 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4300 .EcdsaKey(EcCurve::CURVE_25519)
4301 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4302 .SetDefaultValidity(),
4303 KeyFormat::RAW, x25519_pkcs8_key));
4304}
4305
4306/*
4307 * ImportKeyTest.X25519PurposeMismatch
4308 *
4309 * Verifies that importing an X25519 key pair with an invalid format fails.
4310 */
4311TEST_P(ImportKeyTest, X25519PurposeMismatch) {
4312 if (!Curve25519Supported()) {
4313 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
4314 }
4315
4316 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4317 .EcdsaKey(EcCurve::CURVE_25519)
4318 .Authorization(TAG_PURPOSE, KeyPurpose::ATTEST_KEY)
4319 .SetDefaultValidity(),
4320 KeyFormat::PKCS8, x25519_pkcs8_key));
4321 ASSERT_NE(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4322 .EcdsaSigningKey(EcCurve::CURVE_25519)
4323 .SetDefaultValidity(),
4324 KeyFormat::PKCS8, x25519_pkcs8_key));
4325}
4326
4327/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4328 * ImportKeyTest.AesSuccess
4329 *
4330 * Verifies that importing and using an AES key works.
4331 */
4332TEST_P(ImportKeyTest, AesSuccess) {
4333 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4334 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4335 .Authorization(TAG_NO_AUTH_REQUIRED)
4336 .AesEncryptionKey(key.size() * 8)
4337 .EcbMode()
4338 .Padding(PaddingMode::PKCS7),
4339 KeyFormat::RAW, key));
4340
4341 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
4342 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4343 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4344 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4345 CheckOrigin();
4346
4347 string message = "Hello World!";
4348 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4349 string ciphertext = EncryptMessage(message, params);
4350 string plaintext = DecryptMessage(ciphertext, params);
4351 EXPECT_EQ(message, plaintext);
4352}
4353
4354/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4355 * ImportKeyTest.AesFailure
4356 *
4357 * Verifies that importing an invalid AES key fails.
4358 */
4359TEST_P(ImportKeyTest, AesFailure) {
4360 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4361 uint32_t bitlen = key.size() * 8;
4362 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4363 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4364 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4365 .Authorization(TAG_NO_AUTH_REQUIRED)
4366 .AesEncryptionKey(key_size)
4367 .EcbMode()
4368 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4369 KeyFormat::RAW, key);
4370 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4371 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4372 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4373 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4374
4375 // Explicit key size matches that of the provided key, but it's not a valid size.
4376 string long_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4377 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4378 ImportKey(AuthorizationSetBuilder()
4379 .Authorization(TAG_NO_AUTH_REQUIRED)
4380 .AesEncryptionKey(long_key.size() * 8)
4381 .EcbMode()
4382 .Padding(PaddingMode::PKCS7),
4383 KeyFormat::RAW, long_key));
4384 string short_key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4385 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4386 ImportKey(AuthorizationSetBuilder()
4387 .Authorization(TAG_NO_AUTH_REQUIRED)
4388 .AesEncryptionKey(short_key.size() * 8)
4389 .EcbMode()
4390 .Padding(PaddingMode::PKCS7),
4391 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4392}
4393
4394/*
4395 * ImportKeyTest.TripleDesSuccess
4396 *
4397 * Verifies that importing and using a 3DES key works.
4398 */
4399TEST_P(ImportKeyTest, TripleDesSuccess) {
4400 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
4401 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4402 .Authorization(TAG_NO_AUTH_REQUIRED)
4403 .TripleDesEncryptionKey(168)
4404 .EcbMode()
4405 .Padding(PaddingMode::PKCS7),
4406 KeyFormat::RAW, key));
4407
4408 CheckCryptoParam(TAG_ALGORITHM, Algorithm::TRIPLE_DES);
4409 CheckCryptoParam(TAG_KEY_SIZE, 168U);
4410 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
4411 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
4412 CheckOrigin();
4413
4414 string message = "Hello World!";
4415 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4416 string ciphertext = EncryptMessage(message, params);
4417 string plaintext = DecryptMessage(ciphertext, params);
4418 EXPECT_EQ(message, plaintext);
4419}
4420
4421/*
4422 * ImportKeyTest.TripleDesFailure
4423 *
4424 * Verifies that importing an invalid 3DES key fails.
4425 */
4426TEST_P(ImportKeyTest, TripleDesFailure) {
4427 string key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358");
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4428 uint32_t bitlen = key.size() * 7;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4429 for (uint32_t key_size : {bitlen - 1, bitlen + 1, bitlen - 8, bitlen + 8}) {
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4430 // Explicit key size doesn't match that of the provided key.
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4431 auto result = ImportKey(AuthorizationSetBuilder()
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]4432 .Authorization(TAG_NO_AUTH_REQUIRED)
4433 .TripleDesEncryptionKey(key_size)
4434 .EcbMode()
4435 .Padding(PaddingMode::PKCS7),
Tommy Chiu3950b452021-05-03 22:01:46 +0800[diff] [blame]4436 KeyFormat::RAW, key);
4437 ASSERT_TRUE(result == ErrorCode::IMPORT_PARAMETER_MISMATCH ||
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4438 result == ErrorCode::UNSUPPORTED_KEY_SIZE)
4439 << "unexpected result: " << result;
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4440 }
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4441 // Explicit key size matches that of the provided key, but it's not a valid size.
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4442 string long_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f735800");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4443 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4444 ImportKey(AuthorizationSetBuilder()
4445 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4446 .TripleDesEncryptionKey(long_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4447 .EcbMode()
4448 .Padding(PaddingMode::PKCS7),
4449 KeyFormat::RAW, long_key));
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4450 string short_key = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f73");
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4451 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
4452 ImportKey(AuthorizationSetBuilder()
4453 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdale2a73db32021-05-10 10:58:58 +0100[diff] [blame]4454 .TripleDesEncryptionKey(short_key.size() * 7)
David Drysdalec9bc2f72021-05-04 10:47:58 +0100[diff] [blame]4455 .EcbMode()
4456 .Padding(PaddingMode::PKCS7),
4457 KeyFormat::RAW, short_key));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4458}
4459
4460/*
4461 * ImportKeyTest.HmacKeySuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4462 *
4463 * Verifies that importing and using an HMAC key works.
4464 */
4465TEST_P(ImportKeyTest, HmacKeySuccess) {
4466 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
4467 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
4468 .Authorization(TAG_NO_AUTH_REQUIRED)
4469 .HmacKey(key.size() * 8)
4470 .Digest(Digest::SHA_2_256)
4471 .Authorization(TAG_MIN_MAC_LENGTH, 256),
4472 KeyFormat::RAW, key));
4473
4474 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
4475 CheckCryptoParam(TAG_KEY_SIZE, 128U);
4476 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
4477 CheckOrigin();
4478
4479 string message = "Hello World!";
4480 string signature = MacMessage(message, Digest::SHA_2_256, 256);
4481 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
4482}
4483
4484INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
4485
4486auto wrapped_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4487 // IKeyMintDevice.aidl
4488 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4489 "020100" // INTEGER length 1 value 0x00 (version)
4490 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4491 "934bf94e2aa28a3f83c9f79297250262"
4492 "fbe3276b5a1c91159bbfa3ef8957aac8"
4493 "4b59b30b455a79c2973480823d8b3863"
4494 "c3deef4a8e243590268d80e18751a0e1"
4495 "30f67ce6a1ace9f79b95e097474febc9"
4496 "81195b1d13a69086c0863f66a7b7fdb4"
4497 "8792227b1ac5e2489febdf087ab54864"
4498 "83033a6f001ca5d1ec1e27f5c30f4cec"
4499 "2642074a39ae68aee552e196627a8e3d"
4500 "867e67a8c01b11e75f13cca0a97ab668"
4501 "b50cda07a8ecb7cd8e3dd7009c963653"
4502 "4f6f239cffe1fc8daa466f78b676c711"
4503 "9efb96bce4e69ca2a25d0b34ed9c3ff9"
4504 "99b801597d5220e307eaa5bee507fb94"
4505 "d1fa69f9e519b2de315bac92c36f2ea1"
4506 "fa1df4478c0ddedeae8c70e0233cd098"
4507 "040c" // OCTET STRING length 0x0c (initializationVector)
4508 "d796b02c370f1fa4cc0124f1"
4509 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4510 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4511 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4512 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4513 "3106" // SET length 0x06
4514 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4515 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4516 // } end SET
4517 // } end [1]
4518 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4519 "020120" // INTEGER length 1 value 0x20 (AES)
4520 // } end [2]
4521 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4522 "02020100" // INTEGER length 2 value 0x100
4523 // } end [3]
4524 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode)
4525 "3103" // SET length 0x03 {
4526 "020101" // INTEGER length 1 value 0x01 (ECB)
4527 // } end SET
4528 // } end [4]
4529 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4530 "3103" // SET length 0x03 {
4531 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4532 // } end SET
4533 // } end [5]
4534 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4535 // (noAuthRequired)
4536 "0500" // NULL
4537 // } end [503]
4538 // } end SEQUENCE (AuthorizationList)
4539 // } end SEQUENCE (KeyDescription)
4540 "0420" // OCTET STRING length 0x20 (encryptedKey)
4541 "ccd540855f833a5e1480bfd2d36faf3a"
4542 "eee15df5beabe2691bc82dde2a7aa910"
4543 "0410" // OCTET STRING length 0x10 (tag)
4544 "64c9f689c60ff6223ab6e6999e0eb6e5"
4545 // } SEQUENCE (SecureKeyWrapper)
4546);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4547
4548auto wrapped_key_masked = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4549 // IKeyMintDevice.aidl
4550 "30820179" // SEQUENCE length 0x179 (SecureKeyWrapper) {
4551 "020100" // INTEGER length 1 value 0x00 (version)
4552 "04820100" // OCTET STRING length 0x100 (encryptedTransportKey)
4553 "aad93ed5924f283b4bb5526fbe7a1412"
4554 "f9d9749ec30db9062b29e574a8546f33"
4555 "c88732452f5b8e6a391ee76c39ed1712"
4556 "c61d8df6213dec1cffbc17a8c6d04c7b"
4557 "30893d8daa9b2015213e219468215532"
4558 "07f8f9931c4caba23ed3bee28b36947e"
4559 "47f10e0a5c3dc51c988a628daad3e5e1"
4560 "f4005e79c2d5a96c284b4b8d7e4948f3"
4561 "31e5b85dd5a236f85579f3ea1d1b8484"
4562 "87470bdb0ab4f81a12bee42c99fe0df4"
4563 "bee3759453e69ad1d68a809ce06b949f"
4564 "7694a990429b2fe81e066ff43e56a216"
4565 "02db70757922a4bcc23ab89f1e35da77"
4566 "586775f423e519c2ea394caf48a28d0c"
4567 "8020f1dcf6b3a68ec246f615ae96dae9"
4568 "a079b1f6eb959033c1af5c125fd94168"
4569 "040c" // OCTET STRING length 0x0c (initializationVector)
4570 "6d9721d08589581ab49204a3"
4571 "302e" // SEQUENCE length 0x2e (KeyDescription) {
4572 "020103" // INTEGER length 1 value 0x03 (keyFormat = RAW)
4573 "3029" // SEQUENCE length 0x29 (AuthorizationList) {
4574 "a108" // [1] context-specific constructed tag=1 length 0x08 { (purpose)
4575 "3106" // SET length 0x06
4576 "020100" // INTEGER length 1 value 0x00 (Encrypt)
4577 "020101" // INTEGER length 1 value 0x01 (Decrypt)
4578 // } end SET
4579 // } end [1]
4580 "a203" // [2] context-specific constructed tag=2 length 0x02 { (algorithm)
4581 "020120" // INTEGER length 1 value 0x20 (AES)
4582 // } end [2]
4583 "a304" // [3] context-specific constructed tag=3 length 0x04 { (keySize)
4584 "02020100" // INTEGER length 2 value 0x100
4585 // } end [3]
4586 "a405" // [4] context-specific constructed tag=4 length 0x05 { (blockMode
4587 "3103" // SET length 0x03 {
4588 "020101" // INTEGER length 1 value 0x01 (ECB)
4589 // } end SET
4590 // } end [4]
4591 "a605" // [6] context-specific constructed tag=6 length 0x05 { (padding)
4592 "3103" // SET length 0x03 {
4593 "020140" // INTEGER length 1 value 0x40 (PKCS7)
4594 // } end SET
4595 // } end [5]
4596 "bf837702" // [503] context-specific constructed tag=503=0x1F7 length 0x02 {
4597 // (noAuthRequired)
4598 "0500" // NULL
4599 // } end [503]
4600 // } end SEQUENCE (AuthorizationList)
4601 // } end SEQUENCE (KeyDescription)
4602 "0420" // OCTET STRING length 0x20 (encryptedKey)
4603 "a61c6e247e25b3e6e69aa78eb03c2d4a"
4604 "c20d1f99a9a024a76f35c8e2cab9b68d"
4605 "0410" // OCTET STRING length 0x10 (tag)
4606 "2560c70109ae67c030f00b98b512a670"
4607 // } SEQUENCE (SecureKeyWrapper)
4608);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4609
4610auto wrapping_key = hex2str(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4611 // RFC 5208 s5
4612 "308204be" // SEQUENCE length 0x4be (PrivateKeyInfo) {
4613 "020100" // INTEGER length 1 value 0x00 (version)
4614 "300d" // SEQUENCE length 0x0d (AlgorithmIdentifier) {
4615 "0609" // OBJECT IDENTIFIER length 0x09 (algorithm)
4616 "2a864886f70d010101" // 1.2.840.113549.1.1.1 (RSAES-PKCS1-v1_5 encryption scheme)
4617 "0500" // NULL (parameters)
4618 // } SEQUENCE (AlgorithmIdentifier)
4619 "048204a8" // OCTET STRING len 0x4a8 (privateKey), which contains...
4620 // RFC 8017 A.1.2
4621 "308204a4" // SEQUENCE len 0x4a4 (RSAPrivateKey) {
4622 "020100" // INTEGER length 1 value 0x00 (version)
4623 "02820101" // INTEGER length 0x0101 (modulus) value...
4624 "00aec367931d8900ce56b0067f7d70e1" // 0x10
4625 "fc653f3f34d194c1fed50018fb43db93" // 0x20
4626 "7b06e673a837313d56b1c725150a3fef" // 0x30
4627 "86acbddc41bb759c2854eae32d35841e" // 0x40
4628 "fb5c18d82bc90a1cb5c1d55adf245b02" // 0x50
4629 "911f0b7cda88c421ff0ebafe7c0d23be" // 0x60
4630 "312d7bd5921ffaea1347c157406fef71" // 0x70
4631 "8f682643e4e5d33c6703d61c0cf7ac0b" // 0x80
4632 "f4645c11f5c1374c3886427411c44979" // 0x90
4633 "6792e0bef75dec858a2123c36753e02a" // 0xa0
4634 "95a96d7c454b504de385a642e0dfc3e6" // 0xb0
4635 "0ac3a7ee4991d0d48b0172a95f9536f0" // 0xc0
4636 "2ba13cecccb92b727db5c27e5b2f5cec" // 0xd0
4637 "09600b286af5cf14c42024c61ddfe71c" // 0xe0
4638 "2a8d7458f185234cb00e01d282f10f8f" // 0xf0
4639 "c6721d2aed3f4833cca2bd8fa62821dd" // 0x100
4640 "55" // 0x101
4641 "0203010001" // INTEGER length 3 value 0x10001 (publicExponent)
4642 "02820100" // INTEGER length 0x100 (privateExponent) value...
4643 "431447b6251908112b1ee76f99f3711a" // 0x10
4644 "52b6630960046c2de70de188d833f8b8" // 0x20
4645 "b91e4d785caeeeaf4f0f74414e2cda40" // 0x30
4646 "641f7fe24f14c67a88959bdb27766df9" // 0x40
4647 "e710b630a03adc683b5d2c43080e52be" // 0x50
4648 "e71e9eaeb6de297a5fea1072070d181c" // 0x60
4649 "822bccff087d63c940ba8a45f670feb2" // 0x70
4650 "9fb4484d1c95e6d2579ba02aae0a0090" // 0x80
4651 "0c3ebf490e3d2cd7ee8d0e20c536e4dc" // 0x90
4652 "5a5097272888cddd7e91f228b1c4d747" // 0xa0
4653 "4c55b8fcd618c4a957bbddd5ad7407cc" // 0xb0
4654 "312d8d98a5caf7e08f4a0d6b45bb41c6" // 0xc0
4655 "52659d5a5ba05b663737a8696281865b" // 0xd0
4656 "a20fbdd7f851e6c56e8cbe0ddbbf24dc" // 0xe0
4657 "03b2d2cb4c3d540fb0af52e034a2d066" // 0xf0
4658 "98b128e5f101e3b51a34f8d8b4f86181" // 0x100
4659 "028181" // INTEGER length 0x81 (prime1) value...
4660 "00de392e18d682c829266cc3454e1d61" // 0x10
4661 "66242f32d9a1d10577753e904ea7d08b" // 0x20
4662 "ff841be5bac82a164c5970007047b8c5" // 0x30
4663 "17db8f8f84e37bd5988561bdf503d4dc" // 0x40
4664 "2bdb38f885434ae42c355f725c9a60f9" // 0x50
4665 "1f0788e1f1a97223b524b5357fdf72e2" // 0x60
4666 "f696bab7d78e32bf92ba8e1864eab122" // 0x70
4667 "9e91346130748a6e3c124f9149d71c74" // 0x80
4668 "35"
4669 "028181" // INTEGER length 0x81 (prime2) value...
4670 "00c95387c0f9d35f137b57d0d65c397c" // 0x10
4671 "5e21cc251e47008ed62a542409c8b6b6" // 0x20
4672 "ac7f8967b3863ca645fcce49582a9aa1" // 0x30
4673 "7349db6c4a95affdae0dae612e1afac9" // 0x40
4674 "9ed39a2d934c880440aed8832f984316" // 0x50
4675 "3a47f27f392199dc1202f9a0f9bd0830" // 0x60
4676 "8007cb1e4e7f58309366a7de25f7c3c9" // 0x70
4677 "b880677c068e1be936e81288815252a8" // 0x80
4678 "a1"
4679 "028180" // INTEGER length 0x80 (exponent1) value...
4680 "57ff8ca1895080b2cae486ef0adfd791" // 0x10
4681 "fb0235c0b8b36cd6c136e52e4085f4ea" // 0x20
4682 "5a063212a4f105a3764743e53281988a" // 0x30
4683 "ba073f6e0027298e1c4378556e0efca0" // 0x40
4684 "e14ece1af76ad0b030f27af6f0ab35fb" // 0x50
4685 "73a060d8b1a0e142fa2647e93b32e36d" // 0x60
4686 "8282ae0a4de50ab7afe85500a16f43a6" // 0x70
4687 "4719d6e2b9439823719cd08bcd031781" // 0x80
4688 "028181" // INTEGER length 0x81 (exponent2) value...
4689 "00ba73b0bb28e3f81e9bd1c568713b10" // 0x10
4690 "1241acc607976c4ddccc90e65b6556ca" // 0x20
4691 "31516058f92b6e09f3b160ff0e374ec4" // 0x30
4692 "0d78ae4d4979fde6ac06a1a400c61dd3" // 0x40
4693 "1254186af30b22c10582a8a43e34fe94" // 0x50
4694 "9c5f3b9755bae7baa7b7b7a6bd03b38c" // 0x60
4695 "ef55c86885fc6c1978b9cee7ef33da50" // 0x70
4696 "7c9df6b9277cff1e6aaa5d57aca52846" // 0x80
4697 "61"
4698 "028181" // INTEGER length 0x81 (coefficient) value...
4699 "00c931617c77829dfb1270502be9195c" // 0x10
4700 "8f2830885f57dba869536811e6864236" // 0x20
4701 "d0c4736a0008a145af36b8357a7c3d13" // 0x30
4702 "9966d04c4e00934ea1aede3bb6b8ec84" // 0x40
4703 "1dc95e3f579751e2bfdfe27ae778983f" // 0x50
4704 "959356210723287b0affcc9f727044d4" // 0x60
4705 "8c373f1babde0724fa17a4fd4da0902c" // 0x70
4706 "7c9b9bf27ba61be6ad02dfddda8f4e68" // 0x80
4707 "22"
4708 // } SEQUENCE
4709 // } SEQUENCE ()
4710);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4711
4712string zero_masking_key =
4713 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
4714string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
4715
4716class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
4717
4718TEST_P(ImportWrappedKeyTest, Success) {
4719 auto wrapping_key_desc = AuthorizationSetBuilder()
4720 .RsaEncryptionKey(2048, 65537)
4721 .Digest(Digest::SHA_2_256)
4722 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4723 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4724 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4725
4726 ASSERT_EQ(ErrorCode::OK,
4727 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4728 AuthorizationSetBuilder()
4729 .Digest(Digest::SHA_2_256)
4730 .Padding(PaddingMode::RSA_OAEP)));
4731
4732 string message = "Hello World!";
4733 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4734 string ciphertext = EncryptMessage(message, params);
4735 string plaintext = DecryptMessage(ciphertext, params);
4736 EXPECT_EQ(message, plaintext);
4737}
4738
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4739/*
4740 * ImportWrappedKeyTest.SuccessSidsIgnored
4741 *
4742 * Verifies that password_sid and biometric_sid are ignored on import if the authorizations don't
4743 * include Tag:USER_SECURE_ID.
4744 */
4745TEST_P(ImportWrappedKeyTest, SuccessSidsIgnored) {
4746 auto wrapping_key_desc = AuthorizationSetBuilder()
4747 .RsaEncryptionKey(2048, 65537)
4748 .Digest(Digest::SHA_2_256)
4749 .Padding(PaddingMode::RSA_OAEP)
4750 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4751 .SetDefaultValidity();
4752
4753 int64_t password_sid = 42;
4754 int64_t biometric_sid = 24;
4755 ASSERT_EQ(ErrorCode::OK,
4756 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4757 AuthorizationSetBuilder()
4758 .Digest(Digest::SHA_2_256)
4759 .Padding(PaddingMode::RSA_OAEP),
4760 password_sid, biometric_sid));
4761
4762 string message = "Hello World!";
4763 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
4764 string ciphertext = EncryptMessage(message, params);
4765 string plaintext = DecryptMessage(ciphertext, params);
4766 EXPECT_EQ(message, plaintext);
4767}
4768
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4769TEST_P(ImportWrappedKeyTest, SuccessMasked) {
4770 auto wrapping_key_desc = AuthorizationSetBuilder()
4771 .RsaEncryptionKey(2048, 65537)
4772 .Digest(Digest::SHA_2_256)
4773 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4774 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4775 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4776
4777 ASSERT_EQ(ErrorCode::OK,
4778 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
4779 AuthorizationSetBuilder()
4780 .Digest(Digest::SHA_2_256)
4781 .Padding(PaddingMode::RSA_OAEP)));
4782}
4783
4784TEST_P(ImportWrappedKeyTest, WrongMask) {
4785 auto wrapping_key_desc = AuthorizationSetBuilder()
4786 .RsaEncryptionKey(2048, 65537)
4787 .Digest(Digest::SHA_2_256)
4788 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4789 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4790 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4791
4792 ASSERT_EQ(
4793 ErrorCode::VERIFICATION_FAILED,
4794 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
4795 AuthorizationSetBuilder()
4796 .Digest(Digest::SHA_2_256)
4797 .Padding(PaddingMode::RSA_OAEP)));
4798}
4799
4800TEST_P(ImportWrappedKeyTest, WrongPurpose) {
4801 auto wrapping_key_desc = AuthorizationSetBuilder()
4802 .RsaEncryptionKey(2048, 65537)
4803 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4804 .Padding(PaddingMode::RSA_OAEP)
4805 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4806
4807 ASSERT_EQ(
4808 ErrorCode::INCOMPATIBLE_PURPOSE,
4809 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
4810 AuthorizationSetBuilder()
4811 .Digest(Digest::SHA_2_256)
4812 .Padding(PaddingMode::RSA_OAEP)));
4813}
4814
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4815TEST_P(ImportWrappedKeyTest, WrongPaddingMode) {
4816 auto wrapping_key_desc = AuthorizationSetBuilder()
4817 .RsaEncryptionKey(2048, 65537)
4818 .Digest(Digest::SHA_2_256)
4819 .Padding(PaddingMode::RSA_PSS)
4820 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4821 .SetDefaultValidity();
4822
4823 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
4824 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4825 AuthorizationSetBuilder()
4826 .Digest(Digest::SHA_2_256)
4827 .Padding(PaddingMode::RSA_OAEP)));
4828}
4829
4830TEST_P(ImportWrappedKeyTest, WrongDigest) {
4831 auto wrapping_key_desc = AuthorizationSetBuilder()
4832 .RsaEncryptionKey(2048, 65537)
4833 .Digest(Digest::SHA_2_512)
4834 .Padding(PaddingMode::RSA_OAEP)
4835 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
4836 .SetDefaultValidity();
4837
4838 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
4839 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
4840 AuthorizationSetBuilder()
4841 .Digest(Digest::SHA_2_256)
4842 .Padding(PaddingMode::RSA_OAEP)));
4843}
4844
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4845INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
4846
4847typedef KeyMintAidlTestBase EncryptionOperationsTest;
4848
4849/*
4850 * EncryptionOperationsTest.RsaNoPaddingSuccess
4851 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4852 * Verifies that raw RSA decryption works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4853 */
4854TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]4855 for (uint64_t exponent : ValidExponents()) {
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4856 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4857 .Authorization(TAG_NO_AUTH_REQUIRED)
4858 .RsaEncryptionKey(2048, exponent)
4859 .Padding(PaddingMode::NONE)
4860 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4861
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4862 string message = string(2048 / 8, 'a');
4863 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4864 string ciphertext1 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4865 EXPECT_EQ(2048U / 8, ciphertext1.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4866
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4867 string ciphertext2 = LocalRsaEncryptMessage(message, params);
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4868 EXPECT_EQ(2048U / 8, ciphertext2.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4869
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4870 // Unpadded RSA is deterministic
4871 EXPECT_EQ(ciphertext1, ciphertext2);
4872
4873 CheckedDeleteKey();
4874 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4875}
4876
4877/*
4878 * EncryptionOperationsTest.RsaNoPaddingShortMessage
4879 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4880 * Verifies that raw RSA decryption of short messages works.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4881 */
4882TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
4883 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4884 .Authorization(TAG_NO_AUTH_REQUIRED)
4885 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4886 .Padding(PaddingMode::NONE)
4887 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4888
4889 string message = "1";
4890 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
4891
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4892 string ciphertext = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4893 EXPECT_EQ(2048U / 8, ciphertext.size());
4894
4895 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
4896 string plaintext = DecryptMessage(ciphertext, params);
4897
4898 EXPECT_EQ(expected_plaintext, plaintext);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4899}
4900
4901/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4902 * EncryptionOperationsTest.RsaOaepSuccess
4903 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4904 * Verifies that RSA-OAEP decryption operations work, with all digests.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4905 */
4906TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
4907 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
4908
4909 size_t key_size = 2048; // Need largish key for SHA-512 test.
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4910 ASSERT_EQ(ErrorCode::OK,
4911 GenerateKey(AuthorizationSetBuilder()
4912 .Authorization(TAG_NO_AUTH_REQUIRED)
4913 .RsaEncryptionKey(key_size, 65537)
4914 .Padding(PaddingMode::RSA_OAEP)
4915 .Digest(digests)
4916 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1)
4917 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4918
4919 string message = "Hello";
4920
4921 for (auto digest : digests) {
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4922 SCOPED_TRACE(testing::Message() << "digest-" << digest);
4923
4924 auto params = AuthorizationSetBuilder()
4925 .Digest(digest)
4926 .Padding(PaddingMode::RSA_OAEP)
4927 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA1);
4928 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4929 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
4930 EXPECT_EQ(key_size / 8, ciphertext1.size());
4931
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4932 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4933 EXPECT_EQ(key_size / 8, ciphertext2.size());
4934
4935 // OAEP randomizes padding so every result should be different (with astronomically high
4936 // probability).
4937 EXPECT_NE(ciphertext1, ciphertext2);
4938
4939 string plaintext1 = DecryptMessage(ciphertext1, params);
4940 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
4941 string plaintext2 = DecryptMessage(ciphertext2, params);
4942 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
4943
4944 // Decrypting corrupted ciphertext should fail.
4945 size_t offset_to_corrupt = random() % ciphertext1.size();
4946 char corrupt_byte;
4947 do {
4948 corrupt_byte = static_cast<char>(random() % 256);
4949 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
4950 ciphertext1[offset_to_corrupt] = corrupt_byte;
4951
4952 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
4953 string result;
4954 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
4955 EXPECT_EQ(0U, result.size());
4956 }
4957}
4958
4959/*
4960 * EncryptionOperationsTest.RsaOaepInvalidDigest
4961 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4962 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4963 * without a digest.
4964 */
4965TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
4966 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4967 .Authorization(TAG_NO_AUTH_REQUIRED)
4968 .RsaEncryptionKey(2048, 65537)
4969 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4970 .Digest(Digest::NONE)
4971 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4972
4973 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4974 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4975}
4976
4977/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4978 * EncryptionOperationsTest.RsaOaepInvalidPadding
4979 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4980 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4981 * with a padding value that is only suitable for signing/verifying.
4982 */
4983TEST_P(EncryptionOperationsTest, RsaOaepInvalidPadding) {
4984 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4985 .Authorization(TAG_NO_AUTH_REQUIRED)
4986 .RsaEncryptionKey(2048, 65537)
4987 .Padding(PaddingMode::RSA_PSS)
4988 .Digest(Digest::NONE)
4989 .SetDefaultValidity()));
4990
4991 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS).Digest(Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4992 EXPECT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE, Begin(KeyPurpose::DECRYPT, params));
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]4993}
4994
4995/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]4996 * EncryptionOperationsTest.RsaOaepDecryptWithWrongDigest
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4997 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]4998 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4999 * with a different digest than was used to encrypt.
5000 */
5001TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]5002 if (SecLevel() == SecurityLevel::STRONGBOX) {
5003 GTEST_SKIP() << "Test not applicable to StrongBox device";
5004 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5005
5006 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5007 .Authorization(TAG_NO_AUTH_REQUIRED)
5008 .RsaEncryptionKey(1024, 65537)
5009 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5010 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
5011 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5012 string message = "Hello World!";
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5013 string ciphertext = LocalRsaEncryptMessage(
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5014 message,
5015 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
5016
5017 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5018 .Digest(Digest::SHA_2_256)
5019 .Padding(PaddingMode::RSA_OAEP)));
5020 string result;
5021 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
5022 EXPECT_EQ(0U, result.size());
5023}
5024
5025/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5026 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
5027 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5028 * Verifies that RSA-OAEP decryption operations work, with all SHA 256 digests and all type of MGF1
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5029 * digests.
5030 */
5031TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
5032 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
5033
5034 size_t key_size = 2048; // Need largish key for SHA-512 test.
5035 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5036 .OaepMGFDigest(digests)
5037 .Authorization(TAG_NO_AUTH_REQUIRED)
5038 .RsaEncryptionKey(key_size, 65537)
5039 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5040 .Digest(Digest::SHA_2_256)
5041 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5042
5043 string message = "Hello";
5044
5045 for (auto digest : digests) {
5046 auto params = AuthorizationSetBuilder()
5047 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
5048 .Digest(Digest::SHA_2_256)
5049 .Padding(PaddingMode::RSA_OAEP);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5050 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5051 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
5052 EXPECT_EQ(key_size / 8, ciphertext1.size());
5053
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5054 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5055 EXPECT_EQ(key_size / 8, ciphertext2.size());
5056
5057 // OAEP randomizes padding so every result should be different (with astronomically high
5058 // probability).
5059 EXPECT_NE(ciphertext1, ciphertext2);
5060
5061 string plaintext1 = DecryptMessage(ciphertext1, params);
5062 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
5063 string plaintext2 = DecryptMessage(ciphertext2, params);
5064 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
5065
5066 // Decrypting corrupted ciphertext should fail.
5067 size_t offset_to_corrupt = random() % ciphertext1.size();
5068 char corrupt_byte;
5069 do {
5070 corrupt_byte = static_cast<char>(random() % 256);
5071 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5072 ciphertext1[offset_to_corrupt] = corrupt_byte;
5073
5074 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5075 string result;
5076 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5077 EXPECT_EQ(0U, result.size());
5078 }
5079}
5080
5081/*
5082 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
5083 *
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5084 * Verifies that RSA-OAEP decryption operations fail in the correct way when asked to operate
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5085 * with incompatible MGF digest.
5086 */
5087TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
5088 ASSERT_EQ(ErrorCode::OK,
5089 GenerateKey(AuthorizationSetBuilder()
5090 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5091 .Authorization(TAG_NO_AUTH_REQUIRED)
5092 .RsaEncryptionKey(2048, 65537)
5093 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5094 .Digest(Digest::SHA_2_256)
5095 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5096 string message = "Hello World!";
5097
5098 auto params = AuthorizationSetBuilder()
5099 .Padding(PaddingMode::RSA_OAEP)
5100 .Digest(Digest::SHA_2_256)
5101 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5102 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5103}
5104
5105/*
5106 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
5107 *
5108 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
5109 * with unsupported MGF digest.
5110 */
5111TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
5112 ASSERT_EQ(ErrorCode::OK,
5113 GenerateKey(AuthorizationSetBuilder()
5114 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
5115 .Authorization(TAG_NO_AUTH_REQUIRED)
5116 .RsaEncryptionKey(2048, 65537)
5117 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5118 .Digest(Digest::SHA_2_256)
5119 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5120 string message = "Hello World!";
5121
5122 auto params = AuthorizationSetBuilder()
5123 .Padding(PaddingMode::RSA_OAEP)
5124 .Digest(Digest::SHA_2_256)
5125 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5126 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::DECRYPT, params));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]5127}
5128
5129/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5130 * EncryptionOperationsTest.RsaPkcs1Success
5131 *
5132 * Verifies that RSA PKCS encryption/decrypts works.
5133 */
5134TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
5135 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5136 .Authorization(TAG_NO_AUTH_REQUIRED)
5137 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5138 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
5139 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5140
5141 string message = "Hello World!";
5142 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5143 string ciphertext1 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5144 EXPECT_EQ(2048U / 8, ciphertext1.size());
5145
David Drysdale59cae642021-05-12 13:52:03 +0100[diff] [blame]5146 string ciphertext2 = LocalRsaEncryptMessage(message, params);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5147 EXPECT_EQ(2048U / 8, ciphertext2.size());
5148
5149 // PKCS1 v1.5 randomizes padding so every result should be different.
5150 EXPECT_NE(ciphertext1, ciphertext2);
5151
5152 string plaintext = DecryptMessage(ciphertext1, params);
5153 EXPECT_EQ(message, plaintext);
5154
5155 // Decrypting corrupted ciphertext should fail.
5156 size_t offset_to_corrupt = random() % ciphertext1.size();
5157 char corrupt_byte;
5158 do {
5159 corrupt_byte = static_cast<char>(random() % 256);
5160 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
5161 ciphertext1[offset_to_corrupt] = corrupt_byte;
5162
5163 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5164 string result;
5165 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
5166 EXPECT_EQ(0U, result.size());
5167}
5168
5169/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5170 * EncryptionOperationsTest.EcdsaEncrypt
5171 *
5172 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
5173 */
5174TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
5175 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5176 .Authorization(TAG_NO_AUTH_REQUIRED)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]5177 .EcdsaSigningKey(EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]5178 .Digest(Digest::NONE)
5179 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5180 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
5181 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5182 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5183}
5184
5185/*
5186 * EncryptionOperationsTest.HmacEncrypt
5187 *
5188 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
5189 */
5190TEST_P(EncryptionOperationsTest, HmacEncrypt) {
5191 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5192 .Authorization(TAG_NO_AUTH_REQUIRED)
5193 .HmacKey(128)
5194 .Digest(Digest::SHA_2_256)
5195 .Padding(PaddingMode::NONE)
5196 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5197 auto params = AuthorizationSetBuilder()
5198 .Digest(Digest::SHA_2_256)
5199 .Padding(PaddingMode::NONE)
5200 .Authorization(TAG_MAC_LENGTH, 128);
5201 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
5202 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
5203}
5204
5205/*
5206 * EncryptionOperationsTest.AesEcbRoundTripSuccess
5207 *
5208 * Verifies that AES ECB mode works.
5209 */
5210TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
5211 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5212 .Authorization(TAG_NO_AUTH_REQUIRED)
5213 .AesEncryptionKey(128)
5214 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5215 .Padding(PaddingMode::NONE)));
5216
5217 ASSERT_GT(key_blob_.size(), 0U);
5218 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5219
5220 // Two-block message.
5221 string message = "12345678901234567890123456789012";
5222 string ciphertext1 = EncryptMessage(message, params);
5223 EXPECT_EQ(message.size(), ciphertext1.size());
5224
5225 string ciphertext2 = EncryptMessage(string(message), params);
5226 EXPECT_EQ(message.size(), ciphertext2.size());
5227
5228 // ECB is deterministic.
5229 EXPECT_EQ(ciphertext1, ciphertext2);
5230
5231 string plaintext = DecryptMessage(ciphertext1, params);
5232 EXPECT_EQ(message, plaintext);
5233}
5234
5235/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5236 * EncryptionOperationsTest.AesEcbUnknownTag
5237 *
5238 * Verifies that AES ECB operations ignore unknown tags.
5239 */
5240TEST_P(EncryptionOperationsTest, AesEcbUnknownTag) {
5241 int32_t unknown_tag_value = ((7 << 28) /* TagType:BOOL */ | 150);
5242 Tag unknown_tag = static_cast<Tag>(unknown_tag_value);
5243 KeyParameter unknown_param;
5244 unknown_param.tag = unknown_tag;
5245
5246 vector<KeyCharacteristics> key_characteristics;
5247 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5248 .Authorization(TAG_NO_AUTH_REQUIRED)
5249 .AesEncryptionKey(128)
5250 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5251 .Padding(PaddingMode::NONE)
5252 .Authorization(unknown_param),
5253 &key_blob_, &key_characteristics));
5254 ASSERT_GT(key_blob_.size(), 0U);
5255
5256 // Unknown tags should not be returned in key characteristics.
5257 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
5258 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
5259 EXPECT_EQ(hw_enforced.find(unknown_tag), -1);
5260 EXPECT_EQ(sw_enforced.find(unknown_tag), -1);
5261
5262 // Encrypt without mentioning the unknown parameter.
5263 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
5264 string message = "12345678901234567890123456789012";
5265 string ciphertext = EncryptMessage(message, params);
5266 EXPECT_EQ(message.size(), ciphertext.size());
5267
5268 // Decrypt including the unknown parameter.
5269 auto decrypt_params = AuthorizationSetBuilder()
5270 .BlockMode(BlockMode::ECB)
5271 .Padding(PaddingMode::NONE)
5272 .Authorization(unknown_param);
5273 string plaintext = DecryptMessage(ciphertext, decrypt_params);
5274 EXPECT_EQ(message, plaintext);
5275}
5276
5277/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5278 * EncryptionOperationsTest.AesWrongMode
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5279 *
5280 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
5281 */
5282TEST_P(EncryptionOperationsTest, AesWrongMode) {
5283 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5284 .Authorization(TAG_NO_AUTH_REQUIRED)
5285 .AesEncryptionKey(128)
5286 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5287 .Padding(PaddingMode::NONE)));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5288 ASSERT_GT(key_blob_.size(), 0U);
5289
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5290 EXPECT_EQ(
5291 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
5292 Begin(KeyPurpose::ENCRYPT,
5293 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
5294}
5295
5296/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5297 * EncryptionOperationsTest.AesWrongPadding
5298 *
5299 * Verifies that AES encryption fails in the correct way when an unauthorized padding is specified.
5300 */
5301TEST_P(EncryptionOperationsTest, AesWrongPadding) {
5302 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5303 .Authorization(TAG_NO_AUTH_REQUIRED)
5304 .AesEncryptionKey(128)
5305 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5306 .Padding(PaddingMode::NONE)));
5307 ASSERT_GT(key_blob_.size(), 0U);
5308
5309 EXPECT_EQ(
5310 ErrorCode::INCOMPATIBLE_PADDING_MODE,
5311 Begin(KeyPurpose::ENCRYPT,
5312 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7)));
5313}
5314
5315/*
5316 * EncryptionOperationsTest.AesInvalidParams
5317 *
5318 * Verifies that AES encryption fails in the correct way when an duplicate parameters are specified.
5319 */
5320TEST_P(EncryptionOperationsTest, AesInvalidParams) {
5321 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5322 .Authorization(TAG_NO_AUTH_REQUIRED)
5323 .AesEncryptionKey(128)
5324 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5325 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5326 .Padding(PaddingMode::NONE)
5327 .Padding(PaddingMode::PKCS7)));
5328 ASSERT_GT(key_blob_.size(), 0U);
5329
5330 auto result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5331 .BlockMode(BlockMode::CBC)
5332 .BlockMode(BlockMode::ECB)
5333 .Padding(PaddingMode::NONE));
5334 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_BLOCK_MODE ||
5335 result == ErrorCode::UNSUPPORTED_BLOCK_MODE);
5336
5337 result = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5338 .BlockMode(BlockMode::ECB)
5339 .Padding(PaddingMode::NONE)
5340 .Padding(PaddingMode::PKCS7));
5341 EXPECT_TRUE(result == ErrorCode::INCOMPATIBLE_PADDING_MODE ||
5342 result == ErrorCode::UNSUPPORTED_PADDING_MODE);
5343}
5344
5345/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5346 * EncryptionOperationsTest.AesWrongPurpose
5347 *
5348 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
5349 * specified.
5350 */
5351TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
5352 auto err = GenerateKey(AuthorizationSetBuilder()
5353 .Authorization(TAG_NO_AUTH_REQUIRED)
5354 .AesKey(128)
5355 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
5356 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5357 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5358 .Padding(PaddingMode::NONE));
5359 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
5360 ASSERT_GT(key_blob_.size(), 0U);
5361
5362 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
5363 .BlockMode(BlockMode::GCM)
5364 .Padding(PaddingMode::NONE)
5365 .Authorization(TAG_MAC_LENGTH, 128));
5366 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5367
5368 CheckedDeleteKey();
5369
5370 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5371 .Authorization(TAG_NO_AUTH_REQUIRED)
5372 .AesKey(128)
5373 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
5374 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5375 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5376 .Padding(PaddingMode::NONE)));
5377
5378 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
5379 .BlockMode(BlockMode::GCM)
5380 .Padding(PaddingMode::NONE)
5381 .Authorization(TAG_MAC_LENGTH, 128));
5382 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
5383}
5384
5385/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5386 * EncryptionOperationsTest.AesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5387 *
5388 * Verifies that AES encryption fails in the correct way when provided an input that is not a
5389 * multiple of the block size and no padding is specified.
5390 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5391TEST_P(EncryptionOperationsTest, AesEcbCbcNoPaddingWrongInputSize) {
5392 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
5393 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5394 .Authorization(TAG_NO_AUTH_REQUIRED)
5395 .AesEncryptionKey(128)
5396 .Authorization(TAG_BLOCK_MODE, blockMode)
5397 .Padding(PaddingMode::NONE)));
5398 // Message is slightly shorter than two blocks.
5399 string message(16 * 2 - 1, 'a');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5400
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5401 auto params = AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
5402 AuthorizationSet out_params;
5403 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5404 string ciphertext;
5405 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
5406 EXPECT_EQ(0U, ciphertext.size());
5407
5408 CheckedDeleteKey();
5409 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5410}
5411
5412/*
5413 * EncryptionOperationsTest.AesEcbPkcs7Padding
5414 *
5415 * Verifies that AES PKCS7 padding works for any message length.
5416 */
5417TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
5418 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5419 .Authorization(TAG_NO_AUTH_REQUIRED)
5420 .AesEncryptionKey(128)
5421 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5422 .Padding(PaddingMode::PKCS7)));
5423
5424 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5425
5426 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5427 for (size_t i = 0; i <= 48; i++) {
5428 SCOPED_TRACE(testing::Message() << "i = " << i);
5429 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character.
5430 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5431 string ciphertext = EncryptMessage(message, params);
5432 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
5433 string plaintext = DecryptMessage(ciphertext, params);
5434 EXPECT_EQ(message, plaintext);
5435 }
5436}
5437
5438/*
5439 * EncryptionOperationsTest.AesEcbWrongPadding
5440 *
5441 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
5442 * specified.
5443 */
5444TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
5445 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5446 .Authorization(TAG_NO_AUTH_REQUIRED)
5447 .AesEncryptionKey(128)
5448 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5449 .Padding(PaddingMode::NONE)));
5450
5451 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5452
5453 // Try various message lengths; all should fail
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]5454 for (size_t i = 0; i <= 48; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5455 string message(i, 'a');
5456 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5457 }
5458}
5459
5460/*
5461 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
5462 *
5463 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5464 */
5465TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
5466 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5467 .Authorization(TAG_NO_AUTH_REQUIRED)
5468 .AesEncryptionKey(128)
5469 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5470 .Padding(PaddingMode::PKCS7)));
5471
5472 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5473
5474 string message = "a";
5475 string ciphertext = EncryptMessage(message, params);
5476 EXPECT_EQ(16U, ciphertext.size());
5477 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5478
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5479 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
5480 ++ciphertext[ciphertext.size() / 2];
5481
5482 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5483 string plaintext;
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame^]5484 ErrorCode error = Finish(ciphertext, &plaintext);
5485 if (error == ErrorCode::INVALID_ARGUMENT) {
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5486 // This is the expected error, we can exit the test now.
5487 return;
5488 } else {
5489 // Very small chance we got valid decryption, so try again.
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame^]5490 ASSERT_EQ(error, ErrorCode::OK)
5491 << "Expected INVALID_ARGUMENT or (rarely) OK, got " << error;
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]5492 }
5493 }
5494 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5495}
5496
David Drysdaleb8093292022-04-08 12:22:35 +0100[diff] [blame^]5497/*
5498 * EncryptionOperationsTest.AesEcbPkcs7CiphertextTooShort
5499 *
5500 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
5501 */
5502TEST_P(EncryptionOperationsTest, AesEcbPkcs7CiphertextTooShort) {
5503 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5504 .Authorization(TAG_NO_AUTH_REQUIRED)
5505 .AesEncryptionKey(128)
5506 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
5507 .Padding(PaddingMode::PKCS7)));
5508
5509 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
5510
5511 string message = "a";
5512 string ciphertext = EncryptMessage(message, params);
5513 EXPECT_EQ(16U, ciphertext.size());
5514 EXPECT_NE(ciphertext, message);
5515
5516 // Shorten the ciphertext.
5517 ciphertext.resize(ciphertext.size() - 1);
5518 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
5519 string plaintext;
5520 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(ciphertext, &plaintext));
5521}
5522
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5523vector<uint8_t> CopyIv(const AuthorizationSet& set) {
5524 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5525 EXPECT_TRUE(iv);
5526 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5527}
5528
5529/*
5530 * EncryptionOperationsTest.AesCtrRoundTripSuccess
5531 *
5532 * Verifies that AES CTR mode works.
5533 */
5534TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
5535 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5536 .Authorization(TAG_NO_AUTH_REQUIRED)
5537 .AesEncryptionKey(128)
5538 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5539 .Padding(PaddingMode::NONE)));
5540
5541 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5542
5543 string message = "123";
5544 AuthorizationSet out_params;
5545 string ciphertext1 = EncryptMessage(message, params, &out_params);
5546 vector<uint8_t> iv1 = CopyIv(out_params);
5547 EXPECT_EQ(16U, iv1.size());
5548
5549 EXPECT_EQ(message.size(), ciphertext1.size());
5550
5551 out_params.Clear();
5552 string ciphertext2 = EncryptMessage(message, params, &out_params);
5553 vector<uint8_t> iv2 = CopyIv(out_params);
5554 EXPECT_EQ(16U, iv2.size());
5555
5556 // IVs should be random, so ciphertexts should differ.
5557 EXPECT_NE(ciphertext1, ciphertext2);
5558
5559 auto params_iv1 =
5560 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
5561 auto params_iv2 =
5562 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
5563
5564 string plaintext = DecryptMessage(ciphertext1, params_iv1);
5565 EXPECT_EQ(message, plaintext);
5566 plaintext = DecryptMessage(ciphertext2, params_iv2);
5567 EXPECT_EQ(message, plaintext);
5568
5569 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
5570 plaintext = DecryptMessage(ciphertext1, params_iv2);
5571 EXPECT_NE(message, plaintext);
5572 plaintext = DecryptMessage(ciphertext2, params_iv1);
5573 EXPECT_NE(message, plaintext);
5574}
5575
5576/*
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5577 * EncryptionOperationsTest.AesEcbIncremental
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5578 *
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5579 * Verifies that AES works for ECB block mode, when provided data in various size increments.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5580 */
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5581TEST_P(EncryptionOperationsTest, AesEcbIncremental) {
5582 CheckAesIncrementalEncryptOperation(BlockMode::ECB, 240);
5583}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5584
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5585/*
5586 * EncryptionOperationsTest.AesCbcIncremental
5587 *
5588 * Verifies that AES works for CBC block mode, when provided data in various size increments.
5589 */
5590TEST_P(EncryptionOperationsTest, AesCbcIncremental) {
5591 CheckAesIncrementalEncryptOperation(BlockMode::CBC, 240);
5592}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5593
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5594/*
5595 * EncryptionOperationsTest.AesCtrIncremental
5596 *
5597 * Verifies that AES works for CTR block mode, when provided data in various size increments.
5598 */
5599TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
5600 CheckAesIncrementalEncryptOperation(BlockMode::CTR, 240);
5601}
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5602
anil.hiranniah19a4ca12022-03-03 17:39:30 +0530[diff] [blame]5603/*
5604 * EncryptionOperationsTest.AesGcmIncremental
5605 *
5606 * Verifies that AES works for GCM block mode, when provided data in various size increments.
5607 */
5608TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
5609 CheckAesIncrementalEncryptOperation(BlockMode::GCM, 240);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5610}
5611
5612struct AesCtrSp80038aTestVector {
5613 const char* key;
5614 const char* nonce;
5615 const char* plaintext;
5616 const char* ciphertext;
5617};
5618
5619// These test vectors are taken from
5620// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
5621static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
5622 // AES-128
5623 {
5624 "2b7e151628aed2a6abf7158809cf4f3c",
5625 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5626 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5627 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5628 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
5629 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
5630 },
5631 // AES-192
5632 {
5633 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
5634 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5635 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5636 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5637 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
5638 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
5639 },
5640 // AES-256
5641 {
5642 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
5643 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
5644 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
5645 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
5646 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
5647 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
5648 },
5649};
5650
5651/*
5652 * EncryptionOperationsTest.AesCtrSp80038aTestVector
5653 *
5654 * Verifies AES CTR implementation against SP800-38A test vectors.
5655 */
5656TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
5657 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
5658 for (size_t i = 0; i < 3; i++) {
5659 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
5660 const string key = hex2str(test.key);
5661 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
5662 InvalidSizes.end())
5663 continue;
5664 const string nonce = hex2str(test.nonce);
5665 const string plaintext = hex2str(test.plaintext);
5666 const string ciphertext = hex2str(test.ciphertext);
5667 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
5668 }
5669}
5670
5671/*
5672 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
5673 *
5674 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
5675 */
5676TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
5677 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5678 .Authorization(TAG_NO_AUTH_REQUIRED)
5679 .AesEncryptionKey(128)
5680 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5681 .Padding(PaddingMode::PKCS7)));
5682 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
5683 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
5684}
5685
5686/*
5687 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
5688 *
5689 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
5690 */
5691TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
5692 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5693 .Authorization(TAG_NO_AUTH_REQUIRED)
5694 .AesEncryptionKey(128)
5695 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
5696 .Authorization(TAG_CALLER_NONCE)
5697 .Padding(PaddingMode::NONE)));
5698
5699 auto params = AuthorizationSetBuilder()
5700 .BlockMode(BlockMode::CTR)
5701 .Padding(PaddingMode::NONE)
5702 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
5703 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5704
5705 params = AuthorizationSetBuilder()
5706 .BlockMode(BlockMode::CTR)
5707 .Padding(PaddingMode::NONE)
5708 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
5709 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5710
5711 params = AuthorizationSetBuilder()
5712 .BlockMode(BlockMode::CTR)
5713 .Padding(PaddingMode::NONE)
5714 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
5715 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
5716}
5717
5718/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]5719 * EncryptionOperationsTest.AesCbcRoundTripSuccess
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5720 *
5721 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
5722 */
5723TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
5724 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5725 .Authorization(TAG_NO_AUTH_REQUIRED)
5726 .AesEncryptionKey(128)
5727 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5728 .Padding(PaddingMode::NONE)));
5729 // Two-block message.
5730 string message = "12345678901234567890123456789012";
5731 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5732 AuthorizationSet out_params;
5733 string ciphertext1 = EncryptMessage(message, params, &out_params);
5734 vector<uint8_t> iv1 = CopyIv(out_params);
5735 EXPECT_EQ(message.size(), ciphertext1.size());
5736
5737 out_params.Clear();
5738
5739 string ciphertext2 = EncryptMessage(message, params, &out_params);
5740 vector<uint8_t> iv2 = CopyIv(out_params);
5741 EXPECT_EQ(message.size(), ciphertext2.size());
5742
5743 // IVs should be random, so ciphertexts should differ.
5744 EXPECT_NE(ciphertext1, ciphertext2);
5745
5746 params.push_back(TAG_NONCE, iv1);
5747 string plaintext = DecryptMessage(ciphertext1, params);
5748 EXPECT_EQ(message, plaintext);
5749}
5750
5751/*
5752 * EncryptionOperationsTest.AesCallerNonce
5753 *
5754 * Verifies that AES caller-provided nonces work correctly.
5755 */
5756TEST_P(EncryptionOperationsTest, AesCallerNonce) {
5757 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5758 .Authorization(TAG_NO_AUTH_REQUIRED)
5759 .AesEncryptionKey(128)
5760 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5761 .Authorization(TAG_CALLER_NONCE)
5762 .Padding(PaddingMode::NONE)));
5763
5764 string message = "12345678901234567890123456789012";
5765
5766 // Don't specify nonce, should get a random one.
5767 AuthorizationSetBuilder params =
5768 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5769 AuthorizationSet out_params;
5770 string ciphertext = EncryptMessage(message, params, &out_params);
5771 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5772 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5773
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5774 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5775 string plaintext = DecryptMessage(ciphertext, params);
5776 EXPECT_EQ(message, plaintext);
5777
5778 // Now specify a nonce, should also work.
5779 params = AuthorizationSetBuilder()
5780 .BlockMode(BlockMode::CBC)
5781 .Padding(PaddingMode::NONE)
5782 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
5783 out_params.Clear();
5784 ciphertext = EncryptMessage(message, params, &out_params);
5785
5786 // Decrypt with correct nonce.
5787 plaintext = DecryptMessage(ciphertext, params);
5788 EXPECT_EQ(message, plaintext);
5789
5790 // Try with wrong nonce.
5791 params = AuthorizationSetBuilder()
5792 .BlockMode(BlockMode::CBC)
5793 .Padding(PaddingMode::NONE)
5794 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
5795 plaintext = DecryptMessage(ciphertext, params);
5796 EXPECT_NE(message, plaintext);
5797}
5798
5799/*
5800 * EncryptionOperationsTest.AesCallerNonceProhibited
5801 *
5802 * Verifies that caller-provided nonces are not permitted when not specified in the key
5803 * authorizations.
5804 */
5805TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
5806 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5807 .Authorization(TAG_NO_AUTH_REQUIRED)
5808 .AesEncryptionKey(128)
5809 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
5810 .Padding(PaddingMode::NONE)));
5811
5812 string message = "12345678901234567890123456789012";
5813
5814 // Don't specify nonce, should get a random one.
5815 AuthorizationSetBuilder params =
5816 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
5817 AuthorizationSet out_params;
5818 string ciphertext = EncryptMessage(message, params, &out_params);
5819 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5820 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5821
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]5822 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5823 string plaintext = DecryptMessage(ciphertext, params);
5824 EXPECT_EQ(message, plaintext);
5825
5826 // Now specify a nonce, should fail
5827 params = AuthorizationSetBuilder()
5828 .BlockMode(BlockMode::CBC)
5829 .Padding(PaddingMode::NONE)
5830 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
5831 out_params.Clear();
5832 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
5833}
5834
5835/*
5836 * EncryptionOperationsTest.AesGcmRoundTripSuccess
5837 *
5838 * Verifies that AES GCM mode works.
5839 */
5840TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
5841 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5842 .Authorization(TAG_NO_AUTH_REQUIRED)
5843 .AesEncryptionKey(128)
5844 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5845 .Padding(PaddingMode::NONE)
5846 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5847
5848 string aad = "foobar";
5849 string message = "123456789012345678901234567890123456";
5850
5851 auto begin_params = AuthorizationSetBuilder()
5852 .BlockMode(BlockMode::GCM)
5853 .Padding(PaddingMode::NONE)
5854 .Authorization(TAG_MAC_LENGTH, 128);
5855
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5856 // Encrypt
5857 AuthorizationSet begin_out_params;
5858 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
5859 << "Begin encrypt";
5860 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5861 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
5862 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5863 ASSERT_EQ(ciphertext.length(), message.length() + 16);
5864
5865 // Grab nonce
5866 begin_params.push_back(begin_out_params);
5867
5868 // Decrypt.
5869 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5870 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5871 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5872 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5873 EXPECT_EQ(message.length(), plaintext.length());
5874 EXPECT_EQ(message, plaintext);
5875}
5876
5877/*
5878 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
5879 *
5880 * Verifies that AES GCM mode works, even when there's a long delay
5881 * between operations.
5882 */
5883TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
5884 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5885 .Authorization(TAG_NO_AUTH_REQUIRED)
5886 .AesEncryptionKey(128)
5887 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5888 .Padding(PaddingMode::NONE)
5889 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5890
5891 string aad = "foobar";
5892 string message = "123456789012345678901234567890123456";
5893
5894 auto begin_params = AuthorizationSetBuilder()
5895 .BlockMode(BlockMode::GCM)
5896 .Padding(PaddingMode::NONE)
5897 .Authorization(TAG_MAC_LENGTH, 128);
5898
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5899 // Encrypt
5900 AuthorizationSet begin_out_params;
5901 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
5902 << "Begin encrypt";
5903 string ciphertext;
5904 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5905 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5906 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5907 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5908
5909 ASSERT_EQ(ciphertext.length(), message.length() + 16);
5910
5911 // Grab nonce
5912 begin_params.push_back(begin_out_params);
5913
5914 // Decrypt.
5915 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
5916 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5917 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5918 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]5919 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5920 sleep(5);
5921 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
5922 EXPECT_EQ(message.length(), plaintext.length());
5923 EXPECT_EQ(message, plaintext);
5924}
5925
5926/*
5927 * EncryptionOperationsTest.AesGcmDifferentNonces
5928 *
5929 * Verifies that encrypting the same data with different nonces produces different outputs.
5930 */
5931TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
5932 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5933 .Authorization(TAG_NO_AUTH_REQUIRED)
5934 .AesEncryptionKey(128)
5935 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5936 .Padding(PaddingMode::NONE)
5937 .Authorization(TAG_MIN_MAC_LENGTH, 128)
5938 .Authorization(TAG_CALLER_NONCE)));
5939
5940 string aad = "foobar";
5941 string message = "123456789012345678901234567890123456";
5942 string nonce1 = "000000000000";
5943 string nonce2 = "111111111111";
5944 string nonce3 = "222222222222";
5945
5946 string ciphertext1 =
5947 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
5948 string ciphertext2 =
5949 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
5950 string ciphertext3 =
5951 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
5952
5953 ASSERT_NE(ciphertext1, ciphertext2);
5954 ASSERT_NE(ciphertext1, ciphertext3);
5955 ASSERT_NE(ciphertext2, ciphertext3);
5956}
5957
5958/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]5959 * EncryptionOperationsTest.AesGcmDifferentAutoNonces
5960 *
5961 * Verifies that encrypting the same data with KeyMint generated nonces produces different outputs.
5962 */
5963TEST_P(EncryptionOperationsTest, AesGcmDifferentAutoNonces) {
5964 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5965 .Authorization(TAG_NO_AUTH_REQUIRED)
5966 .AesEncryptionKey(128)
5967 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
5968 .Padding(PaddingMode::NONE)
5969 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5970
5971 string aad = "foobar";
5972 string message = "123456789012345678901234567890123456";
5973
5974 string ciphertext1 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5975 string ciphertext2 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5976 string ciphertext3 = EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128);
5977
5978 ASSERT_NE(ciphertext1, ciphertext2);
5979 ASSERT_NE(ciphertext1, ciphertext3);
5980 ASSERT_NE(ciphertext2, ciphertext3);
5981}
5982
5983/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]5984 * EncryptionOperationsTest.AesGcmTooShortTag
5985 *
5986 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
5987 */
5988TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
5989 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
5990 .Authorization(TAG_NO_AUTH_REQUIRED)
5991 .AesEncryptionKey(128)
5992 .BlockMode(BlockMode::GCM)
5993 .Padding(PaddingMode::NONE)
5994 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
5995 string message = "123456789012345678901234567890123456";
5996 auto params = AuthorizationSetBuilder()
5997 .BlockMode(BlockMode::GCM)
5998 .Padding(PaddingMode::NONE)
5999 .Authorization(TAG_MAC_LENGTH, 96);
6000
6001 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
6002}
6003
6004/*
6005 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
6006 *
6007 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
6008 */
6009TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
6010 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6011 .Authorization(TAG_NO_AUTH_REQUIRED)
6012 .AesEncryptionKey(128)
6013 .BlockMode(BlockMode::GCM)
6014 .Padding(PaddingMode::NONE)
6015 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6016 string aad = "foobar";
6017 string message = "123456789012345678901234567890123456";
6018 auto params = AuthorizationSetBuilder()
6019 .BlockMode(BlockMode::GCM)
6020 .Padding(PaddingMode::NONE)
6021 .Authorization(TAG_MAC_LENGTH, 128);
6022
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6023 // Encrypt
6024 AuthorizationSet begin_out_params;
6025 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6026 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]6027 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6028
6029 AuthorizationSet finish_out_params;
6030 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6031 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6032 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6033
6034 params = AuthorizationSetBuilder()
6035 .Authorizations(begin_out_params)
6036 .BlockMode(BlockMode::GCM)
6037 .Padding(PaddingMode::NONE)
6038 .Authorization(TAG_MAC_LENGTH, 96);
6039
6040 // Decrypt.
6041 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
6042}
6043
6044/*
6045 * EncryptionOperationsTest.AesGcmCorruptKey
6046 *
6047 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
6048 */
6049TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
6050 const uint8_t nonce_bytes[] = {
6051 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
6052 };
6053 string nonce = make_string(nonce_bytes);
6054 const uint8_t ciphertext_bytes[] = {
6055 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
6056 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
6057 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
6058 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
6059 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
6060 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
6061 };
6062 string ciphertext = make_string(ciphertext_bytes);
6063
6064 auto params = AuthorizationSetBuilder()
6065 .BlockMode(BlockMode::GCM)
6066 .Padding(PaddingMode::NONE)
6067 .Authorization(TAG_MAC_LENGTH, 128)
6068 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
6069
6070 auto import_params = AuthorizationSetBuilder()
6071 .Authorization(TAG_NO_AUTH_REQUIRED)
6072 .AesEncryptionKey(128)
6073 .BlockMode(BlockMode::GCM)
6074 .Padding(PaddingMode::NONE)
6075 .Authorization(TAG_CALLER_NONCE)
6076 .Authorization(TAG_MIN_MAC_LENGTH, 128);
6077
6078 // Import correct key and decrypt
6079 const uint8_t key_bytes[] = {
6080 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
6081 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
6082 };
6083 string key = make_string(key_bytes);
6084 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6085 string plaintext = DecryptMessage(ciphertext, params);
6086 CheckedDeleteKey();
6087
6088 // Corrupt key and attempt to decrypt
6089 key[0] = 0;
6090 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
6091 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
6092 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
6093 CheckedDeleteKey();
6094}
6095
6096/*
6097 * EncryptionOperationsTest.AesGcmAadNoData
6098 *
6099 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
6100 * encrypt.
6101 */
6102TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
6103 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6104 .Authorization(TAG_NO_AUTH_REQUIRED)
6105 .AesEncryptionKey(128)
6106 .BlockMode(BlockMode::GCM)
6107 .Padding(PaddingMode::NONE)
6108 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6109
6110 string aad = "1234567890123456";
6111 auto params = AuthorizationSetBuilder()
6112 .BlockMode(BlockMode::GCM)
6113 .Padding(PaddingMode::NONE)
6114 .Authorization(TAG_MAC_LENGTH, 128);
6115
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6116 // Encrypt
6117 AuthorizationSet begin_out_params;
6118 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
6119 string ciphertext;
6120 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6121 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
6122 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6123 EXPECT_TRUE(finish_out_params.empty());
6124
6125 // Grab nonce
6126 params.push_back(begin_out_params);
6127
6128 // Decrypt.
6129 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6130 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6131 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6132 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6133
6134 EXPECT_TRUE(finish_out_params.empty());
6135
6136 EXPECT_EQ("", plaintext);
6137}
6138
6139/*
6140 * EncryptionOperationsTest.AesGcmMultiPartAad
6141 *
6142 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
6143 * chunks.
6144 */
6145TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
6146 const size_t tag_bits = 128;
6147 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6148 .Authorization(TAG_NO_AUTH_REQUIRED)
6149 .AesEncryptionKey(128)
6150 .BlockMode(BlockMode::GCM)
6151 .Padding(PaddingMode::NONE)
6152 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6153
6154 string message = "123456789012345678901234567890123456";
6155 auto begin_params = AuthorizationSetBuilder()
6156 .BlockMode(BlockMode::GCM)
6157 .Padding(PaddingMode::NONE)
6158 .Authorization(TAG_MAC_LENGTH, tag_bits);
6159 AuthorizationSet begin_out_params;
6160
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6161 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
6162
6163 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6164 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
6165 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6166 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6167 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6168 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6169
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6170 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6171 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6172
6173 // Grab nonce.
6174 begin_params.push_back(begin_out_params);
6175
6176 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6177 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6178 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6179 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6180 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6181 EXPECT_EQ(message, plaintext);
6182}
6183
6184/*
6185 * EncryptionOperationsTest.AesGcmAadOutOfOrder
6186 *
6187 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
6188 */
6189TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
6190 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6191 .Authorization(TAG_NO_AUTH_REQUIRED)
6192 .AesEncryptionKey(128)
6193 .BlockMode(BlockMode::GCM)
6194 .Padding(PaddingMode::NONE)
6195 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6196
6197 string message = "123456789012345678901234567890123456";
6198 auto begin_params = AuthorizationSetBuilder()
6199 .BlockMode(BlockMode::GCM)
6200 .Padding(PaddingMode::NONE)
6201 .Authorization(TAG_MAC_LENGTH, 128);
6202 AuthorizationSet begin_out_params;
6203
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6204 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
6205
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6206 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6207 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6208 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
6209 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6210
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6211 // The failure should have already cancelled the operation.
6212 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
6213
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6214 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6215}
6216
6217/*
6218 * EncryptionOperationsTest.AesGcmBadAad
6219 *
6220 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
6221 */
6222TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
6223 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6224 .Authorization(TAG_NO_AUTH_REQUIRED)
6225 .AesEncryptionKey(128)
6226 .BlockMode(BlockMode::GCM)
6227 .Padding(PaddingMode::NONE)
6228 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6229
6230 string message = "12345678901234567890123456789012";
6231 auto begin_params = AuthorizationSetBuilder()
6232 .BlockMode(BlockMode::GCM)
6233 .Padding(PaddingMode::NONE)
6234 .Authorization(TAG_MAC_LENGTH, 128);
6235
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6236 // Encrypt
6237 AuthorizationSet begin_out_params;
6238 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6239 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6240 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6241 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6242
6243 // Grab nonce
6244 begin_params.push_back(begin_out_params);
6245
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6246 // Decrypt.
6247 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6248 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6249 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6250 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6251}
6252
6253/*
6254 * EncryptionOperationsTest.AesGcmWrongNonce
6255 *
6256 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
6257 */
6258TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
6259 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6260 .Authorization(TAG_NO_AUTH_REQUIRED)
6261 .AesEncryptionKey(128)
6262 .BlockMode(BlockMode::GCM)
6263 .Padding(PaddingMode::NONE)
6264 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6265
6266 string message = "12345678901234567890123456789012";
6267 auto begin_params = AuthorizationSetBuilder()
6268 .BlockMode(BlockMode::GCM)
6269 .Padding(PaddingMode::NONE)
6270 .Authorization(TAG_MAC_LENGTH, 128);
6271
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6272 // Encrypt
6273 AuthorizationSet begin_out_params;
6274 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6275 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6276 string ciphertext;
6277 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6278 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6279
6280 // Wrong nonce
6281 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
6282
6283 // Decrypt.
6284 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6285 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6286 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6287 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6288
6289 // With wrong nonce, should have gotten garbage plaintext (or none).
6290 EXPECT_NE(message, plaintext);
6291}
6292
6293/*
6294 * EncryptionOperationsTest.AesGcmCorruptTag
6295 *
6296 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
6297 */
6298TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
6299 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6300 .Authorization(TAG_NO_AUTH_REQUIRED)
6301 .AesEncryptionKey(128)
6302 .BlockMode(BlockMode::GCM)
6303 .Padding(PaddingMode::NONE)
6304 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
6305
6306 string aad = "1234567890123456";
6307 string message = "123456789012345678901234567890123456";
6308
6309 auto params = AuthorizationSetBuilder()
6310 .BlockMode(BlockMode::GCM)
6311 .Padding(PaddingMode::NONE)
6312 .Authorization(TAG_MAC_LENGTH, 128);
6313
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6314 // Encrypt
6315 AuthorizationSet begin_out_params;
6316 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6317 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6318 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6319 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6320
6321 // Corrupt tag
6322 ++(*ciphertext.rbegin());
6323
6324 // Grab nonce
6325 params.push_back(begin_out_params);
6326
6327 // Decrypt.
6328 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6329 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6330 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6331 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6332}
6333
6334/*
6335 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
6336 *
6337 * Verifies that 3DES is basically functional.
6338 */
6339TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
6340 auto auths = AuthorizationSetBuilder()
6341 .TripleDesEncryptionKey(168)
6342 .BlockMode(BlockMode::ECB)
6343 .Authorization(TAG_NO_AUTH_REQUIRED)
6344 .Padding(PaddingMode::NONE);
6345
6346 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
6347 // Two-block message.
6348 string message = "1234567890123456";
6349 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6350 string ciphertext1 = EncryptMessage(message, inParams);
6351 EXPECT_EQ(message.size(), ciphertext1.size());
6352
6353 string ciphertext2 = EncryptMessage(string(message), inParams);
6354 EXPECT_EQ(message.size(), ciphertext2.size());
6355
6356 // ECB is deterministic.
6357 EXPECT_EQ(ciphertext1, ciphertext2);
6358
6359 string plaintext = DecryptMessage(ciphertext1, inParams);
6360 EXPECT_EQ(message, plaintext);
6361}
6362
6363/*
6364 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
6365 *
6366 * Verifies that CBC keys reject ECB usage.
6367 */
6368TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
6369 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6370 .TripleDesEncryptionKey(168)
6371 .BlockMode(BlockMode::CBC)
6372 .Authorization(TAG_NO_AUTH_REQUIRED)
6373 .Padding(PaddingMode::NONE)));
6374
6375 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
6376 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
6377}
6378
6379/*
6380 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
6381 *
6382 * Tests ECB mode with PKCS#7 padding, various message sizes.
6383 */
6384TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
6385 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6386 .TripleDesEncryptionKey(168)
6387 .BlockMode(BlockMode::ECB)
6388 .Authorization(TAG_NO_AUTH_REQUIRED)
6389 .Padding(PaddingMode::PKCS7)));
6390
6391 for (size_t i = 0; i < 32; ++i) {
6392 string message(i, 'a');
6393 auto inParams =
6394 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
6395 string ciphertext = EncryptMessage(message, inParams);
6396 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
6397 string plaintext = DecryptMessage(ciphertext, inParams);
6398 EXPECT_EQ(message, plaintext);
6399 }
6400}
6401
6402/*
6403 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
6404 *
6405 * Verifies that keys configured for no padding reject PKCS7 padding
6406 */
6407TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
6408 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6409 .TripleDesEncryptionKey(168)
6410 .BlockMode(BlockMode::ECB)
6411 .Authorization(TAG_NO_AUTH_REQUIRED)
6412 .Padding(PaddingMode::NONE)));
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]6413 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
6414 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6415}
6416
6417/*
6418 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
6419 *
6420 * Verifies that corrupted padding is detected.
6421 */
6422TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
6423 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6424 .TripleDesEncryptionKey(168)
6425 .BlockMode(BlockMode::ECB)
6426 .Authorization(TAG_NO_AUTH_REQUIRED)
6427 .Padding(PaddingMode::PKCS7)));
6428
6429 string message = "a";
6430 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
6431 EXPECT_EQ(8U, ciphertext.size());
6432 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6433
6434 AuthorizationSetBuilder begin_params;
6435 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
6436 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6437
6438 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
6439 ++ciphertext[ciphertext.size() / 2];
6440
6441 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
6442 string plaintext;
6443 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
6444 ErrorCode error = Finish(&plaintext);
6445 if (error == ErrorCode::INVALID_ARGUMENT) {
6446 // This is the expected error, we can exit the test now.
6447 return;
6448 } else {
6449 // Very small chance we got valid decryption, so try again.
6450 ASSERT_EQ(error, ErrorCode::OK);
6451 }
6452 }
6453 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6454}
6455
6456struct TripleDesTestVector {
6457 const char* name;
6458 const KeyPurpose purpose;
6459 const BlockMode block_mode;
6460 const PaddingMode padding_mode;
6461 const char* key;
6462 const char* iv;
6463 const char* input;
6464 const char* output;
6465};
6466
6467// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
6468// of the NIST vectors are multiples of the block size.
6469static const TripleDesTestVector kTripleDesTestVectors[] = {
6470 {
6471 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
6472 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
6473 "", // IV
6474 "329d86bdf1bc5af4", // input
6475 "d946c2756d78633f", // output
6476 },
6477 {
6478 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
6479 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
6480 "", // IV
6481 "6b1540781b01ce1997adae102dbf3c5b", // input
6482 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
6483 },
6484 {
6485 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
6486 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
6487 "", // IV
6488 "6daad94ce08acfe7", // input
6489 "660e7d32dcc90e79", // output
6490 },
6491 {
6492 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
6493 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
6494 "", // IV
6495 "e9653a0a1f05d31b9acd12d73aa9879d", // input
6496 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
6497 },
6498 {
6499 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
6500 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
6501 "43f791134c5647ba", // IV
6502 "dcc153cef81d6f24", // input
6503 "92538bd8af18d3ba", // output
6504 },
6505 {
6506 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
6507 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6508 "c2e999cb6249023c", // IV
6509 "c689aee38a301bb316da75db36f110b5", // input
6510 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
6511 },
6512 {
6513 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
6514 PaddingMode::PKCS7,
6515 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6516 "c2e999cb6249023c", // IV
6517 "c689aee38a301bb316da75db36f110b500", // input
6518 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
6519 },
6520 {
6521 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
6522 PaddingMode::PKCS7,
6523 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
6524 "c2e999cb6249023c", // IV
6525 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
6526 "c689aee38a301bb316da75db36f110b500", // output
6527 },
6528 {
6529 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
6530 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
6531 "41746c7e442d3681", // IV
6532 "c53a7b0ec40600fe", // input
6533 "d4f00eb455de1034", // output
6534 },
6535 {
6536 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
6537 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
6538 "3982bc02c3727d45", // IV
6539 "6006f10adef52991fcc777a1238bbb65", // input
6540 "edae09288e9e3bc05746d872b48e3b29", // output
6541 },
6542};
6543
6544/*
6545 * EncryptionOperationsTest.TripleDesTestVector
6546 *
6547 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
6548 */
6549TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
6550 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
6551 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
6552 SCOPED_TRACE(test->name);
6553 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
6554 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
6555 hex2str(test->output));
6556 }
6557}
6558
6559/*
6560 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
6561 *
6562 * Validates CBC mode functionality.
6563 */
6564TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
6565 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6566 .TripleDesEncryptionKey(168)
6567 .BlockMode(BlockMode::CBC)
6568 .Authorization(TAG_NO_AUTH_REQUIRED)
6569 .Padding(PaddingMode::NONE)));
6570
6571 ASSERT_GT(key_blob_.size(), 0U);
6572
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6573 // Four-block message.
6574 string message = "12345678901234561234567890123456";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6575 vector<uint8_t> iv1;
6576 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
6577 EXPECT_EQ(message.size(), ciphertext1.size());
6578
6579 vector<uint8_t> iv2;
6580 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
6581 EXPECT_EQ(message.size(), ciphertext2.size());
6582
6583 // IVs should be random, so ciphertexts should differ.
6584 EXPECT_NE(iv1, iv2);
6585 EXPECT_NE(ciphertext1, ciphertext2);
6586
6587 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
6588 EXPECT_EQ(message, plaintext);
6589}
6590
6591/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6592 * EncryptionOperationsTest.TripleDesInvalidCallerIv
6593 *
6594 * Validates that keymint fails correctly when the user supplies an incorrect-size IV.
6595 */
6596TEST_P(EncryptionOperationsTest, TripleDesInvalidCallerIv) {
6597 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6598 .TripleDesEncryptionKey(168)
6599 .BlockMode(BlockMode::CBC)
6600 .Authorization(TAG_NO_AUTH_REQUIRED)
6601 .Authorization(TAG_CALLER_NONCE)
6602 .Padding(PaddingMode::NONE)));
6603 auto params = AuthorizationSetBuilder()
6604 .BlockMode(BlockMode::CBC)
6605 .Padding(PaddingMode::NONE)
6606 .Authorization(TAG_NONCE, AidlBuf("abcdefg"));
6607 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
6608}
6609
6610/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6611 * EncryptionOperationsTest.TripleDesCallerIv
6612 *
6613 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
6614 */
6615TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
6616 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6617 .TripleDesEncryptionKey(168)
6618 .BlockMode(BlockMode::CBC)
6619 .Authorization(TAG_NO_AUTH_REQUIRED)
6620 .Authorization(TAG_CALLER_NONCE)
6621 .Padding(PaddingMode::NONE)));
6622 string message = "1234567890123456";
6623 vector<uint8_t> iv;
6624 // Don't specify IV, should get a random one.
6625 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
6626 EXPECT_EQ(message.size(), ciphertext1.size());
6627 EXPECT_EQ(8U, iv.size());
6628
6629 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
6630 EXPECT_EQ(message, plaintext);
6631
6632 // Now specify an IV, should also work.
6633 iv = AidlBuf("abcdefgh");
6634 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
6635
6636 // Decrypt with correct IV.
6637 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
6638 EXPECT_EQ(message, plaintext);
6639
6640 // Now try with wrong IV.
6641 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
6642 EXPECT_NE(message, plaintext);
6643}
6644
6645/*
6646 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
6647 *
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6648 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVs.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6649 */
6650TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
6651 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6652 .TripleDesEncryptionKey(168)
6653 .BlockMode(BlockMode::CBC)
6654 .Authorization(TAG_NO_AUTH_REQUIRED)
6655 .Padding(PaddingMode::NONE)));
6656
6657 string message = "12345678901234567890123456789012";
6658 vector<uint8_t> iv;
6659 // Don't specify nonce, should get a random one.
6660 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
6661 EXPECT_EQ(message.size(), ciphertext1.size());
6662 EXPECT_EQ(8U, iv.size());
6663
6664 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
6665 EXPECT_EQ(message, plaintext);
6666
6667 // Now specify a nonce, should fail.
6668 auto input_params = AuthorizationSetBuilder()
6669 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
6670 .BlockMode(BlockMode::CBC)
6671 .Padding(PaddingMode::NONE);
6672 AuthorizationSet output_params;
6673 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
6674 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
6675}
6676
6677/*
6678 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
6679 *
6680 * Verifies that 3DES ECB-only keys do not allow CBC usage.
6681 */
6682TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
6683 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6684 .TripleDesEncryptionKey(168)
6685 .BlockMode(BlockMode::ECB)
6686 .Authorization(TAG_NO_AUTH_REQUIRED)
6687 .Padding(PaddingMode::NONE)));
6688 // Two-block message.
6689 string message = "1234567890123456";
6690 auto begin_params =
6691 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6692 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
6693}
6694
6695/*
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6696 * EncryptionOperationsTest.TripleDesEcbCbcNoPaddingWrongInputSize
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6697 *
6698 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
6699 */
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6700TEST_P(EncryptionOperationsTest, TripleDesEcbCbcNoPaddingWrongInputSize) {
6701 for (BlockMode blockMode : {BlockMode::ECB, BlockMode::CBC}) {
6702 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6703 .TripleDesEncryptionKey(168)
6704 .BlockMode(blockMode)
6705 .Authorization(TAG_NO_AUTH_REQUIRED)
6706 .Padding(PaddingMode::NONE)));
6707 // Message is slightly shorter than two blocks.
6708 string message = "123456789012345";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6709
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]6710 auto begin_params =
6711 AuthorizationSetBuilder().BlockMode(blockMode).Padding(PaddingMode::NONE);
6712 AuthorizationSet output_params;
6713 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
6714 string ciphertext;
6715 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
6716
6717 CheckedDeleteKey();
6718 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6719}
6720
6721/*
6722 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
6723 *
6724 * Verifies that PKCS7 padding works correctly in CBC mode.
6725 */
6726TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
6727 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6728 .TripleDesEncryptionKey(168)
6729 .BlockMode(BlockMode::CBC)
6730 .Authorization(TAG_NO_AUTH_REQUIRED)
6731 .Padding(PaddingMode::PKCS7)));
6732
6733 // Try various message lengths; all should work.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6734 for (size_t i = 0; i <= 32; i++) {
6735 SCOPED_TRACE(testing::Message() << "i = " << i);
6736 // Edge case: '\t' (0x09) is also a valid PKCS7 padding character, albeit not for 3DES.
6737 string message(i, '\t');
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6738 vector<uint8_t> iv;
6739 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
6740 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
6741 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
6742 EXPECT_EQ(message, plaintext);
6743 }
6744}
6745
6746/*
6747 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
6748 *
6749 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
6750 */
6751TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
6752 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6753 .TripleDesEncryptionKey(168)
6754 .BlockMode(BlockMode::CBC)
6755 .Authorization(TAG_NO_AUTH_REQUIRED)
6756 .Padding(PaddingMode::NONE)));
6757
6758 // Try various message lengths; all should fail.
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6759 for (size_t i = 0; i <= 32; i++) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6760 auto begin_params =
6761 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
6762 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
6763 }
6764}
6765
6766/*
6767 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
6768 *
6769 * Verifies that corrupted PKCS7 padding is rejected during decryption.
6770 */
6771TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
6772 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6773 .TripleDesEncryptionKey(168)
6774 .BlockMode(BlockMode::CBC)
6775 .Authorization(TAG_NO_AUTH_REQUIRED)
6776 .Padding(PaddingMode::PKCS7)));
6777
6778 string message = "a";
6779 vector<uint8_t> iv;
6780 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
6781 EXPECT_EQ(8U, ciphertext.size());
6782 EXPECT_NE(ciphertext, message);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6783
6784 auto begin_params = AuthorizationSetBuilder()
6785 .BlockMode(BlockMode::CBC)
6786 .Padding(PaddingMode::PKCS7)
6787 .Authorization(TAG_NONCE, iv);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6788
6789 for (size_t i = 0; i < kMaxPaddingCorruptionRetries; ++i) {
Brian J Murray734c8412022-01-13 14:55:30 -0800[diff] [blame]6790 SCOPED_TRACE(testing::Message() << "i = " << i);
Seth Moore7a55ae32021-06-23 14:28:11 -0700[diff] [blame]6791 ++ciphertext[ciphertext.size() / 2];
6792 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
6793 string plaintext;
6794 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
6795 ErrorCode error = Finish(&plaintext);
6796 if (error == ErrorCode::INVALID_ARGUMENT) {
6797 // This is the expected error, we can exit the test now.
6798 return;
6799 } else {
6800 // Very small chance we got valid decryption, so try again.
6801 ASSERT_EQ(error, ErrorCode::OK);
6802 }
6803 }
6804 FAIL() << "Corrupt ciphertext should have failed to decrypt by now.";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6805}
6806
6807/*
6808 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
6809 *
6810 * Verifies that 3DES CBC works with many different input sizes.
6811 */
6812TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
6813 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6814 .TripleDesEncryptionKey(168)
6815 .BlockMode(BlockMode::CBC)
6816 .Authorization(TAG_NO_AUTH_REQUIRED)
6817 .Padding(PaddingMode::NONE)));
6818
6819 int increment = 7;
6820 string message(240, 'a');
6821 AuthorizationSet input_params =
6822 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
6823 AuthorizationSet output_params;
6824 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
6825
6826 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6827 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6828 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6829 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
6830 EXPECT_EQ(message.size(), ciphertext.size());
6831
6832 // Move TAG_NONCE into input_params
6833 input_params = output_params;
6834 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
6835 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
6836 output_params.Clear();
6837
6838 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
6839 string plaintext;
6840 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]6841 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6842 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
6843 EXPECT_EQ(ciphertext.size(), plaintext.size());
6844 EXPECT_EQ(message, plaintext);
6845}
6846
6847INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
6848
6849typedef KeyMintAidlTestBase MaxOperationsTest;
6850
6851/*
6852 * MaxOperationsTest.TestLimitAes
6853 *
6854 * Verifies that the max uses per boot tag works correctly with AES keys.
6855 */
6856TEST_P(MaxOperationsTest, TestLimitAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6857 if (SecLevel() == SecurityLevel::STRONGBOX) {
6858 GTEST_SKIP() << "Test not applicable to StrongBox device";
6859 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6860
6861 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6862 .Authorization(TAG_NO_AUTH_REQUIRED)
6863 .AesEncryptionKey(128)
6864 .EcbMode()
6865 .Padding(PaddingMode::NONE)
6866 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
6867
6868 string message = "1234567890123456";
6869
6870 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6871
6872 EncryptMessage(message, params);
6873 EncryptMessage(message, params);
6874 EncryptMessage(message, params);
6875
6876 // Fourth time should fail.
6877 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
6878}
6879
6880/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6881 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6882 *
6883 * Verifies that the max uses per boot tag works correctly with RSA keys.
6884 */
6885TEST_P(MaxOperationsTest, TestLimitRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6886 if (SecLevel() == SecurityLevel::STRONGBOX) {
6887 GTEST_SKIP() << "Test not applicable to StrongBox device";
6888 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6889
6890 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6891 .Authorization(TAG_NO_AUTH_REQUIRED)
6892 .RsaSigningKey(1024, 65537)
6893 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]6894 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
6895 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]6896
6897 string message = "1234567890123456";
6898
6899 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
6900
6901 SignMessage(message, params);
6902 SignMessage(message, params);
6903 SignMessage(message, params);
6904
6905 // Fourth time should fail.
6906 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
6907}
6908
6909INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
6910
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6911typedef KeyMintAidlTestBase UsageCountLimitTest;
6912
6913/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6914 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6915 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6916 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6917 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6918TEST_P(UsageCountLimitTest, TestSingleUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6919 if (SecLevel() == SecurityLevel::STRONGBOX) {
6920 GTEST_SKIP() << "Test not applicable to StrongBox device";
6921 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6922
6923 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6924 .Authorization(TAG_NO_AUTH_REQUIRED)
6925 .AesEncryptionKey(128)
6926 .EcbMode()
6927 .Padding(PaddingMode::NONE)
6928 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
6929
6930 // Check the usage count limit tag appears in the authorizations.
6931 AuthorizationSet auths;
6932 for (auto& entry : key_characteristics_) {
6933 auths.push_back(AuthorizationSet(entry.authorizations));
6934 }
6935 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
6936 << "key usage count limit " << 1U << " missing";
6937
6938 string message = "1234567890123456";
6939 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6940
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6941 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6942 AuthorizationSet keystore_auths =
6943 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6944
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6945 // First usage of AES key should work.
6946 EncryptMessage(message, params);
6947
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6948 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
6949 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6950 // must be invalidated from secure storage (such as RPMB partition).
6951 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
6952 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6953 // Usage count limit tag is enforced by keystore, keymint does nothing.
6954 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6955 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
6956 }
6957}
6958
6959/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6960 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6961 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6962 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]6963 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6964TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]6965 if (SecLevel() == SecurityLevel::STRONGBOX) {
6966 GTEST_SKIP() << "Test not applicable to StrongBox device";
6967 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]6968
6969 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
6970 .Authorization(TAG_NO_AUTH_REQUIRED)
6971 .AesEncryptionKey(128)
6972 .EcbMode()
6973 .Padding(PaddingMode::NONE)
6974 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
6975
6976 // Check the usage count limit tag appears in the authorizations.
6977 AuthorizationSet auths;
6978 for (auto& entry : key_characteristics_) {
6979 auths.push_back(AuthorizationSet(entry.authorizations));
6980 }
6981 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
6982 << "key usage count limit " << 3U << " missing";
6983
6984 string message = "1234567890123456";
6985 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
6986
6987 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
6988 AuthorizationSet keystore_auths =
6989 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
6990
6991 EncryptMessage(message, params);
6992 EncryptMessage(message, params);
6993 EncryptMessage(message, params);
6994
6995 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
6996 // Usage count limit tag is enforced by hardware. After using the key, the key blob
6997 // must be invalidated from secure storage (such as RPMB partition).
6998 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
6999 } else {
7000 // Usage count limit tag is enforced by keystore, keymint does nothing.
7001 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
7002 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
7003 }
7004}
7005
7006/*
7007 * UsageCountLimitTest.TestSingleUseRsa
7008 *
7009 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
7010 */
7011TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7012 if (SecLevel() == SecurityLevel::STRONGBOX) {
7013 GTEST_SKIP() << "Test not applicable to StrongBox device";
7014 }
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7015
7016 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7017 .Authorization(TAG_NO_AUTH_REQUIRED)
7018 .RsaSigningKey(1024, 65537)
7019 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7020 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7021 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7022
7023 // Check the usage count limit tag appears in the authorizations.
7024 AuthorizationSet auths;
7025 for (auto& entry : key_characteristics_) {
7026 auths.push_back(AuthorizationSet(entry.authorizations));
7027 }
7028 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7029 << "key usage count limit " << 1U << " missing";
7030
7031 string message = "1234567890123456";
7032 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7033
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7034 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7035 AuthorizationSet keystore_auths =
7036 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7037
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7038 // First usage of RSA key should work.
7039 SignMessage(message, params);
7040
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7041 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
7042 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7043 // must be invalidated from secure storage (such as RPMB partition).
7044 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7045 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7046 // Usage count limit tag is enforced by keystore, keymint does nothing.
7047 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
7048 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
7049 }
7050}
7051
7052/*
7053 * UsageCountLimitTest.TestLimitUseRsa
7054 *
7055 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
7056 */
7057TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7058 if (SecLevel() == SecurityLevel::STRONGBOX) {
7059 GTEST_SKIP() << "Test not applicable to StrongBox device";
7060 }
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7061
7062 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7063 .Authorization(TAG_NO_AUTH_REQUIRED)
7064 .RsaSigningKey(1024, 65537)
7065 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7066 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
7067 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]7068
7069 // Check the usage count limit tag appears in the authorizations.
7070 AuthorizationSet auths;
7071 for (auto& entry : key_characteristics_) {
7072 auths.push_back(AuthorizationSet(entry.authorizations));
7073 }
7074 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
7075 << "key usage count limit " << 3U << " missing";
7076
7077 string message = "1234567890123456";
7078 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7079
7080 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7081 AuthorizationSet keystore_auths =
7082 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
7083
7084 SignMessage(message, params);
7085 SignMessage(message, params);
7086 SignMessage(message, params);
7087
7088 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
7089 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7090 // must be invalidated from secure storage (such as RPMB partition).
7091 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
7092 } else {
7093 // Usage count limit tag is enforced by keystore, keymint does nothing.
7094 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7095 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
7096 }
7097}
7098
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7099/*
7100 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
7101 *
7102 * Verifies that when rollback resistance is supported by the KeyMint implementation with
7103 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
7104 * in hardware.
7105 */
7106TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7107 if (SecLevel() == SecurityLevel::STRONGBOX) {
7108 GTEST_SKIP() << "Test not applicable to StrongBox device";
7109 }
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7110
7111 auto error = GenerateKey(AuthorizationSetBuilder()
7112 .RsaSigningKey(2048, 65537)
7113 .Digest(Digest::NONE)
7114 .Padding(PaddingMode::NONE)
7115 .Authorization(TAG_NO_AUTH_REQUIRED)
7116 .Authorization(TAG_ROLLBACK_RESISTANCE)
7117 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7118 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7119 GTEST_SKIP() << "Rollback resistance not supported";
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7120 }
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7121
7122 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
7123 ASSERT_EQ(ErrorCode::OK, error);
7124 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7125 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
7126 ASSERT_EQ(ErrorCode::OK, DeleteKey());
7127
7128 // The KeyMint should also enforce single use key in hardware when it supports rollback
7129 // resistance.
7130 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7131 .Authorization(TAG_NO_AUTH_REQUIRED)
7132 .RsaSigningKey(1024, 65537)
7133 .NoDigestOrPadding()
7134 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
7135 .SetDefaultValidity()));
7136
7137 // Check the usage count limit tag appears in the hardware authorizations.
7138 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
7139 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
7140 << "key usage count limit " << 1U << " missing";
7141
7142 string message = "1234567890123456";
7143 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
7144
7145 // First usage of RSA key should work.
7146 SignMessage(message, params);
7147
7148 // Usage count limit tag is enforced by hardware. After using the key, the key blob
7149 // must be invalidated from secure storage (such as RPMB partition).
7150 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7151}
7152
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]7153INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
7154
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7155typedef KeyMintAidlTestBase GetHardwareInfoTest;
7156
7157TEST_P(GetHardwareInfoTest, GetHardwareInfo) {
7158 // Retrieving hardware info should give the same result each time.
7159 KeyMintHardwareInfo info;
7160 ASSERT_TRUE(keyMint().getHardwareInfo(&info).isOk());
7161 KeyMintHardwareInfo info2;
7162 ASSERT_TRUE(keyMint().getHardwareInfo(&info2).isOk());
7163 EXPECT_EQ(info, info2);
7164}
7165
7166INSTANTIATE_KEYMINT_AIDL_TEST(GetHardwareInfoTest);
7167
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7168typedef KeyMintAidlTestBase AddEntropyTest;
7169
7170/*
7171 * AddEntropyTest.AddEntropy
7172 *
7173 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
7174 * is actually added.
7175 */
7176TEST_P(AddEntropyTest, AddEntropy) {
7177 string data = "foo";
7178 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
7179}
7180
7181/*
7182 * AddEntropyTest.AddEmptyEntropy
7183 *
7184 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
7185 */
7186TEST_P(AddEntropyTest, AddEmptyEntropy) {
7187 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
7188}
7189
7190/*
7191 * AddEntropyTest.AddLargeEntropy
7192 *
7193 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
7194 */
7195TEST_P(AddEntropyTest, AddLargeEntropy) {
7196 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
7197}
7198
David Drysdalebb3d85e2021-04-13 11:15:51 +0100[diff] [blame]7199/*
7200 * AddEntropyTest.AddTooLargeEntropy
7201 *
7202 * Verifies that the addRngEntropy method rejects more than 2KiB of data.
7203 */
7204TEST_P(AddEntropyTest, AddTooLargeEntropy) {
7205 ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
7206 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
7207}
7208
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7209INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
7210
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7211typedef KeyMintAidlTestBase KeyDeletionTest;
7212
7213/**
7214 * KeyDeletionTest.DeleteKey
7215 *
7216 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
7217 * valid key blob.
7218 */
7219TEST_P(KeyDeletionTest, DeleteKey) {
7220 auto error = GenerateKey(AuthorizationSetBuilder()
7221 .RsaSigningKey(2048, 65537)
7222 .Digest(Digest::NONE)
7223 .Padding(PaddingMode::NONE)
7224 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7225 .Authorization(TAG_ROLLBACK_RESISTANCE)
7226 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7227 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7228 GTEST_SKIP() << "Rollback resistance not supported";
7229 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7230
7231 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7232 ASSERT_EQ(ErrorCode::OK, error);
7233 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7234 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7235
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7236 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7237
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7238 string message = "12345678901234567890123456789012";
7239 AuthorizationSet begin_out_params;
7240 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
7241 Begin(KeyPurpose::SIGN, key_blob_,
7242 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
7243 &begin_out_params));
7244 AbortIfNeeded();
7245 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7246}
7247
7248/**
7249 * KeyDeletionTest.DeleteInvalidKey
7250 *
7251 * This test checks that the HAL excepts invalid key blobs..
7252 */
7253TEST_P(KeyDeletionTest, DeleteInvalidKey) {
7254 // Generate key just to check if rollback protection is implemented
7255 auto error = GenerateKey(AuthorizationSetBuilder()
7256 .RsaSigningKey(2048, 65537)
7257 .Digest(Digest::NONE)
7258 .Padding(PaddingMode::NONE)
7259 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]7260 .Authorization(TAG_ROLLBACK_RESISTANCE)
7261 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7262 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7263 GTEST_SKIP() << "Rollback resistance not supported";
7264 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7265
7266 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7267 ASSERT_EQ(ErrorCode::OK, error);
7268 AuthorizationSet enforced(SecLevelAuthorizations());
7269 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7270
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7271 // Delete the key we don't care about the result at this point.
7272 DeleteKey();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7273
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7274 // Now create an invalid key blob and delete it.
7275 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7276
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7277 ASSERT_EQ(ErrorCode::OK, DeleteKey());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7278}
7279
7280/**
7281 * KeyDeletionTest.DeleteAllKeys
7282 *
7283 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
7284 *
7285 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
7286 * FBE/FDE encryption keys, which means that the device will not even boot until after the
7287 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
7288 * been provisioned. Use this test only on dedicated testing devices that have no valuable
7289 * credentials stored in Keystore/Keymint.
7290 */
7291TEST_P(KeyDeletionTest, DeleteAllKeys) {
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7292 if (!arm_deleteAllKeys) {
7293 GTEST_SKIP() << "Option --arm_deleteAllKeys not set";
7294 return;
7295 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7296 auto error = GenerateKey(AuthorizationSetBuilder()
7297 .RsaSigningKey(2048, 65537)
7298 .Digest(Digest::NONE)
7299 .Padding(PaddingMode::NONE)
7300 .Authorization(TAG_NO_AUTH_REQUIRED)
Shawn Willden9a7410e2021-08-02 12:28:42 -0600[diff] [blame]7301 .Authorization(TAG_ROLLBACK_RESISTANCE)
7302 .SetDefaultValidity());
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7303 if (error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE) {
7304 GTEST_SKIP() << "Rollback resistance not supported";
7305 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7306
7307 // Delete must work if rollback protection is implemented
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7308 ASSERT_EQ(ErrorCode::OK, error);
7309 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
7310 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7311
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7312 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7313
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7314 string message = "12345678901234567890123456789012";
7315 AuthorizationSet begin_out_params;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7316
David Drysdale513bf122021-10-06 11:53:13 +0100[diff] [blame]7317 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
7318 Begin(KeyPurpose::SIGN, key_blob_,
7319 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
7320 &begin_out_params));
7321 AbortIfNeeded();
7322 key_blob_ = AidlBuf();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7323}
7324
7325INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
7326
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7327typedef KeyMintAidlTestBase KeyUpgradeTest;
7328
7329/**
7330 * KeyUpgradeTest.UpgradeInvalidKey
7331 *
7332 * This test checks that the HAL excepts invalid key blobs..
7333 */
7334TEST_P(KeyUpgradeTest, UpgradeInvalidKey) {
7335 AidlBuf key_blob = AidlBuf("just some garbage data which is not a valid key blob");
7336
7337 std::vector<uint8_t> new_blob;
7338 Status result = keymint_->upgradeKey(key_blob,
7339 AuthorizationSetBuilder()
7340 .Authorization(TAG_APPLICATION_ID, "clientid")
7341 .Authorization(TAG_APPLICATION_DATA, "appdata")
7342 .vector_data(),
7343 &new_blob);
7344 ASSERT_EQ(ErrorCode::INVALID_KEY_BLOB, GetReturnErrorCode(result));
7345}
7346
7347INSTANTIATE_KEYMINT_AIDL_TEST(KeyUpgradeTest);
7348
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7349using UpgradeKeyTest = KeyMintAidlTestBase;
7350
7351/*
7352 * UpgradeKeyTest.UpgradeKey
7353 *
7354 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
7355 */
7356TEST_P(UpgradeKeyTest, UpgradeKey) {
7357 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7358 .AesEncryptionKey(128)
7359 .Padding(PaddingMode::NONE)
7360 .Authorization(TAG_NO_AUTH_REQUIRED)));
7361
7362 auto result = UpgradeKey(key_blob_);
7363
7364 // Key doesn't need upgrading. Should get okay, but no new key blob.
7365 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
7366}
7367
7368INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
7369
7370using ClearOperationsTest = KeyMintAidlTestBase;
7371
7372/*
7373 * ClearSlotsTest.TooManyOperations
7374 *
7375 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
7376 * operations are started without being finished or aborted. Also verifies
7377 * that aborting the operations clears the operations.
7378 *
7379 */
7380TEST_P(ClearOperationsTest, TooManyOperations) {
7381 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7382 .Authorization(TAG_NO_AUTH_REQUIRED)
7383 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]7384 .Padding(PaddingMode::NONE)
7385 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7386
7387 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
7388 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]7389 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7390 AuthorizationSet out_params;
7391 ErrorCode result;
7392 size_t i;
7393
7394 for (i = 0; i < max_operations; i++) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7395 result = Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params, op_handles[i]);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7396 if (ErrorCode::OK != result) {
7397 break;
7398 }
7399 }
7400 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
7401 // Try again just in case there's a weird overflow bug
7402 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7403 Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7404 for (size_t j = 0; j < i; j++) {
7405 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
7406 << "Aboort failed for i = " << j << std::endl;
7407 }
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7408 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, key_blob_, params, &out_params));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7409 AbortIfNeeded();
7410}
7411
7412INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
7413
7414typedef KeyMintAidlTestBase TransportLimitTest;
7415
7416/*
David Drysdale7de9feb2021-03-05 14:56:19 +0000[diff] [blame]7417 * TransportLimitTest.LargeFinishInput
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7418 *
7419 * Verifies that passing input data to finish succeeds as expected.
7420 */
7421TEST_P(TransportLimitTest, LargeFinishInput) {
7422 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7423 .Authorization(TAG_NO_AUTH_REQUIRED)
7424 .AesEncryptionKey(128)
7425 .BlockMode(BlockMode::ECB)
7426 .Padding(PaddingMode::NONE)));
7427
7428 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
7429 auto cipher_params =
7430 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
7431
7432 AuthorizationSet out_params;
7433 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
7434
7435 string plain_message = std::string(1 << msg_size, 'x');
7436 string encrypted_message;
7437 auto rc = Finish(plain_message, &encrypted_message);
7438
7439 EXPECT_EQ(ErrorCode::OK, rc);
7440 EXPECT_EQ(plain_message.size(), encrypted_message.size())
7441 << "Encrypt finish returned OK, but did not consume all of the given input";
7442 cipher_params.push_back(out_params);
7443
7444 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
7445
7446 string decrypted_message;
7447 rc = Finish(encrypted_message, &decrypted_message);
7448 EXPECT_EQ(ErrorCode::OK, rc);
7449 EXPECT_EQ(plain_message.size(), decrypted_message.size())
7450 << "Decrypt finish returned OK, did not consume all of the given input";
7451 }
7452}
7453
7454INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
7455
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]7456static int EcdhCurveToOpenSslCurveName(EcCurve curve) {
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7457 switch (curve) {
7458 case EcCurve::P_224:
7459 return NID_secp224r1;
7460 case EcCurve::P_256:
7461 return NID_X9_62_prime256v1;
7462 case EcCurve::P_384:
7463 return NID_secp384r1;
7464 case EcCurve::P_521:
7465 return NID_secp521r1;
Seth Moored79a0ec2021-12-13 20:03:33 +0000[diff] [blame]7466 case EcCurve::CURVE_25519:
7467 return NID_X25519;
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7468 }
7469}
7470
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7471class KeyAgreementTest : public KeyMintAidlTestBase {
7472 protected:
7473 void GenerateLocalEcKey(EcCurve localCurve, EVP_PKEY_Ptr* localPrivKey,
7474 std::vector<uint8_t>* localPublicKey) {
7475 // Generate EC key locally (with access to private key material)
7476 if (localCurve == EcCurve::CURVE_25519) {
7477 uint8_t privKeyData[32];
7478 uint8_t pubKeyData[32];
7479 X25519_keypair(pubKeyData, privKeyData);
7480 *localPublicKey = vector<uint8_t>(pubKeyData, pubKeyData + 32);
7481 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new_raw_private_key(
7482 EVP_PKEY_X25519, nullptr, privKeyData, sizeof(privKeyData)));
7483 } else {
7484 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
7485 int curveName = EcdhCurveToOpenSslCurveName(localCurve);
7486 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
7487 ASSERT_NE(group, nullptr);
7488 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
7489 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
7490 *localPrivKey = EVP_PKEY_Ptr(EVP_PKEY_new());
7491 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(localPrivKey->get(), ecKey.get()), 1);
7492
7493 // Get encoded form of the public part of the locally generated key...
7494 unsigned char* p = nullptr;
7495 int localPublicKeySize = i2d_PUBKEY(localPrivKey->get(), &p);
7496 ASSERT_GT(localPublicKeySize, 0);
7497 *localPublicKey =
7498 vector<uint8_t>(reinterpret_cast<const uint8_t*>(p),
7499 reinterpret_cast<const uint8_t*>(p + localPublicKeySize));
7500 OPENSSL_free(p);
7501 }
7502 }
7503
7504 void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
7505 vector<uint8_t> challenge = {0x41, 0x42};
subrahmanyaman7d9bc462022-03-16 01:40:39 +0000[diff] [blame]7506 auto builder = AuthorizationSetBuilder()
7507 .Authorization(TAG_NO_AUTH_REQUIRED)
7508 .Authorization(TAG_EC_CURVE, curve)
7509 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
7510 .Authorization(TAG_ALGORITHM, Algorithm::EC)
7511 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
7512 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
7513 .SetDefaultValidity();
7514 ErrorCode result = GenerateKey(builder);
7515
7516 if (SecLevel() == SecurityLevel::STRONGBOX) {
7517 if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
7518 result = GenerateKeyWithSelfSignedAttestKey(
7519 AuthorizationSetBuilder()
7520 .EcdsaKey(EcCurve::P_256)
7521 .AttestKey()
7522 .SetDefaultValidity(), /* attest key params */
7523 builder, &key_blob_, &key_characteristics_, &cert_chain_);
7524 }
7525 }
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7526 ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
7527 ASSERT_GT(cert_chain_.size(), 0);
7528 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
7529 ASSERT_NE(kmKeyCert, nullptr);
7530 // Check that keyAgreement (bit 4) is set in KeyUsage
7531 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
7532 *kmPubKey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
7533 ASSERT_NE(*kmPubKey, nullptr);
7534 if (dump_Attestations) {
7535 for (size_t n = 0; n < cert_chain_.size(); n++) {
7536 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
7537 }
7538 }
7539 }
7540
7541 void CheckAgreement(EVP_PKEY_Ptr kmPubKey, EVP_PKEY_Ptr localPrivKey,
7542 const std::vector<uint8_t>& localPublicKey) {
7543 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7544 string ZabFromKeyMintStr;
7545 ASSERT_EQ(ErrorCode::OK,
7546 Finish(string(localPublicKey.begin(), localPublicKey.end()), &ZabFromKeyMintStr));
7547 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
7548 vector<uint8_t> ZabFromTest;
7549
7550 if (EVP_PKEY_id(kmPubKey.get()) == EVP_PKEY_X25519) {
7551 size_t kmPubKeySize = 32;
7552 uint8_t kmPubKeyData[32];
7553 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
7554 ASSERT_EQ(kmPubKeySize, 32);
7555
7556 uint8_t localPrivKeyData[32];
7557 size_t localPrivKeySize = 32;
7558 ASSERT_EQ(1, EVP_PKEY_get_raw_private_key(localPrivKey.get(), localPrivKeyData,
7559 &localPrivKeySize));
7560 ASSERT_EQ(localPrivKeySize, 32);
7561
7562 uint8_t sharedKey[32];
7563 ASSERT_EQ(1, X25519(sharedKey, localPrivKeyData, kmPubKeyData));
7564 ZabFromTest = std::vector<uint8_t>(sharedKey, sharedKey + 32);
7565 } else {
7566 // Perform local ECDH between the two keys so we can check if we get the same Zab..
7567 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(localPrivKey.get(), nullptr));
7568 ASSERT_NE(ctx, nullptr);
7569 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
7570 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPubKey.get()), 1);
7571 size_t ZabFromTestLen = 0;
7572 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
7573 ZabFromTest.resize(ZabFromTestLen);
7574 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
7575 }
7576 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
7577 }
7578};
7579
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7580/*
7581 * KeyAgreementTest.Ecdh
7582 *
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7583 * Verifies that ECDH works for all required curves
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7584 */
7585TEST_P(KeyAgreementTest, Ecdh) {
7586 // Because it's possible to use this API with keys on different curves, we
7587 // check all N^2 combinations where N is the number of supported
7588 // curves.
7589 //
7590 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
7591 // lot more curves we can be smart about things and just pick |otherCurve| so
7592 // it's not |curve| and that way we end up with only 2*N runs
7593 //
7594 for (auto curve : ValidCurves()) {
7595 for (auto localCurve : ValidCurves()) {
7596 // Generate EC key locally (with access to private key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7597 EVP_PKEY_Ptr localPrivKey;
7598 vector<uint8_t> localPublicKey;
7599 GenerateLocalEcKey(localCurve, &localPrivKey, &localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7600
7601 // Generate EC key in KeyMint (only access to public key material)
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7602 EVP_PKEY_Ptr kmPubKey;
7603 GenerateKeyMintEcKey(curve, &kmPubKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7604
7605 // Now that we have the two keys, we ask KeyMint to perform ECDH...
7606 if (curve != localCurve) {
7607 // If the keys are using different curves KeyMint should fail with
7608 // ErrorCode:INVALID_ARGUMENT. Check that.
7609 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7610 string ZabFromKeyMintStr;
7611 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7612 Finish(string(localPublicKey.begin(), localPublicKey.end()),
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7613 &ZabFromKeyMintStr));
7614
7615 } else {
7616 // Otherwise if the keys are using the same curve, it should work.
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7617 CheckAgreement(std::move(kmPubKey), std::move(localPrivKey), localPublicKey);
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7618 }
7619
7620 CheckedDeleteKey();
7621 }
7622 }
7623}
7624
David Drysdale42fe1892021-10-14 14:43:46 +0100[diff] [blame]7625/*
7626 * KeyAgreementTest.EcdhCurve25519
7627 *
7628 * Verifies that ECDH works for curve25519. This is also covered by the general
7629 * KeyAgreementTest.Ecdh case, but is pulled out separately here because this curve was added after
7630 * KeyMint 1.0.
7631 */
7632TEST_P(KeyAgreementTest, EcdhCurve25519) {
7633 if (!Curve25519Supported()) {
7634 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7635 }
7636
7637 // Generate EC key in KeyMint (only access to public key material)
7638 EcCurve curve = EcCurve::CURVE_25519;
7639 EVP_PKEY_Ptr kmPubKey = nullptr;
7640 GenerateKeyMintEcKey(curve, &kmPubKey);
7641
7642 // Generate EC key on same curve locally (with access to private key material).
7643 EVP_PKEY_Ptr privKey;
7644 vector<uint8_t> encodedPublicKey;
7645 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7646
7647 // Agree on a key between local and KeyMint and check it.
7648 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
7649
7650 CheckedDeleteKey();
7651}
7652
7653/*
7654 * KeyAgreementTest.EcdhCurve25519Imported
7655 *
7656 * Verifies that ECDH works for an imported curve25519 key.
7657 */
7658TEST_P(KeyAgreementTest, EcdhCurve25519Imported) {
7659 if (!Curve25519Supported()) {
7660 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7661 }
7662
7663 // Import x25519 key into KeyMint.
7664 EcCurve curve = EcCurve::CURVE_25519;
7665 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
7666 .Authorization(TAG_NO_AUTH_REQUIRED)
7667 .EcdsaKey(EcCurve::CURVE_25519)
7668 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
7669 .SetDefaultValidity(),
7670 KeyFormat::PKCS8, x25519_pkcs8_key));
7671 ASSERT_GT(cert_chain_.size(), 0);
7672 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
7673 ASSERT_NE(kmKeyCert, nullptr);
7674 EVP_PKEY_Ptr kmPubKey(X509_get_pubkey(kmKeyCert.get()));
7675 ASSERT_NE(kmPubKey.get(), nullptr);
7676
7677 // Expect the import to emit corresponding public key data.
7678 size_t kmPubKeySize = 32;
7679 uint8_t kmPubKeyData[32];
7680 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(kmPubKey.get(), kmPubKeyData, &kmPubKeySize));
7681 ASSERT_EQ(kmPubKeySize, 32);
7682 EXPECT_EQ(bin2hex(std::vector<uint8_t>(kmPubKeyData, kmPubKeyData + 32)),
7683 bin2hex(std::vector<uint8_t>(x25519_pubkey.begin(), x25519_pubkey.end())));
7684
7685 // Generate EC key on same curve locally (with access to private key material).
7686 EVP_PKEY_Ptr privKey;
7687 vector<uint8_t> encodedPublicKey;
7688 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7689
7690 // Agree on a key between local and KeyMint and check it.
7691 CheckAgreement(std::move(kmPubKey), std::move(privKey), encodedPublicKey);
7692
7693 CheckedDeleteKey();
7694}
7695
7696/*
7697 * KeyAgreementTest.EcdhCurve25519InvalidSize
7698 *
7699 * Verifies that ECDH fails for curve25519 if the wrong size of public key is provided.
7700 */
7701TEST_P(KeyAgreementTest, EcdhCurve25519InvalidSize) {
7702 if (!Curve25519Supported()) {
7703 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7704 }
7705
7706 // Generate EC key in KeyMint (only access to public key material)
7707 EcCurve curve = EcCurve::CURVE_25519;
7708 EVP_PKEY_Ptr kmPubKey = nullptr;
7709 GenerateKeyMintEcKey(curve, &kmPubKey);
7710
7711 // Generate EC key on same curve locally (with access to private key material).
7712 EVP_PKEY_Ptr privKey;
7713 vector<uint8_t> encodedPublicKey;
7714 GenerateLocalEcKey(curve, &privKey, &encodedPublicKey);
7715
7716 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7717 string ZabFromKeyMintStr;
7718 // Send in an incomplete public key.
7719 ASSERT_NE(ErrorCode::OK, Finish(string(encodedPublicKey.begin(), encodedPublicKey.end() - 1),
7720 &ZabFromKeyMintStr));
7721
7722 CheckedDeleteKey();
7723}
7724
7725/*
7726 * KeyAgreementTest.EcdhCurve25519Mismatch
7727 *
7728 * Verifies that ECDH fails between curve25519 and other curves.
7729 */
7730TEST_P(KeyAgreementTest, EcdhCurve25519Mismatch) {
7731 if (!Curve25519Supported()) {
7732 GTEST_SKIP() << "Test not applicable to device that is not expected to support curve 25519";
7733 }
7734
7735 // Generate EC key in KeyMint (only access to public key material)
7736 EcCurve curve = EcCurve::CURVE_25519;
7737 EVP_PKEY_Ptr kmPubKey = nullptr;
7738 GenerateKeyMintEcKey(curve, &kmPubKey);
7739
7740 for (auto localCurve : ValidCurves()) {
7741 if (localCurve == curve) {
7742 continue;
7743 }
7744 // Generate EC key on a different curve locally (with access to private key material).
7745 EVP_PKEY_Ptr privKey;
7746 vector<uint8_t> encodedPublicKey;
7747 GenerateLocalEcKey(localCurve, &privKey, &encodedPublicKey);
7748
7749 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
7750 string ZabFromKeyMintStr;
7751 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
7752 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
7753 &ZabFromKeyMintStr));
7754 }
7755
7756 CheckedDeleteKey();
7757}
7758
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]7759INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
7760
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7761using DestroyAttestationIdsTest = KeyMintAidlTestBase;
7762
7763// This is a problematic test, as it can render the device under test permanently unusable.
7764// Re-enable and run at your own risk.
7765TEST_P(DestroyAttestationIdsTest, DISABLED_DestroyTest) {
7766 auto result = DestroyAttestationIds();
7767 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED);
7768}
7769
7770INSTANTIATE_KEYMINT_AIDL_TEST(DestroyAttestationIdsTest);
7771
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7772using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7773
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7774/*
7775 * EarlyBootKeyTest.CreateEarlyBootKeys
7776 *
7777 * Verifies that creating early boot keys succeeds, even at a later stage (after boot).
7778 */
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7779TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7780 // Early boot keys can be created after early boot.
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7781 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7782 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
7783
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7784 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
7785 ASSERT_GT(keyData.blob.size(), 0U);
7786 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
7787 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
7788 }
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7789 CheckedDeleteKey(&aesKeyData.blob);
7790 CheckedDeleteKey(&hmacKeyData.blob);
7791 CheckedDeleteKey(&rsaKeyData.blob);
7792 CheckedDeleteKey(&ecdsaKeyData.blob);
7793}
7794
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7795/*
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7796 * EarlyBootKeyTest.CreateAttestedEarlyBootKey
7797 *
7798 * Verifies that creating an early boot key with attestation succeeds.
7799 */
7800TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
7801 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
7802 TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
7803 builder->AttestationChallenge("challenge");
7804 builder->AttestationApplicationId("app_id");
7805 });
7806
7807 for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7808 // Strongbox may not support factory attestation. Key creation might fail with
7809 // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
7810 if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
7811 continue;
7812 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7813 ASSERT_GT(keyData.blob.size(), 0U);
7814 AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
7815 EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
7816 }
7817 CheckedDeleteKey(&aesKeyData.blob);
7818 CheckedDeleteKey(&hmacKeyData.blob);
subrahmanyaman05642492022-02-05 07:10:56 +0000[diff] [blame]7819 if (rsaKeyData.blob.size() != 0U) {
7820 CheckedDeleteKey(&rsaKeyData.blob);
7821 }
7822 if (ecdsaKeyData.blob.size() != 0U) {
7823 CheckedDeleteKey(&ecdsaKeyData.blob);
7824 }
David Drysdaleadfe6112021-05-27 12:00:53 +0100[diff] [blame]7825}
7826
7827/*
7828 * EarlyBootKeyTest.UseEarlyBootKeyFailure
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7829 *
7830 * Verifies that using early boot keys at a later stage fails.
7831 */
7832TEST_P(EarlyBootKeyTest, UseEarlyBootKeyFailure) {
7833 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
7834 .Authorization(TAG_NO_AUTH_REQUIRED)
7835 .Authorization(TAG_EARLY_BOOT_ONLY)
7836 .HmacKey(128)
7837 .Digest(Digest::SHA_2_256)
7838 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
7839 AuthorizationSet output_params;
7840 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, Begin(KeyPurpose::SIGN, key_blob_,
7841 AuthorizationSetBuilder()
7842 .Digest(Digest::SHA_2_256)
7843 .Authorization(TAG_MAC_LENGTH, 256),
7844 &output_params));
7845}
7846
7847/*
7848 * EarlyBootKeyTest.ImportEarlyBootKeyFailure
7849 *
7850 * Verifies that importing early boot keys fails.
7851 */
7852TEST_P(EarlyBootKeyTest, ImportEarlyBootKeyFailure) {
7853 ASSERT_EQ(ErrorCode::EARLY_BOOT_ENDED, ImportKey(AuthorizationSetBuilder()
7854 .Authorization(TAG_NO_AUTH_REQUIRED)
7855 .Authorization(TAG_EARLY_BOOT_ONLY)
David Drysdaledf09e542021-06-08 15:46:11 +0100[diff] [blame]7856 .EcdsaSigningKey(EcCurve::P_256)
David Drysdaledb0dcf52021-05-18 11:43:31 +0100[diff] [blame]7857 .Digest(Digest::SHA_2_256)
7858 .SetDefaultValidity(),
7859 KeyFormat::PKCS8, ec_256_key));
7860}
7861
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7862// This is a more comprehensive test, but it can only be run on a machine which is still in early
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7863// boot stage, which no proper Android device is by the time we can run VTS. To use this,
7864// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
7865// early boot, so you'll have to reboot between runs.
7866TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
7867 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7868 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
7869 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
7870 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7871 EXPECT_TRUE(
7872 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7873 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7874 EXPECT_TRUE(
7875 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
7876
7877 // Should be able to use keys, since early boot has not ended
7878 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
7879 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
7880 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
7881 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
7882
7883 // End early boot
7884 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
7885 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
7886
7887 // Should not be able to use already-created keys.
7888 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
7889 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
7890 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
7891 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
7892
7893 CheckedDeleteKey(&aesKeyData.blob);
7894 CheckedDeleteKey(&hmacKeyData.blob);
7895 CheckedDeleteKey(&rsaKeyData.blob);
7896 CheckedDeleteKey(&ecdsaKeyData.blob);
7897
7898 // Should not be able to create new keys
7899 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
7900 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
7901
7902 CheckedDeleteKey(&aesKeyData.blob);
7903 CheckedDeleteKey(&hmacKeyData.blob);
7904 CheckedDeleteKey(&rsaKeyData.blob);
7905 CheckedDeleteKey(&ecdsaKeyData.blob);
7906}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7907
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7908INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
7909
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7910using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7911
7912// This may be a problematic test. It can't be run repeatedly without unlocking the device in
7913// between runs... and on most test devices there are no enrolled credentials so it can't be
7914// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
7915// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
7916// a manual test process, which includes unlocking between runs, which is why it's included here.
7917// Well, that and the fact that it's the only test we can do without also making calls into the
7918// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
7919// implications might be, so that may or may not be a solution.
7920TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
7921 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
7922 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
7923
7924 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
7925 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
7926 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
7927 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
7928
7929 ErrorCode rc = GetReturnErrorCode(
David Drysdaled2cc8c22021-04-15 13:29:45 +0100[diff] [blame]7930 keyMint().deviceLocked(false /* passwordOnly */, {} /* timestampToken */));
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7931 ASSERT_EQ(ErrorCode::OK, rc);
7932 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
7933 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
7934 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
7935 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
7936
7937 CheckedDeleteKey(&aesKeyData.blob);
7938 CheckedDeleteKey(&hmacKeyData.blob);
7939 CheckedDeleteKey(&rsaKeyData.blob);
7940 CheckedDeleteKey(&ecdsaKeyData.blob);
7941}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame]7942
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]7943INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
7944
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]7945} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7946
7947int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]7948 std::cout << "Testing ";
7949 auto halInstances =
7950 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
7951 std::cout << "HAL instances:\n";
7952 for (auto& entry : halInstances) {
7953 std::cout << " " << entry << '\n';
7954 }
7955
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7956 ::testing::InitGoogleTest(&argc, argv);
7957 for (int i = 1; i < argc; ++i) {
7958 if (argv[i][0] == '-') {
7959 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]7960 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
7961 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7962 }
7963 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]7964 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
7965 dump_Attestations = true;
7966 } else {
7967 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7968 }
David Drysdaledbbbe2e2021-12-02 07:44:23 +0000[diff] [blame]7969 if (std::string(argv[i]) == "--skip_boot_pl_check") {
7970 // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
7971 // be run in emulated environments that don't have the normal bootloader
7972 // interactions.
7973 aidl::android::hardware::security::keymint::test::check_boot_pl = false;
7974 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7975 }
7976 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]7977 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]7978}