Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / d659c7c1818ea4e41c70de0ff39939e8da8a532c / . / security / keymint / aidl / vts / functional / KeyMintTest.cpp
blob: 7ecfa3723fd5c2652babe7363790f0cd2192edd9 [file] [log] [blame]
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]17#define LOG_TAG "keymint_1_test"
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]18#include <cutils/log.h>
19
20#include <signal.h>
21#include <iostream>
22
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]23#include <openssl/ec.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]24#include <openssl/evp.h>
25#include <openssl/mem.h>
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]26#include <openssl/x509v3.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]27
28#include <cutils/properties.h>
29
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]30#include <aidl/android/hardware/security/keymint/KeyFormat.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]31
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]32#include <keymint_support/key_param_output.h>
33#include <keymint_support/openssl_utils.h>
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]34
35#include "KeyMintAidlTestBase.h"
36
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]37using aidl::android::hardware::security::keymint::AuthorizationSet;
38using aidl::android::hardware::security::keymint::KeyCharacteristics;
39using aidl::android::hardware::security::keymint::KeyFormat;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]40
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]41namespace std {
42
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]43using namespace aidl::android::hardware::security::keymint;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]44
45template <>
46struct std::equal_to<KeyCharacteristics> {
47 bool operator()(const KeyCharacteristics& a, const KeyCharacteristics& b) const {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]48 if (a.securityLevel != b.securityLevel) return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]49
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]50 // this isn't very efficient. Oh, well.
51 AuthorizationSet a_auths(a.authorizations);
52 AuthorizationSet b_auths(b.authorizations);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]53
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]54 a_auths.Sort();
55 b_auths.Sort();
56
57 return a_auths == b_auths;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]58 }
59};
60
61} // namespace std
62
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]63namespace aidl::android::hardware::security::keymint::test {
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]64
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]65namespace {
66
67template <TagType tag_type, Tag tag, typename ValueT>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]68bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
69 ValueT expected_value) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]70 auto it = std::find_if(set.begin(), set.end(), [&](const KeyParameter& param) {
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]71 if (auto p = authorizationValue(ttag, param)) {
72 return *p == expected_value;
73 }
74 return false;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]75 });
76 return (it != set.end());
77}
78
79template <TagType tag_type, Tag tag>
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]80bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag>) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]81 auto it = std::find_if(set.begin(), set.end(),
82 [&](const KeyParameter& param) { return param.tag == tag; });
83 return (it != set.end());
84}
85
86constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
87 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
88 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
89 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, // '0'..'9'
90 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
91 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
92 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
93 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
94 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
95 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
96 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
97 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
98 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
99 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
100 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, //
101 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
102
103string hex2str(string a) {
104 string b;
105 size_t num = a.size() / 2;
106 b.resize(num);
107 for (size_t i = 0; i < num; i++) {
108 b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
109 }
110 return b;
111}
112
113string rsa_key =
114 hex2str("30820275020100300d06092a864886f70d01010105000482025f3082025b"
115 "02010002818100c6095409047d8634812d5a218176e45c41d60a75b13901"
116 "f234226cffe776521c5a77b9e389417b71c0b6a44d13afe4e4a2805d46c9"
117 "da2935adb1ff0c1f24ea06e62b20d776430a4d435157233c6f916783c30e"
118 "310fcbd89b85c2d56771169785ac12bca244abda72bfb19fc44d27c81e1d"
119 "92de284f4061edfd99280745ea6d2502030100010281801be0f04d9cae37"
120 "18691f035338308e91564b55899ffb5084d2460e6630257e05b3ceab0297"
121 "2dfabcd6ce5f6ee2589eb67911ed0fac16e43a444b8c861e544a05933657"
122 "72f8baf6b22fc9e3c5f1024b063ac080a7b2234cf8aee8f6c47bbf4fd3ac"
123 "e7240290bef16c0b3f7f3cdd64ce3ab5912cf6e32f39ab188358afcccd80"
124 "81024100e4b49ef50f765d3b24dde01aceaaf130f2c76670a91a61ae08af"
125 "497b4a82be6dee8fcdd5e3f7ba1cfb1f0c926b88f88c92bfab137fba2285"
126 "227b83c342ff7c55024100ddabb5839c4c7f6bf3d4183231f005b31aa58a"
127 "ffdda5c79e4cce217f6bc930dbe563d480706c24e9ebfcab28a6cdefd324"
128 "b77e1bf7251b709092c24ff501fd91024023d4340eda3445d8cd26c14411"
129 "da6fdca63c1ccd4b80a98ad52b78cc8ad8beb2842c1d280405bc2f6c1bea"
130 "214a1d742ab996b35b63a82a5e470fa88dbf823cdd02401b7b57449ad30d"
131 "1518249a5f56bb98294d4b6ac12ffc86940497a5a5837a6cf946262b4945"
132 "26d328c11e1126380fde04c24f916dec250892db09a6d77cdba351024077"
133 "62cd8f4d050da56bd591adb515d24d7ccd32cca0d05f866d583514bd7324"
134 "d5f33645e8ed8b4a1cb3cc4a1d67987399f2a09f5b3fb68c88d5e5d90ac3"
135 "3492d6");
136
137string ec_256_key =
138 hex2str("308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
139 "6b0201010420737c2ecd7b8d1940bf2930aa9b4ed3ff941eed09366bc032"
140 "99986481f3a4d859a14403420004bf85d7720d07c25461683bc648b4778a"
141 "9a14dd8a024e3bdd8c7ddd9ab2b528bbc7aa1b51f14ebbbb0bd0ce21bcc4"
142 "1c6eb00083cf3376d11fd44949e0b2183bfe");
143
144string ec_521_key =
145 hex2str("3081EE020100301006072A8648CE3D020106052B810400230481D63081D3"
146 "02010104420011458C586DB5DAA92AFAB03F4FE46AA9D9C3CE9A9B7A006A"
147 "8384BEC4C78E8E9D18D7D08B5BCFA0E53C75B064AD51C449BAE0258D54B9"
148 "4B1E885DED08ED4FB25CE9A1818903818600040149EC11C6DF0FA122C6A9"
149 "AFD9754A4FA9513A627CA329E349535A5629875A8ADFBE27DCB932C05198"
150 "6377108D054C28C6F39B6F2C9AF81802F9F326B842FF2E5F3C00AB7635CF"
151 "B36157FC0882D574A10D839C1A0C049DC5E0D775E2EE50671A208431BB45"
152 "E78E70BEFE930DB34818EE4D5C26259F5C6B8E28A652950F9F88D7B4B2C9"
153 "D9");
154
155string ec_256_key_rfc5915 =
156 hex2str("308193020100301306072a8648ce3d020106082a8648ce3d030107047930"
157 "770201010420782370a8c8ce5537baadd04dcff079c8158cfa9c67b818b3"
158 "8e8d21c9fa750c1da00a06082a8648ce3d030107a14403420004e2cc561e"
159 "e701da0ad0ef0d176bb0c919d42e79c393fdc1bd6c4010d85cf2cf8e68c9"
160 "05464666f98dad4f01573ba81078b3428570a439ba3229fbc026c550682f");
161
162string ec_256_key_sec1 =
163 hex2str("308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
164 "6b0201010420782370a8c8ce5537baadd04dcff079c8158cfa9c67b818b3"
165 "8e8d21c9fa750c1da14403420004e2cc561ee701da0ad0ef0d176bb0c919"
166 "d42e79c393fdc1bd6c4010d85cf2cf8e68c905464666f98dad4f01573ba8"
167 "1078b3428570a439ba3229fbc026c550682f");
168
169struct RSA_Delete {
170 void operator()(RSA* p) { RSA_free(p); }
171};
172
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]173std::string make_string(const uint8_t* data, size_t length) {
174 return std::string(reinterpret_cast<const char*>(data), length);
175}
176
177template <size_t N>
178std::string make_string(const uint8_t (&a)[N]) {
179 return make_string(a, N);
180}
181
182class AidlBuf : public vector<uint8_t> {
183 typedef vector<uint8_t> super;
184
185 public:
186 AidlBuf() {}
187 AidlBuf(const super& other) : super(other) {}
188 AidlBuf(super&& other) : super(std::move(other)) {}
189 explicit AidlBuf(const std::string& other) : AidlBuf() { *this = other; }
190
191 AidlBuf& operator=(const super& other) {
192 super::operator=(other);
193 return *this;
194 }
195
196 AidlBuf& operator=(super&& other) {
197 super::operator=(std::move(other));
198 return *this;
199 }
200
201 AidlBuf& operator=(const string& other) {
202 resize(other.size());
203 for (size_t i = 0; i < other.size(); ++i) {
204 (*this)[i] = static_cast<uint8_t>(other[i]);
205 }
206 return *this;
207 }
208
209 string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
210};
211
212} // namespace
213
214class NewKeyGenerationTest : public KeyMintAidlTestBase {
215 protected:
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]216 void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]217 // TODO(swillden): Distinguish which params should be in which auth list.
218
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]219 AuthorizationSet auths;
220 for (auto& entry : keyCharacteristics) {
221 auths.push_back(AuthorizationSet(entry.authorizations));
222 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]223
224 EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
225 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
226 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
227
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]228 // Verify that App data and ROT are NOT included.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]229 EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]230 EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
231
232 // Check that some unexpected tags/values are NOT present.
233 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
234 EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
235 EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301U));
236
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]237 auto os_ver = auths.GetTagValue(TAG_OS_VERSION);
238 ASSERT_TRUE(os_ver);
239 EXPECT_EQ(*os_ver, os_version());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]240
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]241 auto os_pl = auths.GetTagValue(TAG_OS_PATCHLEVEL);
242 ASSERT_TRUE(os_pl);
243 EXPECT_EQ(*os_pl, os_patch_level());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]244 }
245};
246
247/*
248 * NewKeyGenerationTest.Rsa
249 *
250 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
251 * have correct characteristics.
252 */
253TEST_P(NewKeyGenerationTest, Rsa) {
254 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
255 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]256 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]257 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
258 .RsaSigningKey(key_size, 65537)
259 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]260 .Padding(PaddingMode::NONE)
261 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]262 &key_blob, &key_characteristics));
263
264 ASSERT_GT(key_blob.size(), 0U);
265 CheckBaseParams(key_characteristics);
266
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]267 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]268
269 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
270 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
271 << "Key size " << key_size << "missing";
272 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
273
274 CheckedDeleteKey(&key_blob);
275 }
276}
277
278/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]279 * NewKeyGenerationTest.RsaWithAttestation
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]280 *
281 * Verifies that keymint can generate all required RSA key sizes, and that the resulting keys
282 * have correct characteristics.
283 */
284TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
285 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
286 auto challenge = "hello";
287 auto app_id = "foo";
288
289 vector<uint8_t> key_blob;
290 vector<KeyCharacteristics> key_characteristics;
291 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
292 .RsaSigningKey(key_size, 65537)
293 .Digest(Digest::NONE)
294 .Padding(PaddingMode::NONE)
295 .AttestationChallenge(challenge)
296 .AttestationApplicationId(app_id)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]297 .Authorization(TAG_NO_AUTH_REQUIRED)
298 .SetDefaultValidity(),
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]299 &key_blob, &key_characteristics));
300
301 ASSERT_GT(key_blob.size(), 0U);
302 CheckBaseParams(key_characteristics);
303
304 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
305
306 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
307 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
308 << "Key size " << key_size << "missing";
309 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
310
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]311 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Shawn Willden0e80b5d2020-12-17 09:07:27 -0700[diff] [blame]312 ASSERT_GT(cert_chain_.size(), 0);
313
314 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
315 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
316 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
317 sw_enforced, hw_enforced, SecLevel(),
318 cert_chain_[0].encodedCertificate));
319
320 CheckedDeleteKey(&key_blob);
321 }
322}
323
324/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]325 * NewKeyGenerationTest.LimitedUsageRsa
326 *
327 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
328 * resulting keys have correct characteristics.
329 */
330TEST_P(NewKeyGenerationTest, LimitedUsageRsa) {
331 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
332 vector<uint8_t> key_blob;
333 vector<KeyCharacteristics> key_characteristics;
334 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
335 .RsaSigningKey(key_size, 65537)
336 .Digest(Digest::NONE)
337 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]338 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
339 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]340 &key_blob, &key_characteristics));
341
342 ASSERT_GT(key_blob.size(), 0U);
343 CheckBaseParams(key_characteristics);
344
345 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
346
347 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
348 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
349 << "Key size " << key_size << "missing";
350 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
351
352 // Check the usage count limit tag appears in the authorizations.
353 AuthorizationSet auths;
354 for (auto& entry : key_characteristics) {
355 auths.push_back(AuthorizationSet(entry.authorizations));
356 }
357 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
358 << "key usage count limit " << 1U << " missing";
359
360 CheckedDeleteKey(&key_blob);
361 }
362}
363
364/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]365 * NewKeyGenerationTest.LimitedUsageRsaWithAttestation
366 *
367 * Verifies that KeyMint can generate all required RSA key sizes with limited usage, and that the
368 * resulting keys have correct characteristics and attestation.
369 */
370TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
371 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
372 auto challenge = "hello";
373 auto app_id = "foo";
374
375 vector<uint8_t> key_blob;
376 vector<KeyCharacteristics> key_characteristics;
377 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
378 .RsaSigningKey(key_size, 65537)
379 .Digest(Digest::NONE)
380 .Padding(PaddingMode::NONE)
381 .AttestationChallenge(challenge)
382 .AttestationApplicationId(app_id)
383 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]384 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
385 .SetDefaultValidity(),
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]386 &key_blob, &key_characteristics));
387
388 ASSERT_GT(key_blob.size(), 0U);
389 CheckBaseParams(key_characteristics);
390
391 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
392
393 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::RSA));
394 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
395 << "Key size " << key_size << "missing";
396 EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 65537U));
397
398 // Check the usage count limit tag appears in the authorizations.
399 AuthorizationSet auths;
400 for (auto& entry : key_characteristics) {
401 auths.push_back(AuthorizationSet(entry.authorizations));
402 }
403 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
404 << "key usage count limit " << 1U << " missing";
405
406 // Check the usage count limit tag also appears in the attestation.
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]407 EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]408 ASSERT_GT(cert_chain_.size(), 0);
409
410 AuthorizationSet hw_enforced = HwEnforcedAuthorizations(key_characteristics);
411 AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
412 EXPECT_TRUE(verify_attestation_record(challenge, app_id, //
413 sw_enforced, hw_enforced, SecLevel(),
414 cert_chain_[0].encodedCertificate));
415
416 CheckedDeleteKey(&key_blob);
417 }
418}
419
420/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]421 * NewKeyGenerationTest.NoInvalidRsaSizes
422 *
423 * Verifies that keymint cannot generate any RSA key sizes that are designated as invalid.
424 */
425TEST_P(NewKeyGenerationTest, NoInvalidRsaSizes) {
426 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
427 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]428 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]429 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
430 GenerateKey(AuthorizationSetBuilder()
431 .RsaSigningKey(key_size, 65537)
432 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]433 .Padding(PaddingMode::NONE)
434 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]435 &key_blob, &key_characteristics));
436 }
437}
438
439/*
440 * NewKeyGenerationTest.RsaNoDefaultSize
441 *
442 * Verifies that failing to specify a key size for RSA key generation returns
443 * UNSUPPORTED_KEY_SIZE.
444 */
445TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
446 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
447 GenerateKey(AuthorizationSetBuilder()
448 .Authorization(TAG_ALGORITHM, Algorithm::RSA)
449 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3U)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]450 .SigningKey()
451 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]452}
453
454/*
455 * NewKeyGenerationTest.Ecdsa
456 *
457 * Verifies that keymint can generate all required EC key sizes, and that the resulting keys
458 * have correct characteristics.
459 */
460TEST_P(NewKeyGenerationTest, Ecdsa) {
461 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
462 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]463 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]464 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
465 .EcdsaSigningKey(key_size)
466 .Digest(Digest::NONE)
467 .SetDefaultValidity(),
468 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]469 ASSERT_GT(key_blob.size(), 0U);
470 CheckBaseParams(key_characteristics);
471
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]472 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]473
474 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
475 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
476 << "Key size " << key_size << "missing";
477
478 CheckedDeleteKey(&key_blob);
479 }
480}
481
482/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]483 * NewKeyGenerationTest.LimitedUsageEcdsa
484 *
485 * Verifies that KeyMint can generate all required EC key sizes with limited usage, and that the
486 * resulting keys have correct characteristics.
487 */
488TEST_P(NewKeyGenerationTest, LimitedUsageEcdsa) {
489 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
490 vector<uint8_t> key_blob;
491 vector<KeyCharacteristics> key_characteristics;
492 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
493 .EcdsaSigningKey(key_size)
494 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]495 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
496 .SetDefaultValidity(),
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]497 &key_blob, &key_characteristics));
498
499 ASSERT_GT(key_blob.size(), 0U);
500 CheckBaseParams(key_characteristics);
501
502 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
503
504 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
505 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
506 << "Key size " << key_size << "missing";
507
508 // Check the usage count limit tag appears in the authorizations.
509 AuthorizationSet auths;
510 for (auto& entry : key_characteristics) {
511 auths.push_back(AuthorizationSet(entry.authorizations));
512 }
513 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
514 << "key usage count limit " << 1U << " missing";
515
516 CheckedDeleteKey(&key_blob);
517 }
518}
519
520/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]521 * NewKeyGenerationTest.EcdsaDefaultSize
522 *
523 * Verifies that failing to specify a key size for EC key generation returns
524 * UNSUPPORTED_KEY_SIZE.
525 */
526TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
527 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
528 GenerateKey(AuthorizationSetBuilder()
529 .Authorization(TAG_ALGORITHM, Algorithm::EC)
530 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]531 .Digest(Digest::NONE)
532 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]533}
534
535/*
536 * NewKeyGenerationTest.EcdsaInvalidSize
537 *
538 * Verifies that specifying an invalid key size for EC key generation returns
539 * UNSUPPORTED_KEY_SIZE.
540 */
541TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
542 for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
543 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]544 vector<KeyCharacteristics> key_characteristics;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]545 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
546 .EcdsaSigningKey(key_size)
547 .Digest(Digest::NONE)
548 .SetDefaultValidity(),
549 &key_blob, &key_characteristics));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]550 }
551
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]552 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
553 .EcdsaSigningKey(190)
554 .Digest(Digest::NONE)
555 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]556}
557
558/*
559 * NewKeyGenerationTest.EcdsaMismatchKeySize
560 *
561 * Verifies that specifying mismatched key size and curve for EC key generation returns
562 * INVALID_ARGUMENT.
563 */
564TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
565 if (SecLevel() == SecurityLevel::STRONGBOX) return;
566
567 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
568 GenerateKey(AuthorizationSetBuilder()
569 .EcdsaSigningKey(224)
570 .Authorization(TAG_EC_CURVE, EcCurve::P_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]571 .Digest(Digest::NONE)
572 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]573}
574
575/*
576 * NewKeyGenerationTest.EcdsaAllValidSizes
577 *
578 * Verifies that keymint supports all required EC key sizes.
579 */
580TEST_P(NewKeyGenerationTest, EcdsaAllValidSizes) {
581 auto valid_sizes = ValidKeySizes(Algorithm::EC);
582 for (size_t size : valid_sizes) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]583 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
584 .EcdsaSigningKey(size)
585 .Digest(Digest::NONE)
586 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]587 << "Failed to generate size: " << size;
588 CheckedDeleteKey();
589 }
590}
591
592/*
593 * NewKeyGenerationTest.EcdsaInvalidCurves
594 *
595 * Verifies that keymint does not support any curve designated as unsupported.
596 */
597TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
598 Digest digest;
599 if (SecLevel() == SecurityLevel::STRONGBOX) {
600 digest = Digest::SHA_2_256;
601 } else {
602 digest = Digest::SHA_2_512;
603 }
604 for (auto curve : ValidCurves()) {
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]605 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
606 .EcdsaSigningKey(curve)
607 .Digest(digest)
608 .SetDefaultValidity()))
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]609 << "Failed to generate key on curve: " << curve;
610 CheckedDeleteKey();
611 }
612}
613
614/*
615 * NewKeyGenerationTest.Hmac
616 *
617 * Verifies that keymint supports all required digests, and that the resulting keys have correct
618 * characteristics.
619 */
620TEST_P(NewKeyGenerationTest, Hmac) {
621 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
622 vector<uint8_t> key_blob;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]623 vector<KeyCharacteristics> key_characteristics;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]624 constexpr size_t key_size = 128;
625 ASSERT_EQ(ErrorCode::OK,
626 GenerateKey(
627 AuthorizationSetBuilder().HmacKey(key_size).Digest(digest).Authorization(
628 TAG_MIN_MAC_LENGTH, 128),
629 &key_blob, &key_characteristics));
630
631 ASSERT_GT(key_blob.size(), 0U);
632 CheckBaseParams(key_characteristics);
633
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]634 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
635 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
636 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
637 << "Key size " << key_size << "missing";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]638
639 CheckedDeleteKey(&key_blob);
640 }
641}
642
643/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]644 * NewKeyGenerationTest.LimitedUsageHmac
645 *
646 * Verifies that KeyMint supports all required digests with limited usage Hmac, and that the
647 * resulting keys have correct characteristics.
648 */
649TEST_P(NewKeyGenerationTest, LimitedUsageHmac) {
650 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
651 vector<uint8_t> key_blob;
652 vector<KeyCharacteristics> key_characteristics;
653 constexpr size_t key_size = 128;
654 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
655 .HmacKey(key_size)
656 .Digest(digest)
657 .Authorization(TAG_MIN_MAC_LENGTH, 128)
658 .Authorization(TAG_USAGE_COUNT_LIMIT, 1),
659 &key_blob, &key_characteristics));
660
661 ASSERT_GT(key_blob.size(), 0U);
662 CheckBaseParams(key_characteristics);
663
664 AuthorizationSet crypto_params = SecLevelAuthorizations(key_characteristics);
665 EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::HMAC));
666 EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size))
667 << "Key size " << key_size << "missing";
668
669 // Check the usage count limit tag appears in the authorizations.
670 AuthorizationSet auths;
671 for (auto& entry : key_characteristics) {
672 auths.push_back(AuthorizationSet(entry.authorizations));
673 }
674 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
675 << "key usage count limit " << 1U << " missing";
676
677 CheckedDeleteKey(&key_blob);
678 }
679}
680
681/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]682 * NewKeyGenerationTest.HmacCheckKeySizes
683 *
684 * Verifies that keymint supports all key sizes, and rejects all invalid key sizes.
685 */
686TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
687 for (size_t key_size = 0; key_size <= 512; ++key_size) {
688 if (key_size < 64 || key_size % 8 != 0) {
689 // To keep this test from being very slow, we only test a random fraction of
690 // non-byte key sizes. We test only ~10% of such cases. Since there are 392 of
691 // them, we expect to run ~40 of them in each run.
692 if (key_size % 8 == 0 || random() % 10 == 0) {
693 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
694 GenerateKey(AuthorizationSetBuilder()
695 .HmacKey(key_size)
696 .Digest(Digest::SHA_2_256)
697 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
698 << "HMAC key size " << key_size << " invalid";
699 }
700 } else {
701 EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
702 .HmacKey(key_size)
703 .Digest(Digest::SHA_2_256)
704 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
705 << "Failed to generate HMAC key of size " << key_size;
706 CheckedDeleteKey();
707 }
708 }
709}
710
711/*
712 * NewKeyGenerationTest.HmacCheckMinMacLengths
713 *
714 * Verifies that keymint supports all required MAC lengths and rejects all invalid lengths. This
715 * test is probabilistic in order to keep the runtime down, but any failure prints out the
716 * specific MAC length that failed, so reproducing a failed run will be easy.
717 */
718TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
719 for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
720 if (min_mac_length < 64 || min_mac_length % 8 != 0) {
721 // To keep this test from being very long, we only test a random fraction of
722 // non-byte lengths. We test only ~10% of such cases. Since there are 172 of them,
723 // we expect to run ~17 of them in each run.
724 if (min_mac_length % 8 == 0 || random() % 10 == 0) {
725 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
726 GenerateKey(AuthorizationSetBuilder()
727 .HmacKey(128)
728 .Digest(Digest::SHA_2_256)
729 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
730 << "HMAC min mac length " << min_mac_length << " invalid.";
731 }
732 } else {
733 EXPECT_EQ(ErrorCode::OK,
734 GenerateKey(AuthorizationSetBuilder()
735 .HmacKey(128)
736 .Digest(Digest::SHA_2_256)
737 .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
738 << "Failed to generate HMAC key with min MAC length " << min_mac_length;
739 CheckedDeleteKey();
740 }
741 }
742}
743
744/*
745 * NewKeyGenerationTest.HmacMultipleDigests
746 *
747 * Verifies that keymint rejects HMAC key generation with multiple specified digest algorithms.
748 */
749TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
750 if (SecLevel() == SecurityLevel::STRONGBOX) return;
751
752 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
753 GenerateKey(AuthorizationSetBuilder()
754 .HmacKey(128)
755 .Digest(Digest::SHA1)
756 .Digest(Digest::SHA_2_256)
757 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
758}
759
760/*
761 * NewKeyGenerationTest.HmacDigestNone
762 *
763 * Verifies that keymint rejects HMAC key generation with no digest or Digest::NONE
764 */
765TEST_P(NewKeyGenerationTest, HmacDigestNone) {
766 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
767 GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH,
768 128)));
769
770 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
771 GenerateKey(AuthorizationSetBuilder()
772 .HmacKey(128)
773 .Digest(Digest::NONE)
774 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
775}
776
777INSTANTIATE_KEYMINT_AIDL_TEST(NewKeyGenerationTest);
778
779typedef KeyMintAidlTestBase SigningOperationsTest;
780
781/*
782 * SigningOperationsTest.RsaSuccess
783 *
784 * Verifies that raw RSA signature operations succeed.
785 */
786TEST_P(SigningOperationsTest, RsaSuccess) {
787 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
788 .RsaSigningKey(2048, 65537)
789 .Digest(Digest::NONE)
790 .Padding(PaddingMode::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]791 .Authorization(TAG_NO_AUTH_REQUIRED)
792 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]793 string message = "12345678901234567890123456789012";
794 string signature = SignMessage(
795 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
796}
797
798/*
799 * SigningOperationsTest.RsaUseRequiresCorrectAppIdAppData
800 *
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]801 * Verifies that using an RSA key requires the correct app data.
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]802 */
803TEST_P(SigningOperationsTest, RsaUseRequiresCorrectAppIdAppData) {
804 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
805 .Authorization(TAG_NO_AUTH_REQUIRED)
806 .RsaSigningKey(2048, 65537)
807 .Digest(Digest::NONE)
808 .Padding(PaddingMode::NONE)
809 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]810 .Authorization(TAG_APPLICATION_DATA, "appdata")
811 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]812 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
813 Begin(KeyPurpose::SIGN,
814 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
815 AbortIfNeeded();
816 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
817 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
818 .Digest(Digest::NONE)
819 .Padding(PaddingMode::NONE)
820 .Authorization(TAG_APPLICATION_ID, "clientid")));
821 AbortIfNeeded();
822 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
823 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
824 .Digest(Digest::NONE)
825 .Padding(PaddingMode::NONE)
826 .Authorization(TAG_APPLICATION_DATA, "appdata")));
827 AbortIfNeeded();
828 EXPECT_EQ(ErrorCode::OK,
829 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
830 .Digest(Digest::NONE)
831 .Padding(PaddingMode::NONE)
832 .Authorization(TAG_APPLICATION_DATA, "appdata")
833 .Authorization(TAG_APPLICATION_ID, "clientid")));
834 AbortIfNeeded();
835}
836
837/*
838 * SigningOperationsTest.RsaPssSha256Success
839 *
840 * Verifies that RSA-PSS signature operations succeed.
841 */
842TEST_P(SigningOperationsTest, RsaPssSha256Success) {
843 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
844 .RsaSigningKey(2048, 65537)
845 .Digest(Digest::SHA_2_256)
846 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]847 .Authorization(TAG_NO_AUTH_REQUIRED)
848 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]849 // Use large message, which won't work without digesting.
850 string message(1024, 'a');
851 string signature = SignMessage(
852 message,
853 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
854}
855
856/*
857 * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
858 *
859 * Verifies that keymint rejects signature operations that specify a padding mode when the key
860 * supports only unpadded operations.
861 */
862TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
863 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
864 .RsaSigningKey(2048, 65537)
865 .Digest(Digest::NONE)
866 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]867 .Padding(PaddingMode::NONE)
868 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]869 string message = "12345678901234567890123456789012";
870 string signature;
871
872 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
873 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
874 .Digest(Digest::NONE)
875 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
876}
877
878/*
879 * SigningOperationsTest.NoUserConfirmation
880 *
881 * Verifies that keymint rejects signing operations for keys with
882 * TRUSTED_CONFIRMATION_REQUIRED and no valid confirmation token
883 * presented.
884 */
885TEST_P(SigningOperationsTest, NoUserConfirmation) {
886 if (SecLevel() == SecurityLevel::STRONGBOX) return;
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]887 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
888 .RsaSigningKey(1024, 65537)
889 .Digest(Digest::NONE)
890 .Padding(PaddingMode::NONE)
891 .Authorization(TAG_NO_AUTH_REQUIRED)
892 .Authorization(TAG_TRUSTED_CONFIRMATION_REQUIRED)
893 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]894
895 const string message = "12345678901234567890123456789012";
896 EXPECT_EQ(ErrorCode::OK,
897 Begin(KeyPurpose::SIGN,
898 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
899 string signature;
900 EXPECT_EQ(ErrorCode::NO_USER_CONFIRMATION, Finish(message, &signature));
901}
902
903/*
904 * SigningOperationsTest.RsaPkcs1Sha256Success
905 *
906 * Verifies that digested RSA-PKCS1 signature operations succeed.
907 */
908TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
909 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
910 .RsaSigningKey(2048, 65537)
911 .Digest(Digest::SHA_2_256)
912 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]913 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
914 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]915 string message(1024, 'a');
916 string signature = SignMessage(message, AuthorizationSetBuilder()
917 .Digest(Digest::SHA_2_256)
918 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
919}
920
921/*
922 * SigningOperationsTest.RsaPkcs1NoDigestSuccess
923 *
924 * Verifies that undigested RSA-PKCS1 signature operations succeed.
925 */
926TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
927 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
928 .RsaSigningKey(2048, 65537)
929 .Digest(Digest::NONE)
930 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]931 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
932 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]933 string message(53, 'a');
934 string signature = SignMessage(message, AuthorizationSetBuilder()
935 .Digest(Digest::NONE)
936 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
937}
938
939/*
940 * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
941 *
942 * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
943 * given a too-long message.
944 */
945TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
946 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
947 .RsaSigningKey(2048, 65537)
948 .Digest(Digest::NONE)
949 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]950 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
951 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]952 string message(257, 'a');
953
954 EXPECT_EQ(ErrorCode::OK,
955 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
956 .Digest(Digest::NONE)
957 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
958 string signature;
959 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
960}
961
962/*
963 * SigningOperationsTest.RsaPssSha512TooSmallKey
964 *
965 * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
966 * used with a key that is too small for the message.
967 *
968 * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the
969 * keymint specification requires that salt_size == digest_size, so the message will be
970 * digest_size * 2 +
971 * 16. Such a message can only be signed by a given key if the key is at least that size. This
972 * test uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large
973 * for a 1024-bit key.
974 */
975TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
976 if (SecLevel() == SecurityLevel::STRONGBOX) return;
977 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
978 .RsaSigningKey(1024, 65537)
979 .Digest(Digest::SHA_2_512)
980 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]981 .Padding(PaddingMode::RSA_PSS)
982 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]983 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
984 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
985 .Digest(Digest::SHA_2_512)
986 .Padding(PaddingMode::RSA_PSS)));
987}
988
989/*
990 * SigningOperationsTest.RsaNoPaddingTooLong
991 *
992 * Verifies that raw RSA signature operations fail with the correct error code when
993 * given a too-long message.
994 */
995TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
996 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
997 .RsaSigningKey(2048, 65537)
998 .Digest(Digest::NONE)
999 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1000 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1001 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1002 // One byte too long
1003 string message(2048 / 8 + 1, 'a');
1004 ASSERT_EQ(ErrorCode::OK,
1005 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1006 .Digest(Digest::NONE)
1007 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1008 string result;
1009 ErrorCode finish_error_code = Finish(message, &result);
1010 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1011 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1012
1013 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
1014 message = string(128 * 1024, 'a');
1015 ASSERT_EQ(ErrorCode::OK,
1016 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1017 .Digest(Digest::NONE)
1018 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1019 finish_error_code = Finish(message, &result);
1020 EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1021 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1022}
1023
1024/*
1025 * SigningOperationsTest.RsaAbort
1026 *
1027 * Verifies that operations can be aborted correctly. Uses an RSA signing operation for the
1028 * test, but the behavior should be algorithm and purpose-independent.
1029 */
1030TEST_P(SigningOperationsTest, RsaAbort) {
1031 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1032 .RsaSigningKey(2048, 65537)
1033 .Digest(Digest::NONE)
1034 .Authorization(TAG_NO_AUTH_REQUIRED)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1035 .Padding(PaddingMode::NONE)
1036 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1037
1038 ASSERT_EQ(ErrorCode::OK,
1039 Begin(KeyPurpose::SIGN,
1040 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1041 EXPECT_EQ(ErrorCode::OK, Abort());
1042
1043 // Another abort should fail
1044 EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort());
1045
1046 // Set to sentinel, so TearDown() doesn't try to abort again.
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]1047 op_.reset();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1048}
1049
1050/*
1051 * SigningOperationsTest.RsaUnsupportedPadding
1052 *
1053 * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used
1054 * with a padding mode inappropriate for RSA.
1055 */
1056TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
1057 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1058 .RsaSigningKey(2048, 65537)
1059 .Authorization(TAG_NO_AUTH_REQUIRED)
1060 .Digest(Digest::SHA_2_256 /* supported digest */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1061 .Padding(PaddingMode::PKCS7)
1062 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1063 ASSERT_EQ(
1064 ErrorCode::UNSUPPORTED_PADDING_MODE,
1065 Begin(KeyPurpose::SIGN,
1066 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
1067}
1068
1069/*
1070 * SigningOperationsTest.RsaPssNoDigest
1071 *
1072 * Verifies that RSA PSS operations fail when no digest is used. PSS requires a digest.
1073 */
1074TEST_P(SigningOperationsTest, RsaNoDigest) {
1075 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1076 .RsaSigningKey(2048, 65537)
1077 .Authorization(TAG_NO_AUTH_REQUIRED)
1078 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1079 .Padding(PaddingMode::RSA_PSS)
1080 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1081 ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
1082 Begin(KeyPurpose::SIGN,
1083 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
1084
1085 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1086 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
1087}
1088
1089/*
1090 * SigningOperationsTest.RsaPssNoDigest
1091 *
1092 * Verifies that RSA operations fail when no padding mode is specified. PaddingMode::NONE is
1093 * supported in some cases (as validated in other tests), but a mode must be specified.
1094 */
1095TEST_P(SigningOperationsTest, RsaNoPadding) {
1096 // Padding must be specified
1097 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1098 .RsaKey(2048, 65537)
1099 .Authorization(TAG_NO_AUTH_REQUIRED)
1100 .SigningKey()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1101 .Digest(Digest::NONE)
1102 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1103 ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
1104 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
1105}
1106
1107/*
1108 * SigningOperationsTest.RsaShortMessage
1109 *
1110 * Verifies that raw RSA signatures succeed with a message shorter than the key size.
1111 */
1112TEST_P(SigningOperationsTest, RsaTooShortMessage) {
1113 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1114 .Authorization(TAG_NO_AUTH_REQUIRED)
1115 .RsaSigningKey(2048, 65537)
1116 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1117 .Padding(PaddingMode::NONE)
1118 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1119
1120 // Barely shorter
1121 string message(2048 / 8 - 1, 'a');
1122 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1123
1124 // Much shorter
1125 message = "a";
1126 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1127}
1128
1129/*
1130 * SigningOperationsTest.RsaSignWithEncryptionKey
1131 *
1132 * Verifies that RSA encryption keys cannot be used to sign.
1133 */
1134TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
1135 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1136 .Authorization(TAG_NO_AUTH_REQUIRED)
1137 .RsaEncryptionKey(2048, 65537)
1138 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1139 .Padding(PaddingMode::NONE)
1140 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1141 ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
1142 Begin(KeyPurpose::SIGN,
1143 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1144}
1145
1146/*
1147 * SigningOperationsTest.RsaSignTooLargeMessage
1148 *
1149 * Verifies that attempting a raw signature of a message which is the same length as the key,
1150 * but numerically larger than the public modulus, fails with the correct error.
1151 */
1152TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
1153 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1154 .Authorization(TAG_NO_AUTH_REQUIRED)
1155 .RsaSigningKey(2048, 65537)
1156 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1157 .Padding(PaddingMode::NONE)
1158 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1159
1160 // Largest possible message will always be larger than the public modulus.
1161 string message(2048 / 8, static_cast<char>(0xff));
1162 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1163 .Authorization(TAG_NO_AUTH_REQUIRED)
1164 .Digest(Digest::NONE)
1165 .Padding(PaddingMode::NONE)));
1166 string signature;
1167 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
1168}
1169
1170/*
1171 * SigningOperationsTest.EcdsaAllSizesAndHashes
1172 *
1173 * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
1174 */
1175TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
1176 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
1177 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
1178 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1179 .Authorization(TAG_NO_AUTH_REQUIRED)
1180 .EcdsaSigningKey(key_size)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1181 .Digest(digest)
1182 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1183 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
1184 << " and digest " << digest;
1185 if (error != ErrorCode::OK) continue;
1186
1187 string message(1024, 'a');
1188 if (digest == Digest::NONE) message.resize(key_size / 8);
1189 SignMessage(message, AuthorizationSetBuilder().Digest(digest));
1190 CheckedDeleteKey();
1191 }
1192 }
1193}
1194
1195/*
1196 * SigningOperationsTest.EcdsaAllCurves
1197 *
1198 * Verifies that ECDSA operations succeed with all possible curves.
1199 */
1200TEST_P(SigningOperationsTest, EcdsaAllCurves) {
1201 for (auto curve : ValidCurves()) {
1202 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1203 .Authorization(TAG_NO_AUTH_REQUIRED)
1204 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1205 .Digest(Digest::SHA_2_256)
1206 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1207 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
1208 if (error != ErrorCode::OK) continue;
1209
1210 string message(1024, 'a');
1211 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1212 CheckedDeleteKey();
1213 }
1214}
1215
1216/*
1217 * SigningOperationsTest.EcdsaNoDigestHugeData
1218 *
1219 * Verifies that ECDSA operations support very large messages, even without digesting. This
1220 * should work because ECDSA actually only signs the leftmost L_n bits of the message, however
1221 * large it may be. Not using digesting is a bad idea, but in some cases digesting is done by
1222 * the framework.
1223 */
1224TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
1225 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1226 .Authorization(TAG_NO_AUTH_REQUIRED)
1227 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1228 .Digest(Digest::NONE)
1229 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1230 string message(1 * 1024, 'a');
1231 SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
1232}
1233
1234/*
1235 * SigningOperationsTest.EcUseRequiresCorrectAppIdAppData
1236 *
1237 * Verifies that using an EC key requires the correct app ID/data.
1238 */
1239TEST_P(SigningOperationsTest, EcUseRequiresCorrectAppIdAppData) {
1240 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1241 .Authorization(TAG_NO_AUTH_REQUIRED)
1242 .EcdsaSigningKey(256)
1243 .Digest(Digest::NONE)
1244 .Authorization(TAG_APPLICATION_ID, "clientid")
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1245 .Authorization(TAG_APPLICATION_DATA, "appdata")
1246 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1247 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1248 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
1249 AbortIfNeeded();
1250 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1251 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1252 .Digest(Digest::NONE)
1253 .Authorization(TAG_APPLICATION_ID, "clientid")));
1254 AbortIfNeeded();
1255 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
1256 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1257 .Digest(Digest::NONE)
1258 .Authorization(TAG_APPLICATION_DATA, "appdata")));
1259 AbortIfNeeded();
1260 EXPECT_EQ(ErrorCode::OK,
1261 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1262 .Digest(Digest::NONE)
1263 .Authorization(TAG_APPLICATION_DATA, "appdata")
1264 .Authorization(TAG_APPLICATION_ID, "clientid")));
1265 AbortIfNeeded();
1266}
1267
1268/*
1269 * SigningOperationsTest.AesEcbSign
1270 *
1271 * Verifies that attempts to use AES keys to sign fail in the correct way.
1272 */
1273TEST_P(SigningOperationsTest, AesEcbSign) {
1274 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1275 .Authorization(TAG_NO_AUTH_REQUIRED)
1276 .SigningKey()
1277 .AesEncryptionKey(128)
1278 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)));
1279
1280 AuthorizationSet out_params;
1281 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1282 Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params));
1283 EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1284 Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params));
1285}
1286
1287/*
1288 * SigningOperationsTest.HmacAllDigests
1289 *
1290 * Verifies that HMAC works with all digests.
1291 */
1292TEST_P(SigningOperationsTest, HmacAllDigests) {
1293 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
1294 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1295 .Authorization(TAG_NO_AUTH_REQUIRED)
1296 .HmacKey(128)
1297 .Digest(digest)
1298 .Authorization(TAG_MIN_MAC_LENGTH, 160)))
1299 << "Failed to create HMAC key with digest " << digest;
1300 string message = "12345678901234567890123456789012";
1301 string signature = MacMessage(message, digest, 160);
1302 EXPECT_EQ(160U / 8U, signature.size())
1303 << "Failed to sign with HMAC key with digest " << digest;
1304 CheckedDeleteKey();
1305 }
1306}
1307
1308/*
1309 * SigningOperationsTest.HmacSha256TooLargeMacLength
1310 *
1311 * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the
1312 * digest size.
1313 */
1314TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1315 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1316 .Authorization(TAG_NO_AUTH_REQUIRED)
1317 .HmacKey(128)
1318 .Digest(Digest::SHA_2_256)
1319 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1320 AuthorizationSet output_params;
1321 EXPECT_EQ(ErrorCode::UNSUPPORTED_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
1322 AuthorizationSetBuilder()
1323 .Digest(Digest::SHA_2_256)
1324 .Authorization(TAG_MAC_LENGTH, 264),
1325 &output_params));
1326}
1327
1328/*
1329 * SigningOperationsTest.HmacSha256TooSmallMacLength
1330 *
1331 * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
1332 * specified minimum MAC length.
1333 */
1334TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1335 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1336 .Authorization(TAG_NO_AUTH_REQUIRED)
1337 .HmacKey(128)
1338 .Digest(Digest::SHA_2_256)
1339 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1340 AuthorizationSet output_params;
1341 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::SIGN, key_blob_,
1342 AuthorizationSetBuilder()
1343 .Digest(Digest::SHA_2_256)
1344 .Authorization(TAG_MAC_LENGTH, 120),
1345 &output_params));
1346}
1347
1348/*
1349 * SigningOperationsTest.HmacRfc4231TestCase3
1350 *
1351 * Validates against the test vectors from RFC 4231 test case 3.
1352 */
1353TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
1354 string key(20, 0xaa);
1355 string message(50, 0xdd);
1356 uint8_t sha_224_expected[] = {
1357 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
1358 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
1359 };
1360 uint8_t sha_256_expected[] = {
1361 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
1362 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
1363 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
1364 };
1365 uint8_t sha_384_expected[] = {
1366 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
1367 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1368 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
1369 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
1370 };
1371 uint8_t sha_512_expected[] = {
1372 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
1373 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
1374 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
1375 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
1376 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
1377 };
1378
1379 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1380 if (SecLevel() != SecurityLevel::STRONGBOX) {
1381 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1382 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1383 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1384 }
1385}
1386
1387/*
1388 * SigningOperationsTest.HmacRfc4231TestCase5
1389 *
1390 * Validates against the test vectors from RFC 4231 test case 5.
1391 */
1392TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1393 string key(20, 0x0c);
1394 string message = "Test With Truncation";
1395
1396 uint8_t sha_224_expected[] = {
1397 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1398 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1399 };
1400 uint8_t sha_256_expected[] = {
1401 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1402 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1403 };
1404 uint8_t sha_384_expected[] = {
1405 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1406 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1407 };
1408 uint8_t sha_512_expected[] = {
1409 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1410 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1411 };
1412
1413 CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1414 if (SecLevel() != SecurityLevel::STRONGBOX) {
1415 CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1416 CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1417 CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1418 }
1419}
1420
1421INSTANTIATE_KEYMINT_AIDL_TEST(SigningOperationsTest);
1422
1423typedef KeyMintAidlTestBase VerificationOperationsTest;
1424
1425/*
1426 * VerificationOperationsTest.RsaSuccess
1427 *
1428 * Verifies that a simple RSA signature/verification sequence succeeds.
1429 */
1430TEST_P(VerificationOperationsTest, RsaSuccess) {
1431 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1432 .Authorization(TAG_NO_AUTH_REQUIRED)
1433 .RsaSigningKey(2048, 65537)
1434 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1435 .Padding(PaddingMode::NONE)
1436 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1437 string message = "12345678901234567890123456789012";
1438 string signature = SignMessage(
1439 message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1440 VerifyMessage(message, signature,
1441 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1442}
1443
1444/*
1445 * VerificationOperationsTest.RsaSuccess
1446 *
1447 * Verifies RSA signature/verification for all padding modes and digests.
1448 */
1449TEST_P(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
1450 auto authorizations = AuthorizationSetBuilder()
1451 .Authorization(TAG_NO_AUTH_REQUIRED)
1452 .RsaSigningKey(2048, 65537)
1453 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
1454 .Padding(PaddingMode::NONE)
1455 .Padding(PaddingMode::RSA_PSS)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1456 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
1457 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1458
1459 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
1460
1461 string message(128, 'a');
1462 string corrupt_message(message);
1463 ++corrupt_message[corrupt_message.size() / 2];
1464
1465 for (auto padding :
1466 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
1467 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
1468 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
1469 // Digesting only makes sense with padding.
1470 continue;
1471 }
1472
1473 if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
1474 // PSS requires digesting.
1475 continue;
1476 }
1477
1478 string signature =
1479 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
1480 VerifyMessage(message, signature,
1481 AuthorizationSetBuilder().Digest(digest).Padding(padding));
1482
1483 /* TODO(seleneh) add exportkey tests back later when we have decided on
1484 * the new api.
1485 if (digest != Digest::NONE) {
1486 // Verify with OpenSSL.
1487 vector<uint8_t> pubkey;
1488 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey));
1489
1490 const uint8_t* p = pubkey.data();
1491 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr, &p, pubkey.size()));
1492 ASSERT_TRUE(pkey.get());
1493
1494 EVP_MD_CTX digest_ctx;
1495 EVP_MD_CTX_init(&digest_ctx);
1496 EVP_PKEY_CTX* pkey_ctx;
1497 const EVP_MD* md = openssl_digest(digest);
1498 ASSERT_NE(md, nullptr);
1499 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md,
1500 nullptr, pkey.get()));
1501
1502 switch (padding) {
1503 case PaddingMode::RSA_PSS:
1504 EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx,
1505 RSA_PKCS1_PSS_PADDING), 0); EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx,
1506 EVP_MD_size(md)), 0); break; case PaddingMode::RSA_PKCS1_1_5_SIGN:
1507 // PKCS1 is the default; don't need to set anything.
1508 break;
1509 default:
1510 FAIL();
1511 break;
1512 }
1513
1514 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(),
1515 message.size())); EXPECT_EQ(1, EVP_DigestVerifyFinal(&digest_ctx,
1516 reinterpret_cast<const
1517 uint8_t*>(signature.data()), signature.size())); EVP_MD_CTX_cleanup(&digest_ctx);
1518 }
1519 */
1520
1521 // Corrupt signature shouldn't verify.
1522 string corrupt_signature(signature);
1523 ++corrupt_signature[corrupt_signature.size() / 2];
1524
1525 EXPECT_EQ(ErrorCode::OK,
1526 Begin(KeyPurpose::VERIFY,
1527 AuthorizationSetBuilder().Digest(digest).Padding(padding)));
1528 string result;
1529 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result));
1530
1531 // Corrupt message shouldn't verify
1532 EXPECT_EQ(ErrorCode::OK,
1533 Begin(KeyPurpose::VERIFY,
1534 AuthorizationSetBuilder().Digest(digest).Padding(padding)));
1535 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result));
1536 }
1537 }
1538}
1539
1540/*
1541 * VerificationOperationsTest.RsaSuccess
1542 *
1543 * Verifies ECDSA signature/verification for all digests and curves.
1544 */
1545TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
1546 auto digests = ValidDigests(true /* withNone */, false /* withMD5 */);
1547
1548 string message = "1234567890";
1549 string corrupt_message = "2234567890";
1550 for (auto curve : ValidCurves()) {
1551 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1552 .Authorization(TAG_NO_AUTH_REQUIRED)
1553 .EcdsaSigningKey(curve)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1554 .Digest(digests)
1555 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1556 EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
1557 if (error != ErrorCode::OK) {
1558 continue;
1559 }
1560
1561 for (auto digest : digests) {
1562 string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
1563 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
1564
1565 /* TODO(seleneh) add exportkey tests back later when we have decided on
1566 * the new api.
1567
1568 // Verify with OpenSSL
1569 if (digest != Digest::NONE) {
1570 vector<uint8_t> pubkey;
1571 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey))
1572 << curve << ' ' << digest;
1573
1574 const uint8_t* p = pubkey.data();
1575 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr, &p, pubkey.size()));
1576 ASSERT_TRUE(pkey.get());
1577
1578 EVP_MD_CTX digest_ctx;
1579 EVP_MD_CTX_init(&digest_ctx);
1580 EVP_PKEY_CTX* pkey_ctx;
1581 const EVP_MD* md = openssl_digest(digest);
1582
1583 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md,
1584 nullptr, pkey.get()))
1585 << curve << ' ' << digest;
1586
1587 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(),
1588 message.size()))
1589 << curve << ' ' << digest;
1590
1591 EXPECT_EQ(1,
1592 EVP_DigestVerifyFinal(&digest_ctx,
1593 reinterpret_cast<const
1594 uint8_t*>(signature.data()), signature.size()))
1595 << curve << ' ' << digest;
1596
1597 EVP_MD_CTX_cleanup(&digest_ctx);
1598 }
1599 */
1600 // Corrupt signature shouldn't verify.
1601 string corrupt_signature(signature);
1602 ++corrupt_signature[corrupt_signature.size() / 2];
1603
1604 EXPECT_EQ(ErrorCode::OK,
1605 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
1606 << curve << ' ' << digest;
1607
1608 string result;
1609 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result))
1610 << curve << ' ' << digest;
1611
1612 // Corrupt message shouldn't verify
1613 EXPECT_EQ(ErrorCode::OK,
1614 Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
1615 << curve << ' ' << digest;
1616
1617 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result))
1618 << curve << ' ' << digest;
1619 }
1620
1621 auto rc = DeleteKey();
1622 ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
1623 }
1624}
1625
1626/*
1627 * VerificationOperationsTest.HmacSigningKeyCannotVerify
1628 *
1629 * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
1630 */
1631TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
1632 string key_material = "HelloThisIsAKey";
1633
1634 vector<uint8_t> signing_key, verification_key;
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1635 vector<KeyCharacteristics> signing_key_chars, verification_key_chars;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1636 EXPECT_EQ(ErrorCode::OK,
1637 ImportKey(AuthorizationSetBuilder()
1638 .Authorization(TAG_NO_AUTH_REQUIRED)
1639 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
1640 .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
1641 .Digest(Digest::SHA_2_256)
1642 .Authorization(TAG_MIN_MAC_LENGTH, 160),
1643 KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
1644 EXPECT_EQ(ErrorCode::OK,
1645 ImportKey(AuthorizationSetBuilder()
1646 .Authorization(TAG_NO_AUTH_REQUIRED)
1647 .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
1648 .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
1649 .Digest(Digest::SHA_2_256)
1650 .Authorization(TAG_MIN_MAC_LENGTH, 160),
1651 KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
1652
1653 string message = "This is a message.";
1654 string signature = SignMessage(
1655 signing_key, message,
1656 AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
1657
1658 // Signing key should not work.
1659 AuthorizationSet out_params;
1660 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
1661 Begin(KeyPurpose::VERIFY, signing_key,
1662 AuthorizationSetBuilder().Digest(Digest::SHA_2_256), &out_params));
1663
1664 // Verification key should work.
1665 VerifyMessage(verification_key, message, signature,
1666 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1667
1668 CheckedDeleteKey(&signing_key);
1669 CheckedDeleteKey(&verification_key);
1670}
1671
1672INSTANTIATE_KEYMINT_AIDL_TEST(VerificationOperationsTest);
1673
1674typedef KeyMintAidlTestBase ExportKeyTest;
1675
1676/*
1677 * ExportKeyTest.RsaUnsupportedKeyFormat
1678 *
1679 * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
1680 */
1681// TODO(seleneh) add ExportKey to GenerateKey
1682// check result
1683
1684class ImportKeyTest : public KeyMintAidlTestBase {
1685 public:
1686 template <TagType tag_type, Tag tag, typename ValueT>
1687 void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
1688 SCOPED_TRACE("CheckCryptoParam");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1689 for (auto& entry : key_characteristics_) {
1690 if (entry.securityLevel == SecLevel()) {
1691 EXPECT_TRUE(contains(entry.authorizations, ttag, expected))
1692 << "Tag " << tag << " with value " << expected
1693 << " not found at security level" << entry.securityLevel;
1694 } else {
1695 EXPECT_FALSE(contains(entry.authorizations, ttag, expected))
1696 << "Tag " << tag << " found at security level " << entry.securityLevel;
1697 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1698 }
1699 }
1700
1701 void CheckOrigin() {
1702 SCOPED_TRACE("CheckOrigin");
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]1703 // Origin isn't a crypto param, but it always lives with them.
1704 return CheckCryptoParam(TAG_ORIGIN, KeyOrigin::IMPORTED);
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1705 }
1706};
1707
1708/*
1709 * ImportKeyTest.RsaSuccess
1710 *
1711 * Verifies that importing and using an RSA key pair works correctly.
1712 */
1713TEST_P(ImportKeyTest, RsaSuccess) {
1714 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1715 .Authorization(TAG_NO_AUTH_REQUIRED)
1716 .RsaSigningKey(1024, 65537)
1717 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1718 .Padding(PaddingMode::RSA_PSS)
1719 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1720 KeyFormat::PKCS8, rsa_key));
1721
1722 CheckCryptoParam(TAG_ALGORITHM, Algorithm::RSA);
1723 CheckCryptoParam(TAG_KEY_SIZE, 1024U);
1724 CheckCryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
1725 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1726 CheckCryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
1727 CheckOrigin();
1728
1729 string message(1024 / 8, 'a');
1730 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
1731 string signature = SignMessage(message, params);
1732 VerifyMessage(message, signature, params);
1733}
1734
1735/*
1736 * ImportKeyTest.RsaKeySizeMismatch
1737 *
1738 * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
1739 * correct way.
1740 */
1741TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1742 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1743 ImportKey(AuthorizationSetBuilder()
1744 .RsaSigningKey(2048 /* Doesn't match key */, 65537)
1745 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1746 .Padding(PaddingMode::NONE)
1747 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1748 KeyFormat::PKCS8, rsa_key));
1749}
1750
1751/*
1752 * ImportKeyTest.RsaPublicExponentMismatch
1753 *
1754 * Verifies that importing an RSA key pair with a public exponent that doesn't match the key
1755 * fails in the correct way.
1756 */
1757TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
1758 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1759 ImportKey(AuthorizationSetBuilder()
1760 .RsaSigningKey(1024, 3 /* Doesn't match key */)
1761 .Digest(Digest::NONE)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1762 .Padding(PaddingMode::NONE)
1763 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1764 KeyFormat::PKCS8, rsa_key));
1765}
1766
1767/*
1768 * ImportKeyTest.EcdsaSuccess
1769 *
1770 * Verifies that importing and using an ECDSA P-256 key pair works correctly.
1771 */
1772TEST_P(ImportKeyTest, EcdsaSuccess) {
1773 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1774 .Authorization(TAG_NO_AUTH_REQUIRED)
1775 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1776 .Digest(Digest::SHA_2_256)
1777 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1778 KeyFormat::PKCS8, ec_256_key));
1779
1780 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1781 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1782 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1783 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1784
1785 CheckOrigin();
1786
1787 string message(32, 'a');
1788 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1789 string signature = SignMessage(message, params);
1790 VerifyMessage(message, signature, params);
1791}
1792
1793/*
1794 * ImportKeyTest.EcdsaP256RFC5915Success
1795 *
1796 * Verifies that importing and using an ECDSA P-256 key pair encoded using RFC5915 works
1797 * correctly.
1798 */
1799TEST_P(ImportKeyTest, EcdsaP256RFC5915Success) {
1800 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1801 .Authorization(TAG_NO_AUTH_REQUIRED)
1802 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1803 .Digest(Digest::SHA_2_256)
1804 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1805 KeyFormat::PKCS8, ec_256_key_rfc5915));
1806
1807 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1808 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1809 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1810 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1811
1812 CheckOrigin();
1813
1814 string message(32, 'a');
1815 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1816 string signature = SignMessage(message, params);
1817 VerifyMessage(message, signature, params);
1818}
1819
1820/*
1821 * ImportKeyTest.EcdsaP256SEC1Success
1822 *
1823 * Verifies that importing and using an ECDSA P-256 key pair encoded using SEC1 works correctly.
1824 */
1825TEST_P(ImportKeyTest, EcdsaP256SEC1Success) {
1826 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1827 .Authorization(TAG_NO_AUTH_REQUIRED)
1828 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1829 .Digest(Digest::SHA_2_256)
1830 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1831 KeyFormat::PKCS8, ec_256_key_sec1));
1832
1833 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1834 CheckCryptoParam(TAG_KEY_SIZE, 256U);
1835 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1836 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_256);
1837
1838 CheckOrigin();
1839
1840 string message(32, 'a');
1841 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1842 string signature = SignMessage(message, params);
1843 VerifyMessage(message, signature, params);
1844}
1845
1846/*
1847 * ImportKeyTest.Ecdsa521Success
1848 *
1849 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
1850 */
1851TEST_P(ImportKeyTest, Ecdsa521Success) {
1852 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1853 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1854 .Authorization(TAG_NO_AUTH_REQUIRED)
1855 .EcdsaSigningKey(521)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1856 .Digest(Digest::SHA_2_256)
1857 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1858 KeyFormat::PKCS8, ec_521_key));
1859
1860 CheckCryptoParam(TAG_ALGORITHM, Algorithm::EC);
1861 CheckCryptoParam(TAG_KEY_SIZE, 521U);
1862 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1863 CheckCryptoParam(TAG_EC_CURVE, EcCurve::P_521);
1864 CheckOrigin();
1865
1866 string message(32, 'a');
1867 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
1868 string signature = SignMessage(message, params);
1869 VerifyMessage(message, signature, params);
1870}
1871
1872/*
1873 * ImportKeyTest.EcdsaSizeMismatch
1874 *
1875 * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the
1876 * correct way.
1877 */
1878TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1879 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1880 ImportKey(AuthorizationSetBuilder()
1881 .EcdsaSigningKey(224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1882 .Digest(Digest::NONE)
1883 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1884 KeyFormat::PKCS8, ec_256_key));
1885}
1886
1887/*
1888 * ImportKeyTest.EcdsaCurveMismatch
1889 *
1890 * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in
1891 * the correct way.
1892 */
1893TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
1894 ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
1895 ImportKey(AuthorizationSetBuilder()
1896 .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]1897 .Digest(Digest::NONE)
1898 .SetDefaultValidity(),
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]1899 KeyFormat::PKCS8, ec_256_key));
1900}
1901
1902/*
1903 * ImportKeyTest.AesSuccess
1904 *
1905 * Verifies that importing and using an AES key works.
1906 */
1907TEST_P(ImportKeyTest, AesSuccess) {
1908 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1909 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1910 .Authorization(TAG_NO_AUTH_REQUIRED)
1911 .AesEncryptionKey(key.size() * 8)
1912 .EcbMode()
1913 .Padding(PaddingMode::PKCS7),
1914 KeyFormat::RAW, key));
1915
1916 CheckCryptoParam(TAG_ALGORITHM, Algorithm::AES);
1917 CheckCryptoParam(TAG_KEY_SIZE, 128U);
1918 CheckCryptoParam(TAG_PADDING, PaddingMode::PKCS7);
1919 CheckCryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
1920 CheckOrigin();
1921
1922 string message = "Hello World!";
1923 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
1924 string ciphertext = EncryptMessage(message, params);
1925 string plaintext = DecryptMessage(ciphertext, params);
1926 EXPECT_EQ(message, plaintext);
1927}
1928
1929/*
1930 * ImportKeyTest.AesSuccess
1931 *
1932 * Verifies that importing and using an HMAC key works.
1933 */
1934TEST_P(ImportKeyTest, HmacKeySuccess) {
1935 string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1936 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1937 .Authorization(TAG_NO_AUTH_REQUIRED)
1938 .HmacKey(key.size() * 8)
1939 .Digest(Digest::SHA_2_256)
1940 .Authorization(TAG_MIN_MAC_LENGTH, 256),
1941 KeyFormat::RAW, key));
1942
1943 CheckCryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
1944 CheckCryptoParam(TAG_KEY_SIZE, 128U);
1945 CheckCryptoParam(TAG_DIGEST, Digest::SHA_2_256);
1946 CheckOrigin();
1947
1948 string message = "Hello World!";
1949 string signature = MacMessage(message, Digest::SHA_2_256, 256);
1950 VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1951}
1952
1953INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);
1954
1955auto wrapped_key = hex2str(
1956 "3082017902010004820100934bf94e2aa28a3f83c9f79297250262fbe3276b5a1c91159bbfa3ef8957aac8"
1957 "4b59b30b455a79c2973480823d8b3863c3deef4a8e243590268d80e18751a0e130f67ce6a1ace9f79b95e0"
1958 "97474febc981195b1d13a69086c0863f66a7b7fdb48792227b1ac5e2489febdf087ab5486483033a6f001c"
1959 "a5d1ec1e27f5c30f4cec2642074a39ae68aee552e196627a8e3d867e67a8c01b11e75f13cca0a97ab668b5"
1960 "0cda07a8ecb7cd8e3dd7009c9636534f6f239cffe1fc8daa466f78b676c7119efb96bce4e69ca2a25d0b34"
1961 "ed9c3ff999b801597d5220e307eaa5bee507fb94d1fa69f9e519b2de315bac92c36f2ea1fa1df4478c0dde"
1962 "deae8c70e0233cd098040cd796b02c370f1fa4cc0124f1302e0201033029a1083106020100020101a20302"
1963 "0120a30402020100a4053103020101a6053103020140bf83770205000420ccd540855f833a5e1480bfd2d3"
1964 "6faf3aeee15df5beabe2691bc82dde2a7aa910041064c9f689c60ff6223ab6e6999e0eb6e5");
1965
1966auto wrapped_key_masked = hex2str(
1967 "3082017902010004820100aad93ed5924f283b4bb5526fbe7a1412f9d9749ec30db9062b29e574a8546f33"
1968 "c88732452f5b8e6a391ee76c39ed1712c61d8df6213dec1cffbc17a8c6d04c7b30893d8daa9b2015213e21"
1969 "946821553207f8f9931c4caba23ed3bee28b36947e47f10e0a5c3dc51c988a628daad3e5e1f4005e79c2d5"
1970 "a96c284b4b8d7e4948f331e5b85dd5a236f85579f3ea1d1b848487470bdb0ab4f81a12bee42c99fe0df4be"
1971 "e3759453e69ad1d68a809ce06b949f7694a990429b2fe81e066ff43e56a21602db70757922a4bcc23ab89f"
1972 "1e35da77586775f423e519c2ea394caf48a28d0c8020f1dcf6b3a68ec246f615ae96dae9a079b1f6eb9590"
1973 "33c1af5c125fd94168040c6d9721d08589581ab49204a3302e0201033029a1083106020100020101a20302"
1974 "0120a30402020100a4053103020101a6053103020140bf83770205000420a61c6e247e25b3e6e69aa78eb0"
1975 "3c2d4ac20d1f99a9a024a76f35c8e2cab9b68d04102560c70109ae67c030f00b98b512a670");
1976
1977auto wrapping_key = hex2str(
1978 "308204be020100300d06092a864886f70d0101010500048204a8308204a40201000282010100aec367931d"
1979 "8900ce56b0067f7d70e1fc653f3f34d194c1fed50018fb43db937b06e673a837313d56b1c725150a3fef86"
1980 "acbddc41bb759c2854eae32d35841efb5c18d82bc90a1cb5c1d55adf245b02911f0b7cda88c421ff0ebafe"
1981 "7c0d23be312d7bd5921ffaea1347c157406fef718f682643e4e5d33c6703d61c0cf7ac0bf4645c11f5c137"
1982 "4c3886427411c449796792e0bef75dec858a2123c36753e02a95a96d7c454b504de385a642e0dfc3e60ac3"
1983 "a7ee4991d0d48b0172a95f9536f02ba13cecccb92b727db5c27e5b2f5cec09600b286af5cf14c42024c61d"
1984 "dfe71c2a8d7458f185234cb00e01d282f10f8fc6721d2aed3f4833cca2bd8fa62821dd5502030100010282"
1985 "0100431447b6251908112b1ee76f99f3711a52b6630960046c2de70de188d833f8b8b91e4d785caeeeaf4f"
1986 "0f74414e2cda40641f7fe24f14c67a88959bdb27766df9e710b630a03adc683b5d2c43080e52bee71e9eae"
1987 "b6de297a5fea1072070d181c822bccff087d63c940ba8a45f670feb29fb4484d1c95e6d2579ba02aae0a00"
1988 "900c3ebf490e3d2cd7ee8d0e20c536e4dc5a5097272888cddd7e91f228b1c4d7474c55b8fcd618c4a957bb"
1989 "ddd5ad7407cc312d8d98a5caf7e08f4a0d6b45bb41c652659d5a5ba05b663737a8696281865ba20fbdd7f8"
1990 "51e6c56e8cbe0ddbbf24dc03b2d2cb4c3d540fb0af52e034a2d06698b128e5f101e3b51a34f8d8b4f86181"
1991 "02818100de392e18d682c829266cc3454e1d6166242f32d9a1d10577753e904ea7d08bff841be5bac82a16"
1992 "4c5970007047b8c517db8f8f84e37bd5988561bdf503d4dc2bdb38f885434ae42c355f725c9a60f91f0788"
1993 "e1f1a97223b524b5357fdf72e2f696bab7d78e32bf92ba8e1864eab1229e91346130748a6e3c124f9149d7"
1994 "1c743502818100c95387c0f9d35f137b57d0d65c397c5e21cc251e47008ed62a542409c8b6b6ac7f8967b3"
1995 "863ca645fcce49582a9aa17349db6c4a95affdae0dae612e1afac99ed39a2d934c880440aed8832f984316"
1996 "3a47f27f392199dc1202f9a0f9bd08308007cb1e4e7f58309366a7de25f7c3c9b880677c068e1be936e812"
1997 "88815252a8a102818057ff8ca1895080b2cae486ef0adfd791fb0235c0b8b36cd6c136e52e4085f4ea5a06"
1998 "3212a4f105a3764743e53281988aba073f6e0027298e1c4378556e0efca0e14ece1af76ad0b030f27af6f0"
1999 "ab35fb73a060d8b1a0e142fa2647e93b32e36d8282ae0a4de50ab7afe85500a16f43a64719d6e2b9439823"
2000 "719cd08bcd03178102818100ba73b0bb28e3f81e9bd1c568713b101241acc607976c4ddccc90e65b6556ca"
2001 "31516058f92b6e09f3b160ff0e374ec40d78ae4d4979fde6ac06a1a400c61dd31254186af30b22c10582a8"
2002 "a43e34fe949c5f3b9755bae7baa7b7b7a6bd03b38cef55c86885fc6c1978b9cee7ef33da507c9df6b9277c"
2003 "ff1e6aaa5d57aca528466102818100c931617c77829dfb1270502be9195c8f2830885f57dba869536811e6"
2004 "864236d0c4736a0008a145af36b8357a7c3d139966d04c4e00934ea1aede3bb6b8ec841dc95e3f579751e2"
2005 "bfdfe27ae778983f959356210723287b0affcc9f727044d48c373f1babde0724fa17a4fd4da0902c7c9b9b"
2006 "f27ba61be6ad02dfddda8f4e6822");
2007
2008string zero_masking_key =
2009 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
2010string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
2011
2012class ImportWrappedKeyTest : public KeyMintAidlTestBase {};
2013
2014TEST_P(ImportWrappedKeyTest, Success) {
2015 auto wrapping_key_desc = AuthorizationSetBuilder()
2016 .RsaEncryptionKey(2048, 65537)
2017 .Digest(Digest::SHA_2_256)
2018 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2019 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2020 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2021
2022 ASSERT_EQ(ErrorCode::OK,
2023 ImportWrappedKey(wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
2024 AuthorizationSetBuilder()
2025 .Digest(Digest::SHA_2_256)
2026 .Padding(PaddingMode::RSA_OAEP)));
2027
2028 string message = "Hello World!";
2029 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2030 string ciphertext = EncryptMessage(message, params);
2031 string plaintext = DecryptMessage(ciphertext, params);
2032 EXPECT_EQ(message, plaintext);
2033}
2034
2035TEST_P(ImportWrappedKeyTest, SuccessMasked) {
2036 auto wrapping_key_desc = AuthorizationSetBuilder()
2037 .RsaEncryptionKey(2048, 65537)
2038 .Digest(Digest::SHA_2_256)
2039 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2040 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2041 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2042
2043 ASSERT_EQ(ErrorCode::OK,
2044 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
2045 AuthorizationSetBuilder()
2046 .Digest(Digest::SHA_2_256)
2047 .Padding(PaddingMode::RSA_OAEP)));
2048}
2049
2050TEST_P(ImportWrappedKeyTest, WrongMask) {
2051 auto wrapping_key_desc = AuthorizationSetBuilder()
2052 .RsaEncryptionKey(2048, 65537)
2053 .Digest(Digest::SHA_2_256)
2054 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2055 .Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY)
2056 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2057
2058 ASSERT_EQ(
2059 ErrorCode::VERIFICATION_FAILED,
2060 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
2061 AuthorizationSetBuilder()
2062 .Digest(Digest::SHA_2_256)
2063 .Padding(PaddingMode::RSA_OAEP)));
2064}
2065
2066TEST_P(ImportWrappedKeyTest, WrongPurpose) {
2067 auto wrapping_key_desc = AuthorizationSetBuilder()
2068 .RsaEncryptionKey(2048, 65537)
2069 .Digest(Digest::SHA_2_256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2070 .Padding(PaddingMode::RSA_OAEP)
2071 .SetDefaultValidity();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2072
2073 ASSERT_EQ(
2074 ErrorCode::INCOMPATIBLE_PURPOSE,
2075 ImportWrappedKey(wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
2076 AuthorizationSetBuilder()
2077 .Digest(Digest::SHA_2_256)
2078 .Padding(PaddingMode::RSA_OAEP)));
2079}
2080
2081INSTANTIATE_KEYMINT_AIDL_TEST(ImportWrappedKeyTest);
2082
2083typedef KeyMintAidlTestBase EncryptionOperationsTest;
2084
2085/*
2086 * EncryptionOperationsTest.RsaNoPaddingSuccess
2087 *
2088 * Verifies that raw RSA encryption works.
2089 */
2090TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
2091 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2092 .Authorization(TAG_NO_AUTH_REQUIRED)
2093 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2094 .Padding(PaddingMode::NONE)
2095 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2096
2097 string message = string(2048 / 8, 'a');
2098 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2099 string ciphertext1 = EncryptMessage(message, params);
2100 EXPECT_EQ(2048U / 8, ciphertext1.size());
2101
2102 string ciphertext2 = EncryptMessage(message, params);
2103 EXPECT_EQ(2048U / 8, ciphertext2.size());
2104
2105 // Unpadded RSA is deterministic
2106 EXPECT_EQ(ciphertext1, ciphertext2);
2107}
2108
2109/*
2110 * EncryptionOperationsTest.RsaNoPaddingShortMessage
2111 *
2112 * Verifies that raw RSA encryption of short messages works.
2113 */
2114TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
2115 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2116 .Authorization(TAG_NO_AUTH_REQUIRED)
2117 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2118 .Padding(PaddingMode::NONE)
2119 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2120
2121 string message = "1";
2122 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2123
2124 string ciphertext = EncryptMessage(message, params);
2125 EXPECT_EQ(2048U / 8, ciphertext.size());
2126
2127 string expected_plaintext = string(2048U / 8 - 1, 0) + message;
2128 string plaintext = DecryptMessage(ciphertext, params);
2129
2130 EXPECT_EQ(expected_plaintext, plaintext);
2131
2132 // Degenerate case, encrypting a numeric 1 yields 0x00..01 as the ciphertext.
2133 message = static_cast<char>(1);
2134 ciphertext = EncryptMessage(message, params);
2135 EXPECT_EQ(2048U / 8, ciphertext.size());
2136 EXPECT_EQ(ciphertext, string(2048U / 8 - 1, 0) + message);
2137}
2138
2139/*
2140 * EncryptionOperationsTest.RsaNoPaddingTooLong
2141 *
2142 * Verifies that raw RSA encryption of too-long messages fails in the expected way.
2143 */
2144TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
2145 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2146 .Authorization(TAG_NO_AUTH_REQUIRED)
2147 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2148 .Padding(PaddingMode::NONE)
2149 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2150
2151 string message(2048 / 8 + 1, 'a');
2152
2153 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2154 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2155
2156 string result;
2157 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
2158}
2159
2160/*
2161 * EncryptionOperationsTest.RsaNoPaddingTooLarge
2162 *
2163 * Verifies that raw RSA encryption of too-large (numerically) messages fails in the expected
2164 * way.
2165 */
2166// TODO(seleneh) add RsaNoPaddingTooLarge test back after decided and implemented new
2167// version of ExportKey inside generateKey
2168
2169/*
2170 * EncryptionOperationsTest.RsaOaepSuccess
2171 *
2172 * Verifies that RSA-OAEP encryption operations work, with all digests.
2173 */
2174TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2175 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
2176
2177 size_t key_size = 2048; // Need largish key for SHA-512 test.
2178 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2179 .Authorization(TAG_NO_AUTH_REQUIRED)
2180 .RsaEncryptionKey(key_size, 65537)
2181 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2182 .Digest(digests)
2183 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2184
2185 string message = "Hello";
2186
2187 for (auto digest : digests) {
2188 auto params = AuthorizationSetBuilder().Digest(digest).Padding(PaddingMode::RSA_OAEP);
2189 string ciphertext1 = EncryptMessage(message, params);
2190 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
2191 EXPECT_EQ(key_size / 8, ciphertext1.size());
2192
2193 string ciphertext2 = EncryptMessage(message, params);
2194 EXPECT_EQ(key_size / 8, ciphertext2.size());
2195
2196 // OAEP randomizes padding so every result should be different (with astronomically high
2197 // probability).
2198 EXPECT_NE(ciphertext1, ciphertext2);
2199
2200 string plaintext1 = DecryptMessage(ciphertext1, params);
2201 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
2202 string plaintext2 = DecryptMessage(ciphertext2, params);
2203 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
2204
2205 // Decrypting corrupted ciphertext should fail.
2206 size_t offset_to_corrupt = random() % ciphertext1.size();
2207 char corrupt_byte;
2208 do {
2209 corrupt_byte = static_cast<char>(random() % 256);
2210 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2211 ciphertext1[offset_to_corrupt] = corrupt_byte;
2212
2213 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2214 string result;
2215 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2216 EXPECT_EQ(0U, result.size());
2217 }
2218}
2219
2220/*
2221 * EncryptionOperationsTest.RsaOaepInvalidDigest
2222 *
2223 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2224 * without a digest.
2225 */
2226TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2227 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2228 .Authorization(TAG_NO_AUTH_REQUIRED)
2229 .RsaEncryptionKey(2048, 65537)
2230 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2231 .Digest(Digest::NONE)
2232 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2233 string message = "Hello World!";
2234
2235 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
2236 EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2237}
2238
2239/*
2240 * EncryptionOperationsTest.RsaOaepInvalidDigest
2241 *
2242 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to decrypt
2243 * with a different digest than was used to encrypt.
2244 */
2245TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2246 if (SecLevel() == SecurityLevel::STRONGBOX) return;
2247
2248 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2249 .Authorization(TAG_NO_AUTH_REQUIRED)
2250 .RsaEncryptionKey(1024, 65537)
2251 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2252 .Digest(Digest::SHA_2_224, Digest::SHA_2_256)
2253 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2254 string message = "Hello World!";
2255 string ciphertext = EncryptMessage(
2256 message,
2257 AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
2258
2259 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
2260 .Digest(Digest::SHA_2_256)
2261 .Padding(PaddingMode::RSA_OAEP)));
2262 string result;
2263 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
2264 EXPECT_EQ(0U, result.size());
2265}
2266
2267/*
2268 * EncryptionOperationsTest.RsaOaepTooLarge
2269 *
2270 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to encrypt a
2271 * too-large message.
2272 */
2273TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2274 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2275 .Authorization(TAG_NO_AUTH_REQUIRED)
2276 .RsaEncryptionKey(2048, 65537)
2277 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2278 .Digest(Digest::SHA_2_256)
2279 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2280 constexpr size_t digest_size = 256 /* SHA_2_256 */ / 8;
2281 constexpr size_t oaep_overhead = 2 * digest_size + 2;
2282 string message(2048 / 8 - oaep_overhead + 1, 'a');
2283 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
2284 .Padding(PaddingMode::RSA_OAEP)
2285 .Digest(Digest::SHA_2_256)));
2286 string result;
2287 ErrorCode error = Finish(message, &result);
2288 EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2289 EXPECT_EQ(0U, result.size());
2290}
2291
2292/*
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2293 * EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess
2294 *
2295 * Verifies that RSA-OAEP encryption operations work, with all SHA 256 digests and all type of MGF1
2296 * digests.
2297 */
2298TEST_P(EncryptionOperationsTest, RsaOaepWithMGFDigestSuccess) {
2299 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
2300
2301 size_t key_size = 2048; // Need largish key for SHA-512 test.
2302 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2303 .OaepMGFDigest(digests)
2304 .Authorization(TAG_NO_AUTH_REQUIRED)
2305 .RsaEncryptionKey(key_size, 65537)
2306 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2307 .Digest(Digest::SHA_2_256)
2308 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2309
2310 string message = "Hello";
2311
2312 for (auto digest : digests) {
2313 auto params = AuthorizationSetBuilder()
2314 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, digest)
2315 .Digest(Digest::SHA_2_256)
2316 .Padding(PaddingMode::RSA_OAEP);
2317 string ciphertext1 = EncryptMessage(message, params);
2318 if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
2319 EXPECT_EQ(key_size / 8, ciphertext1.size());
2320
2321 string ciphertext2 = EncryptMessage(message, params);
2322 EXPECT_EQ(key_size / 8, ciphertext2.size());
2323
2324 // OAEP randomizes padding so every result should be different (with astronomically high
2325 // probability).
2326 EXPECT_NE(ciphertext1, ciphertext2);
2327
2328 string plaintext1 = DecryptMessage(ciphertext1, params);
2329 EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
2330 string plaintext2 = DecryptMessage(ciphertext2, params);
2331 EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
2332
2333 // Decrypting corrupted ciphertext should fail.
2334 size_t offset_to_corrupt = random() % ciphertext1.size();
2335 char corrupt_byte;
2336 do {
2337 corrupt_byte = static_cast<char>(random() % 256);
2338 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2339 ciphertext1[offset_to_corrupt] = corrupt_byte;
2340
2341 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2342 string result;
2343 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2344 EXPECT_EQ(0U, result.size());
2345 }
2346}
2347
2348/*
2349 * EncryptionOperationsTest.RsaOaepWithMGFIncompatibleDigest
2350 *
2351 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2352 * with incompatible MGF digest.
2353 */
2354TEST_P(EncryptionOperationsTest, RsaOaepWithMGFIncompatibleDigest) {
2355 ASSERT_EQ(ErrorCode::OK,
2356 GenerateKey(AuthorizationSetBuilder()
2357 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
2358 .Authorization(TAG_NO_AUTH_REQUIRED)
2359 .RsaEncryptionKey(2048, 65537)
2360 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2361 .Digest(Digest::SHA_2_256)
2362 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2363 string message = "Hello World!";
2364
2365 auto params = AuthorizationSetBuilder()
2366 .Padding(PaddingMode::RSA_OAEP)
2367 .Digest(Digest::SHA_2_256)
2368 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_224);
2369 EXPECT_EQ(ErrorCode::INCOMPATIBLE_MGF_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2370}
2371
2372/*
2373 * EncryptionOperationsTest.RsaOaepWithMGFUnsupportedDigest
2374 *
2375 * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2376 * with unsupported MGF digest.
2377 */
2378TEST_P(EncryptionOperationsTest, RsaOaepWithMGFUnsupportedDigest) {
2379 ASSERT_EQ(ErrorCode::OK,
2380 GenerateKey(AuthorizationSetBuilder()
2381 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::SHA_2_256)
2382 .Authorization(TAG_NO_AUTH_REQUIRED)
2383 .RsaEncryptionKey(2048, 65537)
2384 .Padding(PaddingMode::RSA_OAEP)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2385 .Digest(Digest::SHA_2_256)
2386 .SetDefaultValidity()));
Chirag Pathak8b7455a2020-12-21 18:42:52 -0500[diff] [blame]2387 string message = "Hello World!";
2388
2389 auto params = AuthorizationSetBuilder()
2390 .Padding(PaddingMode::RSA_OAEP)
2391 .Digest(Digest::SHA_2_256)
2392 .Authorization(TAG_RSA_OAEP_MGF_DIGEST, Digest::NONE);
2393 EXPECT_EQ(ErrorCode::UNSUPPORTED_MGF_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2394}
2395
2396/*
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2397 * EncryptionOperationsTest.RsaPkcs1Success
2398 *
2399 * Verifies that RSA PKCS encryption/decrypts works.
2400 */
2401TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2402 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2403 .Authorization(TAG_NO_AUTH_REQUIRED)
2404 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2405 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
2406 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2407
2408 string message = "Hello World!";
2409 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2410 string ciphertext1 = EncryptMessage(message, params);
2411 EXPECT_EQ(2048U / 8, ciphertext1.size());
2412
2413 string ciphertext2 = EncryptMessage(message, params);
2414 EXPECT_EQ(2048U / 8, ciphertext2.size());
2415
2416 // PKCS1 v1.5 randomizes padding so every result should be different.
2417 EXPECT_NE(ciphertext1, ciphertext2);
2418
2419 string plaintext = DecryptMessage(ciphertext1, params);
2420 EXPECT_EQ(message, plaintext);
2421
2422 // Decrypting corrupted ciphertext should fail.
2423 size_t offset_to_corrupt = random() % ciphertext1.size();
2424 char corrupt_byte;
2425 do {
2426 corrupt_byte = static_cast<char>(random() % 256);
2427 } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2428 ciphertext1[offset_to_corrupt] = corrupt_byte;
2429
2430 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2431 string result;
2432 EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2433 EXPECT_EQ(0U, result.size());
2434}
2435
2436/*
2437 * EncryptionOperationsTest.RsaPkcs1TooLarge
2438 *
2439 * Verifies that RSA PKCS encryption fails in the correct way when the mssage is too large.
2440 */
2441TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2442 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2443 .Authorization(TAG_NO_AUTH_REQUIRED)
2444 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2445 .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)
2446 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2447 string message(2048 / 8 - 10, 'a');
2448
2449 auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2450 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2451 string result;
2452 ErrorCode error = Finish(message, &result);
2453 EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2454 EXPECT_EQ(0U, result.size());
2455}
2456
2457/*
2458 * EncryptionOperationsTest.EcdsaEncrypt
2459 *
2460 * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
2461 */
2462TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2463 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2464 .Authorization(TAG_NO_AUTH_REQUIRED)
2465 .EcdsaSigningKey(256)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]2466 .Digest(Digest::NONE)
2467 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2468 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
2469 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
2470 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
2471}
2472
2473/*
2474 * EncryptionOperationsTest.HmacEncrypt
2475 *
2476 * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
2477 */
2478TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2479 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2480 .Authorization(TAG_NO_AUTH_REQUIRED)
2481 .HmacKey(128)
2482 .Digest(Digest::SHA_2_256)
2483 .Padding(PaddingMode::NONE)
2484 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2485 auto params = AuthorizationSetBuilder()
2486 .Digest(Digest::SHA_2_256)
2487 .Padding(PaddingMode::NONE)
2488 .Authorization(TAG_MAC_LENGTH, 128);
2489 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
2490 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params));
2491}
2492
2493/*
2494 * EncryptionOperationsTest.AesEcbRoundTripSuccess
2495 *
2496 * Verifies that AES ECB mode works.
2497 */
2498TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2499 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2500 .Authorization(TAG_NO_AUTH_REQUIRED)
2501 .AesEncryptionKey(128)
2502 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2503 .Padding(PaddingMode::NONE)));
2504
2505 ASSERT_GT(key_blob_.size(), 0U);
2506 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2507
2508 // Two-block message.
2509 string message = "12345678901234567890123456789012";
2510 string ciphertext1 = EncryptMessage(message, params);
2511 EXPECT_EQ(message.size(), ciphertext1.size());
2512
2513 string ciphertext2 = EncryptMessage(string(message), params);
2514 EXPECT_EQ(message.size(), ciphertext2.size());
2515
2516 // ECB is deterministic.
2517 EXPECT_EQ(ciphertext1, ciphertext2);
2518
2519 string plaintext = DecryptMessage(ciphertext1, params);
2520 EXPECT_EQ(message, plaintext);
2521}
2522
2523/*
2524 * EncryptionOperationsTest.AesEcbRoundTripSuccess
2525 *
2526 * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
2527 */
2528TEST_P(EncryptionOperationsTest, AesWrongMode) {
2529 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2530 .Authorization(TAG_NO_AUTH_REQUIRED)
2531 .AesEncryptionKey(128)
2532 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
2533 .Padding(PaddingMode::NONE)));
2534
2535 ASSERT_GT(key_blob_.size(), 0U);
2536
2537 // Two-block message.
2538 string message = "12345678901234567890123456789012";
2539 EXPECT_EQ(
2540 ErrorCode::INCOMPATIBLE_BLOCK_MODE,
2541 Begin(KeyPurpose::ENCRYPT,
2542 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
2543}
2544
2545/*
2546 * EncryptionOperationsTest.AesWrongPurpose
2547 *
2548 * Verifies that AES encryption fails in the correct way when an unauthorized purpose is
2549 * specified.
2550 */
2551TEST_P(EncryptionOperationsTest, AesWrongPurpose) {
2552 auto err = GenerateKey(AuthorizationSetBuilder()
2553 .Authorization(TAG_NO_AUTH_REQUIRED)
2554 .AesKey(128)
2555 .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
2556 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
2557 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2558 .Padding(PaddingMode::NONE));
2559 ASSERT_EQ(ErrorCode::OK, err) << "Got " << err;
2560 ASSERT_GT(key_blob_.size(), 0U);
2561
2562 err = Begin(KeyPurpose::DECRYPT, AuthorizationSetBuilder()
2563 .BlockMode(BlockMode::GCM)
2564 .Padding(PaddingMode::NONE)
2565 .Authorization(TAG_MAC_LENGTH, 128));
2566 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
2567
2568 CheckedDeleteKey();
2569
2570 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2571 .Authorization(TAG_NO_AUTH_REQUIRED)
2572 .AesKey(128)
2573 .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
2574 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
2575 .Authorization(TAG_MIN_MAC_LENGTH, 128)
2576 .Padding(PaddingMode::NONE)));
2577
2578 err = Begin(KeyPurpose::ENCRYPT, AuthorizationSetBuilder()
2579 .BlockMode(BlockMode::GCM)
2580 .Padding(PaddingMode::NONE)
2581 .Authorization(TAG_MAC_LENGTH, 128));
2582 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE, err) << "Got " << err;
2583}
2584
2585/*
2586 * EncryptionOperationsTest.AesEcbNoPaddingWrongInputSize
2587 *
2588 * Verifies that AES encryption fails in the correct way when provided an input that is not a
2589 * multiple of the block size and no padding is specified.
2590 */
2591TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2592 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2593 .Authorization(TAG_NO_AUTH_REQUIRED)
2594 .AesEncryptionKey(128)
2595 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2596 .Padding(PaddingMode::NONE)));
2597 // Message is slightly shorter than two blocks.
2598 string message(16 * 2 - 1, 'a');
2599
2600 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2601 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2602 string ciphertext;
2603 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
2604 EXPECT_EQ(0U, ciphertext.size());
2605}
2606
2607/*
2608 * EncryptionOperationsTest.AesEcbPkcs7Padding
2609 *
2610 * Verifies that AES PKCS7 padding works for any message length.
2611 */
2612TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2613 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2614 .Authorization(TAG_NO_AUTH_REQUIRED)
2615 .AesEncryptionKey(128)
2616 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2617 .Padding(PaddingMode::PKCS7)));
2618
2619 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2620
2621 // Try various message lengths; all should work.
2622 for (size_t i = 0; i < 32; ++i) {
2623 string message(i, 'a');
2624 string ciphertext = EncryptMessage(message, params);
2625 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2626 string plaintext = DecryptMessage(ciphertext, params);
2627 EXPECT_EQ(message, plaintext);
2628 }
2629}
2630
2631/*
2632 * EncryptionOperationsTest.AesEcbWrongPadding
2633 *
2634 * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
2635 * specified.
2636 */
2637TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
2638 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2639 .Authorization(TAG_NO_AUTH_REQUIRED)
2640 .AesEncryptionKey(128)
2641 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2642 .Padding(PaddingMode::NONE)));
2643
2644 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2645
2646 // Try various message lengths; all should fail
2647 for (size_t i = 0; i < 32; ++i) {
2648 string message(i, 'a');
2649 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
2650 }
2651}
2652
2653/*
2654 * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
2655 *
2656 * Verifies that AES decryption fails in the correct way when the padding is corrupted.
2657 */
2658TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2659 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2660 .Authorization(TAG_NO_AUTH_REQUIRED)
2661 .AesEncryptionKey(128)
2662 .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2663 .Padding(PaddingMode::PKCS7)));
2664
2665 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2666
2667 string message = "a";
2668 string ciphertext = EncryptMessage(message, params);
2669 EXPECT_EQ(16U, ciphertext.size());
2670 EXPECT_NE(ciphertext, message);
2671 ++ciphertext[ciphertext.size() / 2];
2672
2673 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2674 string plaintext;
2675 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext));
2676}
2677
2678vector<uint8_t> CopyIv(const AuthorizationSet& set) {
2679 auto iv = set.GetTagValue(TAG_NONCE);
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2680 EXPECT_TRUE(iv);
2681 return iv->get();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2682}
2683
2684/*
2685 * EncryptionOperationsTest.AesCtrRoundTripSuccess
2686 *
2687 * Verifies that AES CTR mode works.
2688 */
2689TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2690 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2691 .Authorization(TAG_NO_AUTH_REQUIRED)
2692 .AesEncryptionKey(128)
2693 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
2694 .Padding(PaddingMode::NONE)));
2695
2696 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
2697
2698 string message = "123";
2699 AuthorizationSet out_params;
2700 string ciphertext1 = EncryptMessage(message, params, &out_params);
2701 vector<uint8_t> iv1 = CopyIv(out_params);
2702 EXPECT_EQ(16U, iv1.size());
2703
2704 EXPECT_EQ(message.size(), ciphertext1.size());
2705
2706 out_params.Clear();
2707 string ciphertext2 = EncryptMessage(message, params, &out_params);
2708 vector<uint8_t> iv2 = CopyIv(out_params);
2709 EXPECT_EQ(16U, iv2.size());
2710
2711 // IVs should be random, so ciphertexts should differ.
2712 EXPECT_NE(ciphertext1, ciphertext2);
2713
2714 auto params_iv1 =
2715 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
2716 auto params_iv2 =
2717 AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
2718
2719 string plaintext = DecryptMessage(ciphertext1, params_iv1);
2720 EXPECT_EQ(message, plaintext);
2721 plaintext = DecryptMessage(ciphertext2, params_iv2);
2722 EXPECT_EQ(message, plaintext);
2723
2724 // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
2725 plaintext = DecryptMessage(ciphertext1, params_iv2);
2726 EXPECT_NE(message, plaintext);
2727 plaintext = DecryptMessage(ciphertext2, params_iv1);
2728 EXPECT_NE(message, plaintext);
2729}
2730
2731/*
2732 * EncryptionOperationsTest.AesIncremental
2733 *
2734 * Verifies that AES works, all modes, when provided data in various size increments.
2735 */
2736TEST_P(EncryptionOperationsTest, AesIncremental) {
2737 auto block_modes = {
2738 BlockMode::ECB,
2739 BlockMode::CBC,
2740 BlockMode::CTR,
2741 BlockMode::GCM,
2742 };
2743
2744 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2745 .Authorization(TAG_NO_AUTH_REQUIRED)
2746 .AesEncryptionKey(128)
2747 .BlockMode(block_modes)
2748 .Padding(PaddingMode::NONE)
2749 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2750
2751 for (int increment = 1; increment <= 240; ++increment) {
2752 for (auto block_mode : block_modes) {
2753 string message(240, 'a');
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2754 auto params =
2755 AuthorizationSetBuilder().BlockMode(block_mode).Padding(PaddingMode::NONE);
2756 if (block_mode == BlockMode::GCM) {
2757 params.Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
2758 }
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2759
2760 AuthorizationSet output_params;
2761 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
2762
2763 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2764 string to_send;
2765 for (size_t i = 0; i < message.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2766 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2767 }
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2768 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext))
2769 << "Error sending " << to_send << " with block mode " << block_mode;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2770
2771 switch (block_mode) {
2772 case BlockMode::GCM:
2773 EXPECT_EQ(message.size() + 16, ciphertext.size());
2774 break;
2775 case BlockMode::CTR:
2776 EXPECT_EQ(message.size(), ciphertext.size());
2777 break;
2778 case BlockMode::CBC:
2779 case BlockMode::ECB:
2780 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
2781 break;
2782 }
2783
2784 auto iv = output_params.GetTagValue(TAG_NONCE);
2785 switch (block_mode) {
2786 case BlockMode::CBC:
2787 case BlockMode::GCM:
2788 case BlockMode::CTR:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2789 ASSERT_TRUE(iv) << "No IV for block mode " << block_mode;
2790 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv->get().size());
2791 params.push_back(TAG_NONCE, iv->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2792 break;
2793
2794 case BlockMode::ECB:
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2795 EXPECT_FALSE(iv) << "ECB mode should not generate IV";
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2796 break;
2797 }
2798
2799 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
2800 << "Decrypt begin() failed for block mode " << block_mode;
2801
2802 string plaintext;
2803 for (size_t i = 0; i < ciphertext.size(); i += increment) {
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]2804 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2805 }
2806 ErrorCode error = Finish(to_send, &plaintext);
2807 ASSERT_EQ(ErrorCode::OK, error) << "Decryption failed for block mode " << block_mode
2808 << " and increment " << increment;
2809 if (error == ErrorCode::OK) {
2810 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
2811 << block_mode << " and increment " << increment;
2812 }
2813 }
2814 }
2815}
2816
2817struct AesCtrSp80038aTestVector {
2818 const char* key;
2819 const char* nonce;
2820 const char* plaintext;
2821 const char* ciphertext;
2822};
2823
2824// These test vectors are taken from
2825// http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2826static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2827 // AES-128
2828 {
2829 "2b7e151628aed2a6abf7158809cf4f3c",
2830 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2831 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2832 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2833 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2834 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2835 },
2836 // AES-192
2837 {
2838 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
2839 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2840 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2841 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2842 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2843 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2844 },
2845 // AES-256
2846 {
2847 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2848 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2849 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2850 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2851 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2852 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2853 },
2854};
2855
2856/*
2857 * EncryptionOperationsTest.AesCtrSp80038aTestVector
2858 *
2859 * Verifies AES CTR implementation against SP800-38A test vectors.
2860 */
2861TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2862 std::vector<uint32_t> InvalidSizes = InvalidKeySizes(Algorithm::AES);
2863 for (size_t i = 0; i < 3; i++) {
2864 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2865 const string key = hex2str(test.key);
2866 if (std::find(InvalidSizes.begin(), InvalidSizes.end(), (key.size() * 8)) !=
2867 InvalidSizes.end())
2868 continue;
2869 const string nonce = hex2str(test.nonce);
2870 const string plaintext = hex2str(test.plaintext);
2871 const string ciphertext = hex2str(test.ciphertext);
2872 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2873 }
2874}
2875
2876/*
2877 * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
2878 *
2879 * Verifies that keymint rejects use of CTR mode with PKCS7 padding in the correct way.
2880 */
2881TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
2882 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2883 .Authorization(TAG_NO_AUTH_REQUIRED)
2884 .AesEncryptionKey(128)
2885 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
2886 .Padding(PaddingMode::PKCS7)));
2887 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
2888 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
2889}
2890
2891/*
2892 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
2893 *
2894 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
2895 */
2896TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2897 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2898 .Authorization(TAG_NO_AUTH_REQUIRED)
2899 .AesEncryptionKey(128)
2900 .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
2901 .Authorization(TAG_CALLER_NONCE)
2902 .Padding(PaddingMode::NONE)));
2903
2904 auto params = AuthorizationSetBuilder()
2905 .BlockMode(BlockMode::CTR)
2906 .Padding(PaddingMode::NONE)
2907 .Authorization(TAG_NONCE, AidlBuf(string(1, 'a')));
2908 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
2909
2910 params = AuthorizationSetBuilder()
2911 .BlockMode(BlockMode::CTR)
2912 .Padding(PaddingMode::NONE)
2913 .Authorization(TAG_NONCE, AidlBuf(string(15, 'a')));
2914 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
2915
2916 params = AuthorizationSetBuilder()
2917 .BlockMode(BlockMode::CTR)
2918 .Padding(PaddingMode::NONE)
2919 .Authorization(TAG_NONCE, AidlBuf(string(17, 'a')));
2920 EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
2921}
2922
2923/*
2924 * EncryptionOperationsTest.AesCtrInvalidCallerNonce
2925 *
2926 * Verifies that keymint fails correctly when the user supplies an incorrect-size nonce.
2927 */
2928TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
2929 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2930 .Authorization(TAG_NO_AUTH_REQUIRED)
2931 .AesEncryptionKey(128)
2932 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
2933 .Padding(PaddingMode::NONE)));
2934 // Two-block message.
2935 string message = "12345678901234567890123456789012";
2936 auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
2937 AuthorizationSet out_params;
2938 string ciphertext1 = EncryptMessage(message, params, &out_params);
2939 vector<uint8_t> iv1 = CopyIv(out_params);
2940 EXPECT_EQ(message.size(), ciphertext1.size());
2941
2942 out_params.Clear();
2943
2944 string ciphertext2 = EncryptMessage(message, params, &out_params);
2945 vector<uint8_t> iv2 = CopyIv(out_params);
2946 EXPECT_EQ(message.size(), ciphertext2.size());
2947
2948 // IVs should be random, so ciphertexts should differ.
2949 EXPECT_NE(ciphertext1, ciphertext2);
2950
2951 params.push_back(TAG_NONCE, iv1);
2952 string plaintext = DecryptMessage(ciphertext1, params);
2953 EXPECT_EQ(message, plaintext);
2954}
2955
2956/*
2957 * EncryptionOperationsTest.AesCallerNonce
2958 *
2959 * Verifies that AES caller-provided nonces work correctly.
2960 */
2961TEST_P(EncryptionOperationsTest, AesCallerNonce) {
2962 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2963 .Authorization(TAG_NO_AUTH_REQUIRED)
2964 .AesEncryptionKey(128)
2965 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
2966 .Authorization(TAG_CALLER_NONCE)
2967 .Padding(PaddingMode::NONE)));
2968
2969 string message = "12345678901234567890123456789012";
2970
2971 // Don't specify nonce, should get a random one.
2972 AuthorizationSetBuilder params =
2973 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
2974 AuthorizationSet out_params;
2975 string ciphertext = EncryptMessage(message, params, &out_params);
2976 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2977 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2978
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]2979 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]2980 string plaintext = DecryptMessage(ciphertext, params);
2981 EXPECT_EQ(message, plaintext);
2982
2983 // Now specify a nonce, should also work.
2984 params = AuthorizationSetBuilder()
2985 .BlockMode(BlockMode::CBC)
2986 .Padding(PaddingMode::NONE)
2987 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
2988 out_params.Clear();
2989 ciphertext = EncryptMessage(message, params, &out_params);
2990
2991 // Decrypt with correct nonce.
2992 plaintext = DecryptMessage(ciphertext, params);
2993 EXPECT_EQ(message, plaintext);
2994
2995 // Try with wrong nonce.
2996 params = AuthorizationSetBuilder()
2997 .BlockMode(BlockMode::CBC)
2998 .Padding(PaddingMode::NONE)
2999 .Authorization(TAG_NONCE, AidlBuf("aaaaaaaaaaaaaaaa"));
3000 plaintext = DecryptMessage(ciphertext, params);
3001 EXPECT_NE(message, plaintext);
3002}
3003
3004/*
3005 * EncryptionOperationsTest.AesCallerNonceProhibited
3006 *
3007 * Verifies that caller-provided nonces are not permitted when not specified in the key
3008 * authorizations.
3009 */
3010TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
3011 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3012 .Authorization(TAG_NO_AUTH_REQUIRED)
3013 .AesEncryptionKey(128)
3014 .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3015 .Padding(PaddingMode::NONE)));
3016
3017 string message = "12345678901234567890123456789012";
3018
3019 // Don't specify nonce, should get a random one.
3020 AuthorizationSetBuilder params =
3021 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3022 AuthorizationSet out_params;
3023 string ciphertext = EncryptMessage(message, params, &out_params);
3024 EXPECT_EQ(message.size(), ciphertext.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3025 EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE)->get().size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3026
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3027 params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE)->get());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3028 string plaintext = DecryptMessage(ciphertext, params);
3029 EXPECT_EQ(message, plaintext);
3030
3031 // Now specify a nonce, should fail
3032 params = AuthorizationSetBuilder()
3033 .BlockMode(BlockMode::CBC)
3034 .Padding(PaddingMode::NONE)
3035 .Authorization(TAG_NONCE, AidlBuf("abcdefghijklmnop"));
3036 out_params.Clear();
3037 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
3038}
3039
3040/*
3041 * EncryptionOperationsTest.AesGcmRoundTripSuccess
3042 *
3043 * Verifies that AES GCM mode works.
3044 */
3045TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
3046 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3047 .Authorization(TAG_NO_AUTH_REQUIRED)
3048 .AesEncryptionKey(128)
3049 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3050 .Padding(PaddingMode::NONE)
3051 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3052
3053 string aad = "foobar";
3054 string message = "123456789012345678901234567890123456";
3055
3056 auto begin_params = AuthorizationSetBuilder()
3057 .BlockMode(BlockMode::GCM)
3058 .Padding(PaddingMode::NONE)
3059 .Authorization(TAG_MAC_LENGTH, 128);
3060
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3061 // Encrypt
3062 AuthorizationSet begin_out_params;
3063 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
3064 << "Begin encrypt";
3065 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3066 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3067 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3068 ASSERT_EQ(ciphertext.length(), message.length() + 16);
3069
3070 // Grab nonce
3071 begin_params.push_back(begin_out_params);
3072
3073 // Decrypt.
3074 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3075 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3076 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3077 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3078 EXPECT_EQ(message.length(), plaintext.length());
3079 EXPECT_EQ(message, plaintext);
3080}
3081
3082/*
3083 * EncryptionOperationsTest.AesGcmRoundTripWithDelaySuccess
3084 *
3085 * Verifies that AES GCM mode works, even when there's a long delay
3086 * between operations.
3087 */
3088TEST_P(EncryptionOperationsTest, AesGcmRoundTripWithDelaySuccess) {
3089 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3090 .Authorization(TAG_NO_AUTH_REQUIRED)
3091 .AesEncryptionKey(128)
3092 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3093 .Padding(PaddingMode::NONE)
3094 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3095
3096 string aad = "foobar";
3097 string message = "123456789012345678901234567890123456";
3098
3099 auto begin_params = AuthorizationSetBuilder()
3100 .BlockMode(BlockMode::GCM)
3101 .Padding(PaddingMode::NONE)
3102 .Authorization(TAG_MAC_LENGTH, 128);
3103
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3104 // Encrypt
3105 AuthorizationSet begin_out_params;
3106 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
3107 << "Begin encrypt";
3108 string ciphertext;
3109 AuthorizationSet update_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3110 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3111 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3112 ASSERT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3113
3114 ASSERT_EQ(ciphertext.length(), message.length() + 16);
3115
3116 // Grab nonce
3117 begin_params.push_back(begin_out_params);
3118
3119 // Decrypt.
3120 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
3121 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3122 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3123 sleep(5);
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3124 ASSERT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3125 sleep(5);
3126 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
3127 EXPECT_EQ(message.length(), plaintext.length());
3128 EXPECT_EQ(message, plaintext);
3129}
3130
3131/*
3132 * EncryptionOperationsTest.AesGcmDifferentNonces
3133 *
3134 * Verifies that encrypting the same data with different nonces produces different outputs.
3135 */
3136TEST_P(EncryptionOperationsTest, AesGcmDifferentNonces) {
3137 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3138 .Authorization(TAG_NO_AUTH_REQUIRED)
3139 .AesEncryptionKey(128)
3140 .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3141 .Padding(PaddingMode::NONE)
3142 .Authorization(TAG_MIN_MAC_LENGTH, 128)
3143 .Authorization(TAG_CALLER_NONCE)));
3144
3145 string aad = "foobar";
3146 string message = "123456789012345678901234567890123456";
3147 string nonce1 = "000000000000";
3148 string nonce2 = "111111111111";
3149 string nonce3 = "222222222222";
3150
3151 string ciphertext1 =
3152 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce1));
3153 string ciphertext2 =
3154 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce2));
3155 string ciphertext3 =
3156 EncryptMessage(message, BlockMode::GCM, PaddingMode::NONE, 128, AidlBuf(nonce3));
3157
3158 ASSERT_NE(ciphertext1, ciphertext2);
3159 ASSERT_NE(ciphertext1, ciphertext3);
3160 ASSERT_NE(ciphertext2, ciphertext3);
3161}
3162
3163/*
3164 * EncryptionOperationsTest.AesGcmTooShortTag
3165 *
3166 * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
3167 */
3168TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
3169 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3170 .Authorization(TAG_NO_AUTH_REQUIRED)
3171 .AesEncryptionKey(128)
3172 .BlockMode(BlockMode::GCM)
3173 .Padding(PaddingMode::NONE)
3174 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3175 string message = "123456789012345678901234567890123456";
3176 auto params = AuthorizationSetBuilder()
3177 .BlockMode(BlockMode::GCM)
3178 .Padding(PaddingMode::NONE)
3179 .Authorization(TAG_MAC_LENGTH, 96);
3180
3181 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
3182}
3183
3184/*
3185 * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
3186 *
3187 * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
3188 */
3189TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
3190 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3191 .Authorization(TAG_NO_AUTH_REQUIRED)
3192 .AesEncryptionKey(128)
3193 .BlockMode(BlockMode::GCM)
3194 .Padding(PaddingMode::NONE)
3195 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3196 string aad = "foobar";
3197 string message = "123456789012345678901234567890123456";
3198 auto params = AuthorizationSetBuilder()
3199 .BlockMode(BlockMode::GCM)
3200 .Padding(PaddingMode::NONE)
3201 .Authorization(TAG_MAC_LENGTH, 128);
3202
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3203 // Encrypt
3204 AuthorizationSet begin_out_params;
3205 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3206 EXPECT_EQ(1U, begin_out_params.size());
Janis Danisevskis5ba09332020-12-17 10:05:15 -0800[diff] [blame]3207 ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3208
3209 AuthorizationSet finish_out_params;
3210 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3211 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3212 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3213
3214 params = AuthorizationSetBuilder()
3215 .Authorizations(begin_out_params)
3216 .BlockMode(BlockMode::GCM)
3217 .Padding(PaddingMode::NONE)
3218 .Authorization(TAG_MAC_LENGTH, 96);
3219
3220 // Decrypt.
3221 EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
3222}
3223
3224/*
3225 * EncryptionOperationsTest.AesGcmCorruptKey
3226 *
3227 * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
3228 */
3229TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
3230 const uint8_t nonce_bytes[] = {
3231 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
3232 };
3233 string nonce = make_string(nonce_bytes);
3234 const uint8_t ciphertext_bytes[] = {
3235 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc,
3236 0xd2, 0xcb, 0x16, 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78,
3237 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d,
3238 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 0x76, 0x5e, 0xfb,
3239 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
3240 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
3241 };
3242 string ciphertext = make_string(ciphertext_bytes);
3243
3244 auto params = AuthorizationSetBuilder()
3245 .BlockMode(BlockMode::GCM)
3246 .Padding(PaddingMode::NONE)
3247 .Authorization(TAG_MAC_LENGTH, 128)
3248 .Authorization(TAG_NONCE, nonce.data(), nonce.size());
3249
3250 auto import_params = AuthorizationSetBuilder()
3251 .Authorization(TAG_NO_AUTH_REQUIRED)
3252 .AesEncryptionKey(128)
3253 .BlockMode(BlockMode::GCM)
3254 .Padding(PaddingMode::NONE)
3255 .Authorization(TAG_CALLER_NONCE)
3256 .Authorization(TAG_MIN_MAC_LENGTH, 128);
3257
3258 // Import correct key and decrypt
3259 const uint8_t key_bytes[] = {
3260 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
3261 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
3262 };
3263 string key = make_string(key_bytes);
3264 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3265 string plaintext = DecryptMessage(ciphertext, params);
3266 CheckedDeleteKey();
3267
3268 // Corrupt key and attempt to decrypt
3269 key[0] = 0;
3270 ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3271 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3272 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
3273 CheckedDeleteKey();
3274}
3275
3276/*
3277 * EncryptionOperationsTest.AesGcmAadNoData
3278 *
3279 * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
3280 * encrypt.
3281 */
3282TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
3283 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3284 .Authorization(TAG_NO_AUTH_REQUIRED)
3285 .AesEncryptionKey(128)
3286 .BlockMode(BlockMode::GCM)
3287 .Padding(PaddingMode::NONE)
3288 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3289
3290 string aad = "1234567890123456";
3291 auto params = AuthorizationSetBuilder()
3292 .BlockMode(BlockMode::GCM)
3293 .Padding(PaddingMode::NONE)
3294 .Authorization(TAG_MAC_LENGTH, 128);
3295
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3296 // Encrypt
3297 AuthorizationSet begin_out_params;
3298 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3299 string ciphertext;
3300 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3301 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
3302 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3303 EXPECT_TRUE(finish_out_params.empty());
3304
3305 // Grab nonce
3306 params.push_back(begin_out_params);
3307
3308 // Decrypt.
3309 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3310 ASSERT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3311 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3312 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3313
3314 EXPECT_TRUE(finish_out_params.empty());
3315
3316 EXPECT_EQ("", plaintext);
3317}
3318
3319/*
3320 * EncryptionOperationsTest.AesGcmMultiPartAad
3321 *
3322 * Verifies that AES GCM mode works when provided additional authenticated data in multiple
3323 * chunks.
3324 */
3325TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3326 const size_t tag_bits = 128;
3327 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3328 .Authorization(TAG_NO_AUTH_REQUIRED)
3329 .AesEncryptionKey(128)
3330 .BlockMode(BlockMode::GCM)
3331 .Padding(PaddingMode::NONE)
3332 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3333
3334 string message = "123456789012345678901234567890123456";
3335 auto begin_params = AuthorizationSetBuilder()
3336 .BlockMode(BlockMode::GCM)
3337 .Padding(PaddingMode::NONE)
3338 .Authorization(TAG_MAC_LENGTH, tag_bits);
3339 AuthorizationSet begin_out_params;
3340
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3341 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3342
3343 // No data, AAD only.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3344 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
3345 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3346 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3347 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
3348 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3349
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3350 // Expect 128-bit (16-byte) tag appended to ciphertext.
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3351 EXPECT_EQ(message.size() + (tag_bits / 8), ciphertext.size());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3352
3353 // Grab nonce.
3354 begin_params.push_back(begin_out_params);
3355
3356 // Decrypt
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3357 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3358 EXPECT_EQ(ErrorCode::OK, UpdateAad("foofoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3359 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3360 EXPECT_EQ(ErrorCode::OK, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3361 EXPECT_EQ(message, plaintext);
3362}
3363
3364/*
3365 * EncryptionOperationsTest.AesGcmAadOutOfOrder
3366 *
3367 * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
3368 */
3369TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
3370 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3371 .Authorization(TAG_NO_AUTH_REQUIRED)
3372 .AesEncryptionKey(128)
3373 .BlockMode(BlockMode::GCM)
3374 .Padding(PaddingMode::NONE)
3375 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3376
3377 string message = "123456789012345678901234567890123456";
3378 auto begin_params = AuthorizationSetBuilder()
3379 .BlockMode(BlockMode::GCM)
3380 .Padding(PaddingMode::NONE)
3381 .Authorization(TAG_MAC_LENGTH, 128);
3382 AuthorizationSet begin_out_params;
3383
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3384 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3385
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3386 EXPECT_EQ(ErrorCode::OK, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3387 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3388 EXPECT_EQ(ErrorCode::OK, Update(message, &ciphertext));
3389 EXPECT_EQ(ErrorCode::INVALID_TAG, UpdateAad("foo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3390
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3391 op_ = {};
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3392}
3393
3394/*
3395 * EncryptionOperationsTest.AesGcmBadAad
3396 *
3397 * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
3398 */
3399TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3400 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3401 .Authorization(TAG_NO_AUTH_REQUIRED)
3402 .AesEncryptionKey(128)
3403 .BlockMode(BlockMode::GCM)
3404 .Padding(PaddingMode::NONE)
3405 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3406
3407 string message = "12345678901234567890123456789012";
3408 auto begin_params = AuthorizationSetBuilder()
3409 .BlockMode(BlockMode::GCM)
3410 .Padding(PaddingMode::NONE)
3411 .Authorization(TAG_MAC_LENGTH, 128);
3412
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3413 // Encrypt
3414 AuthorizationSet begin_out_params;
3415 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3416 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3417 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3418 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3419
3420 // Grab nonce
3421 begin_params.push_back(begin_out_params);
3422
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3423 // Decrypt.
3424 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3425 EXPECT_EQ(ErrorCode::OK, UpdateAad("barfoo"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3426 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3427 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3428}
3429
3430/*
3431 * EncryptionOperationsTest.AesGcmWrongNonce
3432 *
3433 * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
3434 */
3435TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3436 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3437 .Authorization(TAG_NO_AUTH_REQUIRED)
3438 .AesEncryptionKey(128)
3439 .BlockMode(BlockMode::GCM)
3440 .Padding(PaddingMode::NONE)
3441 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3442
3443 string message = "12345678901234567890123456789012";
3444 auto begin_params = AuthorizationSetBuilder()
3445 .BlockMode(BlockMode::GCM)
3446 .Padding(PaddingMode::NONE)
3447 .Authorization(TAG_MAC_LENGTH, 128);
3448
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3449 // Encrypt
3450 AuthorizationSet begin_out_params;
3451 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3452 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3453 string ciphertext;
3454 AuthorizationSet finish_out_params;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3455 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3456
3457 // Wrong nonce
3458 begin_params.push_back(TAG_NONCE, AidlBuf("123456789012"));
3459
3460 // Decrypt.
3461 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3462 EXPECT_EQ(ErrorCode::OK, UpdateAad("foobar"));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3463 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3464 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3465
3466 // With wrong nonce, should have gotten garbage plaintext (or none).
3467 EXPECT_NE(message, plaintext);
3468}
3469
3470/*
3471 * EncryptionOperationsTest.AesGcmCorruptTag
3472 *
3473 * Verifies that AES GCM decryption fails correctly when the tag is wrong.
3474 */
3475TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3476 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3477 .Authorization(TAG_NO_AUTH_REQUIRED)
3478 .AesEncryptionKey(128)
3479 .BlockMode(BlockMode::GCM)
3480 .Padding(PaddingMode::NONE)
3481 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3482
3483 string aad = "1234567890123456";
3484 string message = "123456789012345678901234567890123456";
3485
3486 auto params = AuthorizationSetBuilder()
3487 .BlockMode(BlockMode::GCM)
3488 .Padding(PaddingMode::NONE)
3489 .Authorization(TAG_MAC_LENGTH, 128);
3490
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3491 // Encrypt
3492 AuthorizationSet begin_out_params;
3493 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3494 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3495 string ciphertext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3496 EXPECT_EQ(ErrorCode::OK, Finish(message, &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3497
3498 // Corrupt tag
3499 ++(*ciphertext.rbegin());
3500
3501 // Grab nonce
3502 params.push_back(begin_out_params);
3503
3504 // Decrypt.
3505 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3506 EXPECT_EQ(ErrorCode::OK, UpdateAad(aad));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3507 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3508 EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3509}
3510
3511/*
3512 * EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
3513 *
3514 * Verifies that 3DES is basically functional.
3515 */
3516TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
3517 auto auths = AuthorizationSetBuilder()
3518 .TripleDesEncryptionKey(168)
3519 .BlockMode(BlockMode::ECB)
3520 .Authorization(TAG_NO_AUTH_REQUIRED)
3521 .Padding(PaddingMode::NONE);
3522
3523 ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
3524 // Two-block message.
3525 string message = "1234567890123456";
3526 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
3527 string ciphertext1 = EncryptMessage(message, inParams);
3528 EXPECT_EQ(message.size(), ciphertext1.size());
3529
3530 string ciphertext2 = EncryptMessage(string(message), inParams);
3531 EXPECT_EQ(message.size(), ciphertext2.size());
3532
3533 // ECB is deterministic.
3534 EXPECT_EQ(ciphertext1, ciphertext2);
3535
3536 string plaintext = DecryptMessage(ciphertext1, inParams);
3537 EXPECT_EQ(message, plaintext);
3538}
3539
3540/*
3541 * EncryptionOperationsTest.TripleDesEcbNotAuthorized
3542 *
3543 * Verifies that CBC keys reject ECB usage.
3544 */
3545TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
3546 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3547 .TripleDesEncryptionKey(168)
3548 .BlockMode(BlockMode::CBC)
3549 .Authorization(TAG_NO_AUTH_REQUIRED)
3550 .Padding(PaddingMode::NONE)));
3551
3552 auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
3553 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
3554}
3555
3556/*
3557 * EncryptionOperationsTest.TripleDesEcbPkcs7Padding
3558 *
3559 * Tests ECB mode with PKCS#7 padding, various message sizes.
3560 */
3561TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
3562 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3563 .TripleDesEncryptionKey(168)
3564 .BlockMode(BlockMode::ECB)
3565 .Authorization(TAG_NO_AUTH_REQUIRED)
3566 .Padding(PaddingMode::PKCS7)));
3567
3568 for (size_t i = 0; i < 32; ++i) {
3569 string message(i, 'a');
3570 auto inParams =
3571 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3572 string ciphertext = EncryptMessage(message, inParams);
3573 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3574 string plaintext = DecryptMessage(ciphertext, inParams);
3575 EXPECT_EQ(message, plaintext);
3576 }
3577}
3578
3579/*
3580 * EncryptionOperationsTest.TripleDesEcbNoPaddingKeyWithPkcs7Padding
3581 *
3582 * Verifies that keys configured for no padding reject PKCS7 padding
3583 */
3584TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
3585 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3586 .TripleDesEncryptionKey(168)
3587 .BlockMode(BlockMode::ECB)
3588 .Authorization(TAG_NO_AUTH_REQUIRED)
3589 .Padding(PaddingMode::NONE)));
3590 for (size_t i = 0; i < 32; ++i) {
3591 auto inParams =
3592 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
3593 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, inParams));
3594 }
3595}
3596
3597/*
3598 * EncryptionOperationsTest.TripleDesEcbPkcs7PaddingCorrupted
3599 *
3600 * Verifies that corrupted padding is detected.
3601 */
3602TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
3603 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3604 .TripleDesEncryptionKey(168)
3605 .BlockMode(BlockMode::ECB)
3606 .Authorization(TAG_NO_AUTH_REQUIRED)
3607 .Padding(PaddingMode::PKCS7)));
3608
3609 string message = "a";
3610 string ciphertext = EncryptMessage(message, BlockMode::ECB, PaddingMode::PKCS7);
3611 EXPECT_EQ(8U, ciphertext.size());
3612 EXPECT_NE(ciphertext, message);
3613 ++ciphertext[ciphertext.size() / 2];
3614
3615 AuthorizationSetBuilder begin_params;
3616 begin_params.push_back(TAG_BLOCK_MODE, BlockMode::ECB);
3617 begin_params.push_back(TAG_PADDING, PaddingMode::PKCS7);
3618 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
3619 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3620 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3621 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
3622}
3623
3624struct TripleDesTestVector {
3625 const char* name;
3626 const KeyPurpose purpose;
3627 const BlockMode block_mode;
3628 const PaddingMode padding_mode;
3629 const char* key;
3630 const char* iv;
3631 const char* input;
3632 const char* output;
3633};
3634
3635// These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all
3636// of the NIST vectors are multiples of the block size.
3637static const TripleDesTestVector kTripleDesTestVectors[] = {
3638 {
3639 "TECBMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
3640 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
3641 "", // IV
3642 "329d86bdf1bc5af4", // input
3643 "d946c2756d78633f", // output
3644 },
3645 {
3646 "TECBMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::ECB, PaddingMode::NONE,
3647 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
3648 "", // IV
3649 "6b1540781b01ce1997adae102dbf3c5b", // input
3650 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
3651 },
3652 {
3653 "TECBMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
3654 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
3655 "", // IV
3656 "6daad94ce08acfe7", // input
3657 "660e7d32dcc90e79", // output
3658 },
3659 {
3660 "TECBMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::ECB, PaddingMode::NONE,
3661 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
3662 "", // IV
3663 "e9653a0a1f05d31b9acd12d73aa9879d", // input
3664 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
3665 },
3666 {
3667 "TCBCMMT3 Encrypt 0", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
3668 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
3669 "43f791134c5647ba", // IV
3670 "dcc153cef81d6f24", // input
3671 "92538bd8af18d3ba", // output
3672 },
3673 {
3674 "TCBCMMT3 Encrypt 1", KeyPurpose::ENCRYPT, BlockMode::CBC, PaddingMode::NONE,
3675 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3676 "c2e999cb6249023c", // IV
3677 "c689aee38a301bb316da75db36f110b5", // input
3678 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
3679 },
3680 {
3681 "TCBCMMT3 Encrypt 1 PKCS7 variant", KeyPurpose::ENCRYPT, BlockMode::CBC,
3682 PaddingMode::PKCS7,
3683 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3684 "c2e999cb6249023c", // IV
3685 "c689aee38a301bb316da75db36f110b500", // input
3686 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
3687 },
3688 {
3689 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KeyPurpose::DECRYPT, BlockMode::CBC,
3690 PaddingMode::PKCS7,
3691 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3692 "c2e999cb6249023c", // IV
3693 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
3694 "c689aee38a301bb316da75db36f110b500", // output
3695 },
3696 {
3697 "TCBCMMT3 Decrypt 0", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
3698 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
3699 "41746c7e442d3681", // IV
3700 "c53a7b0ec40600fe", // input
3701 "d4f00eb455de1034", // output
3702 },
3703 {
3704 "TCBCMMT3 Decrypt 1", KeyPurpose::DECRYPT, BlockMode::CBC, PaddingMode::NONE,
3705 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
3706 "3982bc02c3727d45", // IV
3707 "6006f10adef52991fcc777a1238bbb65", // input
3708 "edae09288e9e3bc05746d872b48e3b29", // output
3709 },
3710};
3711
3712/*
3713 * EncryptionOperationsTest.TripleDesTestVector
3714 *
3715 * Verifies that NIST (plus a few extra) test vectors produce the correct results.
3716 */
3717TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
3718 constexpr size_t num_tests = sizeof(kTripleDesTestVectors) / sizeof(TripleDesTestVector);
3719 for (auto* test = kTripleDesTestVectors; test < kTripleDesTestVectors + num_tests; ++test) {
3720 SCOPED_TRACE(test->name);
3721 CheckTripleDesTestVector(test->purpose, test->block_mode, test->padding_mode,
3722 hex2str(test->key), hex2str(test->iv), hex2str(test->input),
3723 hex2str(test->output));
3724 }
3725}
3726
3727/*
3728 * EncryptionOperationsTest.TripleDesCbcRoundTripSuccess
3729 *
3730 * Validates CBC mode functionality.
3731 */
3732TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
3733 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3734 .TripleDesEncryptionKey(168)
3735 .BlockMode(BlockMode::CBC)
3736 .Authorization(TAG_NO_AUTH_REQUIRED)
3737 .Padding(PaddingMode::NONE)));
3738
3739 ASSERT_GT(key_blob_.size(), 0U);
3740
3741 // Two-block message.
3742 string message = "1234567890123456";
3743 vector<uint8_t> iv1;
3744 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv1);
3745 EXPECT_EQ(message.size(), ciphertext1.size());
3746
3747 vector<uint8_t> iv2;
3748 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv2);
3749 EXPECT_EQ(message.size(), ciphertext2.size());
3750
3751 // IVs should be random, so ciphertexts should differ.
3752 EXPECT_NE(iv1, iv2);
3753 EXPECT_NE(ciphertext1, ciphertext2);
3754
3755 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv1);
3756 EXPECT_EQ(message, plaintext);
3757}
3758
3759/*
3760 * EncryptionOperationsTest.TripleDesCallerIv
3761 *
3762 * Validates that 3DES keys can allow caller-specified IVs, and use them correctly.
3763 */
3764TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
3765 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3766 .TripleDesEncryptionKey(168)
3767 .BlockMode(BlockMode::CBC)
3768 .Authorization(TAG_NO_AUTH_REQUIRED)
3769 .Authorization(TAG_CALLER_NONCE)
3770 .Padding(PaddingMode::NONE)));
3771 string message = "1234567890123456";
3772 vector<uint8_t> iv;
3773 // Don't specify IV, should get a random one.
3774 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
3775 EXPECT_EQ(message.size(), ciphertext1.size());
3776 EXPECT_EQ(8U, iv.size());
3777
3778 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
3779 EXPECT_EQ(message, plaintext);
3780
3781 // Now specify an IV, should also work.
3782 iv = AidlBuf("abcdefgh");
3783 string ciphertext2 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, iv);
3784
3785 // Decrypt with correct IV.
3786 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, iv);
3787 EXPECT_EQ(message, plaintext);
3788
3789 // Now try with wrong IV.
3790 plaintext = DecryptMessage(ciphertext2, BlockMode::CBC, PaddingMode::NONE, AidlBuf("aaaaaaaa"));
3791 EXPECT_NE(message, plaintext);
3792}
3793
3794/*
3795 * EncryptionOperationsTest, TripleDesCallerNonceProhibited.
3796 *
3797 * Verifies that 3DES keys without TAG_CALLER_NONCE do not allow caller-specified IVS.
3798 */
3799TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
3800 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3801 .TripleDesEncryptionKey(168)
3802 .BlockMode(BlockMode::CBC)
3803 .Authorization(TAG_NO_AUTH_REQUIRED)
3804 .Padding(PaddingMode::NONE)));
3805
3806 string message = "12345678901234567890123456789012";
3807 vector<uint8_t> iv;
3808 // Don't specify nonce, should get a random one.
3809 string ciphertext1 = EncryptMessage(message, BlockMode::CBC, PaddingMode::NONE, &iv);
3810 EXPECT_EQ(message.size(), ciphertext1.size());
3811 EXPECT_EQ(8U, iv.size());
3812
3813 string plaintext = DecryptMessage(ciphertext1, BlockMode::CBC, PaddingMode::NONE, iv);
3814 EXPECT_EQ(message, plaintext);
3815
3816 // Now specify a nonce, should fail.
3817 auto input_params = AuthorizationSetBuilder()
3818 .Authorization(TAG_NONCE, AidlBuf("abcdefgh"))
3819 .BlockMode(BlockMode::CBC)
3820 .Padding(PaddingMode::NONE);
3821 AuthorizationSet output_params;
3822 EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED,
3823 Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
3824}
3825
3826/*
3827 * EncryptionOperationsTest.TripleDesCbcNotAuthorized
3828 *
3829 * Verifies that 3DES ECB-only keys do not allow CBC usage.
3830 */
3831TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
3832 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3833 .TripleDesEncryptionKey(168)
3834 .BlockMode(BlockMode::ECB)
3835 .Authorization(TAG_NO_AUTH_REQUIRED)
3836 .Padding(PaddingMode::NONE)));
3837 // Two-block message.
3838 string message = "1234567890123456";
3839 auto begin_params =
3840 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3841 EXPECT_EQ(ErrorCode::INCOMPATIBLE_BLOCK_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
3842}
3843
3844/*
3845 * EncryptionOperationsTest.TripleDesCbcNoPaddingWrongInputSize
3846 *
3847 * Verifies that unpadded CBC operations reject inputs that are not a multiple of block size.
3848 */
3849TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingWrongInputSize) {
3850 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3851 .TripleDesEncryptionKey(168)
3852 .BlockMode(BlockMode::CBC)
3853 .Authorization(TAG_NO_AUTH_REQUIRED)
3854 .Padding(PaddingMode::NONE)));
3855 // Message is slightly shorter than two blocks.
3856 string message = "123456789012345";
3857
3858 auto begin_params =
3859 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3860 AuthorizationSet output_params;
3861 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &output_params));
3862 string ciphertext;
3863 EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, "", &ciphertext));
3864}
3865
3866/*
3867 * EncryptionOperationsTest, TripleDesCbcPkcs7Padding.
3868 *
3869 * Verifies that PKCS7 padding works correctly in CBC mode.
3870 */
3871TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
3872 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3873 .TripleDesEncryptionKey(168)
3874 .BlockMode(BlockMode::CBC)
3875 .Authorization(TAG_NO_AUTH_REQUIRED)
3876 .Padding(PaddingMode::PKCS7)));
3877
3878 // Try various message lengths; all should work.
3879 for (size_t i = 0; i < 32; ++i) {
3880 string message(i, 'a');
3881 vector<uint8_t> iv;
3882 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
3883 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3884 string plaintext = DecryptMessage(ciphertext, BlockMode::CBC, PaddingMode::PKCS7, iv);
3885 EXPECT_EQ(message, plaintext);
3886 }
3887}
3888
3889/*
3890 * EncryptionOperationsTest.TripleDesCbcNoPaddingKeyWithPkcs7Padding
3891 *
3892 * Verifies that a key that requires PKCS7 padding cannot be used in unpadded mode.
3893 */
3894TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
3895 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3896 .TripleDesEncryptionKey(168)
3897 .BlockMode(BlockMode::CBC)
3898 .Authorization(TAG_NO_AUTH_REQUIRED)
3899 .Padding(PaddingMode::NONE)));
3900
3901 // Try various message lengths; all should fail.
3902 for (size_t i = 0; i < 32; ++i) {
3903 auto begin_params =
3904 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::PKCS7);
3905 EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, begin_params));
3906 }
3907}
3908
3909/*
3910 * EncryptionOperationsTest.TripleDesCbcPkcs7PaddingCorrupted
3911 *
3912 * Verifies that corrupted PKCS7 padding is rejected during decryption.
3913 */
3914TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
3915 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3916 .TripleDesEncryptionKey(168)
3917 .BlockMode(BlockMode::CBC)
3918 .Authorization(TAG_NO_AUTH_REQUIRED)
3919 .Padding(PaddingMode::PKCS7)));
3920
3921 string message = "a";
3922 vector<uint8_t> iv;
3923 string ciphertext = EncryptMessage(message, BlockMode::CBC, PaddingMode::PKCS7, &iv);
3924 EXPECT_EQ(8U, ciphertext.size());
3925 EXPECT_NE(ciphertext, message);
3926 ++ciphertext[ciphertext.size() / 2];
3927
3928 auto begin_params = AuthorizationSetBuilder()
3929 .BlockMode(BlockMode::CBC)
3930 .Padding(PaddingMode::PKCS7)
3931 .Authorization(TAG_NONCE, iv);
3932 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
3933 string plaintext;
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3934 EXPECT_EQ(ErrorCode::OK, Update(ciphertext, &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3935 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(&plaintext));
3936}
3937
3938/*
3939 * EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding.
3940 *
3941 * Verifies that 3DES CBC works with many different input sizes.
3942 */
3943TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
3944 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3945 .TripleDesEncryptionKey(168)
3946 .BlockMode(BlockMode::CBC)
3947 .Authorization(TAG_NO_AUTH_REQUIRED)
3948 .Padding(PaddingMode::NONE)));
3949
3950 int increment = 7;
3951 string message(240, 'a');
3952 AuthorizationSet input_params =
3953 AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3954 AuthorizationSet output_params;
3955 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, input_params, &output_params));
3956
3957 string ciphertext;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3958 for (size_t i = 0; i < message.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3959 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3960 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
3961 EXPECT_EQ(message.size(), ciphertext.size());
3962
3963 // Move TAG_NONCE into input_params
3964 input_params = output_params;
3965 input_params.push_back(TAG_BLOCK_MODE, BlockMode::CBC);
3966 input_params.push_back(TAG_PADDING, PaddingMode::NONE);
3967 output_params.Clear();
3968
3969 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, input_params, &output_params));
3970 string plaintext;
3971 for (size_t i = 0; i < ciphertext.size(); i += increment)
Shawn Willden92d79c02021-02-19 07:31:55 -0700[diff] [blame]3972 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]3973 EXPECT_EQ(ErrorCode::OK, Finish(&plaintext));
3974 EXPECT_EQ(ciphertext.size(), plaintext.size());
3975 EXPECT_EQ(message, plaintext);
3976}
3977
3978INSTANTIATE_KEYMINT_AIDL_TEST(EncryptionOperationsTest);
3979
3980typedef KeyMintAidlTestBase MaxOperationsTest;
3981
3982/*
3983 * MaxOperationsTest.TestLimitAes
3984 *
3985 * Verifies that the max uses per boot tag works correctly with AES keys.
3986 */
3987TEST_P(MaxOperationsTest, TestLimitAes) {
3988 if (SecLevel() == SecurityLevel::STRONGBOX) return;
3989
3990 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3991 .Authorization(TAG_NO_AUTH_REQUIRED)
3992 .AesEncryptionKey(128)
3993 .EcbMode()
3994 .Padding(PaddingMode::NONE)
3995 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3996
3997 string message = "1234567890123456";
3998
3999 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4000
4001 EncryptMessage(message, params);
4002 EncryptMessage(message, params);
4003 EncryptMessage(message, params);
4004
4005 // Fourth time should fail.
4006 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
4007}
4008
4009/*
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4010 * MaxOperationsTest.TestLimitRsa
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4011 *
4012 * Verifies that the max uses per boot tag works correctly with RSA keys.
4013 */
4014TEST_P(MaxOperationsTest, TestLimitRsa) {
4015 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4016
4017 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4018 .Authorization(TAG_NO_AUTH_REQUIRED)
4019 .RsaSigningKey(1024, 65537)
4020 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4021 .Authorization(TAG_MAX_USES_PER_BOOT, 3)
4022 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4023
4024 string message = "1234567890123456";
4025
4026 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4027
4028 SignMessage(message, params);
4029 SignMessage(message, params);
4030 SignMessage(message, params);
4031
4032 // Fourth time should fail.
4033 EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
4034}
4035
4036INSTANTIATE_KEYMINT_AIDL_TEST(MaxOperationsTest);
4037
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4038typedef KeyMintAidlTestBase UsageCountLimitTest;
4039
4040/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4041 * UsageCountLimitTest.TestSingleUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4042 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4043 * Verifies that the usage count limit tag = 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4044 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4045TEST_P(UsageCountLimitTest, TestSingleUseAes) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4046 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4047
4048 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4049 .Authorization(TAG_NO_AUTH_REQUIRED)
4050 .AesEncryptionKey(128)
4051 .EcbMode()
4052 .Padding(PaddingMode::NONE)
4053 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)));
4054
4055 // Check the usage count limit tag appears in the authorizations.
4056 AuthorizationSet auths;
4057 for (auto& entry : key_characteristics_) {
4058 auths.push_back(AuthorizationSet(entry.authorizations));
4059 }
4060 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4061 << "key usage count limit " << 1U << " missing";
4062
4063 string message = "1234567890123456";
4064 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4065
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4066 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4067 AuthorizationSet keystore_auths =
4068 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4069
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4070 // First usage of AES key should work.
4071 EncryptMessage(message, params);
4072
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4073 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
4074 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4075 // must be invalidated from secure storage (such as RPMB partition).
4076 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
4077 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4078 // Usage count limit tag is enforced by keystore, keymint does nothing.
4079 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4080 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
4081 }
4082}
4083
4084/*
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4085 * UsageCountLimitTest.TestLimitedUseAes
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4086 *
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4087 * Verifies that the usage count limit tag > 1 works correctly with AES keys.
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4088 */
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4089TEST_P(UsageCountLimitTest, TestLimitedUseAes) {
4090 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4091
4092 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4093 .Authorization(TAG_NO_AUTH_REQUIRED)
4094 .AesEncryptionKey(128)
4095 .EcbMode()
4096 .Padding(PaddingMode::NONE)
4097 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)));
4098
4099 // Check the usage count limit tag appears in the authorizations.
4100 AuthorizationSet auths;
4101 for (auto& entry : key_characteristics_) {
4102 auths.push_back(AuthorizationSet(entry.authorizations));
4103 }
4104 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
4105 << "key usage count limit " << 3U << " missing";
4106
4107 string message = "1234567890123456";
4108 auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
4109
4110 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4111 AuthorizationSet keystore_auths =
4112 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4113
4114 EncryptMessage(message, params);
4115 EncryptMessage(message, params);
4116 EncryptMessage(message, params);
4117
4118 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
4119 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4120 // must be invalidated from secure storage (such as RPMB partition).
4121 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::ENCRYPT, params));
4122 } else {
4123 // Usage count limit tag is enforced by keystore, keymint does nothing.
4124 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
4125 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
4126 }
4127}
4128
4129/*
4130 * UsageCountLimitTest.TestSingleUseRsa
4131 *
4132 * Verifies that the usage count limit tag = 1 works correctly with RSA keys.
4133 */
4134TEST_P(UsageCountLimitTest, TestSingleUseRsa) {
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4135 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4136
4137 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4138 .Authorization(TAG_NO_AUTH_REQUIRED)
4139 .RsaSigningKey(1024, 65537)
4140 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4141 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
4142 .SetDefaultValidity()));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4143
4144 // Check the usage count limit tag appears in the authorizations.
4145 AuthorizationSet auths;
4146 for (auto& entry : key_characteristics_) {
4147 auths.push_back(AuthorizationSet(entry.authorizations));
4148 }
4149 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4150 << "key usage count limit " << 1U << " missing";
4151
4152 string message = "1234567890123456";
4153 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4154
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4155 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4156 AuthorizationSet keystore_auths =
4157 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4158
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4159 // First usage of RSA key should work.
4160 SignMessage(message, params);
4161
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4162 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U)) {
4163 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4164 // must be invalidated from secure storage (such as RPMB partition).
4165 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4166 } else {
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4167 // Usage count limit tag is enforced by keystore, keymint does nothing.
4168 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U));
4169 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
4170 }
4171}
4172
4173/*
4174 * UsageCountLimitTest.TestLimitUseRsa
4175 *
4176 * Verifies that the usage count limit tag > 1 works correctly with RSA keys.
4177 */
4178TEST_P(UsageCountLimitTest, TestLimitUseRsa) {
4179 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4180
4181 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4182 .Authorization(TAG_NO_AUTH_REQUIRED)
4183 .RsaSigningKey(1024, 65537)
4184 .NoDigestOrPadding()
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4185 .Authorization(TAG_USAGE_COUNT_LIMIT, 3)
4186 .SetDefaultValidity()));
Qi Wubeefae42021-01-28 23:16:37 +0800[diff] [blame]4187
4188 // Check the usage count limit tag appears in the authorizations.
4189 AuthorizationSet auths;
4190 for (auto& entry : key_characteristics_) {
4191 auths.push_back(AuthorizationSet(entry.authorizations));
4192 }
4193 EXPECT_TRUE(auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U))
4194 << "key usage count limit " << 3U << " missing";
4195
4196 string message = "1234567890123456";
4197 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4198
4199 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4200 AuthorizationSet keystore_auths =
4201 SecLevelAuthorizations(key_characteristics_, SecurityLevel::KEYSTORE);
4202
4203 SignMessage(message, params);
4204 SignMessage(message, params);
4205 SignMessage(message, params);
4206
4207 if (hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U)) {
4208 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4209 // must be invalidated from secure storage (such as RPMB partition).
4210 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4211 } else {
4212 // Usage count limit tag is enforced by keystore, keymint does nothing.
4213 EXPECT_TRUE(keystore_auths.Contains(TAG_USAGE_COUNT_LIMIT, 3U));
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4214 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, params));
4215 }
4216}
4217
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4218/*
4219 * UsageCountLimitTest.TestSingleUseKeyAndRollbackResistance
4220 *
4221 * Verifies that when rollback resistance is supported by the KeyMint implementation with
4222 * the secure hardware, the single use key with usage count limit tag = 1 must also be enforced
4223 * in hardware.
4224 */
4225TEST_P(UsageCountLimitTest, TestSingleUseKeyAndRollbackResistance) {
4226 if (SecLevel() == SecurityLevel::STRONGBOX) return;
4227
4228 auto error = GenerateKey(AuthorizationSetBuilder()
4229 .RsaSigningKey(2048, 65537)
4230 .Digest(Digest::NONE)
4231 .Padding(PaddingMode::NONE)
4232 .Authorization(TAG_NO_AUTH_REQUIRED)
4233 .Authorization(TAG_ROLLBACK_RESISTANCE)
4234 .SetDefaultValidity());
4235 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4236
4237 if (error == ErrorCode::OK) {
4238 // Rollback resistance is supported by KeyMint, verify it is enforced in hardware.
4239 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
4240 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4241 ASSERT_EQ(ErrorCode::OK, DeleteKey());
4242
4243 // The KeyMint should also enforce single use key in hardware when it supports rollback
4244 // resistance.
4245 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4246 .Authorization(TAG_NO_AUTH_REQUIRED)
4247 .RsaSigningKey(1024, 65537)
4248 .NoDigestOrPadding()
4249 .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
4250 .SetDefaultValidity()));
4251
4252 // Check the usage count limit tag appears in the hardware authorizations.
4253 AuthorizationSet hardware_auths = HwEnforcedAuthorizations(key_characteristics_);
4254 EXPECT_TRUE(hardware_auths.Contains(TAG_USAGE_COUNT_LIMIT, 1U))
4255 << "key usage count limit " << 1U << " missing";
4256
4257 string message = "1234567890123456";
4258 auto params = AuthorizationSetBuilder().NoDigestOrPadding();
4259
4260 // First usage of RSA key should work.
4261 SignMessage(message, params);
4262
4263 // Usage count limit tag is enforced by hardware. After using the key, the key blob
4264 // must be invalidated from secure storage (such as RPMB partition).
4265 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, Begin(KeyPurpose::SIGN, params));
4266 }
4267}
4268
Qi Wud22ec842020-11-26 13:27:53 +0800[diff] [blame]4269INSTANTIATE_KEYMINT_AIDL_TEST(UsageCountLimitTest);
4270
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4271typedef KeyMintAidlTestBase AddEntropyTest;
4272
4273/*
4274 * AddEntropyTest.AddEntropy
4275 *
4276 * Verifies that the addRngEntropy method doesn't blow up. There's no way to test that entropy
4277 * is actually added.
4278 */
4279TEST_P(AddEntropyTest, AddEntropy) {
4280 string data = "foo";
4281 EXPECT_TRUE(keyMint().addRngEntropy(vector<uint8_t>(data.begin(), data.end())).isOk());
4282}
4283
4284/*
4285 * AddEntropyTest.AddEmptyEntropy
4286 *
4287 * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
4288 */
4289TEST_P(AddEntropyTest, AddEmptyEntropy) {
4290 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf()).isOk());
4291}
4292
4293/*
4294 * AddEntropyTest.AddLargeEntropy
4295 *
4296 * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
4297 */
4298TEST_P(AddEntropyTest, AddLargeEntropy) {
4299 EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
4300}
4301
4302INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);
4303
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4304typedef KeyMintAidlTestBase KeyDeletionTest;
4305
4306/**
4307 * KeyDeletionTest.DeleteKey
4308 *
4309 * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
4310 * valid key blob.
4311 */
4312TEST_P(KeyDeletionTest, DeleteKey) {
4313 auto error = GenerateKey(AuthorizationSetBuilder()
4314 .RsaSigningKey(2048, 65537)
4315 .Digest(Digest::NONE)
4316 .Padding(PaddingMode::NONE)
4317 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4318 .Authorization(TAG_ROLLBACK_RESISTANCE)
4319 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4320 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4321
4322 // Delete must work if rollback protection is implemented
4323 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4324 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4325 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4326
4327 ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
4328
4329 string message = "12345678901234567890123456789012";
4330 AuthorizationSet begin_out_params;
4331 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
4332 Begin(KeyPurpose::SIGN, key_blob_,
4333 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
4334 &begin_out_params));
4335 AbortIfNeeded();
4336 key_blob_ = AidlBuf();
4337 }
4338}
4339
4340/**
4341 * KeyDeletionTest.DeleteInvalidKey
4342 *
4343 * This test checks that the HAL excepts invalid key blobs..
4344 */
4345TEST_P(KeyDeletionTest, DeleteInvalidKey) {
4346 // Generate key just to check if rollback protection is implemented
4347 auto error = GenerateKey(AuthorizationSetBuilder()
4348 .RsaSigningKey(2048, 65537)
4349 .Digest(Digest::NONE)
4350 .Padding(PaddingMode::NONE)
4351 .Authorization(TAG_NO_AUTH_REQUIRED)
Qi Wu8e727f72021-02-11 02:49:33 +0800[diff] [blame]4352 .Authorization(TAG_ROLLBACK_RESISTANCE)
4353 .SetDefaultValidity());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4354 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4355
4356 // Delete must work if rollback protection is implemented
4357 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4358 AuthorizationSet enforced(SecLevelAuthorizations());
4359 ASSERT_TRUE(enforced.Contains(TAG_ROLLBACK_RESISTANCE));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4360
4361 // Delete the key we don't care about the result at this point.
4362 DeleteKey();
4363
4364 // Now create an invalid key blob and delete it.
4365 key_blob_ = AidlBuf("just some garbage data which is not a valid key blob");
4366
4367 ASSERT_EQ(ErrorCode::OK, DeleteKey());
4368 }
4369}
4370
4371/**
4372 * KeyDeletionTest.DeleteAllKeys
4373 *
4374 * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
4375 *
4376 * BEWARE: This test has serious side effects. All user keys will be lost! This includes
4377 * FBE/FDE encryption keys, which means that the device will not even boot until after the
4378 * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
4379 * been provisioned. Use this test only on dedicated testing devices that have no valuable
4380 * credentials stored in Keystore/Keymint.
4381 */
4382TEST_P(KeyDeletionTest, DeleteAllKeys) {
4383 if (!arm_deleteAllKeys) return;
4384 auto error = GenerateKey(AuthorizationSetBuilder()
4385 .RsaSigningKey(2048, 65537)
4386 .Digest(Digest::NONE)
4387 .Padding(PaddingMode::NONE)
4388 .Authorization(TAG_NO_AUTH_REQUIRED)
4389 .Authorization(TAG_ROLLBACK_RESISTANCE));
4390 ASSERT_TRUE(error == ErrorCode::ROLLBACK_RESISTANCE_UNAVAILABLE || error == ErrorCode::OK);
4391
4392 // Delete must work if rollback protection is implemented
4393 if (error == ErrorCode::OK) {
Shawn Willden7f424372021-01-10 18:06:50 -0700[diff] [blame]4394 AuthorizationSet hardwareEnforced(SecLevelAuthorizations());
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4395 ASSERT_TRUE(hardwareEnforced.Contains(TAG_ROLLBACK_RESISTANCE));
4396
4397 ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
4398
4399 string message = "12345678901234567890123456789012";
4400 AuthorizationSet begin_out_params;
4401
4402 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
4403 Begin(KeyPurpose::SIGN, key_blob_,
4404 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE),
4405 &begin_out_params));
4406 AbortIfNeeded();
4407 key_blob_ = AidlBuf();
4408 }
4409}
4410
4411INSTANTIATE_KEYMINT_AIDL_TEST(KeyDeletionTest);
4412
4413using UpgradeKeyTest = KeyMintAidlTestBase;
4414
4415/*
4416 * UpgradeKeyTest.UpgradeKey
4417 *
4418 * Verifies that calling upgrade key on an up-to-date key works (i.e. does nothing).
4419 */
4420TEST_P(UpgradeKeyTest, UpgradeKey) {
4421 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4422 .AesEncryptionKey(128)
4423 .Padding(PaddingMode::NONE)
4424 .Authorization(TAG_NO_AUTH_REQUIRED)));
4425
4426 auto result = UpgradeKey(key_blob_);
4427
4428 // Key doesn't need upgrading. Should get okay, but no new key blob.
4429 EXPECT_EQ(result, std::make_pair(ErrorCode::OK, vector<uint8_t>()));
4430}
4431
4432INSTANTIATE_KEYMINT_AIDL_TEST(UpgradeKeyTest);
4433
4434using ClearOperationsTest = KeyMintAidlTestBase;
4435
4436/*
4437 * ClearSlotsTest.TooManyOperations
4438 *
4439 * Verifies that TOO_MANY_OPERATIONS is returned after the max number of
4440 * operations are started without being finished or aborted. Also verifies
4441 * that aborting the operations clears the operations.
4442 *
4443 */
4444TEST_P(ClearOperationsTest, TooManyOperations) {
4445 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4446 .Authorization(TAG_NO_AUTH_REQUIRED)
4447 .RsaEncryptionKey(2048, 65537)
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4448 .Padding(PaddingMode::NONE)
4449 .SetDefaultValidity()));
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4450
4451 auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
4452 constexpr size_t max_operations = 100; // set to arbituary large number
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]4453 std::shared_ptr<IKeyMintOperation> op_handles[max_operations];
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4454 AuthorizationSet out_params;
4455 ErrorCode result;
4456 size_t i;
4457
4458 for (i = 0; i < max_operations; i++) {
4459 result = Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params, op_handles[i]);
4460 if (ErrorCode::OK != result) {
4461 break;
4462 }
4463 }
4464 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS, result);
4465 // Try again just in case there's a weird overflow bug
4466 EXPECT_EQ(ErrorCode::TOO_MANY_OPERATIONS,
4467 Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
4468 for (size_t j = 0; j < i; j++) {
4469 EXPECT_EQ(ErrorCode::OK, Abort(op_handles[j]))
4470 << "Aboort failed for i = " << j << std::endl;
4471 }
4472 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, key_blob_, params, &out_params));
4473 AbortIfNeeded();
4474}
4475
4476INSTANTIATE_KEYMINT_AIDL_TEST(ClearOperationsTest);
4477
4478typedef KeyMintAidlTestBase TransportLimitTest;
4479
4480/*
4481 * TransportLimitTest.FinishInput
4482 *
4483 * Verifies that passing input data to finish succeeds as expected.
4484 */
4485TEST_P(TransportLimitTest, LargeFinishInput) {
4486 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4487 .Authorization(TAG_NO_AUTH_REQUIRED)
4488 .AesEncryptionKey(128)
4489 .BlockMode(BlockMode::ECB)
4490 .Padding(PaddingMode::NONE)));
4491
4492 for (int msg_size = 8 /* 256 bytes */; msg_size <= 11 /* 2 KiB */; msg_size++) {
4493 auto cipher_params =
4494 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
4495
4496 AuthorizationSet out_params;
4497 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, cipher_params, &out_params));
4498
4499 string plain_message = std::string(1 << msg_size, 'x');
4500 string encrypted_message;
4501 auto rc = Finish(plain_message, &encrypted_message);
4502
4503 EXPECT_EQ(ErrorCode::OK, rc);
4504 EXPECT_EQ(plain_message.size(), encrypted_message.size())
4505 << "Encrypt finish returned OK, but did not consume all of the given input";
4506 cipher_params.push_back(out_params);
4507
4508 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, cipher_params));
4509
4510 string decrypted_message;
4511 rc = Finish(encrypted_message, &decrypted_message);
4512 EXPECT_EQ(ErrorCode::OK, rc);
4513 EXPECT_EQ(plain_message.size(), decrypted_message.size())
4514 << "Decrypt finish returned OK, did not consume all of the given input";
4515 }
4516}
4517
4518INSTANTIATE_KEYMINT_AIDL_TEST(TransportLimitTest);
4519
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]4520typedef KeyMintAidlTestBase KeyAgreementTest;
4521
4522int CurveToOpenSslCurveName(EcCurve curve) {
4523 switch (curve) {
4524 case EcCurve::P_224:
4525 return NID_secp224r1;
4526 case EcCurve::P_256:
4527 return NID_X9_62_prime256v1;
4528 case EcCurve::P_384:
4529 return NID_secp384r1;
4530 case EcCurve::P_521:
4531 return NID_secp521r1;
4532 }
4533}
4534
4535/*
4536 * KeyAgreementTest.Ecdh
4537 *
4538 * Verifies that ECDH works for all curves
4539 */
4540TEST_P(KeyAgreementTest, Ecdh) {
4541 // Because it's possible to use this API with keys on different curves, we
4542 // check all N^2 combinations where N is the number of supported
4543 // curves.
4544 //
4545 // This is not a big deal as N is 4 so we only do 16 runs. If we end up with a
4546 // lot more curves we can be smart about things and just pick |otherCurve| so
4547 // it's not |curve| and that way we end up with only 2*N runs
4548 //
4549 for (auto curve : ValidCurves()) {
4550 for (auto localCurve : ValidCurves()) {
4551 // Generate EC key locally (with access to private key material)
4552 auto ecKey = EC_KEY_Ptr(EC_KEY_new());
4553 int curveName = CurveToOpenSslCurveName(localCurve);
4554 auto group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(curveName));
4555 ASSERT_NE(group, nullptr);
4556 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
4557 ASSERT_EQ(EC_KEY_generate_key(ecKey.get()), 1);
4558 auto pkey = EVP_PKEY_Ptr(EVP_PKEY_new());
4559 ASSERT_EQ(EVP_PKEY_set1_EC_KEY(pkey.get(), ecKey.get()), 1);
4560
4561 // Get encoded form of the public part of the locally generated key...
4562 unsigned char* p = nullptr;
4563 int encodedPublicKeySize = i2d_PUBKEY(pkey.get(), &p);
4564 ASSERT_GT(encodedPublicKeySize, 0);
4565 vector<uint8_t> encodedPublicKey(
4566 reinterpret_cast<const uint8_t*>(p),
4567 reinterpret_cast<const uint8_t*>(p + encodedPublicKeySize));
4568 OPENSSL_free(p);
4569
4570 // Generate EC key in KeyMint (only access to public key material)
4571 vector<uint8_t> challenge = {0x41, 0x42};
4572 EXPECT_EQ(
4573 ErrorCode::OK,
4574 GenerateKey(AuthorizationSetBuilder()
4575 .Authorization(TAG_NO_AUTH_REQUIRED)
4576 .Authorization(TAG_EC_CURVE, curve)
4577 .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
4578 .Authorization(TAG_ALGORITHM, Algorithm::EC)
4579 .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
Janis Danisevskis164bb872021-02-09 11:30:25 -0800[diff] [blame]4580 .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
4581 .SetDefaultValidity()))
David Zeuthene0c40892021-01-08 12:54:11 -0500[diff] [blame]4582 << "Failed to generate key";
4583 ASSERT_GT(cert_chain_.size(), 0);
4584 X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
4585 ASSERT_NE(kmKeyCert, nullptr);
4586 // Check that keyAgreement (bit 4) is set in KeyUsage
4587 EXPECT_TRUE((X509_get_key_usage(kmKeyCert.get()) & X509v3_KU_KEY_AGREEMENT) != 0);
4588 auto kmPkey = EVP_PKEY_Ptr(X509_get_pubkey(kmKeyCert.get()));
4589 ASSERT_NE(kmPkey, nullptr);
4590 if (dump_Attestations) {
4591 for (size_t n = 0; n < cert_chain_.size(); n++) {
4592 std::cout << bin2hex(cert_chain_[n].encodedCertificate) << std::endl;
4593 }
4594 }
4595
4596 // Now that we have the two keys, we ask KeyMint to perform ECDH...
4597 if (curve != localCurve) {
4598 // If the keys are using different curves KeyMint should fail with
4599 // ErrorCode:INVALID_ARGUMENT. Check that.
4600 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
4601 string ZabFromKeyMintStr;
4602 EXPECT_EQ(ErrorCode::INVALID_ARGUMENT,
4603 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
4604 &ZabFromKeyMintStr));
4605
4606 } else {
4607 // Otherwise if the keys are using the same curve, it should work.
4608 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::AGREE_KEY, AuthorizationSetBuilder()));
4609 string ZabFromKeyMintStr;
4610 EXPECT_EQ(ErrorCode::OK,
4611 Finish(string(encodedPublicKey.begin(), encodedPublicKey.end()),
4612 &ZabFromKeyMintStr));
4613 vector<uint8_t> ZabFromKeyMint(ZabFromKeyMintStr.begin(), ZabFromKeyMintStr.end());
4614
4615 // Perform local ECDH between the two keys so we can check if we get the same Zab..
4616 auto ctx = EVP_PKEY_CTX_Ptr(EVP_PKEY_CTX_new(pkey.get(), nullptr));
4617 ASSERT_NE(ctx, nullptr);
4618 ASSERT_EQ(EVP_PKEY_derive_init(ctx.get()), 1);
4619 ASSERT_EQ(EVP_PKEY_derive_set_peer(ctx.get(), kmPkey.get()), 1);
4620 size_t ZabFromTestLen = 0;
4621 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), nullptr, &ZabFromTestLen), 1);
4622 vector<uint8_t> ZabFromTest;
4623 ZabFromTest.resize(ZabFromTestLen);
4624 ASSERT_EQ(EVP_PKEY_derive(ctx.get(), ZabFromTest.data(), &ZabFromTestLen), 1);
4625
4626 EXPECT_EQ(ZabFromKeyMint, ZabFromTest);
4627 }
4628
4629 CheckedDeleteKey();
4630 }
4631 }
4632}
4633
4634INSTANTIATE_KEYMINT_AIDL_TEST(KeyAgreementTest);
4635
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame^]4636using EarlyBootKeyTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4637
4638TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
4639 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4640 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
4641
4642 CheckedDeleteKey(&aesKeyData.blob);
4643 CheckedDeleteKey(&hmacKeyData.blob);
4644 CheckedDeleteKey(&rsaKeyData.blob);
4645 CheckedDeleteKey(&ecdsaKeyData.blob);
4646}
4647
4648// This is a more comprenhensive test, but it can only be run on a machine which is still in early
4649// boot stage, which no proper Android device is by the time we can run VTS. To use this,
4650// un-disable it and modify vold to remove the call to earlyBootEnded(). Running the test will end
4651// early boot, so you'll have to reboot between runs.
4652TEST_P(EarlyBootKeyTest, DISABLED_FullTest) {
4653 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4654 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
4655 // TAG_EARLY_BOOT_ONLY should be in hw-enforced.
4656 EXPECT_TRUE(HwEnforcedAuthorizations(aesKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4657 EXPECT_TRUE(
4658 HwEnforcedAuthorizations(hmacKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4659 EXPECT_TRUE(HwEnforcedAuthorizations(rsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4660 EXPECT_TRUE(
4661 HwEnforcedAuthorizations(ecdsaKeyData.characteristics).Contains(TAG_EARLY_BOOT_ONLY));
4662
4663 // Should be able to use keys, since early boot has not ended
4664 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
4665 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
4666 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
4667 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
4668
4669 // End early boot
4670 ErrorCode earlyBootResult = GetReturnErrorCode(keyMint().earlyBootEnded());
4671 EXPECT_EQ(earlyBootResult, ErrorCode::OK);
4672
4673 // Should not be able to use already-created keys.
4674 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseAesKey(aesKeyData.blob));
4675 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseHmacKey(hmacKeyData.blob));
4676 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseRsaKey(rsaKeyData.blob));
4677 EXPECT_EQ(ErrorCode::EARLY_BOOT_ENDED, UseEcdsaKey(ecdsaKeyData.blob));
4678
4679 CheckedDeleteKey(&aesKeyData.blob);
4680 CheckedDeleteKey(&hmacKeyData.blob);
4681 CheckedDeleteKey(&rsaKeyData.blob);
4682 CheckedDeleteKey(&ecdsaKeyData.blob);
4683
4684 // Should not be able to create new keys
4685 std::tie(aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData) =
4686 CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::EARLY_BOOT_ENDED);
4687
4688 CheckedDeleteKey(&aesKeyData.blob);
4689 CheckedDeleteKey(&hmacKeyData.blob);
4690 CheckedDeleteKey(&rsaKeyData.blob);
4691 CheckedDeleteKey(&ecdsaKeyData.blob);
4692}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame^]4693
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4694INSTANTIATE_KEYMINT_AIDL_TEST(EarlyBootKeyTest);
4695
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame^]4696using UnlockedDeviceRequiredTest = KeyMintAidlTestBase;
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4697
4698// This may be a problematic test. It can't be run repeatedly without unlocking the device in
4699// between runs... and on most test devices there are no enrolled credentials so it can't be
4700// unlocked at all, meaning the only way to get the test to pass again on a properly-functioning
4701// device is to reboot it. For that reason, this is disabled by default. It can be used as part of
4702// a manual test process, which includes unlocking between runs, which is why it's included here.
4703// Well, that and the fact that it's the only test we can do without also making calls into the
4704// Gatekeeper HAL. We haven't written any cross-HAL tests, and don't know what all of the
4705// implications might be, so that may or may not be a solution.
4706TEST_P(UnlockedDeviceRequiredTest, DISABLED_KeysBecomeUnusable) {
4707 auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
4708 CreateTestKeys(TAG_UNLOCKED_DEVICE_REQUIRED, ErrorCode::OK);
4709
4710 EXPECT_EQ(ErrorCode::OK, UseAesKey(aesKeyData.blob));
4711 EXPECT_EQ(ErrorCode::OK, UseHmacKey(hmacKeyData.blob));
4712 EXPECT_EQ(ErrorCode::OK, UseRsaKey(rsaKeyData.blob));
4713 EXPECT_EQ(ErrorCode::OK, UseEcdsaKey(ecdsaKeyData.blob));
4714
4715 ErrorCode rc = GetReturnErrorCode(
4716 keyMint().deviceLocked(false /* passwordOnly */, {} /* verificationToken */));
4717 ASSERT_EQ(ErrorCode::OK, rc);
4718 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseAesKey(aesKeyData.blob));
4719 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseHmacKey(hmacKeyData.blob));
4720 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseRsaKey(rsaKeyData.blob));
4721 EXPECT_EQ(ErrorCode::DEVICE_LOCKED, UseEcdsaKey(ecdsaKeyData.blob));
4722
4723 CheckedDeleteKey(&aesKeyData.blob);
4724 CheckedDeleteKey(&hmacKeyData.blob);
4725 CheckedDeleteKey(&rsaKeyData.blob);
4726 CheckedDeleteKey(&ecdsaKeyData.blob);
4727}
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame^]4728
Chirag Pathak9ea6a0a2021-02-01 23:54:27 +0000[diff] [blame]4729INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
4730
Shawn Willdend659c7c2021-02-19 14:51:51 -0700[diff] [blame^]4731using PerformOperationTest = KeyMintAidlTestBase;
4732
4733TEST_P(PerformOperationTest, RequireUnimplemented) {
4734 vector<uint8_t> response;
4735 auto result = keymint_->performOperation({} /* request */, &response);
4736 ASSERT_EQ(GetReturnErrorCode(result), ErrorCode::UNIMPLEMENTED);
4737}
4738
4739INSTANTIATE_KEYMINT_AIDL_TEST(PerformOperationTest);
4740
Janis Danisevskis24c04702020-12-16 18:28:39 -0800[diff] [blame]4741} // namespace aidl::android::hardware::security::keymint::test
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4742
4743int main(int argc, char** argv) {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4744 std::cout << "Testing ";
4745 auto halInstances =
4746 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::build_params();
4747 std::cout << "HAL instances:\n";
4748 for (auto& entry : halInstances) {
4749 std::cout << " " << entry << '\n';
4750 }
4751
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4752 ::testing::InitGoogleTest(&argc, argv);
4753 for (int i = 1; i < argc; ++i) {
4754 if (argv[i][0] == '-') {
4755 if (std::string(argv[i]) == "--arm_deleteAllKeys") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4756 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
4757 arm_deleteAllKeys = true;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4758 }
4759 if (std::string(argv[i]) == "--dump_attestations") {
Shawn Willden7c130392020-12-21 09:58:22 -0700[diff] [blame]4760 aidl::android::hardware::security::keymint::test::KeyMintAidlTestBase::
4761 dump_Attestations = true;
4762 } else {
4763 std::cout << "NOT dumping attestations" << std::endl;
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4764 }
4765 }
4766 }
Shawn Willden08a7e432020-12-11 13:05:27 +0000[diff] [blame]4767 return RUN_ALL_TESTS();
Selene Huang31ab4042020-04-29 04:22:39 -0700[diff] [blame]4768}