1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "KeymasterHidlTest.h" 18 19 #include <chrono> 20 #include <vector> 21 22 #include <android-base/logging.h> 23 #include <android/hidl/manager/1.0/IServiceManager.h> 24 25 #include <keymasterV4_0/key_param_output.h> 26 27 namespace android { 28 namespace hardware { 29 namespace keymaster { 30 namespace V4_0 { 31 32 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) { 33 if (set.size() == 0) 34 os << "(Empty)" << ::std::endl; 35 else { 36 os << "\n"; 37 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl; 38 } 39 return os; 40 } 41 42 namespace test { 43 44 sp<IKeymasterDevice> KeymasterHidlTest::keymaster_; 45 std::vector<sp<IKeymasterDevice>> KeymasterHidlTest::all_keymasters_; 46 uint32_t KeymasterHidlTest::os_version_; 47 uint32_t KeymasterHidlTest::os_patch_level_; 48 SecurityLevel KeymasterHidlTest::securityLevel_; 49 hidl_string KeymasterHidlTest::name_; 50 hidl_string KeymasterHidlTest::author_; 51 52 void KeymasterHidlTest::SetUpTestCase() { 53 string service_name = KeymasterHidlEnvironment::Instance()->getServiceName<IKeymasterDevice>(); 54 keymaster_ = ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(service_name); 55 ASSERT_NE(keymaster_, nullptr); 56 57 ASSERT_TRUE(keymaster_ 58 ->getHardwareInfo([&](SecurityLevel securityLevel, const hidl_string& name, 59 const hidl_string& author) { 60 securityLevel_ = securityLevel; 61 name_ = name; 62 author_ = author; 63 }) 64 .isOk()); 65 66 os_version_ = ::keymaster::GetOsVersion(); 67 os_patch_level_ = ::keymaster::GetOsPatchlevel(); 68 69 auto service_manager = android::hidl::manager::V1_0::IServiceManager::getService(); 70 ASSERT_NE(nullptr, service_manager.get()); 71 72 all_keymasters_.push_back(keymaster_); 73 service_manager->listByInterface( 74 IKeymasterDevice::descriptor, [&](const hidl_vec<hidl_string>& names) { 75 for (auto& name : names) { 76 if (name == service_name) continue; 77 auto keymaster = 78 ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(name); 79 ASSERT_NE(keymaster, nullptr); 80 all_keymasters_.push_back(keymaster); 81 } 82 }); 83 } 84 85 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob, 86 KeyCharacteristics* key_characteristics) { 87 EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug"; 88 EXPECT_EQ(0U, key_blob->size()) << "Key blob not empty before generating key. Test bug."; 89 EXPECT_NE(key_characteristics, nullptr) 90 << "Previous characteristics not deleted before generating key. Test bug."; 91 92 ErrorCode error; 93 EXPECT_TRUE(keymaster_ 94 ->generateKey(key_desc.hidl_data(), 95 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, 96 const KeyCharacteristics& hidl_key_characteristics) { 97 error = hidl_error; 98 *key_blob = hidl_key_blob; 99 *key_characteristics = hidl_key_characteristics; 100 }) 101 .isOk()); 102 // On error, blob & characteristics should be empty. 103 if (error != ErrorCode::OK) { 104 EXPECT_EQ(0U, key_blob->size()); 105 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + 106 key_characteristics->hardwareEnforced.size())); 107 } 108 return error; 109 } 110 111 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc) { 112 return GenerateKey(key_desc, &key_blob_, &key_characteristics_); 113 } 114 115 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, 116 const string& key_material, HidlBuf* key_blob, 117 KeyCharacteristics* key_characteristics) { 118 ErrorCode error; 119 EXPECT_TRUE(keymaster_ 120 ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material), 121 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, 122 const KeyCharacteristics& hidl_key_characteristics) { 123 error = hidl_error; 124 *key_blob = hidl_key_blob; 125 *key_characteristics = hidl_key_characteristics; 126 }) 127 .isOk()); 128 // On error, blob & characteristics should be empty. 129 if (error != ErrorCode::OK) { 130 EXPECT_EQ(0U, key_blob->size()); 131 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + 132 key_characteristics->hardwareEnforced.size())); 133 } 134 return error; 135 } 136 137 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, 138 const string& key_material) { 139 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_); 140 } 141 142 ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key, 143 const AuthorizationSet& wrapping_key_desc, 144 string masking_key, 145 const AuthorizationSet& unwrapping_params) { 146 ErrorCode error; 147 ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key); 148 EXPECT_TRUE(keymaster_ 149 ->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key), 150 unwrapping_params.hidl_data(), 0 /* passwordSid */, 151 0 /* biometricSid */, 152 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, 153 const KeyCharacteristics& hidl_key_characteristics) { 154 error = hidl_error; 155 key_blob_ = hidl_key_blob; 156 key_characteristics_ = hidl_key_characteristics; 157 }) 158 .isOk()); 159 return error; 160 } 161 162 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, const HidlBuf& key_blob, 163 const HidlBuf& client_id, const HidlBuf& app_data, 164 HidlBuf* key_material) { 165 ErrorCode error; 166 EXPECT_TRUE(keymaster_ 167 ->exportKey(format, key_blob, client_id, app_data, 168 [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) { 169 error = hidl_error_code; 170 *key_material = hidl_key_material; 171 }) 172 .isOk()); 173 // On error, blob should be empty. 174 if (error != ErrorCode::OK) { 175 EXPECT_EQ(0U, key_material->size()); 176 } 177 return error; 178 } 179 180 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, HidlBuf* key_material) { 181 HidlBuf client_id, app_data; 182 return ExportKey(format, key_blob_, client_id, app_data, key_material); 183 } 184 185 ErrorCode KeymasterHidlTest::DeleteKey(HidlBuf* key_blob, bool keep_key_blob) { 186 auto rc = keymaster_->deleteKey(*key_blob); 187 if (!keep_key_blob) *key_blob = HidlBuf(); 188 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR; 189 return rc; 190 } 191 192 ErrorCode KeymasterHidlTest::DeleteKey(bool keep_key_blob) { 193 return DeleteKey(&key_blob_, keep_key_blob); 194 } 195 196 ErrorCode KeymasterHidlTest::DeleteAllKeys() { 197 ErrorCode error = keymaster_->deleteAllKeys(); 198 return error; 199 } 200 201 void KeymasterHidlTest::CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob) { 202 auto rc = DeleteKey(key_blob, keep_key_blob); 203 EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED); 204 } 205 206 void KeymasterHidlTest::CheckedDeleteKey() { 207 CheckedDeleteKey(&key_blob_); 208 } 209 210 void KeymasterHidlTest::CheckCreationDateTime( 211 const AuthorizationSet& sw_enforced, 212 std::chrono::time_point<std::chrono::system_clock> creation) { 213 for (int i = 0; i < sw_enforced.size(); i++) { 214 if (sw_enforced[i].tag == TAG_CREATION_DATETIME) { 215 std::chrono::time_point<std::chrono::system_clock> now = 216 std::chrono::system_clock::now(); 217 std::chrono::time_point<std::chrono::system_clock> reported_time{ 218 std::chrono::milliseconds(sw_enforced[i].f.dateTime)}; 219 // The test is flaky for EC keys, so a buffer time of 120 seconds will be added. 220 EXPECT_LE(creation - 120s, reported_time); 221 EXPECT_LE(reported_time, now + 1s); 222 } 223 } 224 } 225 226 void KeymasterHidlTest::CheckGetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id, 227 const HidlBuf& app_data, 228 KeyCharacteristics* key_characteristics) { 229 HidlBuf empty_buf = {}; 230 EXPECT_EQ(ErrorCode::OK, 231 GetCharacteristics(key_blob, client_id, app_data, key_characteristics)); 232 EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0); 233 EXPECT_GT(key_characteristics->softwareEnforced.size(), 0); 234 235 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, 236 GetCharacteristics(key_blob, empty_buf, app_data, key_characteristics)); 237 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); 238 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); 239 240 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, 241 GetCharacteristics(key_blob, client_id, empty_buf, key_characteristics)); 242 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); 243 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); 244 245 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, 246 GetCharacteristics(key_blob, empty_buf, empty_buf, key_characteristics)); 247 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); 248 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); 249 } 250 251 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id, 252 const HidlBuf& app_data, 253 KeyCharacteristics* key_characteristics) { 254 ErrorCode error = ErrorCode::UNKNOWN_ERROR; 255 EXPECT_TRUE( 256 keymaster_ 257 ->getKeyCharacteristics( 258 key_blob, client_id, app_data, 259 [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) { 260 error = hidl_error, *key_characteristics = hidl_key_characteristics; 261 }) 262 .isOk()); 263 return error; 264 } 265 266 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, 267 KeyCharacteristics* key_characteristics) { 268 HidlBuf client_id, app_data; 269 return GetCharacteristics(key_blob, client_id, app_data, key_characteristics); 270 } 271 272 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const HidlBuf& key_blob, 273 const AuthorizationSet& in_params, AuthorizationSet* out_params, 274 OperationHandle* op_handle) { 275 SCOPED_TRACE("Begin"); 276 ErrorCode error; 277 OperationHandle saved_handle = *op_handle; 278 EXPECT_TRUE(keymaster_ 279 ->begin(purpose, key_blob, in_params.hidl_data(), HardwareAuthToken(), 280 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, 281 uint64_t hidl_op_handle) { 282 error = hidl_error; 283 *out_params = hidl_out_params; 284 *op_handle = hidl_op_handle; 285 }) 286 .isOk()); 287 if (error != ErrorCode::OK) { 288 // Some implementations may modify *op_handle on error. 289 *op_handle = saved_handle; 290 } 291 return error; 292 } 293 294 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params, 295 AuthorizationSet* out_params) { 296 SCOPED_TRACE("Begin"); 297 EXPECT_EQ(kOpHandleSentinel, op_handle_); 298 return Begin(purpose, key_blob_, in_params, out_params, &op_handle_); 299 } 300 301 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) { 302 SCOPED_TRACE("Begin"); 303 AuthorizationSet out_params; 304 ErrorCode error = Begin(purpose, in_params, &out_params); 305 EXPECT_TRUE(out_params.empty()); 306 return error; 307 } 308 309 ErrorCode KeymasterHidlTest::Update(OperationHandle op_handle, const AuthorizationSet& in_params, 310 const string& input, AuthorizationSet* out_params, 311 string* output, size_t* input_consumed) { 312 SCOPED_TRACE("Update"); 313 ErrorCode error; 314 EXPECT_TRUE(keymaster_ 315 ->update(op_handle, in_params.hidl_data(), HidlBuf(input), HardwareAuthToken(), 316 VerificationToken(), 317 [&](ErrorCode hidl_error, uint32_t hidl_input_consumed, 318 const hidl_vec<KeyParameter>& hidl_out_params, 319 const HidlBuf& hidl_output) { 320 error = hidl_error; 321 out_params->push_back(AuthorizationSet(hidl_out_params)); 322 output->append(hidl_output.to_string()); 323 *input_consumed = hidl_input_consumed; 324 }) 325 .isOk()); 326 return error; 327 } 328 329 ErrorCode KeymasterHidlTest::Update(const string& input, string* out, size_t* input_consumed) { 330 SCOPED_TRACE("Update"); 331 AuthorizationSet out_params; 332 ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params, 333 out, input_consumed); 334 EXPECT_TRUE(out_params.empty()); 335 return error; 336 } 337 338 ErrorCode KeymasterHidlTest::Finish(OperationHandle op_handle, const AuthorizationSet& in_params, 339 const string& input, const string& signature, 340 AuthorizationSet* out_params, string* output) { 341 SCOPED_TRACE("Finish"); 342 ErrorCode error; 343 EXPECT_TRUE( 344 keymaster_ 345 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature), 346 HardwareAuthToken(), VerificationToken(), 347 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, 348 const HidlBuf& hidl_output) { 349 error = hidl_error; 350 *out_params = hidl_out_params; 351 output->append(hidl_output.to_string()); 352 }) 353 .isOk()); 354 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). 355 return error; 356 } 357 358 ErrorCode KeymasterHidlTest::Finish(const string& message, string* output) { 359 SCOPED_TRACE("Finish"); 360 AuthorizationSet out_params; 361 string finish_output; 362 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, 363 "" /* signature */, &out_params, output); 364 if (error != ErrorCode::OK) { 365 return error; 366 } 367 EXPECT_EQ(0U, out_params.size()); 368 return error; 369 } 370 371 ErrorCode KeymasterHidlTest::Finish(const string& message, const string& signature, 372 string* output) { 373 SCOPED_TRACE("Finish"); 374 AuthorizationSet out_params; 375 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature, 376 &out_params, output); 377 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). 378 if (error != ErrorCode::OK) { 379 return error; 380 } 381 EXPECT_EQ(0U, out_params.size()); 382 return error; 383 } 384 385 ErrorCode KeymasterHidlTest::Abort(OperationHandle op_handle) { 386 SCOPED_TRACE("Abort"); 387 auto retval = keymaster_->abort(op_handle); 388 EXPECT_TRUE(retval.isOk()); 389 return retval; 390 } 391 392 void KeymasterHidlTest::AbortIfNeeded() { 393 SCOPED_TRACE("AbortIfNeeded"); 394 if (op_handle_ != kOpHandleSentinel) { 395 EXPECT_EQ(ErrorCode::OK, Abort(op_handle_)); 396 op_handle_ = kOpHandleSentinel; 397 } 398 } 399 400 ErrorCode KeymasterHidlTest::AttestKey(const HidlBuf& key_blob, 401 const AuthorizationSet& attest_params, 402 hidl_vec<hidl_vec<uint8_t>>* cert_chain) { 403 SCOPED_TRACE("AttestKey"); 404 ErrorCode error; 405 auto rc = keymaster_->attestKey( 406 key_blob, attest_params.hidl_data(), 407 [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) { 408 error = hidl_error; 409 *cert_chain = hidl_cert_chain; 410 }); 411 412 EXPECT_TRUE(rc.isOk()) << rc.description(); 413 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR; 414 415 return error; 416 } 417 418 ErrorCode KeymasterHidlTest::AttestKey(const AuthorizationSet& attest_params, 419 hidl_vec<hidl_vec<uint8_t>>* cert_chain) { 420 SCOPED_TRACE("AttestKey"); 421 return AttestKey(key_blob_, attest_params, cert_chain); 422 } 423 424 string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation, 425 const string& message, const AuthorizationSet& in_params, 426 AuthorizationSet* out_params) { 427 SCOPED_TRACE("ProcessMessage"); 428 AuthorizationSet begin_out_params; 429 EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); 430 431 string output; 432 size_t consumed = 0; 433 AuthorizationSet update_params; 434 AuthorizationSet update_out_params; 435 EXPECT_EQ(ErrorCode::OK, 436 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); 437 438 string unused; 439 AuthorizationSet finish_params; 440 AuthorizationSet finish_out_params; 441 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused, 442 &finish_out_params, &output)); 443 op_handle_ = kOpHandleSentinel; 444 445 out_params->push_back(begin_out_params); 446 out_params->push_back(finish_out_params); 447 return output; 448 } 449 450 string KeymasterHidlTest::SignMessage(const HidlBuf& key_blob, const string& message, 451 const AuthorizationSet& params) { 452 SCOPED_TRACE("SignMessage"); 453 AuthorizationSet out_params; 454 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params); 455 EXPECT_TRUE(out_params.empty()); 456 return signature; 457 } 458 459 string KeymasterHidlTest::SignMessage(const string& message, const AuthorizationSet& params) { 460 SCOPED_TRACE("SignMessage"); 461 return SignMessage(key_blob_, message, params); 462 } 463 464 string KeymasterHidlTest::MacMessage(const string& message, Digest digest, size_t mac_length) { 465 SCOPED_TRACE("MacMessage"); 466 return SignMessage( 467 key_blob_, message, 468 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length)); 469 } 470 471 void KeymasterHidlTest::CheckHmacTestVector(const string& key, const string& message, Digest digest, 472 const string& expected_mac) { 473 SCOPED_TRACE("CheckHmacTestVector"); 474 ASSERT_EQ(ErrorCode::OK, 475 ImportKey(AuthorizationSetBuilder() 476 .Authorization(TAG_NO_AUTH_REQUIRED) 477 .HmacKey(key.size() * 8) 478 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8) 479 .Digest(digest), 480 KeyFormat::RAW, key)); 481 string signature = MacMessage(message, digest, expected_mac.size() * 8); 482 EXPECT_EQ(expected_mac, signature) 483 << "Test vector didn't match for key of size " << key.size() << " message of size " 484 << message.size() << " and digest " << digest; 485 CheckedDeleteKey(); 486 } 487 488 void KeymasterHidlTest::CheckAesCtrTestVector(const string& key, const string& nonce, 489 const string& message, 490 const string& expected_ciphertext) { 491 SCOPED_TRACE("CheckAesCtrTestVector"); 492 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 493 .Authorization(TAG_NO_AUTH_REQUIRED) 494 .AesEncryptionKey(key.size() * 8) 495 .BlockMode(BlockMode::CTR) 496 .Authorization(TAG_CALLER_NONCE) 497 .Padding(PaddingMode::NONE), 498 KeyFormat::RAW, key)); 499 500 auto params = AuthorizationSetBuilder() 501 .Authorization(TAG_NONCE, nonce.data(), nonce.size()) 502 .BlockMode(BlockMode::CTR) 503 .Padding(PaddingMode::NONE); 504 AuthorizationSet out_params; 505 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params); 506 EXPECT_EQ(expected_ciphertext, ciphertext); 507 } 508 509 void KeymasterHidlTest::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode, 510 PaddingMode padding_mode, const string& key, 511 const string& iv, const string& input, 512 const string& expected_output) { 513 auto authset = AuthorizationSetBuilder() 514 .TripleDesEncryptionKey(key.size() * 7) 515 .BlockMode(block_mode) 516 .Authorization(TAG_NO_AUTH_REQUIRED) 517 .Padding(padding_mode); 518 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE); 519 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key)); 520 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode); 521 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size()); 522 AuthorizationSet output_params; 523 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params); 524 EXPECT_EQ(expected_output, output); 525 } 526 527 void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& message, 528 const string& signature, const AuthorizationSet& params) { 529 SCOPED_TRACE("VerifyMessage"); 530 AuthorizationSet begin_out_params; 531 ASSERT_EQ(ErrorCode::OK, 532 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); 533 534 string output; 535 AuthorizationSet update_params; 536 AuthorizationSet update_out_params; 537 size_t consumed; 538 ASSERT_EQ(ErrorCode::OK, 539 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); 540 EXPECT_TRUE(output.empty()); 541 EXPECT_GT(consumed, 0U); 542 543 string unused; 544 AuthorizationSet finish_params; 545 AuthorizationSet finish_out_params; 546 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature, 547 &finish_out_params, &output)); 548 op_handle_ = kOpHandleSentinel; 549 EXPECT_TRUE(output.empty()); 550 } 551 552 void KeymasterHidlTest::VerifyMessage(const string& message, const string& signature, 553 const AuthorizationSet& params) { 554 SCOPED_TRACE("VerifyMessage"); 555 VerifyMessage(key_blob_, message, signature, params); 556 } 557 558 string KeymasterHidlTest::EncryptMessage(const HidlBuf& key_blob, const string& message, 559 const AuthorizationSet& in_params, 560 AuthorizationSet* out_params) { 561 SCOPED_TRACE("EncryptMessage"); 562 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params); 563 } 564 565 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params, 566 AuthorizationSet* out_params) { 567 SCOPED_TRACE("EncryptMessage"); 568 return EncryptMessage(key_blob_, message, params, out_params); 569 } 570 571 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params) { 572 SCOPED_TRACE("EncryptMessage"); 573 AuthorizationSet out_params; 574 string ciphertext = EncryptMessage(message, params, &out_params); 575 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params; 576 return ciphertext; 577 } 578 579 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, 580 PaddingMode padding) { 581 SCOPED_TRACE("EncryptMessage"); 582 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding); 583 AuthorizationSet out_params; 584 string ciphertext = EncryptMessage(message, params, &out_params); 585 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params; 586 return ciphertext; 587 } 588 589 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, 590 PaddingMode padding, HidlBuf* iv_out) { 591 SCOPED_TRACE("EncryptMessage"); 592 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding); 593 AuthorizationSet out_params; 594 string ciphertext = EncryptMessage(message, params, &out_params); 595 EXPECT_EQ(1U, out_params.size()); 596 auto ivVal = out_params.GetTagValue(TAG_NONCE); 597 EXPECT_TRUE(ivVal.isOk()); 598 if (ivVal.isOk()) *iv_out = ivVal.value(); 599 return ciphertext; 600 } 601 602 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, 603 PaddingMode padding, const HidlBuf& iv_in) { 604 SCOPED_TRACE("EncryptMessage"); 605 auto params = AuthorizationSetBuilder() 606 .BlockMode(block_mode) 607 .Padding(padding) 608 .Authorization(TAG_NONCE, iv_in); 609 AuthorizationSet out_params; 610 string ciphertext = EncryptMessage(message, params, &out_params); 611 return ciphertext; 612 } 613 614 string KeymasterHidlTest::DecryptMessage(const HidlBuf& key_blob, const string& ciphertext, 615 const AuthorizationSet& params) { 616 SCOPED_TRACE("DecryptMessage"); 617 AuthorizationSet out_params; 618 string plaintext = 619 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params); 620 EXPECT_TRUE(out_params.empty()); 621 return plaintext; 622 } 623 624 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, const AuthorizationSet& params) { 625 SCOPED_TRACE("DecryptMessage"); 626 return DecryptMessage(key_blob_, ciphertext, params); 627 } 628 629 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, BlockMode block_mode, 630 PaddingMode padding_mode, const HidlBuf& iv) { 631 SCOPED_TRACE("DecryptMessage"); 632 auto params = AuthorizationSetBuilder() 633 .BlockMode(block_mode) 634 .Padding(padding_mode) 635 .Authorization(TAG_NONCE, iv); 636 return DecryptMessage(key_blob_, ciphertext, params); 637 } 638 639 std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_blob) { 640 std::pair<ErrorCode, HidlBuf> retval; 641 keymaster_->upgradeKey(key_blob, hidl_vec<KeyParameter>(), 642 [&](ErrorCode error, const hidl_vec<uint8_t>& upgraded_blob) { 643 retval = std::tie(error, upgraded_blob); 644 }); 645 return retval; 646 } 647 std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) { 648 switch (algorithm) { 649 case Algorithm::RSA: 650 switch (SecLevel()) { 651 case SecurityLevel::TRUSTED_ENVIRONMENT: 652 return {2048, 3072, 4096}; 653 case SecurityLevel::STRONGBOX: 654 return {2048}; 655 default: 656 CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); 657 break; 658 } 659 break; 660 case Algorithm::EC: 661 switch (SecLevel()) { 662 case SecurityLevel::TRUSTED_ENVIRONMENT: 663 return {224, 256, 384, 521}; 664 case SecurityLevel::STRONGBOX: 665 return {256}; 666 default: 667 CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); 668 break; 669 } 670 break; 671 case Algorithm::AES: 672 return {128, 256}; 673 case Algorithm::TRIPLE_DES: 674 return {168}; 675 case Algorithm::HMAC: { 676 std::vector<uint32_t> retval((512 - 64) / 8 + 1); 677 uint32_t size = 64 - 8; 678 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); }); 679 return retval; 680 } 681 default: 682 CHECK(false) << "Invalid Algorithm: " << algorithm; 683 return {}; 684 } 685 CHECK(false) << "Should be impossible to get here"; 686 return {}; 687 } 688 std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) { 689 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; 690 CHECK(SecLevel() == SecurityLevel::STRONGBOX); 691 switch (algorithm) { 692 case Algorithm::RSA: 693 return {3072, 4096}; 694 case Algorithm::EC: 695 return {224, 384, 521}; 696 case Algorithm::AES: 697 return {192}; 698 default: 699 return {}; 700 } 701 } 702 703 std::vector<EcCurve> KeymasterHidlTest::ValidCurves() { 704 if (securityLevel_ == SecurityLevel::STRONGBOX) { 705 return {EcCurve::P_256}; 706 } else { 707 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; 708 } 709 } 710 711 std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() { 712 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; 713 CHECK(SecLevel() == SecurityLevel::STRONGBOX); 714 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521}; 715 } 716 717 std::vector<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) { 718 switch (SecLevel()) { 719 case SecurityLevel::TRUSTED_ENVIRONMENT: 720 if (withNone) { 721 if (withMD5) 722 return {Digest::NONE, Digest::MD5, Digest::SHA1, 723 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, 724 Digest::SHA_2_512}; 725 else 726 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224, 727 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; 728 } else { 729 if (withMD5) 730 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 731 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; 732 else 733 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, 734 Digest::SHA_2_512}; 735 } 736 break; 737 case SecurityLevel::STRONGBOX: 738 if (withNone) 739 return {Digest::NONE, Digest::SHA_2_256}; 740 else 741 return {Digest::SHA_2_256}; 742 break; 743 default: 744 CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); 745 break; 746 } 747 CHECK(false) << "Should be impossible to get here"; 748 return {}; 749 } 750 751 std::vector<Digest> KeymasterHidlTest::InvalidDigests() { 752 return {}; 753 } 754 755 } // namespace test 756 } // namespace V4_0 757 } // namespace keymaster 758 } // namespace hardware 759 } // namespace android 760
