1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <fstream> 18 #include <string> 19 #include <vector> 20 21 #include <hardware/keymaster0.h> 22 #include <keymaster/key_factory.h> 23 #include <keymaster/soft_keymaster_context.h> 24 #include <keymaster/soft_keymaster_device.h> 25 #include <keymaster/softkeymaster.h> 26 27 #include "android_keymaster_test_utils.h" 28 #include "keymaster0_engine.h" 29 #include "openssl_utils.h" 30 31 using std::ifstream; 32 using std::istreambuf_iterator; 33 using std::string; 34 using std::vector; 35 using std::unique_ptr; 36 37 extern "C" { 38 int __android_log_print(int prio, const char* tag, const char* fmt); 39 int __android_log_print(int prio, const char* tag, const char* fmt) { 40 (void)prio, (void)tag, (void)fmt; 41 return 0; 42 } 43 } // extern "C" 44 45 namespace keymaster { 46 namespace test { 47 48 StdoutLogger logger; 49 50 template <typename T> vector<T> make_vector(const T* array, size_t len) { 51 return vector<T>(array, array + len); 52 } 53 54 class TestKeymasterEnforcement : public KeymasterEnforcement { 55 public: 56 TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {} 57 58 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } 59 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } 60 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, 61 uint32_t /* timeout */) const { 62 return false; 63 } 64 virtual uint32_t get_current_time() const { return 0; } 65 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } 66 }; 67 68 class TestKeymasterContext : public SoftKeymasterContext { 69 public: 70 TestKeymasterContext(keymaster0_device_t* keymaster0 = nullptr) 71 : SoftKeymasterContext(keymaster0) {} 72 73 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } 74 75 private: 76 TestKeymasterEnforcement test_policy_; 77 }; 78 79 class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator { 80 public: 81 keymaster1_device_t* CreateDevice() const override { 82 std::cerr << "Creating software-only device" << std::endl; 83 SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext); 84 return device->keymaster_device(); 85 } 86 87 bool algorithm_in_hardware(keymaster_algorithm_t) const override { return false; } 88 int keymaster0_calls() const override { return 0; } 89 }; 90 91 class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator { 92 public: 93 Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {} 94 95 keymaster1_device_t* CreateDevice() const { 96 std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_ 97 << ")." << std::endl; 98 hw_device_t* softkeymaster_device; 99 EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER, 100 &softkeymaster_device)); 101 // Make the software device pretend to be hardware 102 keymaster0_device_t* keymaster0_device = 103 reinterpret_cast<keymaster0_device_t*>(softkeymaster_device); 104 keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY; 105 106 if (!support_ec_) { 107 // Make the software device pretend not to support EC 108 keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC; 109 } 110 111 counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device); 112 113 SoftKeymasterDevice* keymaster = 114 new SoftKeymasterDevice(new TestKeymasterContext(counting_keymaster0_device_)); 115 return keymaster->keymaster_device(); 116 } 117 118 bool algorithm_in_hardware(keymaster_algorithm_t algorithm) const override { 119 switch (algorithm) { 120 case KM_ALGORITHM_RSA: 121 return true; 122 case KM_ALGORITHM_EC: 123 return support_ec_; 124 default: 125 return false; 126 } 127 } 128 int keymaster0_calls() const override { return counting_keymaster0_device_->count(); } 129 130 private: 131 mutable Keymaster0CountingWrapper* counting_keymaster0_device_; 132 bool support_ec_; 133 }; 134 135 static auto test_params = testing::Values( 136 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 137 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 138 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */))); 139 140 typedef Keymaster1Test CheckSupported; 141 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params); 142 143 TEST_P(CheckSupported, SupportedAlgorithms) { 144 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 145 device()->get_supported_algorithms(device(), NULL, NULL)); 146 147 size_t len; 148 keymaster_algorithm_t* algorithms; 149 EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len)); 150 EXPECT_TRUE(ResponseContains( 151 {KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len)); 152 free(algorithms); 153 154 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 155 } 156 157 TEST_P(CheckSupported, SupportedBlockModes) { 158 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 159 device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 160 NULL, NULL)); 161 162 size_t len; 163 keymaster_block_mode_t* modes; 164 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, 165 KM_PURPOSE_ENCRYPT, &modes, &len)); 166 EXPECT_EQ(0U, len); 167 free(modes); 168 169 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 170 device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT, 171 &modes, &len)); 172 173 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES, 174 KM_PURPOSE_ENCRYPT, &modes, &len)); 175 EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR, KM_MODE_GCM}, modes, len)); 176 free(modes); 177 178 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 179 } 180 181 TEST_P(CheckSupported, SupportedPaddingModes) { 182 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 183 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT, 184 NULL, NULL)); 185 186 size_t len; 187 keymaster_padding_t* modes; 188 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 189 KM_PURPOSE_SIGN, &modes, &len)); 190 EXPECT_TRUE( 191 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len)); 192 free(modes); 193 194 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, 195 KM_PURPOSE_ENCRYPT, &modes, &len)); 196 EXPECT_TRUE( 197 ResponseContains({KM_PAD_NONE, KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len)); 198 free(modes); 199 200 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC, 201 KM_PURPOSE_SIGN, &modes, &len)); 202 EXPECT_EQ(0U, len); 203 free(modes); 204 205 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 206 device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, 207 &modes, &len)); 208 209 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 210 } 211 212 TEST_P(CheckSupported, SupportedDigests) { 213 EXPECT_EQ( 214 KM_ERROR_OUTPUT_PARAMETER_NULL, 215 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL)); 216 217 size_t len; 218 keymaster_digest_t* digests; 219 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA, 220 KM_PURPOSE_SIGN, &digests, &len)); 221 EXPECT_TRUE( 222 ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 223 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 224 digests, len)); 225 free(digests); 226 227 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 228 KM_PURPOSE_SIGN, &digests, &len)); 229 EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 230 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512}, 231 digests, len)); 232 free(digests); 233 234 EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, 235 device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests, 236 &len)); 237 238 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC, 239 KM_PURPOSE_SIGN, &digests, &len)); 240 EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, 241 KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1}, 242 digests, len)); 243 free(digests); 244 245 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 246 } 247 248 TEST_P(CheckSupported, SupportedImportFormats) { 249 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 250 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 251 252 size_t len; 253 keymaster_key_format_t* formats; 254 ASSERT_EQ(KM_ERROR_OK, 255 device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 256 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len)); 257 free(formats); 258 259 ASSERT_EQ(KM_ERROR_OK, 260 device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 261 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 262 free(formats); 263 264 ASSERT_EQ(KM_ERROR_OK, 265 device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 266 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len)); 267 free(formats); 268 269 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 270 } 271 272 TEST_P(CheckSupported, SupportedExportFormats) { 273 EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL, 274 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL)); 275 276 size_t len; 277 keymaster_key_format_t* formats; 278 ASSERT_EQ(KM_ERROR_OK, 279 device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len)); 280 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 281 free(formats); 282 283 ASSERT_EQ(KM_ERROR_OK, 284 device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len)); 285 EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len)); 286 free(formats); 287 288 ASSERT_EQ(KM_ERROR_OK, 289 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 290 EXPECT_EQ(0U, len); 291 free(formats); 292 293 ASSERT_EQ(KM_ERROR_OK, 294 device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len)); 295 EXPECT_EQ(0U, len); 296 free(formats); 297 298 ASSERT_EQ(KM_ERROR_OK, 299 device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len)); 300 EXPECT_EQ(0U, len); 301 free(formats); 302 303 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 304 } 305 306 class NewKeyGeneration : public Keymaster1Test { 307 protected: 308 void CheckBaseParams() { 309 AuthorizationSet auths = sw_enforced(); 310 EXPECT_GT(auths.SerializedSize(), 12U); 311 312 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 313 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 314 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 315 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 316 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 317 318 // Verify that App ID, App data and ROT are NOT included. 319 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 320 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 321 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 322 323 // Just for giggles, check that some unexpected tags/values are NOT present. 324 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 325 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 326 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 327 328 // Now check that unspecified, defaulted tags are correct. 329 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 330 } 331 }; 332 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 333 334 TEST_P(NewKeyGeneration, Rsa) { 335 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 336 .RsaSigningKey(256, 3) 337 .Digest(KM_DIGEST_NONE) 338 .Padding(KM_PAD_NONE))); 339 CheckBaseParams(); 340 341 // Check specified tags are all present, and in the right set. 342 AuthorizationSet crypto_params; 343 AuthorizationSet non_crypto_params; 344 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) { 345 EXPECT_NE(0U, hw_enforced().size()); 346 EXPECT_NE(0U, sw_enforced().size()); 347 crypto_params.push_back(hw_enforced()); 348 non_crypto_params.push_back(sw_enforced()); 349 } else { 350 EXPECT_EQ(0U, hw_enforced().size()); 351 EXPECT_NE(0U, sw_enforced().size()); 352 crypto_params.push_back(sw_enforced()); 353 } 354 355 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 356 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 357 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 358 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 359 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 360 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 361 362 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 363 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 364 } 365 366 TEST_P(NewKeyGeneration, RsaDefaultSize) { 367 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 368 GenerateKey(AuthorizationSetBuilder() 369 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 370 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 371 .SigningKey())); 372 373 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 374 } 375 376 TEST_P(NewKeyGeneration, Ecdsa) { 377 ASSERT_EQ(KM_ERROR_OK, 378 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 379 CheckBaseParams(); 380 381 // Check specified tags are all present, and in the right set. 382 AuthorizationSet crypto_params; 383 AuthorizationSet non_crypto_params; 384 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) { 385 EXPECT_NE(0U, hw_enforced().size()); 386 EXPECT_NE(0U, sw_enforced().size()); 387 crypto_params.push_back(hw_enforced()); 388 non_crypto_params.push_back(sw_enforced()); 389 } else { 390 EXPECT_EQ(0U, hw_enforced().size()); 391 EXPECT_NE(0U, sw_enforced().size()); 392 crypto_params.push_back(sw_enforced()); 393 } 394 395 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 396 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 397 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 398 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 399 400 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 401 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 402 } 403 404 TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 405 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 406 GenerateKey(AuthorizationSetBuilder() 407 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 408 .SigningKey() 409 .Digest(KM_DIGEST_NONE))); 410 411 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 412 } 413 414 TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 415 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 416 ASSERT_EQ( 417 KM_ERROR_UNKNOWN_ERROR, 418 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 419 else 420 ASSERT_EQ( 421 KM_ERROR_UNSUPPORTED_KEY_SIZE, 422 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 423 424 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 425 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 426 } 427 428 TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 429 size_t valid_sizes[] = {224, 256, 384, 521}; 430 for (size_t size : valid_sizes) { 431 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 432 KM_DIGEST_NONE))) 433 << "Failed to generate size: " << size; 434 } 435 436 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 437 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 438 } 439 440 TEST_P(NewKeyGeneration, HmacSha256) { 441 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 442 .HmacKey(128) 443 .Digest(KM_DIGEST_SHA_2_256) 444 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 445 446 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 447 } 448 449 TEST_P(NewKeyGeneration, HmacMultipleDigests) { 450 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 451 GenerateKey(AuthorizationSetBuilder() 452 .HmacKey(128) 453 .Digest(KM_DIGEST_SHA1) 454 .Digest(KM_DIGEST_SHA_2_256) 455 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 456 457 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 458 } 459 460 TEST_P(NewKeyGeneration, HmacDigestNone) { 461 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 462 GenerateKey(AuthorizationSetBuilder() 463 .HmacKey(128) 464 .Digest(KM_DIGEST_NONE) 465 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 466 467 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 468 } 469 470 TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) { 471 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 472 GenerateKey(AuthorizationSetBuilder() 473 .HmacKey(128) 474 .Digest(KM_DIGEST_SHA_2_256) 475 .Authorization(TAG_MIN_MAC_LENGTH, 48))); 476 477 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 478 } 479 480 TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) { 481 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 482 GenerateKey(AuthorizationSetBuilder() 483 .HmacKey(128) 484 .Digest(KM_DIGEST_SHA_2_256) 485 .Authorization(TAG_MIN_MAC_LENGTH, 130))); 486 487 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 488 } 489 490 TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) { 491 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 492 GenerateKey(AuthorizationSetBuilder() 493 .HmacKey(128) 494 .Digest(KM_DIGEST_SHA_2_256) 495 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 496 497 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 498 } 499 500 typedef Keymaster1Test GetKeyCharacteristics; 501 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 502 503 TEST_P(GetKeyCharacteristics, SimpleRsa) { 504 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 505 .RsaSigningKey(256, 3) 506 .Digest(KM_DIGEST_NONE) 507 .Padding(KM_PAD_NONE))); 508 AuthorizationSet original(sw_enforced()); 509 510 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 511 EXPECT_EQ(original, sw_enforced()); 512 513 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 514 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 515 } 516 517 typedef Keymaster1Test SigningOperationsTest; 518 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 519 520 TEST_P(SigningOperationsTest, RsaSuccess) { 521 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 522 .RsaSigningKey(256, 3) 523 .Digest(KM_DIGEST_NONE) 524 .Padding(KM_PAD_NONE))); 525 string message = "12345678901234567890123456789012"; 526 string signature; 527 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 528 529 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 530 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 531 } 532 533 TEST_P(SigningOperationsTest, RsaPssSha256Success) { 534 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 535 .RsaSigningKey(512, 3) 536 .Digest(KM_DIGEST_SHA_2_256) 537 .Padding(KM_PAD_RSA_PSS))); 538 // Use large message, which won't work without digesting. 539 string message(1024, 'a'); 540 string signature; 541 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 542 543 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 544 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 545 } 546 547 TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 548 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 549 .RsaSigningKey(512, 3) 550 .Digest(KM_DIGEST_NONE) 551 .Padding(KM_PAD_NONE))); 552 string message = "12345678901234567890123456789012"; 553 string signature; 554 555 AuthorizationSet begin_params(client_params()); 556 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 557 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 558 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 559 } 560 561 TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 562 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 563 .RsaSigningKey(512, 3) 564 .Digest(KM_DIGEST_SHA_2_256) 565 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 566 string message(1024, 'a'); 567 string signature; 568 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 569 570 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 571 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 572 } 573 574 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 575 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 576 .RsaSigningKey(512, 3) 577 .Digest(KM_DIGEST_NONE) 578 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 579 string message(53, 'a'); 580 string signature; 581 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); 582 583 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 584 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 585 } 586 587 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { 588 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 589 .RsaSigningKey(512, 3) 590 .Digest(KM_DIGEST_NONE) 591 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 592 string message(54, 'a'); 593 594 AuthorizationSet begin_params(client_params()); 595 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 596 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 597 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 598 string result; 599 size_t input_consumed; 600 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 601 string signature; 602 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature)); 603 604 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 605 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 606 } 607 608 TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 609 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 610 // verify that nine bytes larger than hash won't work. 611 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 612 .RsaSigningKey(256 + 9 * 8, 3) 613 .Digest(KM_DIGEST_SHA_2_256) 614 .Padding(KM_PAD_RSA_PSS))); 615 string message(1024, 'a'); 616 string signature; 617 618 AuthorizationSet begin_params(client_params()); 619 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 620 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 621 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 622 } 623 624 TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { 625 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 626 .RsaSigningKey(256, 3) 627 .Digest(KM_DIGEST_NONE) 628 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 629 string message(64 * 1024, 'a'); 630 string signature; 631 AuthorizationSet begin_params(client_params()); 632 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 633 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 634 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 635 string result; 636 size_t input_consumed; 637 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 638 639 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 640 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 641 } 642 643 TEST_P(SigningOperationsTest, RsaAbort) { 644 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 645 .RsaSigningKey(256, 3) 646 .Digest(KM_DIGEST_NONE) 647 .Padding(KM_PAD_NONE))); 648 AuthorizationSet begin_params(client_params()); 649 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 650 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 651 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 652 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 653 // Another abort should fail 654 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 655 656 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 657 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 658 } 659 660 TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 661 GenerateKey(AuthorizationSetBuilder() 662 .RsaSigningKey(256, 3) 663 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 664 .Padding(KM_PAD_PKCS7)); 665 AuthorizationSet begin_params(client_params()); 666 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 667 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 668 669 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 670 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 671 } 672 673 TEST_P(SigningOperationsTest, RsaNoDigest) { 674 // PSS requires a digest. 675 GenerateKey(AuthorizationSetBuilder() 676 .RsaSigningKey(256, 3) 677 .Digest(KM_DIGEST_NONE) 678 .Padding(KM_PAD_RSA_PSS)); 679 AuthorizationSet begin_params(client_params()); 680 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 681 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 682 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 683 684 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 685 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 686 } 687 688 TEST_P(SigningOperationsTest, RsaNoPadding) { 689 // Padding must be specified 690 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 691 KM_DIGEST_NONE))); 692 AuthorizationSet begin_params(client_params()); 693 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 694 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 695 696 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 697 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 698 } 699 700 TEST_P(SigningOperationsTest, RsaTooShortMessage) { 701 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 702 .RsaSigningKey(256, 3) 703 .Digest(KM_DIGEST_NONE) 704 .Padding(KM_PAD_NONE))); 705 string message = "1234567890123456789012345678901"; 706 string signature; 707 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 708 709 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 710 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 711 } 712 713 TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 714 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 715 .RsaEncryptionKey(256, 3) 716 .Digest(KM_DIGEST_NONE) 717 .Padding(KM_PAD_NONE))); 718 AuthorizationSet begin_params(client_params()); 719 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 720 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 721 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 722 723 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 724 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 725 } 726 727 TEST_P(SigningOperationsTest, EcdsaSuccess) { 728 ASSERT_EQ(KM_ERROR_OK, 729 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 730 string message(224 / 8, 'a'); 731 string signature; 732 SignMessage(message, &signature, KM_DIGEST_NONE); 733 734 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 735 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 736 } 737 738 TEST_P(SigningOperationsTest, EcdsaSha256Success) { 739 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 740 KM_DIGEST_SHA_2_256))); 741 string message(1024, 'a'); 742 string signature; 743 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 744 745 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 746 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 747 } 748 749 TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { 750 ASSERT_EQ(KM_ERROR_OK, 751 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 752 string message(64 * 1024, 'a'); 753 string signature; 754 AuthorizationSet begin_params(client_params()); 755 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 756 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 757 string result; 758 size_t input_consumed; 759 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 760 761 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 762 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 763 } 764 765 TEST_P(SigningOperationsTest, EcsdaAllSizesAndHashes) { 766 size_t len; 767 keymaster_digest_t* digest_arr; 768 ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC, 769 KM_PURPOSE_SIGN, &digest_arr, &len)); 770 vector<int> key_sizes = {224, 256, 384, 521}; 771 vector<keymaster_digest_t> digests = make_vector(digest_arr, len); 772 free(digest_arr); 773 774 for (int key_size : key_sizes) { 775 for (keymaster_digest_t digest : digests) { 776 ASSERT_EQ( 777 KM_ERROR_OK, 778 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); 779 780 string message(1024, 'a'); 781 string signature; 782 if (digest == KM_DIGEST_NONE) 783 message.resize(key_size / 8); 784 SignMessage(message, &signature, digest); 785 } 786 } 787 788 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 789 EXPECT_EQ(digests.size() * key_sizes.size() * 3, 790 static_cast<size_t>(GetParam()->keymaster0_calls())); 791 } 792 793 TEST_P(SigningOperationsTest, AesEcbSign) { 794 ASSERT_EQ(KM_ERROR_OK, 795 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 796 TAG_BLOCK_MODE, KM_MODE_ECB))); 797 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 798 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 799 800 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 801 } 802 803 TEST_P(SigningOperationsTest, HmacSha1Success) { 804 GenerateKey(AuthorizationSetBuilder() 805 .HmacKey(128) 806 .Digest(KM_DIGEST_SHA1) 807 .Authorization(TAG_MIN_MAC_LENGTH, 160)); 808 string message = "12345678901234567890123456789012"; 809 string signature; 810 MacMessage(message, &signature, 160); 811 ASSERT_EQ(20U, signature.size()); 812 813 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 814 } 815 816 TEST_P(SigningOperationsTest, HmacSha224Success) { 817 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 818 .HmacKey(128) 819 .Digest(KM_DIGEST_SHA_2_224) 820 .Authorization(TAG_MIN_MAC_LENGTH, 160))); 821 string message = "12345678901234567890123456789012"; 822 string signature; 823 MacMessage(message, &signature, 224); 824 ASSERT_EQ(28U, signature.size()); 825 826 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 827 } 828 829 TEST_P(SigningOperationsTest, HmacSha256Success) { 830 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 831 .HmacKey(128) 832 .Digest(KM_DIGEST_SHA_2_256) 833 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 834 string message = "12345678901234567890123456789012"; 835 string signature; 836 MacMessage(message, &signature, 256); 837 ASSERT_EQ(32U, signature.size()); 838 839 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 840 } 841 842 TEST_P(SigningOperationsTest, HmacSha384Success) { 843 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 844 .HmacKey(128) 845 .Digest(KM_DIGEST_SHA_2_384) 846 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 847 848 string message = "12345678901234567890123456789012"; 849 string signature; 850 MacMessage(message, &signature, 384); 851 ASSERT_EQ(48U, signature.size()); 852 853 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 854 } 855 856 TEST_P(SigningOperationsTest, HmacSha512Success) { 857 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 858 .HmacKey(128) 859 .Digest(KM_DIGEST_SHA_2_512) 860 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 861 string message = "12345678901234567890123456789012"; 862 string signature; 863 MacMessage(message, &signature, 512); 864 ASSERT_EQ(64U, signature.size()); 865 866 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 867 } 868 869 TEST_P(SigningOperationsTest, HmacLengthInKey) { 870 // TODO(swillden): unified API should generate an error on key generation. 871 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 872 .HmacKey(128) 873 .Digest(KM_DIGEST_SHA_2_512) 874 .Authorization(TAG_MIN_MAC_LENGTH, 512))); 875 string message = "12345678901234567890123456789012"; 876 string signature; 877 MacMessage(message, &signature, 512); 878 ASSERT_EQ(64U, signature.size()); 879 880 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 881 } 882 883 TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) { 884 uint8_t key_data[] = { 885 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 886 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 887 }; 888 string message = "Hi There"; 889 uint8_t sha_224_expected[] = { 890 0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d, 891 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22, 892 }; 893 uint8_t sha_256_expected[] = { 894 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 895 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 896 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7, 897 }; 898 uint8_t sha_384_expected[] = { 899 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4, 900 0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6, 901 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9, 902 0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6, 903 }; 904 uint8_t sha_512_expected[] = { 905 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 906 0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0, 907 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 908 0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e, 909 0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54, 910 }; 911 912 string key = make_string(key_data); 913 914 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 915 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 916 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 917 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 918 919 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 920 } 921 922 TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) { 923 string key = "Jefe"; 924 string message = "what do ya want for nothing?"; 925 uint8_t sha_224_expected[] = { 926 0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e, 927 0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44, 928 }; 929 uint8_t sha_256_expected[] = { 930 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 931 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 932 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43, 933 }; 934 uint8_t sha_384_expected[] = { 935 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2, 936 0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47, 937 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca, 938 0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49, 939 }; 940 uint8_t sha_512_expected[] = { 941 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 942 0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27, 943 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 944 0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3, 945 0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37, 946 }; 947 948 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 949 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 950 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 951 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 952 953 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 954 } 955 956 TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 957 string key(20, 0xaa); 958 string message(50, 0xdd); 959 uint8_t sha_224_expected[] = { 960 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 961 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 962 }; 963 uint8_t sha_256_expected[] = { 964 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 965 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 966 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 967 }; 968 uint8_t sha_384_expected[] = { 969 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 970 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 971 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 972 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 973 }; 974 uint8_t sha_512_expected[] = { 975 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 976 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 977 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 978 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 979 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 980 }; 981 982 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 983 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 984 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 985 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 986 987 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 988 } 989 990 TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 991 uint8_t key_data[25] = { 992 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 993 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 994 }; 995 string key = make_string(key_data); 996 string message(50, 0xcd); 997 uint8_t sha_224_expected[] = { 998 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 999 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 1000 }; 1001 uint8_t sha_256_expected[] = { 1002 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 1003 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 1004 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 1005 }; 1006 uint8_t sha_384_expected[] = { 1007 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 1008 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 1009 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 1010 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 1011 }; 1012 uint8_t sha_512_expected[] = { 1013 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 1014 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 1015 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 1016 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 1017 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 1018 }; 1019 1020 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1021 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1022 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1023 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1024 1025 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1026 } 1027 1028 TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 1029 string key(20, 0x0c); 1030 string message = "Test With Truncation"; 1031 1032 uint8_t sha_224_expected[] = { 1033 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 1034 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 1035 }; 1036 uint8_t sha_256_expected[] = { 1037 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 1038 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 1039 }; 1040 uint8_t sha_384_expected[] = { 1041 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 1042 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 1043 }; 1044 uint8_t sha_512_expected[] = { 1045 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 1046 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 1047 }; 1048 1049 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1050 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1051 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1052 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1053 1054 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1055 } 1056 1057 TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 1058 string key(131, 0xaa); 1059 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 1060 1061 uint8_t sha_224_expected[] = { 1062 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 1063 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 1064 }; 1065 uint8_t sha_256_expected[] = { 1066 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 1067 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 1068 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 1069 }; 1070 uint8_t sha_384_expected[] = { 1071 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 1072 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 1073 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 1074 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 1075 }; 1076 uint8_t sha_512_expected[] = { 1077 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 1078 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 1079 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 1080 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 1081 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 1082 }; 1083 1084 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1085 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1086 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1087 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1088 1089 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1090 } 1091 1092 TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 1093 string key(131, 0xaa); 1094 string message = "This is a test using a larger than block-size key and a larger than " 1095 "block-size data. The key needs to be hashed before being used by the HMAC " 1096 "algorithm."; 1097 1098 uint8_t sha_224_expected[] = { 1099 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 1100 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 1101 }; 1102 uint8_t sha_256_expected[] = { 1103 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1104 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1105 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1106 }; 1107 uint8_t sha_384_expected[] = { 1108 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1109 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1110 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1111 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1112 }; 1113 uint8_t sha_512_expected[] = { 1114 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1115 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1116 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1117 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1118 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1119 }; 1120 1121 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1122 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1123 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1124 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1125 1126 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1127 } 1128 1129 TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1130 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1131 .HmacKey(128) 1132 .Digest(KM_DIGEST_SHA_2_256) 1133 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1134 AuthorizationSet begin_params(client_params()); 1135 begin_params.push_back(TAG_MAC_LENGTH, 264); 1136 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1137 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 1138 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1139 1140 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1141 } 1142 1143 TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) { 1144 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1145 .HmacKey(128) 1146 .Digest(KM_DIGEST_SHA_2_256) 1147 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1148 AuthorizationSet begin_params(client_params()); 1149 begin_params.push_back(TAG_MAC_LENGTH, 120); 1150 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1151 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 1152 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1153 1154 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1155 } 1156 1157 // TODO(swillden): Add more verification failure tests. 1158 1159 typedef Keymaster1Test VerificationOperationsTest; 1160 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 1161 1162 TEST_P(VerificationOperationsTest, RsaSuccess) { 1163 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1164 .RsaSigningKey(256, 3) 1165 .Digest(KM_DIGEST_NONE) 1166 .Padding(KM_PAD_NONE))); 1167 string message = "12345678901234567890123456789012"; 1168 string signature; 1169 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1170 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1171 1172 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1173 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1174 } 1175 1176 TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1177 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1178 .RsaSigningKey(512, 3) 1179 .Digest(KM_DIGEST_SHA_2_256) 1180 .Padding(KM_PAD_RSA_PSS))); 1181 // Use large message, which won't work without digesting. 1182 string message(1024, 'a'); 1183 string signature; 1184 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1185 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1186 1187 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1188 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1189 } 1190 1191 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1192 GenerateKey(AuthorizationSetBuilder() 1193 .RsaSigningKey(512, 3) 1194 .Digest(KM_DIGEST_SHA_2_256) 1195 .Padding(KM_PAD_RSA_PSS)); 1196 string message(1024, 'a'); 1197 string signature; 1198 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1199 ++signature[signature.size() / 2]; 1200 1201 AuthorizationSet begin_params(client_params()); 1202 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1203 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1204 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1205 1206 string result; 1207 size_t input_consumed; 1208 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1209 EXPECT_EQ(message.size(), input_consumed); 1210 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1211 1212 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1213 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1214 } 1215 1216 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1217 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1218 .RsaSigningKey(512, 3) 1219 .Digest(KM_DIGEST_SHA_2_256) 1220 .Padding(KM_PAD_RSA_PSS))); 1221 // Use large message, which won't work without digesting. 1222 string message(1024, 'a'); 1223 string signature; 1224 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1225 ++message[message.size() / 2]; 1226 1227 AuthorizationSet begin_params(client_params()); 1228 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1229 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1230 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1231 1232 string result; 1233 size_t input_consumed; 1234 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1235 EXPECT_EQ(message.size(), input_consumed); 1236 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1237 1238 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1239 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1240 } 1241 1242 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1243 GenerateKey(AuthorizationSetBuilder() 1244 .RsaSigningKey(512, 3) 1245 .Digest(KM_DIGEST_SHA_2_256) 1246 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1247 string message(1024, 'a'); 1248 string signature; 1249 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1250 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1251 1252 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1253 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1254 } 1255 1256 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1257 GenerateKey(AuthorizationSetBuilder() 1258 .RsaSigningKey(512, 3) 1259 .Digest(KM_DIGEST_SHA_2_256) 1260 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1261 string message(1024, 'a'); 1262 string signature; 1263 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1264 ++signature[signature.size() / 2]; 1265 1266 AuthorizationSet begin_params(client_params()); 1267 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1268 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1269 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1270 1271 string result; 1272 size_t input_consumed; 1273 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1274 EXPECT_EQ(message.size(), input_consumed); 1275 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1276 1277 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1278 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1279 } 1280 1281 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1282 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1283 .RsaSigningKey(512, 3) 1284 .Digest(KM_DIGEST_SHA_2_256) 1285 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1286 // Use large message, which won't work without digesting. 1287 string message(1024, 'a'); 1288 string signature; 1289 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1290 ++message[message.size() / 2]; 1291 1292 AuthorizationSet begin_params(client_params()); 1293 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1294 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1295 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1296 1297 string result; 1298 size_t input_consumed; 1299 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1300 EXPECT_EQ(message.size(), input_consumed); 1301 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1302 1303 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1304 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1305 } 1306 1307 TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1308 // Get all supported digests and padding modes. 1309 size_t digests_len; 1310 keymaster_digest_t* digests; 1311 ASSERT_EQ(KM_ERROR_OK, 1312 device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, &digests, 1313 &digests_len)); 1314 1315 size_t padding_modes_len; 1316 keymaster_padding_t* padding_modes; 1317 ASSERT_EQ(KM_ERROR_OK, 1318 device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, 1319 &padding_modes, &padding_modes_len)); 1320 1321 // Try them. 1322 int trial_count = 0; 1323 for (keymaster_padding_t padding_mode : make_vector(padding_modes, padding_modes_len)) { 1324 for (keymaster_digest_t digest : make_vector(digests, digests_len)) { 1325 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1326 // Digesting requires padding 1327 continue; 1328 1329 // Compute key & message size that will work. 1330 size_t key_bits = 0; 1331 size_t message_len = 1000; 1332 1333 if (digest == KM_DIGEST_NONE) { 1334 key_bits = 256; 1335 switch (padding_mode) { 1336 case KM_PAD_NONE: 1337 // Match key size. 1338 message_len = key_bits / 8; 1339 break; 1340 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1341 message_len = key_bits / 8 - 11; 1342 break; 1343 case KM_PAD_RSA_PSS: 1344 // PSS requires a digest. 1345 continue; 1346 default: 1347 FAIL() << "Missing padding"; 1348 break; 1349 } 1350 } else { 1351 size_t digest_bits; 1352 switch (digest) { 1353 case KM_DIGEST_MD5: 1354 digest_bits = 128; 1355 break; 1356 case KM_DIGEST_SHA1: 1357 digest_bits = 160; 1358 break; 1359 case KM_DIGEST_SHA_2_224: 1360 digest_bits = 224; 1361 break; 1362 case KM_DIGEST_SHA_2_256: 1363 digest_bits = 256; 1364 break; 1365 case KM_DIGEST_SHA_2_384: 1366 digest_bits = 384; 1367 break; 1368 case KM_DIGEST_SHA_2_512: 1369 digest_bits = 512; 1370 break; 1371 default: 1372 FAIL() << "Missing digest"; 1373 } 1374 1375 switch (padding_mode) { 1376 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1377 key_bits = digest_bits + 8 * (11 + 19); 1378 break; 1379 case KM_PAD_RSA_PSS: 1380 key_bits = digest_bits + 22 * 8; 1381 break; 1382 default: 1383 FAIL() << "Missing padding"; 1384 break; 1385 } 1386 } 1387 1388 GenerateKey(AuthorizationSetBuilder() 1389 .RsaSigningKey(key_bits, 3) 1390 .Digest(digest) 1391 .Padding(padding_mode)); 1392 string message(message_len, 'a'); 1393 string signature; 1394 SignMessage(message, &signature, digest, padding_mode); 1395 VerifyMessage(message, signature, digest, padding_mode); 1396 ++trial_count; 1397 } 1398 } 1399 1400 free(padding_modes); 1401 free(digests); 1402 1403 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1404 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1405 } 1406 1407 TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1408 ASSERT_EQ(KM_ERROR_OK, 1409 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1410 string message = "12345678901234567890123456789012"; 1411 string signature; 1412 SignMessage(message, &signature, KM_DIGEST_NONE); 1413 VerifyMessage(message, signature, KM_DIGEST_NONE); 1414 1415 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1416 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1417 } 1418 1419 TEST_P(VerificationOperationsTest, EcdsaTooShort) { 1420 ASSERT_EQ(KM_ERROR_OK, 1421 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1422 string message = "12345678901234567890"; 1423 string signature; 1424 SignMessage(message, &signature, KM_DIGEST_NONE); 1425 VerifyMessage(message, signature, KM_DIGEST_NONE); 1426 1427 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1428 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1429 } 1430 1431 TEST_P(VerificationOperationsTest, EcdsaTooLong) { 1432 ASSERT_EQ(KM_ERROR_OK, 1433 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1434 string message = "1234567890123456789012345678901234"; 1435 string signature; 1436 1437 AuthorizationSet begin_params(client_params()); 1438 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1439 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 1440 string output; 1441 size_t input_consumed; 1442 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &output, &input_consumed)); 1443 1444 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1445 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1446 } 1447 1448 TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { 1449 ASSERT_EQ(KM_ERROR_OK, 1450 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); 1451 1452 string message(66, 'a'); 1453 string signature; 1454 SignMessage(message, &signature, KM_DIGEST_NONE); 1455 VerifyMessage(message, signature, KM_DIGEST_NONE); 1456 1457 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. 1458 message[65] ^= 7; 1459 VerifyMessage(message, signature, KM_DIGEST_NONE); 1460 1461 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1462 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 1463 } 1464 1465 TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1466 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1467 .EcdsaSigningKey(256) 1468 .Digest(KM_DIGEST_SHA_2_256) 1469 .Digest(KM_DIGEST_NONE))); 1470 string message = "12345678901234567890123456789012"; 1471 string signature; 1472 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1473 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1474 1475 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1476 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1477 1478 // Just for giggles, try verifying with the wrong digest. 1479 AuthorizationSet begin_params(client_params()); 1480 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1481 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1482 1483 string result; 1484 size_t input_consumed; 1485 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1486 EXPECT_EQ(message.size(), input_consumed); 1487 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result)); 1488 } 1489 1490 TEST_P(VerificationOperationsTest, HmacSha1Success) { 1491 GenerateKey(AuthorizationSetBuilder() 1492 .HmacKey(128) 1493 .Digest(KM_DIGEST_SHA1) 1494 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1495 string message = "123456789012345678901234567890123456789012345678"; 1496 string signature; 1497 MacMessage(message, &signature, 160); 1498 VerifyMac(message, signature); 1499 1500 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1501 } 1502 1503 TEST_P(VerificationOperationsTest, HmacSha224Success) { 1504 GenerateKey(AuthorizationSetBuilder() 1505 .HmacKey(128) 1506 .Digest(KM_DIGEST_SHA_2_224) 1507 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1508 string message = "123456789012345678901234567890123456789012345678"; 1509 string signature; 1510 MacMessage(message, &signature, 224); 1511 VerifyMac(message, signature); 1512 1513 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1514 } 1515 1516 TEST_P(VerificationOperationsTest, HmacSha256Success) { 1517 GenerateKey(AuthorizationSetBuilder() 1518 .HmacKey(128) 1519 .Digest(KM_DIGEST_SHA_2_256) 1520 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1521 string message = "123456789012345678901234567890123456789012345678"; 1522 string signature; 1523 MacMessage(message, &signature, 256); 1524 VerifyMac(message, signature); 1525 1526 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1527 } 1528 1529 TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) { 1530 GenerateKey(AuthorizationSetBuilder() 1531 .HmacKey(128) 1532 .Digest(KM_DIGEST_SHA_2_256) 1533 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1534 string message = "123456789012345678901234567890123456789012345678"; 1535 string signature; 1536 MacMessage(message, &signature, 256); 1537 1538 // Shorten to 128 bits, should still work. 1539 signature.resize(128 / 8); 1540 VerifyMac(message, signature); 1541 1542 // Drop one more byte. 1543 signature.resize(signature.length() - 1); 1544 1545 AuthorizationSet begin_params(client_params()); 1546 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1547 string result; 1548 size_t input_consumed; 1549 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1550 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result)); 1551 1552 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1553 } 1554 1555 TEST_P(VerificationOperationsTest, HmacSha384Success) { 1556 GenerateKey(AuthorizationSetBuilder() 1557 .HmacKey(128) 1558 .Digest(KM_DIGEST_SHA_2_384) 1559 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1560 string message = "123456789012345678901234567890123456789012345678"; 1561 string signature; 1562 MacMessage(message, &signature, 384); 1563 VerifyMac(message, signature); 1564 1565 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1566 } 1567 1568 TEST_P(VerificationOperationsTest, HmacSha512Success) { 1569 GenerateKey(AuthorizationSetBuilder() 1570 .HmacKey(128) 1571 .Digest(KM_DIGEST_SHA_2_512) 1572 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1573 string message = "123456789012345678901234567890123456789012345678"; 1574 string signature; 1575 MacMessage(message, &signature, 512); 1576 VerifyMac(message, signature); 1577 1578 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1579 } 1580 1581 typedef Keymaster1Test ExportKeyTest; 1582 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1583 1584 TEST_P(ExportKeyTest, RsaSuccess) { 1585 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1586 .RsaSigningKey(256, 3) 1587 .Digest(KM_DIGEST_NONE) 1588 .Padding(KM_PAD_NONE))); 1589 string export_data; 1590 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1591 EXPECT_GT(export_data.length(), 0U); 1592 1593 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1594 1595 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1596 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1597 } 1598 1599 TEST_P(ExportKeyTest, EcdsaSuccess) { 1600 ASSERT_EQ(KM_ERROR_OK, 1601 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1602 string export_data; 1603 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1604 EXPECT_GT(export_data.length(), 0U); 1605 1606 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1607 1608 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1609 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1610 } 1611 1612 TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1613 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1614 .RsaSigningKey(256, 3) 1615 .Digest(KM_DIGEST_NONE) 1616 .Padding(KM_PAD_NONE))); 1617 string export_data; 1618 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1619 1620 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1621 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1622 } 1623 1624 TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1625 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1626 .RsaSigningKey(256, 3) 1627 .Digest(KM_DIGEST_NONE) 1628 .Padding(KM_PAD_NONE))); 1629 corrupt_key_blob(); 1630 string export_data; 1631 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1632 1633 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1634 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1635 } 1636 1637 TEST_P(ExportKeyTest, AesKeyExportFails) { 1638 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1639 string export_data; 1640 1641 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1642 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1643 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1644 1645 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1646 } 1647 1648 static string read_file(const string& file_name) { 1649 ifstream file_stream(file_name, std::ios::binary); 1650 istreambuf_iterator<char> file_begin(file_stream); 1651 istreambuf_iterator<char> file_end; 1652 return string(file_begin, file_end); 1653 } 1654 1655 typedef Keymaster1Test ImportKeyTest; 1656 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1657 1658 TEST_P(ImportKeyTest, RsaSuccess) { 1659 string pk8_key = read_file("rsa_privkey_pk8.der"); 1660 ASSERT_EQ(633U, pk8_key.size()); 1661 1662 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1663 .RsaSigningKey(1024, 65537) 1664 .Digest(KM_DIGEST_NONE) 1665 .Padding(KM_PAD_NONE), 1666 KM_KEY_FORMAT_PKCS8, pk8_key)); 1667 1668 // Check values derived from the key. 1669 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1670 : sw_enforced(), 1671 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1672 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1673 : sw_enforced(), 1674 TAG_KEY_SIZE, 1024)); 1675 EXPECT_TRUE(contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1676 : sw_enforced(), 1677 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1678 1679 // And values provided by AndroidKeymaster 1680 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1681 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1682 else 1683 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1684 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1685 1686 string message(1024 / 8, 'a'); 1687 string signature; 1688 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1689 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1690 1691 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1692 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1693 } 1694 1695 TEST_P(ImportKeyTest, OldApiRsaSuccess) { 1696 string pk8_key = read_file("rsa_privkey_pk8.der"); 1697 ASSERT_EQ(633U, pk8_key.size()); 1698 1699 // NOTE: This will break when the keymaster0 APIs are removed from keymaster1. But at that 1700 // point softkeymaster will no longer support keymaster0 APIs anyway. 1701 uint8_t* key_blob; 1702 size_t key_blob_length; 1703 ASSERT_EQ(0, 1704 device()->import_keypair(device(), reinterpret_cast<const uint8_t*>(pk8_key.data()), 1705 pk8_key.size(), &key_blob, &key_blob_length)); 1706 set_key_blob(key_blob, key_blob_length); 1707 1708 string message(1024 / 8, 'a'); 1709 AuthorizationSet begin_params; // Don't use client data. 1710 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1711 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1712 AuthorizationSet update_params; 1713 AuthorizationSet output_params; 1714 string signature = 1715 ProcessMessage(KM_PURPOSE_SIGN, message, begin_params, update_params, &output_params); 1716 ProcessMessage(KM_PURPOSE_VERIFY, message, signature, begin_params, update_params, 1717 &output_params); 1718 1719 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1720 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1721 } 1722 1723 TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1724 string pk8_key = read_file("rsa_privkey_pk8.der"); 1725 ASSERT_EQ(633U, pk8_key.size()); 1726 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1727 ImportKey(AuthorizationSetBuilder() 1728 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1729 .Digest(KM_DIGEST_NONE) 1730 .Padding(KM_PAD_NONE), 1731 KM_KEY_FORMAT_PKCS8, pk8_key)); 1732 1733 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1734 } 1735 1736 TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1737 string pk8_key = read_file("rsa_privkey_pk8.der"); 1738 ASSERT_EQ(633U, pk8_key.size()); 1739 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1740 ImportKey(AuthorizationSetBuilder() 1741 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1742 .Digest(KM_DIGEST_NONE) 1743 .Padding(KM_PAD_NONE), 1744 KM_KEY_FORMAT_PKCS8, pk8_key)); 1745 1746 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1747 } 1748 1749 TEST_P(ImportKeyTest, EcdsaSuccess) { 1750 string pk8_key = read_file("ec_privkey_pk8.der"); 1751 ASSERT_EQ(138U, pk8_key.size()); 1752 1753 ASSERT_EQ(KM_ERROR_OK, 1754 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1755 KM_KEY_FORMAT_PKCS8, pk8_key)); 1756 1757 // Check values derived from the key. 1758 EXPECT_TRUE( 1759 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1760 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1761 EXPECT_TRUE( 1762 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1763 TAG_KEY_SIZE, 256)); 1764 1765 // And values provided by AndroidKeymaster 1766 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1767 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1768 else 1769 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1770 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1771 1772 string message(32, 'a'); 1773 string signature; 1774 SignMessage(message, &signature, KM_DIGEST_NONE); 1775 VerifyMessage(message, signature, KM_DIGEST_NONE); 1776 1777 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1778 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1779 } 1780 1781 TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1782 string pk8_key = read_file("ec_privkey_pk8.der"); 1783 ASSERT_EQ(138U, pk8_key.size()); 1784 1785 ASSERT_EQ(KM_ERROR_OK, 1786 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1787 KM_KEY_FORMAT_PKCS8, pk8_key)); 1788 1789 // Check values derived from the key. 1790 EXPECT_TRUE( 1791 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1792 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1793 EXPECT_TRUE( 1794 contains(GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC) ? hw_enforced() : sw_enforced(), 1795 TAG_KEY_SIZE, 256)); 1796 1797 // And values provided by AndroidKeymaster 1798 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1799 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1800 else 1801 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1802 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1803 1804 string message(32, 'a'); 1805 string signature; 1806 SignMessage(message, &signature, KM_DIGEST_NONE); 1807 VerifyMessage(message, signature, KM_DIGEST_NONE); 1808 1809 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 1810 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1811 } 1812 1813 TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1814 string pk8_key = read_file("ec_privkey_pk8.der"); 1815 ASSERT_EQ(138U, pk8_key.size()); 1816 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1817 ImportKey(AuthorizationSetBuilder() 1818 .EcdsaSigningKey(224 /* Doesn't match key */) 1819 .Digest(KM_DIGEST_NONE), 1820 KM_KEY_FORMAT_PKCS8, pk8_key)); 1821 1822 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1823 } 1824 1825 TEST_P(ImportKeyTest, AesKeySuccess) { 1826 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1827 string key(key_data, sizeof(key_data)); 1828 ASSERT_EQ(KM_ERROR_OK, 1829 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1830 TAG_PADDING, KM_PAD_PKCS7), 1831 KM_KEY_FORMAT_RAW, key)); 1832 1833 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1834 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1835 1836 string message = "Hello World!"; 1837 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1838 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1839 EXPECT_EQ(message, plaintext); 1840 1841 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1842 } 1843 1844 TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1845 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1846 string key(key_data, sizeof(key_data)); 1847 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1848 .HmacKey(sizeof(key_data) * 8) 1849 .Digest(KM_DIGEST_SHA_2_256) 1850 .Authorization(TAG_MIN_MAC_LENGTH, 256), 1851 KM_KEY_FORMAT_RAW, key)); 1852 1853 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1854 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1855 1856 string message = "Hello World!"; 1857 string signature; 1858 MacMessage(message, &signature, 256); 1859 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1860 1861 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1862 } 1863 1864 typedef Keymaster1Test EncryptionOperationsTest; 1865 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 1866 1867 TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 1868 ASSERT_EQ(KM_ERROR_OK, 1869 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1870 1871 string message = "12345678901234567890123456789012"; 1872 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 1873 EXPECT_EQ(256U / 8, ciphertext1.size()); 1874 1875 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 1876 EXPECT_EQ(256U / 8, ciphertext2.size()); 1877 1878 // Unpadded RSA is deterministic 1879 EXPECT_EQ(ciphertext1, ciphertext2); 1880 1881 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1882 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1883 } 1884 1885 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 1886 ASSERT_EQ(KM_ERROR_OK, 1887 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1888 1889 string message = "1"; 1890 1891 string ciphertext = EncryptMessage(message, KM_PAD_NONE); 1892 EXPECT_EQ(256U / 8, ciphertext.size()); 1893 1894 string expected_plaintext = string(256 / 8 - 1, 0) + message; 1895 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE); 1896 1897 EXPECT_EQ(expected_plaintext, plaintext); 1898 1899 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1900 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1901 } 1902 1903 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 1904 ASSERT_EQ(KM_ERROR_OK, 1905 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1906 1907 string message = "123456789012345678901234567890123"; 1908 1909 AuthorizationSet begin_params(client_params()); 1910 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1911 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1912 1913 string result; 1914 size_t input_consumed; 1915 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 1916 1917 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1918 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1919 } 1920 1921 TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) { 1922 ASSERT_EQ(KM_ERROR_OK, 1923 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 1924 1925 string exported; 1926 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported)); 1927 1928 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data()); 1929 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1930 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size())); 1931 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get())); 1932 1933 size_t modulus_len = BN_num_bytes(rsa->n); 1934 ASSERT_EQ(256U / 8, modulus_len); 1935 unique_ptr<uint8_t> modulus_buf(new uint8_t[modulus_len]); 1936 BN_bn2bin(rsa->n, modulus_buf.get()); 1937 1938 // The modulus is too big to encrypt. 1939 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 1940 1941 AuthorizationSet begin_params(client_params()); 1942 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 1943 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1944 1945 string result; 1946 size_t input_consumed; 1947 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1948 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); 1949 1950 // One smaller than the modulus is okay. 1951 BN_sub(rsa->n, rsa->n, BN_value_one()); 1952 modulus_len = BN_num_bytes(rsa->n); 1953 ASSERT_EQ(256U / 8, modulus_len); 1954 BN_bn2bin(rsa->n, modulus_buf.get()); 1955 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 1956 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 1957 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 1958 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result)); 1959 1960 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1961 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1962 } 1963 1964 TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 1965 size_t key_size = 768; 1966 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1967 .RsaEncryptionKey(key_size, 3) 1968 .Padding(KM_PAD_RSA_OAEP) 1969 .Digest(KM_DIGEST_SHA_2_256))); 1970 1971 string message = "Hello"; 1972 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1973 EXPECT_EQ(key_size / 8, ciphertext1.size()); 1974 1975 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1976 EXPECT_EQ(key_size / 8, ciphertext2.size()); 1977 1978 // OAEP randomizes padding so every result should be different. 1979 EXPECT_NE(ciphertext1, ciphertext2); 1980 1981 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1982 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 1983 } 1984 1985 TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 1986 size_t key_size = 768; 1987 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1988 .RsaEncryptionKey(key_size, 3) 1989 .Padding(KM_PAD_RSA_OAEP) 1990 .Digest(KM_DIGEST_SHA_2_256))); 1991 string message = "Hello World!"; 1992 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1993 EXPECT_EQ(key_size / 8, ciphertext.size()); 1994 1995 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 1996 EXPECT_EQ(message, plaintext); 1997 1998 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 1999 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2000 } 2001 2002 TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { 2003 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2004 .RsaEncryptionKey(512, 3) 2005 .Padding(KM_PAD_RSA_OAEP) 2006 .Digest(KM_DIGEST_NONE))); 2007 string message = "Hello World!"; 2008 2009 AuthorizationSet begin_params(client_params()); 2010 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2011 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 2012 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2013 2014 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2015 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2016 } 2017 2018 TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) { 2019 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2020 .RsaEncryptionKey(512, 3) 2021 .Padding(KM_PAD_RSA_OAEP) 2022 .Digest(KM_DIGEST_SHA_2_256))); 2023 string message = "Hello World!"; 2024 // Works because encryption is a public key operation. 2025 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP); 2026 2027 AuthorizationSet begin_params(client_params()); 2028 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2029 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2030 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2031 2032 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2033 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2034 } 2035 2036 TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { 2037 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2038 .RsaEncryptionKey(768, 3) 2039 .Padding(KM_PAD_RSA_OAEP) 2040 .Digest(KM_DIGEST_SHA_2_256) 2041 .Digest(KM_DIGEST_SHA_2_384))); 2042 string message = "Hello World!"; 2043 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2044 2045 string result; 2046 size_t input_consumed; 2047 AuthorizationSet begin_params(client_params()); 2048 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2049 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384); 2050 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2051 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2052 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2053 EXPECT_EQ(0U, result.size()); 2054 2055 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2056 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2057 } 2058 2059 TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 2060 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2061 .RsaEncryptionKey(512, 3) 2062 .Padding(KM_PAD_RSA_OAEP) 2063 .Digest(KM_DIGEST_SHA1))); 2064 string message = "12345678901234567890123"; 2065 string result; 2066 size_t input_consumed; 2067 2068 AuthorizationSet begin_params(client_params()); 2069 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2070 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2071 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2072 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2073 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2074 EXPECT_EQ(0U, result.size()); 2075 2076 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2077 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2078 } 2079 2080 TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 2081 size_t key_size = 768; 2082 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2083 .RsaEncryptionKey(768, 3) 2084 .Padding(KM_PAD_RSA_OAEP) 2085 .Digest(KM_DIGEST_SHA_2_256))); 2086 string message = "Hello World!"; 2087 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2088 EXPECT_EQ(key_size / 8, ciphertext.size()); 2089 2090 // Corrupt the ciphertext 2091 ciphertext[key_size / 8 / 2]++; 2092 2093 string result; 2094 size_t input_consumed; 2095 AuthorizationSet begin_params(client_params()); 2096 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2097 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 2098 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2099 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2100 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2101 EXPECT_EQ(0U, result.size()); 2102 2103 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2104 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2105 } 2106 2107 TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 2108 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2109 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2110 string message = "Hello World!"; 2111 string ciphertext1 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2112 EXPECT_EQ(512U / 8, ciphertext1.size()); 2113 2114 string ciphertext2 = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2115 EXPECT_EQ(512U / 8, ciphertext2.size()); 2116 2117 // PKCS1 v1.5 randomizes padding so every result should be different. 2118 EXPECT_NE(ciphertext1, ciphertext2); 2119 2120 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2121 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2122 } 2123 2124 TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 2125 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2126 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2127 string message = "Hello World!"; 2128 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2129 EXPECT_EQ(512U / 8, ciphertext.size()); 2130 2131 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2132 EXPECT_EQ(message, plaintext); 2133 2134 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2135 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2136 } 2137 2138 TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 2139 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2140 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2141 string message = "123456789012345678901234567890123456789012345678901234"; 2142 string result; 2143 size_t input_consumed; 2144 2145 AuthorizationSet begin_params(client_params()); 2146 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2147 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2148 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2149 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result)); 2150 EXPECT_EQ(0U, result.size()); 2151 2152 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2153 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2154 } 2155 2156 TEST_P(EncryptionOperationsTest, RsaPkcs1InvalidDigest) { 2157 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2158 .RsaEncryptionKey(512, 3) 2159 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) 2160 .Digest(KM_DIGEST_NONE))); 2161 string message = "Hello World!"; 2162 string result; 2163 2164 AuthorizationSet begin_params(client_params()); 2165 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2166 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); // Any digest is invalid 2167 EXPECT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2168 2169 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2170 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2171 } 2172 2173 TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 2174 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2175 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2176 string message = "Hello World!"; 2177 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2178 EXPECT_EQ(512U / 8, ciphertext.size()); 2179 2180 // Corrupt the ciphertext 2181 ciphertext[512 / 8 / 2]++; 2182 2183 string result; 2184 size_t input_consumed; 2185 AuthorizationSet begin_params(client_params()); 2186 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2187 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2188 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2189 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2190 EXPECT_EQ(0U, result.size()); 2191 2192 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2193 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2194 } 2195 2196 TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 2197 ASSERT_EQ(KM_ERROR_OK, 2198 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); 2199 2200 AuthorizationSet begin_params(client_params()); 2201 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2202 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2203 2204 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_RSA)) 2205 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2206 } 2207 2208 TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 2209 ASSERT_EQ(KM_ERROR_OK, 2210 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 2211 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2212 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2213 2214 if (GetParam()->algorithm_in_hardware(KM_ALGORITHM_EC)) 2215 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2216 } 2217 2218 TEST_P(EncryptionOperationsTest, HmacEncrypt) { 2219 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2220 .HmacKey(128) 2221 .Digest(KM_DIGEST_SHA_2_256) 2222 .Padding(KM_PAD_NONE) 2223 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2224 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2225 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2226 2227 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2228 } 2229 2230 TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2231 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2232 .AesEncryptionKey(128) 2233 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2234 .Padding(KM_PAD_NONE))); 2235 // Two-block message. 2236 string message = "12345678901234567890123456789012"; 2237 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2238 EXPECT_EQ(message.size(), ciphertext1.size()); 2239 2240 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 2241 EXPECT_EQ(message.size(), ciphertext2.size()); 2242 2243 // ECB is deterministic. 2244 EXPECT_EQ(ciphertext1, ciphertext2); 2245 2246 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 2247 EXPECT_EQ(message, plaintext); 2248 2249 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2250 } 2251 2252 TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { 2253 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2254 .AesEncryptionKey(128) 2255 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2256 .Padding(KM_PAD_NONE))); 2257 // Two-block message. 2258 string message = "12345678901234567890123456789012"; 2259 AuthorizationSet begin_params(client_params()); 2260 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2261 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2262 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2263 2264 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2265 } 2266 2267 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2268 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2269 .AesEncryptionKey(128) 2270 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2271 .Padding(KM_PAD_NONE))); 2272 // Message is slightly shorter than two blocks. 2273 string message = "1234567890123456789012345678901"; 2274 2275 AuthorizationSet begin_params(client_params()); 2276 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2277 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2278 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2279 string ciphertext; 2280 size_t input_consumed; 2281 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &ciphertext, &input_consumed)); 2282 EXPECT_EQ(message.size(), input_consumed); 2283 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&ciphertext)); 2284 2285 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2286 } 2287 2288 TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2289 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2290 .AesEncryptionKey(128) 2291 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2292 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2293 2294 // Try various message lengths; all should work. 2295 for (size_t i = 0; i < 32; ++i) { 2296 string message(i, 'a'); 2297 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2298 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2299 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2300 EXPECT_EQ(message, plaintext); 2301 } 2302 2303 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2304 } 2305 2306 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { 2307 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2308 .AesEncryptionKey(128) 2309 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2310 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2311 2312 // Try various message lengths; all should fail. 2313 for (size_t i = 0; i < 32; ++i) { 2314 AuthorizationSet begin_params(client_params()); 2315 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2316 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2317 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 2318 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2319 } 2320 2321 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2322 } 2323 2324 TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2325 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2326 .AesEncryptionKey(128) 2327 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2328 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2329 2330 string message = "a"; 2331 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2332 EXPECT_EQ(16U, ciphertext.size()); 2333 EXPECT_NE(ciphertext, message); 2334 ++ciphertext[ciphertext.size() / 2]; 2335 2336 AuthorizationSet begin_params(client_params()); 2337 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2338 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2339 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2340 string plaintext; 2341 size_t input_consumed; 2342 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 2343 EXPECT_EQ(ciphertext.size(), input_consumed); 2344 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 2345 2346 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2347 } 2348 2349 TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2350 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2351 .AesEncryptionKey(128) 2352 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2353 .Padding(KM_PAD_NONE))); 2354 string message = "123"; 2355 string iv1; 2356 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 2357 EXPECT_EQ(message.size(), ciphertext1.size()); 2358 EXPECT_EQ(16U, iv1.size()); 2359 2360 string iv2; 2361 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 2362 EXPECT_EQ(message.size(), ciphertext2.size()); 2363 EXPECT_EQ(16U, iv2.size()); 2364 2365 // IVs should be random, so ciphertexts should differ. 2366 EXPECT_NE(iv1, iv2); 2367 EXPECT_NE(ciphertext1, ciphertext2); 2368 2369 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 2370 EXPECT_EQ(message, plaintext); 2371 2372 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2373 } 2374 2375 TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 2376 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2377 .AesEncryptionKey(128) 2378 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2379 .Padding(KM_PAD_NONE))); 2380 2381 int increment = 15; 2382 string message(239, 'a'); 2383 AuthorizationSet input_params(client_params()); 2384 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2385 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2386 AuthorizationSet output_params; 2387 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2388 2389 string ciphertext; 2390 size_t input_consumed; 2391 for (size_t i = 0; i < message.size(); i += increment) 2392 EXPECT_EQ(KM_ERROR_OK, 2393 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2394 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2395 EXPECT_EQ(message.size(), ciphertext.size()); 2396 2397 // Move TAG_NONCE into input_params 2398 input_params.Reinitialize(output_params); 2399 input_params.push_back(client_params()); 2400 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2401 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2402 output_params.Clear(); 2403 2404 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2405 string plaintext; 2406 for (size_t i = 0; i < ciphertext.size(); i += increment) 2407 EXPECT_EQ(KM_ERROR_OK, 2408 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2409 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2410 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2411 EXPECT_EQ(message, plaintext); 2412 2413 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2414 } 2415 2416 struct AesCtrSp80038aTestVector { 2417 const char* key; 2418 const char* nonce; 2419 const char* plaintext; 2420 const char* ciphertext; 2421 }; 2422 2423 // These test vectors are taken from 2424 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 2425 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 2426 // AES-128 2427 { 2428 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2429 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2430 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2431 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 2432 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 2433 }, 2434 // AES-192 2435 { 2436 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2437 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2438 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2439 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 2440 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 2441 }, 2442 // AES-256 2443 { 2444 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 2445 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2446 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2447 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2448 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2449 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2450 }, 2451 }; 2452 2453 TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2454 for (size_t i = 0; i < 3; i++) { 2455 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2456 const string key = hex2str(test.key); 2457 const string nonce = hex2str(test.nonce); 2458 const string plaintext = hex2str(test.plaintext); 2459 const string ciphertext = hex2str(test.ciphertext); 2460 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2461 } 2462 2463 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2464 } 2465 2466 TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2467 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2468 .AesEncryptionKey(128) 2469 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2470 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2471 AuthorizationSet begin_params(client_params()); 2472 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2473 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2474 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2475 2476 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2477 } 2478 2479 TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2480 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2481 .AesEncryptionKey(128) 2482 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2483 .Authorization(TAG_CALLER_NONCE) 2484 .Padding(KM_PAD_NONE))); 2485 2486 AuthorizationSet input_params(client_params()); 2487 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2488 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2489 input_params.push_back(TAG_NONCE, "123", 3); 2490 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2491 2492 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2493 } 2494 2495 TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2496 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2497 .AesEncryptionKey(128) 2498 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2499 .Padding(KM_PAD_NONE))); 2500 // Two-block message. 2501 string message = "12345678901234567890123456789012"; 2502 string iv1; 2503 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2504 EXPECT_EQ(message.size(), ciphertext1.size()); 2505 2506 string iv2; 2507 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2508 EXPECT_EQ(message.size(), ciphertext2.size()); 2509 2510 // IVs should be random, so ciphertexts should differ. 2511 EXPECT_NE(iv1, iv2); 2512 EXPECT_NE(ciphertext1, ciphertext2); 2513 2514 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2515 EXPECT_EQ(message, plaintext); 2516 2517 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2518 } 2519 2520 TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2521 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2522 .AesEncryptionKey(128) 2523 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2524 .Authorization(TAG_CALLER_NONCE) 2525 .Padding(KM_PAD_NONE))); 2526 string message = "12345678901234567890123456789012"; 2527 string iv1; 2528 // Don't specify nonce, should get a random one. 2529 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2530 EXPECT_EQ(message.size(), ciphertext1.size()); 2531 EXPECT_EQ(16U, iv1.size()); 2532 2533 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2534 EXPECT_EQ(message, plaintext); 2535 2536 // Now specify a nonce, should also work. 2537 AuthorizationSet input_params(client_params()); 2538 AuthorizationSet update_params; 2539 AuthorizationSet output_params; 2540 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2541 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2542 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2543 string ciphertext2 = 2544 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2545 2546 // Decrypt with correct nonce. 2547 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2548 &output_params); 2549 EXPECT_EQ(message, plaintext); 2550 2551 // Now try with wrong nonce. 2552 input_params.Reinitialize(client_params()); 2553 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2554 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2555 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2556 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2557 &output_params); 2558 EXPECT_NE(message, plaintext); 2559 2560 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2561 } 2562 2563 TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2564 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2565 .AesEncryptionKey(128) 2566 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2567 .Padding(KM_PAD_NONE))); 2568 2569 string message = "12345678901234567890123456789012"; 2570 string iv1; 2571 // Don't specify nonce, should get a random one. 2572 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2573 EXPECT_EQ(message.size(), ciphertext1.size()); 2574 EXPECT_EQ(16U, iv1.size()); 2575 2576 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2577 EXPECT_EQ(message, plaintext); 2578 2579 // Now specify a nonce, should fail. 2580 AuthorizationSet input_params(client_params()); 2581 AuthorizationSet update_params; 2582 AuthorizationSet output_params; 2583 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2584 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2585 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2586 2587 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2588 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2589 2590 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2591 } 2592 2593 TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2594 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2595 .AesEncryptionKey(128) 2596 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2597 .Padding(KM_PAD_NONE))); 2598 2599 int increment = 15; 2600 string message(240, 'a'); 2601 AuthorizationSet input_params(client_params()); 2602 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2603 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2604 AuthorizationSet output_params; 2605 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2606 2607 string ciphertext; 2608 size_t input_consumed; 2609 for (size_t i = 0; i < message.size(); i += increment) 2610 EXPECT_EQ(KM_ERROR_OK, 2611 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2612 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2613 EXPECT_EQ(message.size(), ciphertext.size()); 2614 2615 // Move TAG_NONCE into input_params 2616 input_params.Reinitialize(output_params); 2617 input_params.push_back(client_params()); 2618 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2619 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2620 output_params.Clear(); 2621 2622 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2623 string plaintext; 2624 for (size_t i = 0; i < ciphertext.size(); i += increment) 2625 EXPECT_EQ(KM_ERROR_OK, 2626 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2627 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2628 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2629 EXPECT_EQ(message, plaintext); 2630 2631 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2632 } 2633 2634 TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2635 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2636 .AesEncryptionKey(128) 2637 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2638 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2639 2640 // Try various message lengths; all should work. 2641 for (size_t i = 0; i < 32; ++i) { 2642 string message(i, 'a'); 2643 string iv; 2644 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2645 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2646 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2647 EXPECT_EQ(message, plaintext); 2648 } 2649 2650 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2651 } 2652 2653 TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2654 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2655 .AesEncryptionKey(128) 2656 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2657 .Authorization(TAG_PADDING, KM_PAD_NONE) 2658 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2659 string aad = "foobar"; 2660 string message = "123456789012345678901234567890123456"; 2661 AuthorizationSet begin_params(client_params()); 2662 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2663 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2664 begin_params.push_back(TAG_MAC_LENGTH, 128); 2665 2666 AuthorizationSet update_params; 2667 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2668 2669 // Encrypt 2670 AuthorizationSet begin_out_params; 2671 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2672 string ciphertext; 2673 size_t input_consumed; 2674 AuthorizationSet update_out_params; 2675 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2676 &input_consumed)); 2677 EXPECT_EQ(message.size(), input_consumed); 2678 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2679 2680 // Grab nonce 2681 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2682 begin_params.push_back(begin_out_params); 2683 2684 // Decrypt. 2685 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2686 string plaintext; 2687 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2688 &plaintext, &input_consumed)); 2689 EXPECT_EQ(ciphertext.size(), input_consumed); 2690 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2691 2692 EXPECT_EQ(message, plaintext); 2693 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2694 } 2695 2696 TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) { 2697 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2698 .AesEncryptionKey(128) 2699 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2700 .Authorization(TAG_PADDING, KM_PAD_NONE) 2701 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2702 string aad = "foobar"; 2703 string message = "123456789012345678901234567890123456"; 2704 AuthorizationSet begin_params(client_params()); 2705 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2706 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2707 begin_params.push_back(TAG_MAC_LENGTH, 96); 2708 2709 AuthorizationSet update_params; 2710 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2711 2712 AuthorizationSet begin_out_params; 2713 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 2714 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2715 2716 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2717 } 2718 2719 TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { 2720 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2721 .AesEncryptionKey(128) 2722 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2723 .Authorization(TAG_PADDING, KM_PAD_NONE) 2724 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2725 string aad = "foobar"; 2726 string message = "123456789012345678901234567890123456"; 2727 AuthorizationSet begin_params(client_params()); 2728 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2729 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2730 begin_params.push_back(TAG_MAC_LENGTH, 128); 2731 2732 AuthorizationSet update_params; 2733 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2734 2735 // Encrypt 2736 AuthorizationSet begin_out_params; 2737 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2738 string ciphertext; 2739 size_t input_consumed; 2740 AuthorizationSet update_out_params; 2741 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2742 &input_consumed)); 2743 EXPECT_EQ(message.size(), input_consumed); 2744 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2745 2746 // Grab nonce 2747 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2748 begin_params.Reinitialize(client_params()); 2749 begin_params.push_back(begin_out_params); 2750 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2751 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2752 begin_params.push_back(TAG_MAC_LENGTH, 96); 2753 2754 // Decrypt. 2755 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2756 2757 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2758 } 2759 2760 TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { 2761 uint8_t nonce[] = { 2762 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 2763 }; 2764 uint8_t ciphertext[] = { 2765 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 2766 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 2767 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 2768 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 2769 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 2770 }; 2771 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); 2772 2773 AuthorizationSet begin_params(client_params()); 2774 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2775 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2776 begin_params.push_back(TAG_MAC_LENGTH, 128); 2777 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); 2778 2779 string plaintext; 2780 size_t input_consumed; 2781 2782 // Import correct key and decrypt 2783 uint8_t good_key[] = { 2784 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2785 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2786 }; 2787 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); 2788 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2789 .AesEncryptionKey(128) 2790 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2791 .Authorization(TAG_PADDING, KM_PAD_NONE) 2792 .Authorization(TAG_CALLER_NONCE) 2793 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2794 KM_KEY_FORMAT_RAW, good_key_str)); 2795 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2796 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2797 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2798 2799 // Import bad key and decrypt 2800 uint8_t bad_key[] = { 2801 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 2802 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 2803 }; 2804 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); 2805 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 2806 .AesEncryptionKey(128) 2807 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2808 .Authorization(TAG_PADDING, KM_PAD_NONE) 2809 .Authorization(TAG_MIN_MAC_LENGTH, 128), 2810 KM_KEY_FORMAT_RAW, bad_key_str)); 2811 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2812 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 2813 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 2814 2815 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2816 } 2817 2818 TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { 2819 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2820 .AesEncryptionKey(128) 2821 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2822 .Authorization(TAG_PADDING, KM_PAD_NONE) 2823 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2824 string aad = "123456789012345678"; 2825 string empty_message; 2826 AuthorizationSet begin_params(client_params()); 2827 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2828 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2829 begin_params.push_back(TAG_MAC_LENGTH, 128); 2830 2831 AuthorizationSet update_params; 2832 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2833 2834 // Encrypt 2835 AuthorizationSet begin_out_params; 2836 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2837 string ciphertext; 2838 size_t input_consumed; 2839 AuthorizationSet update_out_params; 2840 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, 2841 &ciphertext, &input_consumed)); 2842 EXPECT_EQ(0U, input_consumed); 2843 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2844 2845 // Grab nonce 2846 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2847 begin_params.push_back(begin_out_params); 2848 2849 // Decrypt. 2850 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2851 string plaintext; 2852 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2853 &plaintext, &input_consumed)); 2854 EXPECT_EQ(ciphertext.size(), input_consumed); 2855 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2856 2857 EXPECT_EQ(empty_message, plaintext); 2858 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2859 } 2860 2861 TEST_P(EncryptionOperationsTest, AesGcmIncremental) { 2862 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2863 .AesEncryptionKey(128) 2864 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2865 .Authorization(TAG_PADDING, KM_PAD_NONE) 2866 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2867 AuthorizationSet begin_params(client_params()); 2868 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2869 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2870 begin_params.push_back(TAG_MAC_LENGTH, 128); 2871 2872 AuthorizationSet update_params; 2873 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); 2874 2875 // Encrypt 2876 AuthorizationSet begin_out_params; 2877 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2878 string ciphertext; 2879 size_t input_consumed; 2880 AuthorizationSet update_out_params; 2881 2882 // Send AAD, incrementally 2883 for (int i = 0; i < 1000; ++i) { 2884 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 2885 &input_consumed)); 2886 EXPECT_EQ(0U, input_consumed); 2887 EXPECT_EQ(0U, ciphertext.size()); 2888 } 2889 2890 // Now send data, incrementally, no data. 2891 AuthorizationSet empty_params; 2892 for (int i = 0; i < 1000; ++i) { 2893 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, 2894 &input_consumed)); 2895 EXPECT_EQ(1U, input_consumed); 2896 } 2897 EXPECT_EQ(1000U, ciphertext.size()); 2898 2899 // And finish. 2900 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2901 EXPECT_EQ(1016U, ciphertext.size()); 2902 2903 // Grab nonce 2904 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2905 begin_params.push_back(begin_out_params); 2906 2907 // Decrypt. 2908 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2909 string plaintext; 2910 2911 // Send AAD, incrementally, no data 2912 for (int i = 0; i < 1000; ++i) { 2913 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, 2914 &input_consumed)); 2915 EXPECT_EQ(0U, input_consumed); 2916 EXPECT_EQ(0U, plaintext.size()); 2917 } 2918 2919 // Now send data, incrementally. 2920 for (size_t i = 0; i < ciphertext.length(); ++i) { 2921 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), 2922 &update_out_params, &plaintext, &input_consumed)); 2923 EXPECT_EQ(1U, input_consumed); 2924 } 2925 EXPECT_EQ(1000U, plaintext.size()); 2926 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2927 2928 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2929 } 2930 2931 TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 2932 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2933 .AesEncryptionKey(128) 2934 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2935 .Authorization(TAG_PADDING, KM_PAD_NONE) 2936 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2937 string message = "123456789012345678901234567890123456"; 2938 AuthorizationSet begin_params(client_params()); 2939 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2940 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2941 begin_params.push_back(TAG_MAC_LENGTH, 128); 2942 AuthorizationSet begin_out_params; 2943 2944 AuthorizationSet update_params; 2945 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 2946 2947 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2948 2949 // No data, AAD only. 2950 string ciphertext; 2951 size_t input_consumed; 2952 AuthorizationSet update_out_params; 2953 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, 2954 &ciphertext, &input_consumed)); 2955 EXPECT_EQ(0U, input_consumed); 2956 2957 // AAD and data. 2958 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2959 &input_consumed)); 2960 EXPECT_EQ(message.size(), input_consumed); 2961 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2962 2963 // Grab nonce. 2964 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2965 begin_params.push_back(begin_out_params); 2966 2967 // Decrypt 2968 update_params.Clear(); 2969 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); 2970 2971 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2972 string plaintext; 2973 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2974 &plaintext, &input_consumed)); 2975 EXPECT_EQ(ciphertext.size(), input_consumed); 2976 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2977 2978 EXPECT_EQ(message, plaintext); 2979 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2980 } 2981 2982 TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 2983 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2984 .AesEncryptionKey(128) 2985 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2986 .Authorization(TAG_PADDING, KM_PAD_NONE) 2987 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2988 string message = "12345678901234567890123456789012"; 2989 AuthorizationSet begin_params(client_params()); 2990 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2991 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2992 begin_params.push_back(TAG_MAC_LENGTH, 128); 2993 2994 AuthorizationSet update_params; 2995 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 2996 2997 AuthorizationSet finish_params; 2998 AuthorizationSet finish_out_params; 2999 3000 // Encrypt 3001 AuthorizationSet begin_out_params; 3002 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3003 AuthorizationSet update_out_params; 3004 string ciphertext; 3005 size_t input_consumed; 3006 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3007 &input_consumed)); 3008 EXPECT_EQ(message.size(), input_consumed); 3009 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3010 3011 // Grab nonce 3012 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3013 begin_params.push_back(begin_out_params); 3014 3015 update_params.Clear(); 3016 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 3017 3018 // Decrypt. 3019 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3020 string plaintext; 3021 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3022 &plaintext, &input_consumed)); 3023 EXPECT_EQ(ciphertext.size(), input_consumed); 3024 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3025 3026 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3027 } 3028 3029 TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 3030 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3031 .AesEncryptionKey(128) 3032 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3033 .Authorization(TAG_PADDING, KM_PAD_NONE) 3034 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3035 string message = "12345678901234567890123456789012"; 3036 AuthorizationSet begin_params(client_params()); 3037 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3038 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3039 begin_params.push_back(TAG_MAC_LENGTH, 128); 3040 3041 AuthorizationSet update_params; 3042 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3043 3044 // Encrypt 3045 AuthorizationSet begin_out_params; 3046 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3047 AuthorizationSet update_out_params; 3048 string ciphertext; 3049 size_t input_consumed; 3050 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3051 &input_consumed)); 3052 EXPECT_EQ(message.size(), input_consumed); 3053 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3054 3055 begin_params.push_back(TAG_NONCE, "123456789012", 12); 3056 3057 // Decrypt 3058 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3059 string plaintext; 3060 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3061 &plaintext, &input_consumed)); 3062 EXPECT_EQ(ciphertext.size(), input_consumed); 3063 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3064 3065 // With wrong nonce, should have gotten garbage plaintext. 3066 EXPECT_NE(message, plaintext); 3067 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3068 } 3069 3070 TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 3071 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3072 .AesEncryptionKey(128) 3073 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3074 .Authorization(TAG_PADDING, KM_PAD_NONE) 3075 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3076 string aad = "foobar"; 3077 string message = "123456789012345678901234567890123456"; 3078 AuthorizationSet begin_params(client_params()); 3079 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3080 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3081 begin_params.push_back(TAG_MAC_LENGTH, 128); 3082 AuthorizationSet begin_out_params; 3083 3084 AuthorizationSet update_params; 3085 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3086 3087 // Encrypt 3088 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3089 AuthorizationSet update_out_params; 3090 string ciphertext; 3091 size_t input_consumed; 3092 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3093 &input_consumed)); 3094 EXPECT_EQ(message.size(), input_consumed); 3095 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3096 3097 // Corrupt tag 3098 (*ciphertext.rbegin())++; 3099 3100 // Grab nonce. 3101 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3102 begin_params.push_back(begin_out_params); 3103 3104 // Decrypt. 3105 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3106 string plaintext; 3107 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3108 &plaintext, &input_consumed)); 3109 EXPECT_EQ(ciphertext.size(), input_consumed); 3110 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3111 3112 EXPECT_EQ(message, plaintext); 3113 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3114 } 3115 3116 typedef Keymaster1Test MaxOperationsTest; 3117 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); 3118 3119 TEST_P(MaxOperationsTest, TestLimit) { 3120 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3121 .AesEncryptionKey(128) 3122 .EcbMode() 3123 .Authorization(TAG_PADDING, KM_PAD_NONE) 3124 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3125 3126 string message = "1234567890123456"; 3127 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3128 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3129 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3130 3131 // Fourth time should fail. 3132 AuthorizationSet begin_params(client_params()); 3133 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3134 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3135 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3136 3137 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3138 } 3139 3140 TEST_P(MaxOperationsTest, TestAbort) { 3141 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3142 .AesEncryptionKey(128) 3143 .EcbMode() 3144 .Authorization(TAG_PADDING, KM_PAD_NONE) 3145 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3146 3147 string message = "1234567890123456"; 3148 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3149 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3150 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3151 3152 // Fourth time should fail. 3153 AuthorizationSet begin_params(client_params()); 3154 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3155 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3156 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3157 3158 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3159 } 3160 3161 typedef Keymaster1Test AddEntropyTest; 3162 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 3163 3164 TEST_P(AddEntropyTest, AddEntropy) { 3165 // There's no obvious way to test that entropy is actually added, but we can test that the API 3166 // doesn't blow up or return an error. 3167 EXPECT_EQ(KM_ERROR_OK, 3168 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 3169 3170 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3171 } 3172 3173 typedef Keymaster1Test Keymaster0AdapterTest; 3174 INSTANTIATE_TEST_CASE_P( 3175 AndroidKeymasterTest, Keymaster0AdapterTest, 3176 ::testing::Values( 3177 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)), 3178 InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)))); 3179 3180 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1RsaBlob) { 3181 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3182 // key data. 3183 string km1_sw = read_file("km1_sw_rsa_512.blob"); 3184 EXPECT_EQ(486U, km1_sw.length()); 3185 3186 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3187 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3188 set_key_blob(key_data, km1_sw.length()); 3189 3190 string message(64, 'a'); 3191 string signature; 3192 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3193 3194 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3195 } 3196 3197 TEST_P(Keymaster0AdapterTest, UnversionedSoftwareKeymaster1RsaBlob) { 3198 // Load and use an old-style Keymaster1 software key blob, without the version byte. These 3199 // blobs contain OCB-encrypted key data. 3200 string km1_sw = read_file("km1_sw_rsa_512_unversioned.blob"); 3201 EXPECT_EQ(477U, km1_sw.length()); 3202 3203 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3204 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3205 set_key_blob(key_data, km1_sw.length()); 3206 3207 string message(64, 'a'); 3208 string signature; 3209 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3210 3211 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3212 } 3213 3214 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster1EcdsaBlob) { 3215 // Load and use an old-style Keymaster1 software key blob. These blobs contain OCB-encrypted 3216 // key data. 3217 string km1_sw = read_file("km1_sw_ecdsa_256.blob"); 3218 EXPECT_EQ(270U, km1_sw.length()); 3219 3220 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km1_sw.length())); 3221 memcpy(key_data, km1_sw.data(), km1_sw.length()); 3222 set_key_blob(key_data, km1_sw.length()); 3223 3224 string message(32, static_cast<char>(0xFF)); 3225 string signature; 3226 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3227 3228 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3229 } 3230 3231 struct Malloc_Delete { 3232 void operator()(void* p) { free(p); } 3233 }; 3234 3235 TEST_P(Keymaster0AdapterTest, OldSoftwareKeymaster0RsaBlob) { 3236 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3237 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3238 EXPECT_EQ(333U, km0_sw.length()); 3239 3240 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3241 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3242 set_key_blob(key_data, km0_sw.length()); 3243 3244 string message(64, 'a'); 3245 string signature; 3246 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3247 3248 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3249 } 3250 3251 TEST_P(Keymaster0AdapterTest, OldSwKeymaster0RsaBlobGetCharacteristics) { 3252 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3253 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3254 EXPECT_EQ(333U, km0_sw.length()); 3255 3256 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3257 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3258 set_key_blob(key_data, km0_sw.length()); 3259 3260 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3261 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3262 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3263 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3264 EXPECT_TRUE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3265 EXPECT_TRUE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3266 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3267 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3268 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3269 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3270 3271 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3272 } 3273 3274 TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlob) { 3275 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3276 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3277 EXPECT_EQ(333U, km0_sw.length()); 3278 3279 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3280 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3281 EXPECT_EQ('P', km0_sw[0]); 3282 km0_sw[0] = 'Q'; 3283 3284 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3285 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3286 set_key_blob(key_data, km0_sw.length()); 3287 3288 string message(64, 'a'); 3289 string signature; 3290 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 3291 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 3292 3293 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 3294 } 3295 3296 TEST_P(Keymaster0AdapterTest, OldHwKeymaster0RsaBlobGetCharacteristics) { 3297 // Load and use an old softkeymaster blob. These blobs contain PKCS#8 key data. 3298 string km0_sw = read_file("km0_sw_rsa_512.blob"); 3299 EXPECT_EQ(333U, km0_sw.length()); 3300 3301 // The keymaster0 wrapper swaps the old softkeymaster leading 'P' for a 'Q' to make the key not 3302 // be recognized as a software key. Do the same here to pretend this is a hardware key. 3303 EXPECT_EQ('P', km0_sw[0]); 3304 km0_sw[0] = 'Q'; 3305 3306 uint8_t* key_data = reinterpret_cast<uint8_t*>(malloc(km0_sw.length())); 3307 memcpy(key_data, km0_sw.data(), km0_sw.length()); 3308 set_key_blob(key_data, km0_sw.length()); 3309 3310 EXPECT_EQ(KM_ERROR_OK, GetCharacteristics()); 3311 EXPECT_TRUE(contains(hw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3312 EXPECT_TRUE(contains(hw_enforced(), TAG_KEY_SIZE, 512)); 3313 EXPECT_TRUE(contains(hw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3314 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3315 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_MD5)); 3316 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA1)); 3317 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_224)); 3318 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_256)); 3319 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_384)); 3320 EXPECT_TRUE(contains(hw_enforced(), TAG_DIGEST, KM_DIGEST_SHA_2_512)); 3321 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3322 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT)); 3323 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN)); 3324 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_OAEP)); 3325 EXPECT_TRUE(contains(hw_enforced(), TAG_PADDING, KM_PAD_RSA_PSS)); 3326 EXPECT_EQ(15U, hw_enforced().size()); 3327 3328 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_SIGN)); 3329 EXPECT_TRUE(contains(sw_enforced(), TAG_PURPOSE, KM_PURPOSE_VERIFY)); 3330 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_ALL_USERS)); 3331 EXPECT_TRUE(sw_enforced().GetTagValue(TAG_NO_AUTH_REQUIRED)); 3332 3333 EXPECT_FALSE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA)); 3334 EXPECT_FALSE(contains(sw_enforced(), TAG_KEY_SIZE, 512)); 3335 EXPECT_FALSE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 3)); 3336 EXPECT_FALSE(contains(sw_enforced(), TAG_DIGEST, KM_DIGEST_NONE)); 3337 EXPECT_FALSE(contains(sw_enforced(), TAG_PADDING, KM_PAD_NONE)); 3338 3339 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 3340 } 3341 3342 } // namespace test 3343 } // namespace keymaster 3344
