Home | History | Annotate | Download | only in functional
      1 /*
      2  * Copyright (C) 2016 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #define LOG_TAG "keymaster_hidl_hal_test"
     18 #include <cutils/log.h>
     19 
     20 #include <iostream>
     21 
     22 #include <openssl/evp.h>
     23 #include <openssl/x509.h>
     24 
     25 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
     26 #include <android/hardware/keymaster/3.0/types.h>
     27 
     28 #include <cutils/properties.h>
     29 
     30 #include <keymaster/keymaster_configuration.h>
     31 
     32 #include "authorization_set.h"
     33 #include "key_param_output.h"
     34 
     35 #include <VtsHalHidlTargetTestBase.h>
     36 
     37 #include "attestation_record.h"
     38 #include "openssl_utils.h"
     39 
     40 using ::android::sp;
     41 
     42 using ::std::string;
     43 
     44 // This service_name will be passed to getService when retrieving the keymaster service to test.  To
     45 // change it from "default" specify the selected service name on the command line.  The first
     46 // non-gtest argument will be used as the service name.
     47 string service_name = "default";
     48 
     49 static bool arm_deleteAllKeys = false;
     50 
     51 namespace android {
     52 namespace hardware {
     53 
     54 template <typename T> bool operator==(const hidl_vec<T>& a, const hidl_vec<T>& b) {
     55     if (a.size() != b.size()) {
     56         return false;
     57     }
     58     for (size_t i = 0; i < a.size(); ++i) {
     59         if (a[i] != b[i]) {
     60             return false;
     61         }
     62     }
     63     return true;
     64 }
     65 
     66 namespace keymaster {
     67 namespace V3_0 {
     68 
     69 bool operator==(const KeyParameter& a, const KeyParameter& b) {
     70     if (a.tag != b.tag) {
     71         return false;
     72     }
     73 
     74     switch (a.tag) {
     75 
     76     /* Boolean tags */
     77     case Tag::INVALID:
     78     case Tag::CALLER_NONCE:
     79     case Tag::INCLUDE_UNIQUE_ID:
     80     case Tag::ECIES_SINGLE_HASH_MODE:
     81     case Tag::BOOTLOADER_ONLY:
     82     case Tag::NO_AUTH_REQUIRED:
     83     case Tag::ALLOW_WHILE_ON_BODY:
     84     case Tag::EXPORTABLE:
     85     case Tag::ALL_APPLICATIONS:
     86     case Tag::ROLLBACK_RESISTANT:
     87     case Tag::RESET_SINCE_ID_ROTATION:
     88         return true;
     89 
     90     /* Integer tags */
     91     case Tag::KEY_SIZE:
     92     case Tag::MIN_MAC_LENGTH:
     93     case Tag::MIN_SECONDS_BETWEEN_OPS:
     94     case Tag::MAX_USES_PER_BOOT:
     95     case Tag::ALL_USERS:
     96     case Tag::USER_ID:
     97     case Tag::OS_VERSION:
     98     case Tag::OS_PATCHLEVEL:
     99     case Tag::MAC_LENGTH:
    100     case Tag::AUTH_TIMEOUT:
    101         return a.f.integer == b.f.integer;
    102 
    103     /* Long integer tags */
    104     case Tag::RSA_PUBLIC_EXPONENT:
    105     case Tag::USER_SECURE_ID:
    106         return a.f.longInteger == b.f.longInteger;
    107 
    108     /* Date-time tags */
    109     case Tag::ACTIVE_DATETIME:
    110     case Tag::ORIGINATION_EXPIRE_DATETIME:
    111     case Tag::USAGE_EXPIRE_DATETIME:
    112     case Tag::CREATION_DATETIME:
    113         return a.f.dateTime == b.f.dateTime;
    114 
    115     /* Bytes tags */
    116     case Tag::APPLICATION_ID:
    117     case Tag::APPLICATION_DATA:
    118     case Tag::ROOT_OF_TRUST:
    119     case Tag::UNIQUE_ID:
    120     case Tag::ATTESTATION_CHALLENGE:
    121     case Tag::ATTESTATION_APPLICATION_ID:
    122     case Tag::ATTESTATION_ID_BRAND:
    123     case Tag::ATTESTATION_ID_DEVICE:
    124     case Tag::ATTESTATION_ID_PRODUCT:
    125     case Tag::ATTESTATION_ID_SERIAL:
    126     case Tag::ATTESTATION_ID_IMEI:
    127     case Tag::ATTESTATION_ID_MEID:
    128     case Tag::ATTESTATION_ID_MANUFACTURER:
    129     case Tag::ATTESTATION_ID_MODEL:
    130     case Tag::ASSOCIATED_DATA:
    131     case Tag::NONCE:
    132     case Tag::AUTH_TOKEN:
    133         return a.blob == b.blob;
    134 
    135     /* Enum tags */
    136     case Tag::PURPOSE:
    137         return a.f.purpose == b.f.purpose;
    138     case Tag::ALGORITHM:
    139         return a.f.algorithm == b.f.algorithm;
    140     case Tag::BLOCK_MODE:
    141         return a.f.blockMode == b.f.blockMode;
    142     case Tag::DIGEST:
    143         return a.f.digest == b.f.digest;
    144     case Tag::PADDING:
    145         return a.f.paddingMode == b.f.paddingMode;
    146     case Tag::EC_CURVE:
    147         return a.f.ecCurve == b.f.ecCurve;
    148     case Tag::BLOB_USAGE_REQUIREMENTS:
    149         return a.f.keyBlobUsageRequirements == b.f.keyBlobUsageRequirements;
    150     case Tag::USER_AUTH_TYPE:
    151         return a.f.integer == b.f.integer;
    152     case Tag::ORIGIN:
    153         return a.f.origin == b.f.origin;
    154 
    155     /* Unsupported tags */
    156     case Tag::KDF:
    157         return false;
    158     }
    159 }
    160 
    161 bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
    162     return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin());
    163 }
    164 
    165 bool operator==(const KeyCharacteristics& a, const KeyCharacteristics& b) {
    166     // This isn't very efficient. Oh, well.
    167     AuthorizationSet a_sw(a.softwareEnforced);
    168     AuthorizationSet b_sw(b.softwareEnforced);
    169     AuthorizationSet a_tee(b.teeEnforced);
    170     AuthorizationSet b_tee(b.teeEnforced);
    171 
    172     a_sw.Sort();
    173     b_sw.Sort();
    174     a_tee.Sort();
    175     b_tee.Sort();
    176 
    177     return a_sw == b_sw && a_tee == b_sw;
    178 }
    179 
    180 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
    181     if (set.size() == 0)
    182         os << "(Empty)" << ::std::endl;
    183     else {
    184         os << "\n";
    185         for (size_t i = 0; i < set.size(); ++i)
    186             os << set[i] << ::std::endl;
    187     }
    188     return os;
    189 }
    190 
    191 namespace test {
    192 namespace {
    193 
    194 template <TagType tag_type, Tag tag, typename ValueT>
    195 bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag> ttag, ValueT expected_value) {
    196     size_t count = std::count_if(set.begin(), set.end(), [&](const KeyParameter& param) {
    197         return param.tag == tag && accessTagValue(ttag, param) == expected_value;
    198     });
    199     return count == 1;
    200 }
    201 
    202 template <TagType tag_type, Tag tag>
    203 bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag>) {
    204     size_t count = std::count_if(set.begin(), set.end(),
    205                                  [&](const KeyParameter& param) { return param.tag == tag; });
    206     return count > 0;
    207 }
    208 
    209 constexpr char hex_value[256] = {0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    210                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    211                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    212                                  0, 1,  2,  3,  4,  5,  6,  7, 8, 9, 0, 0, 0, 0, 0, 0,  // '0'..'9'
    213                                  0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 'A'..'F'
    214                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    215                                  0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 'a'..'f'
    216                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    217                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    218                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    219                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    220                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    221                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    222                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    223                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
    224                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0};
    225 
    226 string hex2str(string a) {
    227     string b;
    228     size_t num = a.size() / 2;
    229     b.resize(num);
    230     for (size_t i = 0; i < num; i++) {
    231         b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
    232     }
    233     return b;
    234 }
    235 
    236 string rsa_key = hex2str(
    237     "30820275020100300d06092a864886f70d01010105000482025f3082025b"
    238     "02010002818100c6095409047d8634812d5a218176e45c41d60a75b13901"
    239     "f234226cffe776521c5a77b9e389417b71c0b6a44d13afe4e4a2805d46c9"
    240     "da2935adb1ff0c1f24ea06e62b20d776430a4d435157233c6f916783c30e"
    241     "310fcbd89b85c2d56771169785ac12bca244abda72bfb19fc44d27c81e1d"
    242     "92de284f4061edfd99280745ea6d2502030100010281801be0f04d9cae37"
    243     "18691f035338308e91564b55899ffb5084d2460e6630257e05b3ceab0297"
    244     "2dfabcd6ce5f6ee2589eb67911ed0fac16e43a444b8c861e544a05933657"
    245     "72f8baf6b22fc9e3c5f1024b063ac080a7b2234cf8aee8f6c47bbf4fd3ac"
    246     "e7240290bef16c0b3f7f3cdd64ce3ab5912cf6e32f39ab188358afcccd80"
    247     "81024100e4b49ef50f765d3b24dde01aceaaf130f2c76670a91a61ae08af"
    248     "497b4a82be6dee8fcdd5e3f7ba1cfb1f0c926b88f88c92bfab137fba2285"
    249     "227b83c342ff7c55024100ddabb5839c4c7f6bf3d4183231f005b31aa58a"
    250     "ffdda5c79e4cce217f6bc930dbe563d480706c24e9ebfcab28a6cdefd324"
    251     "b77e1bf7251b709092c24ff501fd91024023d4340eda3445d8cd26c14411"
    252     "da6fdca63c1ccd4b80a98ad52b78cc8ad8beb2842c1d280405bc2f6c1bea"
    253     "214a1d742ab996b35b63a82a5e470fa88dbf823cdd02401b7b57449ad30d"
    254     "1518249a5f56bb98294d4b6ac12ffc86940497a5a5837a6cf946262b4945"
    255     "26d328c11e1126380fde04c24f916dec250892db09a6d77cdba351024077"
    256     "62cd8f4d050da56bd591adb515d24d7ccd32cca0d05f866d583514bd7324"
    257     "d5f33645e8ed8b4a1cb3cc4a1d67987399f2a09f5b3fb68c88d5e5d90ac3"
    258     "3492d6");
    259 
    260 string ec_256_key = hex2str(
    261     "308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
    262     "6b0201010420737c2ecd7b8d1940bf2930aa9b4ed3ff941eed09366bc032"
    263     "99986481f3a4d859a14403420004bf85d7720d07c25461683bc648b4778a"
    264     "9a14dd8a024e3bdd8c7ddd9ab2b528bbc7aa1b51f14ebbbb0bd0ce21bcc4"
    265     "1c6eb00083cf3376d11fd44949e0b2183bfe");
    266 
    267 string ec_521_key = hex2str(
    268     "3081EE020100301006072A8648CE3D020106052B810400230481D63081D3"
    269     "02010104420011458C586DB5DAA92AFAB03F4FE46AA9D9C3CE9A9B7A006A"
    270     "8384BEC4C78E8E9D18D7D08B5BCFA0E53C75B064AD51C449BAE0258D54B9"
    271     "4B1E885DED08ED4FB25CE9A1818903818600040149EC11C6DF0FA122C6A9"
    272     "AFD9754A4FA9513A627CA329E349535A5629875A8ADFBE27DCB932C05198"
    273     "6377108D054C28C6F39B6F2C9AF81802F9F326B842FF2E5F3C00AB7635CF"
    274     "B36157FC0882D574A10D839C1A0C049DC5E0D775E2EE50671A208431BB45"
    275     "E78E70BEFE930DB34818EE4D5C26259F5C6B8E28A652950F9F88D7B4B2C9"
    276     "D9");
    277 
    278 struct RSA_Delete {
    279     void operator()(RSA* p) { RSA_free(p); }
    280 };
    281 
    282 X509* parse_cert_blob(const hidl_vec<uint8_t>& blob) {
    283     const uint8_t* p = blob.data();
    284     return d2i_X509(nullptr, &p, blob.size());
    285 }
    286 
    287 bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) {
    288     for (size_t i = 0; i < chain.size() - 1; ++i) {
    289         auto& key_cert_blob = chain[i];
    290         auto& signing_cert_blob = chain[i + 1];
    291 
    292         X509_Ptr key_cert(parse_cert_blob(key_cert_blob));
    293         X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob));
    294         EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
    295         if (!key_cert.get() || !signing_cert.get()) return false;
    296 
    297         EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
    298         EXPECT_TRUE(!!signing_pubkey.get());
    299         if (!signing_pubkey.get()) return false;
    300 
    301         EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
    302             << "Verification of certificate " << i << " failed";
    303     }
    304 
    305     return true;
    306 }
    307 
    308 // Extract attestation record from cert. Returned object is still part of cert; don't free it
    309 // separately.
    310 ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
    311     ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
    312     EXPECT_TRUE(!!oid.get());
    313     if (!oid.get()) return nullptr;
    314 
    315     int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
    316     EXPECT_NE(-1, location);
    317     if (location == -1) return nullptr;
    318 
    319     X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
    320     EXPECT_TRUE(!!attest_rec_ext);
    321     if (!attest_rec_ext) return nullptr;
    322 
    323     ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
    324     EXPECT_TRUE(!!attest_rec);
    325     return attest_rec;
    326 }
    327 
    328 bool tag_in_list(const KeyParameter& entry) {
    329     // Attestations don't contain everything in key authorization lists, so we need to filter
    330     // the key lists to produce the lists that we expect to match the attestations.
    331     auto tag_list = {
    332         Tag::USER_ID, Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS,
    333         Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */,
    334     };
    335     return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end();
    336 }
    337 
    338 AuthorizationSet filter_tags(const AuthorizationSet& set) {
    339     AuthorizationSet filtered;
    340     std::remove_copy_if(set.begin(), set.end(), std::back_inserter(filtered), tag_in_list);
    341     return filtered;
    342 }
    343 
    344 std::string make_string(const uint8_t* data, size_t length) {
    345     return std::string(reinterpret_cast<const char*>(data), length);
    346 }
    347 
    348 template <size_t N> std::string make_string(const uint8_t (&a)[N]) {
    349     return make_string(a, N);
    350 }
    351 
    352 class HidlBuf : public hidl_vec<uint8_t> {
    353     typedef hidl_vec<uint8_t> super;
    354 
    355   public:
    356     HidlBuf() {}
    357     HidlBuf(const super& other) : super(other) {}
    358     HidlBuf(super&& other) : super(std::move(other)) {}
    359     explicit HidlBuf(const std::string& other) : HidlBuf() { *this = other; }
    360 
    361     HidlBuf& operator=(const super& other) {
    362         super::operator=(other);
    363         return *this;
    364     }
    365 
    366     HidlBuf& operator=(super&& other) {
    367         super::operator=(std::move(other));
    368         return *this;
    369     }
    370 
    371     HidlBuf& operator=(const string& other) {
    372         resize(other.size());
    373         for (size_t i = 0; i < other.size(); ++i) {
    374             (*this)[i] = static_cast<uint8_t>(other[i]);
    375         }
    376         return *this;
    377     }
    378 
    379     string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
    380 };
    381 
    382 constexpr uint64_t kOpHandleSentinel = 0xFFFFFFFFFFFFFFFF;
    383 
    384 }  // namespace
    385 
    386 class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase {
    387   public:
    388     void TearDown() override {
    389         if (key_blob_.size()) {
    390             CheckedDeleteKey();
    391         }
    392         AbortIfNeeded();
    393     }
    394 
    395     // SetUpTestCase runs only once per test case, not once per test.
    396     static void SetUpTestCase() {
    397         keymaster_ = IKeymasterDevice::getService(service_name);
    398         ASSERT_NE(keymaster_, nullptr);
    399 
    400         ASSERT_TRUE(
    401             keymaster_
    402                 ->getHardwareFeatures([&](bool isSecure, bool supportsEc, bool supportsSymmetric,
    403                                           bool supportsAttestation, bool supportsAllDigests,
    404                                           const hidl_string& name, const hidl_string& author) {
    405                     is_secure_ = isSecure;
    406                     supports_ec_ = supportsEc;
    407                     supports_symmetric_ = supportsSymmetric;
    408                     supports_attestation_ = supportsAttestation;
    409                     supports_all_digests_ = supportsAllDigests;
    410                     name_ = name;
    411                     author_ = author;
    412                 })
    413                 .isOk());
    414 
    415         os_version_ = ::keymaster::GetOsVersion();
    416         os_patch_level_ = ::keymaster::GetOsPatchlevel();
    417     }
    418 
    419     static void TearDownTestCase() { keymaster_.clear(); }
    420 
    421     static IKeymasterDevice& keymaster() { return *keymaster_; }
    422     static uint32_t os_version() { return os_version_; }
    423     static uint32_t os_patch_level() { return os_patch_level_; }
    424 
    425     AuthorizationSet UserAuths() { return AuthorizationSetBuilder().Authorization(TAG_USER_ID, 7); }
    426 
    427     ErrorCode GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob,
    428                           KeyCharacteristics* key_characteristics) {
    429         EXPECT_NE(key_blob, nullptr);
    430         EXPECT_NE(key_characteristics, nullptr);
    431         EXPECT_EQ(0U, key_blob->size());
    432 
    433         ErrorCode error;
    434         EXPECT_TRUE(keymaster_
    435                         ->generateKey(key_desc.hidl_data(),
    436                                       [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
    437                                           const KeyCharacteristics& hidl_key_characteristics) {
    438                                           error = hidl_error;
    439                                           *key_blob = hidl_key_blob;
    440                                           *key_characteristics = hidl_key_characteristics;
    441                                       })
    442                         .isOk());
    443         // On error, blob & characteristics should be empty.
    444         if (error != ErrorCode::OK) {
    445             EXPECT_EQ(0U, key_blob->size());
    446             EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
    447                            key_characteristics->teeEnforced.size()));
    448         }
    449         return error;
    450     }
    451 
    452     ErrorCode GenerateKey(const AuthorizationSet& key_desc) {
    453         return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
    454     }
    455 
    456     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
    457                         const string& key_material, HidlBuf* key_blob,
    458                         KeyCharacteristics* key_characteristics) {
    459         ErrorCode error;
    460         EXPECT_TRUE(keymaster_
    461                         ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material),
    462                                     [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
    463                                         const KeyCharacteristics& hidl_key_characteristics) {
    464                                         error = hidl_error;
    465                                         *key_blob = hidl_key_blob;
    466                                         *key_characteristics = hidl_key_characteristics;
    467                                     })
    468                         .isOk());
    469         // On error, blob & characteristics should be empty.
    470         if (error != ErrorCode::OK) {
    471             EXPECT_EQ(0U, key_blob->size());
    472             EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
    473                            key_characteristics->teeEnforced.size()));
    474         }
    475         return error;
    476     }
    477 
    478     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
    479                         const string& key_material) {
    480         return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
    481     }
    482 
    483     ErrorCode ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id,
    484                         const HidlBuf& app_data, HidlBuf* key_material) {
    485         ErrorCode error;
    486         EXPECT_TRUE(
    487             keymaster_
    488                 ->exportKey(format, key_blob, client_id, app_data,
    489                             [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) {
    490                                 error = hidl_error_code;
    491                                 *key_material = hidl_key_material;
    492                             })
    493                 .isOk());
    494         // On error, blob should be empty.
    495         if (error != ErrorCode::OK) {
    496             EXPECT_EQ(0U, key_material->size());
    497         }
    498         return error;
    499     }
    500 
    501     ErrorCode ExportKey(KeyFormat format, HidlBuf* key_material) {
    502         HidlBuf client_id, app_data;
    503         return ExportKey(format, key_blob_, client_id, app_data, key_material);
    504     }
    505 
    506     ErrorCode DeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) {
    507         ErrorCode error = keymaster_->deleteKey(*key_blob);
    508         if (!keep_key_blob) *key_blob = HidlBuf();
    509         return error;
    510     }
    511 
    512     ErrorCode DeleteKey(bool keep_key_blob = false) {
    513         return DeleteKey(&key_blob_, keep_key_blob);
    514     }
    515 
    516     ErrorCode DeleteAllKeys() {
    517         ErrorCode error = keymaster_->deleteAllKeys();
    518         return error;
    519     }
    520 
    521     void CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) {
    522         auto rc = DeleteKey(key_blob, keep_key_blob);
    523         EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
    524     }
    525 
    526     void CheckedDeleteKey() { CheckedDeleteKey(&key_blob_); }
    527 
    528     ErrorCode GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
    529                                  const HidlBuf& app_data, KeyCharacteristics* key_characteristics) {
    530         ErrorCode error;
    531         keymaster_->getKeyCharacteristics(
    532             key_blob, client_id, app_data,
    533             [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) {
    534                 error = hidl_error, *key_characteristics = hidl_key_characteristics;
    535             });
    536         return error;
    537     }
    538 
    539     ErrorCode GetCharacteristics(const HidlBuf& key_blob, KeyCharacteristics* key_characteristics) {
    540         HidlBuf client_id, app_data;
    541         return GetCharacteristics(key_blob, client_id, app_data, key_characteristics);
    542     }
    543 
    544     ErrorCode Begin(KeyPurpose purpose, const HidlBuf& key_blob, const AuthorizationSet& in_params,
    545                     AuthorizationSet* out_params, OperationHandle* op_handle) {
    546         SCOPED_TRACE("Begin");
    547         ErrorCode error;
    548         OperationHandle saved_handle = *op_handle;
    549         EXPECT_TRUE(
    550             keymaster_
    551                 ->begin(purpose, key_blob, in_params.hidl_data(),
    552                         [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
    553                             uint64_t hidl_op_handle) {
    554                             error = hidl_error;
    555                             *out_params = hidl_out_params;
    556                             *op_handle = hidl_op_handle;
    557                         })
    558                 .isOk());
    559         if (error != ErrorCode::OK) {
    560             // Some implementations may modify *op_handle on error.
    561             *op_handle = saved_handle;
    562         }
    563         return error;
    564     }
    565 
    566     ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
    567                     AuthorizationSet* out_params) {
    568         SCOPED_TRACE("Begin");
    569         EXPECT_EQ(kOpHandleSentinel, op_handle_);
    570         return Begin(purpose, key_blob_, in_params, out_params, &op_handle_);
    571     }
    572 
    573     ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
    574         SCOPED_TRACE("Begin");
    575         AuthorizationSet out_params;
    576         ErrorCode error = Begin(purpose, in_params, &out_params);
    577         EXPECT_TRUE(out_params.empty());
    578         return error;
    579     }
    580 
    581     ErrorCode Update(OperationHandle op_handle, const AuthorizationSet& in_params,
    582                      const string& input, AuthorizationSet* out_params, string* output,
    583                      size_t* input_consumed) {
    584         SCOPED_TRACE("Update");
    585         ErrorCode error;
    586         EXPECT_TRUE(keymaster_
    587                         ->update(op_handle, in_params.hidl_data(), HidlBuf(input),
    588                                  [&](ErrorCode hidl_error, uint32_t hidl_input_consumed,
    589                                      const hidl_vec<KeyParameter>& hidl_out_params,
    590                                      const HidlBuf& hidl_output) {
    591                                      error = hidl_error;
    592                                      out_params->push_back(AuthorizationSet(hidl_out_params));
    593                                      output->append(hidl_output.to_string());
    594                                      *input_consumed = hidl_input_consumed;
    595                                  })
    596                         .isOk());
    597         return error;
    598     }
    599 
    600     ErrorCode Update(const string& input, string* out, size_t* input_consumed) {
    601         SCOPED_TRACE("Update");
    602         AuthorizationSet out_params;
    603         ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params,
    604                                  out, input_consumed);
    605         EXPECT_TRUE(out_params.empty());
    606         return error;
    607     }
    608 
    609     ErrorCode Finish(OperationHandle op_handle, const AuthorizationSet& in_params,
    610                      const string& input, const string& signature, AuthorizationSet* out_params,
    611                      string* output) {
    612         SCOPED_TRACE("Finish");
    613         ErrorCode error;
    614         EXPECT_TRUE(
    615             keymaster_
    616                 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature),
    617                          [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
    618                              const HidlBuf& hidl_output) {
    619                              error = hidl_error;
    620                              *out_params = hidl_out_params;
    621                              output->append(hidl_output.to_string());
    622                          })
    623                 .isOk());
    624         op_handle_ = kOpHandleSentinel;  // So dtor doesn't Abort().
    625         return error;
    626     }
    627 
    628     ErrorCode Finish(const string& message, string* output) {
    629         SCOPED_TRACE("Finish");
    630         AuthorizationSet out_params;
    631         string finish_output;
    632         ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message,
    633                                  "" /* signature */, &out_params, output);
    634         if (error != ErrorCode::OK) {
    635             return error;
    636         }
    637         EXPECT_EQ(0U, out_params.size());
    638         return error;
    639     }
    640 
    641     ErrorCode Finish(const string& message, const string& signature, string* output) {
    642         SCOPED_TRACE("Finish");
    643         AuthorizationSet out_params;
    644         ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature,
    645                                  &out_params, output);
    646         op_handle_ = kOpHandleSentinel;  // So dtor doesn't Abort().
    647         if (error != ErrorCode::OK) {
    648             return error;
    649         }
    650         EXPECT_EQ(0U, out_params.size());
    651         return error;
    652     }
    653 
    654     ErrorCode Abort(OperationHandle op_handle) {
    655         SCOPED_TRACE("Abort");
    656         auto retval = keymaster_->abort(op_handle);
    657         EXPECT_TRUE(retval.isOk());
    658         return retval;
    659     }
    660 
    661     void AbortIfNeeded() {
    662         SCOPED_TRACE("AbortIfNeeded");
    663         if (op_handle_ != kOpHandleSentinel) {
    664             EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
    665             op_handle_ = kOpHandleSentinel;
    666         }
    667     }
    668 
    669     ErrorCode AttestKey(const HidlBuf& key_blob, const AuthorizationSet& attest_params,
    670                         hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
    671         SCOPED_TRACE("AttestKey");
    672         ErrorCode error;
    673         keymaster_->attestKey(
    674             key_blob, attest_params.hidl_data(),
    675             [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) {
    676                 error = hidl_error;
    677                 *cert_chain = hidl_cert_chain;
    678             });
    679         return error;
    680     }
    681 
    682     ErrorCode AttestKey(const AuthorizationSet& attest_params,
    683                         hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
    684         SCOPED_TRACE("AttestKey");
    685         return AttestKey(key_blob_, attest_params, cert_chain);
    686     }
    687 
    688     string ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation, const string& message,
    689                           const AuthorizationSet& in_params, AuthorizationSet* out_params) {
    690         SCOPED_TRACE("ProcessMessage");
    691         AuthorizationSet begin_out_params;
    692         EXPECT_EQ(ErrorCode::OK,
    693                   Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
    694 
    695         string unused;
    696         AuthorizationSet finish_params;
    697         AuthorizationSet finish_out_params;
    698         string output;
    699         EXPECT_EQ(ErrorCode::OK,
    700                   Finish(op_handle_, finish_params, message, unused, &finish_out_params, &output));
    701         op_handle_ = kOpHandleSentinel;
    702 
    703         out_params->push_back(begin_out_params);
    704         out_params->push_back(finish_out_params);
    705         return output;
    706     }
    707 
    708     string SignMessage(const HidlBuf& key_blob, const string& message,
    709                        const AuthorizationSet& params) {
    710         SCOPED_TRACE("SignMessage");
    711         AuthorizationSet out_params;
    712         string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
    713         EXPECT_TRUE(out_params.empty());
    714         return signature;
    715     }
    716 
    717     string SignMessage(const string& message, const AuthorizationSet& params) {
    718         SCOPED_TRACE("SignMessage");
    719         return SignMessage(key_blob_, message, params);
    720     }
    721 
    722     string MacMessage(const string& message, Digest digest, size_t mac_length) {
    723         SCOPED_TRACE("MacMessage");
    724         return SignMessage(
    725             key_blob_, message,
    726             AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
    727     }
    728 
    729     void CheckHmacTestVector(const string& key, const string& message, Digest digest,
    730                              const string& expected_mac) {
    731         SCOPED_TRACE("CheckHmacTestVector");
    732         ASSERT_EQ(ErrorCode::OK,
    733                   ImportKey(AuthorizationSetBuilder()
    734                                 .Authorization(TAG_NO_AUTH_REQUIRED)
    735                                 .HmacKey(key.size() * 8)
    736                                 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
    737                                 .Digest(digest),
    738                             KeyFormat::RAW, key));
    739         string signature = MacMessage(message, digest, expected_mac.size() * 8);
    740         EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << (int)digest;
    741         CheckedDeleteKey();
    742     }
    743 
    744     void CheckAesCtrTestVector(const string& key, const string& nonce, const string& message,
    745                                const string& expected_ciphertext) {
    746         SCOPED_TRACE("CheckAesCtrTestVector");
    747         ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
    748                                                .Authorization(TAG_NO_AUTH_REQUIRED)
    749                                                .AesEncryptionKey(key.size() * 8)
    750                                                .BlockMode(BlockMode::CTR)
    751                                                .Authorization(TAG_CALLER_NONCE)
    752                                                .Padding(PaddingMode::NONE),
    753                                            KeyFormat::RAW, key));
    754 
    755         auto params = AuthorizationSetBuilder()
    756                           .Authorization(TAG_NONCE, nonce.data(), nonce.size())
    757                           .BlockMode(BlockMode::CTR)
    758                           .Padding(PaddingMode::NONE);
    759         AuthorizationSet out_params;
    760         string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
    761         EXPECT_EQ(expected_ciphertext, ciphertext);
    762     }
    763 
    764     void VerifyMessage(const HidlBuf& key_blob, const string& message, const string& signature,
    765                        const AuthorizationSet& params) {
    766         SCOPED_TRACE("VerifyMessage");
    767         AuthorizationSet begin_out_params;
    768         ASSERT_EQ(ErrorCode::OK,
    769                   Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_));
    770 
    771         string unused;
    772         AuthorizationSet finish_params;
    773         AuthorizationSet finish_out_params;
    774         string output;
    775         EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, signature,
    776                                         &finish_out_params, &output));
    777         op_handle_ = kOpHandleSentinel;
    778         EXPECT_TRUE(output.empty());
    779     }
    780 
    781     void VerifyMessage(const string& message, const string& signature,
    782                        const AuthorizationSet& params) {
    783         SCOPED_TRACE("VerifyMessage");
    784         VerifyMessage(key_blob_, message, signature, params);
    785     }
    786 
    787     string EncryptMessage(const HidlBuf& key_blob, const string& message,
    788                           const AuthorizationSet& in_params, AuthorizationSet* out_params) {
    789         SCOPED_TRACE("EncryptMessage");
    790         return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
    791     }
    792 
    793     string EncryptMessage(const string& message, const AuthorizationSet& params,
    794                           AuthorizationSet* out_params) {
    795         SCOPED_TRACE("EncryptMessage");
    796         return EncryptMessage(key_blob_, message, params, out_params);
    797     }
    798 
    799     string EncryptMessage(const string& message, const AuthorizationSet& params) {
    800         SCOPED_TRACE("EncryptMessage");
    801         AuthorizationSet out_params;
    802         string ciphertext = EncryptMessage(message, params, &out_params);
    803         EXPECT_TRUE(out_params.empty())
    804             << "Output params should be empty. Contained: " << out_params;
    805         return ciphertext;
    806     }
    807 
    808     string DecryptMessage(const HidlBuf& key_blob, const string& ciphertext,
    809                           const AuthorizationSet& params) {
    810         SCOPED_TRACE("DecryptMessage");
    811         AuthorizationSet out_params;
    812         string plaintext =
    813             ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
    814         EXPECT_TRUE(out_params.empty());
    815         return plaintext;
    816     }
    817 
    818     string DecryptMessage(const string& ciphertext, const AuthorizationSet& params) {
    819         SCOPED_TRACE("DecryptMessage");
    820         return DecryptMessage(key_blob_, ciphertext, params);
    821     }
    822 
    823     template <TagType tag_type, Tag tag, typename ValueT>
    824     void CheckKm0CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
    825         SCOPED_TRACE("CheckKm0CryptoParam");
    826         if (is_secure_) {
    827             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
    828             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
    829         } else {
    830             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
    831             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
    832         }
    833     }
    834 
    835     template <TagType tag_type, Tag tag, typename ValueT>
    836     void CheckKm1CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
    837         SCOPED_TRACE("CheckKm1CryptoParam");
    838         if (is_secure_ && supports_symmetric_) {
    839             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
    840             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
    841         } else {
    842             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
    843             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
    844         }
    845     }
    846 
    847     template <TagType tag_type, Tag tag, typename ValueT>
    848     void CheckKm2CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
    849         SCOPED_TRACE("CheckKm2CryptoParam");
    850         if (supports_attestation_) {
    851             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
    852             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
    853         } else if (!supports_symmetric_ /* KM version < 1 or SW */) {
    854             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
    855             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
    856         }
    857     }
    858 
    859     void CheckOrigin() {
    860         SCOPED_TRACE("CheckOrigin");
    861         if (is_secure_ && supports_symmetric_) {
    862             EXPECT_TRUE(
    863                 contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
    864         } else if (is_secure_) {
    865             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
    866         } else {
    867             EXPECT_TRUE(
    868                 contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
    869         }
    870     }
    871 
    872     static bool IsSecure() { return is_secure_; }
    873     static bool SupportsEc() { return supports_ec_; }
    874     static bool SupportsSymmetric() { return supports_symmetric_; }
    875     static bool SupportsAllDigests() { return supports_all_digests_; }
    876     static bool SupportsAttestation() { return supports_attestation_; }
    877 
    878     static bool Km2Profile() {
    879         return SupportsAttestation() && SupportsAllDigests() && SupportsSymmetric() &&
    880                SupportsEc() && IsSecure();
    881     }
    882 
    883     static bool Km1Profile() {
    884         return !SupportsAttestation() && SupportsSymmetric() && SupportsEc() && IsSecure();
    885     }
    886 
    887     static bool Km0Profile() {
    888         return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() &&
    889                IsSecure();
    890     }
    891 
    892     static bool SwOnlyProfile() {
    893         return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() &&
    894                !SupportsEc() && !IsSecure();
    895     }
    896 
    897     HidlBuf key_blob_;
    898     KeyCharacteristics key_characteristics_;
    899     OperationHandle op_handle_ = kOpHandleSentinel;
    900 
    901   private:
    902     static sp<IKeymasterDevice> keymaster_;
    903     static uint32_t os_version_;
    904     static uint32_t os_patch_level_;
    905 
    906     static bool is_secure_;
    907     static bool supports_ec_;
    908     static bool supports_symmetric_;
    909     static bool supports_attestation_;
    910     static bool supports_all_digests_;
    911     static hidl_string name_;
    912     static hidl_string author_;
    913 };
    914 
    915 bool verify_attestation_record(const string& challenge, const string& app_id,
    916                                AuthorizationSet expected_sw_enforced,
    917                                AuthorizationSet expected_tee_enforced,
    918                                const hidl_vec<uint8_t>& attestation_cert) {
    919     X509_Ptr cert(parse_cert_blob(attestation_cert));
    920     EXPECT_TRUE(!!cert.get());
    921     if (!cert.get()) return false;
    922 
    923     ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
    924     EXPECT_TRUE(!!attest_rec);
    925     if (!attest_rec) return false;
    926 
    927     AuthorizationSet att_sw_enforced;
    928     AuthorizationSet att_tee_enforced;
    929     uint32_t att_attestation_version;
    930     uint32_t att_keymaster_version;
    931     SecurityLevel att_attestation_security_level;
    932     SecurityLevel att_keymaster_security_level;
    933     HidlBuf att_challenge;
    934     HidlBuf att_unique_id;
    935     HidlBuf att_app_id;
    936     EXPECT_EQ(ErrorCode::OK,
    937               parse_attestation_record(attest_rec->data,                 //
    938                                        attest_rec->length,               //
    939                                        &att_attestation_version,         //
    940                                        &att_attestation_security_level,  //
    941                                        &att_keymaster_version,           //
    942                                        &att_keymaster_security_level,    //
    943                                        &att_challenge,                   //
    944                                        &att_sw_enforced,                 //
    945                                        &att_tee_enforced,                //
    946                                        &att_unique_id));
    947 
    948     EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2);
    949 
    950     expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID,
    951                                    HidlBuf(app_id));
    952 
    953     if (!KeymasterHidlTest::IsSecure()) {
    954         // SW is KM2
    955         EXPECT_EQ(att_keymaster_version, 2U);
    956     }
    957 
    958     if (KeymasterHidlTest::SupportsSymmetric()) {
    959         EXPECT_GE(att_keymaster_version, 1U);
    960     }
    961 
    962     if (KeymasterHidlTest::SupportsAttestation()) {
    963         EXPECT_GE(att_keymaster_version, 2U);
    964     }
    965 
    966     EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT
    967                                             : SecurityLevel::SOFTWARE,
    968               att_keymaster_security_level);
    969     EXPECT_EQ(KeymasterHidlTest::SupportsAttestation() ? SecurityLevel::TRUSTED_ENVIRONMENT
    970                                                        : SecurityLevel::SOFTWARE,
    971               att_attestation_security_level);
    972 
    973     EXPECT_EQ(challenge.length(), att_challenge.size());
    974     EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length()));
    975 
    976     att_sw_enforced.Sort();
    977     expected_sw_enforced.Sort();
    978     EXPECT_EQ(filter_tags(expected_sw_enforced), filter_tags(att_sw_enforced));
    979 
    980     att_tee_enforced.Sort();
    981     expected_tee_enforced.Sort();
    982     EXPECT_EQ(filter_tags(expected_tee_enforced), filter_tags(att_tee_enforced));
    983 
    984     return true;
    985 }
    986 
    987 sp<IKeymasterDevice> KeymasterHidlTest::keymaster_;
    988 uint32_t KeymasterHidlTest::os_version_;
    989 uint32_t KeymasterHidlTest::os_patch_level_;
    990 bool KeymasterHidlTest::is_secure_;
    991 bool KeymasterHidlTest::supports_ec_;
    992 bool KeymasterHidlTest::supports_symmetric_;
    993 bool KeymasterHidlTest::supports_all_digests_;
    994 bool KeymasterHidlTest::supports_attestation_;
    995 hidl_string KeymasterHidlTest::name_;
    996 hidl_string KeymasterHidlTest::author_;
    997 
    998 typedef KeymasterHidlTest KeymasterVersionTest;
    999 
   1000 /*
   1001  * KeymasterVersionTest.SensibleFeatures:
   1002  *
   1003  * Queries keymaster to find the set of features it supports. Fails if the combination doesn't
   1004  * correspond to any well-defined keymaster version.
   1005  */
   1006 TEST_F(KeymasterVersionTest, SensibleFeatures) {
   1007     EXPECT_TRUE(Km2Profile() || Km1Profile() || Km0Profile() || SwOnlyProfile())
   1008         << "Keymaster feature set doesn't fit any reasonable profile.  Reported features:"
   1009         << "SupportsAttestation [" << SupportsAttestation() << "], "
   1010         << "SupportsSymmetric [" << SupportsSymmetric() << "], "
   1011         << "SupportsAllDigests [" << SupportsAllDigests() << "], "
   1012         << "SupportsEc [" << SupportsEc() << "], "
   1013         << "IsSecure [" << IsSecure() << "]";
   1014 }
   1015 
   1016 class NewKeyGenerationTest : public KeymasterHidlTest {
   1017   protected:
   1018     void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
   1019         // TODO(swillden): Distinguish which params should be in which auth list.
   1020 
   1021         AuthorizationSet auths(keyCharacteristics.teeEnforced);
   1022         auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
   1023 
   1024         EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
   1025 
   1026         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
   1027         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
   1028         EXPECT_TRUE(auths.Contains(TAG_USER_ID, 7))
   1029             << "User ID should be 7, was " << auths.GetTagValue(TAG_USER_ID);
   1030 
   1031         // Verify that App ID, App data and ROT are NOT included.
   1032         EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
   1033         EXPECT_FALSE(auths.Contains(TAG_APPLICATION_ID));
   1034         EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
   1035 
   1036         // Check that some unexpected tags/values are NOT present.
   1037         EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
   1038         EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
   1039         EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301));
   1040 
   1041         // Now check that unspecified, defaulted tags are correct.
   1042         EXPECT_TRUE(auths.Contains(TAG_CREATION_DATETIME));
   1043 
   1044         if (SupportsAttestation()) {
   1045             EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version()))
   1046                 << "OS version is " << os_version() << " key reported "
   1047                 << auths.GetTagValue(TAG_OS_VERSION);
   1048             EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level()))
   1049                 << "OS patch level is " << os_patch_level() << " key reported "
   1050                 << auths.GetTagValue(TAG_OS_PATCHLEVEL);
   1051         }
   1052     }
   1053 };
   1054 
   1055 /*
   1056  * NewKeyGenerationTest.Rsa
   1057  *
   1058  * Verifies that keymaster can generate all required RSA key sizes, and that the resulting keys have
   1059  * correct characteristics.
   1060  */
   1061 TEST_F(NewKeyGenerationTest, Rsa) {
   1062     for (auto key_size : {1024, 2048, 3072, 4096}) {
   1063         HidlBuf key_blob;
   1064         KeyCharacteristics key_characteristics;
   1065         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1066                                                  .RsaSigningKey(key_size, 3)
   1067                                                  .Digest(Digest::NONE)
   1068                                                  .Padding(PaddingMode::NONE)
   1069                                                  .Authorizations(UserAuths()),
   1070                                              &key_blob, &key_characteristics));
   1071 
   1072         ASSERT_GT(key_blob.size(), 0U);
   1073         CheckBaseParams(key_characteristics);
   1074 
   1075         AuthorizationSet crypto_params;
   1076         if (IsSecure()) {
   1077             crypto_params = key_characteristics.teeEnforced;
   1078         } else {
   1079             crypto_params = key_characteristics.softwareEnforced;
   1080         }
   1081 
   1082         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, KM_ALGORITHM_RSA));
   1083         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size));
   1084         EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 3));
   1085 
   1086         CheckedDeleteKey(&key_blob);
   1087     }
   1088 }
   1089 
   1090 /*
   1091  * NewKeyGenerationTest.RsaNoDefaultSize
   1092  *
   1093  * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE.
   1094  */
   1095 TEST_F(NewKeyGenerationTest, RsaNoDefaultSize) {
   1096     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
   1097               GenerateKey(AuthorizationSetBuilder()
   1098                               .Authorization(TAG_ALGORITHM, Algorithm::RSA)
   1099                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
   1100                               .SigningKey()));
   1101 }
   1102 
   1103 /*
   1104  * NewKeyGenerationTest.Ecdsa
   1105  *
   1106  * Verifies that keymaster can generate all required EC key sizes, and that the resulting keys have
   1107  * correct characteristics.
   1108  */
   1109 TEST_F(NewKeyGenerationTest, Ecdsa) {
   1110     for (auto key_size : {224, 256, 384, 521}) {
   1111         HidlBuf key_blob;
   1112         KeyCharacteristics key_characteristics;
   1113         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1114                                                  .EcdsaSigningKey(key_size)
   1115                                                  .Digest(Digest::NONE)
   1116                                                  .Authorizations(UserAuths()),
   1117                                              &key_blob, &key_characteristics));
   1118         ASSERT_GT(key_blob.size(), 0U);
   1119         CheckBaseParams(key_characteristics);
   1120 
   1121         AuthorizationSet crypto_params;
   1122         if (IsSecure()) {
   1123             crypto_params = key_characteristics.teeEnforced;
   1124         } else {
   1125             crypto_params = key_characteristics.softwareEnforced;
   1126         }
   1127 
   1128         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
   1129         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size));
   1130 
   1131         CheckedDeleteKey(&key_blob);
   1132     }
   1133 }
   1134 
   1135 /*
   1136  * NewKeyGenerationTest.EcdsaDefaultSize
   1137  *
   1138  * Verifies that failing to specify a key size for EC key generation returns UNSUPPORTED_KEY_SIZE.
   1139  */
   1140 TEST_F(NewKeyGenerationTest, EcdsaDefaultSize) {
   1141     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
   1142               GenerateKey(AuthorizationSetBuilder()
   1143                               .Authorization(TAG_ALGORITHM, Algorithm::EC)
   1144                               .SigningKey()
   1145                               .Digest(Digest::NONE)));
   1146 }
   1147 
   1148 /*
   1149  * NewKeyGenerationTest.EcdsaInvalidSize
   1150  *
   1151  * Verifies that failing to specify an invalid key size for EC key generation returns
   1152  * UNSUPPORTED_KEY_SIZE.
   1153  */
   1154 TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) {
   1155     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
   1156               GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE)));
   1157 }
   1158 
   1159 /*
   1160  * NewKeyGenerationTest.EcdsaMismatchKeySize
   1161  *
   1162  * Verifies that specifying mismatched key size and curve for EC key generation returns
   1163  * INVALID_ARGUMENT.
   1164  */
   1165 TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) {
   1166     ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
   1167               GenerateKey(AuthorizationSetBuilder()
   1168                               .EcdsaSigningKey(224)
   1169                               .Authorization(TAG_EC_CURVE, EcCurve::P_256)
   1170                               .Digest(Digest::NONE)))
   1171         << "(Possibly b/36233343)";
   1172 }
   1173 
   1174 TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) {
   1175     size_t valid_sizes[] = {224, 256, 384, 521};
   1176     for (size_t size : valid_sizes) {
   1177         EXPECT_EQ(ErrorCode::OK,
   1178                   GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE)))
   1179             << "Failed to generate size: " << size;
   1180         CheckedDeleteKey();
   1181     }
   1182 }
   1183 
   1184 /*
   1185  * NewKeyGenerationTest.EcdsaAllValidCurves
   1186  *
   1187  * Verifies that keymaster supports all required EC curves.
   1188  */
   1189 TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {
   1190     EcCurve curves[] = {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
   1191     for (auto curve : curves) {
   1192         EXPECT_EQ(
   1193             ErrorCode::OK,
   1194             GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512)))
   1195             << "Failed to generate key on curve: " << curve;
   1196         CheckedDeleteKey();
   1197     }
   1198 }
   1199 
   1200 /*
   1201  * NewKeyGenerationTest.Hmac
   1202  *
   1203  * Verifies that keymaster supports all required digests, and that the resulting keys have correct
   1204  * characteristics.
   1205  */
   1206 TEST_F(NewKeyGenerationTest, Hmac) {
   1207     for (auto digest : {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256,
   1208                         Digest::SHA_2_384, Digest::SHA_2_512}) {
   1209         HidlBuf key_blob;
   1210         KeyCharacteristics key_characteristics;
   1211         constexpr size_t key_size = 128;
   1212         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1213                                                  .HmacKey(key_size)
   1214                                                  .Digest(digest)
   1215                                                  .Authorization(TAG_MIN_MAC_LENGTH, 128)
   1216                                                  .Authorizations(UserAuths()),
   1217                                              &key_blob, &key_characteristics));
   1218 
   1219         ASSERT_GT(key_blob.size(), 0U);
   1220         CheckBaseParams(key_characteristics);
   1221 
   1222         AuthorizationSet teeEnforced = key_characteristics.teeEnforced;
   1223         AuthorizationSet softwareEnforced = key_characteristics.softwareEnforced;
   1224         if (SupportsAttestation() || SupportsAllDigests()) {
   1225             // Either KM2, which must support all, or KM1 that claims full support
   1226             EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
   1227             EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size));
   1228         } else if (SupportsSymmetric()) {
   1229             if (digest == Digest::SHA1 || digest == Digest::SHA_2_256) {
   1230                 // KM1 must support SHA1 and SHA256 in hardware
   1231                 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
   1232                 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size));
   1233             } else {
   1234                 // Othere digests may or may not be supported
   1235                 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC) ||
   1236                             softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
   1237                 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size) ||
   1238                             softwareEnforced.Contains(TAG_KEY_SIZE, key_size));
   1239             }
   1240         } else {
   1241             // KM0 and SW KM do all digests in SW.
   1242             EXPECT_TRUE(softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
   1243             EXPECT_TRUE(softwareEnforced.Contains(TAG_KEY_SIZE, key_size));
   1244         }
   1245 
   1246         CheckedDeleteKey(&key_blob);
   1247     }
   1248 }
   1249 
   1250 /*
   1251  * NewKeyGenerationTest.HmacCheckKeySizes
   1252  *
   1253  * Verifies that keymaster supports all key sizes, and rejects all invalid key sizes.
   1254  */
   1255 TEST_F(NewKeyGenerationTest, HmacCheckKeySizes) {
   1256     for (size_t key_size = 0; key_size <= 512; ++key_size) {
   1257         if (key_size < 64 || key_size % 8 != 0) {
   1258             // To keep this test from being very slow, we only test a random fraction of non-byte
   1259             // key sizes.  We test only ~10% of such cases. Since there are 392 of them, we expect
   1260             // to run ~40 of them in each run.
   1261             if (key_size % 8 == 0 || random() % 10 == 0) {
   1262                 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
   1263                           GenerateKey(AuthorizationSetBuilder()
   1264                                           .HmacKey(key_size)
   1265                                           .Digest(Digest::SHA_2_256)
   1266                                           .Authorization(TAG_MIN_MAC_LENGTH, 256)))
   1267                     << "HMAC key size " << key_size << " invalid (Possibly b/33462346)";
   1268             }
   1269         } else {
   1270             EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1271                                                      .HmacKey(key_size)
   1272                                                      .Digest(Digest::SHA_2_256)
   1273                                                      .Authorization(TAG_MIN_MAC_LENGTH, 256)));
   1274             CheckedDeleteKey();
   1275         }
   1276     }
   1277 }
   1278 
   1279 /*
   1280  * NewKeyGenerationTest.HmacCheckMinMacLengths
   1281  *
   1282  * Verifies that keymaster supports all required MAC lengths and rejects all invalid lengths.  This
   1283  * test is probabilistic in order to keep the runtime down, but any failure prints out the specific
   1284  * MAC length that failed, so reproducing a failed run will be easy.
   1285  */
   1286 TEST_F(NewKeyGenerationTest, HmacCheckMinMacLengths) {
   1287     for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
   1288         if (min_mac_length < 64 || min_mac_length % 8 != 0) {
   1289             // To keep this test from being very long, we only test a random fraction of non-byte
   1290             // lengths.  We test only ~10% of such cases. Since there are 172 of them, we expect to
   1291             // run ~17 of them in each run.
   1292             if (min_mac_length % 8 == 0 || random() % 10 == 0) {
   1293                 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
   1294                           GenerateKey(AuthorizationSetBuilder()
   1295                                           .HmacKey(128)
   1296                                           .Digest(Digest::SHA_2_256)
   1297                                           .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
   1298                     << "HMAC min mac length " << min_mac_length << " invalid.";
   1299             }
   1300         } else {
   1301             EXPECT_EQ(ErrorCode::OK,
   1302                       GenerateKey(AuthorizationSetBuilder()
   1303                                       .HmacKey(128)
   1304                                       .Digest(Digest::SHA_2_256)
   1305                                       .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)));
   1306             CheckedDeleteKey();
   1307         }
   1308     }
   1309 }
   1310 
   1311 /*
   1312  * NewKeyGenerationTest.HmacMultipleDigests
   1313  *
   1314  * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms.
   1315  */
   1316 TEST_F(NewKeyGenerationTest, HmacMultipleDigests) {
   1317     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
   1318               GenerateKey(AuthorizationSetBuilder()
   1319                               .HmacKey(128)
   1320                               .Digest(Digest::SHA1)
   1321                               .Digest(Digest::SHA_2_256)
   1322                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   1323 }
   1324 
   1325 /*
   1326  * NewKeyGenerationTest.HmacDigestNone
   1327  *
   1328  * Verifies that keymaster rejects HMAC key generation with no digest or Digest::NONE
   1329  */
   1330 TEST_F(NewKeyGenerationTest, HmacDigestNone) {
   1331     ASSERT_EQ(
   1332         ErrorCode::UNSUPPORTED_DIGEST,
   1333         GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH, 128)));
   1334 
   1335     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
   1336               GenerateKey(AuthorizationSetBuilder()
   1337                               .HmacKey(128)
   1338                               .Digest(Digest::NONE)
   1339                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   1340 }
   1341 
   1342 typedef KeymasterHidlTest GetKeyCharacteristicsTest;
   1343 
   1344 /*
   1345  * GetKeyCharacteristicsTest.HmacDigestNone
   1346  *
   1347  * Verifies that getKeyCharacteristics functions, and that generated and retrieved key
   1348  * characteristics match.
   1349  */
   1350 TEST_F(GetKeyCharacteristicsTest, SimpleRsa) {
   1351     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1352                                              .RsaSigningKey(1024, 3)
   1353                                              .Digest(Digest::NONE)
   1354                                              .Padding(PaddingMode::NONE)));
   1355 
   1356     KeyCharacteristics retrieved_chars;
   1357     ASSERT_EQ(ErrorCode::OK, GetCharacteristics(key_blob_, &retrieved_chars));
   1358 
   1359     AuthorizationSet gen_sw = key_characteristics_.softwareEnforced;
   1360     AuthorizationSet gen_tee = key_characteristics_.teeEnforced;
   1361     AuthorizationSet retrieved_sw = retrieved_chars.softwareEnforced;
   1362     AuthorizationSet retrieved_tee = retrieved_chars.teeEnforced;
   1363 
   1364     EXPECT_EQ(gen_sw, retrieved_sw);
   1365     EXPECT_EQ(gen_tee, retrieved_tee);
   1366 }
   1367 
   1368 typedef KeymasterHidlTest SigningOperationsTest;
   1369 
   1370 /*
   1371  * SigningOperationsTest.RsaSuccess
   1372  *
   1373  * Verifies that raw RSA signature operations succeed.
   1374  */
   1375 TEST_F(SigningOperationsTest, RsaSuccess) {
   1376     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1377                                              .RsaSigningKey(1024, 3)
   1378                                              .Digest(Digest::NONE)
   1379                                              .Padding(PaddingMode::NONE)
   1380                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
   1381     string message = "12345678901234567890123456789012";
   1382     string signature = SignMessage(
   1383         message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
   1384 }
   1385 
   1386 /*
   1387  * SigningOperationsTest.RsaPssSha256Success
   1388  *
   1389  * Verifies that RSA-PSS signature operations succeed.
   1390  */
   1391 TEST_F(SigningOperationsTest, RsaPssSha256Success) {
   1392     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1393                                              .RsaSigningKey(1024, 3)
   1394                                              .Digest(Digest::SHA_2_256)
   1395                                              .Padding(PaddingMode::RSA_PSS)
   1396                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
   1397     // Use large message, which won't work without digesting.
   1398     string message(1024, 'a');
   1399     string signature = SignMessage(
   1400         message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
   1401 }
   1402 
   1403 /*
   1404  * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
   1405  *
   1406  * Verifies that keymaster rejects signature operations that specify a padding mode when the key
   1407  * supports only unpadded operations.
   1408  */
   1409 TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
   1410     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1411                                              .RsaSigningKey(1024, 3)
   1412                                              .Digest(Digest::NONE)
   1413                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1414                                              .Padding(PaddingMode::NONE)));
   1415     string message = "12345678901234567890123456789012";
   1416     string signature;
   1417 
   1418     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
   1419               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
   1420                                           .Digest(Digest::NONE)
   1421                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1422 }
   1423 
   1424 /*
   1425  * SigningOperationsTest.RsaPkcs1Sha256Success
   1426  *
   1427  * Verifies that digested RSA-PKCS1 signature operations succeed.
   1428  */
   1429 TEST_F(SigningOperationsTest, RsaPkcs1Sha256Success) {
   1430     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1431                                              .RsaSigningKey(1024, 3)
   1432                                              .Digest(Digest::SHA_2_256)
   1433                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1434                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1435     string message(1024, 'a');
   1436     string signature = SignMessage(message, AuthorizationSetBuilder()
   1437                                                 .Digest(Digest::SHA_2_256)
   1438                                                 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
   1439 }
   1440 
   1441 /*
   1442  * SigningOperationsTest.RsaPkcs1NoDigestSuccess
   1443  *
   1444  * Verifies that undigested RSA-PKCS1 signature operations succeed.
   1445  */
   1446 TEST_F(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
   1447     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1448                                              .RsaSigningKey(1024, 3)
   1449                                              .Digest(Digest::NONE)
   1450                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1451                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1452     string message(53, 'a');
   1453     string signature = SignMessage(
   1454         message,
   1455         AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
   1456 }
   1457 
   1458 /*
   1459  * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
   1460  *
   1461  * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
   1462  * given a too-long message.
   1463  */
   1464 TEST_F(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
   1465     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1466                                              .RsaSigningKey(1024, 3)
   1467                                              .Digest(Digest::NONE)
   1468                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1469                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1470     string message(129, 'a');
   1471 
   1472     EXPECT_EQ(ErrorCode::OK,
   1473               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
   1474                                           .Digest(Digest::NONE)
   1475                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1476     string signature;
   1477     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
   1478 }
   1479 
   1480 /*
   1481  * SigningOperationsTest.RsaPssSha512TooSmallKey
   1482  *
   1483  * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
   1484  * used with a key that is too small for the message.
   1485  *
   1486  * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the keymaster
   1487  * specification requires that salt_size == digest_size, so the message will be digest_size * 2 +
   1488  * 16. Such a message can only be signed by a given key if the key is at least that size. This test
   1489  * uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large for a
   1490  * 1024-bit key.
   1491  */
   1492 TEST_F(SigningOperationsTest, RsaPssSha512TooSmallKey) {
   1493     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1494                                              .RsaSigningKey(1024, 3)
   1495                                              .Digest(Digest::SHA_2_512)
   1496                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1497                                              .Padding(PaddingMode::RSA_PSS)));
   1498     EXPECT_EQ(
   1499         ErrorCode::INCOMPATIBLE_DIGEST,
   1500         Begin(KeyPurpose::SIGN,
   1501               AuthorizationSetBuilder().Digest(Digest::SHA_2_512).Padding(PaddingMode::RSA_PSS)))
   1502         << "(Possibly b/33346750)";
   1503 }
   1504 
   1505 /*
   1506  * SigningOperationsTest.RsaNoPaddingTooLong
   1507  *
   1508  * Verifies that raw RSA signature operations fail with the correct error code when
   1509  * given a too-long message.
   1510  */
   1511 TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) {
   1512     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1513                                              .RsaSigningKey(1024, 3)
   1514                                              .Digest(Digest::NONE)
   1515                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1516                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1517     // One byte too long
   1518     string message(1024 / 8 + 1, 'a');
   1519     ASSERT_EQ(ErrorCode::OK,
   1520               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
   1521                                           .Digest(Digest::NONE)
   1522                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1523     string result;
   1524     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
   1525 
   1526     // Very large message that should exceed the transfer buffer size of any reasonable TEE.
   1527     message = string(128 * 1024, 'a');
   1528     ASSERT_EQ(ErrorCode::OK,
   1529               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
   1530                                           .Digest(Digest::NONE)
   1531                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   1532     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
   1533 }
   1534 
   1535 /*
   1536  * SigningOperationsTest.RsaAbort
   1537  *
   1538  * Verifies that operations can be aborted correctly.  Uses an RSA signing operation for the test,
   1539  * but the behavior should be algorithm and purpose-independent.
   1540  */
   1541 TEST_F(SigningOperationsTest, RsaAbort) {
   1542     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1543                                              .RsaSigningKey(1024, 3)
   1544                                              .Digest(Digest::NONE)
   1545                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1546                                              .Padding(PaddingMode::NONE)));
   1547 
   1548     ASSERT_EQ(ErrorCode::OK,
   1549               Begin(KeyPurpose::SIGN,
   1550                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
   1551     EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
   1552 
   1553     // Another abort should fail
   1554     EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort(op_handle_));
   1555 
   1556     // Set to sentinel, so TearDown() doesn't try to abort again.
   1557     op_handle_ = kOpHandleSentinel;
   1558 }
   1559 
   1560 /*
   1561  * SigningOperationsTest.RsaUnsupportedPadding
   1562  *
   1563  * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used with a
   1564  * padding mode inappropriate for RSA.
   1565  */
   1566 TEST_F(SigningOperationsTest, RsaUnsupportedPadding) {
   1567     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1568                                              .RsaSigningKey(1024, 3)
   1569                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1570                                              .Digest(Digest::SHA_2_256 /* supported digest */)
   1571                                              .Padding(PaddingMode::PKCS7)));
   1572     ASSERT_EQ(
   1573         ErrorCode::UNSUPPORTED_PADDING_MODE,
   1574         Begin(KeyPurpose::SIGN,
   1575               AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
   1576 }
   1577 
   1578 /*
   1579  * SigningOperationsTest.RsaPssNoDigest
   1580  *
   1581  * Verifies that RSA PSS operations fail when no digest is used.  PSS requires a digest.
   1582  */
   1583 TEST_F(SigningOperationsTest, RsaNoDigest) {
   1584     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1585                                              .RsaSigningKey(1024, 3)
   1586                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1587                                              .Digest(Digest::NONE)
   1588                                              .Padding(PaddingMode::RSA_PSS)));
   1589     ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
   1590               Begin(KeyPurpose::SIGN,
   1591                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
   1592 
   1593     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
   1594               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
   1595 }
   1596 
   1597 /*
   1598  * SigningOperationsTest.RsaPssNoDigest
   1599  *
   1600  * Verifies that RSA operations fail when no padding mode is specified.  PaddingMode::NONE is
   1601  * supported in some cases (as validated in other tests), but a mode must be specified.
   1602  */
   1603 TEST_F(SigningOperationsTest, RsaNoPadding) {
   1604     // Padding must be specified
   1605     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1606                                              .RsaKey(1024, 3)
   1607                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1608                                              .SigningKey()
   1609                                              .Digest(Digest::NONE)));
   1610     ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
   1611               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
   1612 }
   1613 
   1614 /*
   1615  * SigningOperationsTest.RsaShortMessage
   1616  *
   1617  * Verifies that raw RSA signatures succeed with a message shorter than the key size.
   1618  */
   1619 TEST_F(SigningOperationsTest, RsaTooShortMessage) {
   1620     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1621                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1622                                              .RsaSigningKey(1024, 3)
   1623                                              .Digest(Digest::NONE)
   1624                                              .Padding(PaddingMode::NONE)));
   1625 
   1626     // Barely shorter
   1627     string message(1024 / 8 - 1, 'a');
   1628     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
   1629 
   1630     // Much shorter
   1631     message = "a";
   1632     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
   1633 }
   1634 
   1635 /*
   1636  * SigningOperationsTest.RsaSignWithEncryptionKey
   1637  *
   1638  * Verifies that RSA encryption keys cannot be used to sign.
   1639  */
   1640 TEST_F(SigningOperationsTest, RsaSignWithEncryptionKey) {
   1641     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1642                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1643                                              .RsaEncryptionKey(1024, 3)
   1644                                              .Digest(Digest::NONE)
   1645                                              .Padding(PaddingMode::NONE)));
   1646     ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
   1647               Begin(KeyPurpose::SIGN,
   1648                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
   1649 }
   1650 
   1651 /*
   1652  * SigningOperationsTest.RsaSignTooLargeMessage
   1653  *
   1654  * Verifies that attempting a raw signature of a message which is the same length as the key, but
   1655  * numerically larger than the public modulus, fails with the correct error.
   1656  */
   1657 TEST_F(SigningOperationsTest, RsaSignTooLargeMessage) {
   1658     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1659                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1660                                              .RsaSigningKey(1024, 3)
   1661                                              .Digest(Digest::NONE)
   1662                                              .Padding(PaddingMode::NONE)));
   1663 
   1664     // Largest possible message will always be larger than the public modulus.
   1665     string message(1024 / 8, static_cast<char>(0xff));
   1666     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
   1667                                                          .Authorization(TAG_NO_AUTH_REQUIRED)
   1668                                                          .Digest(Digest::NONE)
   1669                                                          .Padding(PaddingMode::NONE)));
   1670     string signature;
   1671     ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
   1672 }
   1673 
   1674 /*
   1675  * SigningOperationsTest.EcdsaAllSizesAndHashes
   1676  *
   1677  * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
   1678  */
   1679 TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) {
   1680     for (auto key_size : {224, 256, 384, 521}) {
   1681         for (auto digest : {
   1682                  Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
   1683                  Digest::SHA_2_512,
   1684              }) {
   1685             ErrorCode error = GenerateKey(AuthorizationSetBuilder()
   1686                                               .Authorization(TAG_NO_AUTH_REQUIRED)
   1687                                               .EcdsaSigningKey(key_size)
   1688                                               .Digest(digest));
   1689             EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
   1690                                             << " and digest " << digest;
   1691             if (error != ErrorCode::OK) continue;
   1692 
   1693             string message(1024, 'a');
   1694             if (digest == Digest::NONE) message.resize(key_size / 8);
   1695             SignMessage(message, AuthorizationSetBuilder().Digest(digest));
   1696             CheckedDeleteKey();
   1697         }
   1698     }
   1699 }
   1700 
   1701 /*
   1702  * SigningOperationsTest.EcdsaAllCurves
   1703  *
   1704  * Verifies that ECDSA operations succeed with all possible curves.
   1705  */
   1706 TEST_F(SigningOperationsTest, EcdsaAllCurves) {
   1707     for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) {
   1708         ErrorCode error = GenerateKey(AuthorizationSetBuilder()
   1709                                           .Authorization(TAG_NO_AUTH_REQUIRED)
   1710                                           .EcdsaSigningKey(curve)
   1711                                           .Digest(Digest::SHA_2_256));
   1712         EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
   1713         if (error != ErrorCode::OK) continue;
   1714 
   1715         string message(1024, 'a');
   1716         SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
   1717         CheckedDeleteKey();
   1718     }
   1719 }
   1720 
   1721 /*
   1722  * SigningOperationsTest.EcdsaNoDigestHugeData
   1723  *
   1724  * Verifies that ECDSA operations support very large messages, even without digesting.  This should
   1725  * work because ECDSA actually only signs the leftmost L_n bits of the message, however large it may
   1726  * be.  Not using digesting is a bad idea, but in some cases digesting is done by the framework.
   1727  */
   1728 TEST_F(SigningOperationsTest, EcdsaNoDigestHugeData) {
   1729     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1730                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1731                                              .EcdsaSigningKey(224)
   1732                                              .Digest(Digest::NONE)));
   1733     string message(64 * 1024, 'a');
   1734     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
   1735 }
   1736 
   1737 /*
   1738  * SigningOperationsTest.AesEcbSign
   1739  *
   1740  * Verifies that attempts to use AES keys to sign fail in the correct way.
   1741  */
   1742 TEST_F(SigningOperationsTest, AesEcbSign) {
   1743     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1744                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1745                                              .SigningKey()
   1746                                              .AesEncryptionKey(128)
   1747                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)))
   1748         << "(Possibly b/36252957)";
   1749 
   1750     AuthorizationSet out_params;
   1751     EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
   1752               Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params))
   1753         << "(Possibly b/36233187)";
   1754 
   1755     EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
   1756               Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params))
   1757         << "(Possibly b/36233187)";
   1758 }
   1759 
   1760 /*
   1761  * SigningOperationsTest.HmacAllDigests
   1762  *
   1763  * Verifies that HMAC works with all digests.
   1764  */
   1765 TEST_F(SigningOperationsTest, HmacAllDigests) {
   1766     for (auto digest : {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
   1767                         Digest::SHA_2_512}) {
   1768         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1769                                                  .Authorization(TAG_NO_AUTH_REQUIRED)
   1770                                                  .HmacKey(128)
   1771                                                  .Digest(digest)
   1772                                                  .Authorization(TAG_MIN_MAC_LENGTH, 160)))
   1773             << "Failed to create HMAC key with digest " << digest;
   1774         string message = "12345678901234567890123456789012";
   1775         string signature = MacMessage(message, digest, 160);
   1776         EXPECT_EQ(160U / 8U, signature.size())
   1777             << "Failed to sign with HMAC key with digest " << digest;
   1778         CheckedDeleteKey();
   1779     }
   1780 }
   1781 
   1782 /*
   1783  * SigningOperationsTest.HmacSha256TooLargeMacLength
   1784  *
   1785  * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the digest
   1786  * size.
   1787  */
   1788 TEST_F(SigningOperationsTest, HmacSha256TooLargeMacLength) {
   1789     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1790                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1791                                              .HmacKey(128)
   1792                                              .Digest(Digest::SHA_2_256)
   1793                                              .Authorization(TAG_MIN_MAC_LENGTH, 256)));
   1794     AuthorizationSet output_params;
   1795     EXPECT_EQ(
   1796         ErrorCode::UNSUPPORTED_MAC_LENGTH,
   1797         Begin(
   1798             KeyPurpose::SIGN, key_blob_,
   1799             AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 264),
   1800             &output_params, &op_handle_));
   1801 }
   1802 
   1803 /*
   1804  * SigningOperationsTest.HmacSha256TooSmallMacLength
   1805  *
   1806  * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
   1807  * specified minimum MAC length.
   1808  */
   1809 TEST_F(SigningOperationsTest, HmacSha256TooSmallMacLength) {
   1810     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1811                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1812                                              .HmacKey(128)
   1813                                              .Digest(Digest::SHA_2_256)
   1814                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   1815     AuthorizationSet output_params;
   1816     EXPECT_EQ(
   1817         ErrorCode::INVALID_MAC_LENGTH,
   1818         Begin(
   1819             KeyPurpose::SIGN, key_blob_,
   1820             AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 120),
   1821             &output_params, &op_handle_));
   1822 }
   1823 
   1824 /*
   1825  * SigningOperationsTest.HmacRfc4231TestCase3
   1826  *
   1827  * Validates against the test vectors from RFC 4231 test case 3.
   1828  */
   1829 TEST_F(SigningOperationsTest, HmacRfc4231TestCase3) {
   1830     string key(20, 0xaa);
   1831     string message(50, 0xdd);
   1832     uint8_t sha_224_expected[] = {
   1833         0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
   1834         0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
   1835     };
   1836     uint8_t sha_256_expected[] = {
   1837         0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
   1838         0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
   1839         0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
   1840     };
   1841     uint8_t sha_384_expected[] = {
   1842         0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
   1843         0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
   1844         0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
   1845         0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
   1846     };
   1847     uint8_t sha_512_expected[] = {
   1848         0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
   1849         0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
   1850         0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
   1851         0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
   1852         0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
   1853     };
   1854 
   1855     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
   1856     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
   1857     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
   1858     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
   1859 }
   1860 
   1861 /*
   1862  * SigningOperationsTest.HmacRfc4231TestCase5
   1863  *
   1864  * Validates against the test vectors from RFC 4231 test case 5.
   1865  */
   1866 TEST_F(SigningOperationsTest, HmacRfc4231TestCase5) {
   1867     string key(20, 0x0c);
   1868     string message = "Test With Truncation";
   1869 
   1870     uint8_t sha_224_expected[] = {
   1871         0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
   1872         0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
   1873     };
   1874     uint8_t sha_256_expected[] = {
   1875         0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
   1876         0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
   1877     };
   1878     uint8_t sha_384_expected[] = {
   1879         0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
   1880         0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
   1881     };
   1882     uint8_t sha_512_expected[] = {
   1883         0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
   1884         0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
   1885     };
   1886 
   1887     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
   1888     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
   1889     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
   1890     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
   1891 }
   1892 
   1893 /*
   1894  * SigningOperationsTest.HmacRfc4231TestCase6
   1895  *
   1896  * Validates against the test vectors from RFC 4231 test case 6.
   1897  */
   1898 TEST_F(SigningOperationsTest, HmacRfc4231TestCase6) {
   1899     string key(131, 0xaa);
   1900     string message = "Test Using Larger Than Block-Size Key - Hash Key First";
   1901 
   1902     uint8_t sha_224_expected[] = {
   1903         0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
   1904         0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
   1905     };
   1906     uint8_t sha_256_expected[] = {
   1907         0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
   1908         0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
   1909         0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
   1910     };
   1911     uint8_t sha_384_expected[] = {
   1912         0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
   1913         0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
   1914         0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
   1915         0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
   1916     };
   1917     uint8_t sha_512_expected[] = {
   1918         0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
   1919         0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
   1920         0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
   1921         0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
   1922         0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
   1923     };
   1924 
   1925     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
   1926     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
   1927     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
   1928     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
   1929 }
   1930 
   1931 /*
   1932  * SigningOperationsTest.HmacRfc4231TestCase7
   1933  *
   1934  * Validates against the test vectors from RFC 4231 test case 7.
   1935  */
   1936 TEST_F(SigningOperationsTest, HmacRfc4231TestCase7) {
   1937     string key(131, 0xaa);
   1938     string message = "This is a test using a larger than block-size key and a larger than "
   1939                      "block-size data. The key needs to be hashed before being used by the HMAC "
   1940                      "algorithm.";
   1941 
   1942     uint8_t sha_224_expected[] = {
   1943         0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
   1944         0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
   1945     };
   1946     uint8_t sha_256_expected[] = {
   1947         0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
   1948         0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
   1949         0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
   1950     };
   1951     uint8_t sha_384_expected[] = {
   1952         0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
   1953         0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
   1954         0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
   1955         0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
   1956     };
   1957     uint8_t sha_512_expected[] = {
   1958         0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
   1959         0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
   1960         0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
   1961         0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
   1962         0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
   1963     };
   1964 
   1965     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
   1966     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
   1967     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
   1968     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
   1969 }
   1970 
   1971 typedef KeymasterHidlTest VerificationOperationsTest;
   1972 
   1973 /*
   1974  * VerificationOperationsTest.RsaSuccess
   1975  *
   1976  * Verifies that a simple RSA signature/verification sequence succeeds.
   1977  */
   1978 TEST_F(VerificationOperationsTest, RsaSuccess) {
   1979     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   1980                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   1981                                              .RsaSigningKey(1024, 3)
   1982                                              .Digest(Digest::NONE)
   1983                                              .Padding(PaddingMode::NONE)));
   1984     string message = "12345678901234567890123456789012";
   1985     string signature = SignMessage(
   1986         message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
   1987     VerifyMessage(message, signature,
   1988                   AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
   1989 }
   1990 
   1991 /*
   1992  * VerificationOperationsTest.RsaSuccess
   1993  *
   1994  * Verifies RSA signature/verification for all padding modes and digests.
   1995  */
   1996 TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
   1997     ASSERT_EQ(ErrorCode::OK,
   1998               GenerateKey(AuthorizationSetBuilder()
   1999                               .Authorization(TAG_NO_AUTH_REQUIRED)
   2000                               .RsaSigningKey(2048, 3)
   2001                               .Digest(Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
   2002                                       Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512)
   2003                               .Padding(PaddingMode::NONE)
   2004                               .Padding(PaddingMode::RSA_PSS)
   2005                               .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
   2006 
   2007     string message(128, 'a');
   2008     string corrupt_message(message);
   2009     ++corrupt_message[corrupt_message.size() / 2];
   2010 
   2011     for (auto padding :
   2012          {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
   2013 
   2014         for (auto digest : {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
   2015                             Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}) {
   2016             if (padding == PaddingMode::NONE && digest != Digest::NONE) {
   2017                 // Digesting only makes sense with padding.
   2018                 continue;
   2019             }
   2020 
   2021             if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
   2022                 // PSS requires digesting.
   2023                 continue;
   2024             }
   2025 
   2026             string signature =
   2027                 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
   2028             VerifyMessage(message, signature,
   2029                           AuthorizationSetBuilder().Digest(digest).Padding(padding));
   2030 
   2031             if (digest != Digest::NONE) {
   2032                 // Verify with OpenSSL.
   2033                 HidlBuf pubkey;
   2034                 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey));
   2035 
   2036                 const uint8_t* p = pubkey.data();
   2037                 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
   2038                 ASSERT_TRUE(pkey.get());
   2039 
   2040                 EVP_MD_CTX digest_ctx;
   2041                 EVP_MD_CTX_init(&digest_ctx);
   2042                 EVP_PKEY_CTX* pkey_ctx;
   2043                 const EVP_MD* md = openssl_digest(digest);
   2044                 ASSERT_NE(md, nullptr);
   2045                 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */,
   2046                                                   pkey.get()));
   2047 
   2048                 switch (padding) {
   2049                 case PaddingMode::RSA_PSS:
   2050                     EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING), 0);
   2051                     EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(md)), 0);
   2052                     break;
   2053                 case PaddingMode::RSA_PKCS1_1_5_SIGN:
   2054                     // PKCS1 is the default; don't need to set anything.
   2055                     break;
   2056                 default:
   2057                     FAIL();
   2058                     break;
   2059                 }
   2060 
   2061                 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
   2062                 EXPECT_EQ(1, EVP_DigestVerifyFinal(
   2063                                  &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
   2064                                  signature.size()));
   2065                 EVP_MD_CTX_cleanup(&digest_ctx);
   2066             }
   2067 
   2068             // Corrupt signature shouldn't verify.
   2069             string corrupt_signature(signature);
   2070             ++corrupt_signature[corrupt_signature.size() / 2];
   2071 
   2072             EXPECT_EQ(ErrorCode::OK,
   2073                       Begin(KeyPurpose::VERIFY,
   2074                             AuthorizationSetBuilder().Digest(digest).Padding(padding)));
   2075             string result;
   2076             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result));
   2077 
   2078             // Corrupt message shouldn't verify
   2079             EXPECT_EQ(ErrorCode::OK,
   2080                       Begin(KeyPurpose::VERIFY,
   2081                             AuthorizationSetBuilder().Digest(digest).Padding(padding)));
   2082             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result));
   2083         }
   2084     }
   2085 }
   2086 
   2087 /*
   2088  * VerificationOperationsTest.RsaSuccess
   2089  *
   2090  * Verifies ECDSA signature/verification for all digests and curves.
   2091  */
   2092 TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
   2093     auto digests = {
   2094         Digest::NONE,      Digest::SHA1,      Digest::SHA_2_224,
   2095         Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512,
   2096     };
   2097 
   2098     string message = "1234567890";
   2099     string corrupt_message = "2234567890";
   2100     for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) {
   2101         ErrorCode error = GenerateKey(AuthorizationSetBuilder()
   2102                                           .Authorization(TAG_NO_AUTH_REQUIRED)
   2103                                           .EcdsaSigningKey(curve)
   2104                                           .Digest(digests));
   2105         EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
   2106         if (error != ErrorCode::OK) {
   2107             continue;
   2108         }
   2109 
   2110         for (auto digest : digests) {
   2111             string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
   2112             VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
   2113 
   2114             // Verify with OpenSSL
   2115             if (digest != Digest::NONE) {
   2116                 HidlBuf pubkey;
   2117                 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey))
   2118                     << curve << ' ' << digest;
   2119 
   2120                 const uint8_t* p = pubkey.data();
   2121                 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
   2122                 ASSERT_TRUE(pkey.get());
   2123 
   2124                 EVP_MD_CTX digest_ctx;
   2125                 EVP_MD_CTX_init(&digest_ctx);
   2126                 EVP_PKEY_CTX* pkey_ctx;
   2127                 const EVP_MD* md = openssl_digest(digest);
   2128 
   2129                 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */,
   2130                                                   pkey.get()))
   2131                     << curve << ' ' << digest;
   2132 
   2133                 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()))
   2134                     << curve << ' ' << digest;
   2135 
   2136                 EXPECT_EQ(1, EVP_DigestVerifyFinal(
   2137                                  &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
   2138                                  signature.size()))
   2139                     << curve << ' ' << digest;
   2140 
   2141                 EVP_MD_CTX_cleanup(&digest_ctx);
   2142             }
   2143 
   2144             // Corrupt signature shouldn't verify.
   2145             string corrupt_signature(signature);
   2146             ++corrupt_signature[corrupt_signature.size() / 2];
   2147 
   2148             EXPECT_EQ(ErrorCode::OK,
   2149                       Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
   2150                 << curve << ' ' << digest;
   2151 
   2152             string result;
   2153             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result))
   2154                 << curve << ' ' << digest;
   2155 
   2156             // Corrupt message shouldn't verify
   2157             EXPECT_EQ(ErrorCode::OK,
   2158                       Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
   2159                 << curve << ' ' << digest;
   2160 
   2161             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result))
   2162                 << curve << ' ' << digest;
   2163         }
   2164 
   2165         auto rc = DeleteKey();
   2166         ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
   2167     }
   2168 }
   2169 
   2170 /*
   2171  * VerificationOperationsTest.HmacSigningKeyCannotVerify
   2172  *
   2173  * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
   2174  */
   2175 TEST_F(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
   2176     string key_material = "HelloThisIsAKey";
   2177 
   2178     HidlBuf signing_key, verification_key;
   2179     KeyCharacteristics signing_key_chars, verification_key_chars;
   2180     EXPECT_EQ(ErrorCode::OK,
   2181               ImportKey(AuthorizationSetBuilder()
   2182                             .Authorization(TAG_NO_AUTH_REQUIRED)
   2183                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
   2184                             .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
   2185                             .Digest(Digest::SHA1)
   2186                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
   2187                         KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
   2188     EXPECT_EQ(ErrorCode::OK,
   2189               ImportKey(AuthorizationSetBuilder()
   2190                             .Authorization(TAG_NO_AUTH_REQUIRED)
   2191                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
   2192                             .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
   2193                             .Digest(Digest::SHA1)
   2194                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
   2195                         KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
   2196 
   2197     string message = "This is a message.";
   2198     string signature = SignMessage(
   2199         signing_key, message,
   2200         AuthorizationSetBuilder().Digest(Digest::SHA1).Authorization(TAG_MAC_LENGTH, 160));
   2201 
   2202     // Signing key should not work.
   2203     AuthorizationSet out_params;
   2204     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
   2205               Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA1),
   2206                     &out_params, &op_handle_));
   2207 
   2208     // Verification key should work.
   2209     VerifyMessage(verification_key, message, signature,
   2210                   AuthorizationSetBuilder().Digest(Digest::SHA1));
   2211 
   2212     CheckedDeleteKey(&signing_key);
   2213     CheckedDeleteKey(&verification_key);
   2214 }
   2215 
   2216 typedef KeymasterHidlTest ExportKeyTest;
   2217 
   2218 /*
   2219  * ExportKeyTest.RsaUnsupportedKeyFormat
   2220  *
   2221  * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
   2222  */
   2223 TEST_F(ExportKeyTest, RsaUnsupportedKeyFormat) {
   2224     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2225                                              .RsaSigningKey(1024, 3)
   2226                                              .Digest(Digest::NONE)
   2227                                              .Padding(PaddingMode::NONE)));
   2228     HidlBuf export_data;
   2229     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data));
   2230 }
   2231 
   2232 /*
   2233  * ExportKeyTest.RsaCorruptedKeyBlob
   2234  *
   2235  * Verifies that attempting to export RSA keys from corrupted key blobs fails.  This is essentially
   2236  * a poor-man's key blob fuzzer.
   2237  */
   2238 // Disabled due to b/33385206
   2239 TEST_F(ExportKeyTest, DISABLED_RsaCorruptedKeyBlob) {
   2240     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2241                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2242                                              .RsaSigningKey(1024, 3)
   2243                                              .Digest(Digest::NONE)
   2244                                              .Padding(PaddingMode::NONE)));
   2245     for (size_t i = 0; i < key_blob_.size(); ++i) {
   2246         HidlBuf corrupted(key_blob_);
   2247         ++corrupted[i];
   2248 
   2249         HidlBuf export_data;
   2250         EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
   2251                   ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data))
   2252             << "Blob corrupted at offset " << i << " erroneously accepted as valid";
   2253     }
   2254 }
   2255 
   2256 /*
   2257  * ExportKeyTest.RsaCorruptedKeyBlob
   2258  *
   2259  * Verifies that attempting to export ECDSA keys from corrupted key blobs fails.  This is
   2260  * essentially a poor-man's key blob fuzzer.
   2261  */
   2262 // Disabled due to b/33385206
   2263 TEST_F(ExportKeyTest, DISABLED_EcCorruptedKeyBlob) {
   2264     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2265                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2266                                              .EcdsaSigningKey(EcCurve::P_256)
   2267                                              .Digest(Digest::NONE)));
   2268     for (size_t i = 0; i < key_blob_.size(); ++i) {
   2269         HidlBuf corrupted(key_blob_);
   2270         ++corrupted[i];
   2271 
   2272         HidlBuf export_data;
   2273         EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
   2274                   ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data))
   2275             << "Blob corrupted at offset " << i << " erroneously accepted as valid";
   2276     }
   2277 }
   2278 
   2279 /*
   2280  * ExportKeyTest.AesKeyUnexportable
   2281  *
   2282  * Verifies that attempting to export AES keys fails in the expected way.
   2283  */
   2284 TEST_F(ExportKeyTest, AesKeyUnexportable) {
   2285     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2286                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2287                                              .AesEncryptionKey(128)
   2288                                              .EcbMode()
   2289                                              .Padding(PaddingMode::NONE)));
   2290 
   2291     HidlBuf export_data;
   2292     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::X509, &export_data));
   2293     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data));
   2294     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::RAW, &export_data));
   2295 }
   2296 typedef KeymasterHidlTest ImportKeyTest;
   2297 
   2298 /*
   2299  * ImportKeyTest.RsaSuccess
   2300  *
   2301  * Verifies that importing and using an RSA key pair works correctly.
   2302  */
   2303 TEST_F(ImportKeyTest, RsaSuccess) {
   2304     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
   2305                                            .Authorization(TAG_NO_AUTH_REQUIRED)
   2306                                            .RsaSigningKey(1024, 65537)
   2307                                            .Digest(Digest::SHA_2_256)
   2308                                            .Padding(PaddingMode::RSA_PSS),
   2309                                        KeyFormat::PKCS8, rsa_key));
   2310 
   2311     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::RSA);
   2312     CheckKm0CryptoParam(TAG_KEY_SIZE, 1024U);
   2313     CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
   2314     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
   2315     CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
   2316     CheckOrigin();
   2317 
   2318     string message(1024 / 8, 'a');
   2319     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
   2320     string signature = SignMessage(message, params);
   2321     VerifyMessage(message, signature, params);
   2322 }
   2323 
   2324 /*
   2325  * ImportKeyTest.RsaKeySizeMismatch
   2326  *
   2327  * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
   2328  * correct way.
   2329  */
   2330 TEST_F(ImportKeyTest, RsaKeySizeMismatch) {
   2331     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
   2332               ImportKey(AuthorizationSetBuilder()
   2333                             .RsaSigningKey(2048 /* Doesn't match key */, 65537)
   2334                             .Digest(Digest::NONE)
   2335                             .Padding(PaddingMode::NONE),
   2336                         KeyFormat::PKCS8, rsa_key));
   2337 }
   2338 
   2339 /*
   2340  * ImportKeyTest.RsaPublicExponentMismatch
   2341  *
   2342  * Verifies that importing an RSA key pair with a public exponent that doesn't match the key fails
   2343  * in the correct way.
   2344  */
   2345 TEST_F(ImportKeyTest, RsaPublicExponentMismatch) {
   2346     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
   2347               ImportKey(AuthorizationSetBuilder()
   2348                             .RsaSigningKey(1024, 3 /* Doesn't match key */)
   2349                             .Digest(Digest::NONE)
   2350                             .Padding(PaddingMode::NONE),
   2351                         KeyFormat::PKCS8, rsa_key));
   2352 }
   2353 
   2354 /*
   2355  * ImportKeyTest.EcdsaSuccess
   2356  *
   2357  * Verifies that importing and using an ECDSA P-256 key pair works correctly.
   2358  */
   2359 TEST_F(ImportKeyTest, EcdsaSuccess) {
   2360     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
   2361                                            .Authorization(TAG_NO_AUTH_REQUIRED)
   2362                                            .EcdsaSigningKey(256)
   2363                                            .Digest(Digest::SHA_2_256),
   2364                                        KeyFormat::PKCS8, ec_256_key))
   2365         << "(Possibly b/33945114)";
   2366 
   2367     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC);
   2368     CheckKm0CryptoParam(TAG_KEY_SIZE, 256U);
   2369     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
   2370     CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);
   2371 
   2372     CheckOrigin();
   2373 
   2374     string message(32, 'a');
   2375     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
   2376     string signature = SignMessage(message, params);
   2377     VerifyMessage(message, signature, params);
   2378 }
   2379 
   2380 /*
   2381  * ImportKeyTest.Ecdsa521Success
   2382  *
   2383  * Verifies that importing and using an ECDSA P-521 key pair works correctly.
   2384  */
   2385 TEST_F(ImportKeyTest, Ecdsa521Success) {
   2386     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
   2387                                            .Authorization(TAG_NO_AUTH_REQUIRED)
   2388                                            .EcdsaSigningKey(521)
   2389                                            .Digest(Digest::SHA_2_256),
   2390                                        KeyFormat::PKCS8, ec_521_key))
   2391         << "(Possibly b/33945114)";
   2392 
   2393     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC);
   2394     CheckKm0CryptoParam(TAG_KEY_SIZE, 521U);
   2395     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
   2396     CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);
   2397 
   2398     CheckOrigin();
   2399 
   2400     string message(32, 'a');
   2401     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
   2402     string signature = SignMessage(message, params);
   2403     VerifyMessage(message, signature, params);
   2404 }
   2405 
   2406 /*
   2407  * ImportKeyTest.EcdsaSizeMismatch
   2408  *
   2409  * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the
   2410  * correct way.
   2411  */
   2412 TEST_F(ImportKeyTest, EcdsaSizeMismatch) {
   2413     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
   2414               ImportKey(AuthorizationSetBuilder()
   2415                             .EcdsaSigningKey(224 /* Doesn't match key */)
   2416                             .Digest(Digest::NONE),
   2417                         KeyFormat::PKCS8, ec_256_key));
   2418 }
   2419 
   2420 /*
   2421  * ImportKeyTest.EcdsaCurveMismatch
   2422  *
   2423  * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in the
   2424  * correct way.
   2425  */
   2426 TEST_F(ImportKeyTest, EcdsaCurveMismatch) {
   2427     if (SupportsSymmetric() && !SupportsAttestation()) {
   2428         // KM1 hardware doesn't know about curves
   2429         return;
   2430     }
   2431 
   2432     ASSERT_EQ(
   2433         ErrorCode::IMPORT_PARAMETER_MISMATCH,
   2434         ImportKey(AuthorizationSetBuilder()
   2435                       .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
   2436                       .Digest(Digest::NONE),
   2437                   KeyFormat::PKCS8, ec_256_key))
   2438         << "(Possibly b/36233241)";
   2439 }
   2440 
   2441 /*
   2442  * ImportKeyTest.AesSuccess
   2443  *
   2444  * Verifies that importing and using an AES key works.
   2445  */
   2446 TEST_F(ImportKeyTest, AesSuccess) {
   2447     string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
   2448     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
   2449                                            .Authorization(TAG_NO_AUTH_REQUIRED)
   2450                                            .AesEncryptionKey(key.size() * 8)
   2451                                            .EcbMode()
   2452                                            .Padding(PaddingMode::PKCS7),
   2453                                        KeyFormat::RAW, key));
   2454 
   2455     CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::AES);
   2456     CheckKm1CryptoParam(TAG_KEY_SIZE, 128U);
   2457     CheckKm1CryptoParam(TAG_PADDING, PaddingMode::PKCS7);
   2458     CheckKm1CryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
   2459     CheckOrigin();
   2460 
   2461     string message = "Hello World!";
   2462     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
   2463     string ciphertext = EncryptMessage(message, params);
   2464     string plaintext = DecryptMessage(ciphertext, params);
   2465     EXPECT_EQ(message, plaintext);
   2466 }
   2467 
   2468 /*
   2469  * ImportKeyTest.AesSuccess
   2470  *
   2471  * Verifies that importing and using an HMAC key works.
   2472  */
   2473 TEST_F(ImportKeyTest, HmacKeySuccess) {
   2474     string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
   2475     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
   2476                                            .Authorization(TAG_NO_AUTH_REQUIRED)
   2477                                            .HmacKey(key.size() * 8)
   2478                                            .Digest(Digest::SHA_2_256)
   2479                                            .Authorization(TAG_MIN_MAC_LENGTH, 256),
   2480                                        KeyFormat::RAW, key));
   2481 
   2482     CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
   2483     CheckKm1CryptoParam(TAG_KEY_SIZE, 128U);
   2484     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
   2485     CheckOrigin();
   2486 
   2487     string message = "Hello World!";
   2488     string signature = MacMessage(message, Digest::SHA_2_256, 256);
   2489     VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
   2490 }
   2491 
   2492 typedef KeymasterHidlTest EncryptionOperationsTest;
   2493 
   2494 /*
   2495  * EncryptionOperationsTest.RsaNoPaddingSuccess
   2496  *
   2497  * Verifies that raw RSA encryption works.
   2498  */
   2499 TEST_F(EncryptionOperationsTest, RsaNoPaddingSuccess) {
   2500     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2501                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2502                                              .RsaEncryptionKey(1024, 3)
   2503                                              .Padding(PaddingMode::NONE)));
   2504 
   2505     string message = string(1024 / 8, 'a');
   2506     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
   2507     string ciphertext1 = EncryptMessage(message, params);
   2508     EXPECT_EQ(1024U / 8, ciphertext1.size());
   2509 
   2510     string ciphertext2 = EncryptMessage(message, params);
   2511     EXPECT_EQ(1024U / 8, ciphertext2.size());
   2512 
   2513     // Unpadded RSA is deterministic
   2514     EXPECT_EQ(ciphertext1, ciphertext2);
   2515 }
   2516 
   2517 /*
   2518  * EncryptionOperationsTest.RsaNoPaddingShortMessage
   2519  *
   2520  * Verifies that raw RSA encryption of short messages works.
   2521  */
   2522 TEST_F(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
   2523     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2524                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2525                                              .RsaEncryptionKey(1024, 3)
   2526                                              .Padding(PaddingMode::NONE)));
   2527 
   2528     string message = "1";
   2529     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
   2530 
   2531     string ciphertext = EncryptMessage(message, params);
   2532     EXPECT_EQ(1024U / 8, ciphertext.size());
   2533 
   2534     string expected_plaintext = string(1024 / 8 - 1, 0) + message;
   2535     string plaintext = DecryptMessage(ciphertext, params);
   2536 
   2537     EXPECT_EQ(expected_plaintext, plaintext);
   2538 
   2539     // Degenerate case, encrypting a numeric 1 yields 0x00..01 as the ciphertext.
   2540     message = static_cast<char>(1);
   2541     ciphertext = EncryptMessage(message, params);
   2542     EXPECT_EQ(1024U / 8, ciphertext.size());
   2543     EXPECT_EQ(ciphertext, string(1024 / 8 - 1, 0) + message);
   2544 }
   2545 
   2546 /*
   2547  * EncryptionOperationsTest.RsaNoPaddingTooLong
   2548  *
   2549  * Verifies that raw RSA encryption of too-long messages fails in the expected way.
   2550  */
   2551 TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLong) {
   2552     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2553                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2554                                              .RsaEncryptionKey(1024, 3)
   2555                                              .Padding(PaddingMode::NONE)));
   2556 
   2557     string message(1024 / 8 + 1, 'a');
   2558 
   2559     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
   2560     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
   2561 
   2562     string result;
   2563     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
   2564 }
   2565 
   2566 /*
   2567  * EncryptionOperationsTest.RsaNoPaddingTooLong
   2568  *
   2569  * Verifies that raw RSA encryption of too-large (numerically) messages fails in the expected way.
   2570  */
   2571 TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLarge) {
   2572     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2573                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2574                                              .RsaEncryptionKey(1024, 3)
   2575                                              .Padding(PaddingMode::NONE)));
   2576 
   2577     HidlBuf exported;
   2578     ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &exported));
   2579 
   2580     const uint8_t* p = exported.data();
   2581     EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
   2582     RSA_Ptr rsa(EVP_PKEY_get1_RSA(pkey.get()));
   2583 
   2584     size_t modulus_len = BN_num_bytes(rsa->n);
   2585     ASSERT_EQ(1024U / 8, modulus_len);
   2586     std::unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
   2587     BN_bn2bin(rsa->n, modulus_buf.get());
   2588 
   2589     // The modulus is too big to encrypt.
   2590     string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
   2591 
   2592     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
   2593     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
   2594 
   2595     string result;
   2596     EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result));
   2597 
   2598     // One smaller than the modulus is okay.
   2599     BN_sub(rsa->n, rsa->n, BN_value_one());
   2600     modulus_len = BN_num_bytes(rsa->n);
   2601     ASSERT_EQ(1024U / 8, modulus_len);
   2602     BN_bn2bin(rsa->n, modulus_buf.get());
   2603     message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
   2604     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
   2605     EXPECT_EQ(ErrorCode::OK, Finish(message, &result));
   2606 }
   2607 
   2608 /*
   2609  * EncryptionOperationsTest.RsaOaepSuccess
   2610  *
   2611  * Verifies that RSA-OAEP encryption operations work, with all digests.
   2612  */
   2613 TEST_F(EncryptionOperationsTest, RsaOaepSuccess) {
   2614     auto digests = {Digest::MD5,       Digest::SHA1,      Digest::SHA_2_224,
   2615                     Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
   2616 
   2617     size_t key_size = 2048;  // Need largish key for SHA-512 test.
   2618     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2619                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2620                                              .RsaEncryptionKey(key_size, 3)
   2621                                              .Padding(PaddingMode::RSA_OAEP)
   2622                                              .Digest(digests)));
   2623 
   2624     string message = "Hello";
   2625 
   2626     for (auto digest : digests) {
   2627         auto params = AuthorizationSetBuilder().Digest(digest).Padding(PaddingMode::RSA_OAEP);
   2628         string ciphertext1 = EncryptMessage(message, params);
   2629         if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
   2630         EXPECT_EQ(key_size / 8, ciphertext1.size());
   2631 
   2632         string ciphertext2 = EncryptMessage(message, params);
   2633         EXPECT_EQ(key_size / 8, ciphertext2.size());
   2634 
   2635         // OAEP randomizes padding so every result should be different (with astronomically high
   2636         // probability).
   2637         EXPECT_NE(ciphertext1, ciphertext2);
   2638 
   2639         string plaintext1 = DecryptMessage(ciphertext1, params);
   2640         EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
   2641         string plaintext2 = DecryptMessage(ciphertext2, params);
   2642         EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
   2643 
   2644         // Decrypting corrupted ciphertext should fail.
   2645         size_t offset_to_corrupt = random() % ciphertext1.size();
   2646         char corrupt_byte;
   2647         do {
   2648             corrupt_byte = static_cast<char>(random() % 256);
   2649         } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
   2650         ciphertext1[offset_to_corrupt] = corrupt_byte;
   2651 
   2652         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   2653         string result;
   2654         EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
   2655         EXPECT_EQ(0U, result.size());
   2656     }
   2657 }
   2658 
   2659 /*
   2660  * EncryptionOperationsTest.RsaOaepInvalidDigest
   2661  *
   2662  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
   2663  * without a digest.
   2664  */
   2665 TEST_F(EncryptionOperationsTest, RsaOaepInvalidDigest) {
   2666     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2667                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2668                                              .RsaEncryptionKey(1024, 3)
   2669                                              .Padding(PaddingMode::RSA_OAEP)
   2670                                              .Digest(Digest::NONE)));
   2671     string message = "Hello World!";
   2672 
   2673     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
   2674     EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
   2675 }
   2676 
   2677 /*
   2678  * EncryptionOperationsTest.RsaOaepInvalidDigest
   2679  *
   2680  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to decrypt with a
   2681  * different digest than was used to encrypt.
   2682  */
   2683 TEST_F(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
   2684     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2685                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2686                                              .RsaEncryptionKey(1024, 3)
   2687                                              .Padding(PaddingMode::RSA_OAEP)
   2688                                              .Digest(Digest::SHA_2_256, Digest::SHA_2_224)));
   2689     string message = "Hello World!";
   2690     string ciphertext = EncryptMessage(
   2691         message,
   2692         AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
   2693 
   2694     EXPECT_EQ(
   2695         ErrorCode::OK,
   2696         Begin(KeyPurpose::DECRYPT,
   2697               AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));
   2698     string result;
   2699     EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
   2700     EXPECT_EQ(0U, result.size());
   2701 }
   2702 
   2703 /*
   2704  * EncryptionOperationsTest.RsaOaepTooLarge
   2705  *
   2706  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to encrypt a
   2707  * too-large message.
   2708  */
   2709 TEST_F(EncryptionOperationsTest, RsaOaepTooLarge) {
   2710     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2711                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2712                                              .RsaEncryptionKey(1024, 3)
   2713                                              .Padding(PaddingMode::RSA_OAEP)
   2714                                              .Digest(Digest::SHA1)));
   2715     constexpr size_t digest_size = 160 /* SHA1 */ / 8;
   2716     constexpr size_t oaep_overhead = 2 * digest_size + 2;
   2717     string message(1024 / 8 - oaep_overhead + 1, 'a');
   2718     EXPECT_EQ(ErrorCode::OK,
   2719               Begin(KeyPurpose::ENCRYPT,
   2720                     AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA1)));
   2721     string result;
   2722     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
   2723     EXPECT_EQ(0U, result.size());
   2724 }
   2725 
   2726 /*
   2727  * EncryptionOperationsTest.RsaPkcs1Success
   2728  *
   2729  * Verifies that RSA PKCS encryption/decrypts works.
   2730  */
   2731 TEST_F(EncryptionOperationsTest, RsaPkcs1Success) {
   2732     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2733                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2734                                              .RsaEncryptionKey(1024, 3)
   2735                                              .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
   2736 
   2737     string message = "Hello World!";
   2738     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
   2739     string ciphertext1 = EncryptMessage(message, params);
   2740     EXPECT_EQ(1024U / 8, ciphertext1.size());
   2741 
   2742     string ciphertext2 = EncryptMessage(message, params);
   2743     EXPECT_EQ(1024U / 8, ciphertext2.size());
   2744 
   2745     // PKCS1 v1.5 randomizes padding so every result should be different.
   2746     EXPECT_NE(ciphertext1, ciphertext2);
   2747 
   2748     string plaintext = DecryptMessage(ciphertext1, params);
   2749     EXPECT_EQ(message, plaintext);
   2750 
   2751     // Decrypting corrupted ciphertext should fail.
   2752     size_t offset_to_corrupt = random() % ciphertext1.size();
   2753     char corrupt_byte;
   2754     do {
   2755         corrupt_byte = static_cast<char>(random() % 256);
   2756     } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
   2757     ciphertext1[offset_to_corrupt] = corrupt_byte;
   2758 
   2759     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   2760     string result;
   2761     EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
   2762     EXPECT_EQ(0U, result.size());
   2763 }
   2764 
   2765 /*
   2766  * EncryptionOperationsTest.RsaPkcs1TooLarge
   2767  *
   2768  * Verifies that RSA PKCS encryption fails in the correct way when the mssage is too large.
   2769  */
   2770 TEST_F(EncryptionOperationsTest, RsaPkcs1TooLarge) {
   2771     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2772                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2773                                              .RsaEncryptionKey(1024, 3)
   2774                                              .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
   2775     string message(1024 / 8 - 10, 'a');
   2776 
   2777     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
   2778     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
   2779     string result;
   2780     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
   2781     EXPECT_EQ(0U, result.size());
   2782 }
   2783 
   2784 /*
   2785  * EncryptionOperationsTest.EcdsaEncrypt
   2786  *
   2787  * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
   2788  */
   2789 TEST_F(EncryptionOperationsTest, EcdsaEncrypt) {
   2790     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2791                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2792                                              .EcdsaSigningKey(224)
   2793                                              .Digest(Digest::NONE)));
   2794     auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
   2795     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params))
   2796         << "(Possibly b/33543625)";
   2797     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params))
   2798         << "(Possibly b/33543625)";
   2799 }
   2800 
   2801 /*
   2802  * EncryptionOperationsTest.HmacEncrypt
   2803  *
   2804  * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
   2805  */
   2806 TEST_F(EncryptionOperationsTest, HmacEncrypt) {
   2807     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2808                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2809                                              .HmacKey(128)
   2810                                              .Digest(Digest::SHA_2_256)
   2811                                              .Padding(PaddingMode::NONE)
   2812                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   2813     auto params = AuthorizationSetBuilder()
   2814                       .Digest(Digest::SHA_2_256)
   2815                       .Padding(PaddingMode::NONE)
   2816                       .Authorization(TAG_MAC_LENGTH, 128);
   2817     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params))
   2818         << "(Possibly b/33543625)";
   2819     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params))
   2820         << "(Possibly b/33543625)";
   2821 }
   2822 
   2823 /*
   2824  * EncryptionOperationsTest.AesEcbRoundTripSuccess
   2825  *
   2826  * Verifies that AES ECB mode works.
   2827  */
   2828 TEST_F(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
   2829     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2830                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2831                                              .AesEncryptionKey(128)
   2832                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
   2833                                              .Padding(PaddingMode::NONE)));
   2834 
   2835     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
   2836 
   2837     // Two-block message.
   2838     string message = "12345678901234567890123456789012";
   2839     string ciphertext1 = EncryptMessage(message, params);
   2840     EXPECT_EQ(message.size(), ciphertext1.size());
   2841 
   2842     string ciphertext2 = EncryptMessage(string(message), params);
   2843     EXPECT_EQ(message.size(), ciphertext2.size());
   2844 
   2845     // ECB is deterministic.
   2846     EXPECT_EQ(ciphertext1, ciphertext2);
   2847 
   2848     string plaintext = DecryptMessage(ciphertext1, params);
   2849     EXPECT_EQ(message, plaintext);
   2850 }
   2851 
   2852 /*
   2853  * EncryptionOperationsTest.AesEcbRoundTripSuccess
   2854  *
   2855  * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
   2856  */
   2857 TEST_F(EncryptionOperationsTest, AesWrongMode) {
   2858     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2859                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2860                                              .AesEncryptionKey(128)
   2861                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
   2862                                              .Padding(PaddingMode::NONE)));
   2863     // Two-block message.
   2864     string message = "12345678901234567890123456789012";
   2865     EXPECT_EQ(
   2866         ErrorCode::INCOMPATIBLE_BLOCK_MODE,
   2867         Begin(KeyPurpose::ENCRYPT,
   2868               AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
   2869 }
   2870 
   2871 /*
   2872  * EncryptionOperationsTest.AesEcbNoPaddingWrongInputSize
   2873  *
   2874  * Verifies that AES encryption fails in the correct way when provided an input that is not a
   2875  * multiple of the block size and no padding is specified.
   2876  */
   2877 TEST_F(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
   2878     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2879                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2880                                              .AesEncryptionKey(128)
   2881                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
   2882                                              .Padding(PaddingMode::NONE)));
   2883     // Message is slightly shorter than two blocks.
   2884     string message(16 * 2 - 1, 'a');
   2885 
   2886     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
   2887     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
   2888     string ciphertext;
   2889     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
   2890     EXPECT_EQ(0U, ciphertext.size());
   2891 }
   2892 
   2893 /*
   2894  * EncryptionOperationsTest.AesEcbPkcs7Padding
   2895  *
   2896  * Verifies that AES PKCS7 padding works for any message length.
   2897  */
   2898 TEST_F(EncryptionOperationsTest, AesEcbPkcs7Padding) {
   2899     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2900                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2901                                              .AesEncryptionKey(128)
   2902                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
   2903                                              .Padding(PaddingMode::PKCS7)));
   2904 
   2905     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
   2906 
   2907     // Try various message lengths; all should work.
   2908     for (size_t i = 0; i < 32; ++i) {
   2909         string message(i, 'a');
   2910         string ciphertext = EncryptMessage(message, params);
   2911         EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
   2912         string plaintext = DecryptMessage(ciphertext, params);
   2913         EXPECT_EQ(message, plaintext);
   2914     }
   2915 }
   2916 
   2917 /*
   2918  * EncryptionOperationsTest.AesEcbWrongPadding
   2919  *
   2920  * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
   2921  * specified.
   2922  */
   2923 TEST_F(EncryptionOperationsTest, AesEcbWrongPadding) {
   2924     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2925                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2926                                              .AesEncryptionKey(128)
   2927                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
   2928                                              .Padding(PaddingMode::NONE)));
   2929 
   2930     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
   2931 
   2932     // Try various message lengths; all should fail
   2933     for (size_t i = 0; i < 32; ++i) {
   2934         string message(i, 'a');
   2935         EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
   2936     }
   2937 }
   2938 
   2939 /*
   2940  * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
   2941  *
   2942  * Verifies that AES decryption fails in the correct way when the padding is corrupted.
   2943  */
   2944 TEST_F(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
   2945     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2946                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2947                                              .AesEncryptionKey(128)
   2948                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
   2949                                              .Padding(PaddingMode::PKCS7)));
   2950 
   2951     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
   2952 
   2953     string message = "a";
   2954     string ciphertext = EncryptMessage(message, params);
   2955     EXPECT_EQ(16U, ciphertext.size());
   2956     EXPECT_NE(ciphertext, message);
   2957     ++ciphertext[ciphertext.size() / 2];
   2958 
   2959     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   2960     string plaintext;
   2961     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext));
   2962 }
   2963 
   2964 HidlBuf CopyIv(const AuthorizationSet& set) {
   2965     auto iv = set.GetTagValue(TAG_NONCE);
   2966     EXPECT_TRUE(iv.isOk());
   2967     return iv.value();
   2968 }
   2969 
   2970 /*
   2971  * EncryptionOperationsTest.AesCtrRoundTripSuccess
   2972  *
   2973  * Verifies that AES CTR mode works.
   2974  */
   2975 TEST_F(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
   2976     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   2977                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   2978                                              .AesEncryptionKey(128)
   2979                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
   2980                                              .Padding(PaddingMode::NONE)));
   2981 
   2982     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
   2983 
   2984     string message = "123";
   2985     AuthorizationSet out_params;
   2986     string ciphertext1 = EncryptMessage(message, params, &out_params);
   2987     HidlBuf iv1 = CopyIv(out_params);
   2988     EXPECT_EQ(16U, iv1.size());
   2989 
   2990     EXPECT_EQ(message.size(), ciphertext1.size());
   2991 
   2992     out_params.Clear();
   2993     string ciphertext2 = EncryptMessage(message, params, &out_params);
   2994     HidlBuf iv2 = CopyIv(out_params);
   2995     EXPECT_EQ(16U, iv2.size());
   2996 
   2997     // IVs should be random, so ciphertexts should differ.
   2998     EXPECT_NE(ciphertext1, ciphertext2);
   2999 
   3000     auto params_iv1 =
   3001         AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
   3002     auto params_iv2 =
   3003         AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
   3004 
   3005     string plaintext = DecryptMessage(ciphertext1, params_iv1);
   3006     EXPECT_EQ(message, plaintext);
   3007     plaintext = DecryptMessage(ciphertext2, params_iv2);
   3008     EXPECT_EQ(message, plaintext);
   3009 
   3010     // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
   3011     plaintext = DecryptMessage(ciphertext1, params_iv2);
   3012     EXPECT_NE(message, plaintext);
   3013     plaintext = DecryptMessage(ciphertext2, params_iv1);
   3014     EXPECT_NE(message, plaintext);
   3015 }
   3016 
   3017 /*
   3018  * EncryptionOperationsTest.AesIncremental
   3019  *
   3020  * Verifies that AES works, all modes, when provided data in various size increments.
   3021  */
   3022 TEST_F(EncryptionOperationsTest, AesIncremental) {
   3023     auto block_modes = {
   3024         BlockMode::ECB, BlockMode::CBC, BlockMode::CTR, BlockMode::GCM,
   3025     };
   3026 
   3027     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3028                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3029                                              .AesEncryptionKey(128)
   3030                                              .BlockMode(block_modes)
   3031                                              .Padding(PaddingMode::NONE)
   3032                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3033 
   3034     for (int increment = 1; increment <= 240; ++increment) {
   3035         for (auto block_mode : block_modes) {
   3036             string message(240, 'a');
   3037             auto params = AuthorizationSetBuilder()
   3038                               .BlockMode(block_mode)
   3039                               .Padding(PaddingMode::NONE)
   3040                               .Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
   3041 
   3042             AuthorizationSet output_params;
   3043             EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
   3044 
   3045             string ciphertext;
   3046             size_t input_consumed;
   3047             string to_send;
   3048             for (size_t i = 0; i < message.size(); i += increment) {
   3049                 to_send.append(message.substr(i, increment));
   3050                 EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed));
   3051                 to_send = to_send.substr(input_consumed);
   3052 
   3053                 switch (block_mode) {
   3054                 case BlockMode::ECB:
   3055                 case BlockMode::CBC:
   3056                     // Implementations must take as many blocks as possible, leaving less than
   3057                     // a block.
   3058                     EXPECT_LE(to_send.length(), 16U);
   3059                     break;
   3060                 case BlockMode::GCM:
   3061                 case BlockMode::CTR:
   3062                     // Implementations must always take all the data.
   3063                     EXPECT_EQ(0U, to_send.length());
   3064                     break;
   3065                 }
   3066             }
   3067             EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext)) << "Error sending " << to_send;
   3068 
   3069             switch (block_mode) {
   3070             case BlockMode::GCM:
   3071                 EXPECT_EQ(message.size() + 16, ciphertext.size());
   3072                 break;
   3073             case BlockMode::CTR:
   3074                 EXPECT_EQ(message.size(), ciphertext.size());
   3075                 break;
   3076             case BlockMode::CBC:
   3077             case BlockMode::ECB:
   3078                 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
   3079                 break;
   3080             }
   3081 
   3082             auto iv = output_params.GetTagValue(TAG_NONCE);
   3083             switch (block_mode) {
   3084             case BlockMode::CBC:
   3085             case BlockMode::GCM:
   3086             case BlockMode::CTR:
   3087                 ASSERT_TRUE(iv.isOk()) << "No IV for block mode " << block_mode;
   3088                 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv.value().size());
   3089                 params.push_back(TAG_NONCE, iv.value());
   3090                 break;
   3091 
   3092             case BlockMode::ECB:
   3093                 EXPECT_FALSE(iv.isOk()) << "ECB mode should not generate IV";
   3094                 break;
   3095             }
   3096 
   3097             EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
   3098                 << "Decrypt begin() failed for block mode " << block_mode;
   3099 
   3100             string plaintext;
   3101             for (size_t i = 0; i < ciphertext.size(); i += increment) {
   3102                 to_send.append(ciphertext.substr(i, increment));
   3103                 EXPECT_EQ(ErrorCode::OK, Update(to_send, &plaintext, &input_consumed));
   3104                 to_send = to_send.substr(input_consumed);
   3105             }
   3106             ErrorCode error = Finish(to_send, &plaintext);
   3107             ASSERT_EQ(ErrorCode::OK, error)
   3108                 << "Decryption failed for block mode " << block_mode << " and increment "
   3109                 << increment << " (Possibly b/33584622)";
   3110             if (error == ErrorCode::OK) {
   3111                 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
   3112                                               << block_mode << " and increment " << increment;
   3113             }
   3114         }
   3115     }
   3116 }
   3117 
   3118 struct AesCtrSp80038aTestVector {
   3119     const char* key;
   3120     const char* nonce;
   3121     const char* plaintext;
   3122     const char* ciphertext;
   3123 };
   3124 
   3125 // These test vectors are taken from
   3126 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
   3127 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
   3128     // AES-128
   3129     {
   3130         "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
   3131         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
   3132         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
   3133         "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
   3134         "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
   3135     },
   3136     // AES-192
   3137     {
   3138         "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
   3139         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
   3140         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
   3141         "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
   3142         "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
   3143     },
   3144     // AES-256
   3145     {
   3146         "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
   3147         "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
   3148         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
   3149         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
   3150         "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
   3151         "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
   3152     },
   3153 };
   3154 
   3155 /*
   3156  * EncryptionOperationsTest.AesCtrSp80038aTestVector
   3157  *
   3158  * Verifies AES CTR implementation against SP800-38A test vectors.
   3159  */
   3160 TEST_F(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
   3161     for (size_t i = 0; i < 3; i++) {
   3162         const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
   3163         const string key = hex2str(test.key);
   3164         const string nonce = hex2str(test.nonce);
   3165         const string plaintext = hex2str(test.plaintext);
   3166         const string ciphertext = hex2str(test.ciphertext);
   3167         CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
   3168     }
   3169 }
   3170 
   3171 /*
   3172  * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
   3173  *
   3174  * Verifies that keymaster rejects use of CTR mode with PKCS7 padding in the correct way.
   3175  */
   3176 TEST_F(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
   3177     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3178                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3179                                              .AesEncryptionKey(128)
   3180                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
   3181                                              .Padding(PaddingMode::PKCS7)));
   3182     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
   3183     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
   3184 }
   3185 
   3186 /*
   3187  * EncryptionOperationsTest.AesCtrInvalidCallerNonce
   3188  *
   3189  * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce.
   3190  */
   3191 TEST_F(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
   3192     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3193                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3194                                              .AesEncryptionKey(128)
   3195                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
   3196                                              .Authorization(TAG_CALLER_NONCE)
   3197                                              .Padding(PaddingMode::NONE)));
   3198 
   3199     auto params = AuthorizationSetBuilder()
   3200                       .BlockMode(BlockMode::CTR)
   3201                       .Padding(PaddingMode::NONE)
   3202                       .Authorization(TAG_NONCE, HidlBuf(string(1, 'a')));
   3203     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
   3204 
   3205     params = AuthorizationSetBuilder()
   3206                  .BlockMode(BlockMode::CTR)
   3207                  .Padding(PaddingMode::NONE)
   3208                  .Authorization(TAG_NONCE, HidlBuf(string(15, 'a')));
   3209     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
   3210 
   3211     params = AuthorizationSetBuilder()
   3212                  .BlockMode(BlockMode::CTR)
   3213                  .Padding(PaddingMode::NONE)
   3214                  .Authorization(TAG_NONCE, HidlBuf(string(17, 'a')));
   3215     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
   3216 }
   3217 
   3218 /*
   3219  * EncryptionOperationsTest.AesCtrInvalidCallerNonce
   3220  *
   3221  * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce.
   3222  */
   3223 TEST_F(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
   3224     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3225                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3226                                              .AesEncryptionKey(128)
   3227                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
   3228                                              .Padding(PaddingMode::NONE)));
   3229     // Two-block message.
   3230     string message = "12345678901234567890123456789012";
   3231     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
   3232     AuthorizationSet out_params;
   3233     string ciphertext1 = EncryptMessage(message, params, &out_params);
   3234     HidlBuf iv1 = CopyIv(out_params);
   3235     EXPECT_EQ(message.size(), ciphertext1.size());
   3236 
   3237     out_params.Clear();
   3238 
   3239     string ciphertext2 = EncryptMessage(message, params, &out_params);
   3240     HidlBuf iv2 = CopyIv(out_params);
   3241     EXPECT_EQ(message.size(), ciphertext2.size());
   3242 
   3243     // IVs should be random, so ciphertexts should differ.
   3244     EXPECT_NE(ciphertext1, ciphertext2);
   3245 
   3246     params.push_back(TAG_NONCE, iv1);
   3247     string plaintext = DecryptMessage(ciphertext1, params);
   3248     EXPECT_EQ(message, plaintext);
   3249 }
   3250 
   3251 /*
   3252  * EncryptionOperationsTest.AesCallerNonce
   3253  *
   3254  * Verifies that AES caller-provided nonces work correctly.
   3255  */
   3256 TEST_F(EncryptionOperationsTest, AesCallerNonce) {
   3257     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3258                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3259                                              .AesEncryptionKey(128)
   3260                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
   3261                                              .Authorization(TAG_CALLER_NONCE)
   3262                                              .Padding(PaddingMode::NONE)));
   3263 
   3264     string message = "12345678901234567890123456789012";
   3265 
   3266     // Don't specify nonce, should get a random one.
   3267     AuthorizationSetBuilder params =
   3268         AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
   3269     AuthorizationSet out_params;
   3270     string ciphertext = EncryptMessage(message, params, &out_params);
   3271     EXPECT_EQ(message.size(), ciphertext.size());
   3272     EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size());
   3273 
   3274     params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value());
   3275     string plaintext = DecryptMessage(ciphertext, params);
   3276     EXPECT_EQ(message, plaintext);
   3277 
   3278     // Now specify a nonce, should also work.
   3279     params = AuthorizationSetBuilder()
   3280                  .BlockMode(BlockMode::CBC)
   3281                  .Padding(PaddingMode::NONE)
   3282                  .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop"));
   3283     out_params.Clear();
   3284     ciphertext = EncryptMessage(message, params, &out_params);
   3285 
   3286     // Decrypt with correct nonce.
   3287     plaintext = DecryptMessage(ciphertext, params);
   3288     EXPECT_EQ(message, plaintext);
   3289 
   3290     // Try with wrong nonce.
   3291     params = AuthorizationSetBuilder()
   3292                  .BlockMode(BlockMode::CBC)
   3293                  .Padding(PaddingMode::NONE)
   3294                  .Authorization(TAG_NONCE, HidlBuf("aaaaaaaaaaaaaaaa"));
   3295     plaintext = DecryptMessage(ciphertext, params);
   3296     EXPECT_NE(message, plaintext);
   3297 }
   3298 
   3299 /*
   3300  * EncryptionOperationsTest.AesCallerNonceProhibited
   3301  *
   3302  * Verifies that caller-provided nonces are not permitted when not specified in the key
   3303  * authorizations.
   3304  */
   3305 TEST_F(EncryptionOperationsTest, AesCallerNonceProhibited) {
   3306     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3307                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3308                                              .AesEncryptionKey(128)
   3309                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
   3310                                              .Padding(PaddingMode::NONE)));
   3311 
   3312     string message = "12345678901234567890123456789012";
   3313 
   3314     // Don't specify nonce, should get a random one.
   3315     AuthorizationSetBuilder params =
   3316         AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
   3317     AuthorizationSet out_params;
   3318     string ciphertext = EncryptMessage(message, params, &out_params);
   3319     EXPECT_EQ(message.size(), ciphertext.size());
   3320     EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size());
   3321 
   3322     params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value());
   3323     string plaintext = DecryptMessage(ciphertext, params);
   3324     EXPECT_EQ(message, plaintext);
   3325 
   3326     // Now specify a nonce, should fail
   3327     params = AuthorizationSetBuilder()
   3328                  .BlockMode(BlockMode::CBC)
   3329                  .Padding(PaddingMode::NONE)
   3330                  .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop"));
   3331     out_params.Clear();
   3332     EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
   3333 }
   3334 
   3335 /*
   3336  * EncryptionOperationsTest.AesGcmRoundTripSuccess
   3337  *
   3338  * Verifies that AES GCM mode works.
   3339  */
   3340 TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
   3341     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3342                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3343                                              .AesEncryptionKey(128)
   3344                                              .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
   3345                                              .Padding(PaddingMode::NONE)
   3346                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3347 
   3348     string aad = "foobar";
   3349     string message = "123456789012345678901234567890123456";
   3350 
   3351     auto begin_params = AuthorizationSetBuilder()
   3352                             .BlockMode(BlockMode::GCM)
   3353                             .Padding(PaddingMode::NONE)
   3354                             .Authorization(TAG_MAC_LENGTH, 128);
   3355 
   3356     auto update_params =
   3357         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
   3358 
   3359     // Encrypt
   3360     AuthorizationSet begin_out_params;
   3361     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
   3362         << "Begin encrypt";
   3363     string ciphertext;
   3364     AuthorizationSet update_out_params;
   3365     ASSERT_EQ(ErrorCode::OK,
   3366               Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext));
   3367 
   3368     // Grab nonce
   3369     begin_params.push_back(begin_out_params);
   3370 
   3371     // Decrypt.
   3372     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
   3373     string plaintext;
   3374     size_t input_consumed;
   3375     ASSERT_EQ(ErrorCode::OK, Update(op_handle_, update_params, ciphertext, &update_out_params,
   3376                                     &plaintext, &input_consumed));
   3377     EXPECT_EQ(ciphertext.size(), input_consumed);
   3378     EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
   3379 
   3380     EXPECT_EQ(message, plaintext);
   3381 }
   3382 
   3383 /*
   3384  * EncryptionOperationsTest.AesGcmTooShortTag
   3385  *
   3386  * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
   3387  */
   3388 TEST_F(EncryptionOperationsTest, AesGcmTooShortTag) {
   3389     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3390                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3391                                              .AesEncryptionKey(128)
   3392                                              .BlockMode(BlockMode::GCM)
   3393                                              .Padding(PaddingMode::NONE)
   3394                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3395     string message = "123456789012345678901234567890123456";
   3396     auto params = AuthorizationSetBuilder()
   3397                       .BlockMode(BlockMode::GCM)
   3398                       .Padding(PaddingMode::NONE)
   3399                       .Authorization(TAG_MAC_LENGTH, 96);
   3400 
   3401     EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
   3402 }
   3403 
   3404 /*
   3405  * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
   3406  *
   3407  * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
   3408  */
   3409 TEST_F(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
   3410     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3411                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3412                                              .AesEncryptionKey(128)
   3413                                              .BlockMode(BlockMode::GCM)
   3414                                              .Padding(PaddingMode::NONE)
   3415                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3416     string aad = "foobar";
   3417     string message = "123456789012345678901234567890123456";
   3418     auto params = AuthorizationSetBuilder()
   3419                       .BlockMode(BlockMode::GCM)
   3420                       .Padding(PaddingMode::NONE)
   3421                       .Authorization(TAG_MAC_LENGTH, 128);
   3422 
   3423     auto finish_params =
   3424         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
   3425 
   3426     // Encrypt
   3427     AuthorizationSet begin_out_params;
   3428     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
   3429     EXPECT_EQ(1U, begin_out_params.size());
   3430     ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE).isOk());
   3431 
   3432     AuthorizationSet finish_out_params;
   3433     string ciphertext;
   3434     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
   3435                                     &finish_out_params, &ciphertext));
   3436 
   3437     params = AuthorizationSetBuilder()
   3438                  .Authorizations(begin_out_params)
   3439                  .BlockMode(BlockMode::GCM)
   3440                  .Padding(PaddingMode::NONE)
   3441                  .Authorization(TAG_MAC_LENGTH, 96);
   3442 
   3443     // Decrypt.
   3444     EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
   3445 }
   3446 
   3447 /*
   3448  * EncryptionOperationsTest.AesGcmCorruptKey
   3449  *
   3450  * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
   3451  */
   3452 TEST_F(EncryptionOperationsTest, AesGcmCorruptKey) {
   3453     const uint8_t nonce_bytes[] = {
   3454         0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
   3455     };
   3456     string nonce = make_string(nonce_bytes);
   3457     const uint8_t ciphertext_bytes[] = {
   3458         0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
   3459         0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
   3460         0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
   3461         0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
   3462         0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
   3463     };
   3464     string ciphertext = make_string(ciphertext_bytes);
   3465 
   3466     auto params = AuthorizationSetBuilder()
   3467                       .BlockMode(BlockMode::GCM)
   3468                       .Padding(PaddingMode::NONE)
   3469                       .Authorization(TAG_MAC_LENGTH, 128)
   3470                       .Authorization(TAG_NONCE, nonce.data(), nonce.size());
   3471 
   3472     auto import_params = AuthorizationSetBuilder()
   3473                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3474                              .AesEncryptionKey(128)
   3475                              .BlockMode(BlockMode::GCM)
   3476                              .Padding(PaddingMode::NONE)
   3477                              .Authorization(TAG_CALLER_NONCE)
   3478                              .Authorization(TAG_MIN_MAC_LENGTH, 128);
   3479 
   3480     // Import correct key and decrypt
   3481     const uint8_t key_bytes[] = {
   3482         0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
   3483         0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
   3484     };
   3485     string key = make_string(key_bytes);
   3486     ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
   3487     string plaintext = DecryptMessage(ciphertext, params);
   3488     CheckedDeleteKey();
   3489 
   3490     // Corrupt key and attempt to decrypt
   3491     key[0] = 0;
   3492     ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
   3493     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   3494     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
   3495     CheckedDeleteKey();
   3496 }
   3497 
   3498 /*
   3499  * EncryptionOperationsTest.AesGcmAadNoData
   3500  *
   3501  * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
   3502  * encrypt.
   3503  */
   3504 TEST_F(EncryptionOperationsTest, AesGcmAadNoData) {
   3505     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3506                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3507                                              .AesEncryptionKey(128)
   3508                                              .BlockMode(BlockMode::GCM)
   3509                                              .Padding(PaddingMode::NONE)
   3510                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3511 
   3512     string aad = "1234567890123456";
   3513     auto params = AuthorizationSetBuilder()
   3514                       .BlockMode(BlockMode::GCM)
   3515                       .Padding(PaddingMode::NONE)
   3516                       .Authorization(TAG_MAC_LENGTH, 128);
   3517 
   3518     auto finish_params =
   3519         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
   3520 
   3521     // Encrypt
   3522     AuthorizationSet begin_out_params;
   3523     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
   3524     string ciphertext;
   3525     AuthorizationSet finish_out_params;
   3526     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, "" /* input */, "" /* signature */,
   3527                                     &finish_out_params, &ciphertext));
   3528     EXPECT_TRUE(finish_out_params.empty());
   3529 
   3530     // Grab nonce
   3531     params.push_back(begin_out_params);
   3532 
   3533     // Decrypt.
   3534     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   3535     string plaintext;
   3536     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, ciphertext, "" /* signature */,
   3537                                     &finish_out_params, &plaintext))
   3538         << "(Possibly b/33615032)";
   3539 
   3540     EXPECT_TRUE(finish_out_params.empty());
   3541 
   3542     EXPECT_EQ("", plaintext);
   3543 }
   3544 
   3545 /*
   3546  * EncryptionOperationsTest.AesGcmMultiPartAad
   3547  *
   3548  * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks.
   3549  */
   3550 TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) {
   3551     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3552                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3553                                              .AesEncryptionKey(128)
   3554                                              .BlockMode(BlockMode::GCM)
   3555                                              .Padding(PaddingMode::NONE)
   3556                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3557 
   3558     string message = "123456789012345678901234567890123456";
   3559     auto begin_params = AuthorizationSetBuilder()
   3560                             .BlockMode(BlockMode::GCM)
   3561                             .Padding(PaddingMode::NONE)
   3562                             .Authorization(TAG_MAC_LENGTH, 128);
   3563     AuthorizationSet begin_out_params;
   3564 
   3565     auto update_params =
   3566         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3);
   3567 
   3568     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
   3569 
   3570     // No data, AAD only.
   3571     string ciphertext;
   3572     size_t input_consumed;
   3573     AuthorizationSet update_out_params;
   3574     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params,
   3575                                     &ciphertext, &input_consumed));
   3576     EXPECT_EQ(0U, input_consumed);
   3577     EXPECT_EQ(0U, ciphertext.size());
   3578     EXPECT_TRUE(update_out_params.empty());
   3579 
   3580     // AAD and data.
   3581     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
   3582                                     &ciphertext, &input_consumed));
   3583     EXPECT_EQ(message.size(), input_consumed);
   3584     EXPECT_EQ(message.size(), ciphertext.size());
   3585     EXPECT_TRUE(update_out_params.empty());
   3586 
   3587     EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext));
   3588 
   3589     // Grab nonce.
   3590     begin_params.push_back(begin_out_params);
   3591 
   3592     // Decrypt
   3593     update_params =
   3594         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foofoo", (size_t)6);
   3595 
   3596     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
   3597     string plaintext;
   3598     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, update_params, ciphertext, "" /* signature */,
   3599                                     &update_out_params, &plaintext));
   3600     EXPECT_TRUE(update_out_params.empty());
   3601     EXPECT_EQ(message, plaintext);
   3602 }
   3603 
   3604 /*
   3605  * EncryptionOperationsTest.AesGcmAadOutOfOrder
   3606  *
   3607  * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
   3608  */
   3609 TEST_F(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
   3610     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3611                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3612                                              .AesEncryptionKey(128)
   3613                                              .BlockMode(BlockMode::GCM)
   3614                                              .Padding(PaddingMode::NONE)
   3615                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3616 
   3617     string message = "123456789012345678901234567890123456";
   3618     auto begin_params = AuthorizationSetBuilder()
   3619                             .BlockMode(BlockMode::GCM)
   3620                             .Padding(PaddingMode::NONE)
   3621                             .Authorization(TAG_MAC_LENGTH, 128);
   3622     AuthorizationSet begin_out_params;
   3623 
   3624     auto update_params =
   3625         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3);
   3626 
   3627     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
   3628 
   3629     // No data, AAD only.
   3630     string ciphertext;
   3631     size_t input_consumed;
   3632     AuthorizationSet update_out_params;
   3633     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params,
   3634                                     &ciphertext, &input_consumed));
   3635     EXPECT_EQ(0U, input_consumed);
   3636     EXPECT_EQ(0U, ciphertext.size());
   3637     EXPECT_TRUE(update_out_params.empty());
   3638 
   3639     // AAD and data.
   3640     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
   3641                                     &ciphertext, &input_consumed));
   3642     EXPECT_EQ(message.size(), input_consumed);
   3643     EXPECT_EQ(message.size(), ciphertext.size());
   3644     EXPECT_TRUE(update_out_params.empty());
   3645 
   3646     // More AAD
   3647     EXPECT_EQ(ErrorCode::INVALID_TAG, Update(op_handle_, update_params, "", &update_out_params,
   3648                                              &ciphertext, &input_consumed));
   3649 
   3650     op_handle_ = kOpHandleSentinel;
   3651 }
   3652 
   3653 /*
   3654  * EncryptionOperationsTest.AesGcmBadAad
   3655  *
   3656  * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
   3657  */
   3658 TEST_F(EncryptionOperationsTest, AesGcmBadAad) {
   3659     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3660                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3661                                              .AesEncryptionKey(128)
   3662                                              .BlockMode(BlockMode::GCM)
   3663                                              .Padding(PaddingMode::NONE)
   3664                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3665 
   3666     string message = "12345678901234567890123456789012";
   3667     auto begin_params = AuthorizationSetBuilder()
   3668                             .BlockMode(BlockMode::GCM)
   3669                             .Padding(PaddingMode::NONE)
   3670                             .Authorization(TAG_MAC_LENGTH, 128);
   3671 
   3672     auto finish_params =
   3673         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6);
   3674 
   3675     // Encrypt
   3676     AuthorizationSet begin_out_params;
   3677     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
   3678     string ciphertext;
   3679     AuthorizationSet finish_out_params;
   3680     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
   3681                                     &finish_out_params, &ciphertext));
   3682 
   3683     // Grab nonce
   3684     begin_params.push_back(begin_out_params);
   3685 
   3686     finish_params = AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA,
   3687                                                             "barfoo" /* Wrong AAD */, (size_t)6);
   3688 
   3689     // Decrypt.
   3690     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
   3691     string plaintext;
   3692     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
   3693               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
   3694                      &plaintext));
   3695 }
   3696 
   3697 /*
   3698  * EncryptionOperationsTest.AesGcmWrongNonce
   3699  *
   3700  * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
   3701  */
   3702 TEST_F(EncryptionOperationsTest, AesGcmWrongNonce) {
   3703     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3704                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3705                                              .AesEncryptionKey(128)
   3706                                              .BlockMode(BlockMode::GCM)
   3707                                              .Padding(PaddingMode::NONE)
   3708                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3709 
   3710     string message = "12345678901234567890123456789012";
   3711     auto begin_params = AuthorizationSetBuilder()
   3712                             .BlockMode(BlockMode::GCM)
   3713                             .Padding(PaddingMode::NONE)
   3714                             .Authorization(TAG_MAC_LENGTH, 128);
   3715 
   3716     auto finish_params =
   3717         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6);
   3718 
   3719     // Encrypt
   3720     AuthorizationSet begin_out_params;
   3721     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
   3722     string ciphertext;
   3723     AuthorizationSet finish_out_params;
   3724     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
   3725                                     &finish_out_params, &ciphertext));
   3726 
   3727     // Wrong nonce
   3728     begin_params.push_back(TAG_NONCE, HidlBuf("123456789012"));
   3729 
   3730     // Decrypt.
   3731     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
   3732     string plaintext;
   3733     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
   3734               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
   3735                      &plaintext));
   3736 
   3737     // With wrong nonce, should have gotten garbage plaintext (or none).
   3738     EXPECT_NE(message, plaintext);
   3739 }
   3740 
   3741 /*
   3742  * EncryptionOperationsTest.AesGcmCorruptTag
   3743  *
   3744  * Verifies that AES GCM decryption fails correctly when the tag is wrong.
   3745  */
   3746 TEST_F(EncryptionOperationsTest, AesGcmCorruptTag) {
   3747     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3748                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3749                                              .AesEncryptionKey(128)
   3750                                              .BlockMode(BlockMode::GCM)
   3751                                              .Padding(PaddingMode::NONE)
   3752                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   3753 
   3754     string aad = "1234567890123456";
   3755     string message = "123456789012345678901234567890123456";
   3756 
   3757     auto params = AuthorizationSetBuilder()
   3758                       .BlockMode(BlockMode::GCM)
   3759                       .Padding(PaddingMode::NONE)
   3760                       .Authorization(TAG_MAC_LENGTH, 128);
   3761 
   3762     auto finish_params =
   3763         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
   3764 
   3765     // Encrypt
   3766     AuthorizationSet begin_out_params;
   3767     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
   3768     string ciphertext;
   3769     AuthorizationSet finish_out_params;
   3770     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
   3771                                     &finish_out_params, &ciphertext));
   3772     EXPECT_TRUE(finish_out_params.empty());
   3773 
   3774     // Corrupt tag
   3775     ++(*ciphertext.rbegin());
   3776 
   3777     // Grab nonce
   3778     params.push_back(begin_out_params);
   3779 
   3780     // Decrypt.
   3781     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
   3782     string plaintext;
   3783     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
   3784               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
   3785                      &plaintext));
   3786     EXPECT_TRUE(finish_out_params.empty());
   3787 }
   3788 
   3789 typedef KeymasterHidlTest MaxOperationsTest;
   3790 
   3791 /*
   3792  * MaxOperationsTest.TestLimitAes
   3793  *
   3794  * Verifies that the max uses per boot tag works correctly with AES keys.
   3795  */
   3796 TEST_F(MaxOperationsTest, TestLimitAes) {
   3797     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3798                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3799                                              .AesEncryptionKey(128)
   3800                                              .EcbMode()
   3801                                              .Padding(PaddingMode::NONE)
   3802                                              .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
   3803 
   3804     string message = "1234567890123456";
   3805 
   3806     auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
   3807 
   3808     EncryptMessage(message, params);
   3809     EncryptMessage(message, params);
   3810     EncryptMessage(message, params);
   3811 
   3812     // Fourth time should fail.
   3813     EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
   3814 }
   3815 
   3816 /*
   3817  * MaxOperationsTest.TestLimitAes
   3818  *
   3819  * Verifies that the max uses per boot tag works correctly with RSA keys.
   3820  */
   3821 TEST_F(MaxOperationsTest, TestLimitRsa) {
   3822     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3823                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3824                                              .RsaSigningKey(1024, 3)
   3825                                              .NoDigestOrPadding()
   3826                                              .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
   3827 
   3828     string message = "1234567890123456";
   3829 
   3830     auto params = AuthorizationSetBuilder().NoDigestOrPadding();
   3831 
   3832     SignMessage(message, params);
   3833     SignMessage(message, params);
   3834     SignMessage(message, params);
   3835 
   3836     // Fourth time should fail.
   3837     EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
   3838 }
   3839 
   3840 typedef KeymasterHidlTest AddEntropyTest;
   3841 
   3842 /*
   3843  * AddEntropyTest.AddEntropy
   3844  *
   3845  * Verifies that the addRngEntropy method doesn't blow up.  There's no way to test that entropy is
   3846  * actually added.
   3847  */
   3848 TEST_F(AddEntropyTest, AddEntropy) {
   3849     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf("foo")));
   3850 }
   3851 
   3852 /*
   3853  * AddEntropyTest.AddEmptyEntropy
   3854  *
   3855  * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
   3856  */
   3857 TEST_F(AddEntropyTest, AddEmptyEntropy) {
   3858     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf()));
   3859 }
   3860 
   3861 /*
   3862  * AddEntropyTest.AddLargeEntropy
   3863  *
   3864  * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
   3865  */
   3866 TEST_F(AddEntropyTest, AddLargeEntropy) {
   3867     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf(string(16 * 1024, 'a'))));
   3868 }
   3869 
   3870 typedef KeymasterHidlTest AttestationTest;
   3871 
   3872 /*
   3873  * AttestationTest.RsaAttestation
   3874  *
   3875  * Verifies that attesting to RSA keys works and generates the expected output.
   3876  */
   3877 TEST_F(AttestationTest, RsaAttestation) {
   3878     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3879                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3880                                              .RsaSigningKey(1024, 3)
   3881                                              .Digest(Digest::NONE)
   3882                                              .Padding(PaddingMode::NONE)
   3883                                              .Authorization(TAG_INCLUDE_UNIQUE_ID)));
   3884 
   3885     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   3886     EXPECT_EQ(
   3887         ErrorCode::OK,
   3888         AttestKey(
   3889             AuthorizationSetBuilder()
   3890                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
   3891                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
   3892             &cert_chain));
   3893     EXPECT_GE(cert_chain.size(), 2U);
   3894     EXPECT_TRUE(verify_chain(cert_chain));
   3895     EXPECT_TRUE(
   3896         verify_attestation_record("challenge", "foo",                     //
   3897                                   key_characteristics_.softwareEnforced,  //
   3898                                   key_characteristics_.teeEnforced,       //
   3899                                   cert_chain[0]));
   3900 }
   3901 
   3902 /*
   3903  * AttestationTest.RsaAttestationRequiresAppId
   3904  *
   3905  * Verifies that attesting to RSA requires app ID.
   3906  */
   3907 TEST_F(AttestationTest, RsaAttestationRequiresAppId) {
   3908     ASSERT_EQ(ErrorCode::OK,
   3909               GenerateKey(AuthorizationSetBuilder()
   3910                               .Authorization(TAG_NO_AUTH_REQUIRED)
   3911                               .RsaSigningKey(1024, 3)
   3912                               .Digest(Digest::NONE)
   3913                               .Padding(PaddingMode::NONE)
   3914                               .Authorization(TAG_INCLUDE_UNIQUE_ID)));
   3915 
   3916     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   3917     EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
   3918               AttestKey(AuthorizationSetBuilder().Authorization(
   3919                             TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")),
   3920                         &cert_chain));
   3921 }
   3922 
   3923 /*
   3924  * AttestationTest.EcAttestation
   3925  *
   3926  * Verifies that attesting to EC keys works and generates the expected output.
   3927  */
   3928 TEST_F(AttestationTest, EcAttestation) {
   3929     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   3930                                              .Authorization(TAG_NO_AUTH_REQUIRED)
   3931                                              .EcdsaSigningKey(EcCurve::P_256)
   3932                                              .Digest(Digest::SHA_2_256)
   3933                                              .Authorization(TAG_INCLUDE_UNIQUE_ID)));
   3934 
   3935     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   3936     EXPECT_EQ(
   3937         ErrorCode::OK,
   3938         AttestKey(
   3939             AuthorizationSetBuilder()
   3940                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
   3941                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
   3942             &cert_chain));
   3943     EXPECT_GE(cert_chain.size(), 2U);
   3944     EXPECT_TRUE(verify_chain(cert_chain));
   3945 
   3946     EXPECT_TRUE(
   3947         verify_attestation_record("challenge", "foo",                     //
   3948                                   key_characteristics_.softwareEnforced,  //
   3949                                   key_characteristics_.teeEnforced,       //
   3950                                   cert_chain[0]));
   3951 }
   3952 
   3953 /*
   3954  * AttestationTest.EcAttestationRequiresAttestationAppId
   3955  *
   3956  * Verifies that attesting to EC keys requires app ID
   3957  */
   3958 TEST_F(AttestationTest, EcAttestationRequiresAttestationAppId) {
   3959     ASSERT_EQ(ErrorCode::OK,
   3960               GenerateKey(AuthorizationSetBuilder()
   3961                               .Authorization(TAG_NO_AUTH_REQUIRED)
   3962                               .EcdsaSigningKey(EcCurve::P_256)
   3963                               .Digest(Digest::SHA_2_256)
   3964                               .Authorization(TAG_INCLUDE_UNIQUE_ID)));
   3965 
   3966     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   3967     EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
   3968               AttestKey(AuthorizationSetBuilder().Authorization(
   3969                             TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")),
   3970                         &cert_chain));
   3971 }
   3972 
   3973 /*
   3974  * AttestationTest.AesAttestation
   3975  *
   3976  * Verifies that attesting to AES keys fails in the expected way.
   3977  */
   3978 TEST_F(AttestationTest, AesAttestation) {
   3979     ASSERT_EQ(ErrorCode::OK,
   3980               GenerateKey(AuthorizationSetBuilder()
   3981                               .Authorization(TAG_NO_AUTH_REQUIRED)
   3982                               .AesEncryptionKey(128)
   3983                               .EcbMode()
   3984                               .Padding(PaddingMode::PKCS7)));
   3985 
   3986     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   3987     EXPECT_EQ(
   3988         ErrorCode::INCOMPATIBLE_ALGORITHM,
   3989         AttestKey(
   3990             AuthorizationSetBuilder()
   3991                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
   3992                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
   3993             &cert_chain));
   3994 }
   3995 
   3996 /*
   3997  * AttestationTest.HmacAttestation
   3998  *
   3999  * Verifies that attesting to HMAC keys fails in the expected way.
   4000  */
   4001 TEST_F(AttestationTest, HmacAttestation) {
   4002     ASSERT_EQ(ErrorCode::OK,
   4003               GenerateKey(AuthorizationSetBuilder()
   4004                               .Authorization(TAG_NO_AUTH_REQUIRED)
   4005                               .HmacKey(128)
   4006                               .EcbMode()
   4007                               .Digest(Digest::SHA_2_256)
   4008                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
   4009 
   4010     hidl_vec<hidl_vec<uint8_t>> cert_chain;
   4011     EXPECT_EQ(
   4012         ErrorCode::INCOMPATIBLE_ALGORITHM,
   4013         AttestKey(
   4014             AuthorizationSetBuilder()
   4015                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
   4016                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
   4017             &cert_chain));
   4018 }
   4019 
   4020 typedef KeymasterHidlTest KeyDeletionTest;
   4021 
   4022 /**
   4023  * KeyDeletionTest.DeleteKey
   4024  *
   4025  * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
   4026  * valid key blob.
   4027  */
   4028 TEST_F(KeyDeletionTest, DeleteKey) {
   4029     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   4030                                              .RsaSigningKey(1024, 3)
   4031                                              .Digest(Digest::NONE)
   4032                                              .Padding(PaddingMode::NONE)
   4033                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
   4034 
   4035     // Delete must work if rollback protection is implemented
   4036     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
   4037     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
   4038 
   4039     if (rollback_protected) {
   4040         ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
   4041     } else {
   4042         auto delete_result = DeleteKey(true /* keep key blob */);
   4043         ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED);
   4044     }
   4045 
   4046     string message = "12345678901234567890123456789012";
   4047     AuthorizationSet begin_out_params;
   4048 
   4049     if (rollback_protected) {
   4050         EXPECT_EQ(
   4051             ErrorCode::INVALID_KEY_BLOB,
   4052             Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder()
   4053                                                    .Digest(Digest::NONE)
   4054                                                    .Padding(PaddingMode::NONE),
   4055                   &begin_out_params, &op_handle_))
   4056             << " (Possibly b/37623742)";
   4057     } else {
   4058         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_,
   4059                                        AuthorizationSetBuilder()
   4060                                            .Digest(Digest::NONE)
   4061                                            .Padding(PaddingMode::NONE),
   4062                                        &begin_out_params, &op_handle_));
   4063     }
   4064     AbortIfNeeded();
   4065     key_blob_ = HidlBuf();
   4066 }
   4067 
   4068 /**
   4069  * KeyDeletionTest.DeleteInvalidKey
   4070  *
   4071  * This test checks that the HAL excepts invalid key blobs.
   4072  */
   4073 TEST_F(KeyDeletionTest, DeleteInvalidKey) {
   4074     // Generate key just to check if rollback protection is implemented
   4075     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   4076                                              .RsaSigningKey(1024, 3)
   4077                                              .Digest(Digest::NONE)
   4078                                              .Padding(PaddingMode::NONE)
   4079                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
   4080 
   4081     // Delete must work if rollback protection is implemented
   4082     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
   4083     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
   4084 
   4085     // Delete the key we don't care about the result at this point.
   4086     DeleteKey();
   4087 
   4088     // Now create an invalid key blob and delete it.
   4089     key_blob_ = HidlBuf("just some garbage data which is not a valid key blob");
   4090 
   4091     if (rollback_protected) {
   4092         ASSERT_EQ(ErrorCode::OK, DeleteKey());
   4093     } else {
   4094         auto delete_result = DeleteKey();
   4095         ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED);
   4096     }
   4097 }
   4098 
   4099 /**
   4100  * KeyDeletionTest.DeleteAllKeys
   4101  *
   4102  * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
   4103  *
   4104  * BEWARE: This test has serious side effects. All user keys will be lost! This includes
   4105  * FBE/FDE encryption keys, which means that the device will not even boot until after the
   4106  * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
   4107  * been provisioned. Use this test only on dedicated testing devices that have no valuable
   4108  * credentials stored in Keystore/Keymaster.
   4109  */
   4110 TEST_F(KeyDeletionTest, DeleteAllKeys) {
   4111     if (!arm_deleteAllKeys) return;
   4112     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
   4113                                              .RsaSigningKey(1024, 3)
   4114                                              .Digest(Digest::NONE)
   4115                                              .Padding(PaddingMode::NONE)
   4116                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
   4117 
   4118     // Delete must work if rollback protection is implemented
   4119     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
   4120     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
   4121 
   4122     ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
   4123 
   4124     string message = "12345678901234567890123456789012";
   4125     AuthorizationSet begin_out_params;
   4126 
   4127     if (rollback_protected) {
   4128         EXPECT_EQ(
   4129             ErrorCode::INVALID_KEY_BLOB,
   4130             Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder()
   4131                                                    .Digest(Digest::NONE)
   4132                                                    .Padding(PaddingMode::NONE),
   4133                   &begin_out_params, &op_handle_));
   4134     } else {
   4135         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_,
   4136                                        AuthorizationSetBuilder()
   4137                                            .Digest(Digest::NONE)
   4138                                            .Padding(PaddingMode::NONE),
   4139                                        &begin_out_params, &op_handle_));
   4140     }
   4141     AbortIfNeeded();
   4142     key_blob_ = HidlBuf();
   4143 }
   4144 
   4145 }  // namespace test
   4146 }  // namespace V3_0
   4147 }  // namespace keymaster
   4148 }  // namespace hardware
   4149 }  // namespace android
   4150 
   4151 int main(int argc, char** argv) {
   4152     ::testing::InitGoogleTest(&argc, argv);
   4153     std::vector<std::string> positional_args;
   4154     for (int i = 1; i < argc; ++i) {
   4155         if (argv[i][0] == '-') {
   4156             if (std::string(argv[i]) == "--arm_deleteAllKeys") {
   4157                 arm_deleteAllKeys = true;
   4158             }
   4159         } else {
   4160             positional_args.push_back(argv[i]);
   4161         }
   4162     }
   4163     if (positional_args.size()) {
   4164         ALOGI("Running keymaster VTS against service \"%s\"", positional_args[0].c_str());
   4165         service_name = positional_args[0];
   4166     }
   4167     int status = RUN_ALL_TESTS();
   4168     ALOGI("Test result = %d", status);
   4169     return status;
   4170 }
   4171