1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.keystore.cts; 18 19 import android.security.GateKeeper; 20 import android.security.keystore.KeyProperties; 21 import android.security.keystore.KeyProtection; 22 import android.test.MoreAsserts; 23 24 import junit.framework.TestCase; 25 26 import java.util.Arrays; 27 import java.util.Date; 28 29 public class KeyProtectionTest extends TestCase { 30 public void testDefaults() { 31 // Set only the mandatory parameters and assert values returned by getters. 32 33 KeyProtection spec = new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT) 34 .build(); 35 36 assertEquals(KeyProperties.PURPOSE_ENCRYPT, spec.getPurposes()); 37 MoreAsserts.assertEmpty(Arrays.asList(spec.getBlockModes())); 38 assertFalse(spec.isDigestsSpecified()); 39 try { 40 spec.getDigests(); 41 fail(); 42 } catch (IllegalStateException expected) {} 43 MoreAsserts.assertEmpty(Arrays.asList(spec.getEncryptionPaddings())); 44 assertNull(spec.getKeyValidityStart()); 45 assertNull(spec.getKeyValidityForOriginationEnd()); 46 assertNull(spec.getKeyValidityForConsumptionEnd()); 47 assertTrue(spec.isRandomizedEncryptionRequired()); 48 MoreAsserts.assertEmpty(Arrays.asList(spec.getSignaturePaddings())); 49 assertFalse(spec.isUserAuthenticationRequired()); 50 assertEquals(-1, spec.getUserAuthenticationValidityDurationSeconds()); 51 assertEquals(GateKeeper.INVALID_SECURE_USER_ID, spec.getBoundToSpecificSecureUserId()); 52 assertFalse(spec.isUnlockedDeviceRequired()); 53 } 54 55 public void testSettersReflectedInGetters() { 56 // Set all parameters to non-default values and then assert that getters reflect that. 57 58 Date keyValidityStartDate = new Date(System.currentTimeMillis() - 2222222); 59 Date keyValidityEndDateForOrigination = new Date(System.currentTimeMillis() + 11111111); 60 Date keyValidityEndDateForConsumption = new Date(System.currentTimeMillis() + 33333333); 61 62 KeyProtection spec = new KeyProtection.Builder( 63 KeyProperties.PURPOSE_DECRYPT | KeyProperties.PURPOSE_VERIFY) 64 .setBlockModes(KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CTR) 65 .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512) 66 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1, 67 KeyProperties.ENCRYPTION_PADDING_PKCS7) 68 .setKeyValidityStart(keyValidityStartDate) 69 .setKeyValidityForOriginationEnd(keyValidityEndDateForOrigination) 70 .setKeyValidityForConsumptionEnd(keyValidityEndDateForConsumption) 71 .setRandomizedEncryptionRequired(false) 72 .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1, 73 KeyProperties.SIGNATURE_PADDING_RSA_PSS) 74 .setUserAuthenticationRequired(true) 75 .setUserAuthenticationValidityDurationSeconds(123456) 76 .setBoundToSpecificSecureUserId(654321) 77 .setUnlockedDeviceRequired(true) 78 .build(); 79 80 assertEquals( 81 KeyProperties.PURPOSE_DECRYPT| KeyProperties.PURPOSE_VERIFY, spec.getPurposes()); 82 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getBlockModes()), 83 KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CTR); 84 assertTrue(spec.isDigestsSpecified()); 85 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getDigests()), 86 KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512); 87 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getEncryptionPaddings()), 88 KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1, KeyProperties.ENCRYPTION_PADDING_PKCS7); 89 assertEquals(keyValidityStartDate, spec.getKeyValidityStart()); 90 assertEquals(keyValidityEndDateForOrigination, spec.getKeyValidityForOriginationEnd()); 91 assertEquals(keyValidityEndDateForConsumption, spec.getKeyValidityForConsumptionEnd()); 92 assertFalse(spec.isRandomizedEncryptionRequired()); 93 MoreAsserts.assertContentsInOrder(Arrays.asList(spec.getSignaturePaddings()), 94 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1, KeyProperties.SIGNATURE_PADDING_RSA_PSS); 95 assertTrue(spec.isUserAuthenticationRequired()); 96 assertEquals(123456, spec.getUserAuthenticationValidityDurationSeconds()); 97 assertEquals(654321, spec.getBoundToSpecificSecureUserId()); 98 assertTrue(spec.isUnlockedDeviceRequired()); 99 } 100 101 public void testSetKeyValidityEndDateAppliesToBothEndDates() { 102 Date date = new Date(System.currentTimeMillis() + 555555); 103 KeyProtection spec = new KeyProtection.Builder( 104 KeyProperties.PURPOSE_SIGN) 105 .setKeyValidityEnd(date) 106 .build(); 107 assertEquals(date, spec.getKeyValidityForOriginationEnd()); 108 assertEquals(date, spec.getKeyValidityForConsumptionEnd()); 109 } 110 111 public void testSetUserAuthenticationValidityDurationSecondsValidityCheck() { 112 KeyProtection.Builder builder = new KeyProtection.Builder(0); 113 try { 114 builder.setUserAuthenticationValidityDurationSeconds(-2); 115 fail(); 116 } catch (IllegalArgumentException expected) {} 117 118 try { 119 builder.setUserAuthenticationValidityDurationSeconds(-100); 120 fail(); 121 } catch (IllegalArgumentException expected) {} 122 123 try { 124 builder.setUserAuthenticationValidityDurationSeconds(Integer.MIN_VALUE); 125 fail(); 126 } catch (IllegalArgumentException expected) {} 127 128 builder.setUserAuthenticationValidityDurationSeconds(-1); 129 builder.setUserAuthenticationValidityDurationSeconds(0); 130 builder.setUserAuthenticationValidityDurationSeconds(1); 131 builder.setUserAuthenticationValidityDurationSeconds(Integer.MAX_VALUE); 132 133 try { 134 builder.setUserAuthenticationValidityDurationSeconds(-2); 135 fail(); 136 } catch (IllegalArgumentException expected) {} 137 } 138 139 public void testImmutabilityViaSetterParams() { 140 // Assert that all mutable parameters provided to setters are copied to ensure that values 141 // returned by getters never change. 142 String[] blockModes = 143 new String[] {KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC}; 144 String[] originalBlockModes = blockModes.clone(); 145 Date keyValidityStartDate = new Date(System.currentTimeMillis() - 2222222); 146 Date originalKeyValidityStartDate = new Date(keyValidityStartDate.getTime()); 147 Date keyValidityEndDateForOrigination = new Date(System.currentTimeMillis() + 11111111); 148 Date originalKeyValidityEndDateForOrigination = 149 new Date(keyValidityEndDateForOrigination.getTime()); 150 Date keyValidityEndDateForConsumption = new Date(System.currentTimeMillis() + 33333333); 151 Date originalKeyValidityEndDateForConsumption = 152 new Date(keyValidityEndDateForConsumption.getTime()); 153 String[] digests = new String[] {KeyProperties.DIGEST_MD5, KeyProperties.DIGEST_SHA512}; 154 String[] originalDigests = digests.clone(); 155 String[] encryptionPaddings = new String[] { 156 KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, KeyProperties.ENCRYPTION_PADDING_PKCS7}; 157 String[] originalEncryptionPaddings = encryptionPaddings.clone(); 158 String[] signaturePaddings = new String[] { 159 KeyProperties.SIGNATURE_PADDING_RSA_PSS, KeyProperties.SIGNATURE_PADDING_RSA_PKCS1}; 160 String[] originalSignaturePaddings = signaturePaddings.clone(); 161 162 KeyProtection spec = new KeyProtection.Builder( 163 KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT) 164 .setBlockModes(blockModes) 165 .setDigests(digests) 166 .setEncryptionPaddings(encryptionPaddings) 167 .setKeyValidityStart(keyValidityStartDate) 168 .setKeyValidityForOriginationEnd(keyValidityEndDateForOrigination) 169 .setKeyValidityForConsumptionEnd(keyValidityEndDateForConsumption) 170 .setSignaturePaddings(signaturePaddings) 171 .build(); 172 173 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 174 blockModes[0] = null; 175 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 176 177 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 178 digests[1] = null; 179 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 180 181 assertEquals(Arrays.asList(originalEncryptionPaddings), 182 Arrays.asList(spec.getEncryptionPaddings())); 183 encryptionPaddings[0] = null; 184 assertEquals(Arrays.asList(originalEncryptionPaddings), 185 Arrays.asList(spec.getEncryptionPaddings())); 186 187 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 188 keyValidityStartDate.setTime(1234567890L); 189 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 190 191 assertEquals(originalKeyValidityEndDateForOrigination, 192 spec.getKeyValidityForOriginationEnd()); 193 keyValidityEndDateForOrigination.setTime(1234567890L); 194 assertEquals(originalKeyValidityEndDateForOrigination, 195 spec.getKeyValidityForOriginationEnd()); 196 197 assertEquals(originalKeyValidityEndDateForConsumption, 198 spec.getKeyValidityForConsumptionEnd()); 199 keyValidityEndDateForConsumption.setTime(1234567890L); 200 assertEquals(originalKeyValidityEndDateForConsumption, 201 spec.getKeyValidityForConsumptionEnd()); 202 203 assertEquals(Arrays.asList(originalSignaturePaddings), 204 Arrays.asList(spec.getSignaturePaddings())); 205 signaturePaddings[1] = null; 206 assertEquals(Arrays.asList(originalSignaturePaddings), 207 Arrays.asList(spec.getSignaturePaddings())); 208 } 209 210 public void testImmutabilityViaGetterReturnValues() { 211 // Assert that none of the mutable return values from getters modify the state of the spec. 212 213 KeyProtection spec = new KeyProtection.Builder( 214 KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_ENCRYPT) 215 .setBlockModes(KeyProperties.BLOCK_MODE_GCM, KeyProperties.BLOCK_MODE_CBC) 216 .setDigests(KeyProperties.DIGEST_MD5, KeyProperties.DIGEST_SHA512) 217 .setEncryptionPaddings( 218 KeyProperties.ENCRYPTION_PADDING_RSA_OAEP, 219 KeyProperties.ENCRYPTION_PADDING_PKCS7) 220 .setKeyValidityStart(new Date(System.currentTimeMillis() - 2222222)) 221 .setKeyValidityForOriginationEnd(new Date(System.currentTimeMillis() + 11111111)) 222 .setKeyValidityForConsumptionEnd(new Date(System.currentTimeMillis() + 33333333)) 223 .setSignaturePaddings( 224 KeyProperties.SIGNATURE_PADDING_RSA_PSS, 225 KeyProperties.SIGNATURE_PADDING_RSA_PKCS1) 226 .build(); 227 228 String[] originalBlockModes = spec.getBlockModes().clone(); 229 spec.getBlockModes()[0] = null; 230 assertEquals(Arrays.asList(originalBlockModes), Arrays.asList(spec.getBlockModes())); 231 232 String[] originalDigests = spec.getDigests().clone(); 233 spec.getDigests()[0] = null; 234 assertEquals(Arrays.asList(originalDigests), Arrays.asList(spec.getDigests())); 235 236 String[] originalEncryptionPaddings = spec.getEncryptionPaddings().clone(); 237 spec.getEncryptionPaddings()[0] = null; 238 assertEquals(Arrays.asList(originalEncryptionPaddings), 239 Arrays.asList(spec.getEncryptionPaddings())); 240 241 Date originalKeyValidityStartDate = (Date) spec.getKeyValidityStart().clone(); 242 spec.getKeyValidityStart().setTime(1234567890L); 243 assertEquals(originalKeyValidityStartDate, spec.getKeyValidityStart()); 244 245 Date originalKeyValidityEndDateForOrigination = 246 (Date) spec.getKeyValidityForOriginationEnd().clone(); 247 spec.getKeyValidityForOriginationEnd().setTime(1234567890L); 248 assertEquals(originalKeyValidityEndDateForOrigination, 249 spec.getKeyValidityForOriginationEnd()); 250 251 Date originalKeyValidityEndDateForConsumption = 252 (Date) spec.getKeyValidityForConsumptionEnd().clone(); 253 spec.getKeyValidityForConsumptionEnd().setTime(1234567890L); 254 assertEquals(originalKeyValidityEndDateForConsumption, 255 spec.getKeyValidityForConsumptionEnd()); 256 257 String[] originalSignaturePaddings = spec.getSignaturePaddings().clone(); 258 spec.getSignaturePaddings()[0] = null; 259 assertEquals(Arrays.asList(originalSignaturePaddings), 260 Arrays.asList(spec.getSignaturePaddings())); 261 } 262 } 263