1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <fstream> 18 #include <memory> 19 #include <string> 20 #include <vector> 21 22 #include <openssl/evp.h> 23 #include <openssl/x509.h> 24 25 #include <hardware/keymaster0.h> 26 27 #include <keymaster/android_keymaster.h> 28 #include <keymaster/attestation_record.h> 29 #include <keymaster/contexts/pure_soft_keymaster_context.h> 30 #include <keymaster/contexts/soft_keymaster_context.h> 31 #include <keymaster/key_factory.h> 32 #include <keymaster/km_openssl/hmac_key.h> 33 #include <keymaster/km_openssl/openssl_utils.h> 34 #include <keymaster/km_openssl/soft_keymaster_enforcement.h> 35 #include <keymaster/legacy_support/keymaster0_engine.h> 36 #include <keymaster/soft_keymaster_device.h> 37 38 #include "android_keymaster_test_utils.h" 39 40 using std::ifstream; 41 using std::istreambuf_iterator; 42 using std::ofstream; 43 using std::string; 44 using std::unique_ptr; 45 using std::vector; 46 47 extern "C" { 48 int __android_log_print(int prio, const char* tag, const char* fmt); 49 int __android_log_print(int prio, const char* tag, const char* fmt) { 50 (void)prio, (void)tag, (void)fmt; 51 return 0; 52 } 53 } // extern "C" 54 55 namespace { 56 57 // For some reason std::make_unique isn't available. Define make_unique. 58 template <typename T, typename... Args> std::unique_ptr<T> make_unique(Args&&... args) { 59 return std::unique_ptr<T>(new T(std::forward<Args>(args)...)); 60 } 61 62 } // namespace 63 64 namespace keymaster { 65 namespace test { 66 67 const uint32_t kOsVersion = 060000; 68 const uint32_t kOsPatchLevel = 201603; 69 70 StdoutLogger logger; 71 72 template <typename T> vector<T> make_vector(const T* array, size_t len) { 73 return vector<T>(array, array + len); 74 } 75 76 /** 77 * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't 78 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited 79 * keys will only work once). 80 */ 81 class TestKeymasterEnforcement : public SoftKeymasterEnforcement { 82 public: 83 TestKeymasterEnforcement() : SoftKeymasterEnforcement(3, 3) {} 84 85 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; } 86 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; } 87 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */, 88 uint32_t /* timeout */) const { 89 return false; 90 } 91 virtual uint32_t get_current_time() const { return 0; } 92 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; } 93 }; 94 95 /** 96 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement. 97 */ 98 class TestKeymasterContext : public SoftKeymasterContext { 99 public: 100 TestKeymasterContext() {} 101 explicit TestKeymasterContext(const string& root_of_trust) 102 : SoftKeymasterContext(root_of_trust) {} 103 104 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; } 105 106 private: 107 TestKeymasterEnforcement test_policy_; 108 }; 109 110 /** 111 * Test instance creator that builds a pure software keymaster2 implementation. 112 */ 113 class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator { 114 public: 115 keymaster2_device_t* CreateDevice() const override { 116 std::cerr << "Creating software-only device" << std::endl; 117 context_ = new TestKeymasterContext; 118 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); 119 AuthorizationSet version_info(AuthorizationSetBuilder() 120 .Authorization(TAG_OS_VERSION, kOsVersion) 121 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); 122 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info); 123 return device->keymaster2_device(); 124 } 125 126 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } 127 int keymaster0_calls() const override { return 0; } 128 bool is_keymaster1_hw() const override { return false; } 129 KeymasterContext* keymaster_context() const override { return context_; } 130 string name() const override { return "Soft Keymaster2"; } 131 132 private: 133 mutable TestKeymasterContext* context_; 134 }; 135 136 /** 137 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1 138 * instance, with minimal digest support. 139 */ 140 class Sha256OnlyKeymaster1TestInstanceCreator : public Keymaster2TestInstanceCreator { 141 keymaster2_device_t* CreateDevice() const override { 142 std::cerr << "Creating keymaster1-backed device that supports only SHA256"; 143 144 // fake_device doesn't leak because device (below) takes ownership of it. 145 keymaster1_device_t* fake_device = make_device_sha256_only( 146 (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device()); 147 148 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close(). 149 context_ = new TestKeymasterContext; 150 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); 151 device->SetHardwareDevice(fake_device); 152 153 AuthorizationSet version_info(AuthorizationSetBuilder() 154 .Authorization(TAG_OS_VERSION, kOsVersion) 155 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); 156 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info); 157 return device->keymaster2_device(); 158 } 159 160 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } 161 int keymaster0_calls() const override { return 0; } 162 int minimal_digest_set() const override { return true; } 163 bool is_keymaster1_hw() const override { return true; } 164 KeymasterContext* keymaster_context() const override { return context_; } 165 string name() const override { return "Wrapped fake keymaster1 w/minimal digests"; } 166 167 private: 168 mutable TestKeymasterContext* context_; 169 }; 170 171 /** 172 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1 173 * instance, with full digest support 174 */ 175 class Keymaster1TestInstanceCreator : public Keymaster2TestInstanceCreator { 176 keymaster2_device_t* CreateDevice() const override { 177 std::cerr << "Creating keymaster1-backed device"; 178 179 // fake_device doesn't leak because device (below) takes ownership of it. 180 keymaster1_device_t* fake_device = 181 (new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device(); 182 183 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close(). 184 context_ = new TestKeymasterContext; 185 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_); 186 device->SetHardwareDevice(fake_device); 187 188 AuthorizationSet version_info(AuthorizationSetBuilder() 189 .Authorization(TAG_OS_VERSION, kOsVersion) 190 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel)); 191 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info); 192 return device->keymaster2_device(); 193 } 194 195 bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; } 196 int keymaster0_calls() const override { return 0; } 197 int minimal_digest_set() const override { return false; } 198 bool is_keymaster1_hw() const override { return true; } 199 KeymasterContext* keymaster_context() const override { return context_; } 200 string name() const override { return "Wrapped fake keymaster1 w/full digests"; } 201 202 private: 203 mutable TestKeymasterContext* context_; 204 }; 205 206 static auto test_params = testing::Values( 207 InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator), 208 InstanceCreatorPtr(new Keymaster1TestInstanceCreator), 209 InstanceCreatorPtr(new Sha256OnlyKeymaster1TestInstanceCreator)); 210 211 class NewKeyGeneration : public Keymaster2Test { 212 protected: 213 void CheckBaseParams() { 214 AuthorizationSet auths = sw_enforced(); 215 EXPECT_GT(auths.SerializedSize(), 12U); 216 217 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN)); 218 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY)); 219 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7)); 220 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)); 221 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300)); 222 223 // Verify that App ID, App data and ROT are NOT included. 224 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST)); 225 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID)); 226 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA)); 227 228 // Just for giggles, check that some unexpected tags/values are NOT present. 229 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT)); 230 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT)); 231 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301)); 232 233 // Now check that unspecified, defaulted tags are correct. 234 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME)); 235 if (GetParam()->is_keymaster1_hw()) { 236 // If the underlying (faked) HW is KM1, it will not have version info. 237 EXPECT_FALSE(auths.Contains(TAG_OS_VERSION)); 238 EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL)); 239 } else { 240 // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by 241 // SoftKeymasterDevice, version information will be present and up to date. 242 EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion)); 243 EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel)); 244 } 245 } 246 }; 247 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params); 248 249 TEST_P(NewKeyGeneration, Rsa) { 250 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 251 .RsaSigningKey(256, 3) 252 .Digest(KM_DIGEST_NONE) 253 .Padding(KM_PAD_NONE))); 254 CheckBaseParams(); 255 256 // Check specified tags are all present, and in the right set. 257 AuthorizationSet crypto_params; 258 AuthorizationSet non_crypto_params; 259 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) { 260 EXPECT_NE(0U, hw_enforced().size()); 261 EXPECT_NE(0U, sw_enforced().size()); 262 crypto_params.push_back(hw_enforced()); 263 non_crypto_params.push_back(sw_enforced()); 264 } else { 265 EXPECT_EQ(0U, hw_enforced().size()); 266 EXPECT_NE(0U, sw_enforced().size()); 267 crypto_params.push_back(sw_enforced()); 268 } 269 270 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 271 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA)); 272 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256)); 273 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256)); 274 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 275 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3)); 276 277 EXPECT_EQ(KM_ERROR_OK, DeleteKey()); 278 279 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 280 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 281 } 282 283 TEST_P(NewKeyGeneration, RsaDefaultSize) { 284 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 285 GenerateKey(AuthorizationSetBuilder() 286 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA) 287 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3) 288 .SigningKey())); 289 290 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 291 } 292 293 TEST_P(NewKeyGeneration, Ecdsa) { 294 ASSERT_EQ(KM_ERROR_OK, 295 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 296 CheckBaseParams(); 297 298 // Check specified tags are all present, and in the right set. 299 AuthorizationSet crypto_params; 300 AuthorizationSet non_crypto_params; 301 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) { 302 EXPECT_NE(0U, hw_enforced().size()); 303 EXPECT_NE(0U, sw_enforced().size()); 304 crypto_params.push_back(hw_enforced()); 305 non_crypto_params.push_back(sw_enforced()); 306 } else { 307 EXPECT_EQ(0U, hw_enforced().size()); 308 EXPECT_NE(0U, sw_enforced().size()); 309 crypto_params.push_back(sw_enforced()); 310 } 311 312 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 313 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC)); 314 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224)); 315 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224)); 316 317 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 318 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 319 } 320 321 TEST_P(NewKeyGeneration, EcdsaDefaultSize) { 322 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 323 GenerateKey(AuthorizationSetBuilder() 324 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC) 325 .SigningKey() 326 .Digest(KM_DIGEST_NONE))); 327 328 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 329 } 330 331 TEST_P(NewKeyGeneration, EcdsaInvalidSize) { 332 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 333 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE))); 334 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 335 } 336 337 TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) { 338 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, 339 GenerateKey(AuthorizationSetBuilder() 340 .EcdsaSigningKey(224) 341 .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256) 342 .Digest(KM_DIGEST_NONE))); 343 } 344 345 TEST_P(NewKeyGeneration, EcdsaAllValidSizes) { 346 size_t valid_sizes[] = {224, 256, 384, 521}; 347 for (size_t size : valid_sizes) { 348 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest( 349 KM_DIGEST_NONE))) 350 << "Failed to generate size: " << size; 351 } 352 353 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 354 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 355 } 356 357 TEST_P(NewKeyGeneration, HmacSha256) { 358 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 359 .HmacKey(128) 360 .Digest(KM_DIGEST_SHA_2_256) 361 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 362 363 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 364 } 365 366 TEST_P(NewKeyGeneration, CheckKeySizes) { 367 for (size_t key_size = 0; key_size <= kMaxHmacKeyLengthBits + 10; ++key_size) { 368 if (key_size < kMinHmacKeyLengthBits || key_size > kMaxHmacKeyLengthBits || 369 key_size % 8 != 0) { 370 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE, 371 GenerateKey(AuthorizationSetBuilder() 372 .HmacKey(key_size) 373 .Digest(KM_DIGEST_SHA_2_256) 374 .Authorization(TAG_MIN_MAC_LENGTH, 256))) 375 << "HMAC key size " << key_size << " invalid."; 376 } else { 377 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 378 .HmacKey(key_size) 379 .Digest(KM_DIGEST_SHA_2_256) 380 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 381 } 382 } 383 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 384 } 385 386 TEST_P(NewKeyGeneration, HmacMultipleDigests) { 387 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 388 GenerateKey(AuthorizationSetBuilder() 389 .HmacKey(128) 390 .Digest(KM_DIGEST_SHA1) 391 .Digest(KM_DIGEST_SHA_2_256) 392 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 393 394 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 395 } 396 397 TEST_P(NewKeyGeneration, HmacDigestNone) { 398 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST, 399 GenerateKey(AuthorizationSetBuilder() 400 .HmacKey(128) 401 .Digest(KM_DIGEST_NONE) 402 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 403 404 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 405 } 406 407 TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) { 408 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 409 GenerateKey(AuthorizationSetBuilder() 410 .HmacKey(128) 411 .Digest(KM_DIGEST_SHA_2_256) 412 .Authorization(TAG_MIN_MAC_LENGTH, 48))); 413 414 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 415 } 416 417 TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) { 418 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 419 GenerateKey(AuthorizationSetBuilder() 420 .HmacKey(128) 421 .Digest(KM_DIGEST_SHA_2_256) 422 .Authorization(TAG_MIN_MAC_LENGTH, 130))); 423 424 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 425 } 426 427 TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) { 428 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH, 429 GenerateKey(AuthorizationSetBuilder() 430 .HmacKey(128) 431 .Digest(KM_DIGEST_SHA_2_256) 432 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 433 434 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 435 } 436 437 typedef Keymaster2Test GetKeyCharacteristics; 438 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params); 439 440 TEST_P(GetKeyCharacteristics, SimpleRsa) { 441 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 442 .RsaSigningKey(256, 3) 443 .Digest(KM_DIGEST_NONE) 444 .Padding(KM_PAD_NONE))); 445 AuthorizationSet original(sw_enforced()); 446 447 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics()); 448 EXPECT_EQ(original, sw_enforced()); 449 450 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 451 EXPECT_EQ(1, GetParam()->keymaster0_calls()); 452 } 453 454 typedef Keymaster2Test SigningOperationsTest; 455 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params); 456 457 TEST_P(SigningOperationsTest, RsaSuccess) { 458 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 459 .RsaSigningKey(256, 3) 460 .Digest(KM_DIGEST_NONE) 461 .Padding(KM_PAD_NONE))); 462 string message = "12345678901234567890123456789012"; 463 string signature; 464 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 465 466 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 467 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 468 } 469 470 TEST_P(SigningOperationsTest, RsaPssSha256Success) { 471 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 472 .RsaSigningKey(768, 3) 473 .Digest(KM_DIGEST_SHA_2_256) 474 .Padding(KM_PAD_RSA_PSS))); 475 // Use large message, which won't work without digesting. 476 string message(1024, 'a'); 477 string signature; 478 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 479 480 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 481 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 482 } 483 484 TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 485 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 486 .RsaSigningKey(512, 3) 487 .Digest(KM_DIGEST_NONE) 488 .Padding(KM_PAD_NONE))); 489 string message = "12345678901234567890123456789012"; 490 string signature; 491 492 AuthorizationSet begin_params(client_params()); 493 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 494 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 495 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 496 497 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 498 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 499 } 500 501 TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) { 502 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 503 .RsaSigningKey(512, 3) 504 .Digest(KM_DIGEST_SHA_2_256) 505 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 506 string message(1024, 'a'); 507 string signature; 508 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 509 510 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 511 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 512 } 513 514 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) { 515 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 516 .RsaSigningKey(512, 3) 517 .Digest(KM_DIGEST_NONE) 518 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 519 string message(53, 'a'); 520 string signature; 521 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN); 522 523 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 524 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 525 } 526 527 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) { 528 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 529 .RsaSigningKey(512, 3) 530 .Digest(KM_DIGEST_NONE) 531 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 532 string message(54, 'a'); 533 534 AuthorizationSet begin_params(client_params()); 535 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 536 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 537 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 538 string result; 539 string signature; 540 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &signature)); 541 542 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 543 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 544 } 545 546 TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) { 547 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so 548 // verify that nine bytes larger than hash won't work. 549 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 550 .RsaSigningKey(256 + 9 * 8, 3) 551 .Digest(KM_DIGEST_SHA_2_256) 552 .Padding(KM_PAD_RSA_PSS))); 553 string message(1024, 'a'); 554 string signature; 555 556 AuthorizationSet begin_params(client_params()); 557 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 558 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 559 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 560 } 561 562 TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) { 563 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 564 .RsaSigningKey(256, 3) 565 .Digest(KM_DIGEST_NONE) 566 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 567 string message(64 * 1024, 'a'); 568 string signature; 569 AuthorizationSet begin_params(client_params()); 570 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 571 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 572 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 573 string result; 574 size_t input_consumed; 575 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 576 577 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 578 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 579 } 580 581 TEST_P(SigningOperationsTest, RsaAbort) { 582 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 583 .RsaSigningKey(256, 3) 584 .Digest(KM_DIGEST_NONE) 585 .Padding(KM_PAD_NONE))); 586 AuthorizationSet begin_params(client_params()); 587 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 588 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 589 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 590 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 591 // Another abort should fail 592 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation()); 593 594 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 595 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 596 } 597 598 TEST_P(SigningOperationsTest, RsaUnsupportedPadding) { 599 GenerateKey(AuthorizationSetBuilder() 600 .RsaSigningKey(256, 3) 601 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */) 602 .Padding(KM_PAD_PKCS7)); 603 AuthorizationSet begin_params(client_params()); 604 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 605 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 606 607 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 608 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 609 } 610 611 TEST_P(SigningOperationsTest, RsaNoDigest) { 612 // PSS requires a digest. 613 GenerateKey(AuthorizationSetBuilder() 614 .RsaSigningKey(256, 3) 615 .Digest(KM_DIGEST_NONE) 616 .Padding(KM_PAD_RSA_PSS)); 617 AuthorizationSet begin_params(client_params()); 618 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 619 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 620 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 621 622 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 623 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 624 } 625 626 TEST_P(SigningOperationsTest, RsaNoPadding) { 627 // Padding must be specified 628 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest( 629 KM_DIGEST_NONE))); 630 AuthorizationSet begin_params(client_params()); 631 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 632 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 633 634 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 635 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 636 } 637 638 TEST_P(SigningOperationsTest, RsaTooShortMessage) { 639 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 640 .RsaSigningKey(256, 3) 641 .Digest(KM_DIGEST_NONE) 642 .Padding(KM_PAD_NONE))); 643 string message = "1234567890123456789012345678901"; 644 string signature; 645 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 646 647 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 648 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 649 } 650 651 TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) { 652 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 653 .RsaEncryptionKey(256, 3) 654 .Digest(KM_DIGEST_NONE) 655 .Padding(KM_PAD_NONE))); 656 AuthorizationSet begin_params(client_params()); 657 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 658 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 659 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 660 661 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 662 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 663 } 664 665 TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) { 666 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 667 .RsaSigningKey(256, 3) 668 .Digest(KM_DIGEST_NONE) 669 .Padding(KM_PAD_NONE))); 670 string message(256 / 8, static_cast<char>(0xff)); 671 string signature; 672 AuthorizationSet begin_params(client_params()); 673 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 674 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 675 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 676 string result; 677 size_t input_consumed; 678 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 679 ASSERT_EQ(message.size(), input_consumed); 680 string output; 681 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output)); 682 683 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 684 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 685 } 686 687 TEST_P(SigningOperationsTest, EcdsaSuccess) { 688 ASSERT_EQ(KM_ERROR_OK, 689 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 690 string message(224 / 8, 'a'); 691 string signature; 692 SignMessage(message, &signature, KM_DIGEST_NONE); 693 694 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 695 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 696 } 697 698 TEST_P(SigningOperationsTest, EcdsaSha256Success) { 699 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 700 KM_DIGEST_SHA_2_256))); 701 string message(1024, 'a'); 702 string signature; 703 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 704 705 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 706 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 707 } 708 709 TEST_P(SigningOperationsTest, EcdsaSha384Success) { 710 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest( 711 KM_DIGEST_SHA_2_384))); 712 string message(1024, 'a'); 713 string signature; 714 SignMessage(message, &signature, KM_DIGEST_SHA_2_384); 715 716 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 717 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 718 } 719 720 TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) { 721 ASSERT_EQ(KM_ERROR_OK, 722 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 723 string message(64 * 1024, 'a'); 724 string signature; 725 AuthorizationSet begin_params(client_params()); 726 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 727 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 728 string result; 729 size_t input_consumed; 730 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 731 732 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 733 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 734 } 735 736 TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) { 737 vector<int> key_sizes = {224, 256, 384, 521}; 738 vector<keymaster_digest_t> digests = { 739 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, 740 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 741 }; 742 743 for (int key_size : key_sizes) { 744 for (keymaster_digest_t digest : digests) { 745 ASSERT_EQ( 746 KM_ERROR_OK, 747 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest))); 748 749 string message(1024, 'a'); 750 string signature; 751 if (digest == KM_DIGEST_NONE) 752 message.resize(key_size / 8); 753 SignMessage(message, &signature, digest); 754 } 755 } 756 757 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 758 EXPECT_EQ(digests.size() * key_sizes.size() * 3, 759 static_cast<size_t>(GetParam()->keymaster0_calls())); 760 } 761 762 TEST_P(SigningOperationsTest, AesEcbSign) { 763 ASSERT_EQ(KM_ERROR_OK, 764 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization( 765 TAG_BLOCK_MODE, KM_MODE_ECB))); 766 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN)); 767 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY)); 768 769 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 770 } 771 772 TEST_P(SigningOperationsTest, HmacSha1Success) { 773 GenerateKey(AuthorizationSetBuilder() 774 .HmacKey(128) 775 .Digest(KM_DIGEST_SHA1) 776 .Authorization(TAG_MIN_MAC_LENGTH, 160)); 777 string message = "12345678901234567890123456789012"; 778 string signature; 779 MacMessage(message, &signature, 160); 780 ASSERT_EQ(20U, signature.size()); 781 782 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 783 } 784 785 TEST_P(SigningOperationsTest, HmacSha224Success) { 786 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 787 .HmacKey(128) 788 .Digest(KM_DIGEST_SHA_2_224) 789 .Authorization(TAG_MIN_MAC_LENGTH, 160))); 790 string message = "12345678901234567890123456789012"; 791 string signature; 792 MacMessage(message, &signature, 224); 793 ASSERT_EQ(28U, signature.size()); 794 795 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 796 } 797 798 TEST_P(SigningOperationsTest, HmacSha256Success) { 799 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 800 .HmacKey(128) 801 .Digest(KM_DIGEST_SHA_2_256) 802 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 803 string message = "12345678901234567890123456789012"; 804 string signature; 805 MacMessage(message, &signature, 256); 806 ASSERT_EQ(32U, signature.size()); 807 808 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 809 } 810 811 TEST_P(SigningOperationsTest, HmacSha384Success) { 812 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 813 .HmacKey(128) 814 .Digest(KM_DIGEST_SHA_2_384) 815 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 816 817 string message = "12345678901234567890123456789012"; 818 string signature; 819 MacMessage(message, &signature, 384); 820 ASSERT_EQ(48U, signature.size()); 821 822 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 823 } 824 825 TEST_P(SigningOperationsTest, HmacSha512Success) { 826 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 827 .HmacKey(128) 828 .Digest(KM_DIGEST_SHA_2_512) 829 .Authorization(TAG_MIN_MAC_LENGTH, 384))); 830 string message = "12345678901234567890123456789012"; 831 string signature; 832 MacMessage(message, &signature, 512); 833 ASSERT_EQ(64U, signature.size()); 834 835 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 836 } 837 838 TEST_P(SigningOperationsTest, HmacLengthInKey) { 839 // TODO(swillden): unified API should generate an error on key generation. 840 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 841 .HmacKey(128) 842 .Digest(KM_DIGEST_SHA_2_256) 843 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 844 string message = "12345678901234567890123456789012"; 845 string signature; 846 MacMessage(message, &signature, 160); 847 ASSERT_EQ(20U, signature.size()); 848 849 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 850 } 851 852 TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) { 853 string key(20, 0xaa); 854 string message(50, 0xdd); 855 uint8_t sha_224_expected[] = { 856 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a, 857 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea, 858 }; 859 uint8_t sha_256_expected[] = { 860 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 861 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 862 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe, 863 }; 864 uint8_t sha_384_expected[] = { 865 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0, 866 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb, 867 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d, 868 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27, 869 }; 870 uint8_t sha_512_expected[] = { 871 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c, 872 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8, 873 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 874 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37, 875 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb, 876 }; 877 878 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 879 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 880 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 881 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 882 883 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 884 } 885 886 TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) { 887 uint8_t key_data[25] = { 888 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 889 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 890 }; 891 string key = make_string(key_data); 892 string message(50, 0xcd); 893 uint8_t sha_224_expected[] = { 894 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82, 895 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a, 896 }; 897 uint8_t sha_256_expected[] = { 898 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 899 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 900 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b, 901 }; 902 uint8_t sha_384_expected[] = { 903 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62, 904 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c, 905 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23, 906 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb, 907 }; 908 uint8_t sha_512_expected[] = { 909 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 910 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f, 911 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 912 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41, 913 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd, 914 }; 915 916 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 917 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 918 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 919 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 920 921 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 922 } 923 924 TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) { 925 string key(20, 0x0c); 926 string message = "Test With Truncation"; 927 928 uint8_t sha_224_expected[] = { 929 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37, 930 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8, 931 }; 932 uint8_t sha_256_expected[] = { 933 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0, 934 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b, 935 }; 936 uint8_t sha_384_expected[] = { 937 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23, 938 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97, 939 }; 940 uint8_t sha_512_expected[] = { 941 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53, 942 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6, 943 }; 944 945 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 946 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 947 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 948 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 949 950 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 951 } 952 953 TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) { 954 string key(131, 0xaa); 955 string message = "Test Using Larger Than Block-Size Key - Hash Key First"; 956 957 uint8_t sha_224_expected[] = { 958 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d, 959 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e, 960 }; 961 uint8_t sha_256_expected[] = { 962 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 963 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 964 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, 965 }; 966 uint8_t sha_384_expected[] = { 967 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a, 968 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f, 969 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab, 970 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52, 971 }; 972 uint8_t sha_512_expected[] = { 973 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd, 974 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b, 975 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 976 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73, 977 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98, 978 }; 979 980 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 981 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 982 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 983 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 984 985 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 986 } 987 988 TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) { 989 string key(131, 0xaa); 990 string message = "This is a test using a larger than block-size key and a larger than " 991 "block-size data. The key needs to be hashed before being used by the HMAC " 992 "algorithm."; 993 994 uint8_t sha_224_expected[] = { 995 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3, 996 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1, 997 }; 998 uint8_t sha_256_expected[] = { 999 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 1000 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 1001 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2, 1002 }; 1003 uint8_t sha_384_expected[] = { 1004 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25, 1005 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a, 1006 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31, 1007 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e, 1008 }; 1009 uint8_t sha_512_expected[] = { 1010 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 1011 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5, 1012 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 1013 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb, 1014 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58, 1015 }; 1016 1017 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected)); 1018 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected)); 1019 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected)); 1020 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected)); 1021 1022 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1023 } 1024 1025 TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) { 1026 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1027 .HmacKey(128) 1028 .Digest(KM_DIGEST_SHA_2_256) 1029 .Authorization(TAG_MIN_MAC_LENGTH, 256))); 1030 AuthorizationSet begin_params(client_params()); 1031 begin_params.push_back(TAG_MAC_LENGTH, 264); 1032 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1033 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 1034 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1035 1036 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1037 } 1038 1039 TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) { 1040 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1041 .HmacKey(128) 1042 .Digest(KM_DIGEST_SHA_2_256) 1043 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 1044 AuthorizationSet begin_params(client_params()); 1045 begin_params.push_back(TAG_MAC_LENGTH, 120); 1046 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1047 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 1048 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */)); 1049 1050 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1051 } 1052 1053 // TODO(swillden): Add more verification failure tests. 1054 1055 typedef Keymaster2Test VerificationOperationsTest; 1056 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params); 1057 1058 TEST_P(VerificationOperationsTest, RsaSuccess) { 1059 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1060 .RsaSigningKey(256, 3) 1061 .Digest(KM_DIGEST_NONE) 1062 .Padding(KM_PAD_NONE))); 1063 string message = "12345678901234567890123456789012"; 1064 string signature; 1065 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1066 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1067 1068 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1069 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1070 } 1071 1072 TEST_P(VerificationOperationsTest, RsaPssSha256Success) { 1073 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1074 .RsaSigningKey(768, 3) 1075 .Digest(KM_DIGEST_SHA_2_256) 1076 .Padding(KM_PAD_RSA_PSS))); 1077 // Use large message, which won't work without digesting. 1078 string message(1024, 'a'); 1079 string signature; 1080 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1081 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1082 1083 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1084 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1085 } 1086 1087 TEST_P(VerificationOperationsTest, RsaPssSha224Success) { 1088 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1089 .RsaSigningKey(512, 3) 1090 .Digest(KM_DIGEST_SHA_2_224) 1091 .Padding(KM_PAD_RSA_PSS))); 1092 // Use large message, which won't work without digesting. 1093 string message(1024, 'a'); 1094 string signature; 1095 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); 1096 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS); 1097 1098 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1099 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1100 1101 // Verify with OpenSSL. 1102 string pubkey; 1103 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); 1104 1105 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); 1106 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1107 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 1108 ASSERT_TRUE(pkey.get()); 1109 1110 EVP_MD_CTX digest_ctx; 1111 EVP_MD_CTX_init(&digest_ctx); 1112 EVP_PKEY_CTX* pkey_ctx; 1113 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, 1114 pkey.get())); 1115 EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)); 1116 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); 1117 EXPECT_EQ(1, 1118 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 1119 signature.size())); 1120 EVP_MD_CTX_cleanup(&digest_ctx); 1121 } 1122 1123 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) { 1124 GenerateKey(AuthorizationSetBuilder() 1125 .RsaSigningKey(768, 3) 1126 .Digest(KM_DIGEST_SHA_2_256) 1127 .Padding(KM_PAD_RSA_PSS)); 1128 string message(1024, 'a'); 1129 string signature; 1130 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1131 ++signature[signature.size() / 2]; 1132 1133 AuthorizationSet begin_params(client_params()); 1134 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1135 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1136 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1137 1138 string result; 1139 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1140 1141 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1142 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1143 } 1144 1145 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) { 1146 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1147 .RsaSigningKey(768, 3) 1148 .Digest(KM_DIGEST_SHA_2_256) 1149 .Padding(KM_PAD_RSA_PSS))); 1150 // Use large message, which won't work without digesting. 1151 string message(1024, 'a'); 1152 string signature; 1153 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS); 1154 ++message[message.size() / 2]; 1155 1156 AuthorizationSet begin_params(client_params()); 1157 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1158 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS); 1159 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1160 1161 string result; 1162 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1163 1164 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1165 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1166 } 1167 1168 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) { 1169 GenerateKey(AuthorizationSetBuilder() 1170 .RsaSigningKey(512, 3) 1171 .Digest(KM_DIGEST_SHA_2_256) 1172 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1173 string message(1024, 'a'); 1174 string signature; 1175 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1176 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1177 1178 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1179 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1180 } 1181 1182 TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) { 1183 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1184 .RsaSigningKey(512, 3) 1185 .Digest(KM_DIGEST_SHA_2_224) 1186 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1187 // Use large message, which won't work without digesting. 1188 string message(1024, 'a'); 1189 string signature; 1190 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); 1191 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN); 1192 1193 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1194 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1195 1196 // Verify with OpenSSL. 1197 string pubkey; 1198 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey)); 1199 1200 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data()); 1201 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 1202 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size())); 1203 ASSERT_TRUE(pkey.get()); 1204 1205 EVP_MD_CTX digest_ctx; 1206 EVP_MD_CTX_init(&digest_ctx); 1207 EVP_PKEY_CTX* pkey_ctx; 1208 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */, 1209 pkey.get())); 1210 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size())); 1211 EXPECT_EQ(1, 1212 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()), 1213 signature.size())); 1214 EVP_MD_CTX_cleanup(&digest_ctx); 1215 } 1216 1217 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) { 1218 GenerateKey(AuthorizationSetBuilder() 1219 .RsaSigningKey(512, 3) 1220 .Digest(KM_DIGEST_SHA_2_256) 1221 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)); 1222 string message(1024, 'a'); 1223 string signature; 1224 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1225 ++signature[signature.size() / 2]; 1226 1227 AuthorizationSet begin_params(client_params()); 1228 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1229 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1230 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1231 1232 string result; 1233 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1234 1235 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1236 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1237 } 1238 1239 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) { 1240 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1241 .RsaSigningKey(512, 3) 1242 .Digest(KM_DIGEST_SHA_2_256) 1243 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN))); 1244 // Use large message, which won't work without digesting. 1245 string message(1024, 'a'); 1246 string signature; 1247 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN); 1248 ++message[message.size() / 2]; 1249 1250 AuthorizationSet begin_params(client_params()); 1251 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 1252 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN); 1253 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1254 1255 string result; 1256 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1257 1258 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1259 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1260 } 1261 1262 TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) { 1263 vector<keymaster_digest_t> digests = { 1264 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 1265 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 1266 }; 1267 1268 vector<keymaster_padding_t> padding_modes{ 1269 KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS, 1270 }; 1271 1272 int trial_count = 0; 1273 for (keymaster_padding_t padding_mode : padding_modes) { 1274 for (keymaster_digest_t digest : digests) { 1275 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE) 1276 // Digesting requires padding 1277 continue; 1278 1279 // Compute key & message size that will work. 1280 size_t key_bits = 0; 1281 size_t message_len = 1000; 1282 1283 if (digest == KM_DIGEST_NONE) { 1284 key_bits = 256; 1285 switch (padding_mode) { 1286 case KM_PAD_NONE: 1287 // Match key size. 1288 message_len = key_bits / 8; 1289 break; 1290 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1291 message_len = key_bits / 8 - 11; 1292 break; 1293 case KM_PAD_RSA_PSS: 1294 // PSS requires a digest. 1295 continue; 1296 default: 1297 FAIL() << "Missing padding"; 1298 break; 1299 } 1300 } else { 1301 size_t digest_bits; 1302 switch (digest) { 1303 case KM_DIGEST_MD5: 1304 digest_bits = 128; 1305 break; 1306 case KM_DIGEST_SHA1: 1307 digest_bits = 160; 1308 break; 1309 case KM_DIGEST_SHA_2_224: 1310 digest_bits = 224; 1311 break; 1312 case KM_DIGEST_SHA_2_256: 1313 digest_bits = 256; 1314 break; 1315 case KM_DIGEST_SHA_2_384: 1316 digest_bits = 384; 1317 break; 1318 case KM_DIGEST_SHA_2_512: 1319 digest_bits = 512; 1320 break; 1321 default: 1322 FAIL() << "Missing digest"; 1323 } 1324 1325 switch (padding_mode) { 1326 case KM_PAD_RSA_PKCS1_1_5_SIGN: 1327 key_bits = digest_bits + 8 * (11 + 19); 1328 break; 1329 case KM_PAD_RSA_PSS: 1330 key_bits = digest_bits * 2 + 2 * 8; 1331 break; 1332 default: 1333 FAIL() << "Missing padding"; 1334 break; 1335 } 1336 } 1337 1338 // Round up to the nearest multiple of 128. 1339 key_bits = (key_bits + 127) / 128 * 128; 1340 1341 GenerateKey(AuthorizationSetBuilder() 1342 .RsaSigningKey(key_bits, 3) 1343 .Digest(digest) 1344 .Padding(padding_mode)); 1345 string message(message_len, 'a'); 1346 string signature; 1347 SignMessage(message, &signature, digest, padding_mode); 1348 VerifyMessage(message, signature, digest, padding_mode); 1349 ++trial_count; 1350 } 1351 } 1352 1353 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1354 EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls()); 1355 } 1356 1357 TEST_P(VerificationOperationsTest, EcdsaSuccess) { 1358 ASSERT_EQ(KM_ERROR_OK, 1359 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1360 string message = "12345678901234567890123456789012"; 1361 string signature; 1362 SignMessage(message, &signature, KM_DIGEST_NONE); 1363 VerifyMessage(message, signature, KM_DIGEST_NONE); 1364 1365 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1366 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1367 } 1368 1369 TEST_P(VerificationOperationsTest, EcdsaTooShort) { 1370 ASSERT_EQ(KM_ERROR_OK, 1371 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE))); 1372 string message = "12345678901234567890"; 1373 string signature; 1374 SignMessage(message, &signature, KM_DIGEST_NONE); 1375 VerifyMessage(message, signature, KM_DIGEST_NONE); 1376 1377 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1378 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1379 } 1380 1381 TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) { 1382 ASSERT_EQ(KM_ERROR_OK, 1383 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE))); 1384 1385 string message(66, 'a'); 1386 string signature; 1387 SignMessage(message, &signature, KM_DIGEST_NONE); 1388 VerifyMessage(message, signature, KM_DIGEST_NONE); 1389 1390 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh. 1391 message[65] ^= 7; 1392 VerifyMessage(message, signature, KM_DIGEST_NONE); 1393 1394 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1395 EXPECT_EQ(5, GetParam()->keymaster0_calls()); 1396 } 1397 1398 TEST_P(VerificationOperationsTest, EcdsaSha256Success) { 1399 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1400 .EcdsaSigningKey(256) 1401 .Digest(KM_DIGEST_SHA_2_256) 1402 .Digest(KM_DIGEST_NONE))); 1403 string message = "12345678901234567890123456789012"; 1404 string signature; 1405 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 1406 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 1407 1408 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1409 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1410 1411 // Just for giggles, try verifying with the wrong digest. 1412 AuthorizationSet begin_params(client_params()); 1413 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1414 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1415 1416 string result; 1417 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1418 } 1419 1420 TEST_P(VerificationOperationsTest, EcdsaSha224Success) { 1421 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( 1422 KM_DIGEST_SHA_2_224))); 1423 1424 string message = "12345678901234567890123456789012"; 1425 string signature; 1426 SignMessage(message, &signature, KM_DIGEST_SHA_2_224); 1427 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224); 1428 1429 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1430 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1431 1432 // Just for giggles, try verifying with the wrong digest. 1433 AuthorizationSet begin_params(client_params()); 1434 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 1435 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1436 1437 string result; 1438 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result)); 1439 } 1440 1441 TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) { 1442 keymaster_digest_t digests[] = { 1443 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, 1444 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 1445 }; 1446 size_t key_sizes[] = {224, 256, 384, 521}; 1447 1448 string message = "1234567890"; 1449 string signature; 1450 1451 for (auto key_size : key_sizes) { 1452 SCOPED_TRACE(testing::Message() << "Key size: " << key_size); 1453 AuthorizationSetBuilder builder; 1454 builder.EcdsaSigningKey(key_size); 1455 for (auto digest : digests) 1456 builder.Digest(digest); 1457 ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder)); 1458 1459 for (auto digest : digests) { 1460 SCOPED_TRACE(testing::Message() << "Digest: " << digest); 1461 SignMessage(message, &signature, digest); 1462 VerifyMessage(message, signature, digest); 1463 } 1464 } 1465 1466 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1467 EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))), 1468 GetParam()->keymaster0_calls()); 1469 } 1470 1471 TEST_P(VerificationOperationsTest, HmacSha1Success) { 1472 GenerateKey(AuthorizationSetBuilder() 1473 .HmacKey(128) 1474 .Digest(KM_DIGEST_SHA1) 1475 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1476 string message = "123456789012345678901234567890123456789012345678"; 1477 string signature; 1478 MacMessage(message, &signature, 160); 1479 VerifyMac(message, signature); 1480 1481 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1482 } 1483 1484 TEST_P(VerificationOperationsTest, HmacSha224Success) { 1485 GenerateKey(AuthorizationSetBuilder() 1486 .HmacKey(128) 1487 .Digest(KM_DIGEST_SHA_2_224) 1488 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1489 string message = "123456789012345678901234567890123456789012345678"; 1490 string signature; 1491 MacMessage(message, &signature, 224); 1492 VerifyMac(message, signature); 1493 1494 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1495 } 1496 1497 TEST_P(VerificationOperationsTest, HmacSha256Success) { 1498 GenerateKey(AuthorizationSetBuilder() 1499 .HmacKey(128) 1500 .Digest(KM_DIGEST_SHA_2_256) 1501 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1502 string message = "123456789012345678901234567890123456789012345678"; 1503 string signature; 1504 MacMessage(message, &signature, 256); 1505 VerifyMac(message, signature); 1506 1507 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1508 } 1509 1510 TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) { 1511 GenerateKey(AuthorizationSetBuilder() 1512 .HmacKey(128) 1513 .Digest(KM_DIGEST_SHA_2_256) 1514 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1515 string message = "123456789012345678901234567890123456789012345678"; 1516 string signature; 1517 MacMessage(message, &signature, 256); 1518 1519 // Shorten to 128 bits, should still work. 1520 signature.resize(128 / 8); 1521 VerifyMac(message, signature); 1522 1523 // Drop one more byte. 1524 signature.resize(signature.length() - 1); 1525 1526 AuthorizationSet begin_params(client_params()); 1527 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params)); 1528 string result; 1529 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(message, signature, &result)); 1530 1531 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1532 } 1533 1534 TEST_P(VerificationOperationsTest, HmacSha384Success) { 1535 GenerateKey(AuthorizationSetBuilder() 1536 .HmacKey(128) 1537 .Digest(KM_DIGEST_SHA_2_384) 1538 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1539 string message = "123456789012345678901234567890123456789012345678"; 1540 string signature; 1541 MacMessage(message, &signature, 384); 1542 VerifyMac(message, signature); 1543 1544 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1545 } 1546 1547 TEST_P(VerificationOperationsTest, HmacSha512Success) { 1548 GenerateKey(AuthorizationSetBuilder() 1549 .HmacKey(128) 1550 .Digest(KM_DIGEST_SHA_2_512) 1551 .Authorization(TAG_MIN_MAC_LENGTH, 128)); 1552 string message = "123456789012345678901234567890123456789012345678"; 1553 string signature; 1554 MacMessage(message, &signature, 512); 1555 VerifyMac(message, signature); 1556 1557 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1558 } 1559 1560 typedef Keymaster2Test ExportKeyTest; 1561 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params); 1562 1563 TEST_P(ExportKeyTest, RsaSuccess) { 1564 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1565 .RsaSigningKey(256, 3) 1566 .Digest(KM_DIGEST_NONE) 1567 .Padding(KM_PAD_NONE))); 1568 string export_data; 1569 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1570 EXPECT_GT(export_data.length(), 0U); 1571 1572 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1573 1574 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1575 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1576 } 1577 1578 TEST_P(ExportKeyTest, EcdsaSuccess) { 1579 ASSERT_EQ(KM_ERROR_OK, 1580 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 1581 string export_data; 1582 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1583 EXPECT_GT(export_data.length(), 0U); 1584 1585 // TODO(swillden): Verify that the exported key is actually usable to verify signatures. 1586 1587 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1588 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1589 } 1590 1591 TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) { 1592 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1593 .RsaSigningKey(256, 3) 1594 .Digest(KM_DIGEST_NONE) 1595 .Padding(KM_PAD_NONE))); 1596 string export_data; 1597 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1598 1599 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1600 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1601 } 1602 1603 TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) { 1604 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 1605 .RsaSigningKey(256, 3) 1606 .Digest(KM_DIGEST_NONE) 1607 .Padding(KM_PAD_NONE))); 1608 corrupt_key_blob(); 1609 string export_data; 1610 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1611 1612 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1613 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 1614 } 1615 1616 TEST_P(ExportKeyTest, AesKeyExportFails) { 1617 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128))); 1618 string export_data; 1619 1620 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data)); 1621 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data)); 1622 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data)); 1623 1624 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1625 } 1626 1627 static string read_file(const string& file_name) { 1628 ifstream file_stream(file_name, std::ios::binary); 1629 istreambuf_iterator<char> file_begin(file_stream); 1630 istreambuf_iterator<char> file_end; 1631 return string(file_begin, file_end); 1632 } 1633 1634 typedef Keymaster2Test ImportKeyTest; 1635 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params); 1636 1637 TEST_P(ImportKeyTest, RsaSuccess) { 1638 string pk8_key = read_file("rsa_privkey_pk8.der"); 1639 ASSERT_EQ(633U, pk8_key.size()); 1640 1641 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1642 .RsaSigningKey(1024, 65537) 1643 .Digest(KM_DIGEST_NONE) 1644 .Padding(KM_PAD_NONE), 1645 KM_KEY_FORMAT_PKCS8, pk8_key)); 1646 1647 // Check values derived from the key. 1648 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1649 : sw_enforced(), 1650 TAG_ALGORITHM, KM_ALGORITHM_RSA)); 1651 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1652 : sw_enforced(), 1653 TAG_KEY_SIZE, 1024)); 1654 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced() 1655 : sw_enforced(), 1656 TAG_RSA_PUBLIC_EXPONENT, 65537U)); 1657 1658 // And values provided by AndroidKeymaster 1659 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1660 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1661 else 1662 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1663 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1664 1665 string message(1024 / 8, 'a'); 1666 string signature; 1667 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE); 1668 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE); 1669 1670 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 1671 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1672 } 1673 1674 TEST_P(ImportKeyTest, RsaKeySizeMismatch) { 1675 string pk8_key = read_file("rsa_privkey_pk8.der"); 1676 ASSERT_EQ(633U, pk8_key.size()); 1677 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1678 ImportKey(AuthorizationSetBuilder() 1679 .RsaSigningKey(2048 /* Doesn't match key */, 3) 1680 .Digest(KM_DIGEST_NONE) 1681 .Padding(KM_PAD_NONE), 1682 KM_KEY_FORMAT_PKCS8, pk8_key)); 1683 1684 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1685 } 1686 1687 TEST_P(ImportKeyTest, RsaPublicExponenMismatch) { 1688 string pk8_key = read_file("rsa_privkey_pk8.der"); 1689 ASSERT_EQ(633U, pk8_key.size()); 1690 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1691 ImportKey(AuthorizationSetBuilder() 1692 .RsaSigningKey(256, 3 /* Doesnt' match key */) 1693 .Digest(KM_DIGEST_NONE) 1694 .Padding(KM_PAD_NONE), 1695 KM_KEY_FORMAT_PKCS8, pk8_key)); 1696 1697 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1698 } 1699 1700 TEST_P(ImportKeyTest, EcdsaSuccess) { 1701 string pk8_key = read_file("ec_privkey_pk8.der"); 1702 ASSERT_EQ(138U, pk8_key.size()); 1703 1704 ASSERT_EQ(KM_ERROR_OK, 1705 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1706 KM_KEY_FORMAT_PKCS8, pk8_key)); 1707 1708 // Check values derived from the key. 1709 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1710 : sw_enforced(), 1711 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1712 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1713 : sw_enforced(), 1714 TAG_KEY_SIZE, 256)); 1715 1716 // And values provided by AndroidKeymaster 1717 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1718 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1719 else 1720 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1721 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1722 1723 string message(32, 'a'); 1724 string signature; 1725 SignMessage(message, &signature, KM_DIGEST_NONE); 1726 VerifyMessage(message, signature, KM_DIGEST_NONE); 1727 1728 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1729 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1730 } 1731 1732 TEST_P(ImportKeyTest, EcdsaSizeSpecified) { 1733 string pk8_key = read_file("ec_privkey_pk8.der"); 1734 ASSERT_EQ(138U, pk8_key.size()); 1735 1736 ASSERT_EQ(KM_ERROR_OK, 1737 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE), 1738 KM_KEY_FORMAT_PKCS8, pk8_key)); 1739 1740 // Check values derived from the key. 1741 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1742 : sw_enforced(), 1743 TAG_ALGORITHM, KM_ALGORITHM_EC)); 1744 EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced() 1745 : sw_enforced(), 1746 TAG_KEY_SIZE, 256)); 1747 1748 // And values provided by AndroidKeymaster 1749 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1750 EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN)); 1751 else 1752 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1753 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1754 1755 string message(32, 'a'); 1756 string signature; 1757 SignMessage(message, &signature, KM_DIGEST_NONE); 1758 VerifyMessage(message, signature, KM_DIGEST_NONE); 1759 1760 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 1761 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 1762 } 1763 1764 TEST_P(ImportKeyTest, EcdsaSizeMismatch) { 1765 string pk8_key = read_file("ec_privkey_pk8.der"); 1766 ASSERT_EQ(138U, pk8_key.size()); 1767 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH, 1768 ImportKey(AuthorizationSetBuilder() 1769 .EcdsaSigningKey(224 /* Doesn't match key */) 1770 .Digest(KM_DIGEST_NONE), 1771 KM_KEY_FORMAT_PKCS8, pk8_key)); 1772 1773 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1774 } 1775 1776 TEST_P(ImportKeyTest, AesKeySuccess) { 1777 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1778 string key(key_data, sizeof(key_data)); 1779 ASSERT_EQ(KM_ERROR_OK, 1780 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization( 1781 TAG_PADDING, KM_PAD_PKCS7), 1782 KM_KEY_FORMAT_RAW, key)); 1783 1784 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1785 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1786 1787 string message = "Hello World!"; 1788 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 1789 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 1790 EXPECT_EQ(message, plaintext); 1791 1792 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1793 } 1794 1795 TEST_P(ImportKeyTest, HmacSha256KeySuccess) { 1796 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; 1797 string key(key_data, sizeof(key_data)); 1798 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 1799 .HmacKey(sizeof(key_data) * 8) 1800 .Digest(KM_DIGEST_SHA_2_256) 1801 .Authorization(TAG_MIN_MAC_LENGTH, 256), 1802 KM_KEY_FORMAT_RAW, key)); 1803 1804 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED)); 1805 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME)); 1806 1807 string message = "Hello World!"; 1808 string signature; 1809 MacMessage(message, &signature, 256); 1810 VerifyMac(message, signature); 1811 1812 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 1813 } 1814 1815 string wrapped_key = hex2str( 1816 "3082017302010004820100A2B7988012A043CE83E762A4E4D3C86D578B2E1EA5E04138353114A816951308E3222AFA" 1817 "D86CA141C581198E65BC56D9EEDC5B555713BE2C20948DD076AB4980305871317F89DD3A7A67FBBB7AACF6941C06B2" 1818 "65396D894A6DCC7B9FB152FFA8CBF44FF8063748795F3FB506DF8718535289E759075A13A5DDC83EF8470549AA7794" 1819 "3AFBACF6CF82DCE3751E05BFE05F30B998D73E23611E6EAEFC2A497E097A895C4242607B472AE8F19DA77A9A5A4786" 1820 "75541FC813C9213B5CE8C2E598BFBBCD1B369E3D7AEC0274F9B79118D8AA5FBB7634EBD3C4C2AF3B5DA483DF2CFDF1" 1821 "E68A3BFC7B6C0D503AF88E82C9EE841A278B144FF8D39F2DB2ACE9415C120190040CD796B02C370F1FA4CC0124F130" 1822 "280201033023A1083106020100020101A203020120A30402020100A4053103020101A60531030201400420CCD54085" 1823 "5F833A5E1480BFD2D36FAF3AEEE15DF5BEABE2691BC82DDE2A7AA91004107CB81BDDCD09E8F4DF575726279F3229"); 1824 1825 string wrapped_key_masked = hex2str( 1826 "30820173020100048201008CBEE0DC600215FFC85FC26B57DD2331DDF5D3E106C0A68BFEF167AFD428041D9B7C3316" 1827 "110BBB914A86FC24D4EF5C6A4673C9B3CC914C7806453650753B5130C4FE72264A52C1A270286032513F24EB3E033A" 1828 "BCC26A9D6AEFD0D0AD3E922E4E737ECDAD3C4DF2ABDB416378E67381BE0391175EC8F05FDFBC3794B7D0D88298010F" 1829 "E9B6F788BC049D874575D2D4C33DB582B113694738A9151BBC7603D3556B26FEC0279EE1C1CA44D6F7F91F4C424912" 1830 "7F9CC3232DE8B0AEFFD5AFAD4C3D5B846FD26873315606F6457BC19447FD7C6431550D6E6592A0555E61C7A021D149" 1831 "BCEE7A858DD6D4A8E230C6015EEDF0A58F4CAA8A6D0E3A1E3794CAEE7854CE92040C6D9721D08589581AB49204A330" 1832 "280201033023A1083106020100020101A203020120A30402020100A4053103020101A60531030201400420A61C6E24" 1833 "7E25B3E6E69AA78EB03C2D4AC20D1F99A9A024A76F35C8E2CAB9B68D04101FF7A0E793B9EE4AECEBB9AC4C545254"); 1834 1835 string wrapping_key = hex2str( 1836 "308204be020100300d06092a864886f70d0101010500048204a8308204a40201000282010100aec367931d8900ce56" 1837 "b0067f7d70e1fc653f3f34d194c1fed50018fb43db937b06e673a837313d56b1c725150a3fef86acbddc41bb759c28" 1838 "54eae32d35841efb5c18d82bc90a1cb5c1d55adf245b02911f0b7cda88c421ff0ebafe7c0d23be312d7bd5921ffaea" 1839 "1347c157406fef718f682643e4e5d33c6703d61c0cf7ac0bf4645c11f5c1374c3886427411c449796792e0bef75dec" 1840 "858a2123c36753e02a95a96d7c454b504de385a642e0dfc3e60ac3a7ee4991d0d48b0172a95f9536f02ba13cecccb9" 1841 "2b727db5c27e5b2f5cec09600b286af5cf14c42024c61ddfe71c2a8d7458f185234cb00e01d282f10f8fc6721d2aed" 1842 "3f4833cca2bd8fa62821dd55020301000102820100431447b6251908112b1ee76f99f3711a52b6630960046c2de70d" 1843 "e188d833f8b8b91e4d785caeeeaf4f0f74414e2cda40641f7fe24f14c67a88959bdb27766df9e710b630a03adc683b" 1844 "5d2c43080e52bee71e9eaeb6de297a5fea1072070d181c822bccff087d63c940ba8a45f670feb29fb4484d1c95e6d2" 1845 "579ba02aae0a00900c3ebf490e3d2cd7ee8d0e20c536e4dc5a5097272888cddd7e91f228b1c4d7474c55b8fcd618c4" 1846 "a957bbddd5ad7407cc312d8d98a5caf7e08f4a0d6b45bb41c652659d5a5ba05b663737a8696281865ba20fbdd7f851" 1847 "e6c56e8cbe0ddbbf24dc03b2d2cb4c3d540fb0af52e034a2d06698b128e5f101e3b51a34f8d8b4f8618102818100de" 1848 "392e18d682c829266cc3454e1d6166242f32d9a1d10577753e904ea7d08bff841be5bac82a164c5970007047b8c517" 1849 "db8f8f84e37bd5988561bdf503d4dc2bdb38f885434ae42c355f725c9a60f91f0788e1f1a97223b524b5357fdf72e2" 1850 "f696bab7d78e32bf92ba8e1864eab1229e91346130748a6e3c124f9149d71c743502818100c95387c0f9d35f137b57" 1851 "d0d65c397c5e21cc251e47008ed62a542409c8b6b6ac7f8967b3863ca645fcce49582a9aa17349db6c4a95affdae0d" 1852 "ae612e1afac99ed39a2d934c880440aed8832f9843163a47f27f392199dc1202f9a0f9bd08308007cb1e4e7f583093" 1853 "66a7de25f7c3c9b880677c068e1be936e81288815252a8a102818057ff8ca1895080b2cae486ef0adfd791fb0235c0" 1854 "b8b36cd6c136e52e4085f4ea5a063212a4f105a3764743e53281988aba073f6e0027298e1c4378556e0efca0e14ece" 1855 "1af76ad0b030f27af6f0ab35fb73a060d8b1a0e142fa2647e93b32e36d8282ae0a4de50ab7afe85500a16f43a64719" 1856 "d6e2b9439823719cd08bcd03178102818100ba73b0bb28e3f81e9bd1c568713b101241acc607976c4ddccc90e65b65" 1857 "56ca31516058f92b6e09f3b160ff0e374ec40d78ae4d4979fde6ac06a1a400c61dd31254186af30b22c10582a8a43e" 1858 "34fe949c5f3b9755bae7baa7b7b7a6bd03b38cef55c86885fc6c1978b9cee7ef33da507c9df6b9277cff1e6aaa5d57" 1859 "aca528466102818100c931617c77829dfb1270502be9195c8f2830885f57dba869536811e6864236d0c4736a0008a1" 1860 "45af36b8357a7c3d139966d04c4e00934ea1aede3bb6b8ec841dc95e3f579751e2bfdfe27ae778983f959356210723" 1861 "287b0affcc9f727044d48c373f1babde0724fa17a4fd4da0902c7c9b9bf27ba61be6ad02dfddda8f4e6822"); 1862 1863 string zero_masking_key = 1864 hex2str("0000000000000000000000000000000000000000000000000000000000000000"); 1865 string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC"); 1866 1867 class ImportWrappedKeyTest : public testing::Test { 1868 public: 1869 ImportWrappedKeyTest() : keymaster_(new PureSoftKeymasterContext(), 16) {} 1870 1871 protected: 1872 void SetUp() override { 1873 ConfigureRequest configReq; 1874 configReq.os_version = kOsVersion; 1875 configReq.os_patchlevel = kOsPatchLevel; 1876 ConfigureResponse configRsp; 1877 keymaster_.Configure(configReq, &configRsp); 1878 EXPECT_EQ(KM_ERROR_OK, configRsp.error); 1879 } 1880 1881 keymaster_error_t BeginOperation(keymaster_purpose_t purpose, 1882 const AuthorizationSet& input_set) { 1883 BeginOperationRequest req; 1884 req.purpose = purpose; 1885 req.SetKeyMaterial(blob_); 1886 req.additional_params = input_set; 1887 1888 BeginOperationResponse rsp; 1889 keymaster_.BeginOperation(req, &rsp); 1890 op_handle_ = rsp.op_handle; 1891 1892 return rsp.error; 1893 } 1894 1895 keymaster_error_t FinishOperation(const string& input, string* output) { 1896 FinishOperationRequest req; 1897 req.op_handle = op_handle_; 1898 req.input.Reinitialize(input.data(), input.size()); 1899 1900 FinishOperationResponse rsp; 1901 keymaster_.FinishOperation(req, &rsp); 1902 1903 if (output) { 1904 *output = string(reinterpret_cast<const char*>(rsp.output.peek_read()), 1905 rsp.output.available_read()); 1906 } 1907 1908 return rsp.error; 1909 } 1910 1911 string ProcessMessage(keymaster_purpose_t purpose, const string& message, 1912 const AuthorizationSet& begin_params) { 1913 EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params)); 1914 1915 string result; 1916 EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, &result)); 1917 return result; 1918 } 1919 1920 AndroidKeymaster keymaster_; 1921 KeymasterKeyBlob blob_; 1922 uint64_t op_handle_; 1923 }; 1924 1925 TEST_F(ImportWrappedKeyTest, GoldenKeySuccess) { 1926 ImportKeyRequest import_request; 1927 1928 auto import_params = AuthorizationSetBuilder() 1929 .RsaEncryptionKey(2048, 65537) 1930 .Digest(KM_DIGEST_SHA1) 1931 .Padding(KM_PAD_RSA_OAEP) 1932 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP) 1933 .build(); 1934 import_request.key_description.Reinitialize(import_params); 1935 import_request.SetKeyMaterial(reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), 1936 wrapping_key.size()); 1937 import_request.key_format = KM_KEY_FORMAT_PKCS8; 1938 ImportKeyResponse import_response; 1939 keymaster_.ImportKey(import_request, &import_response); 1940 ASSERT_EQ(import_response.error, KM_ERROR_OK); 1941 1942 ImportWrappedKeyRequest request; 1943 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key.c_str()), 1944 wrapped_key.size()); 1945 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob); 1946 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(zero_masking_key.c_str()), 1947 zero_masking_key.size()); 1948 ImportWrappedKeyResponse response; 1949 1950 keymaster_.ImportWrappedKey(request, &response); 1951 1952 EXPECT_EQ(response.error, KM_ERROR_OK); 1953 // Check that the tags from the wrapped auth list were imported correctly 1954 ASSERT_EQ(response.key_blob.key_material_size > 0, true); 1955 ASSERT_EQ(response.unenforced.Contains(TAG_ALGORITHM), true); 1956 ASSERT_EQ(response.unenforced.Contains(TAG_KEY_SIZE), true); 1957 ASSERT_EQ(response.unenforced.Contains(TAG_PURPOSE), true); 1958 ASSERT_EQ(response.unenforced.Contains(TAG_BLOCK_MODE), true); 1959 1960 blob_ = move(response.key_blob); 1961 1962 string message = "Hello World!"; 1963 auto params = AuthorizationSetBuilder().BlockMode(KM_MODE_ECB).Padding(KM_PAD_PKCS7).build(); 1964 string ciphertext = ProcessMessage(KM_PURPOSE_ENCRYPT, message, params); 1965 string plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, params); 1966 1967 EXPECT_EQ(message, plaintext); 1968 } 1969 1970 TEST_F(ImportWrappedKeyTest, SuccessMaskingKey) { 1971 ImportKeyRequest import_request; 1972 1973 auto import_params = AuthorizationSetBuilder() 1974 .RsaEncryptionKey(2048, 65537) 1975 .Digest(KM_DIGEST_SHA1) 1976 .Padding(KM_PAD_RSA_OAEP) 1977 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP) 1978 .build(); 1979 import_request.key_description.Reinitialize(import_params); 1980 import_request.SetKeyMaterial(reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), 1981 wrapping_key.size()); 1982 1983 import_request.key_format = KM_KEY_FORMAT_PKCS8; 1984 ImportKeyResponse import_response; 1985 keymaster_.ImportKey(import_request, &import_response); 1986 EXPECT_EQ(import_response.error, KM_ERROR_OK); 1987 1988 if (import_response.error != KM_ERROR_OK) return; 1989 1990 ImportWrappedKeyRequest request; 1991 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key_masked.c_str()), 1992 wrapped_key_masked.size()); 1993 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob); 1994 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(masking_key.c_str()), 1995 masking_key.size()); 1996 ImportWrappedKeyResponse response; 1997 1998 keymaster_.ImportWrappedKey(request, &response); 1999 EXPECT_EQ(response.error, KM_ERROR_OK); 2000 } 2001 2002 TEST_F(ImportWrappedKeyTest, WrongMaskingKey) { 2003 ImportKeyRequest import_request; 2004 2005 auto import_params = AuthorizationSetBuilder() 2006 .RsaEncryptionKey(2048, 65537) 2007 .Digest(KM_DIGEST_SHA1) 2008 .Padding(KM_PAD_RSA_OAEP) 2009 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP) 2010 .build(); 2011 import_request.key_description.Reinitialize(import_params); 2012 import_request.SetKeyMaterial(reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), 2013 wrapping_key.size()); 2014 2015 import_request.key_format = KM_KEY_FORMAT_PKCS8; 2016 ImportKeyResponse import_response; 2017 keymaster_.ImportKey(import_request, &import_response); 2018 EXPECT_EQ(import_response.error, KM_ERROR_OK); 2019 2020 if (import_response.error != KM_ERROR_OK) return; 2021 2022 ImportWrappedKeyRequest request; 2023 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key_masked.c_str()), 2024 wrapped_key_masked.size()); 2025 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob); 2026 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(zero_masking_key.c_str()), 2027 zero_masking_key.size()); 2028 ImportWrappedKeyResponse response; 2029 2030 keymaster_.ImportWrappedKey(request, &response); 2031 EXPECT_EQ(response.error, KM_ERROR_VERIFICATION_FAILED); 2032 } 2033 2034 TEST_F(ImportWrappedKeyTest, WrongPurpose) { 2035 ImportKeyRequest import_request; 2036 2037 auto import_params = AuthorizationSetBuilder() 2038 .RsaEncryptionKey(2048, 65537) 2039 .Digest(KM_DIGEST_SHA1) 2040 .Padding(KM_PAD_RSA_OAEP) 2041 .build(); 2042 import_request.key_description.Reinitialize(import_params); 2043 import_request.SetKeyMaterial(reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), 2044 wrapping_key.size()); 2045 import_request.key_format = KM_KEY_FORMAT_PKCS8; 2046 ImportKeyResponse import_response; 2047 keymaster_.ImportKey(import_request, &import_response); 2048 EXPECT_EQ(import_response.error, KM_ERROR_OK); 2049 2050 if (import_response.error != KM_ERROR_OK) return; 2051 2052 ImportWrappedKeyRequest request; 2053 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key.c_str()), 2054 wrapped_key.size()); 2055 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob); 2056 ImportWrappedKeyResponse response; 2057 2058 keymaster_.ImportWrappedKey(request, &response); 2059 EXPECT_EQ(response.error, KM_ERROR_INCOMPATIBLE_PURPOSE); 2060 } 2061 2062 typedef Keymaster2Test EncryptionOperationsTest; 2063 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params); 2064 2065 TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) { 2066 ASSERT_EQ(KM_ERROR_OK, 2067 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 2068 2069 string message = "12345678901234567890123456789012"; 2070 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE); 2071 EXPECT_EQ(256U / 8, ciphertext1.size()); 2072 2073 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE); 2074 EXPECT_EQ(256U / 8, ciphertext2.size()); 2075 2076 // Unpadded RSA is deterministic 2077 EXPECT_EQ(ciphertext1, ciphertext2); 2078 2079 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2080 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2081 } 2082 2083 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) { 2084 ASSERT_EQ(KM_ERROR_OK, 2085 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 2086 2087 string message = "1"; 2088 2089 string ciphertext = EncryptMessage(message, KM_PAD_NONE); 2090 EXPECT_EQ(256U / 8, ciphertext.size()); 2091 2092 string expected_plaintext = string(256 / 8 - 1, 0) + message; 2093 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE); 2094 2095 EXPECT_EQ(expected_plaintext, plaintext); 2096 2097 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2098 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2099 } 2100 2101 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) { 2102 ASSERT_EQ(KM_ERROR_OK, 2103 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 2104 2105 string message = "123456789012345678901234567890123"; 2106 2107 AuthorizationSet begin_params(client_params()); 2108 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2109 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2110 2111 string result; 2112 size_t input_consumed; 2113 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed)); 2114 2115 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2116 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2117 } 2118 2119 TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) { 2120 ASSERT_EQ(KM_ERROR_OK, 2121 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 2122 2123 string exported; 2124 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported)); 2125 2126 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data()); 2127 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey( 2128 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size())); 2129 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get())); 2130 2131 size_t modulus_len = BN_num_bytes(rsa->n); 2132 ASSERT_EQ(256U / 8, modulus_len); 2133 unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]); 2134 BN_bn2bin(rsa->n, modulus_buf.get()); 2135 2136 // The modulus is too big to encrypt. 2137 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 2138 2139 AuthorizationSet begin_params(client_params()); 2140 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2141 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2142 2143 string result; 2144 size_t input_consumed; 2145 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2146 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); 2147 2148 // One smaller than the modulus is okay. 2149 BN_sub(rsa->n, rsa->n, BN_value_one()); 2150 modulus_len = BN_num_bytes(rsa->n); 2151 ASSERT_EQ(256U / 8, modulus_len); 2152 BN_bn2bin(rsa->n, modulus_buf.get()); 2153 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len); 2154 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2155 EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, "", &result)); 2156 2157 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2158 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2159 } 2160 2161 TEST_P(EncryptionOperationsTest, RsaOaepSuccess) { 2162 size_t key_size = 768; 2163 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2164 .RsaEncryptionKey(key_size, 3) 2165 .Padding(KM_PAD_RSA_OAEP) 2166 .Digest(KM_DIGEST_SHA_2_256))); 2167 2168 string message = "Hello"; 2169 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2170 EXPECT_EQ(key_size / 8, ciphertext1.size()); 2171 2172 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2173 EXPECT_EQ(key_size / 8, ciphertext2.size()); 2174 2175 // OAEP randomizes padding so every result should be different. 2176 EXPECT_NE(ciphertext1, ciphertext2); 2177 2178 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2179 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2180 } 2181 2182 TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) { 2183 size_t key_size = 768; 2184 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2185 .RsaEncryptionKey(key_size, 3) 2186 .Padding(KM_PAD_RSA_OAEP) 2187 .Digest(KM_DIGEST_SHA_2_224))); 2188 2189 string message = "Hello"; 2190 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2191 EXPECT_EQ(key_size / 8, ciphertext1.size()); 2192 2193 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2194 EXPECT_EQ(key_size / 8, ciphertext2.size()); 2195 2196 // OAEP randomizes padding so every result should be different. 2197 EXPECT_NE(ciphertext1, ciphertext2); 2198 2199 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2200 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2201 } 2202 2203 TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) { 2204 size_t key_size = 768; 2205 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2206 .RsaEncryptionKey(key_size, 3) 2207 .Padding(KM_PAD_RSA_OAEP) 2208 .Digest(KM_DIGEST_SHA_2_256))); 2209 string message = "Hello World!"; 2210 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2211 EXPECT_EQ(key_size / 8, ciphertext.size()); 2212 2213 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2214 EXPECT_EQ(message, plaintext); 2215 2216 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2217 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2218 } 2219 2220 TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) { 2221 size_t key_size = 768; 2222 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2223 .RsaEncryptionKey(key_size, 3) 2224 .Padding(KM_PAD_RSA_OAEP) 2225 .Digest(KM_DIGEST_SHA_2_224))); 2226 string message = "Hello World!"; 2227 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2228 EXPECT_EQ(key_size / 8, ciphertext.size()); 2229 2230 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP); 2231 EXPECT_EQ(message, plaintext); 2232 2233 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2234 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2235 } 2236 2237 TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) { 2238 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2239 .RsaEncryptionKey(512, 3) 2240 .Padding(KM_PAD_RSA_OAEP) 2241 .Digest(KM_DIGEST_NONE))); 2242 string message = "Hello World!"; 2243 2244 AuthorizationSet begin_params(client_params()); 2245 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2246 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE); 2247 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2248 2249 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2250 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2251 } 2252 2253 TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) { 2254 if (GetParam()->minimal_digest_set()) 2255 // We don't have two supported digests, so we can't try authorizing one and using another. 2256 return; 2257 2258 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2259 .RsaEncryptionKey(512, 3) 2260 .Padding(KM_PAD_RSA_OAEP) 2261 .Digest(KM_DIGEST_SHA_2_256))); 2262 string message = "Hello World!"; 2263 // Works because encryption is a public key operation. 2264 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP); 2265 2266 AuthorizationSet begin_params(client_params()); 2267 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2268 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2269 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2270 2271 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2272 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2273 } 2274 2275 TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) { 2276 if (GetParam()->minimal_digest_set()) 2277 // We don't have two supported digests, so we can't try encrypting with one and decrypting 2278 // with another. 2279 return; 2280 2281 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2282 .RsaEncryptionKey(768, 3) 2283 .Padding(KM_PAD_RSA_OAEP) 2284 .Digest(KM_DIGEST_SHA_2_256) 2285 .Digest(KM_DIGEST_SHA_2_384))); 2286 string message = "Hello World!"; 2287 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2288 2289 string result; 2290 size_t input_consumed; 2291 AuthorizationSet begin_params(client_params()); 2292 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2293 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384); 2294 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2295 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2296 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2297 EXPECT_EQ(0U, result.size()); 2298 2299 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2300 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2301 } 2302 2303 TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) { 2304 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2305 .RsaEncryptionKey(512, 3) 2306 .Padding(KM_PAD_RSA_OAEP) 2307 .Digest(KM_DIGEST_SHA1))); 2308 string message = "12345678901234567890123"; 2309 string result; 2310 size_t input_consumed; 2311 2312 AuthorizationSet begin_params(client_params()); 2313 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2314 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1); 2315 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2316 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2317 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); 2318 EXPECT_EQ(0U, result.size()); 2319 2320 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2321 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2322 } 2323 2324 TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) { 2325 size_t key_size = 768; 2326 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2327 .RsaEncryptionKey(768, 3) 2328 .Padding(KM_PAD_RSA_OAEP) 2329 .Digest(KM_DIGEST_SHA_2_256))); 2330 string message = "Hello World!"; 2331 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP); 2332 EXPECT_EQ(key_size / 8, ciphertext.size()); 2333 2334 // Corrupt the ciphertext 2335 ciphertext[key_size / 8 / 2]++; 2336 2337 string result; 2338 size_t input_consumed; 2339 AuthorizationSet begin_params(client_params()); 2340 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP); 2341 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 2342 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2343 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2344 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2345 EXPECT_EQ(0U, result.size()); 2346 2347 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2348 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2349 } 2350 2351 TEST_P(EncryptionOperationsTest, RsaPkcs1Success) { 2352 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2353 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2354 string message = "Hello World!"; 2355 string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2356 EXPECT_EQ(512U / 8, ciphertext1.size()); 2357 2358 string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2359 EXPECT_EQ(512U / 8, ciphertext2.size()); 2360 2361 // PKCS1 v1.5 randomizes padding so every result should be different. 2362 EXPECT_NE(ciphertext1, ciphertext2); 2363 2364 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2365 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2366 } 2367 2368 TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) { 2369 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2370 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2371 string message = "Hello World!"; 2372 string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2373 EXPECT_EQ(512U / 8, ciphertext.size()); 2374 2375 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2376 EXPECT_EQ(message, plaintext); 2377 2378 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2379 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2380 } 2381 2382 TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) { 2383 size_t key_size = 2048; 2384 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2385 .RsaEncryptionKey(key_size, 3) 2386 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT) 2387 .Padding(KM_PAD_RSA_OAEP) 2388 .Digest(KM_DIGEST_NONE) 2389 .Digest(KM_DIGEST_MD5) 2390 .Digest(KM_DIGEST_SHA1) 2391 .Digest(KM_DIGEST_SHA_2_224) 2392 .Digest(KM_DIGEST_SHA_2_256) 2393 .Digest(KM_DIGEST_SHA_2_384) 2394 .Digest(KM_DIGEST_SHA_2_512))); 2395 2396 string message = "Hello World!"; 2397 2398 keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}; 2399 keymaster_digest_t digests[] = { 2400 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, 2401 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512, 2402 }; 2403 2404 for (auto padding : padding_modes) 2405 for (auto digest : digests) { 2406 if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE) 2407 // OAEP requires a digest. 2408 continue; 2409 2410 string ciphertext = EncryptMessage(message, digest, padding); 2411 EXPECT_EQ(key_size / 8, ciphertext.size()); 2412 2413 string plaintext = DecryptMessage(ciphertext, digest, padding); 2414 EXPECT_EQ(message, plaintext); 2415 } 2416 2417 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2418 EXPECT_EQ(40, GetParam()->keymaster0_calls()); 2419 } 2420 2421 TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) { 2422 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2423 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2424 string message = "123456789012345678901234567890123456789012345678901234"; 2425 string result; 2426 size_t input_consumed; 2427 2428 AuthorizationSet begin_params(client_params()); 2429 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2430 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2431 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed)); 2432 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result)); 2433 EXPECT_EQ(0U, result.size()); 2434 2435 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2436 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2437 } 2438 2439 TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) { 2440 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding( 2441 KM_PAD_RSA_PKCS1_1_5_ENCRYPT))); 2442 string message = "Hello World!"; 2443 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2444 EXPECT_EQ(512U / 8, ciphertext.size()); 2445 2446 // Corrupt the ciphertext 2447 ciphertext[512 / 8 / 2]++; 2448 2449 string result; 2450 size_t input_consumed; 2451 AuthorizationSet begin_params(client_params()); 2452 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT); 2453 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2454 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed)); 2455 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result)); 2456 EXPECT_EQ(0U, result.size()); 2457 2458 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2459 EXPECT_EQ(4, GetParam()->keymaster0_calls()); 2460 } 2461 2462 TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) { 2463 ASSERT_EQ(KM_ERROR_OK, 2464 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE))); 2465 2466 AuthorizationSet begin_params(client_params()); 2467 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2468 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2469 2470 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 2471 EXPECT_EQ(2, GetParam()->keymaster0_calls()); 2472 } 2473 2474 TEST_P(EncryptionOperationsTest, EcdsaEncrypt) { 2475 ASSERT_EQ(KM_ERROR_OK, 2476 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE))); 2477 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2478 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2479 2480 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 2481 EXPECT_EQ(3, GetParam()->keymaster0_calls()); 2482 } 2483 2484 TEST_P(EncryptionOperationsTest, HmacEncrypt) { 2485 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2486 .HmacKey(128) 2487 .Digest(KM_DIGEST_SHA_2_256) 2488 .Padding(KM_PAD_NONE) 2489 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2490 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT)); 2491 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT)); 2492 2493 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2494 } 2495 2496 TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) { 2497 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2498 .AesEncryptionKey(128) 2499 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2500 .Padding(KM_PAD_NONE))); 2501 // Two-block message. 2502 string message = "12345678901234567890123456789012"; 2503 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 2504 EXPECT_EQ(message.size(), ciphertext1.size()); 2505 2506 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 2507 EXPECT_EQ(message.size(), ciphertext2.size()); 2508 2509 // ECB is deterministic. 2510 EXPECT_EQ(ciphertext1, ciphertext2); 2511 2512 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 2513 EXPECT_EQ(message, plaintext); 2514 2515 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2516 } 2517 2518 TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) { 2519 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2520 .AesEncryptionKey(128) 2521 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2522 .Padding(KM_PAD_NONE))); 2523 // Two-block message. 2524 string message = "12345678901234567890123456789012"; 2525 AuthorizationSet begin_params(client_params()); 2526 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2527 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2528 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2529 2530 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2531 } 2532 2533 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) { 2534 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2535 .AesEncryptionKey(128) 2536 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2537 .Padding(KM_PAD_NONE))); 2538 // Message is slightly shorter than two blocks. 2539 string message = "1234567890123456789012345678901"; 2540 2541 AuthorizationSet begin_params(client_params()); 2542 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2543 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2544 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2545 string ciphertext; 2546 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext)); 2547 2548 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2549 } 2550 2551 TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) { 2552 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2553 .AesEncryptionKey(128) 2554 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2555 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2556 2557 // Try various message lengths; all should work. 2558 for (size_t i = 0; i < 32; ++i) { 2559 string message(i, 'a'); 2560 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2561 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2562 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 2563 EXPECT_EQ(message, plaintext); 2564 } 2565 2566 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2567 } 2568 2569 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) { 2570 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2571 .AesEncryptionKey(128) 2572 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2573 .Authorization(TAG_PADDING, KM_PAD_NONE))); 2574 2575 // Try various message lengths; all should fail. 2576 for (size_t i = 0; i < 32; ++i) { 2577 AuthorizationSet begin_params(client_params()); 2578 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2579 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2580 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 2581 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2582 } 2583 2584 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2585 } 2586 2587 TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) { 2588 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2589 .AesEncryptionKey(128) 2590 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 2591 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2592 2593 string message = "a"; 2594 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 2595 EXPECT_EQ(16U, ciphertext.size()); 2596 EXPECT_NE(ciphertext, message); 2597 ++ciphertext[ciphertext.size() / 2]; 2598 2599 AuthorizationSet begin_params(client_params()); 2600 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 2601 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 2602 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2603 string plaintext; 2604 size_t input_consumed; 2605 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 2606 EXPECT_EQ(ciphertext.size(), input_consumed); 2607 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 2608 2609 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2610 } 2611 2612 TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) { 2613 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2614 .AesEncryptionKey(128) 2615 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2616 .Padding(KM_PAD_NONE))); 2617 string message = "123"; 2618 string iv1; 2619 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1); 2620 EXPECT_EQ(message.size(), ciphertext1.size()); 2621 EXPECT_EQ(16U, iv1.size()); 2622 2623 string iv2; 2624 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2); 2625 EXPECT_EQ(message.size(), ciphertext2.size()); 2626 EXPECT_EQ(16U, iv2.size()); 2627 2628 // IVs should be random, so ciphertexts should differ. 2629 EXPECT_NE(iv1, iv2); 2630 EXPECT_NE(ciphertext1, ciphertext2); 2631 2632 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1); 2633 EXPECT_EQ(message, plaintext); 2634 2635 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2636 } 2637 2638 TEST_P(EncryptionOperationsTest, AesCtrIncremental) { 2639 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2640 .AesEncryptionKey(128) 2641 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2642 .Padding(KM_PAD_NONE))); 2643 2644 int increment = 15; 2645 string message(239, 'a'); 2646 AuthorizationSet input_params(client_params()); 2647 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2648 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2649 AuthorizationSet output_params; 2650 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2651 2652 string ciphertext; 2653 size_t input_consumed; 2654 for (size_t i = 0; i < message.size(); i += increment) 2655 EXPECT_EQ(KM_ERROR_OK, 2656 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2657 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2658 EXPECT_EQ(message.size(), ciphertext.size()); 2659 2660 // Move TAG_NONCE into input_params 2661 input_params.Reinitialize(output_params); 2662 input_params.push_back(client_params()); 2663 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2664 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2665 output_params.Clear(); 2666 2667 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2668 string plaintext; 2669 for (size_t i = 0; i < ciphertext.size(); i += increment) 2670 EXPECT_EQ(KM_ERROR_OK, 2671 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2672 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2673 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2674 EXPECT_EQ(message, plaintext); 2675 2676 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2677 } 2678 2679 struct AesCtrSp80038aTestVector { 2680 const char* key; 2681 const char* nonce; 2682 const char* plaintext; 2683 const char* ciphertext; 2684 }; 2685 2686 // These test vectors are taken from 2687 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5. 2688 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = { 2689 // AES-128 2690 { 2691 "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2692 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2693 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2694 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff" 2695 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee", 2696 }, 2697 // AES-192 2698 { 2699 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2700 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2701 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2702 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94" 2703 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050", 2704 }, 2705 // AES-256 2706 { 2707 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", 2708 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff", 2709 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" 2710 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710", 2711 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5" 2712 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6", 2713 }, 2714 }; 2715 2716 TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) { 2717 for (size_t i = 0; i < 3; i++) { 2718 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]); 2719 const string key = hex2str(test.key); 2720 const string nonce = hex2str(test.nonce); 2721 const string plaintext = hex2str(test.plaintext); 2722 const string ciphertext = hex2str(test.ciphertext); 2723 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext); 2724 } 2725 2726 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2727 } 2728 2729 TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) { 2730 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2731 .AesEncryptionKey(128) 2732 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2733 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2734 AuthorizationSet begin_params(client_params()); 2735 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2736 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2737 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 2738 2739 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2740 } 2741 2742 TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) { 2743 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2744 .AesEncryptionKey(128) 2745 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR) 2746 .Authorization(TAG_CALLER_NONCE) 2747 .Padding(KM_PAD_NONE))); 2748 2749 AuthorizationSet input_params(client_params()); 2750 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR); 2751 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2752 input_params.push_back(TAG_NONCE, "123", 3); 2753 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params)); 2754 2755 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2756 } 2757 2758 TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) { 2759 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2760 .AesEncryptionKey(128) 2761 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2762 .Padding(KM_PAD_NONE))); 2763 // Two-block message. 2764 string message = "12345678901234567890123456789012"; 2765 string iv1; 2766 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2767 EXPECT_EQ(message.size(), ciphertext1.size()); 2768 2769 string iv2; 2770 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 2771 EXPECT_EQ(message.size(), ciphertext2.size()); 2772 2773 // IVs should be random, so ciphertexts should differ. 2774 EXPECT_NE(iv1, iv2); 2775 EXPECT_NE(ciphertext1, ciphertext2); 2776 2777 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2778 EXPECT_EQ(message, plaintext); 2779 2780 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2781 } 2782 2783 TEST_P(EncryptionOperationsTest, AesCallerNonce) { 2784 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2785 .AesEncryptionKey(128) 2786 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2787 .Authorization(TAG_CALLER_NONCE) 2788 .Padding(KM_PAD_NONE))); 2789 string message = "12345678901234567890123456789012"; 2790 string iv1; 2791 // Don't specify nonce, should get a random one. 2792 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2793 EXPECT_EQ(message.size(), ciphertext1.size()); 2794 EXPECT_EQ(16U, iv1.size()); 2795 2796 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2797 EXPECT_EQ(message, plaintext); 2798 2799 // Now specify a nonce, should also work. 2800 AuthorizationSet input_params(client_params()); 2801 AuthorizationSet update_params; 2802 AuthorizationSet output_params; 2803 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2804 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2805 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2806 string ciphertext2 = 2807 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 2808 2809 // Decrypt with correct nonce. 2810 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2811 &output_params); 2812 EXPECT_EQ(message, plaintext); 2813 2814 // Now try with wrong nonce. 2815 input_params.Reinitialize(client_params()); 2816 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2817 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2818 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16); 2819 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 2820 &output_params); 2821 EXPECT_NE(message, plaintext); 2822 2823 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2824 } 2825 2826 TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) { 2827 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2828 .AesEncryptionKey(128) 2829 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2830 .Padding(KM_PAD_NONE))); 2831 2832 string message = "12345678901234567890123456789012"; 2833 string iv1; 2834 // Don't specify nonce, should get a random one. 2835 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 2836 EXPECT_EQ(message.size(), ciphertext1.size()); 2837 EXPECT_EQ(16U, iv1.size()); 2838 2839 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 2840 EXPECT_EQ(message, plaintext); 2841 2842 // Now specify a nonce, should fail. 2843 AuthorizationSet input_params(client_params()); 2844 AuthorizationSet update_params; 2845 AuthorizationSet output_params; 2846 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16); 2847 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2848 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2849 2850 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 2851 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2852 2853 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2854 } 2855 2856 TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) { 2857 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2858 .AesEncryptionKey(128) 2859 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2860 .Padding(KM_PAD_NONE))); 2861 2862 int increment = 15; 2863 string message(240, 'a'); 2864 AuthorizationSet input_params(client_params()); 2865 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2866 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2867 AuthorizationSet output_params; 2868 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 2869 2870 string ciphertext; 2871 size_t input_consumed; 2872 for (size_t i = 0; i < message.size(); i += increment) 2873 EXPECT_EQ(KM_ERROR_OK, 2874 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 2875 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2876 EXPECT_EQ(message.size(), ciphertext.size()); 2877 2878 // Move TAG_NONCE into input_params 2879 input_params.Reinitialize(output_params); 2880 input_params.push_back(client_params()); 2881 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 2882 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 2883 output_params.Clear(); 2884 2885 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 2886 string plaintext; 2887 for (size_t i = 0; i < ciphertext.size(); i += increment) 2888 EXPECT_EQ(KM_ERROR_OK, 2889 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 2890 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2891 EXPECT_EQ(ciphertext.size(), plaintext.size()); 2892 EXPECT_EQ(message, plaintext); 2893 2894 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2895 } 2896 2897 TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) { 2898 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2899 .AesEncryptionKey(128) 2900 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 2901 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 2902 2903 // Try various message lengths; all should work. 2904 for (size_t i = 0; i < 32; ++i) { 2905 string message(i, 'a'); 2906 string iv; 2907 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 2908 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size()); 2909 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 2910 EXPECT_EQ(message, plaintext); 2911 } 2912 2913 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2914 } 2915 2916 TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) { 2917 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2918 .AesEncryptionKey(128) 2919 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2920 .Authorization(TAG_PADDING, KM_PAD_NONE) 2921 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2922 string aad = "foobar"; 2923 string message = "123456789012345678901234567890123456"; 2924 AuthorizationSet begin_params(client_params()); 2925 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2926 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2927 begin_params.push_back(TAG_MAC_LENGTH, 128); 2928 2929 AuthorizationSet update_params; 2930 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2931 2932 // Encrypt 2933 AuthorizationSet begin_out_params; 2934 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2935 string ciphertext; 2936 size_t input_consumed; 2937 AuthorizationSet update_out_params; 2938 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 2939 &input_consumed)); 2940 EXPECT_EQ(message.size(), input_consumed); 2941 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 2942 2943 // Grab nonce 2944 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 2945 begin_params.push_back(begin_out_params); 2946 2947 // Decrypt. 2948 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 2949 string plaintext; 2950 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 2951 &plaintext, &input_consumed)); 2952 EXPECT_EQ(ciphertext.size(), input_consumed); 2953 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 2954 2955 EXPECT_EQ(message, plaintext); 2956 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2957 } 2958 2959 TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) { 2960 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2961 .AesEncryptionKey(128) 2962 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2963 .Authorization(TAG_PADDING, KM_PAD_NONE) 2964 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2965 string aad = "foobar"; 2966 string message = "123456789012345678901234567890123456"; 2967 AuthorizationSet begin_params(client_params()); 2968 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2969 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2970 begin_params.push_back(TAG_MAC_LENGTH, 96); 2971 2972 AuthorizationSet update_params; 2973 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2974 2975 AuthorizationSet begin_out_params; 2976 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, 2977 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 2978 2979 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 2980 } 2981 2982 TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) { 2983 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 2984 .AesEncryptionKey(128) 2985 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 2986 .Authorization(TAG_PADDING, KM_PAD_NONE) 2987 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 2988 string aad = "foobar"; 2989 string message = "123456789012345678901234567890123456"; 2990 AuthorizationSet begin_params(client_params()); 2991 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 2992 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 2993 begin_params.push_back(TAG_MAC_LENGTH, 128); 2994 2995 AuthorizationSet update_params; 2996 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 2997 2998 // Encrypt 2999 AuthorizationSet begin_out_params; 3000 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3001 string ciphertext; 3002 size_t input_consumed; 3003 AuthorizationSet update_out_params; 3004 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3005 &input_consumed)); 3006 EXPECT_EQ(message.size(), input_consumed); 3007 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3008 3009 // Grab nonce 3010 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3011 begin_params.Reinitialize(client_params()); 3012 begin_params.push_back(begin_out_params); 3013 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3014 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3015 begin_params.push_back(TAG_MAC_LENGTH, 96); 3016 3017 // Decrypt. 3018 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3019 3020 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3021 } 3022 3023 TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) { 3024 uint8_t nonce[] = { 3025 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f, 3026 }; 3027 uint8_t ciphertext[] = { 3028 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16, 3029 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a, 3030 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76, 3031 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd, 3032 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0, 3033 }; 3034 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext)); 3035 3036 AuthorizationSet begin_params(client_params()); 3037 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3038 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3039 begin_params.push_back(TAG_MAC_LENGTH, 128); 3040 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce)); 3041 3042 string plaintext; 3043 size_t input_consumed; 3044 3045 // Import correct key and decrypt 3046 uint8_t good_key[] = { 3047 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 3048 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 3049 }; 3050 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key)); 3051 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 3052 .AesEncryptionKey(128) 3053 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3054 .Authorization(TAG_PADDING, KM_PAD_NONE) 3055 .Authorization(TAG_CALLER_NONCE) 3056 .Authorization(TAG_MIN_MAC_LENGTH, 128), 3057 KM_KEY_FORMAT_RAW, good_key_str)); 3058 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3059 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 3060 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3061 3062 // Import bad key and decrypt 3063 uint8_t bad_key[] = { 3064 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d, 3065 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb, 3066 }; 3067 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key)); 3068 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder() 3069 .AesEncryptionKey(128) 3070 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3071 .Authorization(TAG_PADDING, KM_PAD_NONE) 3072 .Authorization(TAG_MIN_MAC_LENGTH, 128), 3073 KM_KEY_FORMAT_RAW, bad_key_str)); 3074 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3075 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed)); 3076 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3077 3078 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3079 } 3080 3081 TEST_P(EncryptionOperationsTest, AesGcmAadNoData) { 3082 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3083 .AesEncryptionKey(128) 3084 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3085 .Authorization(TAG_PADDING, KM_PAD_NONE) 3086 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3087 string aad = "123456789012345678"; 3088 string empty_message; 3089 AuthorizationSet begin_params(client_params()); 3090 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3091 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3092 begin_params.push_back(TAG_MAC_LENGTH, 128); 3093 3094 AuthorizationSet update_params; 3095 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3096 3097 // Encrypt 3098 AuthorizationSet begin_out_params; 3099 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3100 string ciphertext; 3101 size_t input_consumed; 3102 AuthorizationSet update_out_params; 3103 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params, 3104 &ciphertext, &input_consumed)); 3105 EXPECT_EQ(0U, input_consumed); 3106 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3107 3108 // Grab nonce 3109 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3110 begin_params.push_back(begin_out_params); 3111 3112 // Decrypt. 3113 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3114 string plaintext; 3115 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3116 &plaintext, &input_consumed)); 3117 EXPECT_EQ(ciphertext.size(), input_consumed); 3118 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3119 3120 EXPECT_EQ(empty_message, plaintext); 3121 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3122 } 3123 3124 TEST_P(EncryptionOperationsTest, AesGcmIncremental) { 3125 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3126 .AesEncryptionKey(128) 3127 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3128 .Authorization(TAG_PADDING, KM_PAD_NONE) 3129 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3130 AuthorizationSet begin_params(client_params()); 3131 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3132 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3133 begin_params.push_back(TAG_MAC_LENGTH, 128); 3134 3135 AuthorizationSet update_params; 3136 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1); 3137 3138 // Encrypt 3139 AuthorizationSet begin_out_params; 3140 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3141 string ciphertext; 3142 size_t input_consumed; 3143 AuthorizationSet update_out_params; 3144 3145 // Send AAD, incrementally 3146 for (int i = 0; i < 1000; ++i) { 3147 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext, 3148 &input_consumed)); 3149 EXPECT_EQ(0U, input_consumed); 3150 EXPECT_EQ(0U, ciphertext.size()); 3151 } 3152 3153 // Now send data, incrementally, no data. 3154 AuthorizationSet empty_params; 3155 for (int i = 0; i < 1000; ++i) { 3156 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext, 3157 &input_consumed)); 3158 EXPECT_EQ(1U, input_consumed); 3159 } 3160 EXPECT_EQ(1000U, ciphertext.size()); 3161 3162 // And finish. 3163 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3164 EXPECT_EQ(1016U, ciphertext.size()); 3165 3166 // Grab nonce 3167 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3168 begin_params.push_back(begin_out_params); 3169 3170 // Decrypt. 3171 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3172 string plaintext; 3173 3174 // Send AAD, incrementally, no data 3175 for (int i = 0; i < 1000; ++i) { 3176 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext, 3177 &input_consumed)); 3178 EXPECT_EQ(0U, input_consumed); 3179 EXPECT_EQ(0U, plaintext.size()); 3180 } 3181 3182 // Now send data, incrementally. 3183 for (size_t i = 0; i < ciphertext.length(); ++i) { 3184 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1), 3185 &update_out_params, &plaintext, &input_consumed)); 3186 EXPECT_EQ(1U, input_consumed); 3187 } 3188 EXPECT_EQ(1000U, plaintext.size()); 3189 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3190 3191 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3192 } 3193 3194 TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) { 3195 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3196 .AesEncryptionKey(128) 3197 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3198 .Authorization(TAG_PADDING, KM_PAD_NONE) 3199 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3200 string message = "123456789012345678901234567890123456"; 3201 AuthorizationSet begin_params(client_params()); 3202 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3203 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3204 begin_params.push_back(TAG_MAC_LENGTH, 128); 3205 AuthorizationSet begin_out_params; 3206 3207 AuthorizationSet update_params; 3208 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3); 3209 3210 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3211 3212 // No data, AAD only. 3213 string ciphertext; 3214 size_t input_consumed; 3215 AuthorizationSet update_out_params; 3216 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params, 3217 &ciphertext, &input_consumed)); 3218 EXPECT_EQ(0U, input_consumed); 3219 3220 // AAD and data. 3221 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3222 &input_consumed)); 3223 EXPECT_EQ(message.size(), input_consumed); 3224 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3225 3226 // Grab nonce. 3227 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3228 begin_params.push_back(begin_out_params); 3229 3230 // Decrypt 3231 update_params.Clear(); 3232 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6); 3233 3234 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3235 string plaintext; 3236 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3237 &plaintext, &input_consumed)); 3238 EXPECT_EQ(ciphertext.size(), input_consumed); 3239 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3240 3241 EXPECT_EQ(message, plaintext); 3242 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3243 } 3244 3245 TEST_P(EncryptionOperationsTest, AesGcmBadAad) { 3246 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3247 .AesEncryptionKey(128) 3248 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3249 .Authorization(TAG_PADDING, KM_PAD_NONE) 3250 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3251 string message = "12345678901234567890123456789012"; 3252 AuthorizationSet begin_params(client_params()); 3253 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3254 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3255 begin_params.push_back(TAG_MAC_LENGTH, 128); 3256 3257 AuthorizationSet update_params; 3258 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3259 3260 AuthorizationSet finish_params; 3261 AuthorizationSet finish_out_params; 3262 3263 // Encrypt 3264 AuthorizationSet begin_out_params; 3265 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3266 AuthorizationSet update_out_params; 3267 string ciphertext; 3268 size_t input_consumed; 3269 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3270 &input_consumed)); 3271 EXPECT_EQ(message.size(), input_consumed); 3272 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3273 3274 // Grab nonce 3275 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3276 begin_params.push_back(begin_out_params); 3277 3278 update_params.Clear(); 3279 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6); 3280 3281 // Decrypt. 3282 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3283 string plaintext; 3284 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3285 &plaintext, &input_consumed)); 3286 EXPECT_EQ(ciphertext.size(), input_consumed); 3287 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3288 3289 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3290 } 3291 3292 TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) { 3293 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3294 .AesEncryptionKey(128) 3295 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3296 .Authorization(TAG_PADDING, KM_PAD_NONE) 3297 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3298 string message = "12345678901234567890123456789012"; 3299 AuthorizationSet begin_params(client_params()); 3300 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3301 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3302 begin_params.push_back(TAG_MAC_LENGTH, 128); 3303 3304 AuthorizationSet update_params; 3305 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6); 3306 3307 // Encrypt 3308 AuthorizationSet begin_out_params; 3309 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3310 AuthorizationSet update_out_params; 3311 string ciphertext; 3312 size_t input_consumed; 3313 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3314 &input_consumed)); 3315 EXPECT_EQ(message.size(), input_consumed); 3316 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3317 3318 begin_params.push_back(TAG_NONCE, "123456789012", 12); 3319 3320 // Decrypt 3321 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3322 string plaintext; 3323 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3324 &plaintext, &input_consumed)); 3325 EXPECT_EQ(ciphertext.size(), input_consumed); 3326 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3327 3328 // With wrong nonce, should have gotten garbage plaintext. 3329 EXPECT_NE(message, plaintext); 3330 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3331 } 3332 3333 TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) { 3334 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3335 .AesEncryptionKey(128) 3336 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM) 3337 .Authorization(TAG_PADDING, KM_PAD_NONE) 3338 .Authorization(TAG_MIN_MAC_LENGTH, 128))); 3339 string aad = "foobar"; 3340 string message = "123456789012345678901234567890123456"; 3341 AuthorizationSet begin_params(client_params()); 3342 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM); 3343 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3344 begin_params.push_back(TAG_MAC_LENGTH, 128); 3345 AuthorizationSet begin_out_params; 3346 3347 AuthorizationSet update_params; 3348 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size()); 3349 3350 // Encrypt 3351 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params)); 3352 AuthorizationSet update_out_params; 3353 string ciphertext; 3354 size_t input_consumed; 3355 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext, 3356 &input_consumed)); 3357 EXPECT_EQ(message.size(), input_consumed); 3358 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3359 3360 // Corrupt tag 3361 (*ciphertext.rbegin())++; 3362 3363 // Grab nonce. 3364 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE)); 3365 begin_params.push_back(begin_out_params); 3366 3367 // Decrypt. 3368 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params)); 3369 string plaintext; 3370 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params, 3371 &plaintext, &input_consumed)); 3372 EXPECT_EQ(ciphertext.size(), input_consumed); 3373 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext)); 3374 3375 EXPECT_EQ(message, plaintext); 3376 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3377 } 3378 3379 TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) { 3380 auto auths = AuthorizationSetBuilder() 3381 .TripleDesEncryptionKey(112) 3382 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3383 .Padding(KM_PAD_NONE); 3384 3385 ASSERT_EQ(KM_ERROR_OK, GenerateKey(auths)); 3386 // Two-block message. 3387 string message = "1234567890123456"; 3388 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3389 EXPECT_EQ(message.size(), ciphertext1.size()); 3390 3391 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE); 3392 EXPECT_EQ(message.size(), ciphertext2.size()); 3393 3394 // ECB is deterministic. 3395 EXPECT_EQ(ciphertext1, ciphertext2); 3396 3397 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE); 3398 EXPECT_EQ(message, plaintext); 3399 } 3400 3401 TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) { 3402 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3403 .TripleDesEncryptionKey(112) 3404 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3405 .Padding(KM_PAD_NONE))); 3406 // Two-block message. 3407 string message = "1234567890123456"; 3408 AuthorizationSet begin_params(client_params()); 3409 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3410 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3411 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3412 } 3413 3414 TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingWrongInputSize) { 3415 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3416 .TripleDesEncryptionKey(112) 3417 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3418 .Padding(KM_PAD_NONE))); 3419 // Message is slightly shorter than two blocks. 3420 string message = "123456789012345"; 3421 3422 AuthorizationSet begin_params(client_params()); 3423 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3424 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3425 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3426 string ciphertext; 3427 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext)); 3428 } 3429 3430 TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) { 3431 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3432 .TripleDesEncryptionKey(112) 3433 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3434 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 3435 3436 // Try various message lengths; all should work. 3437 for (size_t i = 0; i < 32; ++i) { 3438 string message(i, 'a'); 3439 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 3440 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size()); 3441 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7); 3442 EXPECT_EQ(message, plaintext); 3443 } 3444 } 3445 3446 TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) { 3447 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3448 .TripleDesEncryptionKey(112) 3449 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3450 .Authorization(TAG_PADDING, KM_PAD_NONE))); 3451 3452 // Try various message lengths; all should fail. 3453 for (size_t i = 0; i < 32; ++i) { 3454 AuthorizationSet begin_params(client_params()); 3455 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3456 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 3457 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 3458 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3459 } 3460 } 3461 3462 TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) { 3463 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3464 .TripleDesEncryptionKey(112) 3465 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3466 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 3467 3468 string message = "a"; 3469 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7); 3470 EXPECT_EQ(8U, ciphertext.size()); 3471 EXPECT_NE(ciphertext, message); 3472 ++ciphertext[ciphertext.size() / 2]; 3473 3474 AuthorizationSet begin_params(client_params()); 3475 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3476 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 3477 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3478 string plaintext; 3479 size_t input_consumed; 3480 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 3481 EXPECT_EQ(ciphertext.size(), input_consumed); 3482 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 3483 } 3484 3485 struct TripleDesTestVector { 3486 const char* name; 3487 const keymaster_purpose_t purpose; 3488 const keymaster_block_mode_t block_mode; 3489 const keymaster_padding_t padding_mode; 3490 const char* key; 3491 const char* iv; 3492 const char* input; 3493 const char* output; 3494 }; 3495 3496 // These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all of 3497 // the NIST vectors are multiples of the block size. 3498 static const TripleDesTestVector kTripleDesTestVectors[] = { 3499 { 3500 "TECBMMT2 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE, 3501 "ad192fd064b5579e7a4fb3c8f794f22a", // key 3502 "", // IV 3503 "13bad542f3652d67", // input 3504 "908e543cf2cb254f", // output 3505 }, 3506 { 3507 "TECBMMT2 Encrypt 0 PKCS7", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_PKCS7, 3508 "ad192fd064b5579e7a4fb3c8f794f22a", // key 3509 "", // IV 3510 "13bad542f3652d6700", // input 3511 "908e543cf2cb254fc40165289a89008c", // output 3512 }, 3513 { 3514 "TECBMMT2 Encrypt 0 PKCS7 decrypted", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_PKCS7, 3515 "ad192fd064b5579e7a4fb3c8f794f22a", // key 3516 "", // IV 3517 "908e543cf2cb254fc40165289a89008c", // input 3518 "13bad542f3652d6700", // output 3519 }, 3520 { 3521 "TECBMMT2 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE, 3522 "259df16e7af804fe83b90e9bf7c7e557", // key 3523 "", // IV 3524 "a4619c433bbd6787c07c81728f9ac9fa", // input 3525 "9e06de155c483c6bcfd834dbc8bd5830", // output 3526 }, 3527 { 3528 "TECBMMT2 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE, 3529 "b32ff42092024adf2076b9d3d9f19e6d", // key 3530 "", // IV 3531 "2f3f2a49bba807a5", // input 3532 "2249973fa135fb52", // output 3533 }, 3534 { 3535 "TECBMMT2 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE, 3536 "023dfbe6621aa17cc219eae9cdecd923", // key 3537 "", // IV 3538 "54045dc71d8d565b227ec19f06fef912", // input 3539 "9b071622181e6412de6066429401410d", // output 3540 }, 3541 { 3542 "TECBMMT3 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE, 3543 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key 3544 "", // IV 3545 "329d86bdf1bc5af4", // input 3546 "d946c2756d78633f", // output 3547 }, 3548 { 3549 "TECBMMT3 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE, 3550 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key 3551 "", // IV 3552 "6b1540781b01ce1997adae102dbf3c5b", // input 3553 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output 3554 }, 3555 { 3556 "TECBMMT3 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE, 3557 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key 3558 "", // IV 3559 "6daad94ce08acfe7", // input 3560 "660e7d32dcc90e79", // output 3561 }, 3562 { 3563 "TECBMMT3 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE, 3564 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key 3565 "", // IV 3566 "e9653a0a1f05d31b9acd12d73aa9879d", // input 3567 "9b2ae9d998efe62f1b592e7e1df8ff38", // output 3568 }, 3569 { 3570 "TCBCMMT2 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE, 3571 "34a41a8c293176c1b30732ecfe38ae8a", // key 3572 "f55b4855228bd0b4", // IV 3573 "7dd880d2a9ab411c", // input 3574 "c91892948b6cadb4", // output 3575 }, 3576 { 3577 "TCBCMMT2 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE, 3578 "70a88fa1dfb9942fa77f40157ffef2ad", // key 3579 "ece08ce2fdc6ce80", // IV 3580 "bc225304d5a3a5c9918fc5006cbc40cc", // input 3581 "27f67dc87af7ddb4b68f63fa7c2d454a", // output 3582 }, 3583 { 3584 "TCBCMMT2 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE, 3585 "4ff47fda89209bda8c85f7fe80192007", // key 3586 "d5bc4891dabe48b9", // IV 3587 "7e154b28c353adef", // input 3588 "712b961ea9a1d0af", // output 3589 }, 3590 { 3591 "TCBCMMT2 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE, 3592 "464092cdbf736d38fb1fe6a12a94ae0e", // key 3593 "5423455f00023b01", // IV 3594 "3f6050b74ed64416bc23d53b0469ed7a", // input 3595 "9cbe7d1b5cdd1864c3095ba810575960", // output 3596 }, 3597 { 3598 "TCBCMMT3 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE, 3599 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key 3600 "43f791134c5647ba", // IV 3601 "dcc153cef81d6f24", // input 3602 "92538bd8af18d3ba", // output 3603 }, 3604 { 3605 "TCBCMMT3 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE, 3606 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key 3607 "c2e999cb6249023c", // IV 3608 "c689aee38a301bb316da75db36f110b5", // input 3609 "e9afaba5ec75ea1bbe65506655bb4ecb", // output 3610 }, 3611 { 3612 "TCBCMMT3 Encrypt 1 PKCS7 variant", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_PKCS7, 3613 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key 3614 "c2e999cb6249023c", // IV 3615 "c689aee38a301bb316da75db36f110b500", // input 3616 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output 3617 }, 3618 { 3619 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_PKCS7, 3620 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key 3621 "c2e999cb6249023c", // IV 3622 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input 3623 "c689aee38a301bb316da75db36f110b500", // output 3624 }, 3625 { 3626 "TCBCMMT3 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE, 3627 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key 3628 "41746c7e442d3681", // IV 3629 "c53a7b0ec40600fe", // input 3630 "d4f00eb455de1034", // output 3631 }, 3632 { 3633 "TCBCMMT3 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE, 3634 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key 3635 "3982bc02c3727d45", // IV 3636 "6006f10adef52991fcc777a1238bbb65", // input 3637 "edae09288e9e3bc05746d872b48e3b29", // output 3638 }, 3639 }; 3640 3641 TEST_P(EncryptionOperationsTest, TripleDesTestVector) { 3642 for (auto& test : array_range(kTripleDesTestVectors)) { 3643 SCOPED_TRACE(test.name); 3644 CheckTripleDesTestVector(test.purpose, test.block_mode, test.padding_mode, 3645 hex2str(test.key), hex2str(test.iv), hex2str(test.input), 3646 hex2str(test.output)); 3647 } 3648 } 3649 3650 TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) { 3651 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3652 .TripleDesEncryptionKey(112) 3653 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3654 .Padding(KM_PAD_NONE))); 3655 // Two-block message. 3656 string message = "1234567890123456"; 3657 string iv1; 3658 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 3659 EXPECT_EQ(message.size(), ciphertext1.size()); 3660 3661 string iv2; 3662 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2); 3663 EXPECT_EQ(message.size(), ciphertext2.size()); 3664 3665 // IVs should be random, so ciphertexts should differ. 3666 EXPECT_NE(iv1, iv2); 3667 EXPECT_NE(ciphertext1, ciphertext2); 3668 3669 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 3670 EXPECT_EQ(message, plaintext); 3671 3672 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3673 } 3674 3675 TEST_P(EncryptionOperationsTest, TripleDesCallerIv) { 3676 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3677 .TripleDesEncryptionKey(112) 3678 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3679 .Authorization(TAG_CALLER_NONCE) 3680 .Padding(KM_PAD_NONE))); 3681 string message = "1234567890123456"; 3682 string iv1; 3683 // Don't specify IV, should get a random one. 3684 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 3685 EXPECT_EQ(message.size(), ciphertext1.size()); 3686 EXPECT_EQ(8U, iv1.size()); 3687 3688 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 3689 EXPECT_EQ(message, plaintext); 3690 3691 // Now specify an IV, should also work. 3692 AuthorizationSet input_params(client_params()); 3693 AuthorizationSet update_params; 3694 AuthorizationSet output_params; 3695 input_params.push_back(TAG_NONCE, "abcdefgh", 8); 3696 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3697 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 3698 string ciphertext2 = 3699 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params); 3700 3701 // Decrypt with correct IV. 3702 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 3703 &output_params); 3704 EXPECT_EQ(message, plaintext); 3705 3706 // Now try with wrong IV. 3707 input_params.Reinitialize(client_params()); 3708 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3709 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 3710 input_params.push_back(TAG_NONCE, "aaaaaaaa", 8); 3711 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params, 3712 &output_params); 3713 EXPECT_NE(message, plaintext); 3714 } 3715 3716 TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) { 3717 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3718 .TripleDesEncryptionKey(112) 3719 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3720 .Padding(KM_PAD_NONE))); 3721 3722 string message = "12345678901234567890123456789012"; 3723 string iv1; 3724 // Don't specify nonce, should get a random one. 3725 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1); 3726 EXPECT_EQ(message.size(), ciphertext1.size()); 3727 EXPECT_EQ(8U, iv1.size()); 3728 3729 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1); 3730 EXPECT_EQ(message, plaintext); 3731 3732 // Now specify a nonce, should fail. 3733 AuthorizationSet input_params(client_params()); 3734 AuthorizationSet update_params; 3735 AuthorizationSet output_params; 3736 input_params.push_back(TAG_NONCE, "abcdefgh", 8); 3737 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3738 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 3739 3740 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED, 3741 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 3742 } 3743 3744 TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) { 3745 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3746 .TripleDesEncryptionKey(112) 3747 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 3748 .Padding(KM_PAD_NONE))); 3749 // Two-block message. 3750 string message = "1234567890123456"; 3751 AuthorizationSet begin_params(client_params()); 3752 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3753 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3754 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3755 } 3756 3757 TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingWrongInputSize) { 3758 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3759 .TripleDesEncryptionKey(112) 3760 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3761 .Padding(KM_PAD_NONE))); 3762 // Message is slightly shorter than two blocks. 3763 string message = "123456789012345"; 3764 3765 AuthorizationSet begin_params(client_params()); 3766 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3767 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3768 AuthorizationSet output_params; 3769 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &output_params)); 3770 string ciphertext; 3771 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext)); 3772 } 3773 3774 TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) { 3775 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3776 .TripleDesEncryptionKey(112) 3777 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3778 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 3779 3780 // Try various message lengths; all should work. 3781 for (size_t i = 0; i < 32; ++i) { 3782 string message(i, 'a'); 3783 string iv; 3784 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 3785 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size()); 3786 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv); 3787 EXPECT_EQ(message, plaintext); 3788 } 3789 } 3790 3791 TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) { 3792 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3793 .TripleDesEncryptionKey(112) 3794 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3795 .Authorization(TAG_PADDING, KM_PAD_NONE))); 3796 3797 // Try various message lengths; all should fail. 3798 for (size_t i = 0; i < 32; ++i) { 3799 AuthorizationSet begin_params(client_params()); 3800 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3801 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 3802 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, 3803 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3804 } 3805 } 3806 3807 TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) { 3808 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3809 .TripleDesEncryptionKey(112) 3810 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3811 .Authorization(TAG_PADDING, KM_PAD_PKCS7))); 3812 3813 string message = "a"; 3814 string iv; 3815 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv); 3816 EXPECT_EQ(8U, ciphertext.size()); 3817 EXPECT_NE(ciphertext, message); 3818 ++ciphertext[ciphertext.size() / 2]; 3819 3820 AuthorizationSet begin_params(client_params()); 3821 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3822 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7); 3823 begin_params.push_back(TAG_NONCE, iv.data(), iv.size()); 3824 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params)); 3825 string plaintext; 3826 size_t input_consumed; 3827 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed)); 3828 EXPECT_EQ(ciphertext.size(), input_consumed); 3829 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext)); 3830 } 3831 3832 TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) { 3833 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3834 .TripleDesEncryptionKey(112) 3835 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC) 3836 .Padding(KM_PAD_NONE))); 3837 3838 int increment = 7; 3839 string message(240, 'a'); 3840 AuthorizationSet input_params(client_params()); 3841 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3842 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 3843 AuthorizationSet output_params; 3844 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params)); 3845 3846 string ciphertext; 3847 size_t input_consumed; 3848 for (size_t i = 0; i < message.size(); i += increment) 3849 EXPECT_EQ(KM_ERROR_OK, 3850 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed)); 3851 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext)); 3852 EXPECT_EQ(message.size(), ciphertext.size()); 3853 3854 // Move TAG_NONCE into input_params 3855 input_params.Reinitialize(output_params); 3856 input_params.push_back(client_params()); 3857 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC); 3858 input_params.push_back(TAG_PADDING, KM_PAD_NONE); 3859 output_params.Clear(); 3860 3861 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params)); 3862 string plaintext; 3863 for (size_t i = 0; i < ciphertext.size(); i += increment) 3864 EXPECT_EQ(KM_ERROR_OK, 3865 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed)); 3866 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext)); 3867 EXPECT_EQ(ciphertext.size(), plaintext.size()); 3868 EXPECT_EQ(message, plaintext); 3869 3870 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3871 } 3872 3873 typedef Keymaster2Test MaxOperationsTest; 3874 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params); 3875 3876 TEST_P(MaxOperationsTest, TestLimit) { 3877 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3878 .AesEncryptionKey(128) 3879 .EcbMode() 3880 .Authorization(TAG_PADDING, KM_PAD_NONE) 3881 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3882 3883 string message = "1234567890123456"; 3884 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3885 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3886 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3887 3888 // Fourth time should fail. 3889 AuthorizationSet begin_params(client_params()); 3890 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3891 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3892 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3893 3894 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3895 } 3896 3897 TEST_P(MaxOperationsTest, TestAbort) { 3898 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 3899 .AesEncryptionKey(128) 3900 .EcbMode() 3901 .Authorization(TAG_PADDING, KM_PAD_NONE) 3902 .Authorization(TAG_MAX_USES_PER_BOOT, 3))); 3903 3904 string message = "1234567890123456"; 3905 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3906 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3907 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 3908 3909 // Fourth time should fail. 3910 AuthorizationSet begin_params(client_params()); 3911 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 3912 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 3913 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 3914 3915 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3916 } 3917 3918 typedef Keymaster2Test AddEntropyTest; 3919 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params); 3920 3921 TEST_P(AddEntropyTest, AddEntropy) { 3922 // There's no obvious way to test that entropy is actually added, but we can test that the API 3923 // doesn't blow up or return an error. 3924 EXPECT_EQ(KM_ERROR_OK, 3925 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3)); 3926 3927 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 3928 } 3929 3930 typedef Keymaster2Test AttestationTest; 3931 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params); 3932 3933 static X509* parse_cert_blob(const keymaster_blob_t& blob) { 3934 const uint8_t* p = blob.data; 3935 return d2i_X509(nullptr, &p, blob.data_length); 3936 } 3937 3938 static bool verify_chain(const keymaster_cert_chain_t& chain) { 3939 for (size_t i = 0; i < chain.entry_count - 1; ++i) { 3940 keymaster_blob_t& key_cert_blob = chain.entries[i]; 3941 keymaster_blob_t& signing_cert_blob = chain.entries[i + 1]; 3942 3943 X509_Ptr key_cert(parse_cert_blob(key_cert_blob)); 3944 X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob)); 3945 EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get()); 3946 if (!key_cert.get() || !signing_cert.get()) 3947 return false; 3948 3949 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get())); 3950 EXPECT_TRUE(!!signing_pubkey.get()); 3951 if (!signing_pubkey.get()) 3952 return false; 3953 3954 EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get())) 3955 << "Verification of certificate " << i << " failed"; 3956 } 3957 3958 return true; 3959 } 3960 3961 // Extract attestation record from cert. Returned object is still part of cert; don't free it 3962 // separately. 3963 static ASN1_OCTET_STRING* get_attestation_record(X509* certificate) { 3964 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */)); 3965 EXPECT_TRUE(!!oid.get()); 3966 if (!oid.get()) 3967 return nullptr; 3968 3969 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */); 3970 EXPECT_NE(-1, location); 3971 if (location == -1) 3972 return nullptr; 3973 3974 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location); 3975 EXPECT_TRUE(!!attest_rec_ext); 3976 if (!attest_rec_ext) 3977 return nullptr; 3978 3979 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext); 3980 EXPECT_TRUE(!!attest_rec); 3981 return attest_rec; 3982 } 3983 3984 static bool verify_attestation_record(const string& challenge, 3985 AuthorizationSet expected_sw_enforced, 3986 AuthorizationSet expected_tee_enforced, 3987 uint32_t expected_keymaster_version, 3988 keymaster_security_level_t expected_keymaster_security_level, 3989 const keymaster_blob_t& attestation_cert) { 3990 3991 X509_Ptr cert(parse_cert_blob(attestation_cert)); 3992 EXPECT_TRUE(!!cert.get()); 3993 if (!cert.get()) 3994 return false; 3995 3996 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); 3997 EXPECT_TRUE(!!attest_rec); 3998 if (!attest_rec) 3999 return false; 4000 4001 AuthorizationSet att_sw_enforced; 4002 AuthorizationSet att_tee_enforced; 4003 uint32_t att_attestation_version; 4004 uint32_t att_keymaster_version; 4005 keymaster_security_level_t att_attestation_security_level; 4006 keymaster_security_level_t att_keymaster_security_level; 4007 keymaster_blob_t att_challenge = {}; 4008 keymaster_blob_t att_unique_id = {}; 4009 EXPECT_EQ(KM_ERROR_OK, parse_attestation_record( 4010 attest_rec->data, attest_rec->length, &att_attestation_version, 4011 &att_attestation_security_level, &att_keymaster_version, 4012 &att_keymaster_security_level, &att_challenge, &att_sw_enforced, 4013 &att_tee_enforced, &att_unique_id)); 4014 4015 EXPECT_EQ(2U, att_attestation_version); 4016 EXPECT_EQ(KM_SECURITY_LEVEL_SOFTWARE, att_attestation_security_level); 4017 EXPECT_EQ(expected_keymaster_version, att_keymaster_version); 4018 EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level); 4019 4020 EXPECT_EQ(challenge.length(), att_challenge.data_length); 4021 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length())); 4022 4023 // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in 4024 // attestations, since they're meaningless off-device. 4025 uint32_t user_id; 4026 if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id)) 4027 att_sw_enforced.push_back(TAG_USER_ID, user_id); 4028 if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id)) 4029 att_tee_enforced.push_back(TAG_USER_ID, user_id); 4030 4031 // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included 4032 // in the attestation. 4033 if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) 4034 att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID); 4035 if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID)) 4036 att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID); 4037 4038 att_sw_enforced.Sort(); 4039 expected_sw_enforced.Sort(); 4040 EXPECT_EQ(expected_sw_enforced, att_sw_enforced); 4041 4042 att_tee_enforced.Sort(); 4043 expected_tee_enforced.Sort(); 4044 EXPECT_EQ(expected_tee_enforced, att_tee_enforced); 4045 4046 delete[] att_challenge.data; 4047 delete[] att_unique_id.data; 4048 4049 return true; 4050 } 4051 4052 TEST_P(AttestationTest, RsaAttestation) { 4053 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 4054 .RsaSigningKey(256, 3) 4055 .Digest(KM_DIGEST_NONE) 4056 .Padding(KM_PAD_NONE) 4057 .Authorization(TAG_INCLUDE_UNIQUE_ID))); 4058 4059 keymaster_cert_chain_t cert_chain; 4060 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", "attest_app_id", &cert_chain)); 4061 ASSERT_EQ(3U, cert_chain.entry_count); 4062 EXPECT_TRUE(verify_chain(cert_chain)); 4063 4064 uint32_t expected_keymaster_version; 4065 keymaster_security_level_t expected_keymaster_security_level; 4066 // TODO(swillden): Add a test KM1 that claims to be hardware. 4067 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) { 4068 expected_keymaster_version = 0; 4069 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT; 4070 } else { 4071 expected_keymaster_version = 3; 4072 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE; 4073 } 4074 4075 EXPECT_TRUE(verify_attestation_record( 4076 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version, 4077 expected_keymaster_security_level, cert_chain.entries[0])); 4078 4079 keymaster_free_cert_chain(&cert_chain); 4080 } 4081 4082 TEST_P(AttestationTest, EcAttestation) { 4083 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( 4084 KM_DIGEST_SHA_2_256))); 4085 4086 uint32_t expected_keymaster_version; 4087 keymaster_security_level_t expected_keymaster_security_level; 4088 // TODO(swillden): Add a test KM1 that claims to be hardware. 4089 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) { 4090 expected_keymaster_version = 0; 4091 expected_keymaster_security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT; 4092 } else { 4093 expected_keymaster_version = 3; 4094 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE; 4095 } 4096 4097 keymaster_cert_chain_t cert_chain; 4098 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", "attest_app_id", &cert_chain)); 4099 ASSERT_EQ(3U, cert_chain.entry_count); 4100 EXPECT_TRUE(verify_chain(cert_chain)); 4101 EXPECT_TRUE(verify_attestation_record( 4102 "challenge", sw_enforced(), hw_enforced(), expected_keymaster_version, 4103 expected_keymaster_security_level, cert_chain.entries[0])); 4104 4105 keymaster_free_cert_chain(&cert_chain); 4106 } 4107 4108 typedef Keymaster2Test KeyUpgradeTest; 4109 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params); 4110 4111 TEST_P(KeyUpgradeTest, AesVersionUpgrade) { 4112 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4113 4114 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder() 4115 .AesEncryptionKey(128) 4116 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB) 4117 .Padding(KM_PAD_NONE))); 4118 4119 // Key should operate fine. 4120 string message = "1234567890123456"; 4121 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 4122 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE)); 4123 4124 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. 4125 GetParam()->keymaster_context()->SetSystemVersion(1, 2); 4126 AuthorizationSet begin_params(client_params()); 4127 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB); 4128 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 4129 if (GetParam()->is_keymaster1_hw()) { 4130 // Keymaster1 hardware can't support version binding. The key will work regardless 4131 // of system version. Just abort the remainder of the test. 4132 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4133 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 4134 return; 4135 } 4136 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4137 4138 // Getting characteristics should also fail 4139 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); 4140 4141 // Upgrade key. 4142 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); 4143 4144 // Key should work again 4145 ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE); 4146 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE)); 4147 4148 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. 4149 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4150 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4151 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); 4152 4153 // Upgrade should fail 4154 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); 4155 4156 EXPECT_EQ(0, GetParam()->keymaster0_calls()); 4157 } 4158 4159 TEST_P(KeyUpgradeTest, RsaVersionUpgrade) { 4160 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4161 4162 ASSERT_EQ(KM_ERROR_OK, 4163 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE))); 4164 4165 // Key should operate fine. 4166 string message = "12345678901234567890123456789012"; 4167 string ciphertext = EncryptMessage(message, KM_PAD_NONE); 4168 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE)); 4169 4170 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. 4171 GetParam()->keymaster_context()->SetSystemVersion(1, 2); 4172 AuthorizationSet begin_params(client_params()); 4173 begin_params.push_back(TAG_PADDING, KM_PAD_NONE); 4174 if (GetParam()->is_keymaster1_hw()) { 4175 // Keymaster1 hardware can't support version binding. The key will work regardless 4176 // of system version. Just abort the remainder of the test. 4177 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4178 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 4179 return; 4180 } 4181 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4182 4183 // Getting characteristics should also fail 4184 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); 4185 4186 // Upgrade key. 4187 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); 4188 4189 // Key should work again 4190 ciphertext = EncryptMessage(message, KM_PAD_NONE); 4191 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE)); 4192 4193 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. 4194 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4195 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4196 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); 4197 4198 // Upgrade should fail 4199 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); 4200 4201 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) 4202 EXPECT_EQ(7, GetParam()->keymaster0_calls()); 4203 } 4204 4205 TEST_P(KeyUpgradeTest, EcVersionUpgrade) { 4206 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4207 4208 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest( 4209 KM_DIGEST_SHA_2_256))); 4210 4211 // Key should operate fine. 4212 string message = "1234567890123456"; 4213 string signature; 4214 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 4215 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 4216 4217 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE. 4218 GetParam()->keymaster_context()->SetSystemVersion(1, 2); 4219 AuthorizationSet begin_params(client_params()); 4220 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256); 4221 if (GetParam()->is_keymaster1_hw()) { 4222 // Keymaster1 hardware can't support version binding. The key will work regardless 4223 // of system version. Just abort the remainder of the test. 4224 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 4225 EXPECT_EQ(KM_ERROR_OK, AbortOperation()); 4226 return; 4227 } 4228 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params)); 4229 4230 // Getting characteristics should also fail 4231 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics()); 4232 4233 // Upgrade key. 4234 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params())); 4235 4236 // Key should work again 4237 SignMessage(message, &signature, KM_DIGEST_SHA_2_256); 4238 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256); 4239 4240 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB. 4241 GetParam()->keymaster_context()->SetSystemVersion(1, 1); 4242 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params)); 4243 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics()); 4244 4245 // Upgrade should fail 4246 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params())); 4247 4248 if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) 4249 EXPECT_EQ(7, GetParam()->keymaster0_calls()); 4250 } 4251 4252 TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) { 4253 // Make a good fake device, and wrap it. 4254 SoftKeymasterDevice* good_fake(new SoftKeymasterDevice(new TestKeymasterContext)); 4255 4256 // Wrap it and check it. 4257 SoftKeymasterDevice* good_fake_wrapper(new SoftKeymasterDevice(new TestKeymasterContext)); 4258 good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device()); 4259 EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood()); 4260 4261 // Close and clean up wrapper and wrapped 4262 good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device()); 4263 4264 // Make a "bad" (doesn't support all digests) device; 4265 keymaster1_device_t* sha256_only_fake = make_device_sha256_only( 4266 (new SoftKeymasterDevice(new TestKeymasterContext("256")))->keymaster_device()); 4267 4268 // Wrap it and check it. 4269 SoftKeymasterDevice* sha256_only_fake_wrapper( 4270 (new SoftKeymasterDevice(new TestKeymasterContext))); 4271 sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake); 4272 EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood()); 4273 4274 // Close and clean up wrapper and wrapped 4275 sha256_only_fake_wrapper->keymaster_device()->common.close( 4276 sha256_only_fake_wrapper->hw_device()); 4277 } 4278 4279 class HmacKeySharingTest : public ::testing::Test { 4280 protected: 4281 using KeymasterVec = std::vector<std::unique_ptr<AndroidKeymaster>>; 4282 using ParamsVec = std::vector<HmacSharingParameters>; 4283 using ByteString = std::basic_string<uint8_t>; 4284 using NonceVec = std::vector<ByteString>; 4285 using ResponseVec = std::vector<ComputeSharedHmacResponse>; 4286 4287 KeymasterVec CreateKeymasters(size_t count) { 4288 KeymasterVec keymasters; 4289 for (size_t i = 0; i < count; ++i) { 4290 keymasters.push_back(make_unique<AndroidKeymaster>(new TestKeymasterContext, 16)); 4291 } 4292 return keymasters; 4293 } 4294 4295 ParamsVec GetHmacSharingParameters(const KeymasterVec& keymasters) { 4296 ParamsVec paramsVec; 4297 for (auto& keymaster : keymasters) { 4298 auto result = keymaster->GetHmacSharingParameters(); 4299 EXPECT_EQ(KM_ERROR_OK, result.error); 4300 if (result.error == KM_ERROR_OK) paramsVec.push_back(move(result.params)); 4301 } 4302 return paramsVec; 4303 } 4304 4305 template <size_t N> ByteString ToByteString(const uint8_t (&a)[N]) { return ByteString(a, N); } 4306 4307 ByteString ToByteString(const keymaster_blob_t& b) { return ByteString(b.data, b.data_length); } 4308 4309 NonceVec CopyNonces(const ParamsVec& paramsVec) { 4310 NonceVec nonces; 4311 for (auto& param : paramsVec) { 4312 nonces.push_back(ToByteString(param.nonce)); 4313 } 4314 return nonces; 4315 } 4316 4317 ResponseVec ComputeSharedHmac(const KeymasterVec& keymasters, const ParamsVec& paramsVec) { 4318 ComputeSharedHmacRequest req; 4319 req.params_array.params_array = const_cast<HmacSharingParameters*>(paramsVec.data()); 4320 auto prevent_deletion_of_paramsVec_data = 4321 finally([&]() { req.params_array.params_array = nullptr; }); 4322 req.params_array.num_params = paramsVec.size(); 4323 4324 ResponseVec responses; 4325 for (auto& keymaster : keymasters) { 4326 responses.push_back(keymaster->ComputeSharedHmac(req)); 4327 } 4328 4329 return responses; 4330 } 4331 4332 bool VerifyResponses(const ByteString& expected, const ResponseVec& responses) { 4333 for (auto& response : responses) { 4334 EXPECT_EQ(KM_ERROR_OK, response.error); 4335 auto this_sharing_check = ToByteString(response.sharing_check); 4336 EXPECT_EQ(expected, this_sharing_check) << "Sharing check values should match."; 4337 if (response.error != KM_ERROR_OK || expected != this_sharing_check) { 4338 return false; 4339 } 4340 } 4341 return true; 4342 } 4343 }; 4344 4345 TEST_F(HmacKeySharingTest, GetParametersIdempotency) { 4346 AndroidKeymaster keymaster(new TestKeymasterContext, 16); 4347 4348 ParamsVec paramsVec; 4349 4350 auto result1 = keymaster.GetHmacSharingParameters(); 4351 EXPECT_EQ(KM_ERROR_OK, result1.error); 4352 paramsVec.push_back(std::move(result1.params)); 4353 4354 auto result2 = keymaster.GetHmacSharingParameters(); 4355 EXPECT_EQ(KM_ERROR_OK, result2.error); 4356 paramsVec.push_back(std::move(result2.params)); 4357 4358 ASSERT_EQ(ToByteString(paramsVec[0].seed), ToByteString(paramsVec[1].seed)) 4359 << "A given keymaster should always return the same seed."; 4360 EXPECT_EQ(ToByteString(paramsVec[0].nonce), ToByteString(paramsVec[1].nonce)) 4361 << "A given keymaster should always return the same nonce until restart."; 4362 } 4363 4364 TEST_F(HmacKeySharingTest, ComputeSharedHmac) { 4365 // ComputeSharedHmac should work with any number of participants; we just test 1 through 4. 4366 for (size_t keymaster_count = 1; keymaster_count <= 4; ++keymaster_count) { 4367 SCOPED_TRACE(testing::Message() << keymaster_count << " keymaster instances"); 4368 4369 auto keymasters = CreateKeymasters(keymaster_count); 4370 auto params = GetHmacSharingParameters(keymasters); 4371 ASSERT_EQ(keymaster_count, params.size()) 4372 << "One or more keymasters failed to provide parameters."; 4373 4374 auto nonces = CopyNonces(params); 4375 EXPECT_EQ(keymaster_count, nonces.size()) << "We should have a nonce per keymaster."; 4376 std::sort(nonces.begin(), nonces.end()); 4377 std::unique(nonces.begin(), nonces.end()); 4378 EXPECT_EQ(keymaster_count, nonces.size()) << "Nonces should all be unique."; 4379 4380 auto responses = ComputeSharedHmac(keymasters, params); 4381 ASSERT_EQ(keymaster_count, responses.size()); 4382 4383 ASSERT_TRUE(VerifyResponses(ToByteString(responses[0].sharing_check), responses)); 4384 } 4385 } 4386 4387 TEST_F(HmacKeySharingTest, ComputeSharedHmacTwice) { 4388 for (size_t keymaster_count = 1; keymaster_count <= 4; ++keymaster_count) { 4389 SCOPED_TRACE(testing::Message() << keymaster_count << " keymaster instances"); 4390 4391 auto keymasters = CreateKeymasters(keymaster_count); 4392 auto params = GetHmacSharingParameters(keymasters); 4393 ASSERT_EQ(keymaster_count, params.size()) 4394 << "One or more keymasters failed to provide parameters."; 4395 4396 auto responses = ComputeSharedHmac(keymasters, params); 4397 ASSERT_EQ(keymaster_count, responses.size()); 4398 4399 ByteString sharing_check_value = ToByteString(responses[0].sharing_check); 4400 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses)); 4401 4402 params = GetHmacSharingParameters(keymasters); 4403 ASSERT_EQ(keymaster_count, params.size()) 4404 << "One or more keymasters failed to provide parameters."; 4405 responses = ComputeSharedHmac(keymasters, params); 4406 4407 // Verify against first check value; we should get the same one every time, because each 4408 // keymaster instance returns the same seed every time, and the same nonce until restart. 4409 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses)); 4410 } 4411 } 4412 4413 TEST_F(HmacKeySharingTest, ComputeSharedHmacCorruptNonce) { 4414 constexpr size_t keymaster_count = 4; 4415 auto keymasters = CreateKeymasters(keymaster_count); 4416 4417 auto params = GetHmacSharingParameters(keymasters); 4418 ASSERT_EQ(keymaster_count, params.size()) 4419 << "One or more keymasters failed to provide parameters."; 4420 4421 // All should be well in the normal case 4422 auto responses = ComputeSharedHmac(keymasters, params); 4423 ASSERT_EQ(keymaster_count, responses.size()); 4424 ByteString sharing_check_value = ToByteString(responses[0].sharing_check); 4425 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses)); 4426 4427 // Pick a random param, a random byte within the param's nonce, and a random bit within 4428 // the byte. Flip that bit. 4429 size_t param_to_tweak = rand() % params.size(); 4430 uint8_t byte_to_tweak = rand() % sizeof(params[param_to_tweak].nonce); 4431 uint8_t bit_to_tweak = rand() % 8; 4432 params[param_to_tweak].nonce[byte_to_tweak] ^= (1 << bit_to_tweak); 4433 4434 responses = ComputeSharedHmac(keymasters, params); 4435 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, responses[param_to_tweak].error) 4436 << "Keymaster that provided tweaked response should fail to compute HMAC key"; 4437 for (size_t i = 0; i < responses.size(); ++i) { 4438 if (i != param_to_tweak) { 4439 EXPECT_EQ(KM_ERROR_OK, responses[i].error) << "Others should succeed"; 4440 EXPECT_NE(sharing_check_value, ToByteString(responses[i].sharing_check)) 4441 << "Others should calculate a different HMAC key, due to the tweaked nonce."; 4442 } 4443 } 4444 } 4445 4446 TEST_F(HmacKeySharingTest, ComputeSharedHmacCorruptSeed) { 4447 constexpr size_t keymaster_count = 4; 4448 auto keymasters = CreateKeymasters(keymaster_count); 4449 4450 auto params = GetHmacSharingParameters(keymasters); 4451 ASSERT_EQ(keymaster_count, params.size()) 4452 << "One or more keymasters failed to provide parameters."; 4453 4454 // All should be well in the normal case 4455 auto responses = ComputeSharedHmac(keymasters, params); 4456 ASSERT_EQ(keymaster_count, responses.size()); 4457 ByteString sharing_check_value = ToByteString(responses[0].sharing_check); 4458 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses)); 4459 4460 // Pick a random param and modify the seed. 4461 auto param_to_tweak = rand() & params.size(); 4462 constexpr uint8_t wrong_seed_value[] = {0xF, 0x0, 0x0}; 4463 params[param_to_tweak].SetSeed({wrong_seed_value, sizeof(wrong_seed_value)}); 4464 auto prevent_deletion_of_wrong_seed = 4465 finally([&]() { params[param_to_tweak].seed.data = nullptr; }); 4466 4467 responses = ComputeSharedHmac(keymasters, params); 4468 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, responses[param_to_tweak].error) 4469 << "Keymaster that provided tweaked response should fail to compute HMAC key"; 4470 for (size_t i = 0; i < responses.size(); ++i) { 4471 if (i != param_to_tweak) { 4472 EXPECT_EQ(KM_ERROR_OK, responses[i].error) << "Others should succeed"; 4473 EXPECT_NE(sharing_check_value, ToByteString(responses[i].sharing_check)) 4474 << "Others should calculate a different HMAC key, due to the tweaked seed."; 4475 } 4476 } 4477 } 4478 4479 } // namespace test 4480 } // namespace keymaster 4481
