blob: f0ae2f1c3beca7f6da76a3b8abb973e05f7af731 [file] [log] [blame]
/*
* Copyright (C) 2014 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <fstream>
#include <string>
#include <vector>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <hardware/keymaster0.h>
#include <keymaster/key_factory.h>
#include <keymaster/soft_keymaster_context.h>
#include <keymaster/soft_keymaster_device.h>
#include <keymaster/softkeymaster.h>
#include "android_keymaster_test_utils.h"
#include "keymaster0_engine.h"
#include "openssl_utils.h"
using std::ifstream;
using std::istreambuf_iterator;
using std::string;
using std::vector;
using std::unique_ptr;
extern "C" {
int __android_log_print(int prio, const char* tag, const char* fmt);
int __android_log_print(int prio, const char* tag, const char* fmt) {
(void)prio, (void)tag, (void)fmt;
return 0;
}
} // extern "C"
namespace keymaster {
namespace test {
StdoutLogger logger;
template <typename T> vector<T> make_vector(const T* array, size_t len) {
return vector<T>(array, array + len);
}
/**
* KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't
* check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited
* keys will only work once).
*/
class TestKeymasterEnforcement : public KeymasterEnforcement {
public:
TestKeymasterEnforcement() : KeymasterEnforcement(3, 3) {}
virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; }
virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; }
virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */,
uint32_t /* timeout */) const {
return false;
}
virtual uint32_t get_current_time() const { return 0; }
virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; }
};
/**
* Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement.
*/
class TestKeymasterContext : public SoftKeymasterContext {
public:
TestKeymasterContext() {}
TestKeymasterContext(const string& root_of_trust) : SoftKeymasterContext(root_of_trust) {}
KeymasterEnforcement* enforcement_policy() override { return &test_policy_; }
private:
TestKeymasterEnforcement test_policy_;
};
/**
* Test instance creator that builds a pure software keymaster1 implementations.
*/
class SoftKeymasterTestInstanceCreator : public Keymaster1TestInstanceCreator {
public:
keymaster1_device_t* CreateDevice() const override {
std::cerr << "Creating software-only device" << std::endl;
SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext);
return device->keymaster_device();
}
bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
int keymaster0_calls() const override { return 0; }
};
/**
* Test instance creator that builds keymaster1 instances which wrap a faked hardware keymaster0
* instance, with or without EC support.
*/
class Keymaster0AdapterTestInstanceCreator : public Keymaster1TestInstanceCreator {
public:
Keymaster0AdapterTestInstanceCreator(bool support_ec) : support_ec_(support_ec) {}
keymaster1_device_t* CreateDevice() const {
std::cerr << "Creating keymaster0-backed device (with ec: " << std::boolalpha << support_ec_
<< ")." << std::endl;
hw_device_t* softkeymaster_device;
EXPECT_EQ(0, openssl_open(&softkeymaster_module.common, KEYSTORE_KEYMASTER,
&softkeymaster_device));
// Make the software device pretend to be hardware
keymaster0_device_t* keymaster0_device =
reinterpret_cast<keymaster0_device_t*>(softkeymaster_device);
keymaster0_device->flags &= ~KEYMASTER_SOFTWARE_ONLY;
if (!support_ec_) {
// Make the software device pretend not to support EC
keymaster0_device->flags &= ~KEYMASTER_SUPPORTS_EC;
}
counting_keymaster0_device_ = new Keymaster0CountingWrapper(keymaster0_device);
SoftKeymasterDevice* keymaster = new SoftKeymasterDevice(new TestKeymasterContext);
keymaster->SetHardwareDevice(counting_keymaster0_device_);
return keymaster->keymaster_device();
}
bool algorithm_in_km0_hardware(keymaster_algorithm_t algorithm) const override {
switch (algorithm) {
case KM_ALGORITHM_RSA:
return true;
case KM_ALGORITHM_EC:
return support_ec_;
default:
return false;
}
}
int keymaster0_calls() const override { return counting_keymaster0_device_->count(); }
private:
mutable Keymaster0CountingWrapper* counting_keymaster0_device_;
bool support_ec_;
};
/**
* Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
* instance, with minimal digest support.
*/
class Sha256OnlyKeymaster1TestInstanceCreator : public Keymaster1TestInstanceCreator {
keymaster1_device_t* CreateDevice() const {
std::cerr << "Creating keymaster1-backed device that supports only SHA256";
// fake_device doesn't leak because device (below) takes ownership of it.
keymaster1_device_t* fake_device = make_device_sha256_only(
(new SoftKeymasterDevice(new TestKeymasterContext("PseudoHW")))->keymaster_device());
// device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
SoftKeymasterDevice* device = new SoftKeymasterDevice(new TestKeymasterContext);
device->SetHardwareDevice(fake_device);
return device->keymaster_device();
}
bool algorithm_in_km0_hardware(keymaster_algorithm_t) const override { return false; }
int keymaster0_calls() const override { return 0; }
int minimal_digest_set() const override { return true; }
};
static auto test_params = testing::Values(
InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator),
InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(true /* support_ec */)),
InstanceCreatorPtr(new Keymaster0AdapterTestInstanceCreator(false /* support_ec */)),
InstanceCreatorPtr(new Sha256OnlyKeymaster1TestInstanceCreator));
typedef Keymaster1Test CheckSupported;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, CheckSupported, test_params);
TEST_P(CheckSupported, SupportedAlgorithms) {
EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_algorithms(device(), NULL, NULL));
size_t len;
keymaster_algorithm_t* algorithms;
EXPECT_EQ(KM_ERROR_OK, device()->get_supported_algorithms(device(), &algorithms, &len));
EXPECT_TRUE(ResponseContains(
{KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC}, algorithms, len));
free(algorithms);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(CheckSupported, SupportedBlockModes) {
EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT,
NULL, NULL));
size_t len;
keymaster_block_mode_t* modes;
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_RSA,
KM_PURPOSE_ENCRYPT, &modes, &len));
EXPECT_EQ(0U, len);
free(modes);
EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE,
device()->get_supported_block_modes(device(), KM_ALGORITHM_EC, KM_PURPOSE_ENCRYPT,
&modes, &len));
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_block_modes(device(), KM_ALGORITHM_AES,
KM_PURPOSE_ENCRYPT, &modes, &len));
EXPECT_TRUE(ResponseContains({KM_MODE_ECB, KM_MODE_CBC, KM_MODE_CTR, KM_MODE_GCM}, modes, len));
free(modes);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(CheckSupported, SupportedPaddingModes) {
EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA, KM_PURPOSE_ENCRYPT,
NULL, NULL));
size_t len;
keymaster_padding_t* modes;
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA,
KM_PURPOSE_SIGN, &modes, &len));
EXPECT_TRUE(
ResponseContains({KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS}, modes, len));
free(modes);
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_RSA,
KM_PURPOSE_ENCRYPT, &modes, &len));
EXPECT_TRUE(
ResponseContains({KM_PAD_NONE, KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT}, modes, len));
free(modes);
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_padding_modes(device(), KM_ALGORITHM_EC,
KM_PURPOSE_SIGN, &modes, &len));
EXPECT_EQ(0U, len);
free(modes);
EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE,
device()->get_supported_padding_modes(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN,
&modes, &len));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(CheckSupported, SupportedDigests) {
EXPECT_EQ(
KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_digests(device(), KM_ALGORITHM_RSA, KM_PURPOSE_SIGN, NULL, NULL));
size_t len;
keymaster_digest_t* digests;
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA,
KM_PURPOSE_SIGN, &digests, &len));
if (GetParam()->minimal_digest_set()) {
EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA_2_256}, digests, len));
} else {
EXPECT_TRUE(
ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512},
digests, len));
}
free(digests);
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_RSA,
KM_PURPOSE_ENCRYPT, &digests, &len));
if (GetParam()->minimal_digest_set()) {
EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA_2_256}, digests, len));
} else {
EXPECT_TRUE(
ResponseContains({KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512},
digests, len));
}
free(digests);
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC,
KM_PURPOSE_SIGN, &digests, &len));
if (GetParam()->minimal_digest_set()) {
EXPECT_TRUE(ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA_2_256}, digests, len));
} else {
EXPECT_TRUE(
ResponseContains({KM_DIGEST_NONE, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512},
digests, len));
}
free(digests);
EXPECT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE,
device()->get_supported_digests(device(), KM_ALGORITHM_AES, KM_PURPOSE_SIGN, &digests,
&len));
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_HMAC,
KM_PURPOSE_SIGN, &digests, &len));
if (GetParam()->minimal_digest_set()) {
EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_256}, digests, len));
} else {
EXPECT_TRUE(ResponseContains({KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384,
KM_DIGEST_SHA_2_512, KM_DIGEST_SHA1},
digests, len));
}
free(digests);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(CheckSupported, SupportedImportFormats) {
EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, NULL, NULL));
size_t len;
keymaster_key_format_t* formats;
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_import_formats(device(), KM_ALGORITHM_RSA, &formats, &len));
EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_PKCS8, formats, len));
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_import_formats(device(), KM_ALGORITHM_AES, &formats, &len));
EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len));
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_import_formats(device(), KM_ALGORITHM_HMAC, &formats, &len));
EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_RAW, formats, len));
free(formats);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(CheckSupported, SupportedExportFormats) {
EXPECT_EQ(KM_ERROR_OUTPUT_PARAMETER_NULL,
device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, NULL, NULL));
size_t len;
keymaster_key_format_t* formats;
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_export_formats(device(), KM_ALGORITHM_RSA, &formats, &len));
EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len));
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_export_formats(device(), KM_ALGORITHM_EC, &formats, &len));
EXPECT_TRUE(ResponseContains(KM_KEY_FORMAT_X509, formats, len));
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len));
EXPECT_EQ(0U, len);
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_export_formats(device(), KM_ALGORITHM_AES, &formats, &len));
EXPECT_EQ(0U, len);
free(formats);
ASSERT_EQ(KM_ERROR_OK,
device()->get_supported_export_formats(device(), KM_ALGORITHM_HMAC, &formats, &len));
EXPECT_EQ(0U, len);
free(formats);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
class NewKeyGeneration : public Keymaster1Test {
protected:
void CheckBaseParams() {
AuthorizationSet auths = sw_enforced();
EXPECT_GT(auths.SerializedSize(), 12U);
EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN));
EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY));
EXPECT_TRUE(contains(auths, TAG_USER_ID, 7));
EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300));
// Verify that App ID, App data and ROT are NOT included.
EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST));
EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID));
EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA));
// Just for giggles, check that some unexpected tags/values are NOT present.
EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT));
EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301));
// Now check that unspecified, defaulted tags are correct.
EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME));
}
};
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params);
TEST_P(NewKeyGeneration, Rsa) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
CheckBaseParams();
// Check specified tags are all present, and in the right set.
AuthorizationSet crypto_params;
AuthorizationSet non_crypto_params;
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA)) {
EXPECT_NE(0U, hw_enforced().size());
EXPECT_NE(0U, sw_enforced().size());
crypto_params.push_back(hw_enforced());
non_crypto_params.push_back(sw_enforced());
} else {
EXPECT_EQ(0U, hw_enforced().size());
EXPECT_NE(0U, sw_enforced().size());
crypto_params.push_back(sw_enforced());
}
EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256));
EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256));
EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(1, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, RsaDefaultSize) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
.Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
.SigningKey()));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, Ecdsa) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
CheckBaseParams();
// Check specified tags are all present, and in the right set.
AuthorizationSet crypto_params;
AuthorizationSet non_crypto_params;
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC)) {
EXPECT_NE(0U, hw_enforced().size());
EXPECT_NE(0U, sw_enforced().size());
crypto_params.push_back(hw_enforced());
non_crypto_params.push_back(sw_enforced());
} else {
EXPECT_EQ(0U, hw_enforced().size());
EXPECT_NE(0U, sw_enforced().size());
crypto_params.push_back(sw_enforced());
}
EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224));
EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(1, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, EcdsaDefaultSize) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
.SigningKey()
.Digest(KM_DIGEST_NONE)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, EcdsaInvalidSize) {
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
ASSERT_EQ(
KM_ERROR_UNKNOWN_ERROR,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
else
ASSERT_EQ(
KM_ERROR_UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(1, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, EcdsaAllValidSizes) {
size_t valid_sizes[] = {224, 256, 384, 521};
for (size_t size : valid_sizes) {
EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(
KM_DIGEST_NONE)))
<< "Failed to generate size: " << size;
}
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacSha256) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 256)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacMultipleDigests) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA1)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacDigestNone) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_NONE)
.Authorization(TAG_MIN_MAC_LENGTH, 128)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 48)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 130)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) {
ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 384)));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
typedef Keymaster1Test GetKeyCharacteristics;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params);
TEST_P(GetKeyCharacteristics, SimpleRsa) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
AuthorizationSet original(sw_enforced());
ASSERT_EQ(KM_ERROR_OK, GetCharacteristics());
EXPECT_EQ(original, sw_enforced());
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(1, GetParam()->keymaster0_calls());
}
typedef Keymaster1Test SigningOperationsTest;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params);
TEST_P(SigningOperationsTest, RsaSuccess) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string message = "12345678901234567890123456789012";
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPssSha256Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PSS)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string message = "12345678901234567890123456789012";
string signature;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
string message(53, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
string message(54, 'a');
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
string signature;
EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&signature));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) {
// Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so
// verify that nine bytes larger than hash won't work.
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256 + 9 * 8, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PSS)));
string message(1024, 'a');
string signature;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
}
TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
string message(64 * 1024, 'a');
string signature;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaAbort) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
EXPECT_EQ(KM_ERROR_OK, AbortOperation());
// Another abort should fail
EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation());
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_SHA_2_256 /* supported digest */)
.Padding(KM_PAD_PKCS7));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaNoDigest) {
// PSS requires a digest.
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_RSA_PSS));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaNoPadding) {
// Padding must be specified
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest(
KM_DIGEST_NONE)));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaTooShortMessage) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string message = "1234567890123456789012345678901";
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, EcdsaSuccess) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
string message(224 / 8, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, EcdsaSha256Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
KM_DIGEST_SHA_2_256)));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, EcdsaSha384Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
KM_DIGEST_SHA_2_384)));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_384);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
string message(64 * 1024, 'a');
string signature;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, EcsdaAllSizesAndHashes) {
size_t len;
keymaster_digest_t* digest_arr;
ASSERT_EQ(KM_ERROR_OK, device()->get_supported_digests(device(), KM_ALGORITHM_EC,
KM_PURPOSE_SIGN, &digest_arr, &len));
vector<int> key_sizes = {224, 256, 384, 521};
vector<keymaster_digest_t> digests = make_vector(digest_arr, len);
free(digest_arr);
for (int key_size : key_sizes) {
for (keymaster_digest_t digest : digests) {
ASSERT_EQ(
KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest)));
string message(1024, 'a');
string signature;
if (digest == KM_DIGEST_NONE)
message.resize(key_size / 8);
SignMessage(message, &signature, digest);
}
}
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(digests.size() * key_sizes.size() * 3,
static_cast<size_t>(GetParam()->keymaster0_calls()));
}
TEST_P(SigningOperationsTest, AesEcbSign) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization(
TAG_BLOCK_MODE, KM_MODE_ECB)));
ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN));
ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha1Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate other digests for HMAC.
return;
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA1)
.Authorization(TAG_MIN_MAC_LENGTH, 160));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 160);
ASSERT_EQ(20U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha224Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate other digests for HMAC.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_224)
.Authorization(TAG_MIN_MAC_LENGTH, 160)));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 224);
ASSERT_EQ(28U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha256Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate other digests for HMAC.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 256)));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 256);
ASSERT_EQ(32U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha384Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate other digests for HMAC.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_384)
.Authorization(TAG_MIN_MAC_LENGTH, 384)));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 384);
ASSERT_EQ(48U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha512Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate other digests for HMAC.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_512)
.Authorization(TAG_MIN_MAC_LENGTH, 384)));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 512);
ASSERT_EQ(64U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacLengthInKey) {
// TODO(swillden): unified API should generate an error on key generation.
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128)));
string message = "12345678901234567890123456789012";
string signature;
MacMessage(message, &signature, 160);
ASSERT_EQ(20U, signature.size());
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase1) {
uint8_t key_data[] = {
0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
};
string message = "Hi There";
uint8_t sha_224_expected[] = {
0x89, 0x6f, 0xb1, 0x12, 0x8a, 0xbb, 0xdf, 0x19, 0x68, 0x32, 0x10, 0x7c, 0xd4, 0x9d,
0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68, 0x4b, 0x22,
};
uint8_t sha_256_expected[] = {
0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf,
0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83,
0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7,
};
uint8_t sha_384_expected[] = {
0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62, 0x6b, 0x08, 0x25, 0xf4,
0xab, 0x46, 0x90, 0x7f, 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c, 0xfa, 0xea, 0x9e, 0xa9,
0x07, 0x6e, 0xde, 0x7f, 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6,
};
uint8_t sha_512_expected[] = {
0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d, 0x4f, 0xf0, 0xb4, 0x24, 0x1a,
0x1d, 0x6c, 0xb0, 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78, 0x7a, 0xd0,
0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde, 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7,
0x02, 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4, 0xbe, 0x9d, 0x91, 0x4e,
0xeb, 0x61, 0xf1, 0x70, 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54,
};
string key = make_string(key_data);
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase2) {
string key = "Jefe";
string message = "what do ya want for nothing?";
uint8_t sha_224_expected[] = {
0xa3, 0x0e, 0x01, 0x09, 0x8b, 0xc6, 0xdb, 0xbf, 0x45, 0x69, 0x0f, 0x3a, 0x7e, 0x9e,
0x6d, 0x0f, 0x8b, 0xbe, 0xa2, 0xa3, 0x9e, 0x61, 0x48, 0x00, 0x8f, 0xd0, 0x5e, 0x44,
};
uint8_t sha_256_expected[] = {
0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24,
0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27,
0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43,
};
uint8_t sha_384_expected[] = {
0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31, 0x61, 0x7f, 0x78, 0xd2,
0xb5, 0x8a, 0x6b, 0x1b, 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e, 0x8e, 0x22, 0x40, 0xca,
0x5e, 0x69, 0xe2, 0xc7, 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49,
};
uint8_t sha_512_expected[] = {
0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2, 0xe3, 0x95, 0xfb, 0xe7, 0x3b,
0x56, 0xe0, 0xa3, 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6, 0x10, 0x27,
0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54, 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99,
0x4a, 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd, 0xca, 0xea, 0xb1, 0xa3,
0x4d, 0x4a, 0x6b, 0x4b, 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
string key(20, 0xaa);
string message(50, 0xdd);
uint8_t sha_224_expected[] = {
0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
};
uint8_t sha_256_expected[] = {
0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
};
uint8_t sha_384_expected[] = {
0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
};
uint8_t sha_512_expected[] = {
0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) {
uint8_t key_data[25] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
};
string key = make_string(key_data);
string message(50, 0xcd);
uint8_t sha_224_expected[] = {
0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82,
0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a,
};
uint8_t sha_256_expected[] = {
0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81,
0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78,
0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b,
};
uint8_t sha_384_expected[] = {
0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62,
0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23,
0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb,
};
uint8_t sha_512_expected[] = {
0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6,
0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f,
0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e,
0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41,
0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
string key(20, 0x0c);
string message = "Test With Truncation";
uint8_t sha_224_expected[] = {
0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
};
uint8_t sha_256_expected[] = {
0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
};
uint8_t sha_384_expected[] = {
0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
};
uint8_t sha_512_expected[] = {
0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
string key(131, 0xaa);
string message = "Test Using Larger Than Block-Size Key - Hash Key First";
uint8_t sha_224_expected[] = {
0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
};
uint8_t sha_256_expected[] = {
0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
};
uint8_t sha_384_expected[] = {
0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
};
uint8_t sha_512_expected[] = {
0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
string key(131, 0xaa);
string message = "This is a test using a larger than block-size key and a larger than "
"block-size data. The key needs to be hashed before being used by the HMAC "
"algorithm.";
uint8_t sha_224_expected[] = {
0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
};
uint8_t sha_256_expected[] = {
0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
};
uint8_t sha_384_expected[] = {
0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
};
uint8_t sha_512_expected[] = {
0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
};
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
if (!GetParam()->minimal_digest_set()) {
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
}
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 256)));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_MAC_LENGTH, 264);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128)));
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_MAC_LENGTH, 120);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
// TODO(swillden): Add more verification failure tests.
typedef Keymaster1Test VerificationOperationsTest;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params);
TEST_P(VerificationOperationsTest, RsaSuccess) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string message = "12345678901234567890123456789012";
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPssSha256Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PSS)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPssSha224Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_224)
.Padding(KM_PAD_RSA_PSS)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
// Verify with OpenSSL.
string pubkey;
EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
ASSERT_TRUE(pkey.get());
EVP_MD_CTX digest_ctx;
EVP_MD_CTX_init(&digest_ctx);
EVP_PKEY_CTX* pkey_ctx;
EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
pkey.get()));
EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
EXPECT_EQ(1,
EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
signature.size()));
EVP_MD_CTX_cleanup(&digest_ctx);
}
TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) {
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PSS));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
++signature[signature.size() / 2];
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PSS)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
++message[message.size() / 2];
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) {
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_224)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
// Verify with OpenSSL.
string pubkey;
EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
ASSERT_TRUE(pkey.get());
EVP_MD_CTX digest_ctx;
EVP_MD_CTX_init(&digest_ctx);
EVP_PKEY_CTX* pkey_ctx;
EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
pkey.get()));
EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
EXPECT_EQ(1,
EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
signature.size()));
EVP_MD_CTX_cleanup(&digest_ctx);
}
TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) {
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
++signature[signature.size() / 2];
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(512, 3)
.Digest(KM_DIGEST_SHA_2_256)
.Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
// Use large message, which won't work without digesting.
string message(1024, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
++message[message.size() / 2];
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) {
vector<keymaster_digest_t> digests = {
KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
};
vector<keymaster_padding_t> padding_modes{
KM_PAD_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN, KM_PAD_RSA_PSS,
};
int trial_count = 0;
for (keymaster_padding_t padding_mode : padding_modes) {
for (keymaster_digest_t digest : digests) {
if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE)
// Digesting requires padding
continue;
// Compute key & message size that will work.
size_t key_bits = 0;
size_t message_len = 1000;
if (digest == KM_DIGEST_NONE) {
key_bits = 256;
switch (padding_mode) {
case KM_PAD_NONE:
// Match key size.
message_len = key_bits / 8;
break;
case KM_PAD_RSA_PKCS1_1_5_SIGN:
message_len = key_bits / 8 - 11;
break;
case KM_PAD_RSA_PSS:
// PSS requires a digest.
continue;
default:
FAIL() << "Missing padding";
break;
}
} else {
size_t digest_bits;
switch (digest) {
case KM_DIGEST_MD5:
digest_bits = 128;
break;
case KM_DIGEST_SHA1:
digest_bits = 160;
break;
case KM_DIGEST_SHA_2_224:
digest_bits = 224;
break;
case KM_DIGEST_SHA_2_256:
digest_bits = 256;
break;
case KM_DIGEST_SHA_2_384:
digest_bits = 384;
break;
case KM_DIGEST_SHA_2_512:
digest_bits = 512;
break;
default:
FAIL() << "Missing digest";
}
switch (padding_mode) {
case KM_PAD_RSA_PKCS1_1_5_SIGN:
key_bits = digest_bits + 8 * (11 + 19);
break;
case KM_PAD_RSA_PSS:
key_bits = digest_bits + 22 * 8;
break;
default:
FAIL() << "Missing padding";
break;
}
}
GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(key_bits, 3)
.Digest(digest)
.Padding(padding_mode));
string message(message_len, 'a');
string signature;
SignMessage(message, &signature, digest, padding_mode);
VerifyMessage(message, signature, digest, padding_mode);
++trial_count;
}
}
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(trial_count * 4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, EcdsaSuccess) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
string message = "12345678901234567890123456789012";
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, EcdsaTooShort) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
string message = "12345678901234567890";
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE)));
string message(66, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE);
// Modifying low-order bits doesn't matter, because they didn't get signed. Ugh.
message[65] ^= 7;
VerifyMessage(message, signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(5, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, EcdsaSha256Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(256)
.Digest(KM_DIGEST_SHA_2_256)
.Digest(KM_DIGEST_NONE)));
string message = "12345678901234567890123456789012";
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
// Just for giggles, try verifying with the wrong digest.
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
}
TEST_P(VerificationOperationsTest, EcdsaSha224Success) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
KM_DIGEST_SHA_2_224)));
string message = "12345678901234567890123456789012";
string signature;
SignMessage(message, &signature, KM_DIGEST_SHA_2_224);
VerifyMessage(message, signature, KM_DIGEST_SHA_2_224);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
// Just for giggles, try verifying with the wrong digest.
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(message.size(), input_consumed);
EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(signature, &result));
}
TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) {
keymaster_digest_t digests[] = {
KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
};
size_t key_sizes[] = {224, 256, 384, 521};
string message = "1234567890";
string signature;
for (auto key_size : key_sizes) {
AuthorizationSetBuilder builder;
builder.EcdsaSigningKey(key_size);
for (auto digest : digests)
builder.Digest(digest);
ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder));
for (auto digest : digests) {
SignMessage(message, &signature, digest);
VerifyMessage(message, signature, digest);
}
}
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(static_cast<int>(array_length(key_sizes) * (1 + 3 * array_length(digests))),
GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha1Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate missing digests for HMAC.
return;
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA1)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 160);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha224Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate missing digests for HMAC.
return;
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_224)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 224);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha256Success) {
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 256);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) {
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 256);
// Shorten to 128 bits, should still work.
signature.resize(128 / 8);
VerifyMac(message, signature);
// Drop one more byte.
signature.resize(signature.length() - 1);
AuthorizationSet begin_params(client_params());
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(signature, &result));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha384Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate missing digests for HMAC.
return;
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_384)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 384);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(VerificationOperationsTest, HmacSha512Success) {
if (GetParam()->minimal_digest_set())
// Can't emulate missing digests for HMAC.
return;
GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Digest(KM_DIGEST_SHA_2_512)
.Authorization(TAG_MIN_MAC_LENGTH, 128));
string message = "123456789012345678901234567890123456789012345678";
string signature;
MacMessage(message, &signature, 512);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
typedef Keymaster1Test ExportKeyTest;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params);
TEST_P(ExportKeyTest, RsaSuccess) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string export_data;
ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
EXPECT_GT(export_data.length(), 0U);
// TODO(swillden): Verify that the exported key is actually usable to verify signatures.
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(ExportKeyTest, EcdsaSuccess) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
string export_data;
ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
EXPECT_GT(export_data.length(), 0U);
// TODO(swillden): Verify that the exported key is actually usable to verify signatures.
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
string export_data;
ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE)));
corrupt_key_blob();
string export_data;
ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(ExportKeyTest, AesKeyExportFails) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128)));
string export_data;
EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data));
EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
static string read_file(const string& file_name) {
ifstream file_stream(file_name, std::ios::binary);
istreambuf_iterator<char> file_begin(file_stream);
istreambuf_iterator<char> file_end;
return string(file_begin, file_end);
}
typedef Keymaster1Test ImportKeyTest;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params);
TEST_P(ImportKeyTest, RsaSuccess) {
string pk8_key = read_file("rsa_privkey_pk8.der");
ASSERT_EQ(633U, pk8_key.size());
ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
.RsaSigningKey(1024, 65537)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
// Check values derived from the key.
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
: sw_enforced(),
TAG_ALGORITHM, KM_ALGORITHM_RSA));
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
: sw_enforced(),
TAG_KEY_SIZE, 1024));
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA) ? hw_enforced()
: sw_enforced(),
TAG_RSA_PUBLIC_EXPONENT, 65537U));
// And values provided by AndroidKeymaster
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
else
EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
string message(1024 / 8, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
string pk8_key = read_file("rsa_privkey_pk8.der");
ASSERT_EQ(633U, pk8_key.size());
ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
ImportKey(AuthorizationSetBuilder()
.RsaSigningKey(2048 /* Doesn't match key */, 3)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, RsaPublicExponenMismatch) {
string pk8_key = read_file("rsa_privkey_pk8.der");
ASSERT_EQ(633U, pk8_key.size());
ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
ImportKey(AuthorizationSetBuilder()
.RsaSigningKey(256, 3 /* Doesnt' match key */)
.Digest(KM_DIGEST_NONE)
.Padding(KM_PAD_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, EcdsaSuccess) {
string pk8_key = read_file("ec_privkey_pk8.der");
ASSERT_EQ(138U, pk8_key.size());
ASSERT_EQ(KM_ERROR_OK,
ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
// Check values derived from the key.
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
: sw_enforced(),
TAG_ALGORITHM, KM_ALGORITHM_EC));
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
: sw_enforced(),
TAG_KEY_SIZE, 256));
// And values provided by AndroidKeymaster
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
else
EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
string message(32, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, EcdsaSizeSpecified) {
string pk8_key = read_file("ec_privkey_pk8.der");
ASSERT_EQ(138U, pk8_key.size());
ASSERT_EQ(KM_ERROR_OK,
ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
// Check values derived from the key.
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
: sw_enforced(),
TAG_ALGORITHM, KM_ALGORITHM_EC));
EXPECT_TRUE(contains(GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC) ? hw_enforced()
: sw_enforced(),
TAG_KEY_SIZE, 256));
// And values provided by AndroidKeymaster
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_TRUE(contains(hw_enforced(), TAG_ORIGIN, KM_ORIGIN_UNKNOWN));
else
EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
string message(32, 'a');
string signature;
SignMessage(message, &signature, KM_DIGEST_NONE);
VerifyMessage(message, signature, KM_DIGEST_NONE);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_EC))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
string pk8_key = read_file("ec_privkey_pk8.der");
ASSERT_EQ(138U, pk8_key.size());
ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
ImportKey(AuthorizationSetBuilder()
.EcdsaSigningKey(224 /* Doesn't match key */)
.Digest(KM_DIGEST_NONE),
KM_KEY_FORMAT_PKCS8, pk8_key));
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, AesKeySuccess) {
char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
string key(key_data, sizeof(key_data));
ASSERT_EQ(KM_ERROR_OK,
ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization(
TAG_PADDING, KM_PAD_PKCS7),
KM_KEY_FORMAT_RAW, key));
EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
string message = "Hello World!";
string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
EXPECT_EQ(message, plaintext);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
TEST_P(ImportKeyTest, HmacSha256KeySuccess) {
char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
string key(key_data, sizeof(key_data));
ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
.HmacKey(sizeof(key_data) * 8)
.Digest(KM_DIGEST_SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 256),
KM_KEY_FORMAT_RAW, key));
EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
string message = "Hello World!";
string signature;
MacMessage(message, &signature, 256);
VerifyMac(message, signature);
EXPECT_EQ(0, GetParam()->keymaster0_calls());
}
typedef Keymaster1Test EncryptionOperationsTest;
INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params);
TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
string message = "12345678901234567890123456789012";
string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE);
EXPECT_EQ(256U / 8, ciphertext1.size());
string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE);
EXPECT_EQ(256U / 8, ciphertext2.size());
// Unpadded RSA is deterministic
EXPECT_EQ(ciphertext1, ciphertext2);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
string message = "1";
string ciphertext = EncryptMessage(message, KM_PAD_NONE);
EXPECT_EQ(256U / 8, ciphertext.size());
string expected_plaintext = string(256 / 8 - 1, 0) + message;
string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE);
EXPECT_EQ(expected_plaintext, plaintext);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
string message = "123456789012345678901234567890123";
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) {
ASSERT_EQ(KM_ERROR_OK,
GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
string exported;
ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported));
const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data());
unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get()));
size_t modulus_len = BN_num_bytes(rsa->n);
ASSERT_EQ(256U / 8, modulus_len);
unique_ptr<uint8_t> modulus_buf(new uint8_t[modulus_len]);
BN_bn2bin(rsa->n, modulus_buf.get());
// The modulus is too big to encrypt.
string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
string result;
size_t input_consumed;
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result));
// One smaller than the modulus is okay.
BN_sub(rsa->n, rsa->n, BN_value_one());
modulus_len = BN_num_bytes(rsa->n);
ASSERT_EQ(256U / 8, modulus_len);
BN_bn2bin(rsa->n, modulus_buf.get());
message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
size_t key_size = 768;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_256)));
string message = "Hello";
string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext1.size());
string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext2.size());
// OAEP randomizes padding so every result should be different.
EXPECT_NE(ciphertext1, ciphertext2);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) {
size_t key_size = 768;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_224)));
string message = "Hello";
string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext1.size());
string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext2.size());
// OAEP randomizes padding so every result should be different.
EXPECT_NE(ciphertext1, ciphertext2);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) {
size_t key_size = 768;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_256)));
string message = "Hello World!";
string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext.size());
string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
EXPECT_EQ(message, plaintext);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) {
size_t key_size = 768;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(key_size, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_224)));
string message = "Hello World!";
string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
EXPECT_EQ(key_size / 8, ciphertext.size());
string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
EXPECT_EQ(message, plaintext);
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(512, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_NONE)));
string message = "Hello World!";
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) {
if (GetParam()->minimal_digest_set())
// We don't have two supported digests, so we can't try authorizing one and using another.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(512, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_256)));
string message = "Hello World!";
// Works because encryption is a public key operation.
EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP);
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(3, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
if (GetParam()->minimal_digest_set())
// We don't have two supported digests, so we can't try encrypting with one and decrypting
// with another.
return;
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(768, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA_2_256)
.Digest(KM_DIGEST_SHA_2_384)));
string message = "Hello World!";
string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
string result;
size_t input_consumed;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
EXPECT_EQ(0U, result.size());
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(4, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
.RsaEncryptionKey(512, 3)
.Padding(KM_PAD_RSA_OAEP)
.Digest(KM_DIGEST_SHA1)));
string message = "12345678901234567890123";
string result;
size_t input_consumed;
AuthorizationSet begin_params(client_params());
begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
EXPECT_EQ(0U, result.size());
if (GetParam()->algorithm_in_km0_hardware(KM_ALGORITHM_RSA))
EXPECT_EQ(2, GetParam()->keymaster0_calls());
}
TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) {
size_t key_size =