• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2013 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.keystore.cts;
18 
19 import android.app.KeyguardManager;
20 import android.content.Context;
21 import android.content.pm.PackageManager;
22 import android.security.KeyPairGeneratorSpec;
23 import android.security.KeyStoreParameter;
24 import android.security.keystore.KeyProperties;
25 import android.security.keystore.KeyProtection;
26 import android.test.AndroidTestCase;
27 import android.test.MoreAsserts;
28 import android.test.suitebuilder.annotation.LargeTest;
29 import android.util.Log;
30 
31 import android.keystore.cts.R;
32 
33 import java.io.ByteArrayInputStream;
34 import java.io.ByteArrayOutputStream;
35 import java.io.OutputStream;
36 import java.math.BigInteger;
37 import java.security.AlgorithmParameters;
38 import java.security.Key;
39 import java.security.KeyFactory;
40 import java.security.KeyPairGenerator;
41 import java.security.KeyStore;
42 import java.security.KeyStore.Entry;
43 import java.security.KeyStore.PrivateKeyEntry;
44 import java.security.KeyStore.TrustedCertificateEntry;
45 import java.security.KeyStoreException;
46 import java.security.PrivateKey;
47 import java.security.PublicKey;
48 import java.security.Signature;
49 import java.security.cert.Certificate;
50 import java.security.cert.CertificateFactory;
51 import java.security.interfaces.ECKey;
52 import java.security.interfaces.RSAKey;
53 import java.security.spec.PKCS8EncodedKeySpec;
54 import java.util.ArrayList;
55 import java.util.Arrays;
56 import java.util.Calendar;
57 import java.util.Collection;
58 import java.util.Date;
59 import java.util.Enumeration;
60 import java.util.HashSet;
61 import java.util.Iterator;
62 import java.util.Set;
63 
64 import javax.crypto.BadPaddingException;
65 import javax.crypto.Cipher;
66 import javax.crypto.IllegalBlockSizeException;
67 import javax.crypto.Mac;
68 import javax.crypto.SecretKey;
69 import javax.security.auth.x500.X500Principal;
70 
71 public class AndroidKeyStoreTest extends AndroidTestCase {
72     private static final String TAG = AndroidKeyStoreTest.class.getSimpleName();
73 
74     private KeyStore mKeyStore;
75 
76     private static final String TEST_ALIAS_1 = "test1";
77 
78     private static final String TEST_ALIAS_2 = "test2";
79 
80     private static final String TEST_ALIAS_3 = "test3";
81 
82     private long mMaxTestDurationMillis;
83 
84     /*
85      * The keys and certificates below are generated with:
86      *
87      * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem
88      * openssl req -newkey rsa:1024 -keyout userkey.pem -nodes -days 3650 -out userkey.req
89      * mkdir -p demoCA/newcerts
90      * touch demoCA/index.txt
91      * echo "01" > demoCA/serial
92      * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650
93      */
94 
95     /**
96      * Generated from above and converted with:
97      *
98      * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
99      */
100     private static final byte[] FAKE_RSA_CA_1 = {
101             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0xce, (byte) 0x30, (byte) 0x82,
102             (byte) 0x02, (byte) 0x37, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
103             (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0x6a,
104             (byte) 0xa2, (byte) 0xf4, (byte) 0x2e, (byte) 0x55, (byte) 0x48, (byte) 0x0a,
105             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
106             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
107             (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31,
108             (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
109             (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53,
110             (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03,
111             (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43,
112             (byte) 0x41, (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06,
113             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d,
114             (byte) 0x4d, (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61,
115             (byte) 0x69, (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65,
116             (byte) 0x77, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06,
117             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12,
118             (byte) 0x41, (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69,
119             (byte) 0x64, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74,
120             (byte) 0x20, (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73,
121             (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32,
122             (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x34, (byte) 0x31, (byte) 0x36,
123             (byte) 0x35, (byte) 0x35, (byte) 0x34, (byte) 0x34, (byte) 0x5a, (byte) 0x17,
124             (byte) 0x0d, (byte) 0x32, (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31,
125             (byte) 0x32, (byte) 0x31, (byte) 0x36, (byte) 0x35, (byte) 0x35, (byte) 0x34,
126             (byte) 0x34, (byte) 0x5a, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b,
127             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
128             (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31,
129             (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
130             (byte) 0x04, (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41,
131             (byte) 0x31, (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03,
132             (byte) 0x55, (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d,
133             (byte) 0x6f, (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69,
134             (byte) 0x6e, (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77,
135             (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03,
136             (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41,
137             (byte) 0x6e, (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64,
138             (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20,
139             (byte) 0x43, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30,
140             (byte) 0x81, (byte) 0x9f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
141             (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
142             (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03,
143             (byte) 0x81, (byte) 0x8d, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89,
144             (byte) 0x02, (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0xa3, (byte) 0x72,
145             (byte) 0xab, (byte) 0xd0, (byte) 0xe4, (byte) 0xad, (byte) 0x2f, (byte) 0xe7,
146             (byte) 0xe2, (byte) 0x79, (byte) 0x07, (byte) 0x36, (byte) 0x3d, (byte) 0x0c,
147             (byte) 0x8d, (byte) 0x42, (byte) 0x9a, (byte) 0x0a, (byte) 0x33, (byte) 0x64,
148             (byte) 0xb3, (byte) 0xcd, (byte) 0xb2, (byte) 0xd7, (byte) 0x3a, (byte) 0x42,
149             (byte) 0x06, (byte) 0x77, (byte) 0x45, (byte) 0x29, (byte) 0xe9, (byte) 0xcb,
150             (byte) 0xb7, (byte) 0x4a, (byte) 0xd6, (byte) 0xee, (byte) 0xad, (byte) 0x01,
151             (byte) 0x91, (byte) 0x9b, (byte) 0x0c, (byte) 0x59, (byte) 0xa1, (byte) 0x03,
152             (byte) 0xfa, (byte) 0xf0, (byte) 0x5a, (byte) 0x7c, (byte) 0x4f, (byte) 0xf7,
153             (byte) 0x8d, (byte) 0x36, (byte) 0x0f, (byte) 0x1f, (byte) 0x45, (byte) 0x7d,
154             (byte) 0x1b, (byte) 0x31, (byte) 0xa1, (byte) 0x35, (byte) 0x0b, (byte) 0x00,
155             (byte) 0xed, (byte) 0x7a, (byte) 0xb6, (byte) 0xc8, (byte) 0x4e, (byte) 0xa9,
156             (byte) 0x86, (byte) 0x4c, (byte) 0x7b, (byte) 0x99, (byte) 0x57, (byte) 0x41,
157             (byte) 0x12, (byte) 0xef, (byte) 0x6b, (byte) 0xbc, (byte) 0x3d, (byte) 0x60,
158             (byte) 0xf2, (byte) 0x99, (byte) 0x1a, (byte) 0xcd, (byte) 0xed, (byte) 0x56,
159             (byte) 0xa4, (byte) 0xe5, (byte) 0x36, (byte) 0x9f, (byte) 0x24, (byte) 0x1f,
160             (byte) 0xdc, (byte) 0x89, (byte) 0x40, (byte) 0xc8, (byte) 0x99, (byte) 0x92,
161             (byte) 0xab, (byte) 0x4a, (byte) 0xb5, (byte) 0x61, (byte) 0x45, (byte) 0x62,
162             (byte) 0xff, (byte) 0xa3, (byte) 0x45, (byte) 0x65, (byte) 0xaf, (byte) 0xf6,
163             (byte) 0x27, (byte) 0x30, (byte) 0x51, (byte) 0x0e, (byte) 0x0e, (byte) 0xeb,
164             (byte) 0x79, (byte) 0x0c, (byte) 0xbe, (byte) 0xb3, (byte) 0x0a, (byte) 0x6f,
165             (byte) 0x29, (byte) 0x06, (byte) 0xdc, (byte) 0x2f, (byte) 0x6b, (byte) 0x51,
166             (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3,
167             (byte) 0x81, (byte) 0xb1, (byte) 0x30, (byte) 0x81, (byte) 0xae, (byte) 0x30,
168             (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e,
169             (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x33, (byte) 0x05,
170             (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60, (byte) 0xc7, (byte) 0xf9,
171             (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c, (byte) 0x8f, (byte) 0x6d,
172             (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e, (byte) 0x5d, (byte) 0x51,
173             (byte) 0x30, (byte) 0x7f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d,
174             (byte) 0x23, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x80,
175             (byte) 0x14, (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f,
176             (byte) 0x60, (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73,
177             (byte) 0x5c, (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97,
178             (byte) 0x8e, (byte) 0x5d, (byte) 0x51, (byte) 0xa1, (byte) 0x53, (byte) 0xa4,
179             (byte) 0x51, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
180             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
181             (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b,
182             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
183             (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31,
184             (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55,
185             (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f,
186             (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e,
187             (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31,
188             (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55,
189             (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e,
190             (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20,
191             (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43,
192             (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x82, (byte) 0x09,
193             (byte) 0x00, (byte) 0xe1, (byte) 0x6a, (byte) 0xa2, (byte) 0xf4, (byte) 0x2e,
194             (byte) 0x55, (byte) 0x48, (byte) 0x0a, (byte) 0x30, (byte) 0x0c, (byte) 0x06,
195             (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x05,
196             (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x30,
197             (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48,
198             (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05,
199             (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81, (byte) 0x00,
200             (byte) 0x8c, (byte) 0x30, (byte) 0x42, (byte) 0xfa, (byte) 0xeb, (byte) 0x1a,
201             (byte) 0x26, (byte) 0xeb, (byte) 0xda, (byte) 0x56, (byte) 0x32, (byte) 0xf2,
202             (byte) 0x9d, (byte) 0xa5, (byte) 0x24, (byte) 0xd8, (byte) 0x3a, (byte) 0xda,
203             (byte) 0x30, (byte) 0xa6, (byte) 0x8b, (byte) 0x46, (byte) 0xfe, (byte) 0xfe,
204             (byte) 0xdb, (byte) 0xf1, (byte) 0xe6, (byte) 0xe1, (byte) 0x7c, (byte) 0x1b,
205             (byte) 0xe7, (byte) 0x77, (byte) 0x00, (byte) 0xa1, (byte) 0x1c, (byte) 0x19,
206             (byte) 0x17, (byte) 0x73, (byte) 0xb0, (byte) 0xf0, (byte) 0x9d, (byte) 0xf3,
207             (byte) 0x4f, (byte) 0xb6, (byte) 0xbc, (byte) 0xc7, (byte) 0x47, (byte) 0x85,
208             (byte) 0x2a, (byte) 0x4a, (byte) 0xa1, (byte) 0xa5, (byte) 0x58, (byte) 0xf5,
209             (byte) 0xc5, (byte) 0x1a, (byte) 0x51, (byte) 0xb1, (byte) 0x04, (byte) 0x80,
210             (byte) 0xee, (byte) 0x3a, (byte) 0xec, (byte) 0x2f, (byte) 0xe1, (byte) 0xfd,
211             (byte) 0x58, (byte) 0xeb, (byte) 0xed, (byte) 0x82, (byte) 0x9e, (byte) 0x38,
212             (byte) 0xa3, (byte) 0x24, (byte) 0x75, (byte) 0xf7, (byte) 0x3e, (byte) 0xc2,
213             (byte) 0xc5, (byte) 0x27, (byte) 0xeb, (byte) 0x6f, (byte) 0x7b, (byte) 0x50,
214             (byte) 0xda, (byte) 0x43, (byte) 0xdc, (byte) 0x3b, (byte) 0x0b, (byte) 0x6f,
215             (byte) 0x78, (byte) 0x8f, (byte) 0xb0, (byte) 0x66, (byte) 0xe1, (byte) 0x12,
216             (byte) 0x87, (byte) 0x5f, (byte) 0x97, (byte) 0x7b, (byte) 0xca, (byte) 0x14,
217             (byte) 0x79, (byte) 0xf7, (byte) 0xe8, (byte) 0x6c, (byte) 0x72, (byte) 0xdb,
218             (byte) 0x91, (byte) 0x65, (byte) 0x17, (byte) 0x54, (byte) 0xe0, (byte) 0x74,
219             (byte) 0x1d, (byte) 0xac, (byte) 0x47, (byte) 0x04, (byte) 0x12, (byte) 0xe0,
220             (byte) 0xc3, (byte) 0x66, (byte) 0x19, (byte) 0x05, (byte) 0x2e, (byte) 0x7e,
221             (byte) 0xf1, (byte) 0x61
222     };
223 
224     /**
225      * Generated from above and converted with:
226      *
227      * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g'
228      */
229     private static final byte[] FAKE_RSA_KEY_1 = new byte[] {
230             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x78, (byte) 0x02, (byte) 0x01,
231             (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a,
232             (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01,
233             (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x82,
234             (byte) 0x02, (byte) 0x62, (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x5e,
235             (byte) 0x02, (byte) 0x01, (byte) 0x00, (byte) 0x02, (byte) 0x81, (byte) 0x81,
236             (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6, (byte) 0x5b,
237             (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c, (byte) 0x66,
238             (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86, (byte) 0x8a,
239             (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3, (byte) 0x02,
240             (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08, (byte) 0xf3,
241             (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04, (byte) 0x6d,
242             (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f, (byte) 0x67,
243             (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c, (byte) 0xcb,
244             (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30, (byte) 0xe2,
245             (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5, (byte) 0x79,
246             (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b, (byte) 0xce,
247             (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb, (byte) 0x08,
248             (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff, (byte) 0x3b,
249             (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9, (byte) 0xc4,
250             (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29, (byte) 0x0d,
251             (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b, (byte) 0x23,
252             (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78, (byte) 0x08,
253             (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5, (byte) 0xf1,
254             (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19, (byte) 0xb4,
255             (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03, (byte) 0x16,
256             (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce, (byte) 0x9e,
257             (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03, (byte) 0x01,
258             (byte) 0x00, (byte) 0x01, (byte) 0x02, (byte) 0x81, (byte) 0x80, (byte) 0x16,
259             (byte) 0x59, (byte) 0xc3, (byte) 0x24, (byte) 0x1d, (byte) 0x33, (byte) 0x98,
260             (byte) 0x9c, (byte) 0xc9, (byte) 0xc8, (byte) 0x2c, (byte) 0x88, (byte) 0xbf,
261             (byte) 0x0a, (byte) 0x01, (byte) 0xce, (byte) 0xfb, (byte) 0x34, (byte) 0x7a,
262             (byte) 0x58, (byte) 0x7a, (byte) 0xb0, (byte) 0xbf, (byte) 0xa6, (byte) 0xb2,
263             (byte) 0x60, (byte) 0xbe, (byte) 0x70, (byte) 0x21, (byte) 0xf5, (byte) 0xfc,
264             (byte) 0x85, (byte) 0x0d, (byte) 0x33, (byte) 0x58, (byte) 0xa1, (byte) 0xe5,
265             (byte) 0x09, (byte) 0x36, (byte) 0x84, (byte) 0xb2, (byte) 0x04, (byte) 0x0a,
266             (byte) 0x02, (byte) 0xd3, (byte) 0x88, (byte) 0x1f, (byte) 0x0c, (byte) 0x2b,
267             (byte) 0x1d, (byte) 0xe9, (byte) 0x3d, (byte) 0xe7, (byte) 0x79, (byte) 0xf9,
268             (byte) 0x32, (byte) 0x5c, (byte) 0x8a, (byte) 0x75, (byte) 0x49, (byte) 0x12,
269             (byte) 0xe4, (byte) 0x05, (byte) 0x26, (byte) 0xd4, (byte) 0x2e, (byte) 0x9e,
270             (byte) 0x1f, (byte) 0xcc, (byte) 0x54, (byte) 0xad, (byte) 0x33, (byte) 0x8d,
271             (byte) 0x99, (byte) 0x00, (byte) 0xdc, (byte) 0xf5, (byte) 0xb4, (byte) 0xa2,
272             (byte) 0x2f, (byte) 0xba, (byte) 0xe5, (byte) 0x62, (byte) 0x30, (byte) 0x6d,
273             (byte) 0xe6, (byte) 0x3d, (byte) 0xeb, (byte) 0x24, (byte) 0xc2, (byte) 0xdc,
274             (byte) 0x5f, (byte) 0xb7, (byte) 0x16, (byte) 0x35, (byte) 0xa3, (byte) 0x98,
275             (byte) 0x98, (byte) 0xa8, (byte) 0xef, (byte) 0xe8, (byte) 0xc4, (byte) 0x96,
276             (byte) 0x6d, (byte) 0x38, (byte) 0xab, (byte) 0x26, (byte) 0x6d, (byte) 0x30,
277             (byte) 0xc2, (byte) 0xa0, (byte) 0x44, (byte) 0xe4, (byte) 0xff, (byte) 0x7e,
278             (byte) 0xbe, (byte) 0x7c, (byte) 0x33, (byte) 0xa5, (byte) 0x10, (byte) 0xad,
279             (byte) 0xd7, (byte) 0x1e, (byte) 0x13, (byte) 0x20, (byte) 0xb3, (byte) 0x1f,
280             (byte) 0x41, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xf1, (byte) 0x89,
281             (byte) 0x07, (byte) 0x0f, (byte) 0xe8, (byte) 0xcf, (byte) 0xab, (byte) 0x13,
282             (byte) 0x2a, (byte) 0x8f, (byte) 0x88, (byte) 0x80, (byte) 0x11, (byte) 0x9a,
283             (byte) 0x79, (byte) 0xb6, (byte) 0x59, (byte) 0x3a, (byte) 0x50, (byte) 0x6e,
284             (byte) 0x57, (byte) 0x37, (byte) 0xab, (byte) 0x2a, (byte) 0xd2, (byte) 0xaa,
285             (byte) 0xd9, (byte) 0x72, (byte) 0x73, (byte) 0xff, (byte) 0x8b, (byte) 0x47,
286             (byte) 0x76, (byte) 0xdd, (byte) 0xdc, (byte) 0xf5, (byte) 0x97, (byte) 0x44,
287             (byte) 0x3a, (byte) 0x78, (byte) 0xbe, (byte) 0x17, (byte) 0xb4, (byte) 0x22,
288             (byte) 0x6f, (byte) 0xe5, (byte) 0x23, (byte) 0x70, (byte) 0x1d, (byte) 0x10,
289             (byte) 0x5d, (byte) 0xba, (byte) 0x16, (byte) 0x81, (byte) 0xf1, (byte) 0x45,
290             (byte) 0xce, (byte) 0x30, (byte) 0xb4, (byte) 0xab, (byte) 0x80, (byte) 0xe4,
291             (byte) 0x98, (byte) 0x31, (byte) 0x02, (byte) 0x41, (byte) 0x00, (byte) 0xda,
292             (byte) 0x82, (byte) 0x9d, (byte) 0x3f, (byte) 0xca, (byte) 0x2f, (byte) 0xe1,
293             (byte) 0xd4, (byte) 0x86, (byte) 0x77, (byte) 0x48, (byte) 0xa6, (byte) 0xab,
294             (byte) 0xab, (byte) 0x1c, (byte) 0x42, (byte) 0x5c, (byte) 0xd5, (byte) 0xc7,
295             (byte) 0x46, (byte) 0x59, (byte) 0x91, (byte) 0x3f, (byte) 0xfc, (byte) 0xcc,
296             (byte) 0xec, (byte) 0xc2, (byte) 0x40, (byte) 0x12, (byte) 0x2c, (byte) 0x8d,
297             (byte) 0x1f, (byte) 0xa2, (byte) 0x18, (byte) 0x88, (byte) 0xee, (byte) 0x82,
298             (byte) 0x4a, (byte) 0x5a, (byte) 0x5e, (byte) 0x88, (byte) 0x20, (byte) 0xe3,
299             (byte) 0x7b, (byte) 0xe0, (byte) 0xd8, (byte) 0x3a, (byte) 0x52, (byte) 0x9a,
300             (byte) 0x26, (byte) 0x6a, (byte) 0x04, (byte) 0xec, (byte) 0xe8, (byte) 0xb9,
301             (byte) 0x48, (byte) 0x40, (byte) 0xe1, (byte) 0xe1, (byte) 0x83, (byte) 0xa6,
302             (byte) 0x67, (byte) 0xa6, (byte) 0xfd, (byte) 0x02, (byte) 0x41, (byte) 0x00,
303             (byte) 0x89, (byte) 0x72, (byte) 0x3e, (byte) 0xb0, (byte) 0x90, (byte) 0xfd,
304             (byte) 0x4c, (byte) 0x0e, (byte) 0xd6, (byte) 0x13, (byte) 0x63, (byte) 0xcb,
305             (byte) 0xed, (byte) 0x38, (byte) 0x88, (byte) 0xb6, (byte) 0x79, (byte) 0xc4,
306             (byte) 0x33, (byte) 0x6c, (byte) 0xf6, (byte) 0xf8, (byte) 0xd8, (byte) 0xd0,
307             (byte) 0xbf, (byte) 0x9d, (byte) 0x35, (byte) 0xac, (byte) 0x69, (byte) 0xd2,
308             (byte) 0x2b, (byte) 0xc1, (byte) 0xf9, (byte) 0x24, (byte) 0x7b, (byte) 0xce,
309             (byte) 0xcd, (byte) 0xcb, (byte) 0xa7, (byte) 0xb2, (byte) 0x7a, (byte) 0x0a,
310             (byte) 0x27, (byte) 0x19, (byte) 0xc9, (byte) 0xaf, (byte) 0x0d, (byte) 0x21,
311             (byte) 0x89, (byte) 0x88, (byte) 0x7c, (byte) 0xad, (byte) 0x9e, (byte) 0x8d,
312             (byte) 0x47, (byte) 0x6d, (byte) 0x3f, (byte) 0xce, (byte) 0x7b, (byte) 0xa1,
313             (byte) 0x74, (byte) 0xf1, (byte) 0xa0, (byte) 0xa1, (byte) 0x02, (byte) 0x41,
314             (byte) 0x00, (byte) 0xd9, (byte) 0xa8, (byte) 0xf5, (byte) 0xfe, (byte) 0xce,
315             (byte) 0xe6, (byte) 0x77, (byte) 0x6b, (byte) 0xfe, (byte) 0x2d, (byte) 0xe0,
316             (byte) 0x1e, (byte) 0xb6, (byte) 0x2e, (byte) 0x12, (byte) 0x4e, (byte) 0x40,
317             (byte) 0xaf, (byte) 0x6a, (byte) 0x7b, (byte) 0x37, (byte) 0x49, (byte) 0x2a,
318             (byte) 0x96, (byte) 0x25, (byte) 0x83, (byte) 0x49, (byte) 0xd4, (byte) 0x0c,
319             (byte) 0xc6, (byte) 0x78, (byte) 0x25, (byte) 0x24, (byte) 0x90, (byte) 0x90,
320             (byte) 0x06, (byte) 0x15, (byte) 0x9e, (byte) 0xfe, (byte) 0xf9, (byte) 0xdf,
321             (byte) 0x5b, (byte) 0xf3, (byte) 0x7e, (byte) 0x38, (byte) 0x70, (byte) 0xeb,
322             (byte) 0x57, (byte) 0xd0, (byte) 0xd9, (byte) 0xa7, (byte) 0x0e, (byte) 0x14,
323             (byte) 0xf7, (byte) 0x95, (byte) 0x68, (byte) 0xd5, (byte) 0xc8, (byte) 0xab,
324             (byte) 0x9d, (byte) 0x3a, (byte) 0x2b, (byte) 0x51, (byte) 0xf9, (byte) 0x02,
325             (byte) 0x41, (byte) 0x00, (byte) 0x96, (byte) 0xdf, (byte) 0xe9, (byte) 0x67,
326             (byte) 0x6c, (byte) 0xdc, (byte) 0x90, (byte) 0x14, (byte) 0xb4, (byte) 0x1d,
327             (byte) 0x22, (byte) 0x33, (byte) 0x4a, (byte) 0x31, (byte) 0xc1, (byte) 0x9d,
328             (byte) 0x2e, (byte) 0xff, (byte) 0x9a, (byte) 0x2a, (byte) 0x95, (byte) 0x4b,
329             (byte) 0x27, (byte) 0x74, (byte) 0xcb, (byte) 0x21, (byte) 0xc3, (byte) 0xd2,
330             (byte) 0x0b, (byte) 0xb2, (byte) 0x46, (byte) 0x87, (byte) 0xf8, (byte) 0x28,
331             (byte) 0x01, (byte) 0x8b, (byte) 0xd8, (byte) 0xb9, (byte) 0x4b, (byte) 0xcd,
332             (byte) 0x9a, (byte) 0x96, (byte) 0x41, (byte) 0x0e, (byte) 0x36, (byte) 0x6d,
333             (byte) 0x40, (byte) 0x42, (byte) 0xbc, (byte) 0xd9, (byte) 0xd3, (byte) 0x7b,
334             (byte) 0xbc, (byte) 0xa7, (byte) 0x92, (byte) 0x90, (byte) 0xdd, (byte) 0xa1,
335             (byte) 0x9c, (byte) 0xce, (byte) 0xa1, (byte) 0x87, (byte) 0x11, (byte) 0x51
336     };
337 
338     /**
339      * Generated from above and converted with:
340      *
341      * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
342      */
343     private static final byte[] FAKE_RSA_USER_1 = new byte[] {
344             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x95, (byte) 0x30, (byte) 0x82,
345             (byte) 0x01, (byte) 0xfe, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
346             (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d,
347             (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86,
348             (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05,
349             (byte) 0x00, (byte) 0x30, (byte) 0x4f, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
350             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
351             (byte) 0x13, (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b,
352             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
353             (byte) 0x08, (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31,
354             (byte) 0x16, (byte) 0x30, (byte) 0x14, (byte) 0x06, (byte) 0x03, (byte) 0x55,
355             (byte) 0x04, (byte) 0x07, (byte) 0x13, (byte) 0x0d, (byte) 0x4d, (byte) 0x6f,
356             (byte) 0x75, (byte) 0x6e, (byte) 0x74, (byte) 0x61, (byte) 0x69, (byte) 0x6e,
357             (byte) 0x20, (byte) 0x56, (byte) 0x69, (byte) 0x65, (byte) 0x77, (byte) 0x31,
358             (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55,
359             (byte) 0x04, (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e,
360             (byte) 0x64, (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20,
361             (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43,
362             (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x30, (byte) 0x1e,
363             (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x38,
364             (byte) 0x31, (byte) 0x34, (byte) 0x32, (byte) 0x33, (byte) 0x32, (byte) 0x35,
365             (byte) 0x34, (byte) 0x38, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32,
366             (byte) 0x32, (byte) 0x30, (byte) 0x38, (byte) 0x31, (byte) 0x32, (byte) 0x32,
367             (byte) 0x33, (byte) 0x32, (byte) 0x35, (byte) 0x34, (byte) 0x38, (byte) 0x5a,
368             (byte) 0x30, (byte) 0x55, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09,
369             (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13,
370             (byte) 0x02, (byte) 0x55, (byte) 0x53, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
371             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08,
372             (byte) 0x13, (byte) 0x02, (byte) 0x43, (byte) 0x41, (byte) 0x31, (byte) 0x1b,
373             (byte) 0x30, (byte) 0x19, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
374             (byte) 0x0a, (byte) 0x13, (byte) 0x12, (byte) 0x41, (byte) 0x6e, (byte) 0x64,
375             (byte) 0x72, (byte) 0x6f, (byte) 0x69, (byte) 0x64, (byte) 0x20, (byte) 0x54,
376             (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x43, (byte) 0x61,
377             (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x31, (byte) 0x1c, (byte) 0x30,
378             (byte) 0x1a, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03,
379             (byte) 0x13, (byte) 0x13, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76,
380             (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x2e, (byte) 0x65, (byte) 0x78,
381             (byte) 0x61, (byte) 0x6d, (byte) 0x70, (byte) 0x6c, (byte) 0x65, (byte) 0x2e,
382             (byte) 0x63, (byte) 0x6f, (byte) 0x6d, (byte) 0x30, (byte) 0x81, (byte) 0x9f,
383             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
384             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
385             (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d,
386             (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81,
387             (byte) 0x81, (byte) 0x00, (byte) 0xce, (byte) 0x29, (byte) 0xeb, (byte) 0xf6,
388             (byte) 0x5b, (byte) 0x25, (byte) 0xdc, (byte) 0xa1, (byte) 0xa6, (byte) 0x2c,
389             (byte) 0x66, (byte) 0xcb, (byte) 0x20, (byte) 0x90, (byte) 0x27, (byte) 0x86,
390             (byte) 0x8a, (byte) 0x44, (byte) 0x71, (byte) 0x50, (byte) 0xda, (byte) 0xd3,
391             (byte) 0x02, (byte) 0x77, (byte) 0x55, (byte) 0xe9, (byte) 0xe8, (byte) 0x08,
392             (byte) 0xf3, (byte) 0x36, (byte) 0x9a, (byte) 0xae, (byte) 0xab, (byte) 0x04,
393             (byte) 0x6d, (byte) 0x00, (byte) 0x99, (byte) 0xbf, (byte) 0x7d, (byte) 0x0f,
394             (byte) 0x67, (byte) 0x8b, (byte) 0x1d, (byte) 0xd4, (byte) 0x2b, (byte) 0x7c,
395             (byte) 0xcb, (byte) 0xcd, (byte) 0x33, (byte) 0xc7, (byte) 0x84, (byte) 0x30,
396             (byte) 0xe2, (byte) 0x45, (byte) 0x21, (byte) 0xb3, (byte) 0x75, (byte) 0xf5,
397             (byte) 0x79, (byte) 0x02, (byte) 0xda, (byte) 0x50, (byte) 0xa3, (byte) 0x8b,
398             (byte) 0xce, (byte) 0xc3, (byte) 0x8e, (byte) 0x0f, (byte) 0x25, (byte) 0xeb,
399             (byte) 0x08, (byte) 0x2c, (byte) 0xdd, (byte) 0x1c, (byte) 0xcf, (byte) 0xff,
400             (byte) 0x3b, (byte) 0xde, (byte) 0xb6, (byte) 0xaa, (byte) 0x2a, (byte) 0xa9,
401             (byte) 0xc4, (byte) 0x8a, (byte) 0x24, (byte) 0x24, (byte) 0xe6, (byte) 0x29,
402             (byte) 0x0d, (byte) 0x98, (byte) 0x4c, (byte) 0x32, (byte) 0xa1, (byte) 0x7b,
403             (byte) 0x23, (byte) 0x2b, (byte) 0x42, (byte) 0x30, (byte) 0xee, (byte) 0x78,
404             (byte) 0x08, (byte) 0x47, (byte) 0xad, (byte) 0xf2, (byte) 0x96, (byte) 0xd5,
405             (byte) 0xf1, (byte) 0x62, (byte) 0x42, (byte) 0x2d, (byte) 0x35, (byte) 0x19,
406             (byte) 0xb4, (byte) 0x3c, (byte) 0xc9, (byte) 0xc3, (byte) 0x5f, (byte) 0x03,
407             (byte) 0x16, (byte) 0x3a, (byte) 0x23, (byte) 0xac, (byte) 0xcb, (byte) 0xce,
408             (byte) 0x9e, (byte) 0x51, (byte) 0x2e, (byte) 0x6d, (byte) 0x02, (byte) 0x03,
409             (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x7b, (byte) 0x30,
410             (byte) 0x79, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
411             (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00,
412             (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86,
413             (byte) 0x48, (byte) 0x01, (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01,
414             (byte) 0x0d, (byte) 0x04, (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f,
415             (byte) 0x70, (byte) 0x65, (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c,
416             (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72,
417             (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43,
418             (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69,
419             (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d,
420             (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04,
421             (byte) 0x16, (byte) 0x04, (byte) 0x14, (byte) 0x32, (byte) 0xa1, (byte) 0x1e,
422             (byte) 0x6b, (byte) 0x69, (byte) 0x04, (byte) 0xfe, (byte) 0xb3, (byte) 0xcd,
423             (byte) 0xf8, (byte) 0xbb, (byte) 0x14, (byte) 0xcd, (byte) 0xff, (byte) 0xd4,
424             (byte) 0x16, (byte) 0xc3, (byte) 0xab, (byte) 0x44, (byte) 0x2f, (byte) 0x30,
425             (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23,
426             (byte) 0x04, (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14,
427             (byte) 0x33, (byte) 0x05, (byte) 0xee, (byte) 0xfe, (byte) 0x6f, (byte) 0x60,
428             (byte) 0xc7, (byte) 0xf9, (byte) 0xa9, (byte) 0xd2, (byte) 0x73, (byte) 0x5c,
429             (byte) 0x8f, (byte) 0x6d, (byte) 0xa2, (byte) 0x2f, (byte) 0x97, (byte) 0x8e,
430             (byte) 0x5d, (byte) 0x51, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09,
431             (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d,
432             (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03,
433             (byte) 0x81, (byte) 0x81, (byte) 0x00, (byte) 0x46, (byte) 0x42, (byte) 0xef,
434             (byte) 0x56, (byte) 0x89, (byte) 0x78, (byte) 0x90, (byte) 0x38, (byte) 0x24,
435             (byte) 0x9f, (byte) 0x8c, (byte) 0x7a, (byte) 0xce, (byte) 0x7a, (byte) 0xa5,
436             (byte) 0xb5, (byte) 0x1e, (byte) 0x74, (byte) 0x96, (byte) 0x34, (byte) 0x49,
437             (byte) 0x8b, (byte) 0xed, (byte) 0x44, (byte) 0xb3, (byte) 0xc9, (byte) 0x05,
438             (byte) 0xd7, (byte) 0x48, (byte) 0x55, (byte) 0x52, (byte) 0x59, (byte) 0x15,
439             (byte) 0x0b, (byte) 0xaa, (byte) 0x16, (byte) 0x86, (byte) 0xd2, (byte) 0x8e,
440             (byte) 0x16, (byte) 0x99, (byte) 0xe8, (byte) 0x5f, (byte) 0x11, (byte) 0x71,
441             (byte) 0x42, (byte) 0x55, (byte) 0xd1, (byte) 0xc4, (byte) 0x6f, (byte) 0x2e,
442             (byte) 0xa9, (byte) 0x64, (byte) 0x6f, (byte) 0xd8, (byte) 0xfd, (byte) 0x43,
443             (byte) 0x13, (byte) 0x24, (byte) 0xaa, (byte) 0x67, (byte) 0xe6, (byte) 0xf5,
444             (byte) 0xca, (byte) 0x80, (byte) 0x5e, (byte) 0x3a, (byte) 0x3e, (byte) 0xcc,
445             (byte) 0x4f, (byte) 0xba, (byte) 0x87, (byte) 0xe6, (byte) 0xae, (byte) 0xbf,
446             (byte) 0x8f, (byte) 0xd5, (byte) 0x28, (byte) 0x38, (byte) 0x58, (byte) 0x30,
447             (byte) 0x24, (byte) 0xf6, (byte) 0x53, (byte) 0x5b, (byte) 0x41, (byte) 0x53,
448             (byte) 0xe6, (byte) 0x45, (byte) 0xbc, (byte) 0xbe, (byte) 0xe6, (byte) 0xbb,
449             (byte) 0x5d, (byte) 0xd8, (byte) 0xa7, (byte) 0xf9, (byte) 0x64, (byte) 0x99,
450             (byte) 0x04, (byte) 0x43, (byte) 0x75, (byte) 0xd7, (byte) 0x2d, (byte) 0x32,
451             (byte) 0x0a, (byte) 0x94, (byte) 0xaf, (byte) 0x06, (byte) 0x34, (byte) 0xae,
452             (byte) 0x46, (byte) 0xbd, (byte) 0xda, (byte) 0x00, (byte) 0x0e, (byte) 0x25,
453             (byte) 0xc2, (byte) 0xf7, (byte) 0xc9, (byte) 0xc3, (byte) 0x65, (byte) 0xd2,
454             (byte) 0x08, (byte) 0x41, (byte) 0x0a, (byte) 0xf3, (byte) 0x72
455     };
456 
457     /*
458      * The keys and certificates below are generated with:
459      *
460      * openssl req -new -x509 -days 3650 -extensions v3_ca -keyout cakey.pem -out cacert.pem
461      * openssl ecparam -name prime256v1 -out ecparam.pem
462      * openssl req -newkey ec:ecparam.pem -keyout userkey.pem -nodes -days 3650 -out userkey.req
463      * mkdir -p demoCA/newcerts
464      * touch demoCA/index.txt
465      * echo "01" > demoCA/serial
466      * openssl ca -out usercert.pem -in userkey.req -cert cacert.pem -keyfile cakey.pem -days 3650
467      */
468 
469     /**
470      * Generated from above and converted with:
471      *
472      * openssl x509 -outform d -in cacert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
473      */
474     private static final byte[] FAKE_EC_CA_1 = {
475             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x58, (byte) 0x30, (byte) 0x82,
476             (byte) 0x01, (byte) 0xc1, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
477             (byte) 0x02, (byte) 0x02, (byte) 0x09, (byte) 0x00, (byte) 0xe1, (byte) 0xb2,
478             (byte) 0x8c, (byte) 0x04, (byte) 0x95, (byte) 0xeb, (byte) 0x10, (byte) 0xcb,
479             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
480             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
481             (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31,
482             (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55,
483             (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55,
484             (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03,
485             (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53,
486             (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74,
487             (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30,
488             (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a,
489             (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65,
490             (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57,
491             (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73,
492             (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c,
493             (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d,
494             (byte) 0x31, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37,
495             (byte) 0x31, (byte) 0x36, (byte) 0x32, (byte) 0x38, (byte) 0x32, (byte) 0x38,
496             (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30,
497             (byte) 0x38, (byte) 0x32, (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x32,
498             (byte) 0x38, (byte) 0x32, (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x45,
499             (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03,
500             (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41,
501             (byte) 0x55, (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06,
502             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a,
503             (byte) 0x53, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53,
504             (byte) 0x74, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21,
505             (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
506             (byte) 0x0a, (byte) 0x0c, (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74,
507             (byte) 0x65, (byte) 0x72, (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20,
508             (byte) 0x57, (byte) 0x69, (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74,
509             (byte) 0x73, (byte) 0x20, (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20,
510             (byte) 0x4c, (byte) 0x74, (byte) 0x64, (byte) 0x30, (byte) 0x81, (byte) 0x9f,
511             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
512             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
513             (byte) 0x01, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x8d,
514             (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x89, (byte) 0x02, (byte) 0x81,
515             (byte) 0x81, (byte) 0x00, (byte) 0xb5, (byte) 0xf6, (byte) 0x08, (byte) 0x0f,
516             (byte) 0xc4, (byte) 0x4d, (byte) 0xe4, (byte) 0x0d, (byte) 0x34, (byte) 0x1d,
517             (byte) 0xe2, (byte) 0x23, (byte) 0x18, (byte) 0x63, (byte) 0x03, (byte) 0xf7,
518             (byte) 0x14, (byte) 0x0e, (byte) 0x98, (byte) 0xcd, (byte) 0x45, (byte) 0x1f,
519             (byte) 0xfe, (byte) 0xfb, (byte) 0x09, (byte) 0x3f, (byte) 0x5d, (byte) 0x36,
520             (byte) 0x3b, (byte) 0x0f, (byte) 0xf9, (byte) 0x5e, (byte) 0x86, (byte) 0x56,
521             (byte) 0x64, (byte) 0xd7, (byte) 0x3f, (byte) 0xae, (byte) 0x33, (byte) 0x09,
522             (byte) 0xd3, (byte) 0xdd, (byte) 0x06, (byte) 0x17, (byte) 0x26, (byte) 0xdc,
523             (byte) 0xa2, (byte) 0x8c, (byte) 0x3c, (byte) 0x65, (byte) 0xed, (byte) 0x03,
524             (byte) 0x82, (byte) 0x78, (byte) 0x9b, (byte) 0xee, (byte) 0xe3, (byte) 0x98,
525             (byte) 0x58, (byte) 0xe1, (byte) 0xf1, (byte) 0xa0, (byte) 0x85, (byte) 0xae,
526             (byte) 0x63, (byte) 0x84, (byte) 0x41, (byte) 0x46, (byte) 0xa7, (byte) 0x4f,
527             (byte) 0xdc, (byte) 0xbb, (byte) 0x1c, (byte) 0x6e, (byte) 0xec, (byte) 0x7b,
528             (byte) 0xd5, (byte) 0xab, (byte) 0x3d, (byte) 0x6a, (byte) 0x05, (byte) 0x58,
529             (byte) 0x0f, (byte) 0x9b, (byte) 0x6a, (byte) 0x67, (byte) 0x4b, (byte) 0xe9,
530             (byte) 0x2a, (byte) 0x6d, (byte) 0x96, (byte) 0x11, (byte) 0x53, (byte) 0x95,
531             (byte) 0x78, (byte) 0xaa, (byte) 0xd1, (byte) 0x91, (byte) 0x4a, (byte) 0xf8,
532             (byte) 0x54, (byte) 0x52, (byte) 0x6d, (byte) 0xb9, (byte) 0xca, (byte) 0x74,
533             (byte) 0x81, (byte) 0xf8, (byte) 0x99, (byte) 0x64, (byte) 0xd1, (byte) 0x4f,
534             (byte) 0x01, (byte) 0x38, (byte) 0x4f, (byte) 0x08, (byte) 0x5c, (byte) 0x31,
535             (byte) 0xcb, (byte) 0x7c, (byte) 0x5c, (byte) 0x78, (byte) 0x5d, (byte) 0x47,
536             (byte) 0xd9, (byte) 0xf0, (byte) 0x1a, (byte) 0xeb, (byte) 0x02, (byte) 0x03,
537             (byte) 0x01, (byte) 0x00, (byte) 0x01, (byte) 0xa3, (byte) 0x50, (byte) 0x30,
538             (byte) 0x4e, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03, (byte) 0x55,
539             (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04, (byte) 0x14,
540             (byte) 0x5f, (byte) 0x5b, (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa,
541             (byte) 0xa1, (byte) 0x9f, (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1,
542             (byte) 0xbc, (byte) 0x20, (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4,
543             (byte) 0xfa, (byte) 0xe3, (byte) 0x30, (byte) 0x1f, (byte) 0x06, (byte) 0x03,
544             (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18, (byte) 0x30,
545             (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b, (byte) 0x5e,
546             (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f, (byte) 0x9e,
547             (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20, (byte) 0x72,
548             (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3, (byte) 0x30,
549             (byte) 0x0c, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13,
550             (byte) 0x04, (byte) 0x05, (byte) 0x30, (byte) 0x03, (byte) 0x01, (byte) 0x01,
551             (byte) 0xff, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a,
552             (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01,
553             (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81,
554             (byte) 0x81, (byte) 0x00, (byte) 0xa1, (byte) 0x4a, (byte) 0xe6, (byte) 0xfc,
555             (byte) 0x7f, (byte) 0x17, (byte) 0xaa, (byte) 0x65, (byte) 0x4a, (byte) 0x34,
556             (byte) 0xde, (byte) 0x69, (byte) 0x67, (byte) 0x54, (byte) 0x4d, (byte) 0xa2,
557             (byte) 0xc2, (byte) 0x98, (byte) 0x02, (byte) 0x43, (byte) 0x6a, (byte) 0x0e,
558             (byte) 0x0b, (byte) 0x7f, (byte) 0xa4, (byte) 0x46, (byte) 0xaf, (byte) 0xa4,
559             (byte) 0x65, (byte) 0xa0, (byte) 0xdb, (byte) 0xf1, (byte) 0x5b, (byte) 0xd5,
560             (byte) 0x09, (byte) 0xbc, (byte) 0xee, (byte) 0x37, (byte) 0x51, (byte) 0x19,
561             (byte) 0x36, (byte) 0xc0, (byte) 0x90, (byte) 0xd3, (byte) 0x5f, (byte) 0xf3,
562             (byte) 0x4f, (byte) 0xb9, (byte) 0x08, (byte) 0x45, (byte) 0x0e, (byte) 0x01,
563             (byte) 0x8a, (byte) 0x95, (byte) 0xef, (byte) 0x92, (byte) 0x95, (byte) 0x33,
564             (byte) 0x78, (byte) 0xdd, (byte) 0x90, (byte) 0xbb, (byte) 0xf3, (byte) 0x06,
565             (byte) 0x75, (byte) 0xd0, (byte) 0x66, (byte) 0xe6, (byte) 0xd0, (byte) 0x18,
566             (byte) 0x6e, (byte) 0xeb, (byte) 0x1c, (byte) 0x52, (byte) 0xc3, (byte) 0x2e,
567             (byte) 0x57, (byte) 0x7d, (byte) 0xa9, (byte) 0x03, (byte) 0xdb, (byte) 0xf4,
568             (byte) 0x57, (byte) 0x5f, (byte) 0x6c, (byte) 0x7e, (byte) 0x00, (byte) 0x0d,
569             (byte) 0x8f, (byte) 0xe8, (byte) 0x91, (byte) 0xf7, (byte) 0xae, (byte) 0x24,
570             (byte) 0x35, (byte) 0x07, (byte) 0xb5, (byte) 0x48, (byte) 0x2d, (byte) 0x36,
571             (byte) 0x30, (byte) 0x5d, (byte) 0xe9, (byte) 0x49, (byte) 0x2d, (byte) 0xd1,
572             (byte) 0x5d, (byte) 0xc5, (byte) 0xf4, (byte) 0x33, (byte) 0x77, (byte) 0x3c,
573             (byte) 0x71, (byte) 0xad, (byte) 0x90, (byte) 0x65, (byte) 0xa9, (byte) 0xc1,
574             (byte) 0x0b, (byte) 0x5c, (byte) 0x62, (byte) 0x55, (byte) 0x50, (byte) 0x6f,
575             (byte) 0x9b, (byte) 0xc9, (byte) 0x0d, (byte) 0xee
576     };
577 
578     /**
579      * Generated from above and converted with:
580      *
581      * openssl pkcs8 -topk8 -outform d -in userkey.pem -nocrypt | xxd -i | sed 's/0x/(byte) 0x/g'
582      */
583     private static final byte[] FAKE_EC_KEY_1 = new byte[] {
584             (byte) 0x30, (byte) 0x81, (byte) 0x87, (byte) 0x02, (byte) 0x01, (byte) 0x00,
585             (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, (byte) 0x86,
586             (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, (byte) 0x01, (byte) 0x06,
587             (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d,
588             (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x04, (byte) 0x6d, (byte) 0x30,
589             (byte) 0x6b, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x04, (byte) 0x20,
590             (byte) 0x3a, (byte) 0x8a, (byte) 0x02, (byte) 0xdc, (byte) 0xde, (byte) 0x70,
591             (byte) 0x84, (byte) 0x45, (byte) 0x34, (byte) 0xaf, (byte) 0xbd, (byte) 0xd5,
592             (byte) 0x02, (byte) 0x17, (byte) 0x69, (byte) 0x90, (byte) 0x65, (byte) 0x1e,
593             (byte) 0x87, (byte) 0xf1, (byte) 0x3d, (byte) 0x17, (byte) 0xb6, (byte) 0xf4,
594             (byte) 0x31, (byte) 0x94, (byte) 0x86, (byte) 0x76, (byte) 0x55, (byte) 0xf7,
595             (byte) 0xcc, (byte) 0xba, (byte) 0xa1, (byte) 0x44, (byte) 0x03, (byte) 0x42,
596             (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7, (byte) 0x9b,
597             (byte) 0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33, (byte) 0x14,
598             (byte) 0xa4, (byte) 0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3, (byte) 0xcd,
599             (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d, (byte) 0xf3,
600             (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f, (byte) 0x79,
601             (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3, (byte) 0xd1,
602             (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf, (byte) 0x50,
603             (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22, (byte) 0xe6,
604             (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68, (byte) 0x3b,
605             (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77, (byte) 0x5e,
606             (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2, (byte) 0x38
607     };
608 
609     /**
610      * Generated from above and converted with:
611      *
612      * openssl x509 -outform d -in usercert.pem | xxd -i | sed 's/0x/(byte) 0x/g'
613      */
614     private static final byte[] FAKE_EC_USER_1 = new byte[] {
615             (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x51, (byte) 0x30, (byte) 0x82,
616             (byte) 0x01, (byte) 0xba, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01,
617             (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0d,
618             (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86,
619             (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05,
620             (byte) 0x00, (byte) 0x30, (byte) 0x45, (byte) 0x31, (byte) 0x0b, (byte) 0x30,
621             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06,
622             (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31, (byte) 0x13,
623             (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
624             (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f, (byte) 0x6d,
625             (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61, (byte) 0x74,
626             (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 0x1f, (byte) 0x06,
627             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x18,
628             (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x6e,
629             (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69, (byte) 0x64,
630             (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20, (byte) 0x50,
631             (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74, (byte) 0x64,
632             (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x33,
633             (byte) 0x30, (byte) 0x38, (byte) 0x32, (byte) 0x37, (byte) 0x31, (byte) 0x36,
634             (byte) 0x33, (byte) 0x30, (byte) 0x30, (byte) 0x38, (byte) 0x5a, (byte) 0x17,
635             (byte) 0x0d, (byte) 0x32, (byte) 0x33, (byte) 0x30, (byte) 0x38, (byte) 0x32,
636             (byte) 0x35, (byte) 0x31, (byte) 0x36, (byte) 0x33, (byte) 0x30, (byte) 0x30,
637             (byte) 0x38, (byte) 0x5a, (byte) 0x30, (byte) 0x62, (byte) 0x31, (byte) 0x0b,
638             (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04,
639             (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x55, (byte) 0x31,
640             (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55,
641             (byte) 0x04, (byte) 0x08, (byte) 0x0c, (byte) 0x0a, (byte) 0x53, (byte) 0x6f,
642             (byte) 0x6d, (byte) 0x65, (byte) 0x2d, (byte) 0x53, (byte) 0x74, (byte) 0x61,
643             (byte) 0x74, (byte) 0x65, (byte) 0x31, (byte) 0x21, (byte) 0x30, (byte) 0x1f,
644             (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0a, (byte) 0x0c,
645             (byte) 0x18, (byte) 0x49, (byte) 0x6e, (byte) 0x74, (byte) 0x65, (byte) 0x72,
646             (byte) 0x6e, (byte) 0x65, (byte) 0x74, (byte) 0x20, (byte) 0x57, (byte) 0x69,
647             (byte) 0x64, (byte) 0x67, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x20,
648             (byte) 0x50, (byte) 0x74, (byte) 0x79, (byte) 0x20, (byte) 0x4c, (byte) 0x74,
649             (byte) 0x64, (byte) 0x31, (byte) 0x1b, (byte) 0x30, (byte) 0x19, (byte) 0x06,
650             (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x12,
651             (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x76, (byte) 0x65, (byte) 0x72,
652             (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x61, (byte) 0x6d, (byte) 0x70,
653             (byte) 0x6c, (byte) 0x65, (byte) 0x2e, (byte) 0x63, (byte) 0x6f, (byte) 0x6d,
654             (byte) 0x30, (byte) 0x59, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07,
655             (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02,
656             (byte) 0x01, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48,
657             (byte) 0xce, (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x07, (byte) 0x03,
658             (byte) 0x42, (byte) 0x00, (byte) 0x04, (byte) 0xd9, (byte) 0xcf, (byte) 0xe7,
659             (byte) 0x9b, (byte) 0x23, (byte) 0xc8, (byte) 0xa3, (byte) 0xb8, (byte) 0x33,
660             (byte) 0x14, (byte) 0xa4, (byte) 0x4d, (byte) 0x75, (byte) 0x90, (byte) 0xf3,
661             (byte) 0xcd, (byte) 0x43, (byte) 0xe5, (byte) 0x1b, (byte) 0x05, (byte) 0x1d,
662             (byte) 0xf3, (byte) 0xd0, (byte) 0xa3, (byte) 0xb7, (byte) 0x32, (byte) 0x5f,
663             (byte) 0x79, (byte) 0xdc, (byte) 0x88, (byte) 0xb8, (byte) 0x4d, (byte) 0xb3,
664             (byte) 0xd1, (byte) 0x6d, (byte) 0xf7, (byte) 0x75, (byte) 0xf3, (byte) 0xbf,
665             (byte) 0x50, (byte) 0xa1, (byte) 0xbc, (byte) 0x03, (byte) 0x64, (byte) 0x22,
666             (byte) 0xe6, (byte) 0x1a, (byte) 0xa1, (byte) 0xe1, (byte) 0x06, (byte) 0x68,
667             (byte) 0x3b, (byte) 0xbc, (byte) 0x9f, (byte) 0xd3, (byte) 0xae, (byte) 0x77,
668             (byte) 0x5e, (byte) 0x88, (byte) 0x0c, (byte) 0x5e, (byte) 0x0c, (byte) 0xb2,
669             (byte) 0x38, (byte) 0xa3, (byte) 0x7b, (byte) 0x30, (byte) 0x79, (byte) 0x30,
670             (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13,
671             (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, (byte) 0x2c,
672             (byte) 0x06, (byte) 0x09, (byte) 0x60, (byte) 0x86, (byte) 0x48, (byte) 0x01,
673             (byte) 0x86, (byte) 0xf8, (byte) 0x42, (byte) 0x01, (byte) 0x0d, (byte) 0x04,
674             (byte) 0x1f, (byte) 0x16, (byte) 0x1d, (byte) 0x4f, (byte) 0x70, (byte) 0x65,
675             (byte) 0x6e, (byte) 0x53, (byte) 0x53, (byte) 0x4c, (byte) 0x20, (byte) 0x47,
676             (byte) 0x65, (byte) 0x6e, (byte) 0x65, (byte) 0x72, (byte) 0x61, (byte) 0x74,
677             (byte) 0x65, (byte) 0x64, (byte) 0x20, (byte) 0x43, (byte) 0x65, (byte) 0x72,
678             (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61,
679             (byte) 0x74, (byte) 0x65, (byte) 0x30, (byte) 0x1d, (byte) 0x06, (byte) 0x03,
680             (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x16, (byte) 0x04,
681             (byte) 0x14, (byte) 0xd5, (byte) 0xc4, (byte) 0x72, (byte) 0xbd, (byte) 0xd2,
682             (byte) 0x4e, (byte) 0x90, (byte) 0x1b, (byte) 0x14, (byte) 0x32, (byte) 0xdb,
683             (byte) 0x03, (byte) 0xae, (byte) 0xfa, (byte) 0x27, (byte) 0x7d, (byte) 0x8d,
684             (byte) 0xe4, (byte) 0x80, (byte) 0x58, (byte) 0x30, (byte) 0x1f, (byte) 0x06,
685             (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x18,
686             (byte) 0x30, (byte) 0x16, (byte) 0x80, (byte) 0x14, (byte) 0x5f, (byte) 0x5b,
687             (byte) 0x5e, (byte) 0xac, (byte) 0x29, (byte) 0xfa, (byte) 0xa1, (byte) 0x9f,
688             (byte) 0x9e, (byte) 0xad, (byte) 0x46, (byte) 0xe1, (byte) 0xbc, (byte) 0x20,
689             (byte) 0x72, (byte) 0xcf, (byte) 0x4a, (byte) 0xd4, (byte) 0xfa, (byte) 0xe3,
690             (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86,
691             (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01,
692             (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0x81,
693             (byte) 0x00, (byte) 0x43, (byte) 0x99, (byte) 0x9f, (byte) 0x67, (byte) 0x08,
694             (byte) 0x43, (byte) 0xd5, (byte) 0x6b, (byte) 0x6f, (byte) 0xd7, (byte) 0x05,
695             (byte) 0xd6, (byte) 0x75, (byte) 0x34, (byte) 0x30, (byte) 0xca, (byte) 0x20,
696             (byte) 0x47, (byte) 0x61, (byte) 0xa1, (byte) 0x89, (byte) 0xb6, (byte) 0xf1,
697             (byte) 0x49, (byte) 0x7b, (byte) 0xd9, (byte) 0xb9, (byte) 0xe8, (byte) 0x1e,
698             (byte) 0x29, (byte) 0x74, (byte) 0x0a, (byte) 0x67, (byte) 0xc0, (byte) 0x7d,
699             (byte) 0xb8, (byte) 0xe6, (byte) 0x39, (byte) 0xa8, (byte) 0x5e, (byte) 0xc3,
700             (byte) 0xb0, (byte) 0xa1, (byte) 0x30, (byte) 0x6a, (byte) 0x1f, (byte) 0x1d,
701             (byte) 0xfc, (byte) 0x11, (byte) 0x59, (byte) 0x0b, (byte) 0xb9, (byte) 0xad,
702             (byte) 0x3a, (byte) 0x4e, (byte) 0x50, (byte) 0x0a, (byte) 0x61, (byte) 0xdb,
703             (byte) 0x75, (byte) 0x6b, (byte) 0xe5, (byte) 0x3f, (byte) 0x8d, (byte) 0xde,
704             (byte) 0x28, (byte) 0x68, (byte) 0xb1, (byte) 0x29, (byte) 0x9a, (byte) 0x18,
705             (byte) 0x8a, (byte) 0xfc, (byte) 0x3f, (byte) 0x13, (byte) 0x93, (byte) 0x29,
706             (byte) 0xed, (byte) 0x22, (byte) 0x7c, (byte) 0xb4, (byte) 0x50, (byte) 0xd5,
707             (byte) 0x4d, (byte) 0x32, (byte) 0x4d, (byte) 0x42, (byte) 0x2b, (byte) 0x29,
708             (byte) 0x97, (byte) 0x86, (byte) 0xc0, (byte) 0x01, (byte) 0x00, (byte) 0x25,
709             (byte) 0xf6, (byte) 0xd3, (byte) 0x2a, (byte) 0xd8, (byte) 0xda, (byte) 0x13,
710             (byte) 0x94, (byte) 0x12, (byte) 0x78, (byte) 0x14, (byte) 0x0b, (byte) 0x51,
711             (byte) 0xc0, (byte) 0x45, (byte) 0xb4, (byte) 0x02, (byte) 0x37, (byte) 0x98,
712             (byte) 0x42, (byte) 0x3c, (byte) 0xcb, (byte) 0x2e, (byte) 0xe4, (byte) 0x38,
713             (byte) 0x69, (byte) 0x1b, (byte) 0x72, (byte) 0xf0, (byte) 0xaa, (byte) 0x89,
714             (byte) 0x7e, (byte) 0xde, (byte) 0xb2
715     };
716 
717     /**
718      * The amount of time to allow before and after expected time for variance
719      * in timing tests.
720      */
721     private static final long SLOP_TIME_MILLIS = 15000L;
722 
723     @Override
setUp()724     protected void setUp() throws Exception {
725         super.setUp();
726 
727         // Wipe any existing entries in the KeyStore
728         KeyStore ksTemp = KeyStore.getInstance("AndroidKeyStore");
729         ksTemp.load(null, null);
730         Enumeration<String> aliases = ksTemp.aliases();
731         while (aliases.hasMoreElements()) {
732             String alias = aliases.nextElement();
733             ksTemp.deleteEntry(alias);
734         }
735 
736         // Get a new instance because some tests need it uninitialized
737         mKeyStore = KeyStore.getInstance("AndroidKeyStore");
738 
739         // Use a longer timeout on watches, which are generally less performant.
740         mMaxTestDurationMillis =
741                 getContext().getPackageManager().hasSystemFeature(PackageManager.FEATURE_WATCH)
742                         ? LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_WATCH_MILLIS
743                         : LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS;
744     }
745 
746     @Override
tearDown()747     protected void tearDown() throws Exception {
748         try {
749             KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
750             keyStore.load(null, null);
751             Enumeration<String> aliases = keyStore.aliases();
752             while (aliases.hasMoreElements()) {
753                 String alias = aliases.nextElement();
754                 keyStore.deleteEntry(alias);
755             }
756         } finally {
757             super.tearDown();
758         }
759     }
760 
generatePrivateKey(String keyType, byte[] fakeKey1)761     private PrivateKey generatePrivateKey(String keyType, byte[] fakeKey1) throws Exception {
762         KeyFactory kf = KeyFactory.getInstance(keyType);
763         return kf.generatePrivate(new PKCS8EncodedKeySpec(fakeKey1));
764     }
765 
generateCertificate(byte[] fakeUser1)766     private Certificate generateCertificate(byte[] fakeUser1) throws Exception {
767         CertificateFactory cf = CertificateFactory.getInstance("X.509");
768         return cf.generateCertificate(new ByteArrayInputStream(fakeUser1));
769     }
770 
makeUserEcKey1()771     private PrivateKeyEntry makeUserEcKey1() throws Exception {
772         return new KeyStore.PrivateKeyEntry(generatePrivateKey("EC", FAKE_EC_KEY_1),
773                 new Certificate[] {
774                         generateCertificate(FAKE_EC_USER_1), generateCertificate(FAKE_EC_CA_1)
775                 });
776     }
777 
makeUserRsaKey1()778     private PrivateKeyEntry makeUserRsaKey1() throws Exception {
779         return new KeyStore.PrivateKeyEntry(generatePrivateKey("RSA", FAKE_RSA_KEY_1),
780                 new Certificate[] {
781                         generateCertificate(FAKE_RSA_USER_1), generateCertificate(FAKE_RSA_CA_1)
782                 });
783     }
784 
makeCa1()785     private Entry makeCa1() throws Exception {
786         return new KeyStore.TrustedCertificateEntry(generateCertificate(FAKE_RSA_CA_1));
787     }
788 
assertAliases(final String[] expectedAliases)789     private void assertAliases(final String[] expectedAliases) throws KeyStoreException {
790         final Enumeration<String> aliases = mKeyStore.aliases();
791         int count = 0;
792 
793         final Set<String> expectedSet = new HashSet<String>();
794         expectedSet.addAll(Arrays.asList(expectedAliases));
795 
796         while (aliases.hasMoreElements()) {
797             count++;
798             final String alias = aliases.nextElement();
799             assertTrue("The alias should be in the expected set", expectedSet.contains(alias));
800             expectedSet.remove(alias);
801         }
802         assertTrue("The expected set and actual set should be exactly equal", expectedSet.isEmpty());
803         assertEquals("There should be the correct number of keystore entries",
804                 expectedAliases.length, count);
805     }
806 
testKeyStore_Aliases_Unencrypted_Success()807     public void testKeyStore_Aliases_Unencrypted_Success() throws Exception {
808         mKeyStore.load(null, null);
809 
810         assertAliases(new String[] {});
811 
812         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
813 
814         assertAliases(new String[] { TEST_ALIAS_1 });
815 
816         mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);
817 
818         assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });
819     }
820 
testKeyStore_Aliases_NotInitialized_Unencrypted_Failure()821     public void testKeyStore_Aliases_NotInitialized_Unencrypted_Failure() throws Exception {
822         try {
823             mKeyStore.aliases();
824             fail("KeyStore should throw exception when not initialized");
825         } catch (KeyStoreException success) {
826         }
827     }
828 
testKeyStore_ContainsAliases_PrivateAndCA_Unencrypted_Success()829     public void testKeyStore_ContainsAliases_PrivateAndCA_Unencrypted_Success() throws Exception {
830         mKeyStore.load(null, null);
831 
832         assertAliases(new String[] {});
833 
834         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
835 
836         assertTrue("Should contain generated private key", mKeyStore.containsAlias(TEST_ALIAS_1));
837 
838         mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);
839 
840         assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));
841 
842         assertFalse("Should not contain unadded certificate alias",
843                 mKeyStore.containsAlias(TEST_ALIAS_3));
844     }
845 
testKeyStore_ContainsAliases_CAOnly_Unencrypted_Success()846     public void testKeyStore_ContainsAliases_CAOnly_Unencrypted_Success() throws Exception {
847         mKeyStore.load(null, null);
848 
849         mKeyStore.setEntry(TEST_ALIAS_2, makeCa1(), null);
850 
851         assertTrue("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_2));
852     }
853 
testKeyStore_ContainsAliases_NonExistent_Unencrypted_Failure()854     public void testKeyStore_ContainsAliases_NonExistent_Unencrypted_Failure() throws Exception {
855         mKeyStore.load(null, null);
856 
857         assertFalse("Should contain added CA certificate", mKeyStore.containsAlias(TEST_ALIAS_1));
858     }
859 
testKeyStore_DeleteEntry_Unencrypted_Success()860     public void testKeyStore_DeleteEntry_Unencrypted_Success() throws Exception {
861         mKeyStore.load(null, null);
862 
863         // TEST_ALIAS_1
864         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
865 
866         // TEST_ALIAS_2
867         mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));
868 
869         // TEST_ALIAS_3
870         mKeyStore.setCertificateEntry(TEST_ALIAS_3, generateCertificate(FAKE_RSA_CA_1));
871 
872         assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });
873 
874         mKeyStore.deleteEntry(TEST_ALIAS_1);
875 
876         assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });
877 
878         mKeyStore.deleteEntry(TEST_ALIAS_3);
879 
880         assertAliases(new String[] { TEST_ALIAS_2 });
881 
882         mKeyStore.deleteEntry(TEST_ALIAS_2);
883 
884         assertAliases(new String[] { });
885     }
886 
testKeyStore_DeleteEntry_EmptyStore_Unencrypted_Success()887     public void testKeyStore_DeleteEntry_EmptyStore_Unencrypted_Success() throws Exception {
888         mKeyStore.load(null, null);
889 
890         // Should not throw when a non-existent entry is requested for delete.
891         mKeyStore.deleteEntry(TEST_ALIAS_1);
892     }
893 
testKeyStore_DeleteEntry_NonExistent_Unencrypted_Success()894     public void testKeyStore_DeleteEntry_NonExistent_Unencrypted_Success() throws Exception {
895         mKeyStore.load(null, null);
896 
897         // TEST_ALIAS_1
898         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
899 
900         // Should not throw when a non-existent entry is requested for delete.
901         mKeyStore.deleteEntry(TEST_ALIAS_2);
902     }
903 
testKeyStore_GetCertificate_Single_Unencrypted_Success()904     public void testKeyStore_GetCertificate_Single_Unencrypted_Success() throws Exception {
905         mKeyStore.load(null, null);
906 
907         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
908 
909         assertAliases(new String[] { TEST_ALIAS_1 });
910 
911         assertNull("Certificate should not exist in keystore",
912                 mKeyStore.getCertificate(TEST_ALIAS_2));
913 
914         Certificate retrieved = mKeyStore.getCertificate(TEST_ALIAS_1);
915 
916         assertNotNull("Retrieved certificate should not be null", retrieved);
917 
918         CertificateFactory f = CertificateFactory.getInstance("X.509");
919         Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
920 
921         assertEquals("Actual and retrieved certificates should be the same", actual, retrieved);
922     }
923 
testKeyStore_GetCertificate_NonExist_Unencrypted_Failure()924     public void testKeyStore_GetCertificate_NonExist_Unencrypted_Failure() throws Exception {
925         mKeyStore.load(null, null);
926 
927         assertNull("Certificate should not exist in keystore",
928                 mKeyStore.getCertificate(TEST_ALIAS_1));
929     }
930 
testKeyStore_GetCertificateAlias_CAEntry_Unencrypted_Success()931     public void testKeyStore_GetCertificateAlias_CAEntry_Unencrypted_Success() throws Exception {
932         mKeyStore.load(null, null);
933 
934         Certificate cert = generateCertificate(FAKE_RSA_CA_1);
935         mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);
936 
937         assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
938                 mKeyStore.getCertificateAlias(cert));
939     }
940 
testKeyStore_GetCertificateAlias_PrivateKeyEntry_Unencrypted_Success()941     public void testKeyStore_GetCertificateAlias_PrivateKeyEntry_Unencrypted_Success()
942             throws Exception {
943         mKeyStore.load(null, null);
944 
945         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
946 
947         CertificateFactory f = CertificateFactory.getInstance("X.509");
948         Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
949 
950         assertEquals("Stored certificate alias should be found", TEST_ALIAS_1,
951                 mKeyStore.getCertificateAlias(actual));
952     }
953 
testKeyStore_GetCertificateAlias_CAEntry_WithPrivateKeyUsingCA_Unencrypted_Success()954     public void testKeyStore_GetCertificateAlias_CAEntry_WithPrivateKeyUsingCA_Unencrypted_Success()
955             throws Exception {
956         mKeyStore.load(null, null);
957 
958         Certificate actual = generateCertificate(FAKE_RSA_CA_1);
959 
960         // Insert TrustedCertificateEntry with CA name
961         mKeyStore.setCertificateEntry(TEST_ALIAS_2, actual);
962 
963         // Insert PrivateKeyEntry that uses the same CA
964         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
965 
966         assertEquals("Stored certificate alias should be found", TEST_ALIAS_2,
967                 mKeyStore.getCertificateAlias(actual));
968     }
969 
testKeyStore_GetCertificateAlias_NonExist_Empty_Unencrypted_Failure()970     public void testKeyStore_GetCertificateAlias_NonExist_Empty_Unencrypted_Failure()
971             throws Exception {
972         mKeyStore.load(null, null);
973 
974         CertificateFactory f = CertificateFactory.getInstance("X.509");
975         Certificate actual = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
976 
977         assertNull("Stored certificate alias should not be found",
978                 mKeyStore.getCertificateAlias(actual));
979     }
980 
testKeyStore_GetCertificateAlias_NonExist_Unencrypted_Failure()981     public void testKeyStore_GetCertificateAlias_NonExist_Unencrypted_Failure() throws Exception {
982         mKeyStore.load(null, null);
983 
984         Certificate ca = generateCertificate(FAKE_RSA_CA_1);
985 
986         // Insert TrustedCertificateEntry with CA name
987         mKeyStore.setCertificateEntry(TEST_ALIAS_1, ca);
988 
989         Certificate userCert = generateCertificate(FAKE_RSA_USER_1);
990 
991         assertNull("Stored certificate alias should be found",
992                 mKeyStore.getCertificateAlias(userCert));
993     }
994 
testKeyStore_GetCertificateChain_SingleLength_Unencrypted_Success()995     public void testKeyStore_GetCertificateChain_SingleLength_Unencrypted_Success() throws Exception {
996         mKeyStore.load(null, null);
997 
998         // TEST_ALIAS_1
999         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1000 
1001         Certificate[] expected = new Certificate[2];
1002         expected[0] = generateCertificate(FAKE_RSA_USER_1);
1003         expected[1] = generateCertificate(FAKE_RSA_CA_1);
1004 
1005         Certificate[] actual = mKeyStore.getCertificateChain(TEST_ALIAS_1);
1006 
1007         assertNotNull("Returned certificate chain should not be null", actual);
1008         assertEquals("Returned certificate chain should be correct size", expected.length,
1009                 actual.length);
1010         assertEquals("First certificate should be user certificate", expected[0], actual[0]);
1011         assertEquals("Second certificate should be CA certificate", expected[1], actual[1]);
1012 
1013         // Negative test when keystore is populated.
1014         assertNull("Stored certificate alias should not be found",
1015                 mKeyStore.getCertificateChain(TEST_ALIAS_2));
1016     }
1017 
testKeyStore_GetCertificateChain_NonExist_Unencrypted_Failure()1018     public void testKeyStore_GetCertificateChain_NonExist_Unencrypted_Failure() throws Exception {
1019         mKeyStore.load(null, null);
1020 
1021         assertNull("Stored certificate alias should not be found",
1022                 mKeyStore.getCertificateChain(TEST_ALIAS_1));
1023     }
1024 
testKeyStore_GetCreationDate_PrivateKeyEntry_Unencrypted_Success()1025     public void testKeyStore_GetCreationDate_PrivateKeyEntry_Unencrypted_Success() throws Exception {
1026         mKeyStore.load(null, null);
1027 
1028         // TEST_ALIAS_1
1029         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1030 
1031         Date now = new Date();
1032         Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
1033 
1034         Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
1035         Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);
1036 
1037         assertTrue("Time should be close to current time", actual.before(expectedBefore));
1038         assertTrue("Time should be close to current time", actual.after(expectedAfter));
1039     }
1040 
testKeyStore_GetCreationDate_CAEntry_Unencrypted_Success()1041     public void testKeyStore_GetCreationDate_CAEntry_Unencrypted_Success() throws Exception {
1042         mKeyStore.load(null, null);
1043 
1044         // Insert TrustedCertificateEntry with CA name
1045         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1046 
1047         Date now = new Date();
1048         Date actual = mKeyStore.getCreationDate(TEST_ALIAS_1);
1049         assertNotNull("Certificate should be found", actual);
1050 
1051         Date expectedAfter = new Date(now.getTime() - SLOP_TIME_MILLIS);
1052         Date expectedBefore = new Date(now.getTime() + SLOP_TIME_MILLIS);
1053 
1054         assertTrue("Time should be close to current time", actual.before(expectedBefore));
1055         assertTrue("Time should be close to current time", actual.after(expectedAfter));
1056     }
1057 
testKeyStore_GetEntry_NullParams_Unencrypted_Success()1058     public void testKeyStore_GetEntry_NullParams_Unencrypted_Success() throws Exception {
1059         mKeyStore.load(null, null);
1060 
1061         // TEST_ALIAS_1
1062         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1063 
1064         Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1065         assertNotNull("Entry should exist", entry);
1066 
1067         assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);
1068 
1069         PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
1070 
1071         assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
1072     }
1073 
testKeyStore_GetEntry_EC_NullParams_Unencrypted_Success()1074     public void testKeyStore_GetEntry_EC_NullParams_Unencrypted_Success() throws Exception {
1075         mKeyStore.load(null, null);
1076 
1077         // TEST_ALIAS_1
1078         mKeyStore.setEntry(TEST_ALIAS_1, makeUserEcKey1(), null);
1079 
1080         Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1081         assertNotNull("Entry should exist", entry);
1082 
1083         assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);
1084 
1085         PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
1086 
1087         assertPrivateKeyEntryEquals(keyEntry, "EC", FAKE_EC_KEY_1, FAKE_EC_USER_1, FAKE_EC_CA_1);
1088     }
1089 
testKeyStore_GetEntry_RSA_NullParams_Unencrypted_Success()1090     public void testKeyStore_GetEntry_RSA_NullParams_Unencrypted_Success() throws Exception {
1091         mKeyStore.load(null, null);
1092 
1093         // TEST_ALIAS_1
1094         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1095 
1096         Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1097         assertNotNull("Entry should exist", entry);
1098 
1099         assertTrue("Should be a PrivateKeyEntry", entry instanceof PrivateKeyEntry);
1100 
1101         PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
1102 
1103         assertPrivateKeyEntryEquals(keyEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1104                 FAKE_RSA_CA_1);
1105     }
1106 
1107     @SuppressWarnings("unchecked")
assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, String keyType, byte[] key, byte[] cert, byte[] ca)1108     private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, String keyType, byte[] key,
1109             byte[] cert, byte[] ca) throws Exception {
1110         KeyFactory keyFact = KeyFactory.getInstance(keyType);
1111         PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(key));
1112 
1113         CertificateFactory certFact = CertificateFactory.getInstance("X.509");
1114         Certificate expectedCert = certFact.generateCertificate(new ByteArrayInputStream(cert));
1115 
1116         final Collection<Certificate> expectedChain;
1117         if (ca != null) {
1118             expectedChain = (Collection<Certificate>) certFact
1119                     .generateCertificates(new ByteArrayInputStream(ca));
1120         } else {
1121             expectedChain = null;
1122         }
1123 
1124         assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, expectedChain);
1125     }
1126 
assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, PrivateKey expectedKey, Certificate expectedCert, Collection<Certificate> expectedChain)1127     private void assertPrivateKeyEntryEquals(PrivateKeyEntry keyEntry, PrivateKey expectedKey,
1128             Certificate expectedCert, Collection<Certificate> expectedChain) throws Exception {
1129         final PrivateKey privKey = keyEntry.getPrivateKey();
1130         final PublicKey pubKey = keyEntry.getCertificate().getPublicKey();
1131 
1132         if (expectedKey instanceof ECKey) {
1133             assertTrue("Returned PrivateKey " + privKey.getClass() + " should be instanceof ECKey",
1134                     privKey instanceof ECKey);
1135             assertEquals("Returned PrivateKey should be what we inserted",
1136                     ((ECKey) expectedKey).getParams().getCurve(),
1137                     ((ECKey) privKey).getParams().getCurve());
1138         } else if (expectedKey instanceof RSAKey) {
1139             assertTrue("Returned PrivateKey " + privKey.getClass() + " should be instanceof RSAKey",
1140                     privKey instanceof RSAKey);
1141             assertEquals("Returned PrivateKey should be what we inserted",
1142                     ((RSAKey) expectedKey).getModulus(),
1143                     ((RSAKey) privKey).getModulus());
1144         }
1145 
1146         assertNull("getFormat() should return null", privKey.getFormat());
1147         assertNull("getEncoded() should return null", privKey.getEncoded());
1148 
1149         assertEquals("Public keys should be in X.509 format", "X.509", pubKey.getFormat());
1150         assertNotNull("Public keys should be encodable", pubKey.getEncoded());
1151 
1152         assertEquals("Returned Certificate should be what we inserted", expectedCert,
1153                 keyEntry.getCertificate());
1154 
1155         Certificate[] actualChain = keyEntry.getCertificateChain();
1156 
1157         assertEquals("First certificate in chain should be user cert", expectedCert, actualChain[0]);
1158 
1159         if (expectedChain == null) {
1160             assertEquals("Certificate chain should not include CAs", 1, actualChain.length);
1161         } else {
1162             assertEquals("Chains should be the same size", expectedChain.size() + 1,
1163                     actualChain.length);
1164             int i = 1;
1165             final Iterator<Certificate> it = expectedChain.iterator();
1166             while (it.hasNext() && i < actualChain.length) {
1167                 assertEquals("CA chain certificate should equal what we put in", it.next(),
1168                         actualChain[i++]);
1169             }
1170         }
1171     }
1172 
testKeyStore_GetEntry_Nonexistent_NullParams_Unencrypted_Failure()1173     public void testKeyStore_GetEntry_Nonexistent_NullParams_Unencrypted_Failure() throws Exception {
1174         mKeyStore.load(null, null);
1175 
1176         assertNull("A non-existent entry should return null",
1177                 mKeyStore.getEntry(TEST_ALIAS_1, null));
1178     }
1179 
testKeyStore_GetKey_NoPassword_Unencrypted_Success()1180     public void testKeyStore_GetKey_NoPassword_Unencrypted_Success() throws Exception {
1181         mKeyStore.load(null, null);
1182 
1183         // TEST_ALIAS_1
1184         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1185 
1186         Key key = mKeyStore.getKey(TEST_ALIAS_1, null);
1187         assertNotNull("Key should exist", key);
1188 
1189         assertTrue("Should be a PrivateKey", key instanceof PrivateKey);
1190         assertTrue("Should be a RSAKey", key instanceof RSAKey);
1191 
1192         RSAKey actualKey = (RSAKey) key;
1193 
1194         KeyFactory keyFact = KeyFactory.getInstance("RSA");
1195         PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1196 
1197         assertEquals("Inserted key should be same as retrieved key",
1198                 ((RSAKey) expectedKey).getModulus(), actualKey.getModulus());
1199     }
1200 
testKeyStore_GetKey_Certificate_Unencrypted_Failure()1201     public void testKeyStore_GetKey_Certificate_Unencrypted_Failure() throws Exception {
1202         mKeyStore.load(null, null);
1203 
1204         // Insert TrustedCertificateEntry with CA name
1205         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1206 
1207         assertNull("Certificate entries should return null", mKeyStore.getKey(TEST_ALIAS_1, null));
1208     }
1209 
testKeyStore_GetKey_NonExistent_Unencrypted_Failure()1210     public void testKeyStore_GetKey_NonExistent_Unencrypted_Failure() throws Exception {
1211         mKeyStore.load(null, null);
1212 
1213         assertNull("A non-existent entry should return null", mKeyStore.getKey(TEST_ALIAS_1, null));
1214     }
1215 
testKeyStore_GetProvider_Unencrypted_Success()1216     public void testKeyStore_GetProvider_Unencrypted_Success() throws Exception {
1217         assertEquals("AndroidKeyStore", mKeyStore.getProvider().getName());
1218     }
1219 
testKeyStore_GetType_Unencrypted_Success()1220     public void testKeyStore_GetType_Unencrypted_Success() throws Exception {
1221         assertEquals("AndroidKeyStore", mKeyStore.getType());
1222     }
1223 
testKeyStore_IsCertificateEntry_CA_Unencrypted_Success()1224     public void testKeyStore_IsCertificateEntry_CA_Unencrypted_Success() throws Exception {
1225         mKeyStore.load(null, null);
1226 
1227         // Insert TrustedCertificateEntry with CA name
1228         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1229 
1230         assertTrue("Should return true for CA certificate",
1231                 mKeyStore.isCertificateEntry(TEST_ALIAS_1));
1232     }
1233 
testKeyStore_IsCertificateEntry_PrivateKey_Unencrypted_Failure()1234     public void testKeyStore_IsCertificateEntry_PrivateKey_Unencrypted_Failure() throws Exception {
1235         mKeyStore.load(null, null);
1236 
1237         // TEST_ALIAS_1
1238         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1239 
1240         assertFalse("Should return false for PrivateKeyEntry",
1241                 mKeyStore.isCertificateEntry(TEST_ALIAS_1));
1242     }
1243 
testKeyStore_IsCertificateEntry_NonExist_Unencrypted_Failure()1244     public void testKeyStore_IsCertificateEntry_NonExist_Unencrypted_Failure() throws Exception {
1245         mKeyStore.load(null, null);
1246 
1247         assertFalse("Should return false for non-existent entry",
1248                 mKeyStore.isCertificateEntry(TEST_ALIAS_1));
1249     }
1250 
testKeyStore_IsKeyEntry_PrivateKey_Unencrypted_Success()1251     public void testKeyStore_IsKeyEntry_PrivateKey_Unencrypted_Success() throws Exception {
1252         mKeyStore.load(null, null);
1253 
1254         // TEST_ALIAS_1
1255         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1256 
1257         assertTrue("Should return true for PrivateKeyEntry", mKeyStore.isKeyEntry(TEST_ALIAS_1));
1258     }
1259 
testKeyStore_IsKeyEntry_CA_Unencrypted_Failure()1260     public void testKeyStore_IsKeyEntry_CA_Unencrypted_Failure() throws Exception {
1261         mKeyStore.load(null, null);
1262 
1263         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1264 
1265         assertFalse("Should return false for CA certificate", mKeyStore.isKeyEntry(TEST_ALIAS_1));
1266     }
1267 
testKeyStore_IsKeyEntry_NonExist_Unencrypted_Failure()1268     public void testKeyStore_IsKeyEntry_NonExist_Unencrypted_Failure() throws Exception {
1269         mKeyStore.load(null, null);
1270 
1271         assertFalse("Should return false for non-existent entry",
1272                 mKeyStore.isKeyEntry(TEST_ALIAS_1));
1273     }
1274 
testKeyStore_SetCertificate_CA_Unencrypted_Success()1275     public void testKeyStore_SetCertificate_CA_Unencrypted_Success() throws Exception {
1276         final Certificate actual = generateCertificate(FAKE_RSA_CA_1);
1277 
1278         mKeyStore.load(null, null);
1279 
1280         mKeyStore.setCertificateEntry(TEST_ALIAS_1, actual);
1281         assertAliases(new String[] { TEST_ALIAS_1 });
1282 
1283         Certificate retrieved = mKeyStore.getCertificate(TEST_ALIAS_1);
1284 
1285         assertEquals("Retrieved certificate should be the same as the one inserted", actual,
1286                 retrieved);
1287     }
1288 
testKeyStore_SetCertificate_CAExists_Overwrite_Unencrypted_Success()1289     public void testKeyStore_SetCertificate_CAExists_Overwrite_Unencrypted_Success()
1290             throws Exception {
1291         mKeyStore.load(null, null);
1292 
1293         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1294 
1295         assertAliases(new String[] { TEST_ALIAS_1 });
1296 
1297         final Certificate cert = generateCertificate(FAKE_RSA_CA_1);
1298 
1299         // TODO have separate FAKE_CA for second test
1300         mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);
1301 
1302         assertAliases(new String[] { TEST_ALIAS_1 });
1303     }
1304 
testKeyStore_SetCertificate_PrivateKeyExists_Unencrypted_Failure()1305     public void testKeyStore_SetCertificate_PrivateKeyExists_Unencrypted_Failure() throws Exception {
1306         mKeyStore.load(null, null);
1307 
1308         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1309 
1310         assertAliases(new String[] { TEST_ALIAS_1 });
1311 
1312         final Certificate cert = generateCertificate(FAKE_RSA_CA_1);
1313 
1314         try {
1315             mKeyStore.setCertificateEntry(TEST_ALIAS_1, cert);
1316             fail("Should throw when trying to overwrite a PrivateKey entry with a Certificate");
1317         } catch (KeyStoreException success) {
1318         }
1319     }
1320 
testKeyStore_SetEntry_PrivateKeyEntry_Unencrypted_Success()1321     public void testKeyStore_SetEntry_PrivateKeyEntry_Unencrypted_Success() throws Exception {
1322         mKeyStore.load(null, null);
1323 
1324         KeyFactory keyFact = KeyFactory.getInstance("RSA");
1325         PrivateKey expectedKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1326 
1327         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1328 
1329         final Certificate[] expectedChain = new Certificate[2];
1330         expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1331         expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1332 
1333         PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain);
1334 
1335         mKeyStore.setEntry(TEST_ALIAS_1, expected, null);
1336 
1337         Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1338         assertNotNull("Retrieved entry should exist", actualEntry);
1339 
1340         assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1341                 actualEntry instanceof PrivateKeyEntry);
1342 
1343         PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1344 
1345         assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
1346     }
1347 
testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()1348     public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()
1349             throws Exception {
1350         mKeyStore.load(null, null);
1351 
1352         final KeyFactory keyFact = KeyFactory.getInstance("RSA");
1353         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1354 
1355         // Start with PrivateKeyEntry
1356         {
1357             PrivateKey expectedKey = keyFact
1358                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1359 
1360             final Certificate[] expectedChain = new Certificate[2];
1361             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1362             expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1363 
1364             PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain);
1365 
1366             mKeyStore.setEntry(TEST_ALIAS_1, expected, null);
1367 
1368             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1369             assertNotNull("Retrieved entry should exist", actualEntry);
1370 
1371             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1372                     actualEntry instanceof PrivateKeyEntry);
1373 
1374             PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1375 
1376             assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1377                     FAKE_RSA_CA_1);
1378         }
1379 
1380         // TODO make entirely new test vector for the overwrite
1381         // Replace with PrivateKeyEntry
1382         {
1383             PrivateKey expectedKey = keyFact
1384                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1385 
1386             final Certificate[] expectedChain = new Certificate[2];
1387             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1388             expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1389 
1390             PrivateKeyEntry expected = new PrivateKeyEntry(expectedKey, expectedChain);
1391 
1392             mKeyStore.setEntry(TEST_ALIAS_1, expected, null);
1393 
1394             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1395             assertNotNull("Retrieved entry should exist", actualEntry);
1396 
1397             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1398                     actualEntry instanceof PrivateKeyEntry);
1399 
1400             PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1401 
1402             assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1403                     FAKE_RSA_CA_1);
1404         }
1405     }
1406 
testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()1407     public void testKeyStore_SetEntry_CAEntry_Overwrites_PrivateKeyEntry_Unencrypted_Success()
1408             throws Exception {
1409         mKeyStore.load(null, null);
1410 
1411         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1412 
1413         // Start with TrustedCertificateEntry
1414         {
1415             final Certificate caCert = f
1416                     .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1417 
1418             TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert);
1419             mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null);
1420 
1421             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1422             assertNotNull("Retrieved entry should exist", actualEntry);
1423             assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
1424                     actualEntry instanceof TrustedCertificateEntry);
1425             TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry;
1426             assertEquals("Stored and retrieved certificates should be the same",
1427                     expectedCertEntry.getTrustedCertificate(),
1428                     actualCertEntry.getTrustedCertificate());
1429         }
1430 
1431         // Replace with PrivateKeyEntry
1432         {
1433             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1434             PrivateKey expectedKey = keyFact
1435                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1436             final Certificate[] expectedChain = new Certificate[2];
1437             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1438             expectedChain[1] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1439 
1440             PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);
1441 
1442             mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);
1443 
1444             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1445             assertNotNull("Retrieved entry should exist", actualEntry);
1446             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1447                     actualEntry instanceof PrivateKeyEntry);
1448 
1449             PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
1450             assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1451                     FAKE_RSA_CA_1);
1452         }
1453     }
1454 
testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Unencrypted_Success()1455     public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_CAEntry_Unencrypted_Success()
1456             throws Exception {
1457         mKeyStore.load(null, null);
1458 
1459         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1460 
1461         final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1462 
1463         // Start with PrivateKeyEntry
1464         {
1465             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1466             PrivateKey expectedKey = keyFact
1467                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1468             final Certificate[] expectedChain = new Certificate[2];
1469             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1470             expectedChain[1] = caCert;
1471 
1472             PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);
1473 
1474             mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);
1475 
1476             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1477             assertNotNull("Retrieved entry should exist", actualEntry);
1478             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1479                     actualEntry instanceof PrivateKeyEntry);
1480 
1481             PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
1482             assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1483                     FAKE_RSA_CA_1);
1484         }
1485 
1486         // Replace with TrustedCertificateEntry
1487         {
1488             TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert);
1489             mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null);
1490 
1491             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1492             assertNotNull("Retrieved entry should exist", actualEntry);
1493             assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
1494                     actualEntry instanceof TrustedCertificateEntry);
1495             TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry;
1496             assertEquals("Stored and retrieved certificates should be the same",
1497                     expectedCertEntry.getTrustedCertificate(),
1498                     actualCertEntry.getTrustedCertificate());
1499         }
1500     }
1501 
testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Unencrypted_Success()1502     public void testKeyStore_SetEntry_PrivateKeyEntry_Overwrites_ShortPrivateKeyEntry_Unencrypted_Success()
1503             throws Exception {
1504         mKeyStore.load(null, null);
1505 
1506         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1507 
1508         final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1509 
1510         // Start with PrivateKeyEntry
1511         {
1512             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1513             PrivateKey expectedKey = keyFact
1514                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1515             final Certificate[] expectedChain = new Certificate[2];
1516             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1517             expectedChain[1] = caCert;
1518 
1519             PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);
1520 
1521             mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);
1522 
1523             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1524             assertNotNull("Retrieved entry should exist", actualEntry);
1525             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1526                     actualEntry instanceof PrivateKeyEntry);
1527 
1528             PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
1529             assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1530                     FAKE_RSA_CA_1);
1531         }
1532 
1533         // Replace with PrivateKeyEntry that has no chain
1534         {
1535             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1536             PrivateKey expectedKey = keyFact
1537                     .generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1538             final Certificate[] expectedChain = new Certificate[1];
1539             expectedChain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1540 
1541             PrivateKeyEntry expectedPrivEntry = new PrivateKeyEntry(expectedKey, expectedChain);
1542 
1543             mKeyStore.setEntry(TEST_ALIAS_1, expectedPrivEntry, null);
1544 
1545             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1546             assertNotNull("Retrieved entry should exist", actualEntry);
1547             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1548                     actualEntry instanceof PrivateKeyEntry);
1549 
1550             PrivateKeyEntry actualPrivEntry = (PrivateKeyEntry) actualEntry;
1551             assertPrivateKeyEntryEquals(actualPrivEntry, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1552                     null);
1553         }
1554     }
1555 
testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Unencrypted_Success()1556     public void testKeyStore_SetEntry_CAEntry_Overwrites_CAEntry_Unencrypted_Success()
1557             throws Exception {
1558         mKeyStore.load(null, null);
1559 
1560         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1561 
1562         // Insert TrustedCertificateEntry
1563         {
1564             final Certificate caCert = f
1565                     .generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1566 
1567             TrustedCertificateEntry expectedCertEntry = new TrustedCertificateEntry(caCert);
1568             mKeyStore.setEntry(TEST_ALIAS_1, expectedCertEntry, null);
1569 
1570             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1571             assertNotNull("Retrieved entry should exist", actualEntry);
1572             assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
1573                     actualEntry instanceof TrustedCertificateEntry);
1574             TrustedCertificateEntry actualCertEntry = (TrustedCertificateEntry) actualEntry;
1575             assertEquals("Stored and retrieved certificates should be the same",
1576                     expectedCertEntry.getTrustedCertificate(),
1577                     actualCertEntry.getTrustedCertificate());
1578         }
1579 
1580         // Replace with TrustedCertificateEntry of USER
1581         {
1582             final Certificate userCert = f.generateCertificate(new ByteArrayInputStream(
1583                     FAKE_RSA_USER_1));
1584 
1585             TrustedCertificateEntry expectedUserEntry = new TrustedCertificateEntry(userCert);
1586             mKeyStore.setEntry(TEST_ALIAS_1, expectedUserEntry, null);
1587 
1588             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1589             assertNotNull("Retrieved entry should exist", actualEntry);
1590             assertTrue("Retrieved entry should be of type TrustedCertificateEntry",
1591                     actualEntry instanceof TrustedCertificateEntry);
1592             TrustedCertificateEntry actualUserEntry = (TrustedCertificateEntry) actualEntry;
1593             assertEquals("Stored and retrieved certificates should be the same",
1594                     expectedUserEntry.getTrustedCertificate(),
1595                     actualUserEntry.getTrustedCertificate());
1596         }
1597     }
1598 
testKeyStore_SetKeyEntry_ProtectedKey_Unencrypted_Failure()1599     public void testKeyStore_SetKeyEntry_ProtectedKey_Unencrypted_Failure() throws Exception {
1600         mKeyStore.load(null, null);
1601 
1602         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1603 
1604         final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1605 
1606         KeyFactory keyFact = KeyFactory.getInstance("RSA");
1607         PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1608         final Certificate[] chain = new Certificate[2];
1609         chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1610         chain[1] = caCert;
1611 
1612         try {
1613             mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, "foo".toCharArray(), chain);
1614             fail("Should fail when a password is specified");
1615         } catch (KeyStoreException success) {
1616         }
1617     }
1618 
testKeyStore_SetKeyEntry_Unencrypted_Success()1619     public void testKeyStore_SetKeyEntry_Unencrypted_Success() throws Exception {
1620         mKeyStore.load(null, null);
1621 
1622         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1623 
1624         final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1625 
1626         KeyFactory keyFact = KeyFactory.getInstance("RSA");
1627         PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1628         final Certificate[] chain = new Certificate[2];
1629         chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1630         chain[1] = caCert;
1631 
1632         mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);
1633 
1634         Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1635         assertNotNull("Retrieved entry should exist", actualEntry);
1636 
1637         assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1638                 actualEntry instanceof PrivateKeyEntry);
1639 
1640         PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1641 
1642         assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1, FAKE_RSA_CA_1);
1643     }
1644 
testKeyStore_SetKeyEntry_Replaced_Unencrypted_Success()1645     public void testKeyStore_SetKeyEntry_Replaced_Unencrypted_Success() throws Exception {
1646         mKeyStore.load(null, null);
1647 
1648         final CertificateFactory f = CertificateFactory.getInstance("X.509");
1649 
1650         final Certificate caCert = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_CA_1));
1651 
1652         // Insert initial key
1653         {
1654             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1655             PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1656             final Certificate[] chain = new Certificate[2];
1657             chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1658             chain[1] = caCert;
1659 
1660             mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);
1661 
1662             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1663             assertNotNull("Retrieved entry should exist", actualEntry);
1664 
1665             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1666                     actualEntry instanceof PrivateKeyEntry);
1667 
1668             PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1669 
1670             assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1671                     FAKE_RSA_CA_1);
1672         }
1673 
1674         // TODO make a separate key
1675         // Replace key
1676         {
1677             KeyFactory keyFact = KeyFactory.getInstance("RSA");
1678             PrivateKey privKey = keyFact.generatePrivate(new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1));
1679             final Certificate[] chain = new Certificate[2];
1680             chain[0] = f.generateCertificate(new ByteArrayInputStream(FAKE_RSA_USER_1));
1681             chain[1] = caCert;
1682 
1683             mKeyStore.setKeyEntry(TEST_ALIAS_1, privKey, null, chain);
1684 
1685             Entry actualEntry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1686             assertNotNull("Retrieved entry should exist", actualEntry);
1687 
1688             assertTrue("Retrieved entry should be of type PrivateKeyEntry",
1689                     actualEntry instanceof PrivateKeyEntry);
1690 
1691             PrivateKeyEntry actual = (PrivateKeyEntry) actualEntry;
1692 
1693             assertPrivateKeyEntryEquals(actual, "RSA", FAKE_RSA_KEY_1, FAKE_RSA_USER_1,
1694                     FAKE_RSA_CA_1);
1695         }
1696     }
1697 
testKeyStore_SetKeyEntry_ReplacedChain_Unencrypted_Success()1698     public void testKeyStore_SetKeyEntry_ReplacedChain_Unencrypted_Success() throws Exception {
1699         mKeyStore.load(null, null);
1700 
1701         // Create key #1
1702         {
1703             KeyStore.PrivateKeyEntry privEntry = makeUserRsaKey1();
1704             mKeyStore.setEntry(TEST_ALIAS_1, privEntry, null);
1705 
1706             Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1707 
1708             assertTrue(entry instanceof PrivateKeyEntry);
1709 
1710             PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
1711 
1712             ArrayList<Certificate> chain = new ArrayList<Certificate>();
1713             chain.add(generateCertificate(FAKE_RSA_CA_1));
1714             assertPrivateKeyEntryEquals(keyEntry, privEntry.getPrivateKey(),
1715                     privEntry.getCertificate(), chain);
1716         }
1717 
1718         // Replace key #1 with new chain
1719         {
1720             Key key = mKeyStore.getKey(TEST_ALIAS_1, null);
1721 
1722             assertTrue(key instanceof PrivateKey);
1723 
1724             PrivateKey expectedKey = (PrivateKey) key;
1725 
1726             Certificate expectedCert = generateCertificate(FAKE_RSA_USER_1);
1727 
1728             mKeyStore.setKeyEntry(TEST_ALIAS_1, expectedKey, null,
1729                     new Certificate[] { expectedCert });
1730 
1731             Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1732 
1733             assertTrue(entry instanceof PrivateKeyEntry);
1734 
1735             PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
1736 
1737             assertPrivateKeyEntryEquals(keyEntry, expectedKey, expectedCert, null);
1738         }
1739     }
1740 
testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Unencrypted_Failure()1741     public void testKeyStore_SetKeyEntry_ReplacedChain_DifferentPrivateKey_Unencrypted_Failure()
1742             throws Exception {
1743         mKeyStore.load(null, null);
1744 
1745         // Create key #1
1746         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1747 
1748         // Create key #2
1749         mKeyStore.setEntry(TEST_ALIAS_2, makeUserRsaKey1(), null);
1750 
1751 
1752         // Replace key #1 with key #2
1753         {
1754             Key key1 = mKeyStore.getKey(TEST_ALIAS_2, null);
1755 
1756             Certificate cert = generateCertificate(FAKE_RSA_USER_1);
1757 
1758             try {
1759                 mKeyStore.setKeyEntry(TEST_ALIAS_1, key1, null, new Certificate[] { cert });
1760                 fail("Should not allow setting of KeyEntry with wrong PrivaetKey");
1761             } catch (KeyStoreException success) {
1762             }
1763         }
1764     }
1765 
testKeyStore_SetKeyEntry_ReplacedWithSame_UnencryptedToUnencrypted_Failure()1766     public void testKeyStore_SetKeyEntry_ReplacedWithSame_UnencryptedToUnencrypted_Failure()
1767             throws Exception {
1768         mKeyStore.load(null, null);
1769 
1770         // Create key #1
1771         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1772 
1773         // Replace with same
1774         Entry entry = mKeyStore.getEntry(TEST_ALIAS_1, null);
1775         mKeyStore.setEntry(TEST_ALIAS_1, entry, null);
1776     }
1777 
testKeyStore_Size_Unencrypted_Success()1778     public void testKeyStore_Size_Unencrypted_Success() throws Exception {
1779         mKeyStore.load(null, null);
1780 
1781         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_RSA_CA_1));
1782 
1783         assertEquals("The keystore size should match expected", 1, mKeyStore.size());
1784         assertAliases(new String[] { TEST_ALIAS_1 });
1785 
1786         mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_CA_1));
1787 
1788         assertEquals("The keystore size should match expected", 2, mKeyStore.size());
1789         assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2 });
1790 
1791         mKeyStore.setEntry(TEST_ALIAS_3, makeUserRsaKey1(), null);
1792 
1793         assertEquals("The keystore size should match expected", 3, mKeyStore.size());
1794         assertAliases(new String[] { TEST_ALIAS_1, TEST_ALIAS_2, TEST_ALIAS_3 });
1795 
1796         mKeyStore.deleteEntry(TEST_ALIAS_1);
1797 
1798         assertEquals("The keystore size should match expected", 2, mKeyStore.size());
1799         assertAliases(new String[] { TEST_ALIAS_2, TEST_ALIAS_3 });
1800 
1801         mKeyStore.deleteEntry(TEST_ALIAS_3);
1802 
1803         assertEquals("The keystore size should match expected", 1, mKeyStore.size());
1804         assertAliases(new String[] { TEST_ALIAS_2 });
1805     }
1806 
testKeyStore_Store_LoadStoreParam_Unencrypted_Failure()1807     public void testKeyStore_Store_LoadStoreParam_Unencrypted_Failure() throws Exception {
1808         mKeyStore.load(null, null);
1809 
1810         try {
1811             mKeyStore.store(null);
1812             fail("Should throw UnsupportedOperationException when trying to store");
1813         } catch (UnsupportedOperationException success) {
1814         }
1815     }
1816 
testKeyStore_Load_InputStreamSupplied_Unencrypted_Failure()1817     public void testKeyStore_Load_InputStreamSupplied_Unencrypted_Failure() throws Exception {
1818         byte[] buf = "FAKE KEYSTORE".getBytes();
1819         ByteArrayInputStream is = new ByteArrayInputStream(buf);
1820 
1821         try {
1822             mKeyStore.load(is, null);
1823             fail("Should throw IllegalArgumentException when InputStream is supplied");
1824         } catch (IllegalArgumentException success) {
1825         }
1826     }
1827 
testKeyStore_Load_PasswordSupplied_Unencrypted_Failure()1828     public void testKeyStore_Load_PasswordSupplied_Unencrypted_Failure() throws Exception {
1829         try {
1830             mKeyStore.load(null, "password".toCharArray());
1831             fail("Should throw IllegalArgumentException when password is supplied");
1832         } catch (IllegalArgumentException success) {
1833         }
1834     }
1835 
testKeyStore_Store_OutputStream_Unencrypted_Failure()1836     public void testKeyStore_Store_OutputStream_Unencrypted_Failure() throws Exception {
1837         mKeyStore.load(null, null);
1838 
1839         OutputStream sink = new ByteArrayOutputStream();
1840         try {
1841             mKeyStore.store(sink, null);
1842             fail("Should throw UnsupportedOperationException when trying to store");
1843         } catch (UnsupportedOperationException success) {
1844         }
1845 
1846         try {
1847             mKeyStore.store(sink, "blah".toCharArray());
1848             fail("Should throw UnsupportedOperationException when trying to store");
1849         } catch (UnsupportedOperationException success) {
1850         }
1851     }
1852 
testKeyStore_KeyOperations_Wrap_Unencrypted_Success()1853     public void testKeyStore_KeyOperations_Wrap_Unencrypted_Success() throws Exception {
1854         mKeyStore.load(null, null);
1855 
1856         mKeyStore.setEntry(TEST_ALIAS_1, makeUserRsaKey1(), null);
1857 
1858         // Test key usage
1859         Entry e = mKeyStore.getEntry(TEST_ALIAS_1, null);
1860         assertNotNull(e);
1861         assertTrue(e instanceof PrivateKeyEntry);
1862 
1863         PrivateKeyEntry privEntry = (PrivateKeyEntry) e;
1864         PrivateKey privKey = privEntry.getPrivateKey();
1865         assertNotNull(privKey);
1866 
1867         PublicKey pubKey = privEntry.getCertificate().getPublicKey();
1868 
1869         Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
1870         c.init(Cipher.WRAP_MODE, pubKey);
1871 
1872         byte[] expectedKey = new byte[] {
1873                 0x00, 0x05, (byte) 0xAA, (byte) 0x0A5, (byte) 0xFF, 0x55, 0x0A
1874         };
1875 
1876         SecretKey expectedSecret = new TransparentSecretKey(expectedKey, "AES");
1877 
1878         byte[] wrappedExpected = c.wrap(expectedSecret);
1879 
1880         c.init(Cipher.UNWRAP_MODE, privKey);
1881         SecretKey actualSecret = (SecretKey) c.unwrap(wrappedExpected, "AES", Cipher.SECRET_KEY);
1882 
1883         assertEquals(Arrays.toString(expectedSecret.getEncoded()),
1884                 Arrays.toString(actualSecret.getEncoded()));
1885     }
1886 
testKeyStore_Encrypting_RSA_NONE_NOPADDING()1887     public void testKeyStore_Encrypting_RSA_NONE_NOPADDING() throws Exception {
1888 
1889         String alias = "MyKey";
1890         KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
1891         assertNotNull(ks);
1892         ks.load(null);
1893 
1894         Calendar cal = Calendar.getInstance();
1895         cal.set(1944, 5, 6);
1896         Date now = cal.getTime();
1897         cal.clear();
1898 
1899         cal.set(1945, 8, 2);
1900         Date end = cal.getTime();
1901 
1902         KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
1903         assertNotNull(kpg);
1904         kpg.initialize(new KeyPairGeneratorSpec.Builder(mContext)
1905                 .setAlias(alias)
1906                 .setStartDate(now)
1907                 .setEndDate(end)
1908                 .setSerialNumber(BigInteger.valueOf(1))
1909                 .setSubject(new X500Principal("CN=test1"))
1910                 .build());
1911 
1912         kpg.generateKeyPair();
1913 
1914         PrivateKey privateKey = (PrivateKey) ks.getKey(alias, null);
1915         assertNotNull(privateKey);
1916         PublicKey publicKey = ks.getCertificate(alias).getPublicKey();
1917         assertNotNull(publicKey);
1918         String cipher = privateKey.getAlgorithm() + "/NONE/NOPADDING";
1919         Cipher encrypt = Cipher.getInstance(cipher);
1920         assertNotNull(encrypt);
1921         encrypt.init(Cipher.ENCRYPT_MODE, privateKey);
1922 
1923         int modulusSizeBytes = (((RSAKey) publicKey).getModulus().bitLength() + 7) / 8;
1924         byte[] plainText = new byte[modulusSizeBytes];
1925         Arrays.fill(plainText, (byte) 0xFF);
1926 
1927         // We expect a BadPaddingException here as the message size (plaintext)
1928         // is bigger than the modulus.
1929         try {
1930             encrypt.doFinal(plainText);
1931             fail("Expected BadPaddingException or IllegalBlockSizeException");
1932         } catch (BadPaddingException e) {
1933             // pass on exception as it is expected
1934         } catch (IllegalBlockSizeException e) {
1935             // pass on exception as it is expected
1936         }
1937     }
1938 
testKeyStore_PrivateKeyEntry_RSA_PublicKeyWorksWithCrypto()1939     public void testKeyStore_PrivateKeyEntry_RSA_PublicKeyWorksWithCrypto()
1940             throws Exception {
1941         mKeyStore.load(null, null);
1942         mKeyStore.setKeyEntry(TEST_ALIAS_2,
1943                 KeyFactory.getInstance("RSA").generatePrivate(
1944                         new PKCS8EncodedKeySpec(FAKE_RSA_KEY_1)),
1945                 null, // no password (it's not even supported)
1946                 new Certificate[] {generateCertificate(FAKE_RSA_USER_1)});
1947         PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey();
1948         assertNotNull(publicKey);
1949 
1950         Signature.getInstance("SHA256withRSA").initVerify(publicKey);
1951         Signature.getInstance("NONEwithRSA").initVerify(publicKey);
1952         Signature.getInstance("SHA256withRSA/PSS").initVerify(publicKey);
1953 
1954         Cipher.getInstance("RSA/ECB/PKCS1Padding").init(Cipher.ENCRYPT_MODE, publicKey);
1955         Cipher.getInstance("RSA/ECB/NoPadding").init(Cipher.ENCRYPT_MODE, publicKey);
1956         Cipher.getInstance("RSA/ECB/OAEPPadding").init(Cipher.ENCRYPT_MODE, publicKey);
1957     }
1958 
testKeyStore_PrivateKeyEntry_EC_PublicKeyWorksWithCrypto()1959     public void testKeyStore_PrivateKeyEntry_EC_PublicKeyWorksWithCrypto()
1960             throws Exception {
1961         mKeyStore.load(null, null);
1962         mKeyStore.setKeyEntry(TEST_ALIAS_1,
1963                 KeyFactory.getInstance("EC").generatePrivate(
1964                         new PKCS8EncodedKeySpec(FAKE_EC_KEY_1)),
1965                 null, // no password (it's not even supported)
1966                 new Certificate[] {generateCertificate(FAKE_EC_USER_1)});
1967         PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey();
1968         assertNotNull(publicKey);
1969 
1970         Signature.getInstance("SHA256withECDSA").initVerify(publicKey);
1971         Signature.getInstance("NONEwithECDSA").initVerify(publicKey);
1972     }
1973 
testKeyStore_TrustedCertificateEntry_RSA_PublicKeyWorksWithCrypto()1974     public void testKeyStore_TrustedCertificateEntry_RSA_PublicKeyWorksWithCrypto()
1975             throws Exception {
1976         mKeyStore.load(null, null);
1977         mKeyStore.setCertificateEntry(TEST_ALIAS_2, generateCertificate(FAKE_RSA_USER_1));
1978         PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_2).getPublicKey();
1979         assertNotNull(publicKey);
1980 
1981         Signature.getInstance("SHA256withRSA").initVerify(publicKey);
1982         Signature.getInstance("NONEwithRSA").initVerify(publicKey);
1983 
1984         Cipher.getInstance("RSA/ECB/PKCS1Padding").init(Cipher.ENCRYPT_MODE, publicKey);
1985         Cipher.getInstance("RSA/ECB/NoPadding").init(Cipher.ENCRYPT_MODE, publicKey);
1986     }
1987 
testKeyStore_TrustedCertificateEntry_EC_PublicKeyWorksWithCrypto()1988     public void testKeyStore_TrustedCertificateEntry_EC_PublicKeyWorksWithCrypto()
1989             throws Exception {
1990         mKeyStore.load(null, null);
1991         mKeyStore.setCertificateEntry(TEST_ALIAS_1, generateCertificate(FAKE_EC_USER_1));
1992         PublicKey publicKey = mKeyStore.getCertificate(TEST_ALIAS_1).getPublicKey();
1993         assertNotNull(publicKey);
1994 
1995         Signature.getInstance("SHA256withECDSA").initVerify(publicKey);
1996         Signature.getInstance("NONEwithECDSA").initVerify(publicKey);
1997     }
1998 
1999     private static final int MIN_SUPPORTED_KEY_COUNT = 1500;
2000     private static final long MINUTE_IN_MILLIS = 1000 * 60;
2001     private static final long LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_MILLIS = 4 * MINUTE_IN_MILLIS;
2002     private static final long LARGE_NUMBER_OF_KEYS_TEST_MAX_DURATION_WATCH_MILLIS = 6 * MINUTE_IN_MILLIS;
2003 
isDeadlineReached(long startTimeMillis, long durationMillis)2004     private static boolean isDeadlineReached(long startTimeMillis, long durationMillis) {
2005         long nowMillis = System.currentTimeMillis();
2006         if (nowMillis < startTimeMillis) {
2007             return true;
2008         }
2009         return nowMillis - startTimeMillis > durationMillis;
2010     }
2011 
2012     @LargeTest
testKeyStore_LargeNumberOfKeysSupported_RSA()2013     public void testKeyStore_LargeNumberOfKeysSupported_RSA() throws Exception {
2014         // This test imports key1, then lots of other keys, then key2, and then confirms that
2015         // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
2016         // underlying implementation has a limit on the number of keys, it'll either delete the
2017         // oldest key (key1), or will refuse to add keys (key2).
2018         // The test imports as many keys as it can in a fixed amount of time instead of stopping
2019         // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
2020         // with the constraints on how long the test can run and performance differences of hardware
2021         // under test.
2022 
2023         long testStartTimeMillis = System.currentTimeMillis();
2024 
2025         Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key1_cert);
2026         PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key1_pkcs8);
2027         String entryName1 = "test0";
2028 
2029         Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.rsa_key2_cert);
2030         PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.rsa_key2_pkcs8);
2031 
2032         Certificate cert3 = generateCertificate(FAKE_RSA_USER_1);
2033         PrivateKey privateKey3 = generatePrivateKey("RSA", FAKE_RSA_KEY_1);
2034 
2035         mKeyStore.load(null);
2036         int latestImportedEntryNumber = 0;
2037         try {
2038             KeyProtection protectionParams = new KeyProtection.Builder(
2039                     KeyProperties.PURPOSE_SIGN)
2040                     .setDigests(KeyProperties.DIGEST_SHA256)
2041                     .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1)
2042                     .build();
2043             mKeyStore.setEntry(entryName1,
2044                     new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
2045                     protectionParams);
2046 
2047             // Import key3 lots of times, under different aliases.
2048             while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
2049                 latestImportedEntryNumber++;
2050                 if ((latestImportedEntryNumber % 1000) == 0) {
2051                     Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2052                 }
2053                 String entryAlias = "test" + latestImportedEntryNumber;
2054                 try {
2055                     mKeyStore.setEntry(entryAlias,
2056                             new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
2057                             protectionParams);
2058                 } catch (Throwable e) {
2059                     throw new RuntimeException("Entry " + entryAlias + " import failed", e);
2060                 }
2061             }
2062             Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2063             if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
2064                 fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
2065                         + (System.currentTimeMillis() - testStartTimeMillis)
2066                         + " ms. Imported: " + latestImportedEntryNumber + " keys");
2067             }
2068 
2069             latestImportedEntryNumber++;
2070             String entryName2 = "test" + latestImportedEntryNumber;
2071             mKeyStore.setEntry(entryName2,
2072                     new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
2073                     protectionParams);
2074             PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
2075             PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);
2076 
2077             byte[] message = "This is a test".getBytes("UTF-8");
2078 
2079             Signature sig = Signature.getInstance("SHA256withRSA");
2080             sig.initSign(keystorePrivateKey1);
2081             sig.update(message);
2082             byte[] signature = sig.sign();
2083             sig = Signature.getInstance(sig.getAlgorithm());
2084             sig.initVerify(cert1.getPublicKey());
2085             sig.update(message);
2086             assertTrue(sig.verify(signature));
2087 
2088             sig = Signature.getInstance(sig.getAlgorithm());
2089             sig.initSign(keystorePrivateKey2);
2090             sig.update(message);
2091             signature = sig.sign();
2092             sig = Signature.getInstance(sig.getAlgorithm());
2093             sig.initVerify(cert2.getPublicKey());
2094             sig.update(message);
2095             assertTrue(sig.verify(signature));
2096         } finally {
2097             // Clean up Keystore without using KeyStore.aliases() which can't handle this many
2098             // entries.
2099             Log.i(TAG, "Deleting imported keys");
2100             for (int i = 0; i <= latestImportedEntryNumber; i++) {
2101                 if ((i > 0) && ((i % 1000) == 0)) {
2102                     Log.i(TAG, "Deleted " + i + " keys");
2103                 }
2104                 mKeyStore.deleteEntry("test" + i);
2105             }
2106             Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
2107         }
2108     }
2109 
2110     @LargeTest
testKeyStore_LargeNumberOfKeysSupported_EC()2111     public void testKeyStore_LargeNumberOfKeysSupported_EC() throws Exception {
2112         // This test imports key1, then lots of other keys, then key2, and then confirms that
2113         // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
2114         // underlying implementation has a limit on the number of keys, it'll either delete the
2115         // oldest key (key1), or will refuse to add keys (key2).
2116         // The test imports as many keys as it can in a fixed amount of time instead of stopping
2117         // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
2118         // with the constraints on how long the test can run and performance differences of hardware
2119         // under test.
2120 
2121         long testStartTimeMillis = System.currentTimeMillis();
2122 
2123         Certificate cert1 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key1_cert);
2124         PrivateKey privateKey1 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key1_pkcs8);
2125         String entryName1 = "test0";
2126 
2127         Certificate cert2 = TestUtils.getRawResX509Certificate(getContext(), R.raw.ec_key2_cert);
2128         PrivateKey privateKey2 = TestUtils.getRawResPrivateKey(getContext(), R.raw.ec_key2_pkcs8);
2129 
2130         Certificate cert3 = generateCertificate(FAKE_EC_USER_1);
2131         PrivateKey privateKey3 = generatePrivateKey("EC", FAKE_EC_KEY_1);
2132 
2133         mKeyStore.load(null);
2134         int latestImportedEntryNumber = 0;
2135         try {
2136             KeyProtection protectionParams = new KeyProtection.Builder(
2137                     KeyProperties.PURPOSE_SIGN)
2138                     .setDigests(KeyProperties.DIGEST_SHA256)
2139                     .build();
2140             mKeyStore.setEntry(entryName1,
2141                     new KeyStore.PrivateKeyEntry(privateKey1, new Certificate[] {cert1}),
2142                     protectionParams);
2143 
2144             // Import key3 lots of times, under different aliases.
2145             while (!isDeadlineReached(
2146                     testStartTimeMillis, mMaxTestDurationMillis)) {
2147                 latestImportedEntryNumber++;
2148                 if ((latestImportedEntryNumber % 1000) == 0) {
2149                     Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2150                 }
2151                 String entryAlias = "test" + latestImportedEntryNumber;
2152                 try {
2153                     mKeyStore.setEntry(entryAlias,
2154                             new KeyStore.PrivateKeyEntry(privateKey3, new Certificate[] {cert3}),
2155                             protectionParams);
2156                 } catch (Throwable e) {
2157                     throw new RuntimeException("Entry " + entryAlias + " import failed", e);
2158                 }
2159             }
2160             Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2161             if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
2162                 fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
2163                         + (System.currentTimeMillis() - testStartTimeMillis)
2164                         + " ms. Imported: " + latestImportedEntryNumber + " keys");
2165             }
2166 
2167             latestImportedEntryNumber++;
2168             String entryName2 = "test" + latestImportedEntryNumber;
2169             mKeyStore.setEntry(entryName2,
2170                     new KeyStore.PrivateKeyEntry(privateKey2, new Certificate[] {cert2}),
2171                     protectionParams);
2172             PrivateKey keystorePrivateKey2 = (PrivateKey) mKeyStore.getKey(entryName2, null);
2173             PrivateKey keystorePrivateKey1 = (PrivateKey) mKeyStore.getKey(entryName1, null);
2174 
2175             byte[] message = "This is a test".getBytes("UTF-8");
2176 
2177             Signature sig = Signature.getInstance("SHA256withECDSA");
2178             sig.initSign(keystorePrivateKey1);
2179             sig.update(message);
2180             byte[] signature = sig.sign();
2181             sig = Signature.getInstance(sig.getAlgorithm());
2182             sig.initVerify(cert1.getPublicKey());
2183             sig.update(message);
2184             assertTrue(sig.verify(signature));
2185 
2186             sig = Signature.getInstance(sig.getAlgorithm());
2187             sig.initSign(keystorePrivateKey2);
2188             sig.update(message);
2189             signature = sig.sign();
2190             sig = Signature.getInstance(sig.getAlgorithm());
2191             sig.initVerify(cert2.getPublicKey());
2192             sig.update(message);
2193             assertTrue(sig.verify(signature));
2194         } finally {
2195             // Clean up Keystore without using KeyStore.aliases() which can't handle this many
2196             // entries.
2197             Log.i(TAG, "Deleting imported keys");
2198             for (int i = 0; i <= latestImportedEntryNumber; i++) {
2199                 if ((i > 0) && ((i % 1000) == 0)) {
2200                     Log.i(TAG, "Deleted " + i + " keys");
2201                 }
2202                 mKeyStore.deleteEntry("test" + i);
2203             }
2204             Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
2205         }
2206     }
2207 
2208     @LargeTest
testKeyStore_LargeNumberOfKeysSupported_AES()2209     public void testKeyStore_LargeNumberOfKeysSupported_AES() throws Exception {
2210         // This test imports key1, then lots of other keys, then key2, and then confirms that
2211         // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
2212         // underlying implementation has a limit on the number of keys, it'll either delete the
2213         // oldest key (key1), or will refuse to add keys (key2).
2214         // The test imports as many keys as it can in a fixed amount of time instead of stopping
2215         // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
2216         // with the constraints on how long the test can run and performance differences of hardware
2217         // under test.
2218 
2219         long testStartTimeMillis = System.currentTimeMillis();
2220 
2221         SecretKey key1 = new TransparentSecretKey(
2222                 HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "AES");
2223         String entryName1 = "test0";
2224 
2225         SecretKey key2 = new TransparentSecretKey(
2226                 HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "AES");
2227 
2228         SecretKey key3 = new TransparentSecretKey(
2229                 HexEncoding.decode("33333333333333333333777777777777"), "AES");
2230 
2231         mKeyStore.load(null);
2232         int latestImportedEntryNumber = 0;
2233         try {
2234             KeyProtection protectionParams = new KeyProtection.Builder(
2235                     KeyProperties.PURPOSE_ENCRYPT)
2236                     .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
2237                     .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
2238                     .build();
2239             mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);
2240 
2241             // Import key3 lots of times, under different aliases.
2242             while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
2243                 latestImportedEntryNumber++;
2244                 if ((latestImportedEntryNumber % 1000) == 0) {
2245                     Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2246                 }
2247                 String entryAlias = "test" + latestImportedEntryNumber;
2248                 try {
2249                     mKeyStore.setEntry(entryAlias,
2250                             new KeyStore.SecretKeyEntry(key3), protectionParams);
2251                 } catch (Throwable e) {
2252                     throw new RuntimeException("Entry " + entryAlias + " import failed", e);
2253                 }
2254             }
2255             Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2256             if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
2257                 fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
2258                         + (System.currentTimeMillis() - testStartTimeMillis)
2259                         + " ms. Imported: " + latestImportedEntryNumber + " keys");
2260             }
2261 
2262             latestImportedEntryNumber++;
2263             String entryName2 = "test" + latestImportedEntryNumber;
2264             mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
2265             SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
2266             SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);
2267 
2268             byte[] plaintext = "This is a test".getBytes("UTF-8");
2269             Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
2270             cipher.init(Cipher.ENCRYPT_MODE, keystoreKey1);
2271             byte[] ciphertext = cipher.doFinal(plaintext);
2272             AlgorithmParameters cipherParams = cipher.getParameters();
2273             cipher = Cipher.getInstance(cipher.getAlgorithm());
2274             cipher.init(Cipher.DECRYPT_MODE, key1, cipherParams);
2275             MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));
2276 
2277             cipher = Cipher.getInstance(cipher.getAlgorithm());
2278             cipher.init(Cipher.ENCRYPT_MODE, keystoreKey2);
2279             ciphertext = cipher.doFinal(plaintext);
2280             cipherParams = cipher.getParameters();
2281             cipher = Cipher.getInstance(cipher.getAlgorithm());
2282             cipher.init(Cipher.DECRYPT_MODE, key2, cipherParams);
2283             MoreAsserts.assertEquals(plaintext, cipher.doFinal(ciphertext));
2284         } finally {
2285             // Clean up Keystore without using KeyStore.aliases() which can't handle this many
2286             // entries.
2287             Log.i(TAG, "Deleting imported keys");
2288             for (int i = 0; i <= latestImportedEntryNumber; i++) {
2289                 if ((i > 0) && ((i % 1000) == 0)) {
2290                     Log.i(TAG, "Deleted " + i + " keys");
2291                 }
2292                 mKeyStore.deleteEntry("test" + i);
2293             }
2294             Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
2295         }
2296     }
2297 
2298     @LargeTest
testKeyStore_LargeNumberOfKeysSupported_HMAC()2299     public void testKeyStore_LargeNumberOfKeysSupported_HMAC() throws Exception {
2300         // This test imports key1, then lots of other keys, then key2, and then confirms that
2301         // key1 and key2 backed by Android Keystore work fine. The assumption is that if the
2302         // underlying implementation has a limit on the number of keys, it'll either delete the
2303         // oldest key (key1), or will refuse to add keys (key2).
2304         // The test imports as many keys as it can in a fixed amount of time instead of stopping
2305         // at MIN_SUPPORTED_KEY_COUNT to balance the desire to support an unlimited number of keys
2306         // with the constraints on how long the test can run and performance differences of hardware
2307         // under test.
2308 
2309         long testStartTimeMillis = System.currentTimeMillis();
2310 
2311         SecretKey key1 = new TransparentSecretKey(
2312                 HexEncoding.decode("010203040506070809fafbfcfdfeffcc"), "HmacSHA256");
2313         String entryName1 = "test0";
2314 
2315         SecretKey key2 = new TransparentSecretKey(
2316                 HexEncoding.decode("808182838485868788897a7b7c7d7e7f"), "HmacSHA256");
2317 
2318         SecretKey key3 = new TransparentSecretKey(
2319                 HexEncoding.decode("33333333333333333333777777777777"), "HmacSHA256");
2320 
2321         mKeyStore.load(null);
2322         int latestImportedEntryNumber = 0;
2323         try {
2324             KeyProtection protectionParams = new KeyProtection.Builder(
2325                     KeyProperties.PURPOSE_SIGN)
2326                     .build();
2327             mKeyStore.setEntry(entryName1, new KeyStore.SecretKeyEntry(key1), protectionParams);
2328 
2329             // Import key3 lots of times, under different aliases.
2330             while (!isDeadlineReached(testStartTimeMillis, mMaxTestDurationMillis)) {
2331                 latestImportedEntryNumber++;
2332                 if ((latestImportedEntryNumber % 1000) == 0) {
2333                     Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2334                 }
2335                 String entryAlias = "test" + latestImportedEntryNumber;
2336                 try {
2337                     mKeyStore.setEntry(entryAlias,
2338                             new KeyStore.SecretKeyEntry(key3), protectionParams);
2339                 } catch (Throwable e) {
2340                     throw new RuntimeException("Entry " + entryAlias + " import failed", e);
2341                 }
2342             }
2343             Log.i(TAG, "Imported " + latestImportedEntryNumber + " keys");
2344             if (latestImportedEntryNumber < MIN_SUPPORTED_KEY_COUNT) {
2345                 fail("Failed to import " + MIN_SUPPORTED_KEY_COUNT + " keys in "
2346                         + (System.currentTimeMillis() - testStartTimeMillis)
2347                         + " ms. Imported: " + latestImportedEntryNumber + " keys");
2348             }
2349 
2350             latestImportedEntryNumber++;
2351             String entryName2 = "test" + latestImportedEntryNumber;
2352             mKeyStore.setEntry(entryName2, new KeyStore.SecretKeyEntry(key2), protectionParams);
2353             SecretKey keystoreKey2 = (SecretKey) mKeyStore.getKey(entryName2, null);
2354             SecretKey keystoreKey1 = (SecretKey) mKeyStore.getKey(entryName1, null);
2355 
2356             byte[] message = "This is a test".getBytes("UTF-8");
2357             Mac mac = Mac.getInstance(key1.getAlgorithm());
2358             mac.init(keystoreKey1);
2359             MoreAsserts.assertEquals(
2360                     HexEncoding.decode(
2361                             "905e36f5a175f4ca54ad56b860b46f6502f883a90628dca2d33a953fb7224eaf"),
2362                     mac.doFinal(message));
2363 
2364             mac = Mac.getInstance(key2.getAlgorithm());
2365             mac.init(keystoreKey2);
2366             MoreAsserts.assertEquals(
2367                     HexEncoding.decode(
2368                             "59b57e77e4e2cb36b5c7b84af198ac004327bc549de6931a1b5505372dd8c957"),
2369                     mac.doFinal(message));
2370         } finally {
2371             // Clean up Keystore without using KeyStore.aliases() which can't handle this many
2372             // entries.
2373             Log.i(TAG, "Deleting imported keys");
2374             for (int i = 0; i <= latestImportedEntryNumber; i++) {
2375                 if ((i > 0) && ((i % 1000) == 0)) {
2376                     Log.i(TAG, "Deleted " + i + " keys");
2377                 }
2378                 mKeyStore.deleteEntry("test" + i);
2379             }
2380             Log.i(TAG, "Deleted " + (latestImportedEntryNumber + 1) + " keys");
2381         }
2382     }
2383 
testKeyStore_OnlyOneDigestCanBeAuthorized_HMAC()2384     public void testKeyStore_OnlyOneDigestCanBeAuthorized_HMAC() throws Exception {
2385         mKeyStore.load(null);
2386 
2387         for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
2388             if (!TestUtils.isHmacAlgorithm(algorithm)) {
2389                 continue;
2390             }
2391             try {
2392                 String digest = TestUtils.getHmacAlgorithmDigest(algorithm);
2393                 assertNotNull(digest);
2394                 SecretKey keyBeingImported = new TransparentSecretKey(new byte[16], algorithm);
2395 
2396                 KeyProtection.Builder goodSpec =
2397                         new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN);
2398 
2399                 // Digests authorization not specified in import parameters
2400                 assertFalse(goodSpec.build().isDigestsSpecified());
2401                 mKeyStore.setEntry(TEST_ALIAS_1,
2402                         new KeyStore.SecretKeyEntry(keyBeingImported),
2403                         goodSpec.build());
2404                 SecretKey key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
2405                 TestUtils.assertContentsInAnyOrder(
2406                         Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);
2407 
2408                 // The same digest is specified in import parameters
2409                 mKeyStore.setEntry(TEST_ALIAS_1,
2410                         new KeyStore.SecretKeyEntry(keyBeingImported),
2411                         TestUtils.buildUpon(goodSpec).setDigests(digest).build());
2412                 key = (SecretKey) mKeyStore.getKey(TEST_ALIAS_1, null);
2413                 TestUtils.assertContentsInAnyOrder(
2414                         Arrays.asList(TestUtils.getKeyInfo(key).getDigests()), digest);
2415 
2416                 // Empty set of digests specified in import parameters
2417                 try {
2418                     mKeyStore.setEntry(TEST_ALIAS_1,
2419                             new KeyStore.SecretKeyEntry(keyBeingImported),
2420                             TestUtils.buildUpon(goodSpec).setDigests().build());
2421                     fail();
2422                 } catch (KeyStoreException expected) {}
2423 
2424                 // A different digest specified in import parameters
2425                 String anotherDigest = "SHA-256".equalsIgnoreCase(digest) ? "SHA-384" : "SHA-256";
2426                 try {
2427                     mKeyStore.setEntry(TEST_ALIAS_1,
2428                             new KeyStore.SecretKeyEntry(keyBeingImported),
2429                             TestUtils.buildUpon(goodSpec).setDigests(anotherDigest).build());
2430                     fail();
2431                 } catch (KeyStoreException expected) {}
2432                 try {
2433                     mKeyStore.setEntry(TEST_ALIAS_1,
2434                             new KeyStore.SecretKeyEntry(keyBeingImported),
2435                             TestUtils.buildUpon(goodSpec)
2436                                     .setDigests(digest, anotherDigest)
2437                                     .build());
2438                     fail();
2439                 } catch (KeyStoreException expected) {}
2440             } catch (Throwable e) {
2441                 throw new RuntimeException("Failed for " + algorithm, e);
2442             }
2443         }
2444     }
2445 
testKeyStore_ImportSupportedSizes_AES()2446     public void testKeyStore_ImportSupportedSizes_AES() throws Exception {
2447         mKeyStore.load(null);
2448 
2449         KeyProtection params = new KeyProtection.Builder(
2450                 KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
2451                 .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
2452                 .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
2453                 .build();
2454         String alias = "test1";
2455         mKeyStore.deleteEntry(alias);
2456         assertFalse(mKeyStore.containsAlias(alias));
2457         for (int keySizeBytes = 0; keySizeBytes <= 512 / 8; keySizeBytes++) {
2458             int keySizeBits = keySizeBytes * 8;
2459             try {
2460                 KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
2461                         new TransparentSecretKey(new byte[keySizeBytes], "AES"));
2462                 if (TestUtils.contains(KeyGeneratorTest.AES_SUPPORTED_KEY_SIZES, keySizeBits)) {
2463                     mKeyStore.setEntry(alias, entry, params);
2464                     SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
2465                     assertEquals("AES", key.getAlgorithm());
2466                     assertEquals(keySizeBits, TestUtils.getKeyInfo(key).getKeySize());
2467                 } else {
2468                     mKeyStore.deleteEntry(alias);
2469                     assertFalse(mKeyStore.containsAlias(alias));
2470                     try {
2471                         mKeyStore.setEntry(alias, entry, params);
2472                         fail();
2473                     } catch (KeyStoreException expected) {}
2474                     assertFalse(mKeyStore.containsAlias(alias));
2475                 }
2476             } catch (Throwable e) {
2477                 throw new RuntimeException("Failed for key size " + keySizeBits, e);
2478             }
2479         }
2480     }
2481 
testKeyStore_ImportSupportedSizes_HMAC()2482     public void testKeyStore_ImportSupportedSizes_HMAC() throws Exception {
2483         mKeyStore.load(null);
2484 
2485         KeyProtection params = new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build();
2486         String alias = "test1";
2487         mKeyStore.deleteEntry(alias);
2488         assertFalse(mKeyStore.containsAlias(alias));
2489         for (String algorithm : KeyGeneratorTest.EXPECTED_ALGORITHMS) {
2490             if (!TestUtils.isHmacAlgorithm(algorithm)) {
2491                 continue;
2492             }
2493             for (int keySizeBytes = 8; keySizeBytes <= 1024 / 8; keySizeBytes++) {
2494                 try {
2495                     KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(
2496                             new TransparentSecretKey(new byte[keySizeBytes], algorithm));
2497                     if (keySizeBytes > 0) {
2498                         mKeyStore.setEntry(alias, entry, params);
2499                         SecretKey key = (SecretKey) mKeyStore.getKey(alias, null);
2500                         assertEquals(algorithm, key.getAlgorithm());
2501                         assertEquals(keySizeBytes * 8, TestUtils.getKeyInfo(key).getKeySize());
2502                     } else {
2503                         mKeyStore.deleteEntry(alias);
2504                         assertFalse(mKeyStore.containsAlias(alias));
2505                         try {
2506                             mKeyStore.setEntry(alias, entry, params);
2507                             fail();
2508                         } catch (KeyStoreException expected) {}
2509                     }
2510                 } catch (Throwable e) {
2511                     throw new RuntimeException(
2512                             "Failed for " + algorithm + " with key size " + (keySizeBytes * 8), e);
2513                 }
2514             }
2515         }
2516     }
2517 
testKeyStore_ImportSupportedSizes_EC()2518     public void testKeyStore_ImportSupportedSizes_EC() throws Exception {
2519         mKeyStore.load(null);
2520         KeyProtection params =
2521                 TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withECDSA");
2522         checkKeyPairImportSucceeds(
2523                 "secp224r1", R.raw.ec_key3_secp224r1_pkcs8, R.raw.ec_key3_secp224r1_cert, params);
2524         checkKeyPairImportSucceeds(
2525                 "secp256r1", R.raw.ec_key4_secp256r1_pkcs8, R.raw.ec_key4_secp256r1_cert, params);
2526         checkKeyPairImportSucceeds(
2527                 "secp384r1", R.raw.ec_key5_secp384r1_pkcs8, R.raw.ec_key5_secp384r1_cert, params);
2528         checkKeyPairImportSucceeds(
2529                 "secp512r1", R.raw.ec_key6_secp521r1_pkcs8, R.raw.ec_key6_secp521r1_cert, params);
2530     }
2531 
testKeyStore_ImportSupportedSizes_RSA()2532     public void testKeyStore_ImportSupportedSizes_RSA() throws Exception {
2533         mKeyStore.load(null);
2534         KeyProtection params =
2535                 TestUtils.getMinimalWorkingImportParametersForSigningingWith("SHA256withRSA");
2536         checkKeyPairImportSucceeds(
2537                 "512", R.raw.rsa_key5_512_pkcs8, R.raw.rsa_key5_512_cert, params);
2538         checkKeyPairImportSucceeds(
2539                 "768", R.raw.rsa_key6_768_pkcs8, R.raw.rsa_key6_768_cert, params);
2540         checkKeyPairImportSucceeds(
2541                 "1024", R.raw.rsa_key3_1024_pkcs8, R.raw.rsa_key3_1024_cert, params);
2542         checkKeyPairImportSucceeds(
2543                 "2048", R.raw.rsa_key8_2048_pkcs8, R.raw.rsa_key8_2048_cert, params);
2544         checkKeyPairImportSucceeds(
2545                 "3072", R.raw.rsa_key7_3072_pksc8, R.raw.rsa_key7_3072_cert, params);
2546         checkKeyPairImportSucceeds(
2547                 "4096", R.raw.rsa_key4_4096_pkcs8, R.raw.rsa_key4_4096_cert, params);
2548     }
2549 
checkKeyPairImportSucceeds( String alias, int privateResId, int certResId, KeyProtection params)2550     private void checkKeyPairImportSucceeds(
2551             String alias, int privateResId, int certResId, KeyProtection params) throws Exception {
2552         try {
2553             mKeyStore.deleteEntry(alias);
2554             TestUtils.importIntoAndroidKeyStore(
2555                     alias, getContext(), privateResId, certResId, params);
2556         } catch (Throwable e) {
2557             throw new RuntimeException("Failed for " + alias, e);
2558         } finally {
2559             try {
2560                 mKeyStore.deleteEntry(alias);
2561             } catch (Exception ignored) {}
2562         }
2563     }
2564 }
2565