1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "KeymasterHidlTest.h"
18
19 #include <chrono>
20 #include <vector>
21
22 #include <android-base/logging.h>
23 #include <android/hidl/manager/1.0/IServiceManager.h>
24
25 #include <keymasterV4_0/key_param_output.h>
26
27 namespace android {
28 namespace hardware {
29 namespace keymaster {
30 namespace V4_0 {
31
operator <<(::std::ostream & os,const AuthorizationSet & set)32 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
33 if (set.size() == 0)
34 os << "(Empty)" << ::std::endl;
35 else {
36 os << "\n";
37 for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl;
38 }
39 return os;
40 }
41
42 namespace test {
43
44 sp<IKeymasterDevice> KeymasterHidlTest::keymaster_;
45 std::vector<sp<IKeymasterDevice>> KeymasterHidlTest::all_keymasters_;
46 uint32_t KeymasterHidlTest::os_version_;
47 uint32_t KeymasterHidlTest::os_patch_level_;
48 SecurityLevel KeymasterHidlTest::securityLevel_;
49 hidl_string KeymasterHidlTest::name_;
50 hidl_string KeymasterHidlTest::author_;
51
SetUpTestCase()52 void KeymasterHidlTest::SetUpTestCase() {
53 string service_name = KeymasterHidlEnvironment::Instance()->getServiceName<IKeymasterDevice>();
54 keymaster_ = ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(service_name);
55 ASSERT_NE(keymaster_, nullptr);
56
57 ASSERT_TRUE(keymaster_
58 ->getHardwareInfo([&](SecurityLevel securityLevel, const hidl_string& name,
59 const hidl_string& author) {
60 securityLevel_ = securityLevel;
61 name_ = name;
62 author_ = author;
63 })
64 .isOk());
65
66 os_version_ = ::keymaster::GetOsVersion();
67 os_patch_level_ = ::keymaster::GetOsPatchlevel();
68
69 auto service_manager = android::hidl::manager::V1_0::IServiceManager::getService();
70 ASSERT_NE(nullptr, service_manager.get());
71
72 all_keymasters_.push_back(keymaster_);
73 service_manager->listByInterface(
74 IKeymasterDevice::descriptor, [&](const hidl_vec<hidl_string>& names) {
75 for (auto& name : names) {
76 if (name == service_name) continue;
77 auto keymaster =
78 ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(name);
79 ASSERT_NE(keymaster, nullptr);
80 all_keymasters_.push_back(keymaster);
81 }
82 });
83 }
84
GenerateKey(const AuthorizationSet & key_desc,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)85 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob,
86 KeyCharacteristics* key_characteristics) {
87 EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug";
88 EXPECT_EQ(0U, key_blob->size()) << "Key blob not empty before generating key. Test bug.";
89 EXPECT_NE(key_characteristics, nullptr)
90 << "Previous characteristics not deleted before generating key. Test bug.";
91
92 ErrorCode error;
93 EXPECT_TRUE(keymaster_
94 ->generateKey(key_desc.hidl_data(),
95 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
96 const KeyCharacteristics& hidl_key_characteristics) {
97 error = hidl_error;
98 *key_blob = hidl_key_blob;
99 *key_characteristics = hidl_key_characteristics;
100 })
101 .isOk());
102 // On error, blob & characteristics should be empty.
103 if (error != ErrorCode::OK) {
104 EXPECT_EQ(0U, key_blob->size());
105 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
106 key_characteristics->hardwareEnforced.size()));
107 }
108 return error;
109 }
110
GenerateKey(const AuthorizationSet & key_desc)111 ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc) {
112 return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
113 }
114
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)115 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
116 const string& key_material, HidlBuf* key_blob,
117 KeyCharacteristics* key_characteristics) {
118 ErrorCode error;
119 EXPECT_TRUE(keymaster_
120 ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material),
121 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
122 const KeyCharacteristics& hidl_key_characteristics) {
123 error = hidl_error;
124 *key_blob = hidl_key_blob;
125 *key_characteristics = hidl_key_characteristics;
126 })
127 .isOk());
128 // On error, blob & characteristics should be empty.
129 if (error != ErrorCode::OK) {
130 EXPECT_EQ(0U, key_blob->size());
131 EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
132 key_characteristics->hardwareEnforced.size()));
133 }
134 return error;
135 }
136
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material)137 ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
138 const string& key_material) {
139 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
140 }
141
ImportWrappedKey(string wrapped_key,string wrapping_key,const AuthorizationSet & wrapping_key_desc,string masking_key,const AuthorizationSet & unwrapping_params)142 ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key,
143 const AuthorizationSet& wrapping_key_desc,
144 string masking_key,
145 const AuthorizationSet& unwrapping_params) {
146 ErrorCode error;
147 ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key);
148 EXPECT_TRUE(keymaster_
149 ->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key),
150 unwrapping_params.hidl_data(), 0 /* passwordSid */,
151 0 /* biometricSid */,
152 [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
153 const KeyCharacteristics& hidl_key_characteristics) {
154 error = hidl_error;
155 key_blob_ = hidl_key_blob;
156 key_characteristics_ = hidl_key_characteristics;
157 })
158 .isOk());
159 return error;
160 }
161
ExportKey(KeyFormat format,const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,HidlBuf * key_material)162 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, const HidlBuf& key_blob,
163 const HidlBuf& client_id, const HidlBuf& app_data,
164 HidlBuf* key_material) {
165 ErrorCode error;
166 EXPECT_TRUE(keymaster_
167 ->exportKey(format, key_blob, client_id, app_data,
168 [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) {
169 error = hidl_error_code;
170 *key_material = hidl_key_material;
171 })
172 .isOk());
173 // On error, blob should be empty.
174 if (error != ErrorCode::OK) {
175 EXPECT_EQ(0U, key_material->size());
176 }
177 return error;
178 }
179
ExportKey(KeyFormat format,HidlBuf * key_material)180 ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, HidlBuf* key_material) {
181 HidlBuf client_id, app_data;
182 return ExportKey(format, key_blob_, client_id, app_data, key_material);
183 }
184
DeleteKey(HidlBuf * key_blob,bool keep_key_blob)185 ErrorCode KeymasterHidlTest::DeleteKey(HidlBuf* key_blob, bool keep_key_blob) {
186 auto rc = keymaster_->deleteKey(*key_blob);
187 if (!keep_key_blob) *key_blob = HidlBuf();
188 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
189 return rc;
190 }
191
DeleteKey(bool keep_key_blob)192 ErrorCode KeymasterHidlTest::DeleteKey(bool keep_key_blob) {
193 return DeleteKey(&key_blob_, keep_key_blob);
194 }
195
DeleteAllKeys()196 ErrorCode KeymasterHidlTest::DeleteAllKeys() {
197 ErrorCode error = keymaster_->deleteAllKeys();
198 return error;
199 }
200
CheckedDeleteKey(HidlBuf * key_blob,bool keep_key_blob)201 void KeymasterHidlTest::CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob) {
202 auto rc = DeleteKey(key_blob, keep_key_blob);
203 EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
204 }
205
CheckedDeleteKey()206 void KeymasterHidlTest::CheckedDeleteKey() {
207 CheckedDeleteKey(&key_blob_);
208 }
209
CheckCreationDateTime(const AuthorizationSet & sw_enforced,std::chrono::time_point<std::chrono::system_clock> creation)210 void KeymasterHidlTest::CheckCreationDateTime(
211 const AuthorizationSet& sw_enforced,
212 std::chrono::time_point<std::chrono::system_clock> creation) {
213 for (int i = 0; i < sw_enforced.size(); i++) {
214 if (sw_enforced[i].tag == TAG_CREATION_DATETIME) {
215 std::chrono::time_point<std::chrono::system_clock> now =
216 std::chrono::system_clock::now();
217 std::chrono::time_point<std::chrono::system_clock> reported_time{
218 std::chrono::milliseconds(sw_enforced[i].f.dateTime)};
219 // The test is flaky for EC keys, so a buffer time of 120 seconds will be added.
220 EXPECT_LE(creation - 120s, reported_time);
221 EXPECT_LE(reported_time, now + 1s);
222 }
223 }
224 }
225
CheckGetCharacteristics(const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,KeyCharacteristics * key_characteristics)226 void KeymasterHidlTest::CheckGetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
227 const HidlBuf& app_data,
228 KeyCharacteristics* key_characteristics) {
229 HidlBuf empty_buf = {};
230 EXPECT_EQ(ErrorCode::OK,
231 GetCharacteristics(key_blob, client_id, app_data, key_characteristics));
232 EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0);
233 EXPECT_GT(key_characteristics->softwareEnforced.size(), 0);
234
235 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
236 GetCharacteristics(key_blob, empty_buf, app_data, key_characteristics));
237 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0);
238 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0);
239
240 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
241 GetCharacteristics(key_blob, client_id, empty_buf, key_characteristics));
242 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0);
243 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0);
244
245 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
246 GetCharacteristics(key_blob, empty_buf, empty_buf, key_characteristics));
247 EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0);
248 EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0);
249 }
250
GetCharacteristics(const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,KeyCharacteristics * key_characteristics)251 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
252 const HidlBuf& app_data,
253 KeyCharacteristics* key_characteristics) {
254 ErrorCode error = ErrorCode::UNKNOWN_ERROR;
255 EXPECT_TRUE(
256 keymaster_
257 ->getKeyCharacteristics(
258 key_blob, client_id, app_data,
259 [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) {
260 error = hidl_error, *key_characteristics = hidl_key_characteristics;
261 })
262 .isOk());
263 return error;
264 }
265
GetCharacteristics(const HidlBuf & key_blob,KeyCharacteristics * key_characteristics)266 ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob,
267 KeyCharacteristics* key_characteristics) {
268 HidlBuf client_id, app_data;
269 return GetCharacteristics(key_blob, client_id, app_data, key_characteristics);
270 }
271
Begin(KeyPurpose purpose,const HidlBuf & key_blob,const AuthorizationSet & in_params,AuthorizationSet * out_params,OperationHandle * op_handle)272 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const HidlBuf& key_blob,
273 const AuthorizationSet& in_params, AuthorizationSet* out_params,
274 OperationHandle* op_handle) {
275 SCOPED_TRACE("Begin");
276 ErrorCode error;
277 OperationHandle saved_handle = *op_handle;
278 EXPECT_TRUE(keymaster_
279 ->begin(purpose, key_blob, in_params.hidl_data(), HardwareAuthToken(),
280 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
281 uint64_t hidl_op_handle) {
282 error = hidl_error;
283 *out_params = hidl_out_params;
284 *op_handle = hidl_op_handle;
285 })
286 .isOk());
287 if (error != ErrorCode::OK) {
288 // Some implementations may modify *op_handle on error.
289 *op_handle = saved_handle;
290 }
291 return error;
292 }
293
Begin(KeyPurpose purpose,const AuthorizationSet & in_params,AuthorizationSet * out_params)294 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
295 AuthorizationSet* out_params) {
296 SCOPED_TRACE("Begin");
297 EXPECT_EQ(kOpHandleSentinel, op_handle_);
298 return Begin(purpose, key_blob_, in_params, out_params, &op_handle_);
299 }
300
Begin(KeyPurpose purpose,const AuthorizationSet & in_params)301 ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
302 SCOPED_TRACE("Begin");
303 AuthorizationSet out_params;
304 ErrorCode error = Begin(purpose, in_params, &out_params);
305 EXPECT_TRUE(out_params.empty());
306 return error;
307 }
308
Update(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,AuthorizationSet * out_params,string * output,size_t * input_consumed)309 ErrorCode KeymasterHidlTest::Update(OperationHandle op_handle, const AuthorizationSet& in_params,
310 const string& input, AuthorizationSet* out_params,
311 string* output, size_t* input_consumed) {
312 SCOPED_TRACE("Update");
313 ErrorCode error;
314 EXPECT_TRUE(keymaster_
315 ->update(op_handle, in_params.hidl_data(), HidlBuf(input), HardwareAuthToken(),
316 VerificationToken(),
317 [&](ErrorCode hidl_error, uint32_t hidl_input_consumed,
318 const hidl_vec<KeyParameter>& hidl_out_params,
319 const HidlBuf& hidl_output) {
320 error = hidl_error;
321 out_params->push_back(AuthorizationSet(hidl_out_params));
322 output->append(hidl_output.to_string());
323 *input_consumed = hidl_input_consumed;
324 })
325 .isOk());
326 return error;
327 }
328
Update(const string & input,string * out,size_t * input_consumed)329 ErrorCode KeymasterHidlTest::Update(const string& input, string* out, size_t* input_consumed) {
330 SCOPED_TRACE("Update");
331 AuthorizationSet out_params;
332 ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params,
333 out, input_consumed);
334 EXPECT_TRUE(out_params.empty());
335 return error;
336 }
337
Finish(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,const string & signature,AuthorizationSet * out_params,string * output)338 ErrorCode KeymasterHidlTest::Finish(OperationHandle op_handle, const AuthorizationSet& in_params,
339 const string& input, const string& signature,
340 AuthorizationSet* out_params, string* output) {
341 SCOPED_TRACE("Finish");
342 ErrorCode error;
343 EXPECT_TRUE(
344 keymaster_
345 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature),
346 HardwareAuthToken(), VerificationToken(),
347 [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
348 const HidlBuf& hidl_output) {
349 error = hidl_error;
350 *out_params = hidl_out_params;
351 output->append(hidl_output.to_string());
352 })
353 .isOk());
354 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort().
355 return error;
356 }
357
Finish(const string & message,string * output)358 ErrorCode KeymasterHidlTest::Finish(const string& message, string* output) {
359 SCOPED_TRACE("Finish");
360 AuthorizationSet out_params;
361 string finish_output;
362 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message,
363 "" /* signature */, &out_params, output);
364 if (error != ErrorCode::OK) {
365 return error;
366 }
367 EXPECT_EQ(0U, out_params.size());
368 return error;
369 }
370
Finish(const string & message,const string & signature,string * output)371 ErrorCode KeymasterHidlTest::Finish(const string& message, const string& signature,
372 string* output) {
373 SCOPED_TRACE("Finish");
374 AuthorizationSet out_params;
375 ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature,
376 &out_params, output);
377 op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort().
378 if (error != ErrorCode::OK) {
379 return error;
380 }
381 EXPECT_EQ(0U, out_params.size());
382 return error;
383 }
384
Abort(OperationHandle op_handle)385 ErrorCode KeymasterHidlTest::Abort(OperationHandle op_handle) {
386 SCOPED_TRACE("Abort");
387 auto retval = keymaster_->abort(op_handle);
388 EXPECT_TRUE(retval.isOk());
389 return retval;
390 }
391
AbortIfNeeded()392 void KeymasterHidlTest::AbortIfNeeded() {
393 SCOPED_TRACE("AbortIfNeeded");
394 if (op_handle_ != kOpHandleSentinel) {
395 EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
396 op_handle_ = kOpHandleSentinel;
397 }
398 }
399
AttestKey(const HidlBuf & key_blob,const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)400 ErrorCode KeymasterHidlTest::AttestKey(const HidlBuf& key_blob,
401 const AuthorizationSet& attest_params,
402 hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
403 SCOPED_TRACE("AttestKey");
404 ErrorCode error;
405 auto rc = keymaster_->attestKey(
406 key_blob, attest_params.hidl_data(),
407 [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) {
408 error = hidl_error;
409 *cert_chain = hidl_cert_chain;
410 });
411
412 EXPECT_TRUE(rc.isOk()) << rc.description();
413 if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
414
415 return error;
416 }
417
AttestKey(const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)418 ErrorCode KeymasterHidlTest::AttestKey(const AuthorizationSet& attest_params,
419 hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
420 SCOPED_TRACE("AttestKey");
421 return AttestKey(key_blob_, attest_params, cert_chain);
422 }
423
ProcessMessage(const HidlBuf & key_blob,KeyPurpose operation,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)424 string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation,
425 const string& message, const AuthorizationSet& in_params,
426 AuthorizationSet* out_params) {
427 SCOPED_TRACE("ProcessMessage");
428 AuthorizationSet begin_out_params;
429 EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
430
431 string output;
432 size_t consumed = 0;
433 AuthorizationSet update_params;
434 AuthorizationSet update_out_params;
435 EXPECT_EQ(ErrorCode::OK,
436 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
437
438 string unused;
439 AuthorizationSet finish_params;
440 AuthorizationSet finish_out_params;
441 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused,
442 &finish_out_params, &output));
443 op_handle_ = kOpHandleSentinel;
444
445 out_params->push_back(begin_out_params);
446 out_params->push_back(finish_out_params);
447 return output;
448 }
449
SignMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & params)450 string KeymasterHidlTest::SignMessage(const HidlBuf& key_blob, const string& message,
451 const AuthorizationSet& params) {
452 SCOPED_TRACE("SignMessage");
453 AuthorizationSet out_params;
454 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
455 EXPECT_TRUE(out_params.empty());
456 return signature;
457 }
458
SignMessage(const string & message,const AuthorizationSet & params)459 string KeymasterHidlTest::SignMessage(const string& message, const AuthorizationSet& params) {
460 SCOPED_TRACE("SignMessage");
461 return SignMessage(key_blob_, message, params);
462 }
463
MacMessage(const string & message,Digest digest,size_t mac_length)464 string KeymasterHidlTest::MacMessage(const string& message, Digest digest, size_t mac_length) {
465 SCOPED_TRACE("MacMessage");
466 return SignMessage(
467 key_blob_, message,
468 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
469 }
470
CheckHmacTestVector(const string & key,const string & message,Digest digest,const string & expected_mac)471 void KeymasterHidlTest::CheckHmacTestVector(const string& key, const string& message, Digest digest,
472 const string& expected_mac) {
473 SCOPED_TRACE("CheckHmacTestVector");
474 ASSERT_EQ(ErrorCode::OK,
475 ImportKey(AuthorizationSetBuilder()
476 .Authorization(TAG_NO_AUTH_REQUIRED)
477 .HmacKey(key.size() * 8)
478 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
479 .Digest(digest),
480 KeyFormat::RAW, key));
481 string signature = MacMessage(message, digest, expected_mac.size() * 8);
482 EXPECT_EQ(expected_mac, signature)
483 << "Test vector didn't match for key of size " << key.size() << " message of size "
484 << message.size() << " and digest " << digest;
485 CheckedDeleteKey();
486 }
487
CheckAesCtrTestVector(const string & key,const string & nonce,const string & message,const string & expected_ciphertext)488 void KeymasterHidlTest::CheckAesCtrTestVector(const string& key, const string& nonce,
489 const string& message,
490 const string& expected_ciphertext) {
491 SCOPED_TRACE("CheckAesCtrTestVector");
492 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
493 .Authorization(TAG_NO_AUTH_REQUIRED)
494 .AesEncryptionKey(key.size() * 8)
495 .BlockMode(BlockMode::CTR)
496 .Authorization(TAG_CALLER_NONCE)
497 .Padding(PaddingMode::NONE),
498 KeyFormat::RAW, key));
499
500 auto params = AuthorizationSetBuilder()
501 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
502 .BlockMode(BlockMode::CTR)
503 .Padding(PaddingMode::NONE);
504 AuthorizationSet out_params;
505 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
506 EXPECT_EQ(expected_ciphertext, ciphertext);
507 }
508
CheckTripleDesTestVector(KeyPurpose purpose,BlockMode block_mode,PaddingMode padding_mode,const string & key,const string & iv,const string & input,const string & expected_output)509 void KeymasterHidlTest::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
510 PaddingMode padding_mode, const string& key,
511 const string& iv, const string& input,
512 const string& expected_output) {
513 auto authset = AuthorizationSetBuilder()
514 .TripleDesEncryptionKey(key.size() * 7)
515 .BlockMode(block_mode)
516 .Authorization(TAG_NO_AUTH_REQUIRED)
517 .Padding(padding_mode);
518 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
519 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
520 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
521 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
522 AuthorizationSet output_params;
523 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
524 EXPECT_EQ(expected_output, output);
525 }
526
VerifyMessage(const HidlBuf & key_blob,const string & message,const string & signature,const AuthorizationSet & params)527 void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& message,
528 const string& signature, const AuthorizationSet& params) {
529 SCOPED_TRACE("VerifyMessage");
530 AuthorizationSet begin_out_params;
531 ASSERT_EQ(ErrorCode::OK,
532 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_));
533
534 string output;
535 AuthorizationSet update_params;
536 AuthorizationSet update_out_params;
537 size_t consumed;
538 ASSERT_EQ(ErrorCode::OK,
539 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
540 EXPECT_TRUE(output.empty());
541 EXPECT_GT(consumed, 0U);
542
543 string unused;
544 AuthorizationSet finish_params;
545 AuthorizationSet finish_out_params;
546 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature,
547 &finish_out_params, &output));
548 op_handle_ = kOpHandleSentinel;
549 EXPECT_TRUE(output.empty());
550 }
551
VerifyMessage(const string & message,const string & signature,const AuthorizationSet & params)552 void KeymasterHidlTest::VerifyMessage(const string& message, const string& signature,
553 const AuthorizationSet& params) {
554 SCOPED_TRACE("VerifyMessage");
555 VerifyMessage(key_blob_, message, signature, params);
556 }
557
EncryptMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)558 string KeymasterHidlTest::EncryptMessage(const HidlBuf& key_blob, const string& message,
559 const AuthorizationSet& in_params,
560 AuthorizationSet* out_params) {
561 SCOPED_TRACE("EncryptMessage");
562 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
563 }
564
EncryptMessage(const string & message,const AuthorizationSet & params,AuthorizationSet * out_params)565 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params,
566 AuthorizationSet* out_params) {
567 SCOPED_TRACE("EncryptMessage");
568 return EncryptMessage(key_blob_, message, params, out_params);
569 }
570
EncryptMessage(const string & message,const AuthorizationSet & params)571 string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params) {
572 SCOPED_TRACE("EncryptMessage");
573 AuthorizationSet out_params;
574 string ciphertext = EncryptMessage(message, params, &out_params);
575 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
576 return ciphertext;
577 }
578
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding)579 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
580 PaddingMode padding) {
581 SCOPED_TRACE("EncryptMessage");
582 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
583 AuthorizationSet out_params;
584 string ciphertext = EncryptMessage(message, params, &out_params);
585 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
586 return ciphertext;
587 }
588
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,HidlBuf * iv_out)589 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
590 PaddingMode padding, HidlBuf* iv_out) {
591 SCOPED_TRACE("EncryptMessage");
592 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
593 AuthorizationSet out_params;
594 string ciphertext = EncryptMessage(message, params, &out_params);
595 EXPECT_EQ(1U, out_params.size());
596 auto ivVal = out_params.GetTagValue(TAG_NONCE);
597 EXPECT_TRUE(ivVal.isOk());
598 if (ivVal.isOk()) *iv_out = ivVal.value();
599 return ciphertext;
600 }
601
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,const HidlBuf & iv_in)602 string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode,
603 PaddingMode padding, const HidlBuf& iv_in) {
604 SCOPED_TRACE("EncryptMessage");
605 auto params = AuthorizationSetBuilder()
606 .BlockMode(block_mode)
607 .Padding(padding)
608 .Authorization(TAG_NONCE, iv_in);
609 AuthorizationSet out_params;
610 string ciphertext = EncryptMessage(message, params, &out_params);
611 return ciphertext;
612 }
613
DecryptMessage(const HidlBuf & key_blob,const string & ciphertext,const AuthorizationSet & params)614 string KeymasterHidlTest::DecryptMessage(const HidlBuf& key_blob, const string& ciphertext,
615 const AuthorizationSet& params) {
616 SCOPED_TRACE("DecryptMessage");
617 AuthorizationSet out_params;
618 string plaintext =
619 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
620 EXPECT_TRUE(out_params.empty());
621 return plaintext;
622 }
623
DecryptMessage(const string & ciphertext,const AuthorizationSet & params)624 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, const AuthorizationSet& params) {
625 SCOPED_TRACE("DecryptMessage");
626 return DecryptMessage(key_blob_, ciphertext, params);
627 }
628
DecryptMessage(const string & ciphertext,BlockMode block_mode,PaddingMode padding_mode,const HidlBuf & iv)629 string KeymasterHidlTest::DecryptMessage(const string& ciphertext, BlockMode block_mode,
630 PaddingMode padding_mode, const HidlBuf& iv) {
631 SCOPED_TRACE("DecryptMessage");
632 auto params = AuthorizationSetBuilder()
633 .BlockMode(block_mode)
634 .Padding(padding_mode)
635 .Authorization(TAG_NONCE, iv);
636 return DecryptMessage(key_blob_, ciphertext, params);
637 }
638
UpgradeKey(const HidlBuf & key_blob)639 std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_blob) {
640 std::pair<ErrorCode, HidlBuf> retval;
641 keymaster_->upgradeKey(key_blob, hidl_vec<KeyParameter>(),
642 [&](ErrorCode error, const hidl_vec<uint8_t>& upgraded_blob) {
643 retval = std::tie(error, upgraded_blob);
644 });
645 return retval;
646 }
ValidKeySizes(Algorithm algorithm)647 std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) {
648 switch (algorithm) {
649 case Algorithm::RSA:
650 switch (SecLevel()) {
651 case SecurityLevel::TRUSTED_ENVIRONMENT:
652 return {2048, 3072, 4096};
653 case SecurityLevel::STRONGBOX:
654 return {2048};
655 default:
656 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
657 break;
658 }
659 break;
660 case Algorithm::EC:
661 switch (SecLevel()) {
662 case SecurityLevel::TRUSTED_ENVIRONMENT:
663 return {224, 256, 384, 521};
664 case SecurityLevel::STRONGBOX:
665 return {256};
666 default:
667 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
668 break;
669 }
670 break;
671 case Algorithm::AES:
672 return {128, 256};
673 case Algorithm::TRIPLE_DES:
674 return {168};
675 case Algorithm::HMAC: {
676 std::vector<uint32_t> retval((512 - 64) / 8 + 1);
677 uint32_t size = 64 - 8;
678 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
679 return retval;
680 }
681 default:
682 CHECK(false) << "Invalid Algorithm: " << algorithm;
683 return {};
684 }
685 CHECK(false) << "Should be impossible to get here";
686 return {};
687 }
InvalidKeySizes(Algorithm algorithm)688 std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) {
689 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
690 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
691 switch (algorithm) {
692 case Algorithm::RSA:
693 return {3072, 4096};
694 case Algorithm::EC:
695 return {224, 384, 521};
696 case Algorithm::AES:
697 return {192};
698 default:
699 return {};
700 }
701 }
702
ValidCurves()703 std::vector<EcCurve> KeymasterHidlTest::ValidCurves() {
704 if (securityLevel_ == SecurityLevel::STRONGBOX) {
705 return {EcCurve::P_256};
706 } else {
707 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
708 }
709 }
710
InvalidCurves()711 std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() {
712 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
713 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
714 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
715 }
716
ValidDigests(bool withNone,bool withMD5)717 std::vector<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) {
718 switch (SecLevel()) {
719 case SecurityLevel::TRUSTED_ENVIRONMENT:
720 if (withNone) {
721 if (withMD5)
722 return {Digest::NONE, Digest::MD5, Digest::SHA1,
723 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
724 Digest::SHA_2_512};
725 else
726 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
727 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
728 } else {
729 if (withMD5)
730 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
731 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
732 else
733 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
734 Digest::SHA_2_512};
735 }
736 break;
737 case SecurityLevel::STRONGBOX:
738 if (withNone)
739 return {Digest::NONE, Digest::SHA_2_256};
740 else
741 return {Digest::SHA_2_256};
742 break;
743 default:
744 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
745 break;
746 }
747 CHECK(false) << "Should be impossible to get here";
748 return {};
749 }
750
InvalidDigests()751 std::vector<Digest> KeymasterHidlTest::InvalidDigests() {
752 return {};
753 }
754
755 } // namespace test
756 } // namespace V4_0
757 } // namespace keymaster
758 } // namespace hardware
759 } // namespace android
760