1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fstream>
18 #include <memory>
19 #include <string>
20 #include <vector>
21
22 #include <openssl/evp.h>
23 #include <openssl/x509.h>
24
25 #include <keymaster/android_keymaster.h>
26 #include <keymaster/contexts/pure_soft_keymaster_context.h>
27 #include <keymaster/contexts/soft_keymaster_context.h>
28 #include <keymaster/key_factory.h>
29 #include <keymaster/km_openssl/attestation_record.h>
30 #include <keymaster/km_openssl/hmac_key.h>
31 #include <keymaster/km_openssl/openssl_utils.h>
32 #include <keymaster/km_openssl/soft_keymaster_enforcement.h>
33 #include <keymaster/soft_keymaster_device.h>
34
35 #include "android_keymaster_test_utils.h"
36 #include "test_keys.h"
37
38 using std::ifstream;
39 using std::istreambuf_iterator;
40 using std::ofstream;
41 using std::string;
42 using std::unique_ptr;
43 using std::vector;
44
45 extern "C" {
46 int __android_log_print(int prio, const char* tag, const char* fmt);
__android_log_print(int prio,const char * tag,const char * fmt)47 int __android_log_print(int prio, const char* tag, const char* fmt) {
48 (void)prio, (void)tag, (void)fmt;
49 return 0;
50 }
51 } // extern "C"
52
53 namespace {
54
55 // For some reason std::make_unique isn't available. Define make_unique.
make_unique(Args &&...args)56 template <typename T, typename... Args> std::unique_ptr<T> make_unique(Args&&... args) {
57 return std::unique_ptr<T>(new T(std::forward<Args>(args)...));
58 }
59
60 } // namespace
61
62 namespace keymaster {
63 namespace test {
64
65 const uint32_t kOsVersion = 060000;
66 const uint32_t kOsPatchLevel = 201603;
67
68 StdoutLogger logger;
69
make_vector(const T * array,size_t len)70 template <typename T> vector<T> make_vector(const T* array, size_t len) {
71 return vector<T>(array, array + len);
72 }
73
74 /**
75 * KeymasterEnforcement class for use in testing. It's permissive in the sense that it doesn't
76 * check cryptoperiods, but restrictive in the sense that the clock never advances (so rate-limited
77 * keys will only work once).
78 */
79 class TestKeymasterEnforcement : public SoftKeymasterEnforcement {
80 public:
TestKeymasterEnforcement()81 TestKeymasterEnforcement() : SoftKeymasterEnforcement(3, 3) {}
82
activation_date_valid(uint64_t) const83 virtual bool activation_date_valid(uint64_t /* activation_date */) const { return true; }
expiration_date_passed(uint64_t) const84 virtual bool expiration_date_passed(uint64_t /* expiration_date */) const { return false; }
auth_token_timed_out(const hw_auth_token_t &,uint32_t) const85 virtual bool auth_token_timed_out(const hw_auth_token_t& /* token */,
86 uint32_t /* timeout */) const {
87 return false;
88 }
get_current_time() const89 virtual uint32_t get_current_time() const { return 0; }
ValidateTokenSignature(const hw_auth_token_t &) const90 virtual bool ValidateTokenSignature(const hw_auth_token_t& /* token */) const { return true; }
91 };
92
93 /**
94 * Variant of SoftKeymasterContext that provides a TestKeymasterEnforcement.
95 */
96 class TestKeymasterContext : public SoftKeymasterContext {
97 public:
TestKeymasterContext()98 TestKeymasterContext() : SoftKeymasterContext(kCurrentKmVersion) {}
TestKeymasterContext(KmVersion version)99 TestKeymasterContext(KmVersion version) : SoftKeymasterContext(version) {}
TestKeymasterContext(const string & root_of_trust)100 explicit TestKeymasterContext(const string& root_of_trust)
101 : SoftKeymasterContext(kCurrentKmVersion, root_of_trust) {}
TestKeymasterContext(KmVersion version,const string & root_of_trust)102 explicit TestKeymasterContext(KmVersion version, const string& root_of_trust)
103 : SoftKeymasterContext(version, root_of_trust) {}
104
enforcement_policy()105 KeymasterEnforcement* enforcement_policy() override { return &test_policy_; }
106
107 private:
108 TestKeymasterEnforcement test_policy_;
109 };
110
111 /**
112 * Test instance creator that builds a pure software keymaster2 implementation.
113 */
114 class SoftKeymasterTestInstanceCreator : public Keymaster2TestInstanceCreator {
115 public:
CreateDevice() const116 keymaster2_device_t* CreateDevice() const override {
117 std::cerr << "Creating software-only device" << std::endl;
118 context_ = new TestKeymasterContext(KmVersion::KEYMASTER_4_1);
119 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
120 AuthorizationSet version_info(AuthorizationSetBuilder()
121 .Authorization(TAG_OS_VERSION, kOsVersion)
122 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
123 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
124 return device->keymaster2_device();
125 }
126
is_keymaster1_hw() const127 bool is_keymaster1_hw() const override { return false; }
keymaster_context() const128 KeymasterContext* keymaster_context() const override { return context_; }
name() const129 string name() const override { return "Soft Keymaster2"; }
km_version() const130 KmVersion km_version() const override { return KmVersion::KEYMASTER_4_1; }
131
132 private:
133 mutable TestKeymasterContext* context_;
134 };
135
136 /**
137 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
138 * instance, with minimal digest support.
139 */
140 class Sha256OnlyKeymaster1TestInstanceCreator : public Keymaster2TestInstanceCreator {
CreateDevice() const141 keymaster2_device_t* CreateDevice() const override {
142 std::cerr << "Creating keymaster1-backed device that supports only SHA256";
143
144 // fake_device doesn't leak because device (below) takes ownership of it.
145 keymaster1_device_t* fake_device =
146 make_device_sha256_only((new SoftKeymasterDevice(new TestKeymasterContext(
147 KmVersion::KEYMASTER_4_1, "PseudoHW")))
148 ->keymaster_device());
149
150 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
151 context_ = new TestKeymasterContext(KmVersion::KEYMASTER_4_1);
152 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
153 device->SetHardwareDevice(fake_device);
154
155 AuthorizationSet version_info(AuthorizationSetBuilder()
156 .Authorization(TAG_OS_VERSION, kOsVersion)
157 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
158 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
159 return device->keymaster2_device();
160 }
161
minimal_digest_set() const162 int minimal_digest_set() const override { return true; }
is_keymaster1_hw() const163 bool is_keymaster1_hw() const override { return true; }
keymaster_context() const164 KeymasterContext* keymaster_context() const override { return context_; }
name() const165 string name() const override { return "Wrapped fake keymaster1 w/minimal digests"; }
km_version() const166 KmVersion km_version() const override { return KmVersion::KEYMASTER_4_1; }
167
168 private:
169 mutable TestKeymasterContext* context_;
170 };
171
172 /**
173 * Test instance creator that builds a SoftKeymasterDevice which wraps a fake hardware keymaster1
174 * instance, with full digest support
175 */
176 class Keymaster1TestInstanceCreator : public Keymaster2TestInstanceCreator {
CreateDevice() const177 keymaster2_device_t* CreateDevice() const override {
178 std::cerr << "Creating keymaster1-backed device";
179
180 // fake_device doesn't leak because device (below) takes ownership of it.
181 keymaster1_device_t* fake_device = (new SoftKeymasterDevice(new TestKeymasterContext(
182 KmVersion::KEYMASTER_4_1, "PseudoHW")))
183 ->keymaster_device();
184
185 // device doesn't leak; it's cleaned up by device->keymaster_device()->common.close().
186 context_ = new TestKeymasterContext(KmVersion::KEYMASTER_4_1);
187 SoftKeymasterDevice* device = new SoftKeymasterDevice(context_);
188 device->SetHardwareDevice(fake_device);
189
190 AuthorizationSet version_info(AuthorizationSetBuilder()
191 .Authorization(TAG_OS_VERSION, kOsVersion)
192 .Authorization(TAG_OS_PATCHLEVEL, kOsPatchLevel));
193 device->keymaster2_device()->configure(device->keymaster2_device(), &version_info);
194 return device->keymaster2_device();
195 }
196
minimal_digest_set() const197 int minimal_digest_set() const override { return false; }
is_keymaster1_hw() const198 bool is_keymaster1_hw() const override { return true; }
keymaster_context() const199 KeymasterContext* keymaster_context() const override { return context_; }
name() const200 string name() const override { return "Wrapped fake keymaster1 w/full digests"; }
km_version() const201 KmVersion km_version() const override { return KmVersion::KEYMASTER_4_1; }
202
203 private:
204 mutable TestKeymasterContext* context_;
205 };
206
207 static auto test_params =
208 testing::Values(InstanceCreatorPtr(new SoftKeymasterTestInstanceCreator),
209 InstanceCreatorPtr(new Keymaster1TestInstanceCreator),
210 InstanceCreatorPtr(new Sha256OnlyKeymaster1TestInstanceCreator));
211
212 class NewKeyGeneration : public Keymaster2Test {
213 protected:
CheckBaseParams()214 void CheckBaseParams() {
215 AuthorizationSet auths = sw_enforced();
216 EXPECT_GT(auths.SerializedSize(), 12U);
217
218 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_SIGN));
219 EXPECT_TRUE(contains(auths, TAG_PURPOSE, KM_PURPOSE_VERIFY));
220 EXPECT_TRUE(contains(auths, TAG_USER_ID, 7));
221 EXPECT_TRUE(contains(auths, TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD));
222 EXPECT_TRUE(contains(auths, TAG_AUTH_TIMEOUT, 300));
223
224 // Verify that App ID, App data and ROT are NOT included.
225 EXPECT_FALSE(contains(auths, TAG_ROOT_OF_TRUST));
226 EXPECT_FALSE(contains(auths, TAG_APPLICATION_ID));
227 EXPECT_FALSE(contains(auths, TAG_APPLICATION_DATA));
228
229 // Just for giggles, check that some unexpected tags/values are NOT present.
230 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
231 EXPECT_FALSE(contains(auths, TAG_PURPOSE, KM_PURPOSE_DECRYPT));
232 EXPECT_FALSE(contains(auths, TAG_AUTH_TIMEOUT, 301));
233
234 // Now check that unspecified, defaulted tags are correct.
235 EXPECT_TRUE(contains(auths, KM_TAG_CREATION_DATETIME));
236 if (GetParam()->is_keymaster1_hw()) {
237 // If the underlying (faked) HW is KM1, it will not have version info.
238 EXPECT_FALSE(auths.Contains(TAG_OS_VERSION));
239 EXPECT_FALSE(auths.Contains(TAG_OS_PATCHLEVEL));
240 } else {
241 // In all othe cases; SoftKeymasterDevice keys, or keymaster0 keys wrapped by
242 // SoftKeymasterDevice, version information will be present and up to date.
243 EXPECT_TRUE(contains(auths, TAG_OS_VERSION, kOsVersion));
244 EXPECT_TRUE(contains(auths, TAG_OS_PATCHLEVEL, kOsPatchLevel));
245 }
246 }
247 };
248 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, NewKeyGeneration, test_params);
249
TEST_P(NewKeyGeneration,Rsa)250 TEST_P(NewKeyGeneration, Rsa) {
251 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
252 .RsaSigningKey(256, 3)
253 .Digest(KM_DIGEST_NONE)
254 .Padding(KM_PAD_NONE)));
255 CheckBaseParams();
256
257 // Check specified tags are all present, and in the right set.
258 AuthorizationSet crypto_params;
259 AuthorizationSet non_crypto_params;
260 EXPECT_EQ(0U, hw_enforced().size());
261 EXPECT_NE(0U, sw_enforced().size());
262 crypto_params.push_back(sw_enforced());
263
264 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
265 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_RSA));
266 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 256));
267 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 256));
268 EXPECT_TRUE(contains(crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
269 EXPECT_FALSE(contains(non_crypto_params, TAG_RSA_PUBLIC_EXPONENT, 3));
270
271 EXPECT_EQ(KM_ERROR_OK, DeleteKey());
272 }
273
TEST_P(NewKeyGeneration,RsaDefaultSize)274 TEST_P(NewKeyGeneration, RsaDefaultSize) {
275 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
276 GenerateKey(AuthorizationSetBuilder()
277 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_RSA)
278 .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
279 .SigningKey()));
280 }
281
TEST_P(NewKeyGeneration,Ecdsa)282 TEST_P(NewKeyGeneration, Ecdsa) {
283 ASSERT_EQ(KM_ERROR_OK,
284 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
285 CheckBaseParams();
286
287 // Check specified tags are all present, and in the right set.
288 AuthorizationSet crypto_params;
289 AuthorizationSet non_crypto_params;
290 EXPECT_EQ(0U, hw_enforced().size());
291 EXPECT_NE(0U, sw_enforced().size());
292 crypto_params.push_back(sw_enforced());
293
294 EXPECT_TRUE(contains(crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
295 EXPECT_FALSE(contains(non_crypto_params, TAG_ALGORITHM, KM_ALGORITHM_EC));
296 EXPECT_TRUE(contains(crypto_params, TAG_KEY_SIZE, 224));
297 EXPECT_FALSE(contains(non_crypto_params, TAG_KEY_SIZE, 224));
298 }
299
TEST_P(NewKeyGeneration,EcdsaDefaultSize)300 TEST_P(NewKeyGeneration, EcdsaDefaultSize) {
301 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
302 GenerateKey(AuthorizationSetBuilder()
303 .Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC)
304 .SigningKey()
305 .Digest(KM_DIGEST_NONE)));
306 }
307
TEST_P(NewKeyGeneration,EcdsaInvalidSize)308 TEST_P(NewKeyGeneration, EcdsaInvalidSize) {
309 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
310 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(KM_DIGEST_NONE)));
311 }
312
TEST_P(NewKeyGeneration,EcdsaMismatchKeySize)313 TEST_P(NewKeyGeneration, EcdsaMismatchKeySize) {
314 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT,
315 GenerateKey(AuthorizationSetBuilder()
316 .EcdsaSigningKey(224)
317 .Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256)
318 .Digest(KM_DIGEST_NONE)));
319 }
320
TEST_P(NewKeyGeneration,EcdsaAllValidSizes)321 TEST_P(NewKeyGeneration, EcdsaAllValidSizes) {
322 size_t valid_sizes[] = {224, 256, 384, 521};
323 for (size_t size : valid_sizes) {
324 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(
325 KM_DIGEST_NONE)))
326 << "Failed to generate size: " << size;
327 }
328 }
329
TEST_P(NewKeyGeneration,HmacSha256)330 TEST_P(NewKeyGeneration, HmacSha256) {
331 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
332 .HmacKey(128)
333 .Digest(KM_DIGEST_SHA_2_256)
334 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
335 }
336
TEST_P(NewKeyGeneration,CheckKeySizes)337 TEST_P(NewKeyGeneration, CheckKeySizes) {
338 for (size_t key_size = 0; key_size <= kMaxHmacKeyLengthBits + 10; ++key_size) {
339 if (key_size < kMinHmacKeyLengthBits || key_size > kMaxHmacKeyLengthBits ||
340 key_size % 8 != 0) {
341 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_SIZE,
342 GenerateKey(AuthorizationSetBuilder()
343 .HmacKey(key_size)
344 .Digest(KM_DIGEST_SHA_2_256)
345 .Authorization(TAG_MIN_MAC_LENGTH, 256)))
346 << "HMAC key size " << key_size << " invalid.";
347 } else {
348 EXPECT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
349 .HmacKey(key_size)
350 .Digest(KM_DIGEST_SHA_2_256)
351 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
352 }
353 }
354 }
355
TEST_P(NewKeyGeneration,HmacMultipleDigests)356 TEST_P(NewKeyGeneration, HmacMultipleDigests) {
357 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
358 GenerateKey(AuthorizationSetBuilder()
359 .HmacKey(128)
360 .Digest(KM_DIGEST_SHA1)
361 .Digest(KM_DIGEST_SHA_2_256)
362 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
363 }
364
TEST_P(NewKeyGeneration,HmacDigestNone)365 TEST_P(NewKeyGeneration, HmacDigestNone) {
366 ASSERT_EQ(KM_ERROR_UNSUPPORTED_DIGEST,
367 GenerateKey(AuthorizationSetBuilder()
368 .HmacKey(128)
369 .Digest(KM_DIGEST_NONE)
370 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
371 }
372
TEST_P(NewKeyGeneration,HmacSha256TooShortMacLength)373 TEST_P(NewKeyGeneration, HmacSha256TooShortMacLength) {
374 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
375 GenerateKey(AuthorizationSetBuilder()
376 .HmacKey(128)
377 .Digest(KM_DIGEST_SHA_2_256)
378 .Authorization(TAG_MIN_MAC_LENGTH, 48)));
379 }
380
TEST_P(NewKeyGeneration,HmacSha256NonIntegralOctetMacLength)381 TEST_P(NewKeyGeneration, HmacSha256NonIntegralOctetMacLength) {
382 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
383 GenerateKey(AuthorizationSetBuilder()
384 .HmacKey(128)
385 .Digest(KM_DIGEST_SHA_2_256)
386 .Authorization(TAG_MIN_MAC_LENGTH, 130)));
387 }
388
TEST_P(NewKeyGeneration,HmacSha256TooLongMacLength)389 TEST_P(NewKeyGeneration, HmacSha256TooLongMacLength) {
390 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH,
391 GenerateKey(AuthorizationSetBuilder()
392 .HmacKey(128)
393 .Digest(KM_DIGEST_SHA_2_256)
394 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
395 }
396
397 typedef Keymaster2Test GetKeyCharacteristics;
398 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, GetKeyCharacteristics, test_params);
399
TEST_P(GetKeyCharacteristics,SimpleRsa)400 TEST_P(GetKeyCharacteristics, SimpleRsa) {
401 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
402 .RsaSigningKey(256, 3)
403 .Digest(KM_DIGEST_NONE)
404 .Padding(KM_PAD_NONE)));
405 AuthorizationSet original(sw_enforced());
406
407 ASSERT_EQ(KM_ERROR_OK, GetCharacteristics());
408 EXPECT_EQ(original, sw_enforced());
409 }
410
411 typedef Keymaster2Test SigningOperationsTest;
412 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, SigningOperationsTest, test_params);
413
TEST_P(SigningOperationsTest,RsaSuccess)414 TEST_P(SigningOperationsTest, RsaSuccess) {
415 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
416 .RsaSigningKey(256, 3)
417 .Digest(KM_DIGEST_NONE)
418 .Padding(KM_PAD_NONE)));
419 string message = "12345678901234567890123456789012";
420 string signature;
421 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
422 }
423
TEST_P(SigningOperationsTest,RsaPssSha256Success)424 TEST_P(SigningOperationsTest, RsaPssSha256Success) {
425 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
426 .RsaSigningKey(768, 3)
427 .Digest(KM_DIGEST_SHA_2_256)
428 .Padding(KM_PAD_RSA_PSS)));
429 // Use large message, which won't work without digesting.
430 string message(1024, 'a');
431 string signature;
432 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
433 }
434
TEST_P(SigningOperationsTest,RsaPaddingNoneDoesNotAllowOther)435 TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
436 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
437 .RsaSigningKey(512, 3)
438 .Digest(KM_DIGEST_NONE)
439 .Padding(KM_PAD_NONE)));
440 string message = "12345678901234567890123456789012";
441 string signature;
442
443 AuthorizationSet begin_params(client_params());
444 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
445 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
446 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
447 }
448
TEST_P(SigningOperationsTest,RsaPkcs1Sha256Success)449 TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
450 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
451 .RsaSigningKey(512, 3)
452 .Digest(KM_DIGEST_SHA_2_256)
453 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
454 string message(1024, 'a');
455 string signature;
456 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
457 }
458
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestSuccess)459 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
460 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
461 .RsaSigningKey(512, 3)
462 .Digest(KM_DIGEST_NONE)
463 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
464 string message(53, 'a');
465 string signature;
466 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_RSA_PKCS1_1_5_SIGN);
467 }
468
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestTooLarge)469 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLarge) {
470 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
471 .RsaSigningKey(512, 3)
472 .Digest(KM_DIGEST_NONE)
473 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
474 string message(54, 'a');
475
476 AuthorizationSet begin_params(client_params());
477 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
478 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
479 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
480 string result;
481 string signature;
482 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &signature));
483 }
484
TEST_P(SigningOperationsTest,RsaPssSha256TooSmallKey)485 TEST_P(SigningOperationsTest, RsaPssSha256TooSmallKey) {
486 // Key must be at least 10 bytes larger than hash, to provide eight bytes of random salt, so
487 // verify that nine bytes larger than hash won't work.
488 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
489 .RsaSigningKey(256 + 9 * 8, 3)
490 .Digest(KM_DIGEST_SHA_2_256)
491 .Padding(KM_PAD_RSA_PSS)));
492 string message(1024, 'a');
493 string signature;
494
495 AuthorizationSet begin_params(client_params());
496 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
497 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
498 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
499 }
500
TEST_P(SigningOperationsTest,RsaNoPaddingHugeData)501 TEST_P(SigningOperationsTest, RsaNoPaddingHugeData) {
502 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
503 .RsaSigningKey(256, 3)
504 .Digest(KM_DIGEST_NONE)
505 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
506 string message(64 * 1024, 'a');
507 string signature;
508 AuthorizationSet begin_params(client_params());
509 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
510 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
511 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
512 string result;
513 size_t input_consumed;
514 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
515 }
516
TEST_P(SigningOperationsTest,RsaAbort)517 TEST_P(SigningOperationsTest, RsaAbort) {
518 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
519 .RsaSigningKey(256, 3)
520 .Digest(KM_DIGEST_NONE)
521 .Padding(KM_PAD_NONE)));
522 AuthorizationSet begin_params(client_params());
523 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
524 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
525 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
526 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
527 // Another abort should fail
528 EXPECT_EQ(KM_ERROR_INVALID_OPERATION_HANDLE, AbortOperation());
529 }
530
TEST_P(SigningOperationsTest,RsaUnsupportedPadding)531 TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
532 GenerateKey(AuthorizationSetBuilder()
533 .RsaSigningKey(256, 3)
534 .Digest(KM_DIGEST_SHA_2_256 /* supported digest */)
535 .Padding(KM_PAD_PKCS7));
536 AuthorizationSet begin_params(client_params());
537 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
538 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
539 }
540
TEST_P(SigningOperationsTest,RsaNoDigest)541 TEST_P(SigningOperationsTest, RsaNoDigest) {
542 // PSS requires a digest.
543 GenerateKey(AuthorizationSetBuilder()
544 .RsaSigningKey(256, 3)
545 .Digest(KM_DIGEST_NONE)
546 .Padding(KM_PAD_RSA_PSS));
547 AuthorizationSet begin_params(client_params());
548 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
549 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
550 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_SIGN, begin_params));
551 }
552
TEST_P(SigningOperationsTest,RsaNoPadding)553 TEST_P(SigningOperationsTest, RsaNoPadding) {
554 // Padding must be specified
555 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaKey(256, 3).SigningKey().Digest(
556 KM_DIGEST_NONE)));
557 AuthorizationSet begin_params(client_params());
558 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
559 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
560 }
561
TEST_P(SigningOperationsTest,RsaTooShortMessage)562 TEST_P(SigningOperationsTest, RsaTooShortMessage) {
563 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
564 .RsaSigningKey(256, 3)
565 .Digest(KM_DIGEST_NONE)
566 .Padding(KM_PAD_NONE)));
567 string message = "1234567890123456789012345678901";
568 string signature;
569 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
570 }
571
TEST_P(SigningOperationsTest,RsaSignWithEncryptionKey)572 TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
573 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
574 .RsaEncryptionKey(256, 3)
575 .Digest(KM_DIGEST_NONE)
576 .Padding(KM_PAD_NONE)));
577 AuthorizationSet begin_params(client_params());
578 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
579 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
580 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
581 }
582
TEST_P(SigningOperationsTest,RsaSignTooLargeMessage)583 TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
584 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
585 .RsaSigningKey(256, 3)
586 .Digest(KM_DIGEST_NONE)
587 .Padding(KM_PAD_NONE)));
588 string message(256 / 8, static_cast<char>(0xff));
589 string signature;
590 AuthorizationSet begin_params(client_params());
591 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
592 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
593 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
594 string result;
595 size_t input_consumed;
596 ASSERT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
597 ASSERT_EQ(message.size(), input_consumed);
598 string output;
599 ASSERT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&output));
600 }
601
TEST_P(SigningOperationsTest,EcdsaSuccess)602 TEST_P(SigningOperationsTest, EcdsaSuccess) {
603 ASSERT_EQ(KM_ERROR_OK,
604 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
605 string message(224 / 8, 'a');
606 string signature;
607 SignMessage(message, &signature, KM_DIGEST_NONE);
608 }
609
TEST_P(SigningOperationsTest,EcdsaSha256Success)610 TEST_P(SigningOperationsTest, EcdsaSha256Success) {
611 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
612 KM_DIGEST_SHA_2_256)));
613 string message(1024, 'a');
614 string signature;
615 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
616 }
617
TEST_P(SigningOperationsTest,EcdsaSha384Success)618 TEST_P(SigningOperationsTest, EcdsaSha384Success) {
619 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(
620 KM_DIGEST_SHA_2_384)));
621 string message(1024, 'a');
622 string signature;
623 SignMessage(message, &signature, KM_DIGEST_SHA_2_384);
624 }
625
TEST_P(SigningOperationsTest,EcdsaNoPaddingHugeData)626 TEST_P(SigningOperationsTest, EcdsaNoPaddingHugeData) {
627 ASSERT_EQ(KM_ERROR_OK,
628 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
629 string message(64 * 1024, 'a');
630 string signature;
631 AuthorizationSet begin_params(client_params());
632 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
633 ASSERT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
634 string result;
635 size_t input_consumed;
636 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
637 }
638
TEST_P(SigningOperationsTest,EcdsaAllSizesAndHashes)639 TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
640 vector<int> key_sizes = {224, 256, 384, 521};
641 vector<keymaster_digest_t> digests = {
642 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
643 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
644 };
645
646 for (int key_size : key_sizes) {
647 for (keymaster_digest_t digest : digests) {
648 ASSERT_EQ(
649 KM_ERROR_OK,
650 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(digest)));
651
652 string message(1024, 'a');
653 string signature;
654 if (digest == KM_DIGEST_NONE) message.resize(key_size / 8);
655 SignMessage(message, &signature, digest);
656 }
657 }
658 }
659
TEST_P(SigningOperationsTest,AesEcbSign)660 TEST_P(SigningOperationsTest, AesEcbSign) {
661 ASSERT_EQ(KM_ERROR_OK,
662 GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128).Authorization(
663 TAG_BLOCK_MODE, KM_MODE_ECB)));
664 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_SIGN));
665 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_VERIFY));
666 }
667
TEST_P(SigningOperationsTest,HmacSha1Success)668 TEST_P(SigningOperationsTest, HmacSha1Success) {
669 GenerateKey(AuthorizationSetBuilder()
670 .HmacKey(128)
671 .Digest(KM_DIGEST_SHA1)
672 .Authorization(TAG_MIN_MAC_LENGTH, 160));
673 string message = "12345678901234567890123456789012";
674 string signature;
675 MacMessage(message, &signature, 160);
676 ASSERT_EQ(20U, signature.size());
677 }
678
TEST_P(SigningOperationsTest,HmacSha224Success)679 TEST_P(SigningOperationsTest, HmacSha224Success) {
680 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
681 .HmacKey(128)
682 .Digest(KM_DIGEST_SHA_2_224)
683 .Authorization(TAG_MIN_MAC_LENGTH, 160)));
684 string message = "12345678901234567890123456789012";
685 string signature;
686 MacMessage(message, &signature, 224);
687 ASSERT_EQ(28U, signature.size());
688 }
689
TEST_P(SigningOperationsTest,HmacSha256Success)690 TEST_P(SigningOperationsTest, HmacSha256Success) {
691 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
692 .HmacKey(128)
693 .Digest(KM_DIGEST_SHA_2_256)
694 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
695 string message = "12345678901234567890123456789012";
696 string signature;
697 MacMessage(message, &signature, 256);
698 ASSERT_EQ(32U, signature.size());
699 }
700
TEST_P(SigningOperationsTest,HmacSha384Success)701 TEST_P(SigningOperationsTest, HmacSha384Success) {
702 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
703 .HmacKey(128)
704 .Digest(KM_DIGEST_SHA_2_384)
705 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
706
707 string message = "12345678901234567890123456789012";
708 string signature;
709 MacMessage(message, &signature, 384);
710 ASSERT_EQ(48U, signature.size());
711 }
712
TEST_P(SigningOperationsTest,HmacSha512Success)713 TEST_P(SigningOperationsTest, HmacSha512Success) {
714 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
715 .HmacKey(128)
716 .Digest(KM_DIGEST_SHA_2_512)
717 .Authorization(TAG_MIN_MAC_LENGTH, 384)));
718 string message = "12345678901234567890123456789012";
719 string signature;
720 MacMessage(message, &signature, 512);
721 ASSERT_EQ(64U, signature.size());
722 }
723
TEST_P(SigningOperationsTest,HmacLengthInKey)724 TEST_P(SigningOperationsTest, HmacLengthInKey) {
725 // TODO(swillden): unified API should generate an error on key generation.
726 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
727 .HmacKey(128)
728 .Digest(KM_DIGEST_SHA_2_256)
729 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
730 string message = "12345678901234567890123456789012";
731 string signature;
732 MacMessage(message, &signature, 160);
733 ASSERT_EQ(20U, signature.size());
734 }
735
TEST_P(SigningOperationsTest,HmacRfc4231TestCase3)736 TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
737 string key(20, 0xaa);
738 string message(50, 0xdd);
739 uint8_t sha_224_expected[] = {
740 0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
741 0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
742 };
743 uint8_t sha_256_expected[] = {
744 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
745 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
746 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
747 };
748 uint8_t sha_384_expected[] = {
749 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
750 0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
751 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
752 0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
753 };
754 uint8_t sha_512_expected[] = {
755 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
756 0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
757 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
758 0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
759 0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
760 };
761
762 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
763 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
764 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
765 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
766 }
767
TEST_P(SigningOperationsTest,HmacRfc4231TestCase4)768 TEST_P(SigningOperationsTest, HmacRfc4231TestCase4) {
769 uint8_t key_data[25] = {
770 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
771 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
772 };
773 string key = make_string(key_data);
774 string message(50, 0xcd);
775 uint8_t sha_224_expected[] = {
776 0x6c, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3c, 0xac, 0x6a, 0x2a, 0xbc, 0x1b, 0xb3, 0x82,
777 0x62, 0x7c, 0xec, 0x6a, 0x90, 0xd8, 0x6e, 0xfc, 0x01, 0x2d, 0xe7, 0xaf, 0xec, 0x5a,
778 };
779 uint8_t sha_256_expected[] = {
780 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81,
781 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78,
782 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b,
783 };
784 uint8_t sha_384_expected[] = {
785 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85, 0x19, 0x33, 0xab, 0x62,
786 0x90, 0xaf, 0x6c, 0xa7, 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
787 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e, 0x68, 0x01, 0xdd, 0x23,
788 0xc4, 0xa7, 0xd6, 0x79, 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb,
789 };
790 uint8_t sha_512_expected[] = {
791 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69, 0x90, 0xe5, 0xa8, 0xc5, 0xf6,
792 0x1d, 0x4a, 0xf7, 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d, 0xe7, 0x6f,
793 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb, 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e,
794 0xb4, 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63, 0xa5, 0xf1, 0x97, 0x41,
795 0x12, 0x0c, 0x4f, 0x2d, 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd,
796 };
797
798 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
799 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
800 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
801 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
802 }
803
TEST_P(SigningOperationsTest,HmacRfc4231TestCase5)804 TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
805 string key(20, 0x0c);
806 string message = "Test With Truncation";
807
808 uint8_t sha_224_expected[] = {
809 0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
810 0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
811 };
812 uint8_t sha_256_expected[] = {
813 0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
814 0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
815 };
816 uint8_t sha_384_expected[] = {
817 0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
818 0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
819 };
820 uint8_t sha_512_expected[] = {
821 0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
822 0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
823 };
824
825 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
826 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
827 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
828 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
829 }
830
TEST_P(SigningOperationsTest,HmacRfc4231TestCase6)831 TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
832 string key(131, 0xaa);
833 string message = "Test Using Larger Than Block-Size Key - Hash Key First";
834
835 uint8_t sha_224_expected[] = {
836 0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
837 0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
838 };
839 uint8_t sha_256_expected[] = {
840 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
841 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
842 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
843 };
844 uint8_t sha_384_expected[] = {
845 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
846 0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
847 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
848 0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
849 };
850 uint8_t sha_512_expected[] = {
851 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
852 0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
853 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
854 0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
855 0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
856 };
857
858 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
859 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
860 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
861 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
862 }
863
TEST_P(SigningOperationsTest,HmacRfc4231TestCase7)864 TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
865 string key(131, 0xaa);
866 string message = "This is a test using a larger than block-size key and a larger than "
867 "block-size data. The key needs to be hashed before being used by the HMAC "
868 "algorithm.";
869
870 uint8_t sha_224_expected[] = {
871 0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
872 0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
873 };
874 uint8_t sha_256_expected[] = {
875 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
876 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
877 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
878 };
879 uint8_t sha_384_expected[] = {
880 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
881 0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
882 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
883 0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
884 };
885 uint8_t sha_512_expected[] = {
886 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
887 0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
888 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
889 0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
890 0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
891 };
892
893 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_224, make_string(sha_224_expected));
894 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_256, make_string(sha_256_expected));
895 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_384, make_string(sha_384_expected));
896 CheckHmacTestVector(key, message, KM_DIGEST_SHA_2_512, make_string(sha_512_expected));
897 }
898
TEST_P(SigningOperationsTest,HmacSha256TooLargeMacLength)899 TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
900 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
901 .HmacKey(128)
902 .Digest(KM_DIGEST_SHA_2_256)
903 .Authorization(TAG_MIN_MAC_LENGTH, 256)));
904 AuthorizationSet begin_params(client_params());
905 begin_params.push_back(TAG_MAC_LENGTH, 264);
906 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
907 ASSERT_EQ(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
908 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
909 }
910
TEST_P(SigningOperationsTest,HmacSha256TooSmallMacLength)911 TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
912 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
913 .HmacKey(128)
914 .Digest(KM_DIGEST_SHA_2_256)
915 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
916 AuthorizationSet begin_params(client_params());
917 begin_params.push_back(TAG_MAC_LENGTH, 120);
918 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
919 ASSERT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
920 BeginOperation(KM_PURPOSE_SIGN, begin_params, nullptr /* output_params */));
921 }
922
923 // TODO(swillden): Add more verification failure tests.
924
925 typedef Keymaster2Test VerificationOperationsTest;
926 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, VerificationOperationsTest, test_params);
927
TEST_P(VerificationOperationsTest,RsaSuccess)928 TEST_P(VerificationOperationsTest, RsaSuccess) {
929 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
930 .RsaSigningKey(256, 3)
931 .Digest(KM_DIGEST_NONE)
932 .Padding(KM_PAD_NONE)));
933 string message = "12345678901234567890123456789012";
934 string signature;
935 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
936 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
937 }
938
TEST_P(VerificationOperationsTest,RsaPssSha256Success)939 TEST_P(VerificationOperationsTest, RsaPssSha256Success) {
940 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
941 .RsaSigningKey(768, 3)
942 .Digest(KM_DIGEST_SHA_2_256)
943 .Padding(KM_PAD_RSA_PSS)));
944 // Use large message, which won't work without digesting.
945 string message(1024, 'a');
946 string signature;
947 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
948 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
949 }
950
TEST_P(VerificationOperationsTest,RsaPssSha224Success)951 TEST_P(VerificationOperationsTest, RsaPssSha224Success) {
952 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
953 .RsaSigningKey(512, 3)
954 .Digest(KM_DIGEST_SHA_2_224)
955 .Padding(KM_PAD_RSA_PSS)));
956 // Use large message, which won't work without digesting.
957 string message(1024, 'a');
958 string signature;
959 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
960 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PSS);
961
962 // Verify with OpenSSL.
963 string pubkey;
964 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
965
966 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
967 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
968 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
969 ASSERT_TRUE(pkey.get());
970
971 EVP_MD_CTX digest_ctx;
972 EVP_MD_CTX_init(&digest_ctx);
973 EVP_PKEY_CTX* pkey_ctx;
974 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
975 pkey.get()));
976 EXPECT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING));
977 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
978 EXPECT_EQ(1,
979 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
980 signature.size()));
981 EVP_MD_CTX_cleanup(&digest_ctx);
982 }
983
TEST_P(VerificationOperationsTest,RsaPssSha256CorruptSignature)984 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptSignature) {
985 GenerateKey(AuthorizationSetBuilder()
986 .RsaSigningKey(768, 3)
987 .Digest(KM_DIGEST_SHA_2_256)
988 .Padding(KM_PAD_RSA_PSS));
989 string message(1024, 'a');
990 string signature;
991 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
992 ++signature[signature.size() / 2];
993
994 AuthorizationSet begin_params(client_params());
995 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
996 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
997 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
998
999 string result;
1000 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1001 }
1002
TEST_P(VerificationOperationsTest,RsaPssSha256CorruptInput)1003 TEST_P(VerificationOperationsTest, RsaPssSha256CorruptInput) {
1004 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1005 .RsaSigningKey(768, 3)
1006 .Digest(KM_DIGEST_SHA_2_256)
1007 .Padding(KM_PAD_RSA_PSS)));
1008 // Use large message, which won't work without digesting.
1009 string message(1024, 'a');
1010 string signature;
1011 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PSS);
1012 ++message[message.size() / 2];
1013
1014 AuthorizationSet begin_params(client_params());
1015 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1016 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PSS);
1017 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1018
1019 string result;
1020 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1021 }
1022
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256Success)1023 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256Success) {
1024 GenerateKey(AuthorizationSetBuilder()
1025 .RsaSigningKey(512, 3)
1026 .Digest(KM_DIGEST_SHA_2_256)
1027 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1028 string message(1024, 'a');
1029 string signature;
1030 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1031 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1032 }
1033
TEST_P(VerificationOperationsTest,RsaPks1Sha224Success)1034 TEST_P(VerificationOperationsTest, RsaPks1Sha224Success) {
1035 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1036 .RsaSigningKey(512, 3)
1037 .Digest(KM_DIGEST_SHA_2_224)
1038 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1039 // Use large message, which won't work without digesting.
1040 string message(1024, 'a');
1041 string signature;
1042 SignMessage(message, &signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1043 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224, KM_PAD_RSA_PKCS1_1_5_SIGN);
1044
1045 // Verify with OpenSSL.
1046 string pubkey;
1047 EXPECT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &pubkey));
1048
1049 const uint8_t* p = reinterpret_cast<const uint8_t*>(pubkey.data());
1050 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1051 d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
1052 ASSERT_TRUE(pkey.get());
1053
1054 EVP_MD_CTX digest_ctx;
1055 EVP_MD_CTX_init(&digest_ctx);
1056 EVP_PKEY_CTX* pkey_ctx;
1057 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, EVP_sha224(), nullptr /* engine */,
1058 pkey.get()));
1059 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
1060 EXPECT_EQ(1,
1061 EVP_DigestVerifyFinal(&digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
1062 signature.size()));
1063 EVP_MD_CTX_cleanup(&digest_ctx);
1064 }
1065
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256CorruptSignature)1066 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptSignature) {
1067 GenerateKey(AuthorizationSetBuilder()
1068 .RsaSigningKey(512, 3)
1069 .Digest(KM_DIGEST_SHA_2_256)
1070 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN));
1071 string message(1024, 'a');
1072 string signature;
1073 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1074 ++signature[signature.size() / 2];
1075
1076 AuthorizationSet begin_params(client_params());
1077 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1078 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1079 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1080
1081 string result;
1082 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1083 }
1084
TEST_P(VerificationOperationsTest,RsaPkcs1Sha256CorruptInput)1085 TEST_P(VerificationOperationsTest, RsaPkcs1Sha256CorruptInput) {
1086 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1087 .RsaSigningKey(512, 3)
1088 .Digest(KM_DIGEST_SHA_2_256)
1089 .Padding(KM_PAD_RSA_PKCS1_1_5_SIGN)));
1090 // Use large message, which won't work without digesting.
1091 string message(1024, 'a');
1092 string signature;
1093 SignMessage(message, &signature, KM_DIGEST_SHA_2_256, KM_PAD_RSA_PKCS1_1_5_SIGN);
1094 ++message[message.size() / 2];
1095
1096 AuthorizationSet begin_params(client_params());
1097 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
1098 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_SIGN);
1099 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1100
1101 string result;
1102 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1103 }
1104
TEST_P(VerificationOperationsTest,RsaAllDigestAndPadCombinations)1105 TEST_P(VerificationOperationsTest, RsaAllDigestAndPadCombinations) {
1106 vector<keymaster_digest_t> digests = {
1107 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
1108 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1109 };
1110
1111 vector<keymaster_padding_t> padding_modes{
1112 KM_PAD_NONE,
1113 KM_PAD_RSA_PKCS1_1_5_SIGN,
1114 KM_PAD_RSA_PSS,
1115 };
1116
1117 int trial_count = 0;
1118 for (keymaster_padding_t padding_mode : padding_modes) {
1119 for (keymaster_digest_t digest : digests) {
1120 if (digest != KM_DIGEST_NONE && padding_mode == KM_PAD_NONE)
1121 // Digesting requires padding
1122 continue;
1123
1124 // Compute key & message size that will work.
1125 size_t key_bits = 0;
1126 size_t message_len = 1000;
1127
1128 if (digest == KM_DIGEST_NONE) {
1129 key_bits = 256;
1130 switch (padding_mode) {
1131 case KM_PAD_NONE:
1132 // Match key size.
1133 message_len = key_bits / 8;
1134 break;
1135 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1136 message_len = key_bits / 8 - 11;
1137 break;
1138 case KM_PAD_RSA_PSS:
1139 // PSS requires a digest.
1140 continue;
1141 default:
1142 FAIL() << "Missing padding";
1143 break;
1144 }
1145 } else {
1146 size_t digest_bits;
1147 switch (digest) {
1148 case KM_DIGEST_MD5:
1149 digest_bits = 128;
1150 break;
1151 case KM_DIGEST_SHA1:
1152 digest_bits = 160;
1153 break;
1154 case KM_DIGEST_SHA_2_224:
1155 digest_bits = 224;
1156 break;
1157 case KM_DIGEST_SHA_2_256:
1158 digest_bits = 256;
1159 break;
1160 case KM_DIGEST_SHA_2_384:
1161 digest_bits = 384;
1162 break;
1163 case KM_DIGEST_SHA_2_512:
1164 digest_bits = 512;
1165 break;
1166 default:
1167 FAIL() << "Missing digest";
1168 }
1169
1170 switch (padding_mode) {
1171 case KM_PAD_RSA_PKCS1_1_5_SIGN:
1172 key_bits = digest_bits + 8 * (11 + 19);
1173 break;
1174 case KM_PAD_RSA_PSS:
1175 key_bits = digest_bits * 2 + 2 * 8;
1176 break;
1177 default:
1178 FAIL() << "Missing padding";
1179 break;
1180 }
1181 }
1182
1183 // Round up to the nearest multiple of 128.
1184 key_bits = (key_bits + 127) / 128 * 128;
1185
1186 GenerateKey(AuthorizationSetBuilder()
1187 .RsaSigningKey(key_bits, 3)
1188 .Digest(digest)
1189 .Padding(padding_mode));
1190 string message(message_len, 'a');
1191 string signature;
1192 SignMessage(message, &signature, digest, padding_mode);
1193 VerifyMessage(message, signature, digest, padding_mode);
1194 ++trial_count;
1195 }
1196 }
1197 }
1198
TEST_P(VerificationOperationsTest,EcdsaSuccess)1199 TEST_P(VerificationOperationsTest, EcdsaSuccess) {
1200 ASSERT_EQ(KM_ERROR_OK,
1201 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1202 string message = "12345678901234567890123456789012";
1203 string signature;
1204 SignMessage(message, &signature, KM_DIGEST_NONE);
1205 VerifyMessage(message, signature, KM_DIGEST_NONE);
1206 }
1207
TEST_P(VerificationOperationsTest,EcdsaTooShort)1208 TEST_P(VerificationOperationsTest, EcdsaTooShort) {
1209 ASSERT_EQ(KM_ERROR_OK,
1210 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE)));
1211 string message = "12345678901234567890";
1212 string signature;
1213 SignMessage(message, &signature, KM_DIGEST_NONE);
1214 VerifyMessage(message, signature, KM_DIGEST_NONE);
1215 }
1216
TEST_P(VerificationOperationsTest,EcdsaSlightlyTooLong)1217 TEST_P(VerificationOperationsTest, EcdsaSlightlyTooLong) {
1218 ASSERT_EQ(KM_ERROR_OK,
1219 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(521).Digest(KM_DIGEST_NONE)));
1220
1221 string message(66, 'a');
1222 string signature;
1223 SignMessage(message, &signature, KM_DIGEST_NONE);
1224 VerifyMessage(message, signature, KM_DIGEST_NONE);
1225
1226 // Modifying low-order bits doesn't matter, because they didn't get signed. Ugh.
1227 message[65] ^= 7;
1228 VerifyMessage(message, signature, KM_DIGEST_NONE);
1229 }
1230
TEST_P(VerificationOperationsTest,EcdsaSha256Success)1231 TEST_P(VerificationOperationsTest, EcdsaSha256Success) {
1232 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1233 .EcdsaSigningKey(256)
1234 .Digest(KM_DIGEST_SHA_2_256)
1235 .Digest(KM_DIGEST_NONE)));
1236 string message = "12345678901234567890123456789012";
1237 string signature;
1238 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
1239 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
1240
1241 // Just for giggles, try verifying with the wrong digest.
1242 AuthorizationSet begin_params(client_params());
1243 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1244 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1245
1246 string result;
1247 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1248 }
1249
TEST_P(VerificationOperationsTest,EcdsaSha224Success)1250 TEST_P(VerificationOperationsTest, EcdsaSha224Success) {
1251 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
1252 KM_DIGEST_SHA_2_224)));
1253
1254 string message = "12345678901234567890123456789012";
1255 string signature;
1256 SignMessage(message, &signature, KM_DIGEST_SHA_2_224);
1257 VerifyMessage(message, signature, KM_DIGEST_SHA_2_224);
1258
1259 // Just for giggles, try verifying with the wrong digest.
1260 AuthorizationSet begin_params(client_params());
1261 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
1262 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1263
1264 string result;
1265 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(message, signature, &result));
1266 }
1267
TEST_P(VerificationOperationsTest,EcdsaAllDigestsAndKeySizes)1268 TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndKeySizes) {
1269 keymaster_digest_t digests[] = {
1270 KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224, KM_DIGEST_SHA_2_256,
1271 KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
1272 };
1273 size_t key_sizes[] = {224, 256, 384, 521};
1274
1275 string message = "1234567890";
1276 string signature;
1277
1278 for (auto key_size : key_sizes) {
1279 SCOPED_TRACE(testing::Message() << "Key size: " << key_size);
1280 AuthorizationSetBuilder builder;
1281 builder.EcdsaSigningKey(key_size);
1282 for (auto digest : digests)
1283 builder.Digest(digest);
1284 ASSERT_EQ(KM_ERROR_OK, GenerateKey(builder));
1285
1286 for (auto digest : digests) {
1287 SCOPED_TRACE(testing::Message() << "Digest: " << digest);
1288 SignMessage(message, &signature, digest);
1289 VerifyMessage(message, signature, digest);
1290 }
1291 }
1292 }
1293
TEST_P(VerificationOperationsTest,HmacSha1Success)1294 TEST_P(VerificationOperationsTest, HmacSha1Success) {
1295 GenerateKey(AuthorizationSetBuilder()
1296 .HmacKey(128)
1297 .Digest(KM_DIGEST_SHA1)
1298 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1299 string message = "123456789012345678901234567890123456789012345678";
1300 string signature;
1301 MacMessage(message, &signature, 160);
1302 VerifyMac(message, signature);
1303 }
1304
TEST_P(VerificationOperationsTest,HmacSha224Success)1305 TEST_P(VerificationOperationsTest, HmacSha224Success) {
1306 GenerateKey(AuthorizationSetBuilder()
1307 .HmacKey(128)
1308 .Digest(KM_DIGEST_SHA_2_224)
1309 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1310 string message = "123456789012345678901234567890123456789012345678";
1311 string signature;
1312 MacMessage(message, &signature, 224);
1313 VerifyMac(message, signature);
1314 }
1315
TEST_P(VerificationOperationsTest,HmacSha256Success)1316 TEST_P(VerificationOperationsTest, HmacSha256Success) {
1317 GenerateKey(AuthorizationSetBuilder()
1318 .HmacKey(128)
1319 .Digest(KM_DIGEST_SHA_2_256)
1320 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1321 string message = "123456789012345678901234567890123456789012345678";
1322 string signature;
1323 MacMessage(message, &signature, 256);
1324 VerifyMac(message, signature);
1325 }
1326
TEST_P(VerificationOperationsTest,HmacSha256TooShortMac)1327 TEST_P(VerificationOperationsTest, HmacSha256TooShortMac) {
1328 GenerateKey(AuthorizationSetBuilder()
1329 .HmacKey(128)
1330 .Digest(KM_DIGEST_SHA_2_256)
1331 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1332 string message = "123456789012345678901234567890123456789012345678";
1333 string signature;
1334 MacMessage(message, &signature, 256);
1335
1336 // Shorten to 128 bits, should still work.
1337 signature.resize(128 / 8);
1338 VerifyMac(message, signature);
1339
1340 // Drop one more byte.
1341 signature.resize(signature.length() - 1);
1342
1343 AuthorizationSet begin_params(client_params());
1344 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_VERIFY, begin_params));
1345 string result;
1346 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, FinishOperation(message, signature, &result));
1347 }
1348
TEST_P(VerificationOperationsTest,HmacSha384Success)1349 TEST_P(VerificationOperationsTest, HmacSha384Success) {
1350 GenerateKey(AuthorizationSetBuilder()
1351 .HmacKey(128)
1352 .Digest(KM_DIGEST_SHA_2_384)
1353 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1354 string message = "123456789012345678901234567890123456789012345678";
1355 string signature;
1356 MacMessage(message, &signature, 384);
1357 VerifyMac(message, signature);
1358 }
1359
TEST_P(VerificationOperationsTest,HmacSha512Success)1360 TEST_P(VerificationOperationsTest, HmacSha512Success) {
1361 GenerateKey(AuthorizationSetBuilder()
1362 .HmacKey(128)
1363 .Digest(KM_DIGEST_SHA_2_512)
1364 .Authorization(TAG_MIN_MAC_LENGTH, 128));
1365 string message = "123456789012345678901234567890123456789012345678";
1366 string signature;
1367 MacMessage(message, &signature, 512);
1368 VerifyMac(message, signature);
1369 }
1370
1371 typedef Keymaster2Test ExportKeyTest;
1372 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ExportKeyTest, test_params);
1373
TEST_P(ExportKeyTest,RsaSuccess)1374 TEST_P(ExportKeyTest, RsaSuccess) {
1375 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1376 .RsaSigningKey(256, 3)
1377 .Digest(KM_DIGEST_NONE)
1378 .Padding(KM_PAD_NONE)));
1379 string export_data;
1380 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1381 EXPECT_GT(export_data.length(), 0U);
1382
1383 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1384 }
1385
TEST_P(ExportKeyTest,EcdsaSuccess)1386 TEST_P(ExportKeyTest, EcdsaSuccess) {
1387 ASSERT_EQ(KM_ERROR_OK,
1388 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
1389 string export_data;
1390 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1391 EXPECT_GT(export_data.length(), 0U);
1392
1393 // TODO(swillden): Verify that the exported key is actually usable to verify signatures.
1394 }
1395
TEST_P(ExportKeyTest,RsaUnsupportedKeyFormat)1396 TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
1397 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1398 .RsaSigningKey(256, 3)
1399 .Digest(KM_DIGEST_NONE)
1400 .Padding(KM_PAD_NONE)));
1401 string export_data;
1402 ASSERT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1403 }
1404
TEST_P(ExportKeyTest,RsaCorruptedKeyBlob)1405 TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
1406 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1407 .RsaSigningKey(256, 3)
1408 .Digest(KM_DIGEST_NONE)
1409 .Padding(KM_PAD_NONE)));
1410 corrupt_key_blob();
1411 string export_data;
1412 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1413 }
1414
TEST_P(ExportKeyTest,AesKeyExportFails)1415 TEST_P(ExportKeyTest, AesKeyExportFails) {
1416 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().AesEncryptionKey(128)));
1417 string export_data;
1418
1419 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_X509, &export_data));
1420 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_PKCS8, &export_data));
1421 EXPECT_EQ(KM_ERROR_UNSUPPORTED_KEY_FORMAT, ExportKey(KM_KEY_FORMAT_RAW, &export_data));
1422 }
1423
1424 typedef Keymaster2Test ImportKeyTest;
1425 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, ImportKeyTest, test_params);
1426
TEST_P(ImportKeyTest,RsaSuccess)1427 TEST_P(ImportKeyTest, RsaSuccess) {
1428 string pk8_key(reinterpret_cast<char*>(&rsa_privkey_pk8_der[0]), rsa_privkey_pk8_der_len);
1429 ASSERT_EQ(633U, pk8_key.size());
1430
1431 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1432 .RsaSigningKey(1024, 65537)
1433 .Digest(KM_DIGEST_NONE)
1434 .Padding(KM_PAD_NONE),
1435 KM_KEY_FORMAT_PKCS8, pk8_key));
1436
1437 // Check values derived from the key.
1438 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_RSA));
1439 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 1024));
1440 EXPECT_TRUE(contains(sw_enforced(), TAG_RSA_PUBLIC_EXPONENT, 65537U));
1441
1442 // And values provided by AndroidKeymaster
1443 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1444 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1445
1446 string message(1024 / 8, 'a');
1447 string signature;
1448 SignMessage(message, &signature, KM_DIGEST_NONE, KM_PAD_NONE);
1449 VerifyMessage(message, signature, KM_DIGEST_NONE, KM_PAD_NONE);
1450 }
1451
TEST_P(ImportKeyTest,RsaKeySizeMismatch)1452 TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
1453 string pk8_key(reinterpret_cast<char*>(&rsa_privkey_pk8_der[0]), rsa_privkey_pk8_der_len);
1454 ASSERT_EQ(633U, pk8_key.size());
1455 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1456 ImportKey(AuthorizationSetBuilder()
1457 .RsaSigningKey(2048 /* Doesn't match key */, 3)
1458 .Digest(KM_DIGEST_NONE)
1459 .Padding(KM_PAD_NONE),
1460 KM_KEY_FORMAT_PKCS8, pk8_key));
1461 }
1462
TEST_P(ImportKeyTest,RsaPublicExponenMismatch)1463 TEST_P(ImportKeyTest, RsaPublicExponenMismatch) {
1464 string pk8_key(reinterpret_cast<char*>(&rsa_privkey_pk8_der[0]), rsa_privkey_pk8_der_len);
1465 ASSERT_EQ(633U, pk8_key.size());
1466 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1467 ImportKey(AuthorizationSetBuilder()
1468 .RsaSigningKey(256, 3 /* Doesnt' match key */)
1469 .Digest(KM_DIGEST_NONE)
1470 .Padding(KM_PAD_NONE),
1471 KM_KEY_FORMAT_PKCS8, pk8_key));
1472 }
1473
TEST_P(ImportKeyTest,EcdsaSuccess)1474 TEST_P(ImportKeyTest, EcdsaSuccess) {
1475 string pk8_key(reinterpret_cast<char*>(&ec_privkey_pk8_der[0]), ec_privkey_pk8_der_len);
1476 ASSERT_EQ(138U, pk8_key.size());
1477
1478 ASSERT_EQ(KM_ERROR_OK,
1479 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1480 KM_KEY_FORMAT_PKCS8, pk8_key));
1481
1482 // Check values derived from the key.
1483 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC));
1484 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 256));
1485
1486 // And values provided by AndroidKeymaster
1487 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1488 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1489
1490 string message(32, 'a');
1491 string signature;
1492 SignMessage(message, &signature, KM_DIGEST_NONE);
1493 VerifyMessage(message, signature, KM_DIGEST_NONE);
1494 }
1495
TEST_P(ImportKeyTest,EcdsaSizeSpecified)1496 TEST_P(ImportKeyTest, EcdsaSizeSpecified) {
1497 string pk8_key(reinterpret_cast<char*>(&ec_privkey_pk8_der[0]), ec_privkey_pk8_der_len);
1498 ASSERT_EQ(138U, pk8_key.size());
1499
1500 ASSERT_EQ(KM_ERROR_OK,
1501 ImportKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(KM_DIGEST_NONE),
1502 KM_KEY_FORMAT_PKCS8, pk8_key));
1503
1504 // Check values derived from the key.
1505 EXPECT_TRUE(contains(sw_enforced(), TAG_ALGORITHM, KM_ALGORITHM_EC));
1506 EXPECT_TRUE(contains(sw_enforced(), TAG_KEY_SIZE, 256));
1507
1508 // And values provided by AndroidKeymaster
1509 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1510 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1511
1512 string message(32, 'a');
1513 string signature;
1514 SignMessage(message, &signature, KM_DIGEST_NONE);
1515 VerifyMessage(message, signature, KM_DIGEST_NONE);
1516 }
1517
TEST_P(ImportKeyTest,EcdsaSizeMismatch)1518 TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
1519 string pk8_key(reinterpret_cast<char*>(&ec_privkey_pk8_der[0]), ec_privkey_pk8_der_len);
1520 ASSERT_EQ(138U, pk8_key.size());
1521 ASSERT_EQ(KM_ERROR_IMPORT_PARAMETER_MISMATCH,
1522 ImportKey(AuthorizationSetBuilder()
1523 .EcdsaSigningKey(224 /* Doesn't match key */)
1524 .Digest(KM_DIGEST_NONE),
1525 KM_KEY_FORMAT_PKCS8, pk8_key));
1526 }
1527
TEST_P(ImportKeyTest,AesKeySuccess)1528 TEST_P(ImportKeyTest, AesKeySuccess) {
1529 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1530 string key(key_data, sizeof(key_data));
1531 ASSERT_EQ(KM_ERROR_OK,
1532 ImportKey(AuthorizationSetBuilder().AesEncryptionKey(128).EcbMode().Authorization(
1533 TAG_PADDING, KM_PAD_PKCS7),
1534 KM_KEY_FORMAT_RAW, key));
1535
1536 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1537 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1538
1539 string message = "Hello World!";
1540 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
1541 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
1542 EXPECT_EQ(message, plaintext);
1543 }
1544
TEST_P(ImportKeyTest,HmacSha256KeySuccess)1545 TEST_P(ImportKeyTest, HmacSha256KeySuccess) {
1546 char key_data[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
1547 string key(key_data, sizeof(key_data));
1548 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
1549 .HmacKey(sizeof(key_data) * 8)
1550 .Digest(KM_DIGEST_SHA_2_256)
1551 .Authorization(TAG_MIN_MAC_LENGTH, 256),
1552 KM_KEY_FORMAT_RAW, key));
1553
1554 EXPECT_TRUE(contains(sw_enforced(), TAG_ORIGIN, KM_ORIGIN_IMPORTED));
1555 EXPECT_TRUE(contains(sw_enforced(), KM_TAG_CREATION_DATETIME));
1556
1557 string message = "Hello World!";
1558 string signature;
1559 MacMessage(message, &signature, 256);
1560 VerifyMac(message, signature);
1561 }
1562
1563 auto wrapped_key = hex2str(
1564 "3082017902010004820100934bf94e2aa28a3f83c9f79297250262fbe3276b5a1c91159bbfa3ef8957aac84b59b30b"
1565 "455a79c2973480823d8b3863c3deef4a8e243590268d80e18751a0e130f67ce6a1ace9f79b95e097474febc981195b"
1566 "1d13a69086c0863f66a7b7fdb48792227b1ac5e2489febdf087ab5486483033a6f001ca5d1ec1e27f5c30f4cec2642"
1567 "074a39ae68aee552e196627a8e3d867e67a8c01b11e75f13cca0a97ab668b50cda07a8ecb7cd8e3dd7009c9636534f"
1568 "6f239cffe1fc8daa466f78b676c7119efb96bce4e69ca2a25d0b34ed9c3ff999b801597d5220e307eaa5bee507fb94"
1569 "d1fa69f9e519b2de315bac92c36f2ea1fa1df4478c0ddedeae8c70e0233cd098040cd796b02c370f1fa4cc0124f130"
1570 "2e0201033029a1083106020100020101a203020120a30402020100a4053103020101a6053103020140bf8377020500"
1571 "0420ccd540855f833a5e1480bfd2d36faf3aeee15df5beabe2691bc82dde2a7aa910041064c9f689c60ff6223ab6e6"
1572 "999e0eb6e5");
1573
1574 auto wrapped_key_masked = hex2str(
1575 "3082017902010004820100aad93ed5924f283b4bb5526fbe7a1412f9d9749ec30db9062b29e574a8546f33c8873245"
1576 "2f5b8e6a391ee76c39ed1712c61d8df6213dec1cffbc17a8c6d04c7b30893d8daa9b2015213e21946821553207f8f9"
1577 "931c4caba23ed3bee28b36947e47f10e0a5c3dc51c988a628daad3e5e1f4005e79c2d5a96c284b4b8d7e4948f331e5"
1578 "b85dd5a236f85579f3ea1d1b848487470bdb0ab4f81a12bee42c99fe0df4bee3759453e69ad1d68a809ce06b949f76"
1579 "94a990429b2fe81e066ff43e56a21602db70757922a4bcc23ab89f1e35da77586775f423e519c2ea394caf48a28d0c"
1580 "8020f1dcf6b3a68ec246f615ae96dae9a079b1f6eb959033c1af5c125fd94168040c6d9721d08589581ab49204a330"
1581 "2e0201033029a1083106020100020101a203020120a30402020100a4053103020101a6053103020140bf8377020500"
1582 "0420a61c6e247e25b3e6e69aa78eb03c2d4ac20d1f99a9a024a76f35c8e2cab9b68d04102560c70109ae67c030f00b"
1583 "98b512a670");
1584
1585 auto wrapping_key = hex2str(
1586 "308204be020100300d06092a864886f70d0101010500048204a8308204a40201000282010100aec367931d8900ce56"
1587 "b0067f7d70e1fc653f3f34d194c1fed50018fb43db937b06e673a837313d56b1c725150a3fef86acbddc41bb759c28"
1588 "54eae32d35841efb5c18d82bc90a1cb5c1d55adf245b02911f0b7cda88c421ff0ebafe7c0d23be312d7bd5921ffaea"
1589 "1347c157406fef718f682643e4e5d33c6703d61c0cf7ac0bf4645c11f5c1374c3886427411c449796792e0bef75dec"
1590 "858a2123c36753e02a95a96d7c454b504de385a642e0dfc3e60ac3a7ee4991d0d48b0172a95f9536f02ba13cecccb9"
1591 "2b727db5c27e5b2f5cec09600b286af5cf14c42024c61ddfe71c2a8d7458f185234cb00e01d282f10f8fc6721d2aed"
1592 "3f4833cca2bd8fa62821dd55020301000102820100431447b6251908112b1ee76f99f3711a52b6630960046c2de70d"
1593 "e188d833f8b8b91e4d785caeeeaf4f0f74414e2cda40641f7fe24f14c67a88959bdb27766df9e710b630a03adc683b"
1594 "5d2c43080e52bee71e9eaeb6de297a5fea1072070d181c822bccff087d63c940ba8a45f670feb29fb4484d1c95e6d2"
1595 "579ba02aae0a00900c3ebf490e3d2cd7ee8d0e20c536e4dc5a5097272888cddd7e91f228b1c4d7474c55b8fcd618c4"
1596 "a957bbddd5ad7407cc312d8d98a5caf7e08f4a0d6b45bb41c652659d5a5ba05b663737a8696281865ba20fbdd7f851"
1597 "e6c56e8cbe0ddbbf24dc03b2d2cb4c3d540fb0af52e034a2d06698b128e5f101e3b51a34f8d8b4f8618102818100de"
1598 "392e18d682c829266cc3454e1d6166242f32d9a1d10577753e904ea7d08bff841be5bac82a164c5970007047b8c517"
1599 "db8f8f84e37bd5988561bdf503d4dc2bdb38f885434ae42c355f725c9a60f91f0788e1f1a97223b524b5357fdf72e2"
1600 "f696bab7d78e32bf92ba8e1864eab1229e91346130748a6e3c124f9149d71c743502818100c95387c0f9d35f137b57"
1601 "d0d65c397c5e21cc251e47008ed62a542409c8b6b6ac7f8967b3863ca645fcce49582a9aa17349db6c4a95affdae0d"
1602 "ae612e1afac99ed39a2d934c880440aed8832f9843163a47f27f392199dc1202f9a0f9bd08308007cb1e4e7f583093"
1603 "66a7de25f7c3c9b880677c068e1be936e81288815252a8a102818057ff8ca1895080b2cae486ef0adfd791fb0235c0"
1604 "b8b36cd6c136e52e4085f4ea5a063212a4f105a3764743e53281988aba073f6e0027298e1c4378556e0efca0e14ece"
1605 "1af76ad0b030f27af6f0ab35fb73a060d8b1a0e142fa2647e93b32e36d8282ae0a4de50ab7afe85500a16f43a64719"
1606 "d6e2b9439823719cd08bcd03178102818100ba73b0bb28e3f81e9bd1c568713b101241acc607976c4ddccc90e65b65"
1607 "56ca31516058f92b6e09f3b160ff0e374ec40d78ae4d4979fde6ac06a1a400c61dd31254186af30b22c10582a8a43e"
1608 "34fe949c5f3b9755bae7baa7b7b7a6bd03b38cef55c86885fc6c1978b9cee7ef33da507c9df6b9277cff1e6aaa5d57"
1609 "aca528466102818100c931617c77829dfb1270502be9195c8f2830885f57dba869536811e6864236d0c4736a0008a1"
1610 "45af36b8357a7c3d139966d04c4e00934ea1aede3bb6b8ec841dc95e3f579751e2bfdfe27ae778983f959356210723"
1611 "287b0affcc9f727044d48c373f1babde0724fa17a4fd4da0902c7c9b9bf27ba61be6ad02dfddda8f4e6822");
1612
1613 string zero_masking_key =
1614 hex2str("0000000000000000000000000000000000000000000000000000000000000000");
1615 string masking_key = hex2str("D796B02C370F1FA4CC0124F14EC8CBEBE987E825246265050F399A51FD477DFC");
1616
1617 class ImportWrappedKeyTest : public testing::Test {
1618 public:
ImportWrappedKeyTest()1619 ImportWrappedKeyTest() : keymaster_(new PureSoftKeymasterContext(kCurrentKmVersion), 16) {}
1620
1621 protected:
SetUp()1622 void SetUp() override {
1623 ConfigureRequest configReq(kMaxMessageVersion);
1624 configReq.os_version = kOsVersion;
1625 configReq.os_patchlevel = kOsPatchLevel;
1626 ConfigureResponse configRsp(kMaxMessageVersion);
1627 keymaster_.Configure(configReq, &configRsp);
1628 EXPECT_EQ(KM_ERROR_OK, configRsp.error);
1629 }
1630
BeginOperation(keymaster_purpose_t purpose,const AuthorizationSet & input_set)1631 keymaster_error_t BeginOperation(keymaster_purpose_t purpose,
1632 const AuthorizationSet& input_set) {
1633 BeginOperationRequest req(kMaxMessageVersion);
1634 req.purpose = purpose;
1635 req.SetKeyMaterial(blob_);
1636 req.additional_params = input_set;
1637
1638 BeginOperationResponse rsp(kMaxMessageVersion);
1639 keymaster_.BeginOperation(req, &rsp);
1640 op_handle_ = rsp.op_handle;
1641
1642 return rsp.error;
1643 }
1644
FinishOperation(const string & input,string * output)1645 keymaster_error_t FinishOperation(const string& input, string* output) {
1646 FinishOperationRequest req(kMaxMessageVersion);
1647 req.op_handle = op_handle_;
1648 req.input.Reinitialize(input.data(), input.size());
1649
1650 FinishOperationResponse rsp(kMaxMessageVersion);
1651 keymaster_.FinishOperation(req, &rsp);
1652
1653 if (output) {
1654 *output = string(reinterpret_cast<const char*>(rsp.output.peek_read()),
1655 rsp.output.available_read());
1656 }
1657
1658 return rsp.error;
1659 }
1660
ProcessMessage(keymaster_purpose_t purpose,const string & message,const AuthorizationSet & begin_params)1661 string ProcessMessage(keymaster_purpose_t purpose, const string& message,
1662 const AuthorizationSet& begin_params) {
1663 EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params));
1664
1665 string result;
1666 EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, &result));
1667 return result;
1668 }
1669
1670 AndroidKeymaster keymaster_;
1671 KeymasterKeyBlob blob_;
1672 uint64_t op_handle_;
1673 };
1674
TEST_F(ImportWrappedKeyTest,GoldenKeySuccess)1675 TEST_F(ImportWrappedKeyTest, GoldenKeySuccess) {
1676 ImportKeyRequest import_request(kMaxMessageVersion);
1677
1678 auto import_params = AuthorizationSetBuilder()
1679 .RsaEncryptionKey(2048, 65537)
1680 .Digest(KM_DIGEST_SHA_2_256)
1681 .Padding(KM_PAD_RSA_OAEP)
1682 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP)
1683 .build();
1684 import_request.key_description.Reinitialize(import_params);
1685 import_request.key_data = KeymasterKeyBlob(
1686 reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), wrapping_key.size());
1687 import_request.key_format = KM_KEY_FORMAT_PKCS8;
1688 ImportKeyResponse import_response(kMaxMessageVersion);
1689 keymaster_.ImportKey(import_request, &import_response);
1690 ASSERT_EQ(import_response.error, KM_ERROR_OK);
1691
1692 ImportWrappedKeyRequest request(kMaxMessageVersion);
1693 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key.c_str()),
1694 wrapped_key.size());
1695 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob);
1696 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(zero_masking_key.c_str()),
1697 zero_masking_key.size());
1698 ImportWrappedKeyResponse response(kMaxMessageVersion);
1699
1700 keymaster_.ImportWrappedKey(request, &response);
1701
1702 EXPECT_EQ(response.error, KM_ERROR_OK);
1703 // Check that the tags from the wrapped auth list were imported correctly
1704 ASSERT_EQ(response.key_blob.key_material_size > 0, true);
1705 ASSERT_EQ(response.unenforced.Contains(TAG_ALGORITHM), true);
1706 ASSERT_EQ(response.unenforced.Contains(TAG_KEY_SIZE), true);
1707 ASSERT_EQ(response.unenforced.Contains(TAG_PURPOSE), true);
1708 ASSERT_EQ(response.unenforced.Contains(TAG_BLOCK_MODE), true);
1709
1710 blob_ = move(response.key_blob);
1711
1712 string message = "Hello World!";
1713 auto params = AuthorizationSetBuilder().BlockMode(KM_MODE_ECB).Padding(KM_PAD_PKCS7).build();
1714 string ciphertext = ProcessMessage(KM_PURPOSE_ENCRYPT, message, params);
1715 string plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, params);
1716
1717 EXPECT_EQ(message, plaintext);
1718 }
1719
TEST_F(ImportWrappedKeyTest,SuccessMaskingKey)1720 TEST_F(ImportWrappedKeyTest, SuccessMaskingKey) {
1721 ImportKeyRequest import_request(kMaxMessageVersion);
1722
1723 auto import_params = AuthorizationSetBuilder()
1724 .RsaEncryptionKey(2048, 65537)
1725 .Digest(KM_DIGEST_SHA_2_256)
1726 .Padding(KM_PAD_RSA_OAEP)
1727 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP)
1728 .build();
1729 import_request.key_description.Reinitialize(import_params);
1730 import_request.key_data = KeymasterKeyBlob(
1731 reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), wrapping_key.size());
1732
1733 import_request.key_format = KM_KEY_FORMAT_PKCS8;
1734 ImportKeyResponse import_response(kMaxMessageVersion);
1735 keymaster_.ImportKey(import_request, &import_response);
1736 EXPECT_EQ(import_response.error, KM_ERROR_OK);
1737
1738 if (import_response.error != KM_ERROR_OK) return;
1739
1740 ImportWrappedKeyRequest request(kMaxMessageVersion);
1741 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key_masked.c_str()),
1742 wrapped_key_masked.size());
1743 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob);
1744 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(masking_key.c_str()),
1745 masking_key.size());
1746 ImportWrappedKeyResponse response(kMaxMessageVersion);
1747
1748 keymaster_.ImportWrappedKey(request, &response);
1749 EXPECT_EQ(response.error, KM_ERROR_OK);
1750 }
1751
TEST_F(ImportWrappedKeyTest,WrongMaskingKey)1752 TEST_F(ImportWrappedKeyTest, WrongMaskingKey) {
1753 ImportKeyRequest import_request(kMaxMessageVersion);
1754
1755 auto import_params = AuthorizationSetBuilder()
1756 .RsaEncryptionKey(2048, 65537)
1757 .Digest(KM_DIGEST_SHA_2_256)
1758 .Padding(KM_PAD_RSA_OAEP)
1759 .Authorization(TAG_PURPOSE, KM_PURPOSE_WRAP)
1760 .build();
1761 import_request.key_description.Reinitialize(import_params);
1762 import_request.key_data = KeymasterKeyBlob(
1763 reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), wrapping_key.size());
1764
1765 import_request.key_format = KM_KEY_FORMAT_PKCS8;
1766 ImportKeyResponse import_response(kMaxMessageVersion);
1767 keymaster_.ImportKey(import_request, &import_response);
1768 EXPECT_EQ(import_response.error, KM_ERROR_OK);
1769
1770 if (import_response.error != KM_ERROR_OK) return;
1771
1772 ImportWrappedKeyRequest request(kMaxMessageVersion);
1773 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key_masked.c_str()),
1774 wrapped_key_masked.size());
1775 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob);
1776 request.SetMaskingKeyMaterial(reinterpret_cast<const uint8_t*>(zero_masking_key.c_str()),
1777 zero_masking_key.size());
1778 ImportWrappedKeyResponse response(kMaxMessageVersion);
1779
1780 keymaster_.ImportWrappedKey(request, &response);
1781 EXPECT_EQ(response.error, KM_ERROR_VERIFICATION_FAILED);
1782 }
1783
TEST_F(ImportWrappedKeyTest,WrongPurpose)1784 TEST_F(ImportWrappedKeyTest, WrongPurpose) {
1785 ImportKeyRequest import_request(kMaxMessageVersion);
1786
1787 auto import_params = AuthorizationSetBuilder()
1788 .RsaEncryptionKey(2048, 65537)
1789 .Digest(KM_DIGEST_SHA1)
1790 .Padding(KM_PAD_RSA_OAEP)
1791 .build();
1792 import_request.key_description.Reinitialize(import_params);
1793 import_request.key_data = KeymasterKeyBlob(
1794 reinterpret_cast<const uint8_t*>(wrapping_key.c_str()), wrapping_key.size());
1795 import_request.key_format = KM_KEY_FORMAT_PKCS8;
1796 ImportKeyResponse import_response(kMaxMessageVersion);
1797 keymaster_.ImportKey(import_request, &import_response);
1798 EXPECT_EQ(import_response.error, KM_ERROR_OK);
1799
1800 if (import_response.error != KM_ERROR_OK) return;
1801
1802 ImportWrappedKeyRequest request(kMaxMessageVersion);
1803 KeymasterKeyBlob wrapped_key_blob(reinterpret_cast<const uint8_t*>(wrapped_key.c_str()),
1804 wrapped_key.size());
1805 request.SetKeyMaterial(wrapped_key_blob, import_response.key_blob);
1806 ImportWrappedKeyResponse response(kMaxMessageVersion);
1807
1808 keymaster_.ImportWrappedKey(request, &response);
1809 EXPECT_EQ(response.error, KM_ERROR_INCOMPATIBLE_PURPOSE);
1810 }
1811
1812 typedef Keymaster2Test EncryptionOperationsTest;
1813 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, EncryptionOperationsTest, test_params);
1814
TEST_P(EncryptionOperationsTest,RsaNoPaddingSuccess)1815 TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
1816 ASSERT_EQ(KM_ERROR_OK,
1817 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1818
1819 string message = "12345678901234567890123456789012";
1820 string ciphertext1 = EncryptMessage(string(message), KM_PAD_NONE);
1821 EXPECT_EQ(256U / 8, ciphertext1.size());
1822
1823 string ciphertext2 = EncryptMessage(string(message), KM_PAD_NONE);
1824 EXPECT_EQ(256U / 8, ciphertext2.size());
1825
1826 // Unpadded RSA is deterministic
1827 EXPECT_EQ(ciphertext1, ciphertext2);
1828 }
1829
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooShort)1830 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooShort) {
1831 ASSERT_EQ(KM_ERROR_OK,
1832 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1833
1834 string message = "1";
1835
1836 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
1837 EXPECT_EQ(256U / 8, ciphertext.size());
1838
1839 string expected_plaintext = string(256 / 8 - 1, 0) + message;
1840 string plaintext = DecryptMessage(ciphertext, KM_PAD_NONE);
1841
1842 EXPECT_EQ(expected_plaintext, plaintext);
1843 }
1844
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooLong)1845 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
1846 ASSERT_EQ(KM_ERROR_OK,
1847 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1848
1849 string message = "123456789012345678901234567890123";
1850
1851 AuthorizationSet begin_params(client_params());
1852 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
1853 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
1854
1855 string result;
1856 size_t input_consumed;
1857 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, UpdateOperation(message, &result, &input_consumed));
1858 }
1859
TEST_P(EncryptionOperationsTest,RsaNoPaddingLargerThanModulus)1860 TEST_P(EncryptionOperationsTest, RsaNoPaddingLargerThanModulus) {
1861 ASSERT_EQ(KM_ERROR_OK,
1862 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
1863
1864 string exported;
1865 ASSERT_EQ(KM_ERROR_OK, ExportKey(KM_KEY_FORMAT_X509, &exported));
1866
1867 const uint8_t* p = reinterpret_cast<const uint8_t*>(exported.data());
1868 unique_ptr<EVP_PKEY, EVP_PKEY_Delete> pkey(
1869 d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
1870 unique_ptr<RSA, RSA_Delete> rsa(EVP_PKEY_get1_RSA(pkey.get()));
1871
1872 size_t modulus_len = BN_num_bytes(rsa->n);
1873 ASSERT_EQ(256U / 8, modulus_len);
1874 unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
1875 BN_bn2bin(rsa->n, modulus_buf.get());
1876
1877 // The modulus is too big to encrypt.
1878 string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
1879
1880 AuthorizationSet begin_params(client_params());
1881 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
1882 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
1883
1884 string result;
1885 size_t input_consumed;
1886 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
1887 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&result));
1888
1889 // One smaller than the modulus is okay.
1890 BN_sub(rsa->n, rsa->n, BN_value_one());
1891 modulus_len = BN_num_bytes(rsa->n);
1892 ASSERT_EQ(256U / 8, modulus_len);
1893 BN_bn2bin(rsa->n, modulus_buf.get());
1894 message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
1895 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
1896 EXPECT_EQ(KM_ERROR_OK, FinishOperation(message, "", &result));
1897 }
1898
TEST_P(EncryptionOperationsTest,RsaOaepSuccess)1899 TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
1900 size_t key_size = 768;
1901 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1902 .RsaEncryptionKey(key_size, 3)
1903 .Padding(KM_PAD_RSA_OAEP)
1904 .Digest(KM_DIGEST_SHA_2_256)));
1905
1906 string message = "Hello";
1907 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
1908 EXPECT_EQ(key_size / 8, ciphertext1.size());
1909
1910 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
1911 EXPECT_EQ(key_size / 8, ciphertext2.size());
1912
1913 // OAEP randomizes padding so every result should be different.
1914 EXPECT_NE(ciphertext1, ciphertext2);
1915 }
1916
TEST_P(EncryptionOperationsTest,RsaOaepWithMgf224Success)1917 TEST_P(EncryptionOperationsTest, RsaOaepWithMgf224Success) {
1918 size_t key_size = 768;
1919 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1920 .RsaEncryptionKey(key_size, 3)
1921 .Padding(KM_PAD_RSA_OAEP)
1922 .Digest(KM_DIGEST_SHA_2_256)
1923 .OaepMgfDigest(KM_DIGEST_SHA_2_224)));
1924
1925 string message = "Hello";
1926 string ciphertext1 =
1927 EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
1928 EXPECT_EQ(key_size / 8, ciphertext1.size());
1929
1930 string ciphertext2 =
1931 EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
1932 EXPECT_EQ(key_size / 8, ciphertext2.size());
1933
1934 // OAEP randomizes padding so every result should be different.
1935 EXPECT_NE(ciphertext1, ciphertext2);
1936 }
1937
TEST_P(EncryptionOperationsTest,RsaOaepWithMgfMD5Success)1938 TEST_P(EncryptionOperationsTest, RsaOaepWithMgfMD5Success) {
1939 size_t key_size = 768;
1940 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1941 .RsaEncryptionKey(key_size, 3)
1942 .Padding(KM_PAD_RSA_OAEP)
1943 .Digest(KM_DIGEST_SHA_2_256)
1944 .OaepMgfDigest(KM_DIGEST_MD5)));
1945
1946 string message = "Hello";
1947 string ciphertext1 =
1948 EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_DIGEST_MD5, KM_PAD_RSA_OAEP);
1949 EXPECT_EQ(key_size / 8, ciphertext1.size());
1950
1951 string ciphertext2 =
1952 EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_DIGEST_MD5, KM_PAD_RSA_OAEP);
1953 EXPECT_EQ(key_size / 8, ciphertext2.size());
1954
1955 // OAEP randomizes padding so every result should be different.
1956 EXPECT_NE(ciphertext1, ciphertext2);
1957 }
1958
TEST_P(EncryptionOperationsTest,RsaOaepSha224Success)1959 TEST_P(EncryptionOperationsTest, RsaOaepSha224Success) {
1960 size_t key_size = 768;
1961 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1962 .RsaEncryptionKey(key_size, 3)
1963 .Padding(KM_PAD_RSA_OAEP)
1964 .Digest(KM_DIGEST_SHA_2_224)));
1965
1966 string message = "Hello";
1967 string ciphertext1 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
1968 EXPECT_EQ(key_size / 8, ciphertext1.size());
1969
1970 string ciphertext2 = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
1971 EXPECT_EQ(key_size / 8, ciphertext2.size());
1972
1973 // OAEP randomizes padding so every result should be different.
1974 EXPECT_NE(ciphertext1, ciphertext2);
1975 }
1976
TEST_P(EncryptionOperationsTest,RsaOaepRoundTrip)1977 TEST_P(EncryptionOperationsTest, RsaOaepRoundTrip) {
1978 size_t key_size = 768;
1979 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1980 .RsaEncryptionKey(key_size, 3)
1981 .Padding(KM_PAD_RSA_OAEP)
1982 .Digest(KM_DIGEST_SHA_2_256)));
1983 string message = "Hello World!";
1984 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
1985 EXPECT_EQ(key_size / 8, ciphertext.size());
1986
1987 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
1988 EXPECT_EQ(message, plaintext);
1989 }
1990
TEST_P(EncryptionOperationsTest,RsaOaepWithMgfSha256RoundTrip)1991 TEST_P(EncryptionOperationsTest, RsaOaepWithMgfSha256RoundTrip) {
1992 size_t key_size = 768;
1993 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
1994 .RsaEncryptionKey(key_size, 3)
1995 .Padding(KM_PAD_RSA_OAEP)
1996 .Digest(KM_DIGEST_SHA_2_256)
1997 .OaepMgfDigest(KM_DIGEST_SHA_2_256)));
1998 string message = "Hello World!";
1999 string ciphertext =
2000 EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2001 EXPECT_EQ(key_size / 8, ciphertext.size());
2002
2003 string plaintext =
2004 DecryptMessage(ciphertext, KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2005 EXPECT_EQ(message, plaintext);
2006 }
2007
TEST_P(EncryptionOperationsTest,RsaOaepSha224RoundTrip)2008 TEST_P(EncryptionOperationsTest, RsaOaepSha224RoundTrip) {
2009 size_t key_size = 768;
2010 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2011 .RsaEncryptionKey(key_size, 3)
2012 .Padding(KM_PAD_RSA_OAEP)
2013 .Digest(KM_DIGEST_SHA_2_224)));
2014 string message = "Hello World!";
2015 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2016 EXPECT_EQ(key_size / 8, ciphertext.size());
2017
2018 string plaintext = DecryptMessage(ciphertext, KM_DIGEST_SHA_2_224, KM_PAD_RSA_OAEP);
2019 EXPECT_EQ(message, plaintext);
2020 }
2021
TEST_P(EncryptionOperationsTest,RsaOaepInvalidDigest)2022 TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2023 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2024 .RsaEncryptionKey(512, 3)
2025 .Padding(KM_PAD_RSA_OAEP)
2026 .Digest(KM_DIGEST_NONE)));
2027 string message = "Hello World!";
2028
2029 AuthorizationSet begin_params(client_params());
2030 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2031 begin_params.push_back(TAG_DIGEST, KM_DIGEST_NONE);
2032 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2033 }
2034
TEST_P(EncryptionOperationsTest,RsaOaepWithMgfInvalidDigest)2035 TEST_P(EncryptionOperationsTest, RsaOaepWithMgfInvalidDigest) {
2036 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2037 .RsaEncryptionKey(512, 3)
2038 .Padding(KM_PAD_RSA_OAEP)
2039 .Digest(KM_DIGEST_SHA_2_256)
2040 .OaepMgfDigest(KM_DIGEST_SHA_2_256)));
2041 string message = "Hello World!";
2042
2043 AuthorizationSet begin_params(client_params());
2044 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2045 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
2046 begin_params.push_back(TAG_RSA_OAEP_MGF_DIGEST, KM_DIGEST_SHA_2_224);
2047 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_MGF_DIGEST, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2048 }
2049
TEST_P(EncryptionOperationsTest,RsaOaepUnauthorizedDigest)2050 TEST_P(EncryptionOperationsTest, RsaOaepUnauthorizedDigest) {
2051 if (GetParam()->minimal_digest_set())
2052 // We don't have two supported digests, so we can't try authorizing one and using another.
2053 return;
2054
2055 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2056 .RsaEncryptionKey(512, 3)
2057 .Padding(KM_PAD_RSA_OAEP)
2058 .Digest(KM_DIGEST_SHA_2_256)));
2059 string message = "Hello World!";
2060 // Works because encryption is a public key operation.
2061 EncryptMessage(string(message), KM_DIGEST_SHA1, KM_PAD_RSA_OAEP);
2062
2063 AuthorizationSet begin_params(client_params());
2064 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2065 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2066 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_DIGEST, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2067 }
2068
TEST_P(EncryptionOperationsTest,RsaOaepDecryptWithWrongDigest)2069 TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2070 if (GetParam()->minimal_digest_set())
2071 // We don't have two supported digests, so we can't try encrypting with one and decrypting
2072 // with another.
2073 return;
2074
2075 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2076 .RsaEncryptionKey(768, 3)
2077 .Padding(KM_PAD_RSA_OAEP)
2078 .Digest(KM_DIGEST_SHA_2_256)
2079 .Digest(KM_DIGEST_SHA_2_384)));
2080 string message = "Hello World!";
2081 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2082
2083 string result;
2084 size_t input_consumed;
2085 AuthorizationSet begin_params(client_params());
2086 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2087 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_384);
2088 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2089 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2090 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2091 EXPECT_EQ(0U, result.size());
2092 }
2093
TEST_P(EncryptionOperationsTest,RsaOaepTooLarge)2094 TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2095 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2096 .RsaEncryptionKey(512, 3)
2097 .Padding(KM_PAD_RSA_OAEP)
2098 .Digest(KM_DIGEST_SHA1)));
2099 string message = "12345678901234567890123";
2100 string result;
2101 size_t input_consumed;
2102
2103 AuthorizationSet begin_params(client_params());
2104 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2105 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA1);
2106 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2107 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2108 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2109 EXPECT_EQ(0U, result.size());
2110 }
2111
TEST_P(EncryptionOperationsTest,RsaOaepCorruptedDecrypt)2112 TEST_P(EncryptionOperationsTest, RsaOaepCorruptedDecrypt) {
2113 size_t key_size = 768;
2114 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2115 .RsaEncryptionKey(768, 3)
2116 .Padding(KM_PAD_RSA_OAEP)
2117 .Digest(KM_DIGEST_SHA_2_256)));
2118 string message = "Hello World!";
2119 string ciphertext = EncryptMessage(string(message), KM_DIGEST_SHA_2_256, KM_PAD_RSA_OAEP);
2120 EXPECT_EQ(key_size / 8, ciphertext.size());
2121
2122 // Corrupt the ciphertext
2123 ciphertext[key_size / 8 / 2]++;
2124
2125 string result;
2126 size_t input_consumed;
2127 AuthorizationSet begin_params(client_params());
2128 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_OAEP);
2129 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
2130 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2131 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2132 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2133 EXPECT_EQ(0U, result.size());
2134 }
2135
TEST_P(EncryptionOperationsTest,RsaPkcs1Success)2136 TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2137 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2138 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2139 string message = "Hello World!";
2140 string ciphertext1 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2141 EXPECT_EQ(512U / 8, ciphertext1.size());
2142
2143 string ciphertext2 = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2144 EXPECT_EQ(512U / 8, ciphertext2.size());
2145
2146 // PKCS1 v1.5 randomizes padding so every result should be different.
2147 EXPECT_NE(ciphertext1, ciphertext2);
2148 }
2149
TEST_P(EncryptionOperationsTest,RsaPkcs1RoundTrip)2150 TEST_P(EncryptionOperationsTest, RsaPkcs1RoundTrip) {
2151 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2152 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2153 string message = "Hello World!";
2154 string ciphertext = EncryptMessage(message, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2155 EXPECT_EQ(512U / 8, ciphertext.size());
2156
2157 string plaintext = DecryptMessage(ciphertext, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2158 EXPECT_EQ(message, plaintext);
2159 }
2160
TEST_P(EncryptionOperationsTest,RsaRoundTripAllCombinations)2161 TEST_P(EncryptionOperationsTest, RsaRoundTripAllCombinations) {
2162 size_t key_size = 2048;
2163 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2164 .RsaEncryptionKey(key_size, 3)
2165 .Padding(KM_PAD_RSA_PKCS1_1_5_ENCRYPT)
2166 .Padding(KM_PAD_RSA_OAEP)
2167 .Digest(KM_DIGEST_NONE)
2168 .Digest(KM_DIGEST_MD5)
2169 .Digest(KM_DIGEST_SHA1)
2170 .Digest(KM_DIGEST_SHA_2_224)
2171 .Digest(KM_DIGEST_SHA_2_256)
2172 .Digest(KM_DIGEST_SHA_2_384)
2173 .Digest(KM_DIGEST_SHA_2_512)));
2174
2175 string message = "Hello World!";
2176
2177 keymaster_padding_t padding_modes[] = {KM_PAD_RSA_OAEP, KM_PAD_RSA_PKCS1_1_5_ENCRYPT};
2178 keymaster_digest_t digests[] = {
2179 KM_DIGEST_NONE, KM_DIGEST_MD5, KM_DIGEST_SHA1, KM_DIGEST_SHA_2_224,
2180 KM_DIGEST_SHA_2_256, KM_DIGEST_SHA_2_384, KM_DIGEST_SHA_2_512,
2181 };
2182
2183 for (auto padding : padding_modes)
2184 for (auto digest : digests) {
2185 if (padding == KM_PAD_RSA_OAEP && digest == KM_DIGEST_NONE)
2186 // OAEP requires a digest.
2187 continue;
2188
2189 string ciphertext = EncryptMessage(message, digest, padding);
2190 EXPECT_EQ(key_size / 8, ciphertext.size());
2191
2192 string plaintext = DecryptMessage(ciphertext, digest, padding);
2193 EXPECT_EQ(message, plaintext);
2194 }
2195 }
2196
TEST_P(EncryptionOperationsTest,RsaPkcs1TooLarge)2197 TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2198 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2199 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2200 string message = "123456789012345678901234567890123456789012345678901234";
2201 string result;
2202 size_t input_consumed;
2203
2204 AuthorizationSet begin_params(client_params());
2205 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2206 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2207 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
2208 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(&result));
2209 EXPECT_EQ(0U, result.size());
2210 }
2211
TEST_P(EncryptionOperationsTest,RsaPkcs1CorruptedDecrypt)2212 TEST_P(EncryptionOperationsTest, RsaPkcs1CorruptedDecrypt) {
2213 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(512, 3).Padding(
2214 KM_PAD_RSA_PKCS1_1_5_ENCRYPT)));
2215 string message = "Hello World!";
2216 string ciphertext = EncryptMessage(string(message), KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2217 EXPECT_EQ(512U / 8, ciphertext.size());
2218
2219 // Corrupt the ciphertext
2220 ciphertext[512 / 8 / 2]++;
2221
2222 string result;
2223 size_t input_consumed;
2224 AuthorizationSet begin_params(client_params());
2225 begin_params.push_back(TAG_PADDING, KM_PAD_RSA_PKCS1_1_5_ENCRYPT);
2226 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2227 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &result, &input_consumed));
2228 EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, FinishOperation(&result));
2229 EXPECT_EQ(0U, result.size());
2230 }
2231
TEST_P(EncryptionOperationsTest,RsaEncryptWithSigningKey)2232 TEST_P(EncryptionOperationsTest, RsaEncryptWithSigningKey) {
2233 ASSERT_EQ(KM_ERROR_OK,
2234 GenerateKey(AuthorizationSetBuilder().RsaSigningKey(256, 3).Padding(KM_PAD_NONE)));
2235
2236 AuthorizationSet begin_params(client_params());
2237 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2238 ASSERT_EQ(KM_ERROR_INCOMPATIBLE_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2239 }
2240
TEST_P(EncryptionOperationsTest,EcdsaEncrypt)2241 TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2242 ASSERT_EQ(KM_ERROR_OK,
2243 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(224).Digest(KM_DIGEST_NONE)));
2244 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2245 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2246 }
2247
TEST_P(EncryptionOperationsTest,HmacEncrypt)2248 TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2249 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2250 .HmacKey(128)
2251 .Digest(KM_DIGEST_SHA_2_256)
2252 .Padding(KM_PAD_NONE)
2253 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2254 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_ENCRYPT));
2255 ASSERT_EQ(KM_ERROR_UNSUPPORTED_PURPOSE, BeginOperation(KM_PURPOSE_DECRYPT));
2256 }
2257
TEST_P(EncryptionOperationsTest,AesEcbRoundTripSuccess)2258 TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2259 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2260 .AesEncryptionKey(128)
2261 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2262 .Padding(KM_PAD_NONE)));
2263 // Two-block message.
2264 string message = "12345678901234567890123456789012";
2265 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
2266 EXPECT_EQ(message.size(), ciphertext1.size());
2267
2268 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE);
2269 EXPECT_EQ(message.size(), ciphertext2.size());
2270
2271 // ECB is deterministic.
2272 EXPECT_EQ(ciphertext1, ciphertext2);
2273
2274 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE);
2275 EXPECT_EQ(message, plaintext);
2276 }
2277
TEST_P(EncryptionOperationsTest,AesEcbNotAuthorized)2278 TEST_P(EncryptionOperationsTest, AesEcbNotAuthorized) {
2279 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2280 .AesEncryptionKey(128)
2281 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2282 .Padding(KM_PAD_NONE)));
2283 // Two-block message.
2284 string message = "12345678901234567890123456789012";
2285 AuthorizationSet begin_params(client_params());
2286 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2287 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2288 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2289 }
2290
TEST_P(EncryptionOperationsTest,AesEcbNoPaddingWrongInputSize)2291 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2292 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2293 .AesEncryptionKey(128)
2294 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2295 .Padding(KM_PAD_NONE)));
2296 // Message is slightly shorter than two blocks.
2297 string message = "1234567890123456789012345678901";
2298
2299 AuthorizationSet begin_params(client_params());
2300 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2301 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2302 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2303 string ciphertext;
2304 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext));
2305 }
2306
TEST_P(EncryptionOperationsTest,AesEcbPkcs7Padding)2307 TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2308 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2309 .AesEncryptionKey(128)
2310 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2311 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2312
2313 // Try various message lengths; all should work.
2314 for (size_t i = 0; i < 32; ++i) {
2315 string message(i, 'a');
2316 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2317 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2318 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
2319 EXPECT_EQ(message, plaintext);
2320 }
2321 }
2322
TEST_P(EncryptionOperationsTest,AesEcbNoPaddingKeyWithPkcs7Padding)2323 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingKeyWithPkcs7Padding) {
2324 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2325 .AesEncryptionKey(128)
2326 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2327 .Authorization(TAG_PADDING, KM_PAD_NONE)));
2328
2329 // Try various message lengths; all should fail.
2330 for (size_t i = 0; i < 32; ++i) {
2331 AuthorizationSet begin_params(client_params());
2332 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2333 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2334 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
2335 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2336 }
2337 }
2338
TEST_P(EncryptionOperationsTest,AesEcbPkcs7PaddingCorrupted)2339 TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2340 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2341 .AesEncryptionKey(128)
2342 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
2343 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2344
2345 string message = "a";
2346 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
2347 EXPECT_EQ(16U, ciphertext.size());
2348 EXPECT_NE(ciphertext, message);
2349 ++ciphertext[ciphertext.size() / 2];
2350
2351 AuthorizationSet begin_params(client_params());
2352 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
2353 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
2354 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2355 string plaintext;
2356 size_t input_consumed;
2357 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
2358 EXPECT_EQ(ciphertext.size(), input_consumed);
2359 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
2360 }
2361
TEST_P(EncryptionOperationsTest,AesCtrRoundTripSuccess)2362 TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
2363 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2364 .AesEncryptionKey(128)
2365 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2366 .Padding(KM_PAD_NONE)));
2367 string message = "123";
2368 string iv1;
2369 string ciphertext1 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv1);
2370 EXPECT_EQ(message.size(), ciphertext1.size());
2371 EXPECT_EQ(16U, iv1.size());
2372
2373 string iv2;
2374 string ciphertext2 = EncryptMessage(message, KM_MODE_CTR, KM_PAD_NONE, &iv2);
2375 EXPECT_EQ(message.size(), ciphertext2.size());
2376 EXPECT_EQ(16U, iv2.size());
2377
2378 // IVs should be random, so ciphertexts should differ.
2379 EXPECT_NE(iv1, iv2);
2380 EXPECT_NE(ciphertext1, ciphertext2);
2381
2382 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CTR, KM_PAD_NONE, iv1);
2383 EXPECT_EQ(message, plaintext);
2384 }
2385
TEST_P(EncryptionOperationsTest,AesCtrIncremental)2386 TEST_P(EncryptionOperationsTest, AesCtrIncremental) {
2387 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2388 .AesEncryptionKey(128)
2389 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2390 .Padding(KM_PAD_NONE)));
2391
2392 int increment = 15;
2393 string message(239, 'a');
2394 AuthorizationSet input_params(client_params());
2395 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2396 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2397 AuthorizationSet output_params;
2398 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2399
2400 string ciphertext;
2401 size_t input_consumed;
2402 for (size_t i = 0; i < message.size(); i += increment)
2403 EXPECT_EQ(KM_ERROR_OK,
2404 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2405 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2406 EXPECT_EQ(message.size(), ciphertext.size());
2407
2408 // Move TAG_NONCE into input_params
2409 input_params.Reinitialize(output_params);
2410 input_params.push_back(client_params());
2411 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2412 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2413 output_params.Clear();
2414
2415 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2416 string plaintext;
2417 for (size_t i = 0; i < ciphertext.size(); i += increment)
2418 EXPECT_EQ(KM_ERROR_OK,
2419 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2420 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2421 EXPECT_EQ(ciphertext.size(), plaintext.size());
2422 EXPECT_EQ(message, plaintext);
2423 }
2424
2425 struct AesCtrSp80038aTestVector {
2426 const char* key;
2427 const char* nonce;
2428 const char* plaintext;
2429 const char* ciphertext;
2430 };
2431
2432 // These test vectors are taken from
2433 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
2434 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
2435 // AES-128
2436 {
2437 "2b7e151628aed2a6abf7158809cf4f3c",
2438 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2439 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2440 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2441 "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
2442 "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
2443 },
2444 // AES-192
2445 {
2446 "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
2447 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2448 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2449 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2450 "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
2451 "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
2452 },
2453 // AES-256
2454 {
2455 "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
2456 "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
2457 "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
2458 "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
2459 "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
2460 "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
2461 },
2462 };
2463
TEST_P(EncryptionOperationsTest,AesCtrSp80038aTestVector)2464 TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
2465 for (size_t i = 0; i < 3; i++) {
2466 const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
2467 const string key = hex2str(test.key);
2468 const string nonce = hex2str(test.nonce);
2469 const string plaintext = hex2str(test.plaintext);
2470 const string ciphertext = hex2str(test.ciphertext);
2471 CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
2472 }
2473 }
2474
TEST_P(EncryptionOperationsTest,AesCtrInvalidPaddingMode)2475 TEST_P(EncryptionOperationsTest, AesCtrInvalidPaddingMode) {
2476 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2477 .AesEncryptionKey(128)
2478 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2479 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2480 AuthorizationSet begin_params(client_params());
2481 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2482 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2483 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
2484 }
2485
TEST_P(EncryptionOperationsTest,AesCtrInvalidCallerNonce)2486 TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
2487 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2488 .AesEncryptionKey(128)
2489 .Authorization(TAG_BLOCK_MODE, KM_MODE_CTR)
2490 .Authorization(TAG_CALLER_NONCE)
2491 .Padding(KM_PAD_NONE)));
2492
2493 AuthorizationSet input_params(client_params());
2494 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CTR);
2495 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2496 input_params.push_back(TAG_NONCE, "123", 3);
2497 EXPECT_EQ(KM_ERROR_INVALID_NONCE, BeginOperation(KM_PURPOSE_ENCRYPT, input_params));
2498 }
2499
TEST_P(EncryptionOperationsTest,AesCbcRoundTripSuccess)2500 TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
2501 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2502 .AesEncryptionKey(128)
2503 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2504 .Padding(KM_PAD_NONE)));
2505 // Two-block message.
2506 string message = "12345678901234567890123456789012";
2507 string iv1;
2508 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2509 EXPECT_EQ(message.size(), ciphertext1.size());
2510
2511 string iv2;
2512 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2);
2513 EXPECT_EQ(message.size(), ciphertext2.size());
2514
2515 // IVs should be random, so ciphertexts should differ.
2516 EXPECT_NE(iv1, iv2);
2517 EXPECT_NE(ciphertext1, ciphertext2);
2518
2519 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2520 EXPECT_EQ(message, plaintext);
2521 }
2522
TEST_P(EncryptionOperationsTest,AesCallerNonce)2523 TEST_P(EncryptionOperationsTest, AesCallerNonce) {
2524 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2525 .AesEncryptionKey(128)
2526 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2527 .Authorization(TAG_CALLER_NONCE)
2528 .Padding(KM_PAD_NONE)));
2529 string message = "12345678901234567890123456789012";
2530 string iv1;
2531 // Don't specify nonce, should get a random one.
2532 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2533 EXPECT_EQ(message.size(), ciphertext1.size());
2534 EXPECT_EQ(16U, iv1.size());
2535
2536 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2537 EXPECT_EQ(message, plaintext);
2538
2539 // Now specify a nonce, should also work.
2540 AuthorizationSet input_params(client_params());
2541 AuthorizationSet update_params;
2542 AuthorizationSet output_params;
2543 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2544 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2545 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2546 string ciphertext2 =
2547 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params);
2548
2549 // Decrypt with correct nonce.
2550 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2551 &output_params);
2552 EXPECT_EQ(message, plaintext);
2553
2554 // Now try with wrong nonce.
2555 input_params.Reinitialize(client_params());
2556 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2557 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2558 input_params.push_back(TAG_NONCE, "aaaaaaaaaaaaaaaa", 16);
2559 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
2560 &output_params);
2561 EXPECT_NE(message, plaintext);
2562 }
2563
TEST_P(EncryptionOperationsTest,AesCallerNonceProhibited)2564 TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
2565 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2566 .AesEncryptionKey(128)
2567 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2568 .Padding(KM_PAD_NONE)));
2569
2570 string message = "12345678901234567890123456789012";
2571 string iv1;
2572 // Don't specify nonce, should get a random one.
2573 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
2574 EXPECT_EQ(message.size(), ciphertext1.size());
2575 EXPECT_EQ(16U, iv1.size());
2576
2577 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
2578 EXPECT_EQ(message, plaintext);
2579
2580 // Now specify a nonce, should fail.
2581 AuthorizationSet input_params(client_params());
2582 AuthorizationSet update_params;
2583 AuthorizationSet output_params;
2584 input_params.push_back(TAG_NONCE, "abcdefghijklmnop", 16);
2585 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2586 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2587
2588 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
2589 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2590 }
2591
TEST_P(EncryptionOperationsTest,AesCbcIncrementalNoPadding)2592 TEST_P(EncryptionOperationsTest, AesCbcIncrementalNoPadding) {
2593 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2594 .AesEncryptionKey(128)
2595 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2596 .Padding(KM_PAD_NONE)));
2597
2598 int increment = 15;
2599 string message(240, 'a');
2600 AuthorizationSet input_params(client_params());
2601 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2602 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2603 AuthorizationSet output_params;
2604 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
2605
2606 string ciphertext;
2607 size_t input_consumed;
2608 for (size_t i = 0; i < message.size(); i += increment)
2609 EXPECT_EQ(KM_ERROR_OK,
2610 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
2611 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2612 EXPECT_EQ(message.size(), ciphertext.size());
2613
2614 // Move TAG_NONCE into input_params
2615 input_params.Reinitialize(output_params);
2616 input_params.push_back(client_params());
2617 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
2618 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
2619 output_params.Clear();
2620
2621 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
2622 string plaintext;
2623 for (size_t i = 0; i < ciphertext.size(); i += increment)
2624 EXPECT_EQ(KM_ERROR_OK,
2625 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
2626 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2627 EXPECT_EQ(ciphertext.size(), plaintext.size());
2628 EXPECT_EQ(message, plaintext);
2629 }
2630
TEST_P(EncryptionOperationsTest,AesCbcPkcs7Padding)2631 TEST_P(EncryptionOperationsTest, AesCbcPkcs7Padding) {
2632 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2633 .AesEncryptionKey(128)
2634 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
2635 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
2636
2637 // Try various message lengths; all should work.
2638 for (size_t i = 0; i < 32; ++i) {
2639 string message(i, 'a');
2640 string iv;
2641 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
2642 EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2643 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv);
2644 EXPECT_EQ(message, plaintext);
2645 }
2646 }
2647
TEST_P(EncryptionOperationsTest,AesGcmRoundTripSuccess)2648 TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2649 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2650 .AesEncryptionKey(128)
2651 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2652 .Authorization(TAG_PADDING, KM_PAD_NONE)
2653 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2654 string aad = "foobar";
2655 string message = "123456789012345678901234567890123456";
2656 AuthorizationSet begin_params(client_params());
2657 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2658 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2659 begin_params.push_back(TAG_MAC_LENGTH, 128);
2660
2661 AuthorizationSet update_params;
2662 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2663
2664 // Encrypt
2665 AuthorizationSet begin_out_params;
2666 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2667 string ciphertext;
2668 size_t input_consumed;
2669 AuthorizationSet update_out_params;
2670 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2671 &input_consumed));
2672 EXPECT_EQ(message.size(), input_consumed);
2673 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2674
2675 // Grab nonce
2676 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2677 begin_params.push_back(begin_out_params);
2678
2679 // Decrypt.
2680 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2681 string plaintext;
2682 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2683 &plaintext, &input_consumed));
2684 EXPECT_EQ(ciphertext.size(), input_consumed);
2685 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2686
2687 EXPECT_EQ(message, plaintext);
2688 }
2689
TEST_P(EncryptionOperationsTest,AesGcmTooShortTag)2690 TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
2691 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2692 .AesEncryptionKey(128)
2693 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2694 .Authorization(TAG_PADDING, KM_PAD_NONE)
2695 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2696 string aad = "foobar";
2697 string message = "123456789012345678901234567890123456";
2698 AuthorizationSet begin_params(client_params());
2699 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2700 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2701 begin_params.push_back(TAG_MAC_LENGTH, 96);
2702
2703 AuthorizationSet update_params;
2704 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2705
2706 AuthorizationSet begin_out_params;
2707 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH,
2708 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2709 }
2710
TEST_P(EncryptionOperationsTest,AesGcmTooShortTagOnDecrypt)2711 TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
2712 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2713 .AesEncryptionKey(128)
2714 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2715 .Authorization(TAG_PADDING, KM_PAD_NONE)
2716 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2717 string aad = "foobar";
2718 string message = "123456789012345678901234567890123456";
2719 AuthorizationSet begin_params(client_params());
2720 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2721 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2722 begin_params.push_back(TAG_MAC_LENGTH, 128);
2723
2724 AuthorizationSet update_params;
2725 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2726
2727 // Encrypt
2728 AuthorizationSet begin_out_params;
2729 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2730 string ciphertext;
2731 size_t input_consumed;
2732 AuthorizationSet update_out_params;
2733 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2734 &input_consumed));
2735 EXPECT_EQ(message.size(), input_consumed);
2736 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2737
2738 // Grab nonce
2739 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2740 begin_params.Reinitialize(client_params());
2741 begin_params.push_back(begin_out_params);
2742 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2743 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2744 begin_params.push_back(TAG_MAC_LENGTH, 96);
2745
2746 // Decrypt.
2747 EXPECT_EQ(KM_ERROR_INVALID_MAC_LENGTH, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2748 }
2749
TEST_P(EncryptionOperationsTest,AesGcmCorruptKey)2750 TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
2751 uint8_t nonce[] = {
2752 0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
2753 };
2754 uint8_t ciphertext[] = {
2755 0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
2756 0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
2757 0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
2758 0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
2759 0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
2760 };
2761 string ciphertext_str(reinterpret_cast<char*>(ciphertext), sizeof(ciphertext));
2762
2763 AuthorizationSet begin_params(client_params());
2764 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2765 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2766 begin_params.push_back(TAG_MAC_LENGTH, 128);
2767 begin_params.push_back(TAG_NONCE, nonce, sizeof(nonce));
2768
2769 string plaintext;
2770 size_t input_consumed;
2771
2772 // Import correct key and decrypt
2773 uint8_t good_key[] = {
2774 0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2775 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2776 };
2777 string good_key_str(reinterpret_cast<char*>(good_key), sizeof(good_key));
2778 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2779 .AesEncryptionKey(128)
2780 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2781 .Authorization(TAG_PADDING, KM_PAD_NONE)
2782 .Authorization(TAG_CALLER_NONCE)
2783 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2784 KM_KEY_FORMAT_RAW, good_key_str));
2785 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2786 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2787 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2788
2789 // Import bad key and decrypt
2790 uint8_t bad_key[] = {
2791 0xbb, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
2792 0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
2793 };
2794 string bad_key_str(reinterpret_cast<char*>(bad_key), sizeof(bad_key));
2795 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
2796 .AesEncryptionKey(128)
2797 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2798 .Authorization(TAG_PADDING, KM_PAD_NONE)
2799 .Authorization(TAG_MIN_MAC_LENGTH, 128),
2800 KM_KEY_FORMAT_RAW, bad_key_str));
2801 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2802 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext_str, &plaintext, &input_consumed));
2803 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
2804 }
2805
TEST_P(EncryptionOperationsTest,AesGcmAadNoData)2806 TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
2807 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2808 .AesEncryptionKey(128)
2809 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2810 .Authorization(TAG_PADDING, KM_PAD_NONE)
2811 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2812 string aad = "123456789012345678";
2813 string empty_message;
2814 AuthorizationSet begin_params(client_params());
2815 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2816 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2817 begin_params.push_back(TAG_MAC_LENGTH, 128);
2818
2819 AuthorizationSet update_params;
2820 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
2821
2822 // Encrypt
2823 AuthorizationSet begin_out_params;
2824 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2825 string ciphertext;
2826 size_t input_consumed;
2827 AuthorizationSet update_out_params;
2828 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, empty_message, &update_out_params,
2829 &ciphertext, &input_consumed));
2830 EXPECT_EQ(0U, input_consumed);
2831 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2832
2833 // Grab nonce
2834 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2835 begin_params.push_back(begin_out_params);
2836
2837 // Decrypt.
2838 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2839 string plaintext;
2840 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2841 &plaintext, &input_consumed));
2842 EXPECT_EQ(ciphertext.size(), input_consumed);
2843 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2844
2845 EXPECT_EQ(empty_message, plaintext);
2846 }
2847
TEST_P(EncryptionOperationsTest,AesGcmIncremental)2848 TEST_P(EncryptionOperationsTest, AesGcmIncremental) {
2849 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2850 .AesEncryptionKey(128)
2851 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2852 .Authorization(TAG_PADDING, KM_PAD_NONE)
2853 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2854 AuthorizationSet begin_params(client_params());
2855 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2856 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2857 begin_params.push_back(TAG_MAC_LENGTH, 128);
2858
2859 AuthorizationSet update_params;
2860 update_params.push_back(TAG_ASSOCIATED_DATA, "b", 1);
2861
2862 // Encrypt
2863 AuthorizationSet begin_out_params;
2864 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2865 string ciphertext;
2866 size_t input_consumed;
2867 AuthorizationSet update_out_params;
2868
2869 // Send AAD, incrementally
2870 for (int i = 0; i < 1000; ++i) {
2871 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &ciphertext,
2872 &input_consumed));
2873 EXPECT_EQ(0U, input_consumed);
2874 EXPECT_EQ(0U, ciphertext.size());
2875 }
2876
2877 // Now send data, incrementally, no data.
2878 AuthorizationSet empty_params;
2879 for (int i = 0; i < 1000; ++i) {
2880 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, "a", &update_out_params, &ciphertext,
2881 &input_consumed));
2882 EXPECT_EQ(1U, input_consumed);
2883 }
2884 EXPECT_EQ(1000U, ciphertext.size());
2885
2886 // And finish.
2887 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2888 EXPECT_EQ(1016U, ciphertext.size());
2889
2890 // Grab nonce
2891 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2892 begin_params.push_back(begin_out_params);
2893
2894 // Decrypt.
2895 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2896 string plaintext;
2897
2898 // Send AAD, incrementally, no data
2899 for (int i = 0; i < 1000; ++i) {
2900 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "", &update_out_params, &plaintext,
2901 &input_consumed));
2902 EXPECT_EQ(0U, input_consumed);
2903 EXPECT_EQ(0U, plaintext.size());
2904 }
2905
2906 // Now send data, incrementally.
2907 for (size_t i = 0; i < ciphertext.length(); ++i) {
2908 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(empty_params, string(ciphertext.data() + i, 1),
2909 &update_out_params, &plaintext, &input_consumed));
2910 EXPECT_EQ(1U, input_consumed);
2911 }
2912 EXPECT_EQ(1000U, plaintext.size());
2913 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2914 }
2915
TEST_P(EncryptionOperationsTest,AesGcmMultiPartAad)2916 TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
2917 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2918 .AesEncryptionKey(128)
2919 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2920 .Authorization(TAG_PADDING, KM_PAD_NONE)
2921 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2922 string message = "123456789012345678901234567890123456";
2923 AuthorizationSet begin_params(client_params());
2924 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2925 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2926 begin_params.push_back(TAG_MAC_LENGTH, 128);
2927 AuthorizationSet begin_out_params;
2928
2929 AuthorizationSet update_params;
2930 update_params.push_back(TAG_ASSOCIATED_DATA, "foo", 3);
2931
2932 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2933
2934 // No data, AAD only.
2935 string ciphertext;
2936 size_t input_consumed;
2937 AuthorizationSet update_out_params;
2938 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, "" /* message */, &update_out_params,
2939 &ciphertext, &input_consumed));
2940 EXPECT_EQ(0U, input_consumed);
2941
2942 // AAD and data.
2943 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2944 &input_consumed));
2945 EXPECT_EQ(message.size(), input_consumed);
2946 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2947
2948 // Grab nonce.
2949 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2950 begin_params.push_back(begin_out_params);
2951
2952 // Decrypt
2953 update_params.Clear();
2954 update_params.push_back(TAG_ASSOCIATED_DATA, "foofoo", 6);
2955
2956 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
2957 string plaintext;
2958 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
2959 &plaintext, &input_consumed));
2960 EXPECT_EQ(ciphertext.size(), input_consumed);
2961 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
2962
2963 EXPECT_EQ(message, plaintext);
2964 }
2965
TEST_P(EncryptionOperationsTest,AesGcmBadAad)2966 TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
2967 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
2968 .AesEncryptionKey(128)
2969 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
2970 .Authorization(TAG_PADDING, KM_PAD_NONE)
2971 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2972 string message = "12345678901234567890123456789012";
2973 AuthorizationSet begin_params(client_params());
2974 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
2975 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
2976 begin_params.push_back(TAG_MAC_LENGTH, 128);
2977
2978 AuthorizationSet update_params;
2979 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
2980
2981 AuthorizationSet finish_params;
2982 AuthorizationSet finish_out_params;
2983
2984 // Encrypt
2985 AuthorizationSet begin_out_params;
2986 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
2987 AuthorizationSet update_out_params;
2988 string ciphertext;
2989 size_t input_consumed;
2990 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
2991 &input_consumed));
2992 EXPECT_EQ(message.size(), input_consumed);
2993 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
2994
2995 // Grab nonce
2996 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
2997 begin_params.push_back(begin_out_params);
2998
2999 update_params.Clear();
3000 update_params.push_back(TAG_ASSOCIATED_DATA, "barfoo" /* Wrong AAD */, 6);
3001
3002 // Decrypt.
3003 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3004 string plaintext;
3005 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3006 &plaintext, &input_consumed));
3007 EXPECT_EQ(ciphertext.size(), input_consumed);
3008 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3009 }
3010
TEST_P(EncryptionOperationsTest,AesGcmWrongNonce)3011 TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3012 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3013 .AesEncryptionKey(128)
3014 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3015 .Authorization(TAG_PADDING, KM_PAD_NONE)
3016 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3017 string message = "12345678901234567890123456789012";
3018 AuthorizationSet begin_params(client_params());
3019 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3020 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3021 begin_params.push_back(TAG_MAC_LENGTH, 128);
3022
3023 AuthorizationSet update_params;
3024 update_params.push_back(TAG_ASSOCIATED_DATA, "foobar", 6);
3025
3026 // Encrypt
3027 AuthorizationSet begin_out_params;
3028 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3029 AuthorizationSet update_out_params;
3030 string ciphertext;
3031 size_t input_consumed;
3032 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3033 &input_consumed));
3034 EXPECT_EQ(message.size(), input_consumed);
3035 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3036
3037 begin_params.push_back(TAG_NONCE, "123456789012", 12);
3038
3039 // Decrypt
3040 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3041 string plaintext;
3042 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3043 &plaintext, &input_consumed));
3044 EXPECT_EQ(ciphertext.size(), input_consumed);
3045 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3046
3047 // With wrong nonce, should have gotten garbage plaintext.
3048 EXPECT_NE(message, plaintext);
3049 }
3050
TEST_P(EncryptionOperationsTest,AesGcmCorruptTag)3051 TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3052 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3053 .AesEncryptionKey(128)
3054 .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
3055 .Authorization(TAG_PADDING, KM_PAD_NONE)
3056 .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3057 string aad = "foobar";
3058 string message = "123456789012345678901234567890123456";
3059 AuthorizationSet begin_params(client_params());
3060 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_GCM);
3061 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3062 begin_params.push_back(TAG_MAC_LENGTH, 128);
3063 AuthorizationSet begin_out_params;
3064
3065 AuthorizationSet update_params;
3066 update_params.push_back(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3067
3068 // Encrypt
3069 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &begin_out_params));
3070 AuthorizationSet update_out_params;
3071 string ciphertext;
3072 size_t input_consumed;
3073 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &update_out_params, &ciphertext,
3074 &input_consumed));
3075 EXPECT_EQ(message.size(), input_consumed);
3076 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3077
3078 // Corrupt tag
3079 (*ciphertext.rbegin())++;
3080
3081 // Grab nonce.
3082 EXPECT_NE(-1, begin_out_params.find(TAG_NONCE));
3083 begin_params.push_back(begin_out_params);
3084
3085 // Decrypt.
3086 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params, &begin_out_params));
3087 string plaintext;
3088 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, ciphertext, &update_out_params,
3089 &plaintext, &input_consumed));
3090 EXPECT_EQ(ciphertext.size(), input_consumed);
3091 EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, FinishOperation(&plaintext));
3092
3093 EXPECT_EQ(message, plaintext);
3094 }
3095
TEST_P(EncryptionOperationsTest,TripleDesEcbRoundTripSuccess)3096 TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
3097 auto auths = AuthorizationSetBuilder()
3098 .TripleDesEncryptionKey(112)
3099 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3100 .Padding(KM_PAD_NONE);
3101
3102 ASSERT_EQ(KM_ERROR_OK, GenerateKey(auths));
3103 // Two-block message.
3104 string message = "1234567890123456";
3105 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3106 EXPECT_EQ(message.size(), ciphertext1.size());
3107
3108 string ciphertext2 = EncryptMessage(string(message), KM_MODE_ECB, KM_PAD_NONE);
3109 EXPECT_EQ(message.size(), ciphertext2.size());
3110
3111 // ECB is deterministic.
3112 EXPECT_EQ(ciphertext1, ciphertext2);
3113
3114 string plaintext = DecryptMessage(ciphertext1, KM_MODE_ECB, KM_PAD_NONE);
3115 EXPECT_EQ(message, plaintext);
3116 }
3117
TEST_P(EncryptionOperationsTest,TripleDesEcbNotAuthorized)3118 TEST_P(EncryptionOperationsTest, TripleDesEcbNotAuthorized) {
3119 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3120 .TripleDesEncryptionKey(112)
3121 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3122 .Padding(KM_PAD_NONE)));
3123 // Two-block message.
3124 string message = "1234567890123456";
3125 AuthorizationSet begin_params(client_params());
3126 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3127 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3128 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3129 }
3130
TEST_P(EncryptionOperationsTest,TripleDesEcbNoPaddingWrongInputSize)3131 TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingWrongInputSize) {
3132 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3133 .TripleDesEncryptionKey(112)
3134 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3135 .Padding(KM_PAD_NONE)));
3136 // Message is slightly shorter than two blocks.
3137 string message = "123456789012345";
3138
3139 AuthorizationSet begin_params(client_params());
3140 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3141 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3142 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3143 string ciphertext;
3144 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext));
3145 }
3146
TEST_P(EncryptionOperationsTest,TripleDesEcbPkcs7Padding)3147 TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7Padding) {
3148 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3149 .TripleDesEncryptionKey(112)
3150 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3151 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
3152
3153 // Try various message lengths; all should work.
3154 for (size_t i = 0; i < 32; ++i) {
3155 string message(i, 'a');
3156 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
3157 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3158 string plaintext = DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_PKCS7);
3159 EXPECT_EQ(message, plaintext);
3160 }
3161 }
3162
TEST_P(EncryptionOperationsTest,TripleDesEcbNoPaddingKeyWithPkcs7Padding)3163 TEST_P(EncryptionOperationsTest, TripleDesEcbNoPaddingKeyWithPkcs7Padding) {
3164 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3165 .TripleDesEncryptionKey(112)
3166 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3167 .Authorization(TAG_PADDING, KM_PAD_NONE)));
3168
3169 // Try various message lengths; all should fail.
3170 for (size_t i = 0; i < 32; ++i) {
3171 AuthorizationSet begin_params(client_params());
3172 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3173 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
3174 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
3175 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3176 }
3177 }
3178
TEST_P(EncryptionOperationsTest,TripleDesEcbPkcs7PaddingCorrupted)3179 TEST_P(EncryptionOperationsTest, TripleDesEcbPkcs7PaddingCorrupted) {
3180 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3181 .TripleDesEncryptionKey(112)
3182 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3183 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
3184
3185 string message = "a";
3186 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_PKCS7);
3187 EXPECT_EQ(8U, ciphertext.size());
3188 EXPECT_NE(ciphertext, message);
3189 ++ciphertext[ciphertext.size() / 2];
3190
3191 AuthorizationSet begin_params(client_params());
3192 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3193 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
3194 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3195 string plaintext;
3196 size_t input_consumed;
3197 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
3198 EXPECT_EQ(ciphertext.size(), input_consumed);
3199 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
3200 }
3201
3202 struct TripleDesTestVector {
3203 const char* name;
3204 const keymaster_purpose_t purpose;
3205 const keymaster_block_mode_t block_mode;
3206 const keymaster_padding_t padding_mode;
3207 const char* key;
3208 const char* iv;
3209 const char* input;
3210 const char* output;
3211 };
3212
3213 // These test vectors are from NIST CAVP, plus a few custom variants to test padding, since all of
3214 // the NIST vectors are multiples of the block size.
3215 static const TripleDesTestVector kTripleDesTestVectors[] = {
3216 {
3217 "TECBMMT2 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE,
3218 "ad192fd064b5579e7a4fb3c8f794f22a", // key
3219 "", // IV
3220 "13bad542f3652d67", // input
3221 "908e543cf2cb254f", // output
3222 },
3223 {
3224 "TECBMMT2 Encrypt 0 PKCS7", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_PKCS7,
3225 "ad192fd064b5579e7a4fb3c8f794f22a", // key
3226 "", // IV
3227 "13bad542f3652d6700", // input
3228 "908e543cf2cb254fc40165289a89008c", // output
3229 },
3230 {
3231 "TECBMMT2 Encrypt 0 PKCS7 decrypted", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_PKCS7,
3232 "ad192fd064b5579e7a4fb3c8f794f22a", // key
3233 "", // IV
3234 "908e543cf2cb254fc40165289a89008c", // input
3235 "13bad542f3652d6700", // output
3236 },
3237 {
3238 "TECBMMT2 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE,
3239 "259df16e7af804fe83b90e9bf7c7e557", // key
3240 "", // IV
3241 "a4619c433bbd6787c07c81728f9ac9fa", // input
3242 "9e06de155c483c6bcfd834dbc8bd5830", // output
3243 },
3244 {
3245 "TECBMMT2 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE,
3246 "b32ff42092024adf2076b9d3d9f19e6d", // key
3247 "", // IV
3248 "2f3f2a49bba807a5", // input
3249 "2249973fa135fb52", // output
3250 },
3251 {
3252 "TECBMMT2 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE,
3253 "023dfbe6621aa17cc219eae9cdecd923", // key
3254 "", // IV
3255 "54045dc71d8d565b227ec19f06fef912", // input
3256 "9b071622181e6412de6066429401410d", // output
3257 },
3258 {
3259 "TECBMMT3 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE,
3260 "a2b5bc67da13dc92cd9d344aa238544a0e1fa79ef76810cd", // key
3261 "", // IV
3262 "329d86bdf1bc5af4", // input
3263 "d946c2756d78633f", // output
3264 },
3265 {
3266 "TECBMMT3 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_ECB, KM_PAD_NONE,
3267 "49e692290d2a5e46bace79b9648a4c5d491004c262dc9d49", // key
3268 "", // IV
3269 "6b1540781b01ce1997adae102dbf3c5b", // input
3270 "4d0dc182d6e481ac4a3dc6ab6976ccae", // output
3271 },
3272 {
3273 "TECBMMT3 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE,
3274 "52daec2ac7dc1958377392682f37860b2cc1ea2304bab0e9", // key
3275 "", // IV
3276 "6daad94ce08acfe7", // input
3277 "660e7d32dcc90e79", // output
3278 },
3279 {
3280 "TECBMMT3 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_ECB, KM_PAD_NONE,
3281 "7f8fe3d3f4a48394fb682c2919926d6ddfce8932529229ce", // key
3282 "", // IV
3283 "e9653a0a1f05d31b9acd12d73aa9879d", // input
3284 "9b2ae9d998efe62f1b592e7e1df8ff38", // output
3285 },
3286 {
3287 "TCBCMMT2 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE,
3288 "34a41a8c293176c1b30732ecfe38ae8a", // key
3289 "f55b4855228bd0b4", // IV
3290 "7dd880d2a9ab411c", // input
3291 "c91892948b6cadb4", // output
3292 },
3293 {
3294 "TCBCMMT2 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE,
3295 "70a88fa1dfb9942fa77f40157ffef2ad", // key
3296 "ece08ce2fdc6ce80", // IV
3297 "bc225304d5a3a5c9918fc5006cbc40cc", // input
3298 "27f67dc87af7ddb4b68f63fa7c2d454a", // output
3299 },
3300 {
3301 "TCBCMMT2 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE,
3302 "4ff47fda89209bda8c85f7fe80192007", // key
3303 "d5bc4891dabe48b9", // IV
3304 "7e154b28c353adef", // input
3305 "712b961ea9a1d0af", // output
3306 },
3307 {
3308 "TCBCMMT2 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE,
3309 "464092cdbf736d38fb1fe6a12a94ae0e", // key
3310 "5423455f00023b01", // IV
3311 "3f6050b74ed64416bc23d53b0469ed7a", // input
3312 "9cbe7d1b5cdd1864c3095ba810575960", // output
3313 },
3314 {
3315 "TCBCMMT3 Encrypt 0", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE,
3316 "b5cb1504802326c73df186e3e352a20de643b0d63ee30e37", // key
3317 "43f791134c5647ba", // IV
3318 "dcc153cef81d6f24", // input
3319 "92538bd8af18d3ba", // output
3320 },
3321 {
3322 "TCBCMMT3 Encrypt 1", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_NONE,
3323 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3324 "c2e999cb6249023c", // IV
3325 "c689aee38a301bb316da75db36f110b5", // input
3326 "e9afaba5ec75ea1bbe65506655bb4ecb", // output
3327 },
3328 {
3329 "TCBCMMT3 Encrypt 1 PKCS7 variant", KM_PURPOSE_ENCRYPT, KM_MODE_CBC, KM_PAD_PKCS7,
3330 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3331 "c2e999cb6249023c", // IV
3332 "c689aee38a301bb316da75db36f110b500", // input
3333 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // output
3334 },
3335 {
3336 "TCBCMMT3 Encrypt 1 PKCS7 decrypted", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_PKCS7,
3337 "a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358", // key
3338 "c2e999cb6249023c", // IV
3339 "e9afaba5ec75ea1bbe65506655bb4ecb825aa27ec0656156", // input
3340 "c689aee38a301bb316da75db36f110b500", // output
3341 },
3342 {
3343 "TCBCMMT3 Decrypt 0", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE,
3344 "5eb6040d46082c7aa7d06dfd08dfeac8c18364c1548c3ba1", // key
3345 "41746c7e442d3681", // IV
3346 "c53a7b0ec40600fe", // input
3347 "d4f00eb455de1034", // output
3348 },
3349 {
3350 "TCBCMMT3 Decrypt 1", KM_PURPOSE_DECRYPT, KM_MODE_CBC, KM_PAD_NONE,
3351 "5b1cce7c0dc1ec49130dfb4af45785ab9179e567f2c7d549", // key
3352 "3982bc02c3727d45", // IV
3353 "6006f10adef52991fcc777a1238bbb65", // input
3354 "edae09288e9e3bc05746d872b48e3b29", // output
3355 },
3356 };
3357
TEST_P(EncryptionOperationsTest,TripleDesTestVector)3358 TEST_P(EncryptionOperationsTest, TripleDesTestVector) {
3359 for (auto& test : array_range(kTripleDesTestVectors)) {
3360 SCOPED_TRACE(test.name);
3361 CheckTripleDesTestVector(test.purpose, test.block_mode, test.padding_mode,
3362 hex2str(test.key), hex2str(test.iv), hex2str(test.input),
3363 hex2str(test.output));
3364 }
3365 }
3366
TEST_P(EncryptionOperationsTest,TripleDesCbcRoundTripSuccess)3367 TEST_P(EncryptionOperationsTest, TripleDesCbcRoundTripSuccess) {
3368 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3369 .TripleDesEncryptionKey(112)
3370 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3371 .Padding(KM_PAD_NONE)));
3372 // Two-block message.
3373 string message = "1234567890123456";
3374 string iv1;
3375 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
3376 EXPECT_EQ(message.size(), ciphertext1.size());
3377
3378 string iv2;
3379 string ciphertext2 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv2);
3380 EXPECT_EQ(message.size(), ciphertext2.size());
3381
3382 // IVs should be random, so ciphertexts should differ.
3383 EXPECT_NE(iv1, iv2);
3384 EXPECT_NE(ciphertext1, ciphertext2);
3385
3386 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
3387 EXPECT_EQ(message, plaintext);
3388 }
3389
TEST_P(EncryptionOperationsTest,TripleDesCallerIv)3390 TEST_P(EncryptionOperationsTest, TripleDesCallerIv) {
3391 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3392 .TripleDesEncryptionKey(112)
3393 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3394 .Authorization(TAG_CALLER_NONCE)
3395 .Padding(KM_PAD_NONE)));
3396 string message = "1234567890123456";
3397 string iv1;
3398 // Don't specify IV, should get a random one.
3399 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
3400 EXPECT_EQ(message.size(), ciphertext1.size());
3401 EXPECT_EQ(8U, iv1.size());
3402
3403 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
3404 EXPECT_EQ(message, plaintext);
3405
3406 // Now specify an IV, should also work.
3407 AuthorizationSet input_params(client_params());
3408 AuthorizationSet update_params;
3409 AuthorizationSet output_params;
3410 input_params.push_back(TAG_NONCE, "abcdefgh", 8);
3411 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3412 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
3413 string ciphertext2 =
3414 ProcessMessage(KM_PURPOSE_ENCRYPT, message, input_params, update_params, &output_params);
3415
3416 // Decrypt with correct IV.
3417 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
3418 &output_params);
3419 EXPECT_EQ(message, plaintext);
3420
3421 // Now try with wrong IV.
3422 input_params.Reinitialize(client_params());
3423 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3424 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
3425 input_params.push_back(TAG_NONCE, "aaaaaaaa", 8);
3426 plaintext = ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext2, input_params, update_params,
3427 &output_params);
3428 EXPECT_NE(message, plaintext);
3429 }
3430
TEST_P(EncryptionOperationsTest,TripleDesCallerNonceProhibited)3431 TEST_P(EncryptionOperationsTest, TripleDesCallerNonceProhibited) {
3432 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3433 .TripleDesEncryptionKey(112)
3434 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3435 .Padding(KM_PAD_NONE)));
3436
3437 string message = "12345678901234567890123456789012";
3438 string iv1;
3439 // Don't specify nonce, should get a random one.
3440 string ciphertext1 = EncryptMessage(message, KM_MODE_CBC, KM_PAD_NONE, &iv1);
3441 EXPECT_EQ(message.size(), ciphertext1.size());
3442 EXPECT_EQ(8U, iv1.size());
3443
3444 string plaintext = DecryptMessage(ciphertext1, KM_MODE_CBC, KM_PAD_NONE, iv1);
3445 EXPECT_EQ(message, plaintext);
3446
3447 // Now specify a nonce, should fail.
3448 AuthorizationSet input_params(client_params());
3449 AuthorizationSet update_params;
3450 AuthorizationSet output_params;
3451 input_params.push_back(TAG_NONCE, "abcdefgh", 8);
3452 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3453 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
3454
3455 EXPECT_EQ(KM_ERROR_CALLER_NONCE_PROHIBITED,
3456 BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
3457 }
3458
TEST_P(EncryptionOperationsTest,TripleDesCbcNotAuthorized)3459 TEST_P(EncryptionOperationsTest, TripleDesCbcNotAuthorized) {
3460 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3461 .TripleDesEncryptionKey(112)
3462 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3463 .Padding(KM_PAD_NONE)));
3464 // Two-block message.
3465 string message = "1234567890123456";
3466 AuthorizationSet begin_params(client_params());
3467 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3468 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3469 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3470 }
3471
TEST_P(EncryptionOperationsTest,TripleDesCbcNoPaddingWrongInputSize)3472 TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingWrongInputSize) {
3473 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3474 .TripleDesEncryptionKey(112)
3475 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3476 .Padding(KM_PAD_NONE)));
3477 // Message is slightly shorter than two blocks.
3478 string message = "123456789012345";
3479
3480 AuthorizationSet begin_params(client_params());
3481 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3482 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3483 AuthorizationSet output_params;
3484 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params, &output_params));
3485 string ciphertext;
3486 EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, FinishOperation(message, "", &ciphertext));
3487 }
3488
TEST_P(EncryptionOperationsTest,TripleDesCbcPkcs7Padding)3489 TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7Padding) {
3490 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3491 .TripleDesEncryptionKey(112)
3492 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3493 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
3494
3495 // Try various message lengths; all should work.
3496 for (size_t i = 0; i < 32; ++i) {
3497 string message(i, 'a');
3498 string iv;
3499 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
3500 EXPECT_EQ(i + 8 - (i % 8), ciphertext.size());
3501 string plaintext = DecryptMessage(ciphertext, KM_MODE_CBC, KM_PAD_PKCS7, iv);
3502 EXPECT_EQ(message, plaintext);
3503 }
3504 }
3505
TEST_P(EncryptionOperationsTest,TripleDesCbcNoPaddingKeyWithPkcs7Padding)3506 TEST_P(EncryptionOperationsTest, TripleDesCbcNoPaddingKeyWithPkcs7Padding) {
3507 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3508 .TripleDesEncryptionKey(112)
3509 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3510 .Authorization(TAG_PADDING, KM_PAD_NONE)));
3511
3512 // Try various message lengths; all should fail.
3513 for (size_t i = 0; i < 32; ++i) {
3514 AuthorizationSet begin_params(client_params());
3515 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3516 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
3517 EXPECT_EQ(KM_ERROR_INCOMPATIBLE_PADDING_MODE,
3518 BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3519 }
3520 }
3521
TEST_P(EncryptionOperationsTest,TripleDesCbcPkcs7PaddingCorrupted)3522 TEST_P(EncryptionOperationsTest, TripleDesCbcPkcs7PaddingCorrupted) {
3523 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3524 .TripleDesEncryptionKey(112)
3525 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3526 .Authorization(TAG_PADDING, KM_PAD_PKCS7)));
3527
3528 string message = "a";
3529 string iv;
3530 string ciphertext = EncryptMessage(message, KM_MODE_CBC, KM_PAD_PKCS7, &iv);
3531 EXPECT_EQ(8U, ciphertext.size());
3532 EXPECT_NE(ciphertext, message);
3533 ++ciphertext[ciphertext.size() / 2];
3534
3535 AuthorizationSet begin_params(client_params());
3536 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3537 begin_params.push_back(TAG_PADDING, KM_PAD_PKCS7);
3538 begin_params.push_back(TAG_NONCE, iv.data(), iv.size());
3539 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, begin_params));
3540 string plaintext;
3541 size_t input_consumed;
3542 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(ciphertext, &plaintext, &input_consumed));
3543 EXPECT_EQ(ciphertext.size(), input_consumed);
3544 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, FinishOperation(&plaintext));
3545 }
3546
TEST_P(EncryptionOperationsTest,TripleDesCbcIncrementalNoPadding)3547 TEST_P(EncryptionOperationsTest, TripleDesCbcIncrementalNoPadding) {
3548 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3549 .TripleDesEncryptionKey(112)
3550 .Authorization(TAG_BLOCK_MODE, KM_MODE_CBC)
3551 .Padding(KM_PAD_NONE)));
3552
3553 int increment = 7;
3554 string message(240, 'a');
3555 AuthorizationSet input_params(client_params());
3556 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3557 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
3558 AuthorizationSet output_params;
3559 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, input_params, &output_params));
3560
3561 string ciphertext;
3562 size_t input_consumed;
3563 for (size_t i = 0; i < message.size(); i += increment)
3564 EXPECT_EQ(KM_ERROR_OK,
3565 UpdateOperation(message.substr(i, increment), &ciphertext, &input_consumed));
3566 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&ciphertext));
3567 EXPECT_EQ(message.size(), ciphertext.size());
3568
3569 // Move TAG_NONCE into input_params
3570 input_params.Reinitialize(output_params);
3571 input_params.push_back(client_params());
3572 input_params.push_back(TAG_BLOCK_MODE, KM_MODE_CBC);
3573 input_params.push_back(TAG_PADDING, KM_PAD_NONE);
3574 output_params.Clear();
3575
3576 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_DECRYPT, input_params, &output_params));
3577 string plaintext;
3578 for (size_t i = 0; i < ciphertext.size(); i += increment)
3579 EXPECT_EQ(KM_ERROR_OK,
3580 UpdateOperation(ciphertext.substr(i, increment), &plaintext, &input_consumed));
3581 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&plaintext));
3582 EXPECT_EQ(ciphertext.size(), plaintext.size());
3583 EXPECT_EQ(message, plaintext);
3584 }
3585
3586 typedef Keymaster2Test MaxOperationsTest;
3587 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, MaxOperationsTest, test_params);
3588
TEST_P(MaxOperationsTest,TestLimit)3589 TEST_P(MaxOperationsTest, TestLimit) {
3590 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3591 .AesEncryptionKey(128)
3592 .EcbMode()
3593 .Authorization(TAG_PADDING, KM_PAD_NONE)
3594 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3595
3596 string message = "1234567890123456";
3597 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3598 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3599 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3600
3601 // Fourth time should fail.
3602 AuthorizationSet begin_params(client_params());
3603 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3604 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3605 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3606 }
3607
TEST_P(MaxOperationsTest,TestAbort)3608 TEST_P(MaxOperationsTest, TestAbort) {
3609 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3610 .AesEncryptionKey(128)
3611 .EcbMode()
3612 .Authorization(TAG_PADDING, KM_PAD_NONE)
3613 .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3614
3615 string message = "1234567890123456";
3616 string ciphertext1 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3617 string ciphertext2 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3618 string ciphertext3 = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3619
3620 // Fourth time should fail.
3621 AuthorizationSet begin_params(client_params());
3622 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3623 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3624 EXPECT_EQ(KM_ERROR_KEY_MAX_OPS_EXCEEDED, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3625 }
3626
3627 typedef Keymaster2Test AddEntropyTest;
3628 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AddEntropyTest, test_params);
3629
TEST_P(AddEntropyTest,AddEntropy)3630 TEST_P(AddEntropyTest, AddEntropy) {
3631 // There's no obvious way to test that entropy is actually added, but we can test that the API
3632 // doesn't blow up or return an error.
3633 EXPECT_EQ(KM_ERROR_OK,
3634 device()->add_rng_entropy(device(), reinterpret_cast<const uint8_t*>("foo"), 3));
3635 }
3636
3637 typedef Keymaster2Test AttestationTest;
3638 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, AttestationTest, test_params);
3639
parse_cert_blob(const keymaster_blob_t & blob)3640 static X509* parse_cert_blob(const keymaster_blob_t& blob) {
3641 const uint8_t* p = blob.data;
3642 return d2i_X509(nullptr, &p, blob.data_length);
3643 }
3644
verify_chain(const keymaster_cert_chain_t & chain)3645 static bool verify_chain(const keymaster_cert_chain_t& chain) {
3646 for (size_t i = 0; i < chain.entry_count - 1; ++i) {
3647 keymaster_blob_t& key_cert_blob = chain.entries[i];
3648 keymaster_blob_t& signing_cert_blob = chain.entries[i + 1];
3649
3650 X509_Ptr key_cert(parse_cert_blob(key_cert_blob));
3651 X509_Ptr signing_cert(parse_cert_blob(signing_cert_blob));
3652 EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
3653 if (!key_cert.get() || !signing_cert.get()) return false;
3654
3655 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
3656 EXPECT_TRUE(!!signing_pubkey.get());
3657 if (!signing_pubkey.get()) return false;
3658
3659 EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
3660 << "Verification of certificate " << i << " failed";
3661 }
3662
3663 return true;
3664 }
3665
3666 // Extract attestation record from cert. Returned object is still part of cert; don't free it
3667 // separately.
get_attestation_record(X509 * certificate,const char * oid_string)3668 static ASN1_OCTET_STRING* get_attestation_record(X509* certificate, const char* oid_string) {
3669 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(oid_string, 1 /* dotted string format */));
3670 EXPECT_TRUE(!!oid.get());
3671 if (!oid.get()) return nullptr;
3672
3673 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
3674 EXPECT_NE(-1, location);
3675 if (location == -1) return nullptr;
3676
3677 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
3678 EXPECT_TRUE(!!attest_rec_ext);
3679 if (!attest_rec_ext) return nullptr;
3680
3681 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
3682 EXPECT_TRUE(!!attest_rec);
3683 return attest_rec;
3684 }
3685
verify_attestation_record(const string & challenge,const string & attestation_app_id,AuthorizationSet expected_sw_enforced,AuthorizationSet expected_tee_enforced,uint32_t expected_keymaster_version,keymaster_security_level_t expected_keymaster_security_level,const keymaster_blob_t & attestation_cert)3686 static bool verify_attestation_record(const string& challenge, const string& attestation_app_id,
3687 AuthorizationSet expected_sw_enforced,
3688 AuthorizationSet expected_tee_enforced,
3689 uint32_t expected_keymaster_version,
3690 keymaster_security_level_t expected_keymaster_security_level,
3691 const keymaster_blob_t& attestation_cert) {
3692
3693 X509_Ptr cert(parse_cert_blob(attestation_cert));
3694 EXPECT_TRUE(!!cert.get());
3695 if (!cert.get()) return false;
3696
3697 const char* oid =
3698 expected_keymaster_version >= (uint32_t)KmVersion::KEYMINT_1 ? kEatTokenOid : kAsn1TokenOid;
3699 uint32_t expected_attestation_version =
3700 expected_keymaster_version >= (uint32_t)KmVersion::KEYMINT_1 ? 5u : 4u;
3701 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get(), oid);
3702 EXPECT_TRUE(!!attest_rec);
3703 if (!attest_rec) return false;
3704
3705 AuthorizationSet att_sw_enforced;
3706 AuthorizationSet att_tee_enforced;
3707 uint32_t att_attestation_version;
3708 uint32_t att_keymaster_version;
3709 keymaster_security_level_t att_attestation_security_level;
3710 keymaster_security_level_t att_keymaster_security_level;
3711 keymaster_blob_t att_challenge = {};
3712 keymaster_blob_t att_unique_id = {};
3713 keymaster_blob_t att_boot_key = {};
3714 keymaster_verified_boot_t att_boot_state;
3715 bool att_dev_locked;
3716 std::vector<int64_t> unexpected_eat_claims;
3717 if (expected_keymaster_version >= (uint32_t)KmVersion::KEYMINT_1) {
3718 EXPECT_EQ(KM_ERROR_OK,
3719 parse_eat_record(attest_rec->data, attest_rec->length, &att_attestation_version,
3720 &att_attestation_security_level, &att_keymaster_version,
3721 &att_keymaster_security_level, &att_challenge, &att_sw_enforced,
3722 &att_tee_enforced, &att_unique_id, &att_boot_key,
3723 &att_boot_state, &att_dev_locked, &unexpected_eat_claims));
3724 } else {
3725 EXPECT_EQ(KM_ERROR_OK, parse_attestation_record(
3726 attest_rec->data, attest_rec->length, &att_attestation_version,
3727 &att_attestation_security_level, &att_keymaster_version,
3728 &att_keymaster_security_level, &att_challenge, &att_sw_enforced,
3729 &att_tee_enforced, &att_unique_id));
3730 }
3731
3732 EXPECT_EQ(std::vector<int64_t>(), unexpected_eat_claims);
3733 EXPECT_EQ(expected_attestation_version, att_attestation_version);
3734 EXPECT_EQ(KM_SECURITY_LEVEL_SOFTWARE, att_attestation_security_level);
3735 EXPECT_EQ(expected_keymaster_version, att_keymaster_version);
3736 EXPECT_EQ(expected_keymaster_security_level, att_keymaster_security_level);
3737
3738 EXPECT_EQ(challenge.length(), att_challenge.data_length);
3739 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data, challenge.length()));
3740
3741 // Add TAG_USER_ID to the relevant attestation list, because user IDs are not included in
3742 // attestations, since they're meaningless off-device.
3743 uint32_t user_id;
3744 if (expected_sw_enforced.GetTagValue(TAG_USER_ID, &user_id))
3745 att_sw_enforced.push_back(TAG_USER_ID, user_id);
3746 if (expected_tee_enforced.GetTagValue(TAG_USER_ID, &user_id))
3747 att_tee_enforced.push_back(TAG_USER_ID, user_id);
3748
3749 // Add TAG_INCLUDE_UNIQUE_ID to the relevant attestation list, because that tag is not included
3750 // in the attestation.
3751 if (expected_sw_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3752 att_sw_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3753 if (expected_tee_enforced.GetTagValue(TAG_INCLUDE_UNIQUE_ID))
3754 att_tee_enforced.push_back(TAG_INCLUDE_UNIQUE_ID);
3755
3756 // Add TAG_ATTESTATION_APPLICATION_ID to the expected sw-enforced list.
3757 expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, attestation_app_id.data(),
3758 attestation_app_id.size());
3759
3760 att_sw_enforced.Sort();
3761 expected_sw_enforced.Sort();
3762 EXPECT_EQ(expected_sw_enforced, att_sw_enforced);
3763
3764 att_tee_enforced.Sort();
3765 expected_tee_enforced.Sort();
3766 EXPECT_EQ(expected_tee_enforced, att_tee_enforced);
3767
3768 delete[] att_challenge.data;
3769 delete[] att_unique_id.data;
3770
3771 return true;
3772 }
3773
TEST_P(AttestationTest,RsaAttestationKeymaster)3774 TEST_P(AttestationTest, RsaAttestationKeymaster) {
3775 // We can't test KeyMint attestation here because these tests are architected to use the
3776 // Keymaster2 API (an old-style C-struct HAL, pre-HIDL), which doesn't have a way to return the
3777 // certificates. For now, we'll have to rely on the KeyMint VTS tests to validate KeyMint
3778 // attestation.
3779 //
3780 // TODO: Refactor this test suite to use the HIDL/AIDL interfaces.
3781 if (GetParam()->is_keymint()) return;
3782 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3783 .RsaSigningKey(256, 3)
3784 .Digest(KM_DIGEST_NONE)
3785 .Padding(KM_PAD_NONE)
3786 .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3787
3788 keymaster_cert_chain_t cert_chain;
3789 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", "attest_app_id", &cert_chain));
3790 ASSERT_EQ(3U, cert_chain.entry_count);
3791 EXPECT_TRUE(verify_chain(cert_chain));
3792
3793 uint32_t expected_keymaster_version;
3794 keymaster_security_level_t expected_keymaster_security_level;
3795 // TODO(swillden): Add a test KM1 that claims to be hardware.
3796 expected_keymaster_version = (uint32_t)GetParam()->km_version();
3797 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3798
3799 EXPECT_TRUE(verify_attestation_record(
3800 "challenge", "attest_app_id", sw_enforced(), hw_enforced(), expected_keymaster_version,
3801 expected_keymaster_security_level, cert_chain.entries[0]));
3802
3803 keymaster_free_cert_chain(&cert_chain);
3804 }
3805
TEST_P(AttestationTest,EcAttestation)3806 TEST_P(AttestationTest, EcAttestation) {
3807 // We can't test KeyMint attestation here because these tests are architected to use the
3808 // Keymaster2 API (an old-style C-struct HAL, pre-HIDL), which doesn't have a way to return the
3809 // certificates. For now, we'll have to rely on the KeyMint VTS tests to validate KeyMint
3810 // attestation.
3811 //
3812 // TODO: Refactor this test suite to use the HIDL/AIDL interfaces.
3813 if (GetParam()->is_keymint()) return;
3814 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3815 KM_DIGEST_SHA_2_256)));
3816
3817 uint32_t expected_keymaster_version;
3818 keymaster_security_level_t expected_keymaster_security_level;
3819 // TODO(swillden): Add a test KM1 that claims to be hardware.
3820 expected_keymaster_version = (uint32_t)GetParam()->km_version();
3821 expected_keymaster_security_level = KM_SECURITY_LEVEL_SOFTWARE;
3822
3823 keymaster_cert_chain_t cert_chain;
3824 EXPECT_EQ(KM_ERROR_OK, AttestKey("challenge", "attest_app_id", &cert_chain));
3825 ASSERT_EQ(3U, cert_chain.entry_count);
3826 EXPECT_TRUE(verify_chain(cert_chain));
3827 EXPECT_TRUE(verify_attestation_record(
3828 "challenge", "attest_app_id", sw_enforced(), hw_enforced(), expected_keymaster_version,
3829 expected_keymaster_security_level, cert_chain.entries[0]));
3830
3831 keymaster_free_cert_chain(&cert_chain);
3832 }
3833
3834 typedef Keymaster2Test KeyUpgradeTest;
3835 INSTANTIATE_TEST_CASE_P(AndroidKeymasterTest, KeyUpgradeTest, test_params);
3836
TEST_P(KeyUpgradeTest,AesVersionUpgrade)3837 TEST_P(KeyUpgradeTest, AesVersionUpgrade) {
3838 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3839
3840 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder()
3841 .AesEncryptionKey(128)
3842 .Authorization(TAG_BLOCK_MODE, KM_MODE_ECB)
3843 .Padding(KM_PAD_NONE)));
3844
3845 // Key should operate fine.
3846 string message = "1234567890123456";
3847 string ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3848 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3849
3850 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3851 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3852 AuthorizationSet begin_params(client_params());
3853 begin_params.push_back(TAG_BLOCK_MODE, KM_MODE_ECB);
3854 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3855 if (GetParam()->is_keymaster1_hw()) {
3856 // Keymaster1 hardware can't support version binding. The key will work regardless
3857 // of system version. Just abort the remainder of the test.
3858 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3859 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3860 return;
3861 }
3862 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3863
3864 // Getting characteristics should also fail
3865 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3866
3867 // Upgrade key.
3868 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3869
3870 // Key should work again
3871 ciphertext = EncryptMessage(message, KM_MODE_ECB, KM_PAD_NONE);
3872 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_MODE_ECB, KM_PAD_NONE));
3873
3874 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3875 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3876 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3877 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3878
3879 // Upgrade should fail
3880 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3881 }
3882
TEST_P(KeyUpgradeTest,RsaVersionUpgrade)3883 TEST_P(KeyUpgradeTest, RsaVersionUpgrade) {
3884 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3885
3886 ASSERT_EQ(KM_ERROR_OK,
3887 GenerateKey(AuthorizationSetBuilder().RsaEncryptionKey(256, 3).Padding(KM_PAD_NONE)));
3888
3889 // Key should operate fine.
3890 string message = "12345678901234567890123456789012";
3891 string ciphertext = EncryptMessage(message, KM_PAD_NONE);
3892 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3893
3894 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3895 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3896 AuthorizationSet begin_params(client_params());
3897 begin_params.push_back(TAG_PADDING, KM_PAD_NONE);
3898 if (GetParam()->is_keymaster1_hw()) {
3899 // Keymaster1 hardware can't support version binding. The key will work regardless
3900 // of system version. Just abort the remainder of the test.
3901 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3902 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3903 return;
3904 }
3905 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3906
3907 // Getting characteristics should also fail
3908 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3909
3910 // Upgrade key.
3911 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3912
3913 // Key should work again
3914 ciphertext = EncryptMessage(message, KM_PAD_NONE);
3915 EXPECT_EQ(message, DecryptMessage(ciphertext, KM_PAD_NONE));
3916
3917 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3918 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3919 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3920 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3921
3922 // Upgrade should fail
3923 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3924 }
3925
TEST_P(KeyUpgradeTest,EcVersionUpgrade)3926 TEST_P(KeyUpgradeTest, EcVersionUpgrade) {
3927 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3928
3929 ASSERT_EQ(KM_ERROR_OK, GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(256).Digest(
3930 KM_DIGEST_SHA_2_256)));
3931
3932 // Key should operate fine.
3933 string message = "1234567890123456";
3934 string signature;
3935 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3936 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3937
3938 // Increase patch level. Key usage should fail with KM_ERROR_KEY_REQUIRES_UPGRADE.
3939 GetParam()->keymaster_context()->SetSystemVersion(1, 2);
3940 AuthorizationSet begin_params(client_params());
3941 begin_params.push_back(TAG_DIGEST, KM_DIGEST_SHA_2_256);
3942 if (GetParam()->is_keymaster1_hw()) {
3943 // Keymaster1 hardware can't support version binding. The key will work regardless
3944 // of system version. Just abort the remainder of the test.
3945 EXPECT_EQ(KM_ERROR_OK, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3946 EXPECT_EQ(KM_ERROR_OK, AbortOperation());
3947 return;
3948 }
3949 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, BeginOperation(KM_PURPOSE_SIGN, begin_params));
3950
3951 // Getting characteristics should also fail
3952 EXPECT_EQ(KM_ERROR_KEY_REQUIRES_UPGRADE, GetCharacteristics());
3953
3954 // Upgrade key.
3955 EXPECT_EQ(KM_ERROR_OK, UpgradeKey(client_params()));
3956
3957 // Key should work again
3958 SignMessage(message, &signature, KM_DIGEST_SHA_2_256);
3959 VerifyMessage(message, signature, KM_DIGEST_SHA_2_256);
3960
3961 // Decrease patch level. Key usage should fail with KM_ERROR_INVALID_KEY_BLOB.
3962 GetParam()->keymaster_context()->SetSystemVersion(1, 1);
3963 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, BeginOperation(KM_PURPOSE_ENCRYPT, begin_params));
3964 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, GetCharacteristics());
3965
3966 // Upgrade should fail
3967 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, UpgradeKey(client_params()));
3968 }
3969
TEST(SoftKeymasterWrapperTest,CheckKeymaster2Device)3970 TEST(SoftKeymasterWrapperTest, CheckKeymaster2Device) {
3971 // Make a good fake device, and wrap it.
3972 SoftKeymasterDevice* good_fake(
3973 new SoftKeymasterDevice(new TestKeymasterContext(KmVersion::KEYMASTER_4_1)));
3974
3975 // Wrap it and check it.
3976 SoftKeymasterDevice* good_fake_wrapper(
3977 new SoftKeymasterDevice(new TestKeymasterContext(KmVersion::KEYMASTER_4_1)));
3978 good_fake_wrapper->SetHardwareDevice(good_fake->keymaster_device());
3979 EXPECT_TRUE(good_fake_wrapper->Keymaster1DeviceIsGood());
3980
3981 // Close and clean up wrapper and wrapped
3982 good_fake_wrapper->keymaster_device()->common.close(good_fake_wrapper->hw_device());
3983
3984 // Make a "bad" (doesn't support all digests) device;
3985 keymaster1_device_t* sha256_only_fake = make_device_sha256_only(
3986 (new SoftKeymasterDevice(new TestKeymasterContext(KmVersion::KEYMASTER_4_1, "256")))
3987 ->keymaster_device());
3988
3989 // Wrap it and check it.
3990 SoftKeymasterDevice* sha256_only_fake_wrapper(
3991 (new SoftKeymasterDevice(new TestKeymasterContext(KmVersion::KEYMASTER_4_1))));
3992 sha256_only_fake_wrapper->SetHardwareDevice(sha256_only_fake);
3993 EXPECT_FALSE(sha256_only_fake_wrapper->Keymaster1DeviceIsGood());
3994
3995 // Close and clean up wrapper and wrapped
3996 sha256_only_fake_wrapper->keymaster_device()->common.close(
3997 sha256_only_fake_wrapper->hw_device());
3998 }
3999
4000 class HmacKeySharingTest : public ::testing::Test {
4001 protected:
4002 using KeymasterVec = std::vector<std::unique_ptr<AndroidKeymaster>>;
4003 using ParamsVec = std::vector<HmacSharingParameters>;
4004 using ByteString = std::basic_string<uint8_t>;
4005 using NonceVec = std::vector<ByteString>;
4006 using ResponseVec = std::vector<ComputeSharedHmacResponse>;
4007
CreateKeymasters(size_t count)4008 KeymasterVec CreateKeymasters(size_t count) {
4009 KeymasterVec keymasters;
4010 for (size_t i = 0; i < count; ++i) {
4011 keymasters.push_back(make_unique<AndroidKeymaster>(new TestKeymasterContext, 16));
4012 }
4013 return keymasters;
4014 }
4015
GetHmacSharingParameters(const KeymasterVec & keymasters)4016 ParamsVec GetHmacSharingParameters(const KeymasterVec& keymasters) {
4017 ParamsVec paramsVec;
4018 for (auto& keymaster : keymasters) {
4019 auto result = keymaster->GetHmacSharingParameters();
4020 EXPECT_EQ(KM_ERROR_OK, result.error);
4021 if (result.error == KM_ERROR_OK) paramsVec.push_back(move(result.params));
4022 }
4023 return paramsVec;
4024 }
4025
ToByteString(const uint8_t (& a)[N])4026 template <size_t N> ByteString ToByteString(const uint8_t (&a)[N]) { return ByteString(a, N); }
4027
ToByteString(const keymaster_blob_t & b)4028 ByteString ToByteString(const keymaster_blob_t& b) { return ByteString(b.data, b.data_length); }
4029
CopyNonces(const ParamsVec & paramsVec)4030 NonceVec CopyNonces(const ParamsVec& paramsVec) {
4031 NonceVec nonces;
4032 for (auto& param : paramsVec) {
4033 nonces.push_back(ToByteString(param.nonce));
4034 }
4035 return nonces;
4036 }
4037
ComputeSharedHmac(const KeymasterVec & keymasters,const ParamsVec & paramsVec)4038 ResponseVec ComputeSharedHmac(const KeymasterVec& keymasters, const ParamsVec& paramsVec) {
4039 ComputeSharedHmacRequest req(kMaxMessageVersion);
4040 req.params_array.params_array = const_cast<HmacSharingParameters*>(paramsVec.data());
4041 auto prevent_deletion_of_paramsVec_data =
4042 finally([&]() { req.params_array.params_array = nullptr; });
4043 req.params_array.num_params = paramsVec.size();
4044
4045 ResponseVec responses;
4046 for (auto& keymaster : keymasters) {
4047 responses.push_back(keymaster->ComputeSharedHmac(req));
4048 }
4049
4050 return responses;
4051 }
4052
VerifyResponses(const ByteString & expected,const ResponseVec & responses)4053 bool VerifyResponses(const ByteString& expected, const ResponseVec& responses) {
4054 for (auto& response : responses) {
4055 EXPECT_EQ(KM_ERROR_OK, response.error);
4056 auto this_sharing_check = ToByteString(response.sharing_check);
4057 EXPECT_EQ(expected, this_sharing_check) << "Sharing check values should match.";
4058 if (response.error != KM_ERROR_OK || expected != this_sharing_check) {
4059 return false;
4060 }
4061 }
4062 return true;
4063 }
4064 };
4065
TEST_F(HmacKeySharingTest,GetParametersIdempotency)4066 TEST_F(HmacKeySharingTest, GetParametersIdempotency) {
4067 AndroidKeymaster keymaster(new TestKeymasterContext, 16);
4068
4069 ParamsVec paramsVec;
4070
4071 auto result1 = keymaster.GetHmacSharingParameters();
4072 EXPECT_EQ(KM_ERROR_OK, result1.error);
4073 paramsVec.push_back(std::move(result1.params));
4074
4075 auto result2 = keymaster.GetHmacSharingParameters();
4076 EXPECT_EQ(KM_ERROR_OK, result2.error);
4077 paramsVec.push_back(std::move(result2.params));
4078
4079 ASSERT_EQ(ToByteString(paramsVec[0].seed), ToByteString(paramsVec[1].seed))
4080 << "A given keymaster should always return the same seed.";
4081 EXPECT_EQ(ToByteString(paramsVec[0].nonce), ToByteString(paramsVec[1].nonce))
4082 << "A given keymaster should always return the same nonce until restart.";
4083 }
4084
TEST_F(HmacKeySharingTest,ComputeSharedHmac)4085 TEST_F(HmacKeySharingTest, ComputeSharedHmac) {
4086 // ComputeSharedHmac should work with any number of participants; we just test 1 through 4.
4087 for (size_t keymaster_count = 1; keymaster_count <= 4; ++keymaster_count) {
4088 SCOPED_TRACE(testing::Message() << keymaster_count << " keymaster instances");
4089
4090 auto keymasters = CreateKeymasters(keymaster_count);
4091 auto params = GetHmacSharingParameters(keymasters);
4092 ASSERT_EQ(keymaster_count, params.size())
4093 << "One or more keymasters failed to provide parameters.";
4094
4095 auto nonces = CopyNonces(params);
4096 EXPECT_EQ(keymaster_count, nonces.size()) << "We should have a nonce per keymaster.";
4097 std::sort(nonces.begin(), nonces.end());
4098 std::unique(nonces.begin(), nonces.end());
4099 EXPECT_EQ(keymaster_count, nonces.size()) << "Nonces should all be unique.";
4100
4101 auto responses = ComputeSharedHmac(keymasters, params);
4102 ASSERT_EQ(keymaster_count, responses.size());
4103
4104 ASSERT_TRUE(VerifyResponses(ToByteString(responses[0].sharing_check), responses));
4105 }
4106 }
4107
TEST_F(HmacKeySharingTest,ComputeSharedHmacTwice)4108 TEST_F(HmacKeySharingTest, ComputeSharedHmacTwice) {
4109 for (size_t keymaster_count = 1; keymaster_count <= 4; ++keymaster_count) {
4110 SCOPED_TRACE(testing::Message() << keymaster_count << " keymaster instances");
4111
4112 auto keymasters = CreateKeymasters(keymaster_count);
4113 auto params = GetHmacSharingParameters(keymasters);
4114 ASSERT_EQ(keymaster_count, params.size())
4115 << "One or more keymasters failed to provide parameters.";
4116
4117 auto responses = ComputeSharedHmac(keymasters, params);
4118 ASSERT_EQ(keymaster_count, responses.size());
4119
4120 ByteString sharing_check_value = ToByteString(responses[0].sharing_check);
4121 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses));
4122
4123 params = GetHmacSharingParameters(keymasters);
4124 ASSERT_EQ(keymaster_count, params.size())
4125 << "One or more keymasters failed to provide parameters.";
4126 responses = ComputeSharedHmac(keymasters, params);
4127
4128 // Verify against first check value; we should get the same one every time, because each
4129 // keymaster instance returns the same seed every time, and the same nonce until restart.
4130 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses));
4131 }
4132 }
4133
TEST_F(HmacKeySharingTest,ComputeSharedHmacCorruptNonce)4134 TEST_F(HmacKeySharingTest, ComputeSharedHmacCorruptNonce) {
4135 constexpr size_t keymaster_count = 4;
4136 auto keymasters = CreateKeymasters(keymaster_count);
4137
4138 auto params = GetHmacSharingParameters(keymasters);
4139 ASSERT_EQ(keymaster_count, params.size())
4140 << "One or more keymasters failed to provide parameters.";
4141
4142 // All should be well in the normal case
4143 auto responses = ComputeSharedHmac(keymasters, params);
4144 ASSERT_EQ(keymaster_count, responses.size());
4145 ByteString sharing_check_value = ToByteString(responses[0].sharing_check);
4146 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses));
4147
4148 // Pick a random param, a random byte within the param's nonce, and a random bit within
4149 // the byte. Flip that bit.
4150 size_t param_to_tweak = rand() % params.size();
4151 uint8_t byte_to_tweak = rand() % sizeof(params[param_to_tweak].nonce);
4152 uint8_t bit_to_tweak = rand() % 8;
4153 params[param_to_tweak].nonce[byte_to_tweak] ^= (1 << bit_to_tweak);
4154
4155 responses = ComputeSharedHmac(keymasters, params);
4156 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, responses[param_to_tweak].error)
4157 << "Keymaster that provided tweaked response should fail to compute HMAC key";
4158 for (size_t i = 0; i < responses.size(); ++i) {
4159 if (i != param_to_tweak) {
4160 EXPECT_EQ(KM_ERROR_OK, responses[i].error) << "Others should succeed";
4161 EXPECT_NE(sharing_check_value, ToByteString(responses[i].sharing_check))
4162 << "Others should calculate a different HMAC key, due to the tweaked nonce.";
4163 }
4164 }
4165 }
4166
TEST_F(HmacKeySharingTest,ComputeSharedHmacCorruptSeed)4167 TEST_F(HmacKeySharingTest, ComputeSharedHmacCorruptSeed) {
4168 constexpr size_t keymaster_count = 4;
4169 auto keymasters = CreateKeymasters(keymaster_count);
4170
4171 auto params = GetHmacSharingParameters(keymasters);
4172 ASSERT_EQ(keymaster_count, params.size())
4173 << "One or more keymasters failed to provide parameters.";
4174
4175 // All should be well in the normal case
4176 auto responses = ComputeSharedHmac(keymasters, params);
4177 ASSERT_EQ(keymaster_count, responses.size());
4178 ByteString sharing_check_value = ToByteString(responses[0].sharing_check);
4179 ASSERT_TRUE(VerifyResponses(sharing_check_value, responses));
4180
4181 // Pick a random param and modify the seed.
4182 auto param_to_tweak = rand() % params.size();
4183 constexpr uint8_t wrong_seed_value[] = {0xF, 0x0, 0x0};
4184 params[param_to_tweak].SetSeed({wrong_seed_value, sizeof(wrong_seed_value)});
4185 auto prevent_deletion_of_wrong_seed =
4186 finally([&]() { params[param_to_tweak].seed.data = nullptr; });
4187
4188 responses = ComputeSharedHmac(keymasters, params);
4189 EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT, responses[param_to_tweak].error)
4190 << "Keymaster that provided tweaked response should fail to compute HMAC key";
4191 for (size_t i = 0; i < responses.size(); ++i) {
4192 if (i != param_to_tweak) {
4193 EXPECT_EQ(KM_ERROR_OK, responses[i].error) << "Others should succeed";
4194 EXPECT_NE(sharing_check_value, ToByteString(responses[i].sharing_check))
4195 << "Others should calculate a different HMAC key, due to the tweaked seed.";
4196 }
4197 }
4198 }
4199
4200 } // namespace test
4201 } // namespace keymaster
4202