1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "KeyMintAidlTestBase.h"
18
19 #include <chrono>
20 #include <fstream>
21 #include <unordered_set>
22 #include <vector>
23
24 #include <android-base/logging.h>
25 #include <android/binder_manager.h>
26 #include <android/content/pm/IPackageManagerNative.h>
27 #include <cppbor_parse.h>
28 #include <cutils/properties.h>
29 #include <gmock/gmock.h>
30 #include <openssl/evp.h>
31 #include <openssl/mem.h>
32 #include <remote_prov/remote_prov_utils.h>
33
34 #include <keymaster/cppcose/cppcose.h>
35 #include <keymint_support/key_param_output.h>
36 #include <keymint_support/keymint_utils.h>
37 #include <keymint_support/openssl_utils.h>
38
39 namespace aidl::android::hardware::security::keymint {
40
41 using namespace cppcose;
42 using namespace std::literals::chrono_literals;
43 using std::endl;
44 using std::optional;
45 using std::unique_ptr;
46 using ::testing::AssertionFailure;
47 using ::testing::AssertionResult;
48 using ::testing::AssertionSuccess;
49 using ::testing::ElementsAreArray;
50 using ::testing::MatchesRegex;
51 using ::testing::Not;
52
operator <<(::std::ostream & os,const AuthorizationSet & set)53 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
54 if (set.size() == 0)
55 os << "(Empty)" << ::std::endl;
56 else {
57 os << "\n";
58 for (auto& entry : set) os << entry << ::std::endl;
59 }
60 return os;
61 }
62
63 namespace test {
64
65 namespace {
66
67 // Invalid value for a patchlevel (which is of form YYYYMMDD).
68 const uint32_t kInvalidPatchlevel = 99998877;
69
70 // Overhead for PKCS#1 v1.5 signature padding of undigested messages. Digested messages have
71 // additional overhead, for the digest algorithmIdentifier required by PKCS#1.
72 const size_t kPkcs1UndigestedSignaturePaddingOverhead = 11;
73
74 typedef KeyMintAidlTestBase::KeyData KeyData;
75 // Predicate for testing basic characteristics validity in generation or import.
KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,const vector<KeyCharacteristics> & key_characteristics)76 bool KeyCharacteristicsBasicallyValid(SecurityLevel secLevel,
77 const vector<KeyCharacteristics>& key_characteristics) {
78 if (key_characteristics.empty()) return false;
79
80 std::unordered_set<SecurityLevel> levels_seen;
81 for (auto& entry : key_characteristics) {
82 if (entry.authorizations.empty()) {
83 GTEST_LOG_(ERROR) << "empty authorizations for " << entry.securityLevel;
84 return false;
85 }
86
87 // Just ignore the SecurityLevel::KEYSTORE as the KM won't do any enforcement on this.
88 if (entry.securityLevel == SecurityLevel::KEYSTORE) continue;
89
90 if (levels_seen.find(entry.securityLevel) != levels_seen.end()) {
91 GTEST_LOG_(ERROR) << "duplicate authorizations for " << entry.securityLevel;
92 return false;
93 }
94 levels_seen.insert(entry.securityLevel);
95
96 // Generally, we should only have one entry, at the same security level as the KM
97 // instance. There is an exception: StrongBox KM can have some authorizations that are
98 // enforced by the TEE.
99 bool isExpectedSecurityLevel = secLevel == entry.securityLevel ||
100 (secLevel == SecurityLevel::STRONGBOX &&
101 entry.securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT);
102
103 if (!isExpectedSecurityLevel) {
104 GTEST_LOG_(ERROR) << "Unexpected security level " << entry.securityLevel;
105 return false;
106 }
107 }
108 return true;
109 }
110
check_crl_distribution_points_extension_not_present(X509 * certificate)111 void check_crl_distribution_points_extension_not_present(X509* certificate) {
112 ASN1_OBJECT_Ptr crl_dp_oid(OBJ_txt2obj(kCrlDPOid, 1 /* dotted string format */));
113 ASSERT_TRUE(crl_dp_oid.get());
114
115 int location =
116 X509_get_ext_by_OBJ(certificate, crl_dp_oid.get(), -1 /* search from beginning */);
117 ASSERT_EQ(location, -1);
118 }
119
check_attestation_version(uint32_t attestation_version,int32_t aidl_version)120 void check_attestation_version(uint32_t attestation_version, int32_t aidl_version) {
121 // Version numbers in attestation extensions should be a multiple of 100.
122 EXPECT_EQ(attestation_version % 100, 0);
123
124 // The multiplier should never be higher than the AIDL version, but can be less
125 // (for example, if the implementation is from an earlier version but the HAL service
126 // uses the default libraries and so reports the current AIDL version).
127 EXPECT_TRUE((attestation_version / 100) <= aidl_version);
128 }
129
avb_verification_enabled()130 bool avb_verification_enabled() {
131 char value[PROPERTY_VALUE_MAX];
132 return property_get("ro.boot.vbmeta.device_state", value, "") != 0;
133 }
134
135 char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
136 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
137
138 // Attestations don't contain everything in key authorization lists, so we need to filter the key
139 // lists to produce the lists that we expect to match the attestations.
140 auto kTagsToFilter = {
141 Tag::CREATION_DATETIME,
142 Tag::HARDWARE_TYPE,
143 Tag::INCLUDE_UNIQUE_ID,
144 };
145
filtered_tags(const AuthorizationSet & set)146 AuthorizationSet filtered_tags(const AuthorizationSet& set) {
147 AuthorizationSet filtered;
148 std::remove_copy_if(
149 set.begin(), set.end(), std::back_inserter(filtered), [](const auto& entry) -> bool {
150 return std::find(kTagsToFilter.begin(), kTagsToFilter.end(), entry.tag) !=
151 kTagsToFilter.end();
152 });
153 return filtered;
154 }
155
156 // Remove any SecurityLevel::KEYSTORE entries from a list of key characteristics.
strip_keystore_tags(vector<KeyCharacteristics> * characteristics)157 void strip_keystore_tags(vector<KeyCharacteristics>* characteristics) {
158 characteristics->erase(std::remove_if(characteristics->begin(), characteristics->end(),
159 [](const auto& entry) {
160 return entry.securityLevel == SecurityLevel::KEYSTORE;
161 }),
162 characteristics->end());
163 }
164
x509NameToStr(X509_NAME * name)165 string x509NameToStr(X509_NAME* name) {
166 char* s = X509_NAME_oneline(name, nullptr, 0);
167 string retval(s);
168 OPENSSL_free(s);
169 return retval;
170 }
171
172 } // namespace
173
174 bool KeyMintAidlTestBase::arm_deleteAllKeys = false;
175 bool KeyMintAidlTestBase::dump_Attestations = false;
176 std::string KeyMintAidlTestBase::keyblob_dir;
177
boot_patch_level(const vector<KeyCharacteristics> & key_characteristics)178 uint32_t KeyMintAidlTestBase::boot_patch_level(
179 const vector<KeyCharacteristics>& key_characteristics) {
180 // The boot patchlevel is not available as a property, but should be present
181 // in the key characteristics of any created key.
182 AuthorizationSet allAuths;
183 for (auto& entry : key_characteristics) {
184 allAuths.push_back(AuthorizationSet(entry.authorizations));
185 }
186 auto patchlevel = allAuths.GetTagValue(TAG_BOOT_PATCHLEVEL);
187 if (patchlevel.has_value()) {
188 return patchlevel.value();
189 } else {
190 // No boot patchlevel is available. Return a value that won't match anything
191 // and so will trigger test failures.
192 return kInvalidPatchlevel;
193 }
194 }
195
boot_patch_level()196 uint32_t KeyMintAidlTestBase::boot_patch_level() {
197 return boot_patch_level(key_characteristics_);
198 }
199
200 /**
201 * An API to determine device IDs attestation is required or not,
202 * which is mandatory for KeyMint version 2 or first_api_level 33 or greater.
203 */
isDeviceIdAttestationRequired()204 bool KeyMintAidlTestBase::isDeviceIdAttestationRequired() {
205 return AidlVersion() >= 2 || property_get_int32("ro.vendor.api_level", 0) >= __ANDROID_API_T__;
206 }
207
208 /**
209 * An API to determine second IMEI ID attestation is required or not,
210 * which is supported for KeyMint version 3 or first_api_level greater than 33.
211 */
isSecondImeiIdAttestationRequired()212 bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() {
213 return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
214 }
215
Curve25519Supported()216 bool KeyMintAidlTestBase::Curve25519Supported() {
217 // Strongbox never supports curve 25519.
218 if (SecLevel() == SecurityLevel::STRONGBOX) {
219 return false;
220 }
221
222 // Curve 25519 was included in version 2 of the KeyMint interface.
223 int32_t version = 0;
224 auto status = keymint_->getInterfaceVersion(&version);
225 if (!status.isOk()) {
226 ADD_FAILURE() << "Failed to determine interface version";
227 }
228 return version >= 2;
229 }
230
GetReturnErrorCode(const Status & result)231 ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) {
232 if (result.isOk()) return ErrorCode::OK;
233
234 if (result.getExceptionCode() == EX_SERVICE_SPECIFIC) {
235 return static_cast<ErrorCode>(result.getServiceSpecificError());
236 }
237
238 return ErrorCode::UNKNOWN_ERROR;
239 }
240
InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyMint)241 void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyMint) {
242 ASSERT_NE(keyMint, nullptr);
243 keymint_ = std::move(keyMint);
244
245 KeyMintHardwareInfo info;
246 ASSERT_TRUE(keymint_->getHardwareInfo(&info).isOk());
247
248 securityLevel_ = info.securityLevel;
249 name_.assign(info.keyMintName.begin(), info.keyMintName.end());
250 author_.assign(info.keyMintAuthorName.begin(), info.keyMintAuthorName.end());
251 timestamp_token_required_ = info.timestampTokenRequired;
252
253 os_version_ = getOsVersion();
254 os_patch_level_ = getOsPatchlevel();
255 vendor_patch_level_ = getVendorPatchlevel();
256 }
257
AidlVersion()258 int32_t KeyMintAidlTestBase::AidlVersion() {
259 int32_t version = 0;
260 auto status = keymint_->getInterfaceVersion(&version);
261 if (!status.isOk()) {
262 ADD_FAILURE() << "Failed to determine interface version";
263 }
264 return version;
265 }
266
SetUp()267 void KeyMintAidlTestBase::SetUp() {
268 if (AServiceManager_isDeclared(GetParam().c_str())) {
269 ::ndk::SpAIBinder binder(AServiceManager_waitForService(GetParam().c_str()));
270 InitializeKeyMint(IKeyMintDevice::fromBinder(binder));
271 } else {
272 InitializeKeyMint(nullptr);
273 }
274 }
275
GenerateKey(const AuthorizationSet & key_desc,const optional<AttestationKey> & attest_key,vector<uint8_t> * key_blob,vector<KeyCharacteristics> * key_characteristics,vector<Certificate> * cert_chain)276 ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
277 const optional<AttestationKey>& attest_key,
278 vector<uint8_t>* key_blob,
279 vector<KeyCharacteristics>* key_characteristics,
280 vector<Certificate>* cert_chain) {
281 EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug";
282 EXPECT_NE(key_characteristics, nullptr)
283 << "Previous characteristics not deleted before generating key. Test bug.";
284
285 KeyCreationResult creationResult;
286 Status result = keymint_->generateKey(key_desc.vector_data(), attest_key, &creationResult);
287 if (result.isOk()) {
288 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
289 creationResult.keyCharacteristics);
290 EXPECT_GT(creationResult.keyBlob.size(), 0);
291 *key_blob = std::move(creationResult.keyBlob);
292 *key_characteristics = std::move(creationResult.keyCharacteristics);
293 *cert_chain = std::move(creationResult.certificateChain);
294
295 auto algorithm = key_desc.GetTagValue(TAG_ALGORITHM);
296 EXPECT_TRUE(algorithm);
297 if (algorithm &&
298 (algorithm.value() == Algorithm::RSA || algorithm.value() == Algorithm::EC)) {
299 EXPECT_GE(cert_chain->size(), 1);
300 if (key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
301 if (attest_key) {
302 EXPECT_EQ(cert_chain->size(), 1);
303 } else {
304 EXPECT_GT(cert_chain->size(), 1);
305 }
306 }
307 } else {
308 // For symmetric keys there should be no certificates.
309 EXPECT_EQ(cert_chain->size(), 0);
310 }
311 }
312
313 return GetReturnErrorCode(result);
314 }
315
GenerateKey(const AuthorizationSet & key_desc,const optional<AttestationKey> & attest_key)316 ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
317 const optional<AttestationKey>& attest_key) {
318 return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
319 }
320
GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet & attest_key_desc,const AuthorizationSet & key_desc,vector<uint8_t> * key_blob,vector<KeyCharacteristics> * key_characteristics,vector<Certificate> * cert_chain)321 ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
322 const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
323 vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
324 vector<Certificate>* cert_chain) {
325 skipAttestKeyTest();
326 AttestationKey attest_key;
327 vector<Certificate> attest_cert_chain;
328 vector<KeyCharacteristics> attest_key_characteristics;
329 // Generate a key with self signed attestation.
330 auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
331 &attest_key_characteristics, &attest_cert_chain);
332 if (error != ErrorCode::OK) {
333 return error;
334 }
335
336 attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
337 // Generate a key, by passing the above self signed attestation key as attest key.
338 error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
339 if (error == ErrorCode::OK) {
340 // Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
341 cert_chain->push_back(attest_cert_chain[0]);
342 }
343 return error;
344 }
345
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material,vector<uint8_t> * key_blob,vector<KeyCharacteristics> * key_characteristics)346 ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
347 const string& key_material, vector<uint8_t>* key_blob,
348 vector<KeyCharacteristics>* key_characteristics) {
349 Status result;
350
351 cert_chain_.clear();
352 key_characteristics->clear();
353 key_blob->clear();
354
355 KeyCreationResult creationResult;
356 result = keymint_->importKey(key_desc.vector_data(), format,
357 vector<uint8_t>(key_material.begin(), key_material.end()),
358 {} /* attestationSigningKeyBlob */, &creationResult);
359
360 if (result.isOk()) {
361 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
362 creationResult.keyCharacteristics);
363 EXPECT_GT(creationResult.keyBlob.size(), 0);
364
365 *key_blob = std::move(creationResult.keyBlob);
366 *key_characteristics = std::move(creationResult.keyCharacteristics);
367 cert_chain_ = std::move(creationResult.certificateChain);
368
369 auto algorithm = key_desc.GetTagValue(TAG_ALGORITHM);
370 EXPECT_TRUE(algorithm);
371 if (algorithm &&
372 (algorithm.value() == Algorithm::RSA || algorithm.value() == Algorithm::EC)) {
373 EXPECT_GE(cert_chain_.size(), 1);
374 if (key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) EXPECT_GT(cert_chain_.size(), 1);
375 } else {
376 // For symmetric keys there should be no certificates.
377 EXPECT_EQ(cert_chain_.size(), 0);
378 }
379 }
380
381 return GetReturnErrorCode(result);
382 }
383
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material)384 ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
385 const string& key_material) {
386 return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
387 }
388
ImportWrappedKey(string wrapped_key,string wrapping_key,const AuthorizationSet & wrapping_key_desc,string masking_key,const AuthorizationSet & unwrapping_params,int64_t password_sid,int64_t biometric_sid)389 ErrorCode KeyMintAidlTestBase::ImportWrappedKey(string wrapped_key, string wrapping_key,
390 const AuthorizationSet& wrapping_key_desc,
391 string masking_key,
392 const AuthorizationSet& unwrapping_params,
393 int64_t password_sid, int64_t biometric_sid) {
394 EXPECT_EQ(ErrorCode::OK, ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key));
395
396 key_characteristics_.clear();
397
398 KeyCreationResult creationResult;
399 Status result = keymint_->importWrappedKey(
400 vector<uint8_t>(wrapped_key.begin(), wrapped_key.end()), key_blob_,
401 vector<uint8_t>(masking_key.begin(), masking_key.end()),
402 unwrapping_params.vector_data(), password_sid, biometric_sid, &creationResult);
403
404 if (result.isOk()) {
405 EXPECT_PRED2(KeyCharacteristicsBasicallyValid, SecLevel(),
406 creationResult.keyCharacteristics);
407 EXPECT_GT(creationResult.keyBlob.size(), 0);
408
409 key_blob_ = std::move(creationResult.keyBlob);
410 key_characteristics_ = std::move(creationResult.keyCharacteristics);
411 cert_chain_ = std::move(creationResult.certificateChain);
412
413 AuthorizationSet allAuths;
414 for (auto& entry : key_characteristics_) {
415 allAuths.push_back(AuthorizationSet(entry.authorizations));
416 }
417 auto algorithm = allAuths.GetTagValue(TAG_ALGORITHM);
418 EXPECT_TRUE(algorithm);
419 if (algorithm &&
420 (algorithm.value() == Algorithm::RSA || algorithm.value() == Algorithm::EC)) {
421 EXPECT_GE(cert_chain_.size(), 1);
422 } else {
423 // For symmetric keys there should be no certificates.
424 EXPECT_EQ(cert_chain_.size(), 0);
425 }
426 }
427
428 return GetReturnErrorCode(result);
429 }
430
GetCharacteristics(const vector<uint8_t> & key_blob,const vector<uint8_t> & app_id,const vector<uint8_t> & app_data,vector<KeyCharacteristics> * key_characteristics)431 ErrorCode KeyMintAidlTestBase::GetCharacteristics(const vector<uint8_t>& key_blob,
432 const vector<uint8_t>& app_id,
433 const vector<uint8_t>& app_data,
434 vector<KeyCharacteristics>* key_characteristics) {
435 Status result =
436 keymint_->getKeyCharacteristics(key_blob, app_id, app_data, key_characteristics);
437 return GetReturnErrorCode(result);
438 }
439
GetCharacteristics(const vector<uint8_t> & key_blob,vector<KeyCharacteristics> * key_characteristics)440 ErrorCode KeyMintAidlTestBase::GetCharacteristics(const vector<uint8_t>& key_blob,
441 vector<KeyCharacteristics>* key_characteristics) {
442 vector<uint8_t> empty_app_id, empty_app_data;
443 return GetCharacteristics(key_blob, empty_app_id, empty_app_data, key_characteristics);
444 }
445
CheckCharacteristics(const vector<uint8_t> & key_blob,const vector<KeyCharacteristics> & generate_characteristics)446 void KeyMintAidlTestBase::CheckCharacteristics(
447 const vector<uint8_t>& key_blob,
448 const vector<KeyCharacteristics>& generate_characteristics) {
449 // Any key characteristics that were in SecurityLevel::KEYSTORE when returned from
450 // generateKey() should be excluded, as KeyMint will have no record of them.
451 // This applies to CREATION_DATETIME in particular.
452 vector<KeyCharacteristics> expected_characteristics(generate_characteristics);
453 strip_keystore_tags(&expected_characteristics);
454
455 vector<KeyCharacteristics> retrieved;
456 ASSERT_EQ(ErrorCode::OK, GetCharacteristics(key_blob, &retrieved));
457 EXPECT_EQ(expected_characteristics, retrieved);
458 }
459
CheckAppIdCharacteristics(const vector<uint8_t> & key_blob,std::string_view app_id_string,std::string_view app_data_string,const vector<KeyCharacteristics> & generate_characteristics)460 void KeyMintAidlTestBase::CheckAppIdCharacteristics(
461 const vector<uint8_t>& key_blob, std::string_view app_id_string,
462 std::string_view app_data_string,
463 const vector<KeyCharacteristics>& generate_characteristics) {
464 // Exclude any SecurityLevel::KEYSTORE characteristics for comparisons.
465 vector<KeyCharacteristics> expected_characteristics(generate_characteristics);
466 strip_keystore_tags(&expected_characteristics);
467
468 vector<uint8_t> app_id(app_id_string.begin(), app_id_string.end());
469 vector<uint8_t> app_data(app_data_string.begin(), app_data_string.end());
470 vector<KeyCharacteristics> retrieved;
471 ASSERT_EQ(ErrorCode::OK, GetCharacteristics(key_blob, app_id, app_data, &retrieved));
472 EXPECT_EQ(expected_characteristics, retrieved);
473
474 // Check that key characteristics can't be retrieved if the app ID or app data is missing.
475 vector<uint8_t> empty;
476 vector<KeyCharacteristics> not_retrieved;
477 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
478 GetCharacteristics(key_blob, empty, app_data, ¬_retrieved));
479 EXPECT_EQ(not_retrieved.size(), 0);
480
481 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
482 GetCharacteristics(key_blob, app_id, empty, ¬_retrieved));
483 EXPECT_EQ(not_retrieved.size(), 0);
484
485 EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
486 GetCharacteristics(key_blob, empty, empty, ¬_retrieved));
487 EXPECT_EQ(not_retrieved.size(), 0);
488 }
489
DeleteKey(vector<uint8_t> * key_blob,bool keep_key_blob)490 ErrorCode KeyMintAidlTestBase::DeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
491 Status result = keymint_->deleteKey(*key_blob);
492 if (!keep_key_blob) {
493 *key_blob = vector<uint8_t>();
494 }
495
496 EXPECT_TRUE(result.isOk()) << result.getServiceSpecificError() << endl;
497 return GetReturnErrorCode(result);
498 }
499
DeleteKey(bool keep_key_blob)500 ErrorCode KeyMintAidlTestBase::DeleteKey(bool keep_key_blob) {
501 return DeleteKey(&key_blob_, keep_key_blob);
502 }
503
DeleteAllKeys()504 ErrorCode KeyMintAidlTestBase::DeleteAllKeys() {
505 Status result = keymint_->deleteAllKeys();
506 EXPECT_TRUE(result.isOk()) << result.getServiceSpecificError() << endl;
507 return GetReturnErrorCode(result);
508 }
509
DestroyAttestationIds()510 ErrorCode KeyMintAidlTestBase::DestroyAttestationIds() {
511 Status result = keymint_->destroyAttestationIds();
512 return GetReturnErrorCode(result);
513 }
514
CheckedDeleteKey(vector<uint8_t> * key_blob,bool keep_key_blob)515 void KeyMintAidlTestBase::CheckedDeleteKey(vector<uint8_t>* key_blob, bool keep_key_blob) {
516 ErrorCode result = DeleteKey(key_blob, keep_key_blob);
517 EXPECT_TRUE(result == ErrorCode::OK || result == ErrorCode::UNIMPLEMENTED) << result << endl;
518 }
519
CheckedDeleteKey()520 void KeyMintAidlTestBase::CheckedDeleteKey() {
521 CheckedDeleteKey(&key_blob_);
522 }
523
Begin(KeyPurpose purpose,const vector<uint8_t> & key_blob,const AuthorizationSet & in_params,AuthorizationSet * out_params,std::shared_ptr<IKeyMintOperation> & op)524 ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
525 const AuthorizationSet& in_params,
526 AuthorizationSet* out_params,
527 std::shared_ptr<IKeyMintOperation>& op) {
528 SCOPED_TRACE("Begin");
529 Status result;
530 BeginResult out;
531 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), std::nullopt, &out);
532
533 if (result.isOk()) {
534 *out_params = out.params;
535 challenge_ = out.challenge;
536 op = out.operation;
537 }
538
539 return GetReturnErrorCode(result);
540 }
541
Begin(KeyPurpose purpose,const vector<uint8_t> & key_blob,const AuthorizationSet & in_params,AuthorizationSet * out_params,std::optional<HardwareAuthToken> hat)542 ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>& key_blob,
543 const AuthorizationSet& in_params,
544 AuthorizationSet* out_params,
545 std::optional<HardwareAuthToken> hat) {
546 SCOPED_TRACE("Begin");
547 Status result;
548 BeginResult out;
549
550 result = keymint_->begin(purpose, key_blob, in_params.vector_data(), hat, &out);
551
552 if (result.isOk()) {
553 *out_params = out.params;
554 challenge_ = out.challenge;
555 op_ = out.operation;
556 }
557
558 return GetReturnErrorCode(result);
559 }
560
Begin(KeyPurpose purpose,const AuthorizationSet & in_params,AuthorizationSet * out_params)561 ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
562 AuthorizationSet* out_params) {
563 SCOPED_TRACE("Begin");
564 EXPECT_EQ(nullptr, op_);
565 return Begin(purpose, key_blob_, in_params, out_params);
566 }
567
Begin(KeyPurpose purpose,const AuthorizationSet & in_params)568 ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
569 SCOPED_TRACE("Begin");
570 AuthorizationSet out_params;
571 ErrorCode result = Begin(purpose, in_params, &out_params);
572 EXPECT_TRUE(out_params.empty());
573 return result;
574 }
575
UpdateAad(const string & input)576 ErrorCode KeyMintAidlTestBase::UpdateAad(const string& input) {
577 return GetReturnErrorCode(op_->updateAad(vector<uint8_t>(input.begin(), input.end()),
578 {} /* hardwareAuthToken */,
579 {} /* verificationToken */));
580 }
581
Update(const string & input,string * output)582 ErrorCode KeyMintAidlTestBase::Update(const string& input, string* output) {
583 SCOPED_TRACE("Update");
584
585 Status result;
586 if (!output) return ErrorCode::UNEXPECTED_NULL_POINTER;
587
588 EXPECT_NE(op_, nullptr);
589 if (!op_) return ErrorCode::UNEXPECTED_NULL_POINTER;
590
591 std::vector<uint8_t> o_put;
592 result = op_->update(vector<uint8_t>(input.begin(), input.end()), {}, {}, &o_put);
593
594 if (result.isOk()) {
595 output->append(o_put.begin(), o_put.end());
596 } else {
597 // Failure always terminates the operation.
598 op_ = {};
599 }
600
601 return GetReturnErrorCode(result);
602 }
603
Finish(const string & input,const string & signature,string * output,std::optional<HardwareAuthToken> hat,std::optional<secureclock::TimeStampToken> time_token)604 ErrorCode KeyMintAidlTestBase::Finish(const string& input, const string& signature, string* output,
605 std::optional<HardwareAuthToken> hat,
606 std::optional<secureclock::TimeStampToken> time_token) {
607 SCOPED_TRACE("Finish");
608 Status result;
609
610 EXPECT_NE(op_, nullptr);
611 if (!op_) return ErrorCode::UNEXPECTED_NULL_POINTER;
612
613 vector<uint8_t> oPut;
614 result = op_->finish(vector<uint8_t>(input.begin(), input.end()),
615 vector<uint8_t>(signature.begin(), signature.end()), hat, time_token,
616 {} /* confirmationToken */, &oPut);
617
618 if (result.isOk()) output->append(oPut.begin(), oPut.end());
619
620 op_ = {};
621 return GetReturnErrorCode(result);
622 }
623
Abort(const std::shared_ptr<IKeyMintOperation> & op)624 ErrorCode KeyMintAidlTestBase::Abort(const std::shared_ptr<IKeyMintOperation>& op) {
625 SCOPED_TRACE("Abort");
626
627 EXPECT_NE(op, nullptr);
628 if (!op) return ErrorCode::UNEXPECTED_NULL_POINTER;
629
630 Status retval = op->abort();
631 EXPECT_TRUE(retval.isOk());
632 return static_cast<ErrorCode>(retval.getServiceSpecificError());
633 }
634
Abort()635 ErrorCode KeyMintAidlTestBase::Abort() {
636 SCOPED_TRACE("Abort");
637
638 EXPECT_NE(op_, nullptr);
639 if (!op_) return ErrorCode::UNEXPECTED_NULL_POINTER;
640
641 Status retval = op_->abort();
642 return static_cast<ErrorCode>(retval.getServiceSpecificError());
643 }
644
AbortIfNeeded()645 void KeyMintAidlTestBase::AbortIfNeeded() {
646 SCOPED_TRACE("AbortIfNeeded");
647 if (op_) {
648 EXPECT_EQ(ErrorCode::OK, Abort());
649 op_.reset();
650 }
651 }
652
ProcessMessage(const vector<uint8_t> & key_blob,KeyPurpose operation,const string & message,const AuthorizationSet & in_params)653 auto KeyMintAidlTestBase::ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
654 const string& message, const AuthorizationSet& in_params)
655 -> std::tuple<ErrorCode, string> {
656 AuthorizationSet begin_out_params;
657 ErrorCode result = Begin(operation, key_blob, in_params, &begin_out_params);
658 if (result != ErrorCode::OK) return {result, {}};
659
660 string output;
661 return {Finish(message, &output), output};
662 }
663
ProcessMessage(const vector<uint8_t> & key_blob,KeyPurpose operation,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)664 string KeyMintAidlTestBase::ProcessMessage(const vector<uint8_t>& key_blob, KeyPurpose operation,
665 const string& message, const AuthorizationSet& in_params,
666 AuthorizationSet* out_params) {
667 SCOPED_TRACE("ProcessMessage");
668 AuthorizationSet begin_out_params;
669 ErrorCode result = Begin(operation, key_blob, in_params, out_params);
670 EXPECT_EQ(ErrorCode::OK, result);
671 if (result != ErrorCode::OK) {
672 return "";
673 }
674
675 string output;
676 EXPECT_EQ(ErrorCode::OK, Finish(message, &output));
677 return output;
678 }
679
SignMessage(const vector<uint8_t> & key_blob,const string & message,const AuthorizationSet & params)680 string KeyMintAidlTestBase::SignMessage(const vector<uint8_t>& key_blob, const string& message,
681 const AuthorizationSet& params) {
682 SCOPED_TRACE("SignMessage");
683 AuthorizationSet out_params;
684 string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
685 EXPECT_TRUE(out_params.empty());
686 return signature;
687 }
688
SignMessage(const string & message,const AuthorizationSet & params)689 string KeyMintAidlTestBase::SignMessage(const string& message, const AuthorizationSet& params) {
690 SCOPED_TRACE("SignMessage");
691 return SignMessage(key_blob_, message, params);
692 }
693
MacMessage(const string & message,Digest digest,size_t mac_length)694 string KeyMintAidlTestBase::MacMessage(const string& message, Digest digest, size_t mac_length) {
695 SCOPED_TRACE("MacMessage");
696 return SignMessage(
697 key_blob_, message,
698 AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
699 }
700
CheckAesIncrementalEncryptOperation(BlockMode block_mode,int message_size)701 void KeyMintAidlTestBase::CheckAesIncrementalEncryptOperation(BlockMode block_mode,
702 int message_size) {
703 auto builder = AuthorizationSetBuilder()
704 .Authorization(TAG_NO_AUTH_REQUIRED)
705 .AesEncryptionKey(128)
706 .BlockMode(block_mode)
707 .Padding(PaddingMode::NONE);
708 if (block_mode == BlockMode::GCM) {
709 builder.Authorization(TAG_MIN_MAC_LENGTH, 128);
710 }
711 ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
712
713 for (int increment = 1; increment <= message_size; ++increment) {
714 string message(message_size, 'a');
715 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(PaddingMode::NONE);
716 if (block_mode == BlockMode::GCM) {
717 params.Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
718 }
719
720 AuthorizationSet output_params;
721 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
722
723 string ciphertext;
724 string to_send;
725 for (size_t i = 0; i < message.size(); i += increment) {
726 EXPECT_EQ(ErrorCode::OK, Update(message.substr(i, increment), &ciphertext));
727 }
728 EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext))
729 << "Error sending " << to_send << " with block mode " << block_mode;
730
731 switch (block_mode) {
732 case BlockMode::GCM:
733 EXPECT_EQ(message.size() + 16, ciphertext.size());
734 break;
735 case BlockMode::CTR:
736 EXPECT_EQ(message.size(), ciphertext.size());
737 break;
738 case BlockMode::CBC:
739 case BlockMode::ECB:
740 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
741 break;
742 }
743
744 auto iv = output_params.GetTagValue(TAG_NONCE);
745 switch (block_mode) {
746 case BlockMode::CBC:
747 case BlockMode::GCM:
748 case BlockMode::CTR:
749 ASSERT_TRUE(iv) << "No IV for block mode " << block_mode;
750 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv->get().size());
751 params.push_back(TAG_NONCE, iv->get());
752 break;
753
754 case BlockMode::ECB:
755 EXPECT_FALSE(iv) << "ECB mode should not generate IV";
756 break;
757 }
758
759 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
760 << "Decrypt begin() failed for block mode " << block_mode;
761
762 string plaintext;
763 for (size_t i = 0; i < ciphertext.size(); i += increment) {
764 EXPECT_EQ(ErrorCode::OK, Update(ciphertext.substr(i, increment), &plaintext));
765 }
766 ErrorCode error = Finish(to_send, &plaintext);
767 ASSERT_EQ(ErrorCode::OK, error) << "Decryption failed for block mode " << block_mode
768 << " and increment " << increment;
769 if (error == ErrorCode::OK) {
770 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode " << block_mode
771 << " and increment " << increment;
772 }
773 }
774 }
775
AesCheckEncryptOneByteAtATime(const string & key,BlockMode block_mode,PaddingMode padding_mode,const string & iv,const string & plaintext,const string & exp_cipher_text)776 void KeyMintAidlTestBase::AesCheckEncryptOneByteAtATime(const string& key, BlockMode block_mode,
777 PaddingMode padding_mode, const string& iv,
778 const string& plaintext,
779 const string& exp_cipher_text) {
780 bool is_authenticated_cipher = (block_mode == BlockMode::GCM);
781 auto auth_set = AuthorizationSetBuilder()
782 .Authorization(TAG_NO_AUTH_REQUIRED)
783 .AesEncryptionKey(key.size() * 8)
784 .BlockMode(block_mode)
785 .Padding(padding_mode);
786 if (iv.size() > 0) auth_set.Authorization(TAG_CALLER_NONCE);
787 if (is_authenticated_cipher) auth_set.Authorization(TAG_MIN_MAC_LENGTH, 128);
788 ASSERT_EQ(ErrorCode::OK, ImportKey(auth_set, KeyFormat::RAW, key));
789
790 CheckEncryptOneByteAtATime(block_mode, 16 /*block_size*/, padding_mode, iv, plaintext,
791 exp_cipher_text);
792 }
793
CheckEncryptOneByteAtATime(BlockMode block_mode,const int block_size,PaddingMode padding_mode,const string & iv,const string & plaintext,const string & exp_cipher_text)794 void KeyMintAidlTestBase::CheckEncryptOneByteAtATime(BlockMode block_mode, const int block_size,
795 PaddingMode padding_mode, const string& iv,
796 const string& plaintext,
797 const string& exp_cipher_text) {
798 bool is_stream_cipher = (block_mode == BlockMode::CTR || block_mode == BlockMode::GCM);
799 bool is_authenticated_cipher = (block_mode == BlockMode::GCM);
800 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
801 if (iv.size() > 0) params.Authorization(TAG_NONCE, iv.data(), iv.size());
802 if (is_authenticated_cipher) params.Authorization(TAG_MAC_LENGTH, 128);
803
804 AuthorizationSet output_params;
805 EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
806
807 string actual_ciphertext;
808 if (is_stream_cipher) {
809 // Assert that a 1 byte of output is produced for 1 byte of input.
810 // Every input byte produces an output byte.
811 for (int plaintext_index = 0; plaintext_index < plaintext.size(); plaintext_index++) {
812 string ciphertext;
813 EXPECT_EQ(ErrorCode::OK, Update(plaintext.substr(plaintext_index, 1), &ciphertext));
814 // Some StrongBox implementations cannot support 1:1 input:output lengths, so
815 // we relax this API restriction for them.
816 if (SecLevel() != SecurityLevel::STRONGBOX) {
817 EXPECT_EQ(1, ciphertext.size()) << "plaintext index: " << plaintext_index;
818 }
819 actual_ciphertext.append(ciphertext);
820 }
821 string ciphertext;
822 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
823 if (SecLevel() != SecurityLevel::STRONGBOX) {
824 string expected_final_output;
825 if (is_authenticated_cipher) {
826 expected_final_output = exp_cipher_text.substr(plaintext.size());
827 }
828 EXPECT_EQ(expected_final_output, ciphertext);
829 }
830 actual_ciphertext.append(ciphertext);
831 } else {
832 // Assert that a block of output is produced once a full block of input is provided.
833 // Every input block produces an output block.
834 bool compare_output = true;
835 string additional_information;
836 int vendor_api_level = property_get_int32("ro.vendor.api_level", 0);
837 if (SecLevel() == SecurityLevel::STRONGBOX) {
838 // This is known to be broken on older vendor implementations.
839 if (vendor_api_level < __ANDROID_API_T__) {
840 compare_output = false;
841 } else {
842 additional_information = " (b/194134359) ";
843 }
844 }
845 for (int plaintext_index = 0; plaintext_index < plaintext.size(); plaintext_index++) {
846 string ciphertext;
847 EXPECT_EQ(ErrorCode::OK, Update(plaintext.substr(plaintext_index, 1), &ciphertext));
848 if (compare_output) {
849 if ((plaintext_index % block_size) == block_size - 1) {
850 // Update is expected to have output a new block
851 EXPECT_EQ(block_size, ciphertext.size())
852 << "plaintext index: " << plaintext_index << additional_information;
853 } else {
854 // Update is expected to have produced no output
855 EXPECT_EQ(0, ciphertext.size())
856 << "plaintext index: " << plaintext_index << additional_information;
857 }
858 }
859 actual_ciphertext.append(ciphertext);
860 }
861 string ciphertext;
862 EXPECT_EQ(ErrorCode::OK, Finish(&ciphertext));
863 actual_ciphertext.append(ciphertext);
864 }
865 // Regardless of how the completed ciphertext got accumulated, it should match the expected
866 // ciphertext.
867 EXPECT_EQ(exp_cipher_text, actual_ciphertext);
868 }
869
CheckHmacTestVector(const string & key,const string & message,Digest digest,const string & expected_mac)870 void KeyMintAidlTestBase::CheckHmacTestVector(const string& key, const string& message,
871 Digest digest, const string& expected_mac) {
872 SCOPED_TRACE("CheckHmacTestVector");
873 ASSERT_EQ(ErrorCode::OK,
874 ImportKey(AuthorizationSetBuilder()
875 .Authorization(TAG_NO_AUTH_REQUIRED)
876 .HmacKey(key.size() * 8)
877 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
878 .Digest(digest),
879 KeyFormat::RAW, key));
880 string signature = MacMessage(message, digest, expected_mac.size() * 8);
881 EXPECT_EQ(expected_mac, signature)
882 << "Test vector didn't match for key of size " << key.size() << " message of size "
883 << message.size() << " and digest " << digest;
884 CheckedDeleteKey();
885 }
886
CheckAesCtrTestVector(const string & key,const string & nonce,const string & message,const string & expected_ciphertext)887 void KeyMintAidlTestBase::CheckAesCtrTestVector(const string& key, const string& nonce,
888 const string& message,
889 const string& expected_ciphertext) {
890 SCOPED_TRACE("CheckAesCtrTestVector");
891 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
892 .Authorization(TAG_NO_AUTH_REQUIRED)
893 .AesEncryptionKey(key.size() * 8)
894 .BlockMode(BlockMode::CTR)
895 .Authorization(TAG_CALLER_NONCE)
896 .Padding(PaddingMode::NONE),
897 KeyFormat::RAW, key));
898
899 auto params = AuthorizationSetBuilder()
900 .Authorization(TAG_NONCE, nonce.data(), nonce.size())
901 .BlockMode(BlockMode::CTR)
902 .Padding(PaddingMode::NONE);
903 AuthorizationSet out_params;
904 string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
905 EXPECT_EQ(expected_ciphertext, ciphertext);
906 }
907
CheckTripleDesTestVector(KeyPurpose purpose,BlockMode block_mode,PaddingMode padding_mode,const string & key,const string & iv,const string & input,const string & expected_output)908 void KeyMintAidlTestBase::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode,
909 PaddingMode padding_mode, const string& key,
910 const string& iv, const string& input,
911 const string& expected_output) {
912 auto authset = AuthorizationSetBuilder()
913 .TripleDesEncryptionKey(key.size() * 7)
914 .BlockMode(block_mode)
915 .Authorization(TAG_NO_AUTH_REQUIRED)
916 .Padding(padding_mode);
917 if (iv.size()) authset.Authorization(TAG_CALLER_NONCE);
918 ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key));
919 ASSERT_GT(key_blob_.size(), 0U);
920
921 auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode);
922 if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size());
923 AuthorizationSet output_params;
924 string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params);
925 EXPECT_EQ(expected_output, output);
926 }
927
VerifyMessage(const vector<uint8_t> & key_blob,const string & message,const string & signature,const AuthorizationSet & params)928 void KeyMintAidlTestBase::VerifyMessage(const vector<uint8_t>& key_blob, const string& message,
929 const string& signature, const AuthorizationSet& params) {
930 SCOPED_TRACE("VerifyMessage");
931 AuthorizationSet begin_out_params;
932 ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params));
933
934 string output;
935 EXPECT_EQ(ErrorCode::OK, Finish(message, signature, &output));
936 EXPECT_TRUE(output.empty());
937 op_ = {};
938 }
939
VerifyMessage(const string & message,const string & signature,const AuthorizationSet & params)940 void KeyMintAidlTestBase::VerifyMessage(const string& message, const string& signature,
941 const AuthorizationSet& params) {
942 SCOPED_TRACE("VerifyMessage");
943 VerifyMessage(key_blob_, message, signature, params);
944 }
945
LocalVerifyMessage(const string & message,const string & signature,const AuthorizationSet & params)946 void KeyMintAidlTestBase::LocalVerifyMessage(const string& message, const string& signature,
947 const AuthorizationSet& params) {
948 SCOPED_TRACE("LocalVerifyMessage");
949
950 ASSERT_GT(cert_chain_.size(), 0);
951 LocalVerifyMessage(cert_chain_[0].encodedCertificate, message, signature, params);
952 }
953
LocalVerifyMessage(const vector<uint8_t> & der_cert,const string & message,const string & signature,const AuthorizationSet & params)954 void KeyMintAidlTestBase::LocalVerifyMessage(const vector<uint8_t>& der_cert, const string& message,
955 const string& signature,
956 const AuthorizationSet& params) {
957 // Retrieve the public key from the leaf certificate.
958 X509_Ptr key_cert(parse_cert_blob(der_cert));
959 ASSERT_TRUE(key_cert.get());
960 EVP_PKEY_Ptr pub_key(X509_get_pubkey(key_cert.get()));
961 ASSERT_TRUE(pub_key.get());
962
963 Digest digest = params.GetTagValue(TAG_DIGEST).value();
964 PaddingMode padding = PaddingMode::NONE;
965 auto tag = params.GetTagValue(TAG_PADDING);
966 if (tag.has_value()) {
967 padding = tag.value();
968 }
969
970 if (digest == Digest::NONE) {
971 switch (EVP_PKEY_id(pub_key.get())) {
972 case EVP_PKEY_ED25519: {
973 ASSERT_EQ(64, signature.size());
974 uint8_t pub_keydata[32];
975 size_t pub_len = sizeof(pub_keydata);
976 ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(pub_key.get(), pub_keydata, &pub_len));
977 ASSERT_EQ(sizeof(pub_keydata), pub_len);
978 ASSERT_EQ(1, ED25519_verify(reinterpret_cast<const uint8_t*>(message.data()),
979 message.size(),
980 reinterpret_cast<const uint8_t*>(signature.data()),
981 pub_keydata));
982 break;
983 }
984
985 case EVP_PKEY_EC: {
986 vector<uint8_t> data((EVP_PKEY_bits(pub_key.get()) + 7) / 8);
987 size_t data_size = std::min(data.size(), message.size());
988 memcpy(data.data(), message.data(), data_size);
989 EC_KEY_Ptr ecdsa(EVP_PKEY_get1_EC_KEY(pub_key.get()));
990 ASSERT_TRUE(ecdsa.get());
991 ASSERT_EQ(1,
992 ECDSA_verify(0, reinterpret_cast<const uint8_t*>(data.data()), data_size,
993 reinterpret_cast<const uint8_t*>(signature.data()),
994 signature.size(), ecdsa.get()));
995 break;
996 }
997 case EVP_PKEY_RSA: {
998 vector<uint8_t> data(EVP_PKEY_size(pub_key.get()));
999 size_t data_size = std::min(data.size(), message.size());
1000 memcpy(data.data(), message.data(), data_size);
1001
1002 RSA_Ptr rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(pub_key.get())));
1003 ASSERT_TRUE(rsa.get());
1004
1005 size_t key_len = RSA_size(rsa.get());
1006 int openssl_padding = RSA_NO_PADDING;
1007 switch (padding) {
1008 case PaddingMode::NONE:
1009 ASSERT_TRUE(data_size <= key_len);
1010 ASSERT_EQ(key_len, signature.size());
1011 openssl_padding = RSA_NO_PADDING;
1012 break;
1013 case PaddingMode::RSA_PKCS1_1_5_SIGN:
1014 ASSERT_TRUE(data_size + kPkcs1UndigestedSignaturePaddingOverhead <=
1015 key_len);
1016 openssl_padding = RSA_PKCS1_PADDING;
1017 break;
1018 default:
1019 ADD_FAILURE() << "Unsupported RSA padding mode " << padding;
1020 }
1021
1022 vector<uint8_t> decrypted_data(key_len);
1023 int bytes_decrypted = RSA_public_decrypt(
1024 signature.size(), reinterpret_cast<const uint8_t*>(signature.data()),
1025 decrypted_data.data(), rsa.get(), openssl_padding);
1026 ASSERT_GE(bytes_decrypted, 0);
1027
1028 const uint8_t* compare_pos = decrypted_data.data();
1029 size_t bytes_to_compare = bytes_decrypted;
1030 uint8_t zero_check_result = 0;
1031 if (padding == PaddingMode::NONE && data_size < bytes_to_compare) {
1032 // If the data is short, for "unpadded" signing we zero-pad to the left. So
1033 // during verification we should have zeros on the left of the decrypted data.
1034 // Do a constant-time check.
1035 const uint8_t* zero_end = compare_pos + bytes_to_compare - data_size;
1036 while (compare_pos < zero_end) zero_check_result |= *compare_pos++;
1037 ASSERT_EQ(0, zero_check_result);
1038 bytes_to_compare = data_size;
1039 }
1040 ASSERT_EQ(0, memcmp(compare_pos, data.data(), bytes_to_compare));
1041 break;
1042 }
1043 default:
1044 ADD_FAILURE() << "Unknown public key type";
1045 }
1046 } else {
1047 EVP_MD_CTX digest_ctx;
1048 EVP_MD_CTX_init(&digest_ctx);
1049 EVP_PKEY_CTX* pkey_ctx;
1050 const EVP_MD* md = openssl_digest(digest);
1051 ASSERT_NE(md, nullptr);
1052 ASSERT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr, pub_key.get()));
1053
1054 if (padding == PaddingMode::RSA_PSS) {
1055 EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING), 0);
1056 EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(md)), 0);
1057 EXPECT_GT(EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, md), 0);
1058 }
1059
1060 ASSERT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx,
1061 reinterpret_cast<const uint8_t*>(message.data()),
1062 message.size()));
1063 ASSERT_EQ(1, EVP_DigestVerifyFinal(&digest_ctx,
1064 reinterpret_cast<const uint8_t*>(signature.data()),
1065 signature.size()));
1066 EVP_MD_CTX_cleanup(&digest_ctx);
1067 }
1068 }
1069
LocalRsaEncryptMessage(const string & message,const AuthorizationSet & params)1070 string KeyMintAidlTestBase::LocalRsaEncryptMessage(const string& message,
1071 const AuthorizationSet& params) {
1072 SCOPED_TRACE("LocalRsaEncryptMessage");
1073
1074 // Retrieve the public key from the leaf certificate.
1075 if (cert_chain_.empty()) {
1076 ADD_FAILURE() << "No public key available";
1077 return "Failure";
1078 }
1079 X509_Ptr key_cert(parse_cert_blob(cert_chain_[0].encodedCertificate));
1080 if (key_cert.get() == nullptr) {
1081 ADD_FAILURE() << "Failed to parse cert";
1082 return "Failure";
1083 }
1084 EVP_PKEY_Ptr pub_key(X509_get_pubkey(key_cert.get()));
1085 if (pub_key.get() == nullptr) {
1086 ADD_FAILURE() << "Failed to retrieve public key";
1087 return "Failure";
1088 }
1089 RSA_Ptr rsa(EVP_PKEY_get1_RSA(const_cast<EVP_PKEY*>(pub_key.get())));
1090 if (rsa.get() == nullptr) {
1091 ADD_FAILURE() << "Failed to retrieve RSA public key";
1092 return "Failure";
1093 }
1094
1095 // Retrieve relevant tags.
1096 Digest digest = Digest::NONE;
1097 Digest mgf_digest = Digest::SHA1;
1098 PaddingMode padding = PaddingMode::NONE;
1099
1100 auto digest_tag = params.GetTagValue(TAG_DIGEST);
1101 if (digest_tag.has_value()) digest = digest_tag.value();
1102 auto pad_tag = params.GetTagValue(TAG_PADDING);
1103 if (pad_tag.has_value()) padding = pad_tag.value();
1104 auto mgf_tag = params.GetTagValue(TAG_RSA_OAEP_MGF_DIGEST);
1105 if (mgf_tag.has_value()) mgf_digest = mgf_tag.value();
1106
1107 const EVP_MD* md = openssl_digest(digest);
1108 const EVP_MD* mgf_md = openssl_digest(mgf_digest);
1109
1110 // Set up encryption context.
1111 EVP_PKEY_CTX_Ptr ctx(EVP_PKEY_CTX_new(pub_key.get(), /* engine= */ nullptr));
1112 if (EVP_PKEY_encrypt_init(ctx.get()) <= 0) {
1113 ADD_FAILURE() << "Encryption init failed: " << ERR_peek_last_error();
1114 return "Failure";
1115 }
1116
1117 int rc = -1;
1118 switch (padding) {
1119 case PaddingMode::NONE:
1120 rc = EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_NO_PADDING);
1121 break;
1122 case PaddingMode::RSA_PKCS1_1_5_ENCRYPT:
1123 rc = EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_PADDING);
1124 break;
1125 case PaddingMode::RSA_OAEP:
1126 rc = EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_OAEP_PADDING);
1127 break;
1128 default:
1129 break;
1130 }
1131 if (rc <= 0) {
1132 ADD_FAILURE() << "Set padding failed: " << ERR_peek_last_error();
1133 return "Failure";
1134 }
1135 if (padding == PaddingMode::RSA_OAEP) {
1136 if (!EVP_PKEY_CTX_set_rsa_oaep_md(ctx.get(), md)) {
1137 ADD_FAILURE() << "Set digest failed: " << ERR_peek_last_error();
1138 return "Failure";
1139 }
1140 if (!EVP_PKEY_CTX_set_rsa_mgf1_md(ctx.get(), mgf_md)) {
1141 ADD_FAILURE() << "Set MGF digest failed: " << ERR_peek_last_error();
1142 return "Failure";
1143 }
1144 }
1145
1146 // Determine output size.
1147 size_t outlen;
1148 if (EVP_PKEY_encrypt(ctx.get(), nullptr /* out */, &outlen,
1149 reinterpret_cast<const uint8_t*>(message.data()), message.size()) <= 0) {
1150 ADD_FAILURE() << "Determine output size failed: " << ERR_peek_last_error();
1151 return "Failure";
1152 }
1153
1154 // Left-zero-pad the input if necessary.
1155 const uint8_t* to_encrypt = reinterpret_cast<const uint8_t*>(message.data());
1156 size_t to_encrypt_len = message.size();
1157
1158 std::unique_ptr<string> zero_padded_message;
1159 if (padding == PaddingMode::NONE && to_encrypt_len < outlen) {
1160 zero_padded_message.reset(new string(outlen, '\0'));
1161 memcpy(zero_padded_message->data() + (outlen - to_encrypt_len), message.data(),
1162 message.size());
1163 to_encrypt = reinterpret_cast<const uint8_t*>(zero_padded_message->data());
1164 to_encrypt_len = outlen;
1165 }
1166
1167 // Do the encryption.
1168 string output(outlen, '\0');
1169 if (EVP_PKEY_encrypt(ctx.get(), reinterpret_cast<uint8_t*>(output.data()), &outlen, to_encrypt,
1170 to_encrypt_len) <= 0) {
1171 ADD_FAILURE() << "Encryption failed: " << ERR_peek_last_error();
1172 return "Failure";
1173 }
1174 return output;
1175 }
1176
EncryptMessage(const vector<uint8_t> & key_blob,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)1177 string KeyMintAidlTestBase::EncryptMessage(const vector<uint8_t>& key_blob, const string& message,
1178 const AuthorizationSet& in_params,
1179 AuthorizationSet* out_params) {
1180 SCOPED_TRACE("EncryptMessage");
1181 return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
1182 }
1183
EncryptMessage(const string & message,const AuthorizationSet & params,AuthorizationSet * out_params)1184 string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params,
1185 AuthorizationSet* out_params) {
1186 SCOPED_TRACE("EncryptMessage");
1187 return EncryptMessage(key_blob_, message, params, out_params);
1188 }
1189
EncryptMessage(const string & message,const AuthorizationSet & params)1190 string KeyMintAidlTestBase::EncryptMessage(const string& message, const AuthorizationSet& params) {
1191 SCOPED_TRACE("EncryptMessage");
1192 AuthorizationSet out_params;
1193 string ciphertext = EncryptMessage(message, params, &out_params);
1194 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
1195 return ciphertext;
1196 }
1197
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding)1198 string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
1199 PaddingMode padding) {
1200 SCOPED_TRACE("EncryptMessage");
1201 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
1202 AuthorizationSet out_params;
1203 string ciphertext = EncryptMessage(message, params, &out_params);
1204 EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params;
1205 return ciphertext;
1206 }
1207
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,vector<uint8_t> * iv_out)1208 string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
1209 PaddingMode padding, vector<uint8_t>* iv_out) {
1210 SCOPED_TRACE("EncryptMessage");
1211 auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding);
1212 AuthorizationSet out_params;
1213 string ciphertext = EncryptMessage(message, params, &out_params);
1214 EXPECT_EQ(1U, out_params.size());
1215 auto ivVal = out_params.GetTagValue(TAG_NONCE);
1216 EXPECT_TRUE(ivVal);
1217 if (ivVal) *iv_out = *ivVal;
1218 return ciphertext;
1219 }
1220
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,const vector<uint8_t> & iv_in)1221 string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
1222 PaddingMode padding, const vector<uint8_t>& iv_in) {
1223 SCOPED_TRACE("EncryptMessage");
1224 auto params = AuthorizationSetBuilder()
1225 .BlockMode(block_mode)
1226 .Padding(padding)
1227 .Authorization(TAG_NONCE, iv_in);
1228 AuthorizationSet out_params;
1229 string ciphertext = EncryptMessage(message, params, &out_params);
1230 return ciphertext;
1231 }
1232
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,uint8_t mac_length_bits,const vector<uint8_t> & iv_in)1233 string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
1234 PaddingMode padding, uint8_t mac_length_bits,
1235 const vector<uint8_t>& iv_in) {
1236 SCOPED_TRACE("EncryptMessage");
1237 auto params = AuthorizationSetBuilder()
1238 .BlockMode(block_mode)
1239 .Padding(padding)
1240 .Authorization(TAG_MAC_LENGTH, mac_length_bits)
1241 .Authorization(TAG_NONCE, iv_in);
1242 AuthorizationSet out_params;
1243 string ciphertext = EncryptMessage(message, params, &out_params);
1244 return ciphertext;
1245 }
1246
EncryptMessage(const string & message,BlockMode block_mode,PaddingMode padding,uint8_t mac_length_bits)1247 string KeyMintAidlTestBase::EncryptMessage(const string& message, BlockMode block_mode,
1248 PaddingMode padding, uint8_t mac_length_bits) {
1249 SCOPED_TRACE("EncryptMessage");
1250 auto params = AuthorizationSetBuilder()
1251 .BlockMode(block_mode)
1252 .Padding(padding)
1253 .Authorization(TAG_MAC_LENGTH, mac_length_bits);
1254 AuthorizationSet out_params;
1255 string ciphertext = EncryptMessage(message, params, &out_params);
1256 return ciphertext;
1257 }
1258
DecryptMessage(const vector<uint8_t> & key_blob,const string & ciphertext,const AuthorizationSet & params)1259 string KeyMintAidlTestBase::DecryptMessage(const vector<uint8_t>& key_blob,
1260 const string& ciphertext,
1261 const AuthorizationSet& params) {
1262 SCOPED_TRACE("DecryptMessage");
1263 AuthorizationSet out_params;
1264 string plaintext =
1265 ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
1266 EXPECT_TRUE(out_params.empty());
1267 return plaintext;
1268 }
1269
DecryptMessage(const string & ciphertext,const AuthorizationSet & params)1270 string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext,
1271 const AuthorizationSet& params) {
1272 SCOPED_TRACE("DecryptMessage");
1273 return DecryptMessage(key_blob_, ciphertext, params);
1274 }
1275
DecryptMessage(const string & ciphertext,BlockMode block_mode,PaddingMode padding_mode,const vector<uint8_t> & iv)1276 string KeyMintAidlTestBase::DecryptMessage(const string& ciphertext, BlockMode block_mode,
1277 PaddingMode padding_mode, const vector<uint8_t>& iv) {
1278 SCOPED_TRACE("DecryptMessage");
1279 auto params = AuthorizationSetBuilder()
1280 .BlockMode(block_mode)
1281 .Padding(padding_mode)
1282 .Authorization(TAG_NONCE, iv);
1283 return DecryptMessage(key_blob_, ciphertext, params);
1284 }
1285
UpgradeKey(const vector<uint8_t> & key_blob)1286 std::pair<ErrorCode, vector<uint8_t>> KeyMintAidlTestBase::UpgradeKey(
1287 const vector<uint8_t>& key_blob) {
1288 std::pair<ErrorCode, vector<uint8_t>> retval;
1289 vector<uint8_t> outKeyBlob;
1290 Status result = keymint_->upgradeKey(key_blob, vector<KeyParameter>(), &outKeyBlob);
1291 ErrorCode errorcode = GetReturnErrorCode(result);
1292 retval = std::tie(errorcode, outKeyBlob);
1293
1294 return retval;
1295 }
1296
IsRkpSupportRequired() const1297 bool KeyMintAidlTestBase::IsRkpSupportRequired() const {
1298 // This is technically not a match to the requirements for S chipsets,
1299 // however when S shipped there was a bug in the test that skipped the
1300 // tests if KeyMint 2 was not on the system. So we allowed many chipests
1301 // to ship without RKP support. In T we hardened the requirements around
1302 // support for RKP, so relax the test to match.
1303 return get_vsr_api_level() >= __ANDROID_API_T__;
1304 }
1305
ValidKeySizes(Algorithm algorithm)1306 vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
1307 switch (algorithm) {
1308 case Algorithm::RSA:
1309 switch (SecLevel()) {
1310 case SecurityLevel::SOFTWARE:
1311 case SecurityLevel::TRUSTED_ENVIRONMENT:
1312 return {2048, 3072, 4096};
1313 case SecurityLevel::STRONGBOX:
1314 return {2048};
1315 default:
1316 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
1317 break;
1318 }
1319 break;
1320 case Algorithm::EC:
1321 ADD_FAILURE() << "EC keys must be specified by curve not size";
1322 break;
1323 case Algorithm::AES:
1324 return {128, 256};
1325 case Algorithm::TRIPLE_DES:
1326 return {168};
1327 case Algorithm::HMAC: {
1328 vector<uint32_t> retval((512 - 64) / 8 + 1);
1329 uint32_t size = 64 - 8;
1330 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
1331 return retval;
1332 }
1333 default:
1334 ADD_FAILURE() << "Invalid Algorithm: " << algorithm;
1335 return {};
1336 }
1337 ADD_FAILURE() << "Should be impossible to get here";
1338 return {};
1339 }
1340
InvalidKeySizes(Algorithm algorithm)1341 vector<uint32_t> KeyMintAidlTestBase::InvalidKeySizes(Algorithm algorithm) {
1342 if (SecLevel() == SecurityLevel::STRONGBOX) {
1343 switch (algorithm) {
1344 case Algorithm::RSA:
1345 return {3072, 4096};
1346 case Algorithm::EC:
1347 return {224, 384, 521};
1348 case Algorithm::AES:
1349 return {192};
1350 case Algorithm::TRIPLE_DES:
1351 return {56};
1352 default:
1353 return {};
1354 }
1355 } else {
1356 switch (algorithm) {
1357 case Algorithm::AES:
1358 return {64, 96, 131, 512};
1359 case Algorithm::TRIPLE_DES:
1360 return {56};
1361 default:
1362 return {};
1363 }
1364 }
1365 return {};
1366 }
1367
ValidBlockModes(Algorithm algorithm)1368 vector<BlockMode> KeyMintAidlTestBase::ValidBlockModes(Algorithm algorithm) {
1369 switch (algorithm) {
1370 case Algorithm::AES:
1371 return {
1372 BlockMode::CBC,
1373 BlockMode::CTR,
1374 BlockMode::ECB,
1375 BlockMode::GCM,
1376 };
1377 case Algorithm::TRIPLE_DES:
1378 return {
1379 BlockMode::CBC,
1380 BlockMode::ECB,
1381 };
1382 default:
1383 return {};
1384 }
1385 }
1386
ValidPaddingModes(Algorithm algorithm,BlockMode blockMode)1387 vector<PaddingMode> KeyMintAidlTestBase::ValidPaddingModes(Algorithm algorithm,
1388 BlockMode blockMode) {
1389 switch (algorithm) {
1390 case Algorithm::AES:
1391 switch (blockMode) {
1392 case BlockMode::CBC:
1393 case BlockMode::ECB:
1394 return {PaddingMode::NONE, PaddingMode::PKCS7};
1395 case BlockMode::CTR:
1396 case BlockMode::GCM:
1397 return {PaddingMode::NONE};
1398 default:
1399 return {};
1400 };
1401 case Algorithm::TRIPLE_DES:
1402 switch (blockMode) {
1403 case BlockMode::CBC:
1404 case BlockMode::ECB:
1405 return {PaddingMode::NONE, PaddingMode::PKCS7};
1406 default:
1407 return {};
1408 };
1409 default:
1410 return {};
1411 }
1412 }
1413
InvalidPaddingModes(Algorithm algorithm,BlockMode blockMode)1414 vector<PaddingMode> KeyMintAidlTestBase::InvalidPaddingModes(Algorithm algorithm,
1415 BlockMode blockMode) {
1416 switch (algorithm) {
1417 case Algorithm::AES:
1418 switch (blockMode) {
1419 case BlockMode::CTR:
1420 case BlockMode::GCM:
1421 return {PaddingMode::PKCS7};
1422 default:
1423 return {};
1424 };
1425 default:
1426 return {};
1427 }
1428 }
1429
ValidCurves()1430 vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {
1431 if (securityLevel_ == SecurityLevel::STRONGBOX) {
1432 return {EcCurve::P_256};
1433 } else if (Curve25519Supported()) {
1434 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521,
1435 EcCurve::CURVE_25519};
1436 } else {
1437 return {
1438 EcCurve::P_224,
1439 EcCurve::P_256,
1440 EcCurve::P_384,
1441 EcCurve::P_521,
1442 };
1443 }
1444 }
1445
InvalidCurves()1446 vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {
1447 if (SecLevel() == SecurityLevel::STRONGBOX) {
1448 // Curve 25519 is not supported, either because:
1449 // - KeyMint v1: it's an unknown enum value
1450 // - KeyMint v2+: it's not supported by StrongBox.
1451 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521, EcCurve::CURVE_25519};
1452 } else {
1453 if (Curve25519Supported()) {
1454 return {};
1455 } else {
1456 return {EcCurve::CURVE_25519};
1457 }
1458 }
1459 }
1460
ValidExponents()1461 vector<uint64_t> KeyMintAidlTestBase::ValidExponents() {
1462 if (SecLevel() == SecurityLevel::STRONGBOX) {
1463 return {65537};
1464 } else {
1465 return {3, 65537};
1466 }
1467 }
1468
ValidDigests(bool withNone,bool withMD5)1469 vector<Digest> KeyMintAidlTestBase::ValidDigests(bool withNone, bool withMD5) {
1470 switch (SecLevel()) {
1471 case SecurityLevel::SOFTWARE:
1472 case SecurityLevel::TRUSTED_ENVIRONMENT:
1473 if (withNone) {
1474 if (withMD5)
1475 return {Digest::NONE, Digest::MD5, Digest::SHA1,
1476 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
1477 Digest::SHA_2_512};
1478 else
1479 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
1480 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
1481 } else {
1482 if (withMD5)
1483 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
1484 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
1485 else
1486 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
1487 Digest::SHA_2_512};
1488 }
1489 break;
1490 case SecurityLevel::STRONGBOX:
1491 if (withNone)
1492 return {Digest::NONE, Digest::SHA_2_256};
1493 else
1494 return {Digest::SHA_2_256};
1495 break;
1496 default:
1497 ADD_FAILURE() << "Invalid security level " << uint32_t(SecLevel());
1498 break;
1499 }
1500 ADD_FAILURE() << "Should be impossible to get here";
1501 return {};
1502 }
1503
1504 static const vector<KeyParameter> kEmptyAuthList{};
1505
SecLevelAuthorizations(const vector<KeyCharacteristics> & key_characteristics)1506 const vector<KeyParameter>& KeyMintAidlTestBase::SecLevelAuthorizations(
1507 const vector<KeyCharacteristics>& key_characteristics) {
1508 auto found = std::find_if(key_characteristics.begin(), key_characteristics.end(),
1509 [this](auto& entry) { return entry.securityLevel == SecLevel(); });
1510 return (found == key_characteristics.end()) ? kEmptyAuthList : found->authorizations;
1511 }
1512
SecLevelAuthorizations(const vector<KeyCharacteristics> & key_characteristics,SecurityLevel securityLevel)1513 const vector<KeyParameter>& KeyMintAidlTestBase::SecLevelAuthorizations(
1514 const vector<KeyCharacteristics>& key_characteristics, SecurityLevel securityLevel) {
1515 auto found = std::find_if(
1516 key_characteristics.begin(), key_characteristics.end(),
1517 [securityLevel](auto& entry) { return entry.securityLevel == securityLevel; });
1518 return (found == key_characteristics.end()) ? kEmptyAuthList : found->authorizations;
1519 }
1520
UseAesKey(const vector<uint8_t> & aesKeyBlob)1521 ErrorCode KeyMintAidlTestBase::UseAesKey(const vector<uint8_t>& aesKeyBlob) {
1522 auto [result, ciphertext] = ProcessMessage(
1523 aesKeyBlob, KeyPurpose::ENCRYPT, "1234567890123456",
1524 AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE));
1525 return result;
1526 }
1527
UseHmacKey(const vector<uint8_t> & hmacKeyBlob)1528 ErrorCode KeyMintAidlTestBase::UseHmacKey(const vector<uint8_t>& hmacKeyBlob) {
1529 auto [result, mac] = ProcessMessage(
1530 hmacKeyBlob, KeyPurpose::SIGN, "1234567890123456",
1531 AuthorizationSetBuilder().Authorization(TAG_MAC_LENGTH, 128).Digest(Digest::SHA_2_256));
1532 return result;
1533 }
1534
UseRsaKey(const vector<uint8_t> & rsaKeyBlob)1535 ErrorCode KeyMintAidlTestBase::UseRsaKey(const vector<uint8_t>& rsaKeyBlob) {
1536 std::string message(2048 / 8, 'a');
1537 auto [result, signature] = ProcessMessage(
1538 rsaKeyBlob, KeyPurpose::SIGN, message,
1539 AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1540 return result;
1541 }
1542
UseEcdsaKey(const vector<uint8_t> & ecdsaKeyBlob)1543 ErrorCode KeyMintAidlTestBase::UseEcdsaKey(const vector<uint8_t>& ecdsaKeyBlob) {
1544 auto [result, signature] = ProcessMessage(ecdsaKeyBlob, KeyPurpose::SIGN, "a",
1545 AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1546 return result;
1547 }
1548
GenerateAttestKey(const AuthorizationSet & key_desc,const optional<AttestationKey> & attest_key,vector<uint8_t> * key_blob,vector<KeyCharacteristics> * key_characteristics,vector<Certificate> * cert_chain)1549 ErrorCode KeyMintAidlTestBase::GenerateAttestKey(const AuthorizationSet& key_desc,
1550 const optional<AttestationKey>& attest_key,
1551 vector<uint8_t>* key_blob,
1552 vector<KeyCharacteristics>* key_characteristics,
1553 vector<Certificate>* cert_chain) {
1554 // The original specification for KeyMint v1 required ATTEST_KEY not be combined
1555 // with any other key purpose, but the original VTS tests incorrectly did exactly that.
1556 // This means that a device that launched prior to Android T (API level 33) may
1557 // accept or even require KeyPurpose::SIGN too.
1558 if (property_get_int32("ro.board.first_api_level", 0) < __ANDROID_API_T__) {
1559 AuthorizationSet key_desc_plus_sign = key_desc;
1560 key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);
1561
1562 auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics,
1563 cert_chain);
1564 if (result == ErrorCode::OK) {
1565 return result;
1566 }
1567 // If the key generation failed, it may be because the device is (correctly)
1568 // rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with
1569 // just ATTEST_KEY.
1570 }
1571 return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
1572 }
1573
1574 // Check if ATTEST_KEY feature is disabled
is_attest_key_feature_disabled(void) const1575 bool KeyMintAidlTestBase::is_attest_key_feature_disabled(void) const {
1576 if (!check_feature(FEATURE_KEYSTORE_APP_ATTEST_KEY)) {
1577 GTEST_LOG_(INFO) << "Feature " + FEATURE_KEYSTORE_APP_ATTEST_KEY + " is disabled";
1578 return true;
1579 }
1580
1581 return false;
1582 }
1583
1584 // Check if StrongBox KeyStore is enabled
is_strongbox_enabled(void) const1585 bool KeyMintAidlTestBase::is_strongbox_enabled(void) const {
1586 if (check_feature(FEATURE_STRONGBOX_KEYSTORE)) {
1587 GTEST_LOG_(INFO) << "Feature " + FEATURE_STRONGBOX_KEYSTORE + " is enabled";
1588 return true;
1589 }
1590
1591 return false;
1592 }
1593
1594 // Check if chipset has received a waiver allowing it to be launched with Android S or T with
1595 // Keymaster 4.0 in StrongBox.
is_chipset_allowed_km4_strongbox(void) const1596 bool KeyMintAidlTestBase::is_chipset_allowed_km4_strongbox(void) const {
1597 std::array<char, PROPERTY_VALUE_MAX> buffer;
1598
1599 const int32_t first_api_level = property_get_int32("ro.board.first_api_level", 0);
1600 if (first_api_level <= 0 || first_api_level > __ANDROID_API_T__) return false;
1601
1602 auto res = property_get("ro.vendor.qti.soc_model", buffer.data(), nullptr);
1603 if (res <= 0) return false;
1604
1605 const string allowed_soc_models[] = {"SM8450", "SM8475", "SM8550", "SXR2230P"};
1606
1607 for (const string model : allowed_soc_models) {
1608 if (model.compare(buffer.data()) == 0) {
1609 GTEST_LOG_(INFO) << "QTI SOC Model " + model + " is allowed SB KM 4.0";
1610 return true;
1611 }
1612 }
1613
1614 return false;
1615 }
1616
1617 // Indicate whether a test that involves use of the ATTEST_KEY feature should be
1618 // skipped.
1619 //
1620 // In general, every KeyMint implementation should support ATTEST_KEY;
1621 // however, there is a waiver for some specific devices that ship with a
1622 // combination of Keymaster/StrongBox and KeyMint/TEE. On these devices, the
1623 // ATTEST_KEY feature is disabled in the KeyMint/TEE implementation so that
1624 // the device has consistent ATTEST_KEY behavior (ie. UNIMPLEMENTED) across both
1625 // HAL implementations.
1626 //
1627 // This means that a test involving ATTEST_KEY test should be skipped if all of
1628 // the following conditions hold:
1629 // 1. The device is running one of the chipsets that have received a waiver
1630 // allowing it to be launched with Android S or T with Keymaster 4.0
1631 // in StrongBox
1632 // 2. The device has a STRONGBOX implementation present.
1633 // 3. ATTEST_KEY feature is advertised as disabled.
1634 //
1635 // Note that in this scenario, ATTEST_KEY tests should be skipped for both
1636 // the StrongBox implementation (which is Keymaster, therefore not tested here)
1637 // and for the TEE implementation (which is adjusted to return UNIMPLEMENTED
1638 // specifically for this waiver).
shouldSkipAttestKeyTest(void) const1639 bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const {
1640 // Check the chipset first as that doesn't require a round-trip to Package Manager.
1641 return (is_chipset_allowed_km4_strongbox() && is_strongbox_enabled() &&
1642 is_attest_key_feature_disabled());
1643 }
1644
1645 // Skip a test that involves use of the ATTEST_KEY feature in specific configurations
1646 // where ATTEST_KEY is not supported (for either StrongBox or TEE).
skipAttestKeyTest(void) const1647 void KeyMintAidlTestBase::skipAttestKeyTest(void) const {
1648 if (shouldSkipAttestKeyTest()) {
1649 GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
1650 }
1651 }
1652
verify_serial(X509 * cert,const uint64_t expected_serial)1653 void verify_serial(X509* cert, const uint64_t expected_serial) {
1654 BIGNUM_Ptr ser(BN_new());
1655 EXPECT_TRUE(ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), ser.get()));
1656
1657 uint64_t serial;
1658 EXPECT_TRUE(BN_get_u64(ser.get(), &serial));
1659 EXPECT_EQ(serial, expected_serial);
1660 }
1661
1662 // Please set self_signed to true for fake certificates or self signed
1663 // certificates
verify_subject(const X509 * cert,const string & subject,bool self_signed)1664 void verify_subject(const X509* cert, //
1665 const string& subject, //
1666 bool self_signed) {
1667 char* cert_issuer = //
1668 X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);
1669
1670 char* cert_subj = X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0);
1671
1672 string expected_subject("/CN=");
1673 if (subject.empty()) {
1674 expected_subject.append("Android Keystore Key");
1675 } else {
1676 expected_subject.append(subject);
1677 }
1678
1679 EXPECT_STREQ(expected_subject.c_str(), cert_subj) << "Cert has wrong subject." << cert_subj;
1680
1681 if (self_signed) {
1682 EXPECT_STREQ(cert_issuer, cert_subj)
1683 << "Cert issuer and subject mismatch for self signed certificate.";
1684 }
1685
1686 OPENSSL_free(cert_subj);
1687 OPENSSL_free(cert_issuer);
1688 }
1689
get_vsr_api_level()1690 int get_vsr_api_level() {
1691 int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
1692 if (vendor_api_level != -1) {
1693 return vendor_api_level;
1694 }
1695
1696 // Android S and older devices do not define ro.vendor.api_level
1697 vendor_api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
1698 if (vendor_api_level == -1) {
1699 vendor_api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
1700 }
1701
1702 int product_api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
1703 if (product_api_level == -1) {
1704 product_api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
1705 EXPECT_NE(product_api_level, -1) << "Could not find ro.build.version.sdk";
1706 }
1707
1708 // VSR API level is the minimum of vendor_api_level and product_api_level.
1709 if (vendor_api_level == -1 || vendor_api_level > product_api_level) {
1710 return product_api_level;
1711 }
1712 return vendor_api_level;
1713 }
1714
is_gsi_image()1715 bool is_gsi_image() {
1716 std::ifstream ifs("/system/system_ext/etc/init/init.gsi.rc");
1717 return ifs.good();
1718 }
1719
build_serial_blob(const uint64_t serial_int)1720 vector<uint8_t> build_serial_blob(const uint64_t serial_int) {
1721 BIGNUM_Ptr serial(BN_new());
1722 EXPECT_TRUE(BN_set_u64(serial.get(), serial_int));
1723
1724 int len = BN_num_bytes(serial.get());
1725 vector<uint8_t> serial_blob(len);
1726 if (BN_bn2bin(serial.get(), serial_blob.data()) != len) {
1727 return {};
1728 }
1729
1730 if (serial_blob.empty() || serial_blob[0] & 0x80) {
1731 // An empty blob is OpenSSL's encoding of the zero value; we need single zero byte.
1732 // Top bit being set indicates a negative number in two's complement, but our input
1733 // was positive.
1734 // In either case, prepend a zero byte.
1735 serial_blob.insert(serial_blob.begin(), 0x00);
1736 }
1737
1738 return serial_blob;
1739 }
1740
verify_subject_and_serial(const Certificate & certificate,const uint64_t expected_serial,const string & subject,bool self_signed)1741 void verify_subject_and_serial(const Certificate& certificate, //
1742 const uint64_t expected_serial, //
1743 const string& subject, bool self_signed) {
1744 X509_Ptr cert(parse_cert_blob(certificate.encodedCertificate));
1745 ASSERT_TRUE(!!cert.get());
1746
1747 verify_serial(cert.get(), expected_serial);
1748 verify_subject(cert.get(), subject, self_signed);
1749 }
1750
verify_root_of_trust(const vector<uint8_t> & verified_boot_key,bool device_locked,VerifiedBoot verified_boot_state,const vector<uint8_t> & verified_boot_hash)1751 void verify_root_of_trust(const vector<uint8_t>& verified_boot_key, bool device_locked,
1752 VerifiedBoot verified_boot_state,
1753 const vector<uint8_t>& verified_boot_hash) {
1754 char property_value[PROPERTY_VALUE_MAX] = {};
1755
1756 if (avb_verification_enabled()) {
1757 EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);
1758 string prop_string(property_value);
1759 EXPECT_EQ(prop_string.size(), 64);
1760 EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));
1761
1762 EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);
1763 if (!strcmp(property_value, "unlocked")) {
1764 EXPECT_FALSE(device_locked);
1765 } else {
1766 EXPECT_TRUE(device_locked);
1767 }
1768
1769 // Check that the device is locked if not debuggable, e.g., user build
1770 // images in CTS. For VTS, debuggable images are used to allow adb root
1771 // and the device is unlocked.
1772 if (!property_get_bool("ro.debuggable", false)) {
1773 EXPECT_TRUE(device_locked);
1774 } else {
1775 EXPECT_FALSE(device_locked);
1776 }
1777 }
1778
1779 // Verified boot key should be all 0's if the boot state is not verified or self signed
1780 std::string empty_boot_key(32, '\0');
1781 std::string verified_boot_key_str((const char*)verified_boot_key.data(),
1782 verified_boot_key.size());
1783 EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);
1784 if (!strcmp(property_value, "green")) {
1785 EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);
1786 EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
1787 verified_boot_key.size()));
1788 } else if (!strcmp(property_value, "yellow")) {
1789 EXPECT_EQ(verified_boot_state, VerifiedBoot::SELF_SIGNED);
1790 EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
1791 verified_boot_key.size()));
1792 } else if (!strcmp(property_value, "orange")) {
1793 EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
1794 EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
1795 verified_boot_key.size()));
1796 } else if (!strcmp(property_value, "red")) {
1797 EXPECT_EQ(verified_boot_state, VerifiedBoot::FAILED);
1798 } else {
1799 EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
1800 EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
1801 verified_boot_key.size()));
1802 }
1803 }
1804
verify_attestation_record(int32_t aidl_version,const string & challenge,const string & app_id,AuthorizationSet expected_sw_enforced,AuthorizationSet expected_hw_enforced,SecurityLevel security_level,const vector<uint8_t> & attestation_cert,vector<uint8_t> * unique_id)1805 bool verify_attestation_record(int32_t aidl_version, //
1806 const string& challenge, //
1807 const string& app_id, //
1808 AuthorizationSet expected_sw_enforced, //
1809 AuthorizationSet expected_hw_enforced, //
1810 SecurityLevel security_level,
1811 const vector<uint8_t>& attestation_cert,
1812 vector<uint8_t>* unique_id) {
1813 X509_Ptr cert(parse_cert_blob(attestation_cert));
1814 EXPECT_TRUE(!!cert.get());
1815 if (!cert.get()) return false;
1816
1817 // Make sure CRL Distribution Points extension is not present in a certificate
1818 // containing attestation record.
1819 check_crl_distribution_points_extension_not_present(cert.get());
1820
1821 ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
1822 EXPECT_TRUE(!!attest_rec);
1823 if (!attest_rec) return false;
1824
1825 AuthorizationSet att_sw_enforced;
1826 AuthorizationSet att_hw_enforced;
1827 uint32_t att_attestation_version;
1828 uint32_t att_keymint_version;
1829 SecurityLevel att_attestation_security_level;
1830 SecurityLevel att_keymint_security_level;
1831 vector<uint8_t> att_challenge;
1832 vector<uint8_t> att_unique_id;
1833 vector<uint8_t> att_app_id;
1834
1835 auto error = parse_attestation_record(attest_rec->data, //
1836 attest_rec->length, //
1837 &att_attestation_version, //
1838 &att_attestation_security_level, //
1839 &att_keymint_version, //
1840 &att_keymint_security_level, //
1841 &att_challenge, //
1842 &att_sw_enforced, //
1843 &att_hw_enforced, //
1844 &att_unique_id);
1845 EXPECT_EQ(ErrorCode::OK, error);
1846 if (error != ErrorCode::OK) return false;
1847
1848 check_attestation_version(att_attestation_version, aidl_version);
1849 vector<uint8_t> appId(app_id.begin(), app_id.end());
1850
1851 // check challenge and app id only if we expects a non-fake certificate
1852 if (challenge.length() > 0) {
1853 EXPECT_EQ(challenge.length(), att_challenge.size());
1854 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length()));
1855
1856 expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, appId);
1857 }
1858
1859 check_attestation_version(att_keymint_version, aidl_version);
1860 EXPECT_EQ(security_level, att_keymint_security_level);
1861 EXPECT_EQ(security_level, att_attestation_security_level);
1862
1863 for (int i = 0; i < att_hw_enforced.size(); i++) {
1864 if (att_hw_enforced[i].tag == TAG_BOOT_PATCHLEVEL ||
1865 att_hw_enforced[i].tag == TAG_VENDOR_PATCHLEVEL) {
1866 std::string date =
1867 std::to_string(att_hw_enforced[i].value.get<KeyParameterValue::integer>());
1868
1869 // strptime seems to require delimiters, but the tag value will
1870 // be YYYYMMDD
1871 if (date.size() != 8) {
1872 ADD_FAILURE() << "Tag " << att_hw_enforced[i].tag
1873 << " with invalid format (not YYYYMMDD): " << date;
1874 return false;
1875 }
1876 date.insert(6, "-");
1877 date.insert(4, "-");
1878 struct tm time;
1879 strptime(date.c_str(), "%Y-%m-%d", &time);
1880
1881 // Day of the month (0-31)
1882 EXPECT_GE(time.tm_mday, 0);
1883 EXPECT_LT(time.tm_mday, 32);
1884 // Months since Jan (0-11)
1885 EXPECT_GE(time.tm_mon, 0);
1886 EXPECT_LT(time.tm_mon, 12);
1887 // Years since 1900
1888 EXPECT_GT(time.tm_year, 110);
1889 EXPECT_LT(time.tm_year, 200);
1890 }
1891 }
1892
1893 // Check to make sure boolean values are properly encoded. Presence of a boolean tag
1894 // indicates true. A provided boolean tag that can be pulled back out of the certificate
1895 // indicates correct encoding. No need to check if it's in both lists, since the
1896 // AuthorizationSet compare below will handle mismatches of tags.
1897 if (security_level == SecurityLevel::SOFTWARE) {
1898 EXPECT_TRUE(expected_sw_enforced.Contains(TAG_NO_AUTH_REQUIRED));
1899 } else {
1900 EXPECT_TRUE(expected_hw_enforced.Contains(TAG_NO_AUTH_REQUIRED));
1901 }
1902
1903 if (att_hw_enforced.Contains(TAG_ALGORITHM, Algorithm::EC)) {
1904 // For ECDSA keys, either an EC_CURVE or a KEY_SIZE can be specified, but one must be.
1905 EXPECT_TRUE(att_hw_enforced.Contains(TAG_EC_CURVE) ||
1906 att_hw_enforced.Contains(TAG_KEY_SIZE));
1907 }
1908
1909 // Test root of trust elements
1910 vector<uint8_t> verified_boot_key;
1911 VerifiedBoot verified_boot_state;
1912 bool device_locked;
1913 vector<uint8_t> verified_boot_hash;
1914 error = parse_root_of_trust(attest_rec->data, attest_rec->length, &verified_boot_key,
1915 &verified_boot_state, &device_locked, &verified_boot_hash);
1916 EXPECT_EQ(ErrorCode::OK, error);
1917 verify_root_of_trust(verified_boot_key, device_locked, verified_boot_state, verified_boot_hash);
1918
1919 att_sw_enforced.Sort();
1920 expected_sw_enforced.Sort();
1921 EXPECT_EQ(filtered_tags(expected_sw_enforced), filtered_tags(att_sw_enforced));
1922
1923 att_hw_enforced.Sort();
1924 expected_hw_enforced.Sort();
1925 EXPECT_EQ(filtered_tags(expected_hw_enforced), filtered_tags(att_hw_enforced));
1926
1927 if (unique_id != nullptr) {
1928 *unique_id = att_unique_id;
1929 }
1930
1931 return true;
1932 }
1933
bin2hex(const vector<uint8_t> & data)1934 string bin2hex(const vector<uint8_t>& data) {
1935 string retval;
1936 retval.reserve(data.size() * 2 + 1);
1937 for (uint8_t byte : data) {
1938 retval.push_back(nibble2hex[0x0F & (byte >> 4)]);
1939 retval.push_back(nibble2hex[0x0F & byte]);
1940 }
1941 return retval;
1942 }
1943
HwEnforcedAuthorizations(const vector<KeyCharacteristics> & key_characteristics)1944 AuthorizationSet HwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics) {
1945 AuthorizationSet authList;
1946 for (auto& entry : key_characteristics) {
1947 if (entry.securityLevel == SecurityLevel::STRONGBOX ||
1948 entry.securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT) {
1949 authList.push_back(AuthorizationSet(entry.authorizations));
1950 }
1951 }
1952 return authList;
1953 }
1954
SwEnforcedAuthorizations(const vector<KeyCharacteristics> & key_characteristics)1955 AuthorizationSet SwEnforcedAuthorizations(const vector<KeyCharacteristics>& key_characteristics) {
1956 AuthorizationSet authList;
1957 for (auto& entry : key_characteristics) {
1958 if (entry.securityLevel == SecurityLevel::SOFTWARE ||
1959 entry.securityLevel == SecurityLevel::KEYSTORE) {
1960 authList.push_back(AuthorizationSet(entry.authorizations));
1961 }
1962 }
1963 return authList;
1964 }
1965
ChainSignaturesAreValid(const vector<Certificate> & chain,bool strict_issuer_check)1966 AssertionResult ChainSignaturesAreValid(const vector<Certificate>& chain,
1967 bool strict_issuer_check) {
1968 std::stringstream cert_data;
1969
1970 for (size_t i = 0; i < chain.size(); ++i) {
1971 cert_data << bin2hex(chain[i].encodedCertificate) << std::endl;
1972
1973 X509_Ptr key_cert(parse_cert_blob(chain[i].encodedCertificate));
1974 X509_Ptr signing_cert;
1975 if (i < chain.size() - 1) {
1976 signing_cert = parse_cert_blob(chain[i + 1].encodedCertificate);
1977 } else {
1978 signing_cert = parse_cert_blob(chain[i].encodedCertificate);
1979 }
1980 if (!key_cert.get() || !signing_cert.get()) return AssertionFailure() << cert_data.str();
1981
1982 EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
1983 if (!signing_pubkey.get()) return AssertionFailure() << cert_data.str();
1984
1985 if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
1986 return AssertionFailure()
1987 << "Verification of certificate " << i << " failed "
1988 << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL) << '\n'
1989 << cert_data.str();
1990 }
1991
1992 string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get()));
1993 string signer_subj = x509NameToStr(X509_get_subject_name(signing_cert.get()));
1994 if (cert_issuer != signer_subj && strict_issuer_check) {
1995 return AssertionFailure() << "Cert " << i << " has wrong issuer.\n"
1996 << " Signer subject is " << signer_subj
1997 << " Issuer subject is " << cert_issuer << endl
1998 << cert_data.str();
1999 }
2000 }
2001
2002 if (KeyMintAidlTestBase::dump_Attestations) std::cout << cert_data.str();
2003 return AssertionSuccess();
2004 }
2005
parse_cert_blob(const vector<uint8_t> & blob)2006 X509_Ptr parse_cert_blob(const vector<uint8_t>& blob) {
2007 const uint8_t* p = blob.data();
2008 return X509_Ptr(d2i_X509(nullptr /* allocate new */, &p, blob.size()));
2009 }
2010
2011 // Extract attestation record from cert. Returned object is still part of cert; don't free it
2012 // separately.
get_attestation_record(X509 * certificate)2013 ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
2014 ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
2015 EXPECT_TRUE(!!oid.get());
2016 if (!oid.get()) return nullptr;
2017
2018 int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
2019 EXPECT_NE(-1, location) << "Attestation extension not found in certificate";
2020 if (location == -1) return nullptr;
2021
2022 X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
2023 EXPECT_TRUE(!!attest_rec_ext)
2024 << "Found attestation extension but couldn't retrieve it? Probably a BoringSSL bug.";
2025 if (!attest_rec_ext) return nullptr;
2026
2027 ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
2028 EXPECT_TRUE(!!attest_rec) << "Attestation extension contained no data";
2029 return attest_rec;
2030 }
2031
make_name_from_str(const string & name)2032 vector<uint8_t> make_name_from_str(const string& name) {
2033 X509_NAME_Ptr x509_name(X509_NAME_new());
2034 EXPECT_TRUE(x509_name.get() != nullptr);
2035 if (!x509_name) return {};
2036
2037 EXPECT_EQ(1, X509_NAME_add_entry_by_txt(x509_name.get(), //
2038 "CN", //
2039 MBSTRING_ASC,
2040 reinterpret_cast<const uint8_t*>(name.c_str()),
2041 -1, // len
2042 -1, // loc
2043 0 /* set */));
2044
2045 int len = i2d_X509_NAME(x509_name.get(), nullptr /* only return length */);
2046 EXPECT_GT(len, 0);
2047
2048 vector<uint8_t> retval(len);
2049 uint8_t* p = retval.data();
2050 i2d_X509_NAME(x509_name.get(), &p);
2051
2052 return retval;
2053 }
2054
2055 namespace {
2056
check_cose_key(const vector<uint8_t> & data,bool testMode)2057 void check_cose_key(const vector<uint8_t>& data, bool testMode) {
2058 auto [parsedPayload, __, payloadParseErr] = cppbor::parse(data);
2059 ASSERT_TRUE(parsedPayload) << "Key parse failed: " << payloadParseErr;
2060
2061 // The following check assumes that canonical CBOR encoding is used for the COSE_Key.
2062 if (testMode) {
2063 EXPECT_THAT(
2064 cppbor::prettyPrint(parsedPayload.get()),
2065 MatchesRegex("\\{\n"
2066 " 1 : 2,\n" // kty: EC2
2067 " 3 : -7,\n" // alg: ES256
2068 " -1 : 1,\n" // EC id: P256
2069 // The regex {(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}} matches a
2070 // sequence of 32 hexadecimal bytes, enclosed in braces and
2071 // separated by commas. In this case, some Ed25519 public key.
2072 " -2 : \\{(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}\\},\n" // pub_x: data
2073 " -3 : \\{(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}\\},\n" // pub_y: data
2074 " -70000 : null,\n" // test marker
2075 "\\}"));
2076 } else {
2077 EXPECT_THAT(
2078 cppbor::prettyPrint(parsedPayload.get()),
2079 MatchesRegex("\\{\n"
2080 " 1 : 2,\n" // kty: EC2
2081 " 3 : -7,\n" // alg: ES256
2082 " -1 : 1,\n" // EC id: P256
2083 // The regex {(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}} matches a
2084 // sequence of 32 hexadecimal bytes, enclosed in braces and
2085 // separated by commas. In this case, some Ed25519 public key.
2086 " -2 : \\{(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}\\},\n" // pub_x: data
2087 " -3 : \\{(0x[0-9a-f]{2}, ){31}0x[0-9a-f]{2}\\},\n" // pub_y: data
2088 "\\}"));
2089 }
2090 }
2091
2092 } // namespace
2093
check_maced_pubkey(const MacedPublicKey & macedPubKey,bool testMode,vector<uint8_t> * payload_value)2094 void check_maced_pubkey(const MacedPublicKey& macedPubKey, bool testMode,
2095 vector<uint8_t>* payload_value) {
2096 auto [coseMac0, _, mac0ParseErr] = cppbor::parse(macedPubKey.macedKey);
2097 ASSERT_TRUE(coseMac0) << "COSE Mac0 parse failed " << mac0ParseErr;
2098
2099 ASSERT_NE(coseMac0->asArray(), nullptr);
2100 ASSERT_EQ(coseMac0->asArray()->size(), kCoseMac0EntryCount);
2101
2102 auto protParms = coseMac0->asArray()->get(kCoseMac0ProtectedParams)->asBstr();
2103 ASSERT_NE(protParms, nullptr);
2104
2105 // Header label:value of 'alg': HMAC-256
2106 ASSERT_EQ(cppbor::prettyPrint(protParms->value()), "{\n 1 : 5,\n}");
2107
2108 auto unprotParms = coseMac0->asArray()->get(kCoseMac0UnprotectedParams)->asMap();
2109 ASSERT_NE(unprotParms, nullptr);
2110 ASSERT_EQ(unprotParms->size(), 0);
2111
2112 // The payload is a bstr holding an encoded COSE_Key
2113 auto payload = coseMac0->asArray()->get(kCoseMac0Payload)->asBstr();
2114 ASSERT_NE(payload, nullptr);
2115 check_cose_key(payload->value(), testMode);
2116
2117 auto coseMac0Tag = coseMac0->asArray()->get(kCoseMac0Tag)->asBstr();
2118 ASSERT_TRUE(coseMac0Tag);
2119 auto extractedTag = coseMac0Tag->value();
2120 EXPECT_EQ(extractedTag.size(), 32U);
2121
2122 // Compare with tag generated with kTestMacKey. Should only match in test mode
2123 auto macFunction = [](const cppcose::bytevec& input) {
2124 return cppcose::generateHmacSha256(remote_prov::kTestMacKey, input);
2125 };
2126 auto testTag =
2127 cppcose::generateCoseMac0Mac(macFunction, {} /* external_aad */, payload->value());
2128 ASSERT_TRUE(testTag) << "Tag calculation failed: " << testTag.message();
2129
2130 if (testMode) {
2131 EXPECT_THAT(*testTag, ElementsAreArray(extractedTag));
2132 } else {
2133 EXPECT_THAT(*testTag, Not(ElementsAreArray(extractedTag)));
2134 }
2135 if (payload_value != nullptr) {
2136 *payload_value = payload->value();
2137 }
2138 }
2139
p256_pub_key(const vector<uint8_t> & coseKeyData,EVP_PKEY_Ptr * signingKey)2140 void p256_pub_key(const vector<uint8_t>& coseKeyData, EVP_PKEY_Ptr* signingKey) {
2141 // Extract x and y affine coordinates from the encoded Cose_Key.
2142 auto [parsedPayload, __, payloadParseErr] = cppbor::parse(coseKeyData);
2143 ASSERT_TRUE(parsedPayload) << "Key parse failed: " << payloadParseErr;
2144 auto coseKey = parsedPayload->asMap();
2145 const std::unique_ptr<cppbor::Item>& xItem = coseKey->get(cppcose::CoseKey::PUBKEY_X);
2146 ASSERT_NE(xItem->asBstr(), nullptr);
2147 vector<uint8_t> x = xItem->asBstr()->value();
2148 const std::unique_ptr<cppbor::Item>& yItem = coseKey->get(cppcose::CoseKey::PUBKEY_Y);
2149 ASSERT_NE(yItem->asBstr(), nullptr);
2150 vector<uint8_t> y = yItem->asBstr()->value();
2151
2152 // Concatenate: 0x04 (uncompressed form marker) | x | y
2153 vector<uint8_t> pubKeyData{0x04};
2154 pubKeyData.insert(pubKeyData.end(), x.begin(), x.end());
2155 pubKeyData.insert(pubKeyData.end(), y.begin(), y.end());
2156
2157 EC_KEY_Ptr ecKey = EC_KEY_Ptr(EC_KEY_new());
2158 ASSERT_NE(ecKey, nullptr);
2159 EC_GROUP_Ptr group = EC_GROUP_Ptr(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
2160 ASSERT_NE(group, nullptr);
2161 ASSERT_EQ(EC_KEY_set_group(ecKey.get(), group.get()), 1);
2162 EC_POINT_Ptr point = EC_POINT_Ptr(EC_POINT_new(group.get()));
2163 ASSERT_NE(point, nullptr);
2164 ASSERT_EQ(EC_POINT_oct2point(group.get(), point.get(), pubKeyData.data(), pubKeyData.size(),
2165 nullptr),
2166 1);
2167 ASSERT_EQ(EC_KEY_set_public_key(ecKey.get(), point.get()), 1);
2168
2169 EVP_PKEY_Ptr pubKey = EVP_PKEY_Ptr(EVP_PKEY_new());
2170 ASSERT_NE(pubKey, nullptr);
2171 EVP_PKEY_assign_EC_KEY(pubKey.get(), ecKey.release());
2172 *signingKey = std::move(pubKey);
2173 }
2174
2175 // Check the error code from an attempt to perform device ID attestation with an invalid value.
device_id_attestation_check_acceptable_error(Tag tag,const ErrorCode & result)2176 void device_id_attestation_check_acceptable_error(Tag tag, const ErrorCode& result) {
2177 if (result == ErrorCode::CANNOT_ATTEST_IDS) {
2178 // Standard/default error code for ID mismatch.
2179 } else if (result == ErrorCode::INVALID_TAG) {
2180 // Depending on the situation, other error codes may be acceptable. First, allow older
2181 // implementations to use INVALID_TAG.
2182 ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
2183 << "It is a specification violation for INVALID_TAG to be returned due to ID "
2184 << "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
2185 << "be used for a case where updateAad() is called after update(). As of "
2186 << "VSR-14, this is now enforced as an error.";
2187 } else if (result == ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED) {
2188 // If the device is not a phone, it will not have IMEI/MEID values available. Allow
2189 // ATTESTATION_IDS_NOT_PROVISIONED in this case.
2190 ASSERT_TRUE((tag == TAG_ATTESTATION_ID_IMEI || tag == TAG_ATTESTATION_ID_MEID ||
2191 tag == TAG_ATTESTATION_ID_SECOND_IMEI))
2192 << "incorrect error code on attestation ID mismatch";
2193 } else {
2194 ADD_FAILURE() << "Error code " << result
2195 << " returned on attestation ID mismatch, should be CANNOT_ATTEST_IDS";
2196 }
2197 }
2198
2199 // Check whether the given named feature is available.
check_feature(const std::string & name)2200 bool check_feature(const std::string& name) {
2201 ::android::sp<::android::IServiceManager> sm(::android::defaultServiceManager());
2202 ::android::sp<::android::IBinder> binder(
2203 sm->waitForService(::android::String16("package_native")));
2204 if (binder == nullptr) {
2205 GTEST_LOG_(ERROR) << "waitForService package_native failed";
2206 return false;
2207 }
2208 ::android::sp<::android::content::pm::IPackageManagerNative> packageMgr =
2209 ::android::interface_cast<::android::content::pm::IPackageManagerNative>(binder);
2210 if (packageMgr == nullptr) {
2211 GTEST_LOG_(ERROR) << "Cannot find package manager";
2212 return false;
2213 }
2214 bool hasFeature = false;
2215 auto status = packageMgr->hasSystemFeature(::android::String16(name.c_str()), 0, &hasFeature);
2216 if (!status.isOk()) {
2217 GTEST_LOG_(ERROR) << "hasSystemFeature('" << name << "') failed: " << status;
2218 return false;
2219 }
2220 return hasFeature;
2221 }
2222
2223 } // namespace test
2224
2225 } // namespace aidl::android::hardware::security::keymint
2226