1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security; 18 19 import android.app.Activity; 20 import android.os.Binder; 21 import android.os.IBinder; 22 import android.os.Process; 23 import android.security.keymaster.ExportResult; 24 import android.security.keymaster.KeyCharacteristics; 25 import android.security.keymaster.KeymasterArguments; 26 import android.security.keymaster.KeymasterBlob; 27 import android.security.keymaster.KeymasterDefs; 28 import android.security.keymaster.OperationResult; 29 import android.test.ActivityUnitTestCase; 30 import android.test.AssertionFailedError; 31 import android.test.MoreAsserts; 32 import android.test.suitebuilder.annotation.MediumTest; 33 import com.android.org.conscrypt.NativeConstants; 34 import java.nio.charset.StandardCharsets; 35 import java.util.Arrays; 36 import java.util.HashSet; 37 import java.security.spec.RSAKeyGenParameterSpec; 38 39 /** 40 * Junit / Instrumentation test case for KeyStore class 41 * 42 * Running the test suite: 43 * 44 * runtest keystore-unit 45 * 46 * Or this individual test case: 47 * 48 * runtest --path frameworks/base/keystore/tests/src/android/security/KeyStoreTest.java 49 */ 50 @MediumTest 51 public class KeyStoreTest extends ActivityUnitTestCase<Activity> { 52 private static final String TEST_PASSWD = "12345678"; 53 private static final String TEST_PASSWD2 = "87654321"; 54 private static final String TEST_KEYNAME = "test-key"; 55 private static final String TEST_KEYNAME1 = "test-key.1"; 56 private static final String TEST_KEYNAME2 = "test-key\02"; 57 private static final byte[] TEST_KEYVALUE = "test value".getBytes(StandardCharsets.UTF_8); 58 59 // "Hello, World" in Chinese 60 private static final String TEST_I18N_KEY = "\u4F60\u597D, \u4E16\u754C"; 61 private static final byte[] TEST_I18N_VALUE = TEST_I18N_KEY.getBytes(StandardCharsets.UTF_8); 62 63 // Test vector data for signatures 64 private static final int RSA_KEY_SIZE = 1024; 65 private static final byte[] TEST_DATA = new byte[RSA_KEY_SIZE / 8]; 66 static { 67 for (int i = 0; i < TEST_DATA.length; i++) { 68 TEST_DATA[i] = (byte) i; 69 } 70 } 71 72 private KeyStore mKeyStore = null; 73 KeyStoreTest()74 public KeyStoreTest() { 75 super(Activity.class); 76 } 77 78 private static final byte[] PRIVKEY_BYTES = hexToBytes( 79 "308204BE020100300D06092A864886F70D0101010500048204A8308204A4020100028201" + 80 "0100E0473E8AB8F2284FEB9E742FF9748FA118ED98633C92F52AEB7A2EBE0D3BE60329BE" + 81 "766AD10EB6A515D0D2CFD9BEA7930F0C306537899F7958CD3E85B01F8818524D312584A9" + 82 "4B251E3625B54141EDBFEE198808E1BB97FC7CB49B9EAAAF68E9C98D7D0EDC53BBC0FA00" + 83 "34356D6305FBBCC3C7001405386ABBC873CB0F3EF7425F3D33DF7B315AE036D2A0B66AFD" + 84 "47503B169BF36E3B5162515B715FDA83DEAF2C58AEB9ABFB3097C3CC9DD9DBE5EF296C17" + 85 "6139028E8A671E63056D45F40188D2C4133490845DE52C2534E9C6B2478C07BDAE928823" + 86 "B62D066C7770F9F63F3DBA247F530844747BE7AAA85D853B8BD244ACEC3DE3C89AB46453" + 87 "AB4D24C3AC6902030100010282010037784776A5F17698F5AC960DFB83A1B67564E648BD" + 88 "0597CF8AB8087186F2669C27A9ECBDD480F0197A80D07309E6C6A96F925331E57F8B4AC6" + 89 "F4D45EDA45A23269C09FC428C07A4E6EDF738A15DEC97FABD2F2BB47A14F20EA72FCFE4C" + 90 "36E01ADA77BD137CD8D4DA10BB162E94A4662971F175F985FA188F056CB97EE2816F43AB" + 91 "9D3747612486CDA8C16196C30818A995EC85D38467791267B3BF21F273710A6925862576" + 92 "841C5B6712C12D4BD20A2F3299ADB7C135DA5E9515ABDA76E7CAF2A3BE80551D073B78BF" + 93 "1162C48AD2B7F4743A0238EE4D252F7D5E7E6533CCAE64CCB39360075A2FD1E034EC3AE5" + 94 "CE9C408CCBF0E25E4114021687B3DD4754AE8102818100F541884BC3737B2922D4119EF4" + 95 "5E2DEE2CD4CBB75F45505A157AA5009F99C73A2DF0724AC46024306332EA898177634546" + 96 "5DC6DF1E0A6F140AFF3B7396E6A8994AC5DAA96873472FE37749D14EB3E075E629DBEB35" + 97 "83338A6F3649D0A2654A7A42FD9AB6BFA4AC4D481D390BB229B064BDC311CC1BE1B63189" + 98 "DA7C40CDECF2B102818100EA1A742DDB881CEDB7288C87E38D868DD7A409D15A43F445D5" + 99 "377A0B5731DDBFCA2DAF28A8E13CD5C0AFCEC3347D74A39E235A3CD9633F274DE2B94F92" + 100 "DF43833911D9E9F1CF58F27DE2E08FF45964C720D3EC2139DC7CAFC912953CDECB2F355A" + 101 "2E2C35A50FAD754CB3B23166424BA3B6E3112A2B898C38C5C15EDB238693390281805182" + 102 "8F1EC6FD996029901BAF1D7E337BA5F0AF27E984EAD895ACE62BD7DF4EE45A224089F2CC" + 103 "151AF3CD173FCE0474BCB04F386A2CDCC0E0036BA2419F54579262D47100BE931984A3EF" + 104 "A05BECF141574DC079B3A95C4A83E6C43F3214D6DF32D512DE198085E531E616B83FD7DD" + 105 "9D1F4E2607C3333D07C55D107D1D3893587102818100DB4FB50F50DE8EDB53FF34C80931" + 106 "88A0512867DA2CCA04897759E587C244010DAF8664D59E8083D16C164789301F67A9F078" + 107 "060D834A2ADBD367575B68A8A842C2B02A89B3F31FCCEC8A22FE395795C5C6C7422B4E5D" + 108 "74A1E9A8F30E7759B9FC2D639C1F15673E84E93A5EF1506F4315383C38D45CBD1B14048F" + 109 "4721DC82326102818100D8114593AF415FB612DBF1923710D54D07486205A76A3B431949" + 110 "68C0DFF1F11EF0F61A4A337D5FD3741BBC9640E447B8B6B6C47C3AC1204357D3B0C55BA9" + 111 "286BDA73F629296F5FA9146D8976357D3C751E75148696A40B74685C82CE30902D639D72" + 112 "4FF24D5E2E9407EE34EDED2E3B4DF65AA9BCFEB6DF28D07BA6903F165768"); 113 114 private static final byte[] AES256_BYTES = hexToBytes( 115 "0CC175B9C0F1B6A831C399E269772661CEC520EA51EA0A47E87295FA3245A605"); 116 hexToBytes(String s)117 private static byte[] hexToBytes(String s) { 118 int len = s.length(); 119 byte[] data = new byte[len / 2]; 120 for (int i = 0; i < len; i += 2) { 121 data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit( 122 s.charAt(i + 1), 16)); 123 } 124 return data; 125 } 126 127 @Override setUp()128 protected void setUp() throws Exception { 129 mKeyStore = KeyStore.getInstance(); 130 if (mKeyStore.state() != KeyStore.State.UNINITIALIZED) { 131 mKeyStore.reset(); 132 } 133 assertEquals("KeyStore should be in an uninitialized state", 134 KeyStore.State.UNINITIALIZED, mKeyStore.state()); 135 super.setUp(); 136 } 137 138 @Override tearDown()139 protected void tearDown() throws Exception { 140 mKeyStore.reset(); 141 super.tearDown(); 142 } 143 testState()144 public void testState() throws Exception { 145 assertEquals(KeyStore.State.UNINITIALIZED, mKeyStore.state()); 146 } 147 testPassword()148 public void testPassword() throws Exception { 149 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 150 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 151 } 152 testGet()153 public void testGet() throws Exception { 154 assertNull(mKeyStore.get(TEST_KEYNAME)); 155 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 156 assertNull(mKeyStore.get(TEST_KEYNAME)); 157 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 158 KeyStore.FLAG_ENCRYPTED)); 159 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 160 } 161 testPut()162 public void testPut() throws Exception { 163 assertNull(mKeyStore.get(TEST_KEYNAME)); 164 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 165 KeyStore.FLAG_ENCRYPTED)); 166 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 167 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 168 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 169 KeyStore.FLAG_ENCRYPTED)); 170 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 171 } 172 testPut_grantedUid_Wifi()173 public void testPut_grantedUid_Wifi() throws Exception { 174 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 175 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 176 KeyStore.FLAG_ENCRYPTED)); 177 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 178 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 179 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 180 KeyStore.FLAG_ENCRYPTED)); 181 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 182 } 183 testPut_ungrantedUid_Bluetooth()184 public void testPut_ungrantedUid_Bluetooth() throws Exception { 185 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 186 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 187 KeyStore.FLAG_ENCRYPTED)); 188 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 189 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 190 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 191 KeyStore.FLAG_ENCRYPTED)); 192 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 193 } 194 testI18n()195 public void testI18n() throws Exception { 196 assertFalse(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE, KeyStore.UID_SELF, 197 KeyStore.FLAG_ENCRYPTED)); 198 assertFalse(mKeyStore.contains(TEST_I18N_KEY)); 199 mKeyStore.onUserPasswordChanged(TEST_I18N_KEY); 200 assertTrue(mKeyStore.put(TEST_I18N_KEY, TEST_I18N_VALUE, KeyStore.UID_SELF, 201 KeyStore.FLAG_ENCRYPTED)); 202 assertTrue(mKeyStore.contains(TEST_I18N_KEY)); 203 } 204 testDelete()205 public void testDelete() throws Exception { 206 assertFalse(mKeyStore.delete(TEST_KEYNAME)); 207 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 208 assertFalse(mKeyStore.delete(TEST_KEYNAME)); 209 210 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 211 KeyStore.FLAG_ENCRYPTED)); 212 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 213 assertTrue(mKeyStore.delete(TEST_KEYNAME)); 214 assertNull(mKeyStore.get(TEST_KEYNAME)); 215 } 216 testDelete_grantedUid_Wifi()217 public void testDelete_grantedUid_Wifi() throws Exception { 218 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 219 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 220 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 221 222 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 223 KeyStore.FLAG_ENCRYPTED)); 224 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 225 assertTrue(mKeyStore.delete(TEST_KEYNAME, Process.WIFI_UID)); 226 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 227 } 228 testDelete_ungrantedUid_Bluetooth()229 public void testDelete_ungrantedUid_Bluetooth() throws Exception { 230 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 231 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 232 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 233 234 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 235 KeyStore.FLAG_ENCRYPTED)); 236 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 237 assertFalse(mKeyStore.delete(TEST_KEYNAME, Process.BLUETOOTH_UID)); 238 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 239 } 240 testContains()241 public void testContains() throws Exception { 242 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 243 244 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 245 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 246 247 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 248 KeyStore.FLAG_ENCRYPTED)); 249 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 250 } 251 testContains_grantedUid_Wifi()252 public void testContains_grantedUid_Wifi() throws Exception { 253 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 254 255 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 256 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 257 258 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.WIFI_UID, 259 KeyStore.FLAG_ENCRYPTED)); 260 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 261 } 262 testContains_grantedUid_Bluetooth()263 public void testContains_grantedUid_Bluetooth() throws Exception { 264 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 265 266 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 267 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 268 269 assertFalse(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, Process.BLUETOOTH_UID, 270 KeyStore.FLAG_ENCRYPTED)); 271 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 272 } 273 testList()274 public void testList() throws Exception { 275 String[] emptyResult = mKeyStore.list(TEST_KEYNAME); 276 assertNotNull(emptyResult); 277 assertEquals(0, emptyResult.length); 278 279 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 280 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 281 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 282 283 String[] results = mKeyStore.list(TEST_KEYNAME); 284 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 285 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 286 new HashSet(Arrays.asList(results))); 287 } 288 testList_ungrantedUid_Bluetooth()289 public void testList_ungrantedUid_Bluetooth() throws Exception { 290 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.BLUETOOTH_UID); 291 assertEquals(0, results1.length); 292 293 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 294 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 295 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 296 297 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.BLUETOOTH_UID); 298 assertEquals(0, results2.length); 299 } 300 testList_grantedUid_Wifi()301 public void testList_grantedUid_Wifi() throws Exception { 302 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.WIFI_UID); 303 assertNotNull(results1); 304 assertEquals(0, results1.length); 305 306 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 307 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED); 308 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED); 309 310 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.WIFI_UID); 311 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 312 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 313 new HashSet(Arrays.asList(results2))); 314 } 315 testList_grantedUid_Vpn()316 public void testList_grantedUid_Vpn() throws Exception { 317 String[] results1 = mKeyStore.list(TEST_KEYNAME, Process.VPN_UID); 318 assertNotNull(results1); 319 assertEquals(0, results1.length); 320 321 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 322 mKeyStore.put(TEST_KEYNAME1, TEST_KEYVALUE, Process.VPN_UID, KeyStore.FLAG_ENCRYPTED); 323 mKeyStore.put(TEST_KEYNAME2, TEST_KEYVALUE, Process.VPN_UID, KeyStore.FLAG_ENCRYPTED); 324 325 String[] results2 = mKeyStore.list(TEST_KEYNAME, Process.VPN_UID); 326 assertEquals(new HashSet(Arrays.asList(TEST_KEYNAME1.substring(TEST_KEYNAME.length()), 327 TEST_KEYNAME2.substring(TEST_KEYNAME.length()))), 328 new HashSet(Arrays.asList(results2))); 329 } 330 testLock()331 public void testLock() throws Exception { 332 assertFalse(mKeyStore.lock()); 333 334 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 335 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 336 337 assertTrue(mKeyStore.lock()); 338 assertEquals(KeyStore.State.LOCKED, mKeyStore.state()); 339 } 340 testUnlock()341 public void testUnlock() throws Exception { 342 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 343 assertEquals(KeyStore.State.UNLOCKED, mKeyStore.state()); 344 mKeyStore.lock(); 345 346 assertFalse(mKeyStore.unlock(TEST_PASSWD2)); 347 assertTrue(mKeyStore.unlock(TEST_PASSWD)); 348 } 349 testIsEmpty()350 public void testIsEmpty() throws Exception { 351 assertTrue(mKeyStore.isEmpty()); 352 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 353 assertTrue(mKeyStore.isEmpty()); 354 mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED); 355 assertFalse(mKeyStore.isEmpty()); 356 mKeyStore.reset(); 357 assertTrue(mKeyStore.isEmpty()); 358 } 359 testGenerate_NotInitialized_Fail()360 public void testGenerate_NotInitialized_Fail() throws Exception { 361 assertFalse("Should fail when keystore is not initialized", 362 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 363 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 364 } 365 testGenerate_Locked_Fail()366 public void testGenerate_Locked_Fail() throws Exception { 367 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 368 mKeyStore.lock(); 369 assertFalse("Should fail when keystore is locked", 370 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 371 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 372 } 373 testGenerate_Success()374 public void testGenerate_Success() throws Exception { 375 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 376 377 assertTrue("Should be able to generate key when unlocked", 378 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 379 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 380 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 381 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 382 } 383 testGenerate_grantedUid_Wifi_Success()384 public void testGenerate_grantedUid_Wifi_Success() throws Exception { 385 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 386 387 assertTrue("Should be able to generate key when unlocked", 388 mKeyStore.generate(TEST_KEYNAME, Process.WIFI_UID, NativeConstants.EVP_PKEY_RSA, 389 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 390 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 391 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 392 } 393 testGenerate_ungrantedUid_Bluetooth_Failure()394 public void testGenerate_ungrantedUid_Bluetooth_Failure() throws Exception { 395 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 396 397 assertFalse(mKeyStore.generate(TEST_KEYNAME, Process.BLUETOOTH_UID, 398 NativeConstants.EVP_PKEY_RSA, RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 399 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 400 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 401 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 402 } 403 testImport_Success()404 public void testImport_Success() throws Exception { 405 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 406 407 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 408 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 409 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 410 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 411 } 412 testImport_grantedUid_Wifi_Success()413 public void testImport_grantedUid_Wifi_Success() throws Exception { 414 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 415 416 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 417 PRIVKEY_BYTES, Process.WIFI_UID, KeyStore.FLAG_ENCRYPTED)); 418 assertTrue(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 419 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 420 } 421 testImport_ungrantedUid_Bluetooth_Failure()422 public void testImport_ungrantedUid_Bluetooth_Failure() throws Exception { 423 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 424 425 assertFalse(mKeyStore.importKey(TEST_KEYNAME, PRIVKEY_BYTES, Process.BLUETOOTH_UID, 426 KeyStore.FLAG_ENCRYPTED)); 427 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 428 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 429 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 430 } 431 testImport_Failure_BadEncoding()432 public void testImport_Failure_BadEncoding() throws Exception { 433 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 434 435 assertFalse("Invalid DER-encoded key should not be imported", mKeyStore.importKey( 436 TEST_KEYNAME, TEST_DATA, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 437 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 438 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 439 } 440 testSign_Success()441 public void testSign_Success() throws Exception { 442 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 443 444 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 445 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 446 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 447 final byte[] signature = mKeyStore.sign(TEST_KEYNAME, TEST_DATA); 448 449 assertNotNull("Signature should not be null", signature); 450 } 451 testVerify_Success()452 public void testVerify_Success() throws Exception { 453 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 454 455 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 456 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 457 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 458 final byte[] signature = mKeyStore.sign(TEST_KEYNAME, TEST_DATA); 459 460 assertNotNull("Signature should not be null", signature); 461 462 assertTrue("Signature should verify with same data", 463 mKeyStore.verify(TEST_KEYNAME, TEST_DATA, signature)); 464 } 465 testSign_NotInitialized_Failure()466 public void testSign_NotInitialized_Failure() throws Exception { 467 assertNull("Should not be able to sign without first initializing the keystore", 468 mKeyStore.sign(TEST_KEYNAME, TEST_DATA)); 469 } 470 testSign_NotGenerated_Failure()471 public void testSign_NotGenerated_Failure() throws Exception { 472 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 473 474 assertNull("Should not be able to sign without first generating keys", 475 mKeyStore.sign(TEST_KEYNAME, TEST_DATA)); 476 } 477 testGrant_Generated_Success()478 public void testGrant_Generated_Success() throws Exception { 479 assertTrue("Password should work for keystore", 480 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 481 482 assertTrue("Should be able to generate key for testcase", 483 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 484 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 485 486 assertTrue("Should be able to grant key to other user", 487 mKeyStore.grant(TEST_KEYNAME, 0)); 488 } 489 testGrant_Imported_Success()490 public void testGrant_Imported_Success() throws Exception { 491 assertTrue("Password should work for keystore", mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 492 493 assertTrue("Should be able to import key for testcase", mKeyStore.importKey(TEST_KEYNAME, 494 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 495 496 assertTrue("Should be able to grant key to other user", mKeyStore.grant(TEST_KEYNAME, 0)); 497 } 498 testGrant_NoKey_Failure()499 public void testGrant_NoKey_Failure() throws Exception { 500 assertTrue("Should be able to unlock keystore for test", 501 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 502 503 assertFalse("Should not be able to grant without first initializing the keystore", 504 mKeyStore.grant(TEST_KEYNAME, 0)); 505 } 506 testGrant_NotInitialized_Failure()507 public void testGrant_NotInitialized_Failure() throws Exception { 508 assertFalse("Should not be able to grant without first initializing the keystore", 509 mKeyStore.grant(TEST_KEYNAME, 0)); 510 } 511 testUngrant_Generated_Success()512 public void testUngrant_Generated_Success() throws Exception { 513 assertTrue("Password should work for keystore", 514 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 515 516 assertTrue("Should be able to generate key for testcase", 517 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 518 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 519 520 assertTrue("Should be able to grant key to other user", 521 mKeyStore.grant(TEST_KEYNAME, 0)); 522 523 assertTrue("Should be able to ungrant key to other user", 524 mKeyStore.ungrant(TEST_KEYNAME, 0)); 525 } 526 testUngrant_Imported_Success()527 public void testUngrant_Imported_Success() throws Exception { 528 assertTrue("Password should work for keystore", 529 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 530 531 assertTrue("Should be able to import key for testcase", mKeyStore.importKey(TEST_KEYNAME, 532 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 533 534 assertTrue("Should be able to grant key to other user", 535 mKeyStore.grant(TEST_KEYNAME, 0)); 536 537 assertTrue("Should be able to ungrant key to other user", 538 mKeyStore.ungrant(TEST_KEYNAME, 0)); 539 } 540 testUngrant_NotInitialized_Failure()541 public void testUngrant_NotInitialized_Failure() throws Exception { 542 assertFalse("Should fail to ungrant key when keystore not initialized", 543 mKeyStore.ungrant(TEST_KEYNAME, 0)); 544 } 545 testUngrant_NoGrant_Failure()546 public void testUngrant_NoGrant_Failure() throws Exception { 547 assertTrue("Password should work for keystore", 548 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 549 550 assertTrue("Should be able to generate key for testcase", 551 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 552 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 553 554 assertFalse("Should not be able to revoke not existent grant", 555 mKeyStore.ungrant(TEST_KEYNAME, 0)); 556 } 557 testUngrant_DoubleUngrant_Failure()558 public void testUngrant_DoubleUngrant_Failure() throws Exception { 559 assertTrue("Password should work for keystore", 560 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 561 562 assertTrue("Should be able to generate key for testcase", 563 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 564 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 565 566 assertTrue("Should be able to grant key to other user", 567 mKeyStore.grant(TEST_KEYNAME, 0)); 568 569 assertTrue("Should be able to ungrant key to other user", 570 mKeyStore.ungrant(TEST_KEYNAME, 0)); 571 572 assertFalse("Should fail to ungrant key to other user second time", 573 mKeyStore.ungrant(TEST_KEYNAME, 0)); 574 } 575 testUngrant_DoubleGrantUngrant_Failure()576 public void testUngrant_DoubleGrantUngrant_Failure() throws Exception { 577 assertTrue("Password should work for keystore", 578 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 579 580 assertTrue("Should be able to generate key for testcase", 581 mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 582 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 583 584 assertTrue("Should be able to grant key to other user", 585 mKeyStore.grant(TEST_KEYNAME, 0)); 586 587 assertTrue("Should be able to grant key to other user a second time", 588 mKeyStore.grant(TEST_KEYNAME, 0)); 589 590 assertTrue("Should be able to ungrant key to other user", 591 mKeyStore.ungrant(TEST_KEYNAME, 0)); 592 593 assertFalse("Should fail to ungrant key to other user second time", 594 mKeyStore.ungrant(TEST_KEYNAME, 0)); 595 } 596 testDuplicate_grantedUid_Wifi_Success()597 public void testDuplicate_grantedUid_Wifi_Success() throws Exception { 598 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 599 600 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 601 602 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 603 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 604 605 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 606 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 607 608 // source doesn't exist 609 assertFalse(mKeyStore.duplicate(TEST_KEYNAME1, -1, TEST_KEYNAME1, Process.WIFI_UID)); 610 assertFalse(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 611 612 // Copy from current UID to granted UID 613 assertTrue(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME1, Process.WIFI_UID)); 614 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 615 assertFalse(mKeyStore.contains(TEST_KEYNAME1)); 616 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 617 assertTrue(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 618 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME1, Process.WIFI_UID)); 619 620 // Copy from granted UID to same granted UID 621 assertTrue(mKeyStore.duplicate(TEST_KEYNAME1, Process.WIFI_UID, TEST_KEYNAME2, 622 Process.WIFI_UID)); 623 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.WIFI_UID)); 624 assertTrue(mKeyStore.contains(TEST_KEYNAME1, Process.WIFI_UID)); 625 assertTrue(mKeyStore.contains(TEST_KEYNAME2, Process.WIFI_UID)); 626 assertFalse(mKeyStore.duplicate(TEST_KEYNAME1, Process.WIFI_UID, TEST_KEYNAME2, 627 Process.WIFI_UID)); 628 629 assertTrue(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, -1)); 630 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 631 assertFalse(mKeyStore.contains(TEST_KEYNAME1)); 632 assertTrue(mKeyStore.contains(TEST_KEYNAME2)); 633 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, -1)); 634 } 635 testDuplicate_ungrantedUid_Bluetooth_Failure()636 public void testDuplicate_ungrantedUid_Bluetooth_Failure() throws Exception { 637 assertTrue(mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 638 639 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 640 641 assertTrue(mKeyStore.generate(TEST_KEYNAME, KeyStore.UID_SELF, NativeConstants.EVP_PKEY_RSA, 642 RSA_KEY_SIZE, KeyStore.FLAG_ENCRYPTED, null)); 643 644 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 645 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 646 647 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, -1, TEST_KEYNAME2, Process.BLUETOOTH_UID)); 648 assertFalse(mKeyStore.duplicate(TEST_KEYNAME, Process.BLUETOOTH_UID, TEST_KEYNAME2, 649 Process.BLUETOOTH_UID)); 650 651 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 652 assertFalse(mKeyStore.contains(TEST_KEYNAME, Process.BLUETOOTH_UID)); 653 } 654 655 /** 656 * The amount of time to allow before and after expected time for variance 657 * in timing tests. 658 */ 659 private static final long SLOP_TIME_MILLIS = 15000L; 660 testGetmtime_Success()661 public void testGetmtime_Success() throws Exception { 662 assertTrue("Password should work for keystore", 663 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 664 665 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 666 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 667 668 long now = System.currentTimeMillis(); 669 long actual = mKeyStore.getmtime(TEST_KEYNAME); 670 671 long expectedAfter = now - SLOP_TIME_MILLIS; 672 long expectedBefore = now + SLOP_TIME_MILLIS; 673 674 assertLessThan("Time should be close to current time", expectedBefore, actual); 675 assertGreaterThan("Time should be close to current time", expectedAfter, actual); 676 } 677 assertLessThan(String explanation, long expectedBefore, long actual)678 private static void assertLessThan(String explanation, long expectedBefore, long actual) { 679 if (actual >= expectedBefore) { 680 throw new AssertionFailedError(explanation + ": actual=" + actual 681 + ", expected before: " + expectedBefore); 682 } 683 } 684 assertGreaterThan(String explanation, long expectedAfter, long actual)685 private static void assertGreaterThan(String explanation, long expectedAfter, long actual) { 686 if (actual <= expectedAfter) { 687 throw new AssertionFailedError(explanation + ": actual=" + actual 688 + ", expected after: " + expectedAfter); 689 } 690 } 691 testGetmtime_NonExist_Failure()692 public void testGetmtime_NonExist_Failure() throws Exception { 693 assertTrue("Password should work for keystore", 694 mKeyStore.onUserPasswordChanged(TEST_PASSWD)); 695 696 assertTrue("Should be able to import key when unlocked", mKeyStore.importKey(TEST_KEYNAME, 697 PRIVKEY_BYTES, KeyStore.UID_SELF, KeyStore.FLAG_ENCRYPTED)); 698 699 assertEquals("-1 should be returned for non-existent key", 700 -1L, mKeyStore.getmtime(TEST_KEYNAME2)); 701 } 702 generateRsaKey(String name)703 private KeyCharacteristics generateRsaKey(String name) throws Exception { 704 KeymasterArguments args = new KeymasterArguments(); 705 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 706 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 707 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 708 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 709 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 710 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 711 args.addUnsignedLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, RSAKeyGenParameterSpec.F4); 712 713 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 714 int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 715 assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result); 716 return outCharacteristics; 717 } 718 testGenerateKey()719 public void testGenerateKey() throws Exception { 720 generateRsaKey("test"); 721 mKeyStore.delete("test"); 722 } 723 testGenerateRsaWithEntropy()724 public void testGenerateRsaWithEntropy() throws Exception { 725 byte[] entropy = new byte[] {1,2,3,4,5}; 726 String name = "test"; 727 KeymasterArguments args = new KeymasterArguments(); 728 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 729 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 730 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 731 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 732 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 733 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 734 args.addUnsignedLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, RSAKeyGenParameterSpec.F4); 735 736 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 737 int result = mKeyStore.generateKey(name, args, entropy, 0, outCharacteristics); 738 assertEquals("generateKey should succeed", KeyStore.NO_ERROR, result); 739 } 740 testGenerateAndDelete()741 public void testGenerateAndDelete() throws Exception { 742 generateRsaKey("test"); 743 assertTrue("delete should succeed", mKeyStore.delete("test")); 744 } 745 testGetKeyCharacteristicsSuccess()746 public void testGetKeyCharacteristicsSuccess() throws Exception { 747 mKeyStore.onUserPasswordChanged(TEST_PASSWD); 748 String name = "test"; 749 KeyCharacteristics gen = generateRsaKey(name); 750 KeyCharacteristics call = new KeyCharacteristics(); 751 int result = mKeyStore.getKeyCharacteristics(name, null, null, call); 752 assertEquals("getKeyCharacteristics should succeed", KeyStore.NO_ERROR, result); 753 mKeyStore.delete("test"); 754 } 755 testAppId()756 public void testAppId() throws Exception { 757 String name = "test"; 758 byte[] id = new byte[] {0x01, 0x02, 0x03}; 759 KeymasterArguments args = new KeymasterArguments(); 760 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 761 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 762 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_RSA); 763 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 764 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 2048); 765 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 766 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 767 args.addBytes(KeymasterDefs.KM_TAG_APPLICATION_ID, id); 768 args.addUnsignedLong(KeymasterDefs.KM_TAG_RSA_PUBLIC_EXPONENT, RSAKeyGenParameterSpec.F4); 769 770 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 771 int result = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 772 assertEquals("generateRsaKey should succeed", KeyStore.NO_ERROR, result); 773 assertEquals("getKeyCharacteristics should fail without application ID", 774 KeymasterDefs.KM_ERROR_INVALID_KEY_BLOB, 775 mKeyStore.getKeyCharacteristics(name, null, null, outCharacteristics)); 776 assertEquals("getKeyCharacteristics should succeed with application ID", 777 KeyStore.NO_ERROR, 778 mKeyStore.getKeyCharacteristics(name, new KeymasterBlob(id), null, 779 outCharacteristics)); 780 } 781 782 testExportRsa()783 public void testExportRsa() throws Exception { 784 String name = "test"; 785 generateRsaKey(name); 786 ExportResult result = mKeyStore.exportKey(name, KeymasterDefs.KM_KEY_FORMAT_X509, null, 787 null); 788 assertEquals("Export success", KeyStore.NO_ERROR, result.resultCode); 789 // TODO: Verify we have an RSA public key that's well formed. 790 } 791 testAesGcmEncryptSuccess()792 public void testAesGcmEncryptSuccess() throws Exception { 793 String name = "test"; 794 KeymasterArguments args = new KeymasterArguments(); 795 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 796 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 797 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 798 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 799 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 800 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_GCM); 801 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 802 803 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 804 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 805 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 806 807 args = new KeymasterArguments(); 808 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 809 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_GCM); 810 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 811 args.addUnsignedInt(KeymasterDefs.KM_TAG_MAC_LENGTH, 128); 812 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 813 true, args, null); 814 IBinder token = result.token; 815 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 816 result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04}); 817 assertEquals("Update should succeed", KeyStore.NO_ERROR, result.resultCode); 818 assertEquals("Finish should succeed", KeyStore.NO_ERROR, 819 mKeyStore.finish(token, null, null).resultCode); 820 // TODO: Assert that an AEAD tag was returned by finish 821 } 822 testBadToken()823 public void testBadToken() throws Exception { 824 IBinder token = new Binder(); 825 OperationResult result = mKeyStore.update(token, null, new byte[] {0x01}); 826 assertEquals("Update with invalid token should fail", 827 KeymasterDefs.KM_ERROR_INVALID_OPERATION_HANDLE, result.resultCode); 828 } 829 importAesKey(String name, byte[] key, int size, int mode)830 private int importAesKey(String name, byte[] key, int size, int mode) { 831 KeymasterArguments args = new KeymasterArguments(); 832 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 833 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 834 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 835 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 836 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, mode); 837 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, size); 838 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 839 return mKeyStore.importKey(name, args, KeymasterDefs.KM_KEY_FORMAT_RAW, key, 0, 840 new KeyCharacteristics()); 841 } doOperation(String name, int purpose, byte[] in, KeymasterArguments beginArgs)842 private byte[] doOperation(String name, int purpose, byte[] in, KeymasterArguments beginArgs) { 843 OperationResult result = mKeyStore.begin(name, purpose, 844 true, beginArgs, null); 845 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 846 IBinder token = result.token; 847 result = mKeyStore.update(token, null, in); 848 assertEquals("Update should succeed", KeyStore.NO_ERROR, result.resultCode); 849 assertEquals("All data should be consumed", in.length, result.inputConsumed); 850 assertEquals("Finish should succeed", KeyStore.NO_ERROR, 851 mKeyStore.finish(token, null, null).resultCode); 852 return result.output; 853 } 854 testImportAes()855 public void testImportAes() throws Exception { 856 int result = importAesKey("aes", AES256_BYTES, 256, KeymasterDefs.KM_MODE_ECB); 857 assertEquals("import should succeed", KeyStore.NO_ERROR, result); 858 mKeyStore.delete("aes"); 859 } 860 testAes256Ecb()861 public void testAes256Ecb() throws Exception { 862 byte[] key = 863 hexToBytes("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"); 864 String name = "aes"; 865 assertEquals(KeyStore.NO_ERROR, importAesKey(name, key, 256, KeymasterDefs.KM_MODE_ECB)); 866 byte[][] testVectors = new byte[][] { 867 hexToBytes("6bc1bee22e409f96e93d7e117393172a"), 868 hexToBytes("ae2d8a571e03ac9c9eb76fac45af8e51"), 869 hexToBytes("30c81c46a35ce411e5fbc1191a0a52ef"), 870 hexToBytes("f69f2445df4f9b17ad2b417be66c3710")}; 871 byte[][] cipherVectors = new byte[][] { 872 hexToBytes("f3eed1bdb5d2a03c064b5a7e3db181f8"), 873 hexToBytes("591ccb10d410ed26dc5ba74a31362870"), 874 hexToBytes("b6ed21b99ca6f4f9f153e7b1beafed1d"), 875 hexToBytes("23304b7a39f9f3ff067d8d8f9e24ecc7")}; 876 KeymasterArguments beginArgs = new KeymasterArguments(); 877 beginArgs.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 878 beginArgs.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 879 beginArgs.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 880 for (int i = 0; i < testVectors.length; i++) { 881 byte[] cipherText = doOperation(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, testVectors[i], 882 beginArgs); 883 MoreAsserts.assertEquals(cipherVectors[i], cipherText); 884 } 885 for (int i = 0; i < testVectors.length; i++) { 886 byte[] plainText = doOperation(name, KeymasterDefs.KM_PURPOSE_DECRYPT, 887 cipherVectors[i], beginArgs); 888 MoreAsserts.assertEquals(testVectors[i], plainText); 889 } 890 } 891 892 // This is a very implementation specific test and should be thrown out eventually, however it 893 // is nice for now to test that keystore is properly pruning operations. testOperationPruning()894 public void testOperationPruning() throws Exception { 895 String name = "test"; 896 KeymasterArguments args = new KeymasterArguments(); 897 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 898 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 899 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 900 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 901 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 902 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_CTR); 903 args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED); 904 905 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 906 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 907 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 908 909 args = new KeymasterArguments(); 910 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 911 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_CTR); 912 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_NONE); 913 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 914 true, args, null); 915 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 916 IBinder first = result.token; 917 // Implementation detail: softkeymaster supports 16 concurrent operations 918 for (int i = 0; i < 16; i++) { 919 result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, true, args, null); 920 assertEquals("Begin should succeed", KeyStore.NO_ERROR, result.resultCode); 921 } 922 // At this point the first operation should be pruned. 923 assertEquals("Operation should be pruned", KeymasterDefs.KM_ERROR_INVALID_OPERATION_HANDLE, 924 mKeyStore.update(first, null, new byte[] {0x01}).resultCode); 925 } 926 testAuthNeeded()927 public void testAuthNeeded() throws Exception { 928 String name = "test"; 929 KeymasterArguments args = new KeymasterArguments(); 930 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_ENCRYPT); 931 args.addEnum(KeymasterDefs.KM_TAG_PURPOSE, KeymasterDefs.KM_PURPOSE_DECRYPT); 932 args.addEnum(KeymasterDefs.KM_TAG_ALGORITHM, KeymasterDefs.KM_ALGORITHM_AES); 933 args.addEnum(KeymasterDefs.KM_TAG_PADDING, KeymasterDefs.KM_PAD_PKCS7); 934 args.addUnsignedInt(KeymasterDefs.KM_TAG_KEY_SIZE, 256); 935 args.addEnum(KeymasterDefs.KM_TAG_BLOCK_MODE, KeymasterDefs.KM_MODE_ECB); 936 args.addEnum(KeymasterDefs.KM_TAG_USER_AUTH_TYPE, 1); 937 938 KeyCharacteristics outCharacteristics = new KeyCharacteristics(); 939 int rc = mKeyStore.generateKey(name, args, null, 0, outCharacteristics); 940 assertEquals("Generate should succeed", KeyStore.NO_ERROR, rc); 941 OperationResult result = mKeyStore.begin(name, KeymasterDefs.KM_PURPOSE_ENCRYPT, 942 true, args, null); 943 assertEquals("Begin should expect authorization", KeyStore.OP_AUTH_NEEDED, 944 result.resultCode); 945 IBinder token = result.token; 946 result = mKeyStore.update(token, null, new byte[] {0x01, 0x02, 0x03, 0x04}); 947 assertEquals("Update should require authorization", 948 KeymasterDefs.KM_ERROR_KEY_USER_NOT_AUTHENTICATED, result.resultCode); 949 } 950 testPasswordRemovalEncryptedEntry()951 public void testPasswordRemovalEncryptedEntry() throws Exception { 952 mKeyStore.onUserPasswordChanged("test"); 953 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 954 KeyStore.FLAG_ENCRYPTED)); 955 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 956 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 957 mKeyStore.onUserPasswordChanged(""); 958 // Removing the password should have deleted all entries using FLAG_ENCRYPTED 959 assertNull(mKeyStore.get(TEST_KEYNAME)); 960 assertFalse(mKeyStore.contains(TEST_KEYNAME)); 961 } 962 testPasswordRemovalUnencryptedEntry()963 public void testPasswordRemovalUnencryptedEntry() throws Exception { 964 mKeyStore.onUserPasswordChanged("test"); 965 assertTrue(mKeyStore.put(TEST_KEYNAME, TEST_KEYVALUE, KeyStore.UID_SELF, 966 KeyStore.FLAG_NONE)); 967 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 968 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 969 mKeyStore.onUserPasswordChanged(""); 970 // Removing the password should not delete unencrypted entries. 971 assertTrue(mKeyStore.contains(TEST_KEYNAME)); 972 assertTrue(Arrays.equals(TEST_KEYVALUE, mKeyStore.get(TEST_KEYNAME))); 973 } 974 } 975