1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "keymaster_hidl_hal_test"
18 #include <cutils/log.h>
19 
20 #include <iostream>
21 
22 #include <openssl/evp.h>
23 #include <openssl/mem.h>
24 #include <openssl/x509.h>
25 
26 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
27 #include <android/hardware/keymaster/3.0/types.h>
28 #include <cutils/properties.h>
29 #include <gtest/gtest.h>
30 #include <hidl/GtestPrinter.h>
31 #include <hidl/ServiceManagement.h>
32 #include <keymaster/keymaster_configuration.h>
33 
34 #include "authorization_set.h"
35 #include "key_param_output.h"
36 
37 #include "attestation_record.h"
38 #include "openssl_utils.h"
39 
40 using ::android::sp;
41 using ::std::string;
42 
43 static bool arm_deleteAllKeys = false;
44 static bool dump_Attestations = false;
45 
46 namespace android {
47 namespace hardware {
48 
operator ==(const hidl_vec<T> & a,const hidl_vec<T> & b)49 template <typename T> bool operator==(const hidl_vec<T>& a, const hidl_vec<T>& b) {
50     if (a.size() != b.size()) {
51         return false;
52     }
53     for (size_t i = 0; i < a.size(); ++i) {
54         if (a[i] != b[i]) {
55             return false;
56         }
57     }
58     return true;
59 }
60 
61 namespace keymaster {
62 namespace V3_0 {
63 
operator ==(const KeyParameter & a,const KeyParameter & b)64 bool operator==(const KeyParameter& a, const KeyParameter& b) {
65     if (a.tag != b.tag) {
66         return false;
67     }
68 
69     switch (a.tag) {
70 
71     /* Boolean tags */
72     case Tag::INVALID:
73     case Tag::CALLER_NONCE:
74     case Tag::INCLUDE_UNIQUE_ID:
75     case Tag::ECIES_SINGLE_HASH_MODE:
76     case Tag::BOOTLOADER_ONLY:
77     case Tag::NO_AUTH_REQUIRED:
78     case Tag::ALLOW_WHILE_ON_BODY:
79     case Tag::EXPORTABLE:
80     case Tag::ALL_APPLICATIONS:
81     case Tag::ROLLBACK_RESISTANT:
82     case Tag::RESET_SINCE_ID_ROTATION:
83         return true;
84 
85     /* Integer tags */
86     case Tag::KEY_SIZE:
87     case Tag::MIN_MAC_LENGTH:
88     case Tag::MIN_SECONDS_BETWEEN_OPS:
89     case Tag::MAX_USES_PER_BOOT:
90     case Tag::ALL_USERS:
91     case Tag::USER_ID:
92     case Tag::OS_VERSION:
93     case Tag::OS_PATCHLEVEL:
94     case Tag::MAC_LENGTH:
95     case Tag::AUTH_TIMEOUT:
96         return a.f.integer == b.f.integer;
97 
98     /* Long integer tags */
99     case Tag::RSA_PUBLIC_EXPONENT:
100     case Tag::USER_SECURE_ID:
101         return a.f.longInteger == b.f.longInteger;
102 
103     /* Date-time tags */
104     case Tag::ACTIVE_DATETIME:
105     case Tag::ORIGINATION_EXPIRE_DATETIME:
106     case Tag::USAGE_EXPIRE_DATETIME:
107     case Tag::CREATION_DATETIME:
108         return a.f.dateTime == b.f.dateTime;
109 
110     /* Bytes tags */
111     case Tag::APPLICATION_ID:
112     case Tag::APPLICATION_DATA:
113     case Tag::ROOT_OF_TRUST:
114     case Tag::UNIQUE_ID:
115     case Tag::ATTESTATION_CHALLENGE:
116     case Tag::ATTESTATION_APPLICATION_ID:
117     case Tag::ATTESTATION_ID_BRAND:
118     case Tag::ATTESTATION_ID_DEVICE:
119     case Tag::ATTESTATION_ID_PRODUCT:
120     case Tag::ATTESTATION_ID_SERIAL:
121     case Tag::ATTESTATION_ID_IMEI:
122     case Tag::ATTESTATION_ID_MEID:
123     case Tag::ATTESTATION_ID_MANUFACTURER:
124     case Tag::ATTESTATION_ID_MODEL:
125     case Tag::ASSOCIATED_DATA:
126     case Tag::NONCE:
127     case Tag::AUTH_TOKEN:
128         return a.blob == b.blob;
129 
130     /* Enum tags */
131     case Tag::PURPOSE:
132         return a.f.purpose == b.f.purpose;
133     case Tag::ALGORITHM:
134         return a.f.algorithm == b.f.algorithm;
135     case Tag::BLOCK_MODE:
136         return a.f.blockMode == b.f.blockMode;
137     case Tag::DIGEST:
138         return a.f.digest == b.f.digest;
139     case Tag::PADDING:
140         return a.f.paddingMode == b.f.paddingMode;
141     case Tag::EC_CURVE:
142         return a.f.ecCurve == b.f.ecCurve;
143     case Tag::BLOB_USAGE_REQUIREMENTS:
144         return a.f.keyBlobUsageRequirements == b.f.keyBlobUsageRequirements;
145     case Tag::USER_AUTH_TYPE:
146         return a.f.integer == b.f.integer;
147     case Tag::ORIGIN:
148         return a.f.origin == b.f.origin;
149 
150     /* Unsupported tags */
151     case Tag::KDF:
152         return false;
153     }
154 }
155 
operator ==(const AuthorizationSet & a,const AuthorizationSet & b)156 bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
157     return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin());
158 }
159 
operator ==(const KeyCharacteristics & a,const KeyCharacteristics & b)160 bool operator==(const KeyCharacteristics& a, const KeyCharacteristics& b) {
161     // This isn't very efficient. Oh, well.
162     AuthorizationSet a_sw(a.softwareEnforced);
163     AuthorizationSet b_sw(b.softwareEnforced);
164     AuthorizationSet a_tee(b.teeEnforced);
165     AuthorizationSet b_tee(b.teeEnforced);
166 
167     a_sw.Sort();
168     b_sw.Sort();
169     a_tee.Sort();
170     b_tee.Sort();
171 
172     return a_sw == b_sw && a_tee == b_sw;
173 }
174 
operator <<(::std::ostream & os,const AuthorizationSet & set)175 ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) {
176     if (set.size() == 0)
177         os << "(Empty)" << ::std::endl;
178     else {
179         os << "\n";
180         for (size_t i = 0; i < set.size(); ++i)
181             os << set[i] << ::std::endl;
182     }
183     return os;
184 }
185 
186 namespace test {
187 namespace {
188 
189 template <TagType tag_type, Tag tag, typename ValueT>
contains(hidl_vec<KeyParameter> & set,TypedTag<tag_type,tag> ttag,ValueT expected_value)190 bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag> ttag, ValueT expected_value) {
191     size_t count = std::count_if(set.begin(), set.end(), [&](const KeyParameter& param) {
192         return param.tag == tag && accessTagValue(ttag, param) == expected_value;
193     });
194     return count == 1;
195 }
196 
197 template <TagType tag_type, Tag tag>
contains(hidl_vec<KeyParameter> & set,TypedTag<tag_type,tag>)198 bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag>) {
199     size_t count = std::count_if(set.begin(), set.end(),
200                                  [&](const KeyParameter& param) { return param.tag == tag; });
201     return count > 0;
202 }
203 
204 constexpr char hex_value[256] = {0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
205                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
206                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
207                                  0, 1,  2,  3,  4,  5,  6,  7, 8, 9, 0, 0, 0, 0, 0, 0,  // '0'..'9'
208                                  0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 'A'..'F'
209                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
210                                  0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // 'a'..'f'
211                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
212                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
213                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
214                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
215                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
216                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
217                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
218                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0,  //
219                                  0, 0,  0,  0,  0,  0,  0,  0, 0, 0, 0, 0, 0, 0, 0, 0};
220 
hex2str(string a)221 string hex2str(string a) {
222     string b;
223     size_t num = a.size() / 2;
224     b.resize(num);
225     for (size_t i = 0; i < num; i++) {
226         b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
227     }
228     return b;
229 }
230 
231 char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
232                        '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
233 
bin2hex(const hidl_vec<uint8_t> & data)234 string bin2hex(const hidl_vec<uint8_t>& data) {
235     string retval;
236     retval.reserve(data.size() * 2 + 1);
237     for (uint8_t byte : data) {
238         retval.push_back(nibble2hex[0x0F & (byte >> 4)]);
239         retval.push_back(nibble2hex[0x0F & byte]);
240     }
241     return retval;
242 }
243 
244 string rsa_key = hex2str(
245     "30820275020100300d06092a864886f70d01010105000482025f3082025b"
246     "02010002818100c6095409047d8634812d5a218176e45c41d60a75b13901"
247     "f234226cffe776521c5a77b9e389417b71c0b6a44d13afe4e4a2805d46c9"
248     "da2935adb1ff0c1f24ea06e62b20d776430a4d435157233c6f916783c30e"
249     "310fcbd89b85c2d56771169785ac12bca244abda72bfb19fc44d27c81e1d"
250     "92de284f4061edfd99280745ea6d2502030100010281801be0f04d9cae37"
251     "18691f035338308e91564b55899ffb5084d2460e6630257e05b3ceab0297"
252     "2dfabcd6ce5f6ee2589eb67911ed0fac16e43a444b8c861e544a05933657"
253     "72f8baf6b22fc9e3c5f1024b063ac080a7b2234cf8aee8f6c47bbf4fd3ac"
254     "e7240290bef16c0b3f7f3cdd64ce3ab5912cf6e32f39ab188358afcccd80"
255     "81024100e4b49ef50f765d3b24dde01aceaaf130f2c76670a91a61ae08af"
256     "497b4a82be6dee8fcdd5e3f7ba1cfb1f0c926b88f88c92bfab137fba2285"
257     "227b83c342ff7c55024100ddabb5839c4c7f6bf3d4183231f005b31aa58a"
258     "ffdda5c79e4cce217f6bc930dbe563d480706c24e9ebfcab28a6cdefd324"
259     "b77e1bf7251b709092c24ff501fd91024023d4340eda3445d8cd26c14411"
260     "da6fdca63c1ccd4b80a98ad52b78cc8ad8beb2842c1d280405bc2f6c1bea"
261     "214a1d742ab996b35b63a82a5e470fa88dbf823cdd02401b7b57449ad30d"
262     "1518249a5f56bb98294d4b6ac12ffc86940497a5a5837a6cf946262b4945"
263     "26d328c11e1126380fde04c24f916dec250892db09a6d77cdba351024077"
264     "62cd8f4d050da56bd591adb515d24d7ccd32cca0d05f866d583514bd7324"
265     "d5f33645e8ed8b4a1cb3cc4a1d67987399f2a09f5b3fb68c88d5e5d90ac3"
266     "3492d6");
267 
268 string ec_256_key = hex2str(
269     "308187020100301306072a8648ce3d020106082a8648ce3d030107046d30"
270     "6b0201010420737c2ecd7b8d1940bf2930aa9b4ed3ff941eed09366bc032"
271     "99986481f3a4d859a14403420004bf85d7720d07c25461683bc648b4778a"
272     "9a14dd8a024e3bdd8c7ddd9ab2b528bbc7aa1b51f14ebbbb0bd0ce21bcc4"
273     "1c6eb00083cf3376d11fd44949e0b2183bfe");
274 
275 string ec_521_key = hex2str(
276     "3081EE020100301006072A8648CE3D020106052B810400230481D63081D3"
277     "02010104420011458C586DB5DAA92AFAB03F4FE46AA9D9C3CE9A9B7A006A"
278     "8384BEC4C78E8E9D18D7D08B5BCFA0E53C75B064AD51C449BAE0258D54B9"
279     "4B1E885DED08ED4FB25CE9A1818903818600040149EC11C6DF0FA122C6A9"
280     "AFD9754A4FA9513A627CA329E349535A5629875A8ADFBE27DCB932C05198"
281     "6377108D054C28C6F39B6F2C9AF81802F9F326B842FF2E5F3C00AB7635CF"
282     "B36157FC0882D574A10D839C1A0C049DC5E0D775E2EE50671A208431BB45"
283     "E78E70BEFE930DB34818EE4D5C26259F5C6B8E28A652950F9F88D7B4B2C9"
284     "D9");
285 
286 struct RSA_Delete {
operator ()android::hardware::keymaster::V3_0::test::__anon93d6503a0111::RSA_Delete287     void operator()(RSA* p) { RSA_free(p); }
288 };
289 
parse_cert_blob(const hidl_vec<uint8_t> & blob)290 X509* parse_cert_blob(const hidl_vec<uint8_t>& blob) {
291     const uint8_t* p = blob.data();
292     return d2i_X509(nullptr, &p, blob.size());
293 }
294 
verify_chain(const hidl_vec<hidl_vec<uint8_t>> & chain)295 bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) {
296     for (size_t i = 0; i < chain.size(); ++i) {
297         X509_Ptr key_cert(parse_cert_blob(chain[i]));
298         X509_Ptr signing_cert;
299         if (i < chain.size() - 1) {
300             signing_cert.reset(parse_cert_blob(chain[i + 1]));
301         } else {
302             signing_cert.reset(parse_cert_blob(chain[i]));
303         }
304         EXPECT_TRUE(!!key_cert.get() && !!signing_cert.get());
305         if (!key_cert.get() || !signing_cert.get()) return false;
306 
307         EVP_PKEY_Ptr signing_pubkey(X509_get_pubkey(signing_cert.get()));
308         EXPECT_TRUE(!!signing_pubkey.get());
309         if (!signing_pubkey.get()) return false;
310 
311         EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
312             << "Verification of certificate " << i << " failed";
313 
314         char* cert_issuer =  //
315             X509_NAME_oneline(X509_get_issuer_name(key_cert.get()), nullptr, 0);
316         char* signer_subj =
317             X509_NAME_oneline(X509_get_subject_name(signing_cert.get()), nullptr, 0);
318         EXPECT_STREQ(cert_issuer, signer_subj) << "Cert " << i
319                                                << " has wrong issuer.  (Possibly b/38394614)";
320         if (i == 0) {
321             char* cert_sub = X509_NAME_oneline(X509_get_subject_name(key_cert.get()), nullptr, 0);
322             EXPECT_STREQ("/CN=Android Keystore Key", cert_sub)
323                 << "Cert " << i << " has wrong subject.  (Possibly b/38394614)";
324             OPENSSL_free(cert_sub);
325         }
326 
327         OPENSSL_free(cert_issuer);
328         OPENSSL_free(signer_subj);
329 
330         if (dump_Attestations) std::cout << bin2hex(chain[i]) << std::endl;
331     }
332 
333     return true;
334 }
335 
336 // Extract attestation record from cert. Returned object is still part of cert; don't free it
337 // separately.
get_attestation_record(X509 * certificate)338 ASN1_OCTET_STRING* get_attestation_record(X509* certificate) {
339     ASN1_OBJECT_Ptr oid(OBJ_txt2obj(kAttestionRecordOid, 1 /* dotted string format */));
340     EXPECT_TRUE(!!oid.get());
341     if (!oid.get()) return nullptr;
342 
343     int location = X509_get_ext_by_OBJ(certificate, oid.get(), -1 /* search from beginning */);
344     EXPECT_NE(-1, location);
345     if (location == -1) return nullptr;
346 
347     X509_EXTENSION* attest_rec_ext = X509_get_ext(certificate, location);
348     EXPECT_TRUE(!!attest_rec_ext);
349     if (!attest_rec_ext) return nullptr;
350 
351     ASN1_OCTET_STRING* attest_rec = X509_EXTENSION_get_data(attest_rec_ext);
352     EXPECT_TRUE(!!attest_rec);
353     return attest_rec;
354 }
355 
tag_in_list(const KeyParameter & entry)356 bool tag_in_list(const KeyParameter& entry) {
357     // Attestations don't contain everything in key authorization lists, so we need to filter
358     // the key lists to produce the lists that we expect to match the attestations.
359     auto tag_list = {
360         Tag::USER_ID, Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS,
361         Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */,
362     };
363     return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end();
364 }
365 
filter_tags(const AuthorizationSet & set)366 AuthorizationSet filter_tags(const AuthorizationSet& set) {
367     AuthorizationSet filtered;
368     std::remove_copy_if(set.begin(), set.end(), std::back_inserter(filtered), tag_in_list);
369     return filtered;
370 }
371 
make_string(const uint8_t * data,size_t length)372 std::string make_string(const uint8_t* data, size_t length) {
373     return std::string(reinterpret_cast<const char*>(data), length);
374 }
375 
make_string(const uint8_t (& a)[N])376 template <size_t N> std::string make_string(const uint8_t (&a)[N]) {
377     return make_string(a, N);
378 }
379 
380 class HidlBuf : public hidl_vec<uint8_t> {
381     typedef hidl_vec<uint8_t> super;
382 
383   public:
HidlBuf()384     HidlBuf() {}
HidlBuf(const super & other)385     HidlBuf(const super& other) : super(other) {}
HidlBuf(super && other)386     HidlBuf(super&& other) : super(std::move(other)) {}
HidlBuf(const std::string & other)387     explicit HidlBuf(const std::string& other) : HidlBuf() { *this = other; }
388 
operator =(const super & other)389     HidlBuf& operator=(const super& other) {
390         super::operator=(other);
391         return *this;
392     }
393 
operator =(super && other)394     HidlBuf& operator=(super&& other) {
395         super::operator=(std::move(other));
396         return *this;
397     }
398 
operator =(const string & other)399     HidlBuf& operator=(const string& other) {
400         resize(other.size());
401         for (size_t i = 0; i < other.size(); ++i) {
402             (*this)[i] = static_cast<uint8_t>(other[i]);
403         }
404         return *this;
405     }
406 
to_string() const407     string to_string() const { return string(reinterpret_cast<const char*>(data()), size()); }
408 };
409 
410 constexpr uint64_t kOpHandleSentinel = 0xFFFFFFFFFFFFFFFF;
411 
412 }  // namespace
413 
414 class KeymasterHidlTest : public ::testing::TestWithParam<std::string> {
415   public:
TearDown()416     void TearDown() override {
417         if (key_blob_.size()) {
418             CheckedDeleteKey();
419         }
420         AbortIfNeeded();
421 
422         keymaster_.clear();
423     }
424 
SetUp()425     void SetUp() override {
426         keymaster_ = IKeymasterDevice::getService(GetParam());
427         ASSERT_NE(keymaster_, nullptr);
428 
429         ASSERT_TRUE(
430             keymaster_
431                 ->getHardwareFeatures([&](bool isSecure, bool supportsEc, bool supportsSymmetric,
432                                           bool supportsAttestation, bool supportsAllDigests,
433                                           const hidl_string& name, const hidl_string& author) {
434                     is_secure_ = isSecure;
435                     supports_ec_ = supportsEc;
436                     supports_symmetric_ = supportsSymmetric;
437                     supports_attestation_ = supportsAttestation;
438                     supports_all_digests_ = supportsAllDigests;
439                     name_ = name;
440                     author_ = author;
441                 })
442                 .isOk());
443 
444         os_version_ = ::keymaster::GetOsVersion();
445         os_patch_level_ = ::keymaster::GetOsPatchlevel();
446     }
447 
keymaster()448     IKeymasterDevice& keymaster() { return *keymaster_; }
os_version()449     uint32_t os_version() { return os_version_; }
os_patch_level()450     uint32_t os_patch_level() { return os_patch_level_; }
451 
UserAuths()452     AuthorizationSet UserAuths() { return AuthorizationSetBuilder().Authorization(TAG_USER_ID, 7); }
453 
GenerateKey(const AuthorizationSet & key_desc,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)454     ErrorCode GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob,
455                           KeyCharacteristics* key_characteristics) {
456         EXPECT_NE(key_blob, nullptr);
457         EXPECT_NE(key_characteristics, nullptr);
458         EXPECT_EQ(0U, key_blob->size());
459 
460         ErrorCode error;
461         EXPECT_TRUE(keymaster_
462                         ->generateKey(key_desc.hidl_data(),
463                                       [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
464                                           const KeyCharacteristics& hidl_key_characteristics) {
465                                           error = hidl_error;
466                                           *key_blob = hidl_key_blob;
467                                           *key_characteristics = hidl_key_characteristics;
468                                       })
469                         .isOk());
470         // On error, blob & characteristics should be empty.
471         if (error != ErrorCode::OK) {
472             EXPECT_EQ(0U, key_blob->size());
473             EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
474                            key_characteristics->teeEnforced.size()));
475         }
476         return error;
477     }
478 
GenerateKey(const AuthorizationSet & key_desc)479     ErrorCode GenerateKey(const AuthorizationSet& key_desc) {
480         return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
481     }
482 
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material,HidlBuf * key_blob,KeyCharacteristics * key_characteristics)483     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
484                         const string& key_material, HidlBuf* key_blob,
485                         KeyCharacteristics* key_characteristics) {
486         ErrorCode error;
487         EXPECT_TRUE(keymaster_
488                         ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material),
489                                     [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob,
490                                         const KeyCharacteristics& hidl_key_characteristics) {
491                                         error = hidl_error;
492                                         *key_blob = hidl_key_blob;
493                                         *key_characteristics = hidl_key_characteristics;
494                                     })
495                         .isOk());
496         // On error, blob & characteristics should be empty.
497         if (error != ErrorCode::OK) {
498             EXPECT_EQ(0U, key_blob->size());
499             EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() +
500                            key_characteristics->teeEnforced.size()));
501         }
502         return error;
503     }
504 
ImportKey(const AuthorizationSet & key_desc,KeyFormat format,const string & key_material)505     ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
506                         const string& key_material) {
507         return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_);
508     }
509 
ExportKey(KeyFormat format,const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,HidlBuf * key_material)510     ErrorCode ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id,
511                         const HidlBuf& app_data, HidlBuf* key_material) {
512         ErrorCode error;
513         EXPECT_TRUE(
514             keymaster_
515                 ->exportKey(format, key_blob, client_id, app_data,
516                             [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) {
517                                 error = hidl_error_code;
518                                 *key_material = hidl_key_material;
519                             })
520                 .isOk());
521         // On error, blob should be empty.
522         if (error != ErrorCode::OK) {
523             EXPECT_EQ(0U, key_material->size());
524         }
525         return error;
526     }
527 
ExportKey(KeyFormat format,HidlBuf * key_material)528     ErrorCode ExportKey(KeyFormat format, HidlBuf* key_material) {
529         HidlBuf client_id, app_data;
530         return ExportKey(format, key_blob_, client_id, app_data, key_material);
531     }
532 
DeleteKey(HidlBuf * key_blob,bool keep_key_blob=false)533     ErrorCode DeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) {
534         auto rc = keymaster_->deleteKey(*key_blob);
535         if (!keep_key_blob) *key_blob = HidlBuf();
536         if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
537         return rc;
538     }
539 
DeleteKey(bool keep_key_blob=false)540     ErrorCode DeleteKey(bool keep_key_blob = false) {
541         return DeleteKey(&key_blob_, keep_key_blob);
542     }
543 
DeleteAllKeys()544     ErrorCode DeleteAllKeys() {
545         ErrorCode error = keymaster_->deleteAllKeys();
546         return error;
547     }
548 
CheckedDeleteKey(HidlBuf * key_blob,bool keep_key_blob=false)549     void CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob = false) {
550         auto rc = DeleteKey(key_blob, keep_key_blob);
551         EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
552     }
553 
CheckedDeleteKey()554     void CheckedDeleteKey() { CheckedDeleteKey(&key_blob_); }
555 
GetCharacteristics(const HidlBuf & key_blob,const HidlBuf & client_id,const HidlBuf & app_data,KeyCharacteristics * key_characteristics)556     ErrorCode GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id,
557                                  const HidlBuf& app_data, KeyCharacteristics* key_characteristics) {
558         ErrorCode error = ErrorCode::UNKNOWN_ERROR;
559         EXPECT_TRUE(
560             keymaster_
561                 ->getKeyCharacteristics(
562                     key_blob, client_id, app_data,
563                     [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) {
564                         error = hidl_error, *key_characteristics = hidl_key_characteristics;
565                     })
566                 .isOk());
567         return error;
568     }
569 
GetCharacteristics(const HidlBuf & key_blob,KeyCharacteristics * key_characteristics)570     ErrorCode GetCharacteristics(const HidlBuf& key_blob, KeyCharacteristics* key_characteristics) {
571         HidlBuf client_id, app_data;
572         return GetCharacteristics(key_blob, client_id, app_data, key_characteristics);
573     }
574 
Begin(KeyPurpose purpose,const HidlBuf & key_blob,const AuthorizationSet & in_params,AuthorizationSet * out_params,OperationHandle * op_handle)575     ErrorCode Begin(KeyPurpose purpose, const HidlBuf& key_blob, const AuthorizationSet& in_params,
576                     AuthorizationSet* out_params, OperationHandle* op_handle) {
577         SCOPED_TRACE("Begin");
578         ErrorCode error;
579         OperationHandle saved_handle = *op_handle;
580         EXPECT_TRUE(
581             keymaster_
582                 ->begin(purpose, key_blob, in_params.hidl_data(),
583                         [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
584                             uint64_t hidl_op_handle) {
585                             error = hidl_error;
586                             *out_params = hidl_out_params;
587                             *op_handle = hidl_op_handle;
588                         })
589                 .isOk());
590         if (error != ErrorCode::OK) {
591             // Some implementations may modify *op_handle on error.
592             *op_handle = saved_handle;
593         }
594         return error;
595     }
596 
Begin(KeyPurpose purpose,const AuthorizationSet & in_params,AuthorizationSet * out_params)597     ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params,
598                     AuthorizationSet* out_params) {
599         SCOPED_TRACE("Begin");
600         EXPECT_EQ(kOpHandleSentinel, op_handle_);
601         return Begin(purpose, key_blob_, in_params, out_params, &op_handle_);
602     }
603 
Begin(KeyPurpose purpose,const AuthorizationSet & in_params)604     ErrorCode Begin(KeyPurpose purpose, const AuthorizationSet& in_params) {
605         SCOPED_TRACE("Begin");
606         AuthorizationSet out_params;
607         ErrorCode error = Begin(purpose, in_params, &out_params);
608         EXPECT_TRUE(out_params.empty());
609         return error;
610     }
611 
Update(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,AuthorizationSet * out_params,string * output,size_t * input_consumed)612     ErrorCode Update(OperationHandle op_handle, const AuthorizationSet& in_params,
613                      const string& input, AuthorizationSet* out_params, string* output,
614                      size_t* input_consumed) {
615         SCOPED_TRACE("Update");
616         ErrorCode error;
617         EXPECT_TRUE(keymaster_
618                         ->update(op_handle, in_params.hidl_data(), HidlBuf(input),
619                                  [&](ErrorCode hidl_error, uint32_t hidl_input_consumed,
620                                      const hidl_vec<KeyParameter>& hidl_out_params,
621                                      const HidlBuf& hidl_output) {
622                                      error = hidl_error;
623                                      out_params->push_back(AuthorizationSet(hidl_out_params));
624                                      output->append(hidl_output.to_string());
625                                      *input_consumed = hidl_input_consumed;
626                                  })
627                         .isOk());
628         return error;
629     }
630 
Update(const string & input,string * out,size_t * input_consumed)631     ErrorCode Update(const string& input, string* out, size_t* input_consumed) {
632         SCOPED_TRACE("Update");
633         AuthorizationSet out_params;
634         ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params,
635                                  out, input_consumed);
636         EXPECT_TRUE(out_params.empty());
637         return error;
638     }
639 
Finish(OperationHandle op_handle,const AuthorizationSet & in_params,const string & input,const string & signature,AuthorizationSet * out_params,string * output)640     ErrorCode Finish(OperationHandle op_handle, const AuthorizationSet& in_params,
641                      const string& input, const string& signature, AuthorizationSet* out_params,
642                      string* output) {
643         SCOPED_TRACE("Finish");
644         ErrorCode error;
645         EXPECT_TRUE(
646             keymaster_
647                 ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature),
648                          [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params,
649                              const HidlBuf& hidl_output) {
650                              error = hidl_error;
651                              *out_params = hidl_out_params;
652                              output->append(hidl_output.to_string());
653                          })
654                 .isOk());
655         op_handle_ = kOpHandleSentinel;  // So dtor doesn't Abort().
656         return error;
657     }
658 
Finish(const string & message,string * output)659     ErrorCode Finish(const string& message, string* output) {
660         SCOPED_TRACE("Finish");
661         AuthorizationSet out_params;
662         string finish_output;
663         ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message,
664                                  "" /* signature */, &out_params, output);
665         if (error != ErrorCode::OK) {
666             return error;
667         }
668         EXPECT_EQ(0U, out_params.size());
669         return error;
670     }
671 
Finish(const string & message,const string & signature,string * output)672     ErrorCode Finish(const string& message, const string& signature, string* output) {
673         SCOPED_TRACE("Finish");
674         AuthorizationSet out_params;
675         ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature,
676                                  &out_params, output);
677         op_handle_ = kOpHandleSentinel;  // So dtor doesn't Abort().
678         if (error != ErrorCode::OK) {
679             return error;
680         }
681         EXPECT_EQ(0U, out_params.size());
682         return error;
683     }
684 
Abort(OperationHandle op_handle)685     ErrorCode Abort(OperationHandle op_handle) {
686         SCOPED_TRACE("Abort");
687         auto retval = keymaster_->abort(op_handle);
688         EXPECT_TRUE(retval.isOk());
689         return retval;
690     }
691 
AbortIfNeeded()692     void AbortIfNeeded() {
693         SCOPED_TRACE("AbortIfNeeded");
694         if (op_handle_ != kOpHandleSentinel) {
695             EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
696             op_handle_ = kOpHandleSentinel;
697         }
698     }
699 
AttestKey(const HidlBuf & key_blob,const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)700     ErrorCode AttestKey(const HidlBuf& key_blob, const AuthorizationSet& attest_params,
701                         hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
702         SCOPED_TRACE("AttestKey");
703         ErrorCode error;
704         auto rc = keymaster_->attestKey(
705             key_blob, attest_params.hidl_data(),
706             [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) {
707                 error = hidl_error;
708                 *cert_chain = hidl_cert_chain;
709             });
710 
711         EXPECT_TRUE(rc.isOk()) << rc.description();
712         if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR;
713 
714         return error;
715     }
716 
AttestKey(const AuthorizationSet & attest_params,hidl_vec<hidl_vec<uint8_t>> * cert_chain)717     ErrorCode AttestKey(const AuthorizationSet& attest_params,
718                         hidl_vec<hidl_vec<uint8_t>>* cert_chain) {
719         SCOPED_TRACE("AttestKey");
720         return AttestKey(key_blob_, attest_params, cert_chain);
721     }
722 
ProcessMessage(const HidlBuf & key_blob,KeyPurpose operation,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)723     string ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation, const string& message,
724                           const AuthorizationSet& in_params, AuthorizationSet* out_params) {
725         SCOPED_TRACE("ProcessMessage");
726         AuthorizationSet begin_out_params;
727         EXPECT_EQ(ErrorCode::OK,
728                   Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
729 
730         string unused;
731         AuthorizationSet finish_params;
732         AuthorizationSet finish_out_params;
733         string output;
734         EXPECT_EQ(ErrorCode::OK,
735                   Finish(op_handle_, finish_params, message, unused, &finish_out_params, &output));
736         op_handle_ = kOpHandleSentinel;
737 
738         out_params->push_back(begin_out_params);
739         out_params->push_back(finish_out_params);
740         return output;
741     }
742 
SignMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & params)743     string SignMessage(const HidlBuf& key_blob, const string& message,
744                        const AuthorizationSet& params) {
745         SCOPED_TRACE("SignMessage");
746         AuthorizationSet out_params;
747         string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params);
748         EXPECT_TRUE(out_params.empty());
749         return signature;
750     }
751 
SignMessage(const string & message,const AuthorizationSet & params)752     string SignMessage(const string& message, const AuthorizationSet& params) {
753         SCOPED_TRACE("SignMessage");
754         return SignMessage(key_blob_, message, params);
755     }
756 
MacMessage(const string & message,Digest digest,size_t mac_length)757     string MacMessage(const string& message, Digest digest, size_t mac_length) {
758         SCOPED_TRACE("MacMessage");
759         return SignMessage(
760             key_blob_, message,
761             AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length));
762     }
763 
CheckHmacTestVector(const string & key,const string & message,Digest digest,const string & expected_mac)764     void CheckHmacTestVector(const string& key, const string& message, Digest digest,
765                              const string& expected_mac) {
766         SCOPED_TRACE("CheckHmacTestVector");
767         ASSERT_EQ(ErrorCode::OK,
768                   ImportKey(AuthorizationSetBuilder()
769                                 .Authorization(TAG_NO_AUTH_REQUIRED)
770                                 .HmacKey(key.size() * 8)
771                                 .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8)
772                                 .Digest(digest),
773                             KeyFormat::RAW, key));
774         string signature = MacMessage(message, digest, expected_mac.size() * 8);
775         EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << (int)digest;
776         CheckedDeleteKey();
777     }
778 
CheckAesCtrTestVector(const string & key,const string & nonce,const string & message,const string & expected_ciphertext)779     void CheckAesCtrTestVector(const string& key, const string& nonce, const string& message,
780                                const string& expected_ciphertext) {
781         SCOPED_TRACE("CheckAesCtrTestVector");
782         ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
783                                                .Authorization(TAG_NO_AUTH_REQUIRED)
784                                                .AesEncryptionKey(key.size() * 8)
785                                                .BlockMode(BlockMode::CTR)
786                                                .Authorization(TAG_CALLER_NONCE)
787                                                .Padding(PaddingMode::NONE),
788                                            KeyFormat::RAW, key));
789 
790         auto params = AuthorizationSetBuilder()
791                           .Authorization(TAG_NONCE, nonce.data(), nonce.size())
792                           .BlockMode(BlockMode::CTR)
793                           .Padding(PaddingMode::NONE);
794         AuthorizationSet out_params;
795         string ciphertext = EncryptMessage(key_blob_, message, params, &out_params);
796         EXPECT_EQ(expected_ciphertext, ciphertext);
797     }
798 
VerifyMessage(const HidlBuf & key_blob,const string & message,const string & signature,const AuthorizationSet & params)799     void VerifyMessage(const HidlBuf& key_blob, const string& message, const string& signature,
800                        const AuthorizationSet& params) {
801         SCOPED_TRACE("VerifyMessage");
802         AuthorizationSet begin_out_params;
803         ASSERT_EQ(ErrorCode::OK,
804                   Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_));
805 
806         string unused;
807         AuthorizationSet finish_params;
808         AuthorizationSet finish_out_params;
809         string output;
810         EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, signature,
811                                         &finish_out_params, &output));
812         op_handle_ = kOpHandleSentinel;
813         EXPECT_TRUE(output.empty());
814     }
815 
VerifyMessage(const string & message,const string & signature,const AuthorizationSet & params)816     void VerifyMessage(const string& message, const string& signature,
817                        const AuthorizationSet& params) {
818         SCOPED_TRACE("VerifyMessage");
819         VerifyMessage(key_blob_, message, signature, params);
820     }
821 
EncryptMessage(const HidlBuf & key_blob,const string & message,const AuthorizationSet & in_params,AuthorizationSet * out_params)822     string EncryptMessage(const HidlBuf& key_blob, const string& message,
823                           const AuthorizationSet& in_params, AuthorizationSet* out_params) {
824         SCOPED_TRACE("EncryptMessage");
825         return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params);
826     }
827 
EncryptMessage(const string & message,const AuthorizationSet & params,AuthorizationSet * out_params)828     string EncryptMessage(const string& message, const AuthorizationSet& params,
829                           AuthorizationSet* out_params) {
830         SCOPED_TRACE("EncryptMessage");
831         return EncryptMessage(key_blob_, message, params, out_params);
832     }
833 
EncryptMessage(const string & message,const AuthorizationSet & params)834     string EncryptMessage(const string& message, const AuthorizationSet& params) {
835         SCOPED_TRACE("EncryptMessage");
836         AuthorizationSet out_params;
837         string ciphertext = EncryptMessage(message, params, &out_params);
838         EXPECT_TRUE(out_params.empty())
839             << "Output params should be empty. Contained: " << out_params;
840         return ciphertext;
841     }
842 
DecryptMessage(const HidlBuf & key_blob,const string & ciphertext,const AuthorizationSet & params)843     string DecryptMessage(const HidlBuf& key_blob, const string& ciphertext,
844                           const AuthorizationSet& params) {
845         SCOPED_TRACE("DecryptMessage");
846         AuthorizationSet out_params;
847         string plaintext =
848             ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params);
849         EXPECT_TRUE(out_params.empty());
850         return plaintext;
851     }
852 
DecryptMessage(const string & ciphertext,const AuthorizationSet & params)853     string DecryptMessage(const string& ciphertext, const AuthorizationSet& params) {
854         SCOPED_TRACE("DecryptMessage");
855         return DecryptMessage(key_blob_, ciphertext, params);
856     }
857 
858     template <TagType tag_type, Tag tag, typename ValueT>
CheckKm0CryptoParam(TypedTag<tag_type,tag> ttag,ValueT expected)859     void CheckKm0CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
860         SCOPED_TRACE("CheckKm0CryptoParam");
861         if (is_secure_) {
862             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
863             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
864         } else {
865             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
866             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
867         }
868     }
869 
870     template <TagType tag_type, Tag tag, typename ValueT>
CheckKm1CryptoParam(TypedTag<tag_type,tag> ttag,ValueT expected)871     void CheckKm1CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
872         SCOPED_TRACE("CheckKm1CryptoParam");
873         if (is_secure_ && supports_symmetric_) {
874             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
875             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
876         } else {
877             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
878             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
879         }
880     }
881 
882     template <TagType tag_type, Tag tag, typename ValueT>
CheckKm2CryptoParam(TypedTag<tag_type,tag> ttag,ValueT expected)883     void CheckKm2CryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
884         SCOPED_TRACE("CheckKm2CryptoParam");
885         if (supports_attestation_) {
886             EXPECT_TRUE(contains(key_characteristics_.teeEnforced, ttag, expected));
887             EXPECT_FALSE(contains(key_characteristics_.softwareEnforced, ttag));
888         } else if (!supports_symmetric_ /* KM version < 1 or SW */) {
889             EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, ttag, expected));
890             EXPECT_FALSE(contains(key_characteristics_.teeEnforced, ttag));
891         }
892     }
893 
CheckOrigin(bool asymmetric=false)894     void CheckOrigin(bool asymmetric = false) {
895         SCOPED_TRACE("CheckOrigin");
896         if (is_secure_ && supports_symmetric_) {
897             EXPECT_TRUE(
898                 contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
899         } else if (is_secure_) {
900             // wrapped KM0
901             if (asymmetric) {
902                 EXPECT_TRUE(
903                     contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
904             } else {
905                 EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
906                                      KeyOrigin::IMPORTED));
907             }
908         } else {
909             EXPECT_TRUE(
910                 contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
911         }
912     }
913 
IsSecure()914     bool IsSecure() { return is_secure_; }
SupportsEc()915     bool SupportsEc() { return supports_ec_; }
SupportsSymmetric()916     bool SupportsSymmetric() { return supports_symmetric_; }
SupportsAllDigests()917     bool SupportsAllDigests() { return supports_all_digests_; }
SupportsAttestation()918     bool SupportsAttestation() { return supports_attestation_; }
919 
Km2Profile()920     bool Km2Profile() {
921         return SupportsAttestation() && SupportsAllDigests() && SupportsSymmetric() &&
922                SupportsEc() && IsSecure();
923     }
924 
Km1Profile()925     bool Km1Profile() {
926         return !SupportsAttestation() && SupportsSymmetric() && SupportsEc() && IsSecure();
927     }
928 
Km0Profile()929     bool Km0Profile() {
930         return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() &&
931                IsSecure();
932     }
933 
SwOnlyProfile()934     bool SwOnlyProfile() {
935         return !SupportsAttestation() && !SupportsAllDigests() && !SupportsSymmetric() &&
936                !SupportsEc() && !IsSecure();
937     }
938 
verify_attestation_record(const string & challenge,const string & app_id,AuthorizationSet expected_sw_enforced,AuthorizationSet expected_tee_enforced,const hidl_vec<uint8_t> & attestation_cert)939     bool verify_attestation_record(const string& challenge, const string& app_id,
940                                    AuthorizationSet expected_sw_enforced,
941                                    AuthorizationSet expected_tee_enforced,
942                                    const hidl_vec<uint8_t>& attestation_cert) {
943         X509_Ptr cert(parse_cert_blob(attestation_cert));
944         EXPECT_TRUE(!!cert.get());
945         if (!cert.get()) return false;
946 
947         ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
948         EXPECT_TRUE(!!attest_rec);
949         if (!attest_rec) return false;
950 
951         AuthorizationSet att_sw_enforced;
952         AuthorizationSet att_tee_enforced;
953         uint32_t att_attestation_version;
954         uint32_t att_keymaster_version;
955         SecurityLevel att_attestation_security_level;
956         SecurityLevel att_keymaster_security_level;
957         HidlBuf att_challenge;
958         HidlBuf att_unique_id;
959         HidlBuf att_app_id;
960         EXPECT_EQ(ErrorCode::OK,
961                   parse_attestation_record(attest_rec->data,                 //
962                                            attest_rec->length,               //
963                                            &att_attestation_version,         //
964                                            &att_attestation_security_level,  //
965                                            &att_keymaster_version,           //
966                                            &att_keymaster_security_level,    //
967                                            &att_challenge,                   //
968                                            &att_sw_enforced,                 //
969                                            &att_tee_enforced,                //
970                                            &att_unique_id));
971 
972         EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2);
973 
974         expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id));
975 
976         if (!IsSecure()) {
977             // SW is KM3
978             EXPECT_EQ(att_keymaster_version, 3U);
979         }
980 
981         if (SupportsSymmetric()) {
982             EXPECT_GE(att_keymaster_version, 1U);
983         }
984 
985         if (SupportsAttestation()) {
986             EXPECT_GE(att_keymaster_version, 2U);
987         }
988 
989         EXPECT_EQ(IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT : SecurityLevel::SOFTWARE,
990                   att_keymaster_security_level);
991         EXPECT_EQ(SupportsAttestation() ? SecurityLevel::TRUSTED_ENVIRONMENT
992                                         : SecurityLevel::SOFTWARE,
993                   att_attestation_security_level);
994 
995         EXPECT_EQ(challenge.length(), att_challenge.size());
996         EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length()));
997 
998         att_sw_enforced.Sort();
999         expected_sw_enforced.Sort();
1000         EXPECT_EQ(filter_tags(expected_sw_enforced), filter_tags(att_sw_enforced))
1001                 << "(Possibly b/38394619)";
1002 
1003         att_tee_enforced.Sort();
1004         expected_tee_enforced.Sort();
1005         EXPECT_EQ(filter_tags(expected_tee_enforced), filter_tags(att_tee_enforced))
1006                 << "(Possibly b/38394619)";
1007 
1008         return true;
1009     }
1010 
1011     HidlBuf key_blob_;
1012     KeyCharacteristics key_characteristics_;
1013     OperationHandle op_handle_ = kOpHandleSentinel;
1014 
1015   private:
1016     sp<IKeymasterDevice> keymaster_;
1017     uint32_t os_version_;
1018     uint32_t os_patch_level_;
1019 
1020     bool is_secure_;
1021     bool supports_ec_;
1022     bool supports_symmetric_;
1023     bool supports_attestation_;
1024     bool supports_all_digests_;
1025     hidl_string name_;
1026     hidl_string author_;
1027 };
1028 
1029 typedef KeymasterHidlTest KeymasterVersionTest;
1030 
1031 /*
1032  * KeymasterVersionTest.SensibleFeatures:
1033  *
1034  * Queries keymaster to find the set of features it supports. Fails if the combination doesn't
1035  * correspond to any well-defined keymaster version.
1036  */
TEST_P(KeymasterVersionTest,SensibleFeatures)1037 TEST_P(KeymasterVersionTest, SensibleFeatures) {
1038     EXPECT_TRUE(Km2Profile() || Km1Profile() || Km0Profile() || SwOnlyProfile())
1039         << "Keymaster feature set doesn't fit any reasonable profile.  Reported features:"
1040         << "SupportsAttestation [" << SupportsAttestation() << "], "
1041         << "SupportsSymmetric [" << SupportsSymmetric() << "], "
1042         << "SupportsAllDigests [" << SupportsAllDigests() << "], "
1043         << "SupportsEc [" << SupportsEc() << "], "
1044         << "IsSecure [" << IsSecure() << "]";
1045 }
1046 
1047 class NewKeyGenerationTest : public KeymasterHidlTest {
1048   protected:
CheckBaseParams(const KeyCharacteristics & keyCharacteristics,bool asymmetric=false)1049     void CheckBaseParams(const KeyCharacteristics& keyCharacteristics, bool asymmetric = false) {
1050         // TODO(swillden): Distinguish which params should be in which auth list.
1051 
1052         AuthorizationSet auths(keyCharacteristics.teeEnforced);
1053         auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
1054 
1055         if (IsSecure() && !SupportsSymmetric() && asymmetric) {
1056             EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::UNKNOWN));
1057         } else {
1058             EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
1059         }
1060 
1061         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
1062         EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
1063         EXPECT_TRUE(auths.Contains(TAG_USER_ID, 7))
1064             << "User ID should be 7, was " << auths.GetTagValue(TAG_USER_ID);
1065 
1066         // Verify that App ID, App data and ROT are NOT included.
1067         EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
1068         EXPECT_FALSE(auths.Contains(TAG_APPLICATION_ID));
1069         EXPECT_FALSE(auths.Contains(TAG_APPLICATION_DATA));
1070 
1071         // Check that some unexpected tags/values are NOT present.
1072         EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
1073         EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));
1074         EXPECT_FALSE(auths.Contains(TAG_AUTH_TIMEOUT, 301));
1075 
1076         // Now check that unspecified, defaulted tags are correct.
1077         EXPECT_TRUE(auths.Contains(TAG_CREATION_DATETIME));
1078 
1079         if (SupportsAttestation()) {
1080             EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version()))
1081                 << "OS version is " << os_version() << " key reported "
1082                 << auths.GetTagValue(TAG_OS_VERSION);
1083             EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level()))
1084                 << "OS patch level is " << os_patch_level() << " key reported "
1085                 << auths.GetTagValue(TAG_OS_PATCHLEVEL);
1086         }
1087     }
1088 };
1089 
1090 /*
1091  * NewKeyGenerationTest.Rsa
1092  *
1093  * Verifies that keymaster can generate all required RSA key sizes, and that the resulting keys have
1094  * correct characteristics.
1095  */
TEST_P(NewKeyGenerationTest,Rsa)1096 TEST_P(NewKeyGenerationTest, Rsa) {
1097     for (auto key_size : {1024, 2048, 3072, 4096}) {
1098         HidlBuf key_blob;
1099         KeyCharacteristics key_characteristics;
1100         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1101                                                  .RsaSigningKey(key_size, 3)
1102                                                  .Digest(Digest::NONE)
1103                                                  .Padding(PaddingMode::NONE)
1104                                                  .Authorizations(UserAuths()),
1105                                              &key_blob, &key_characteristics));
1106 
1107         ASSERT_GT(key_blob.size(), 0U);
1108         CheckBaseParams(key_characteristics, true /* asymmetric */);
1109 
1110         AuthorizationSet crypto_params;
1111         if (IsSecure()) {
1112             crypto_params = key_characteristics.teeEnforced;
1113         } else {
1114             crypto_params = key_characteristics.softwareEnforced;
1115         }
1116 
1117         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, KM_ALGORITHM_RSA));
1118         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size));
1119         EXPECT_TRUE(crypto_params.Contains(TAG_RSA_PUBLIC_EXPONENT, 3));
1120 
1121         CheckedDeleteKey(&key_blob);
1122     }
1123 }
1124 
1125 /*
1126  * NewKeyGenerationTest.RsaNoDefaultSize
1127  *
1128  * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE.
1129  */
TEST_P(NewKeyGenerationTest,RsaNoDefaultSize)1130 TEST_P(NewKeyGenerationTest, RsaNoDefaultSize) {
1131     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1132               GenerateKey(AuthorizationSetBuilder()
1133                               .Authorization(TAG_ALGORITHM, Algorithm::RSA)
1134                               .Authorization(TAG_RSA_PUBLIC_EXPONENT, 3)
1135                               .SigningKey()));
1136 }
1137 
1138 /*
1139  * NewKeyGenerationTest.Ecdsa
1140  *
1141  * Verifies that keymaster can generate all required EC key sizes, and that the resulting keys have
1142  * correct characteristics.
1143  */
TEST_P(NewKeyGenerationTest,Ecdsa)1144 TEST_P(NewKeyGenerationTest, Ecdsa) {
1145     for (auto key_size : {224, 256, 384, 521}) {
1146         HidlBuf key_blob;
1147         KeyCharacteristics key_characteristics;
1148         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1149                                                  .EcdsaSigningKey(key_size)
1150                                                  .Digest(Digest::NONE)
1151                                                  .Authorizations(UserAuths()),
1152                                              &key_blob, &key_characteristics));
1153         ASSERT_GT(key_blob.size(), 0U);
1154         CheckBaseParams(key_characteristics, true /* asymmetric */);
1155 
1156         AuthorizationSet crypto_params;
1157         if (IsSecure()) {
1158             crypto_params = key_characteristics.teeEnforced;
1159         } else {
1160             crypto_params = key_characteristics.softwareEnforced;
1161         }
1162 
1163         EXPECT_TRUE(crypto_params.Contains(TAG_ALGORITHM, Algorithm::EC));
1164         EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size));
1165 
1166         CheckedDeleteKey(&key_blob);
1167     }
1168 }
1169 
1170 /*
1171  * NewKeyGenerationTest.EcdsaDefaultSize
1172  *
1173  * Verifies that failing to specify a key size for EC key generation returns UNSUPPORTED_KEY_SIZE.
1174  */
TEST_P(NewKeyGenerationTest,EcdsaDefaultSize)1175 TEST_P(NewKeyGenerationTest, EcdsaDefaultSize) {
1176     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1177               GenerateKey(AuthorizationSetBuilder()
1178                               .Authorization(TAG_ALGORITHM, Algorithm::EC)
1179                               .SigningKey()
1180                               .Digest(Digest::NONE)));
1181 }
1182 
1183 /*
1184  * NewKeyGenerationTest.EcdsaInvalidSize
1185  *
1186  * Verifies that failing to specify an invalid key size for EC key generation returns
1187  * UNSUPPORTED_KEY_SIZE.
1188  */
TEST_P(NewKeyGenerationTest,EcdsaInvalidSize)1189 TEST_P(NewKeyGenerationTest, EcdsaInvalidSize) {
1190     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1191               GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE)));
1192 }
1193 
1194 /*
1195  * NewKeyGenerationTest.EcdsaMismatchKeySize
1196  *
1197  * Verifies that specifying mismatched key size and curve for EC key generation returns
1198  * INVALID_ARGUMENT.
1199  */
TEST_P(NewKeyGenerationTest,EcdsaMismatchKeySize)1200 TEST_P(NewKeyGenerationTest, EcdsaMismatchKeySize) {
1201     ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
1202               GenerateKey(AuthorizationSetBuilder()
1203                               .EcdsaSigningKey(224)
1204                               .Authorization(TAG_EC_CURVE, EcCurve::P_256)
1205                               .Digest(Digest::NONE)))
1206         << "(Possibly b/36233343)";
1207 }
1208 
TEST_P(NewKeyGenerationTest,EcdsaAllValidSizes)1209 TEST_P(NewKeyGenerationTest, EcdsaAllValidSizes) {
1210     size_t valid_sizes[] = {224, 256, 384, 521};
1211     for (size_t size : valid_sizes) {
1212         EXPECT_EQ(ErrorCode::OK,
1213                   GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE)))
1214             << "Failed to generate size: " << size;
1215         CheckedDeleteKey();
1216     }
1217 }
1218 
1219 /*
1220  * NewKeyGenerationTest.EcdsaAllValidCurves
1221  *
1222  * Verifies that keymaster supports all required EC curves.
1223  */
TEST_P(NewKeyGenerationTest,EcdsaAllValidCurves)1224 TEST_P(NewKeyGenerationTest, EcdsaAllValidCurves) {
1225     EcCurve curves[] = {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
1226     for (auto curve : curves) {
1227         EXPECT_EQ(
1228             ErrorCode::OK,
1229             GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512)))
1230             << "Failed to generate key on curve: " << curve;
1231         CheckedDeleteKey();
1232     }
1233 }
1234 
1235 /*
1236  * NewKeyGenerationTest.Hmac
1237  *
1238  * Verifies that keymaster supports all required digests, and that the resulting keys have correct
1239  * characteristics.
1240  */
TEST_P(NewKeyGenerationTest,Hmac)1241 TEST_P(NewKeyGenerationTest, Hmac) {
1242     for (auto digest : {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256,
1243                         Digest::SHA_2_384, Digest::SHA_2_512}) {
1244         HidlBuf key_blob;
1245         KeyCharacteristics key_characteristics;
1246         constexpr size_t key_size = 128;
1247         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1248                                                  .HmacKey(key_size)
1249                                                  .Digest(digest)
1250                                                  .Authorization(TAG_MIN_MAC_LENGTH, 128)
1251                                                  .Authorizations(UserAuths()),
1252                                              &key_blob, &key_characteristics));
1253 
1254         ASSERT_GT(key_blob.size(), 0U);
1255         CheckBaseParams(key_characteristics);
1256 
1257         AuthorizationSet teeEnforced = key_characteristics.teeEnforced;
1258         AuthorizationSet softwareEnforced = key_characteristics.softwareEnforced;
1259         if (SupportsAttestation() || SupportsAllDigests()) {
1260             // Either KM2, which must support all, or KM1 that claims full support
1261             EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1262             EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size));
1263         } else if (SupportsSymmetric()) {
1264             if (digest == Digest::SHA1 || digest == Digest::SHA_2_256) {
1265                 // KM1 must support SHA1 and SHA256 in hardware
1266                 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1267                 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size));
1268             } else {
1269                 // Othere digests may or may not be supported
1270                 EXPECT_TRUE(teeEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC) ||
1271                             softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1272                 EXPECT_TRUE(teeEnforced.Contains(TAG_KEY_SIZE, key_size) ||
1273                             softwareEnforced.Contains(TAG_KEY_SIZE, key_size));
1274             }
1275         } else {
1276             // KM0 and SW KM do all digests in SW.
1277             EXPECT_TRUE(softwareEnforced.Contains(TAG_ALGORITHM, Algorithm::HMAC));
1278             EXPECT_TRUE(softwareEnforced.Contains(TAG_KEY_SIZE, key_size));
1279         }
1280 
1281         CheckedDeleteKey(&key_blob);
1282     }
1283 }
1284 
1285 /*
1286  * NewKeyGenerationTest.HmacCheckKeySizes
1287  *
1288  * Verifies that keymaster supports all key sizes, and rejects all invalid key sizes.
1289  */
TEST_P(NewKeyGenerationTest,HmacCheckKeySizes)1290 TEST_P(NewKeyGenerationTest, HmacCheckKeySizes) {
1291     for (size_t key_size = 0; key_size <= 512; ++key_size) {
1292         if (key_size < 64 || key_size % 8 != 0) {
1293             // To keep this test from being very slow, we only test a random fraction of non-byte
1294             // key sizes.  We test only ~10% of such cases. Since there are 392 of them, we expect
1295             // to run ~40 of them in each run.
1296             if (key_size % 8 == 0 || random() % 10 == 0) {
1297                 EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
1298                           GenerateKey(AuthorizationSetBuilder()
1299                                           .HmacKey(key_size)
1300                                           .Digest(Digest::SHA_2_256)
1301                                           .Authorization(TAG_MIN_MAC_LENGTH, 256)))
1302                     << "HMAC key size " << key_size << " invalid (Possibly b/33462346)";
1303             }
1304         } else {
1305             EXPECT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1306                                                      .HmacKey(key_size)
1307                                                      .Digest(Digest::SHA_2_256)
1308                                                      .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1309             CheckedDeleteKey();
1310         }
1311     }
1312 }
1313 
1314 /*
1315  * NewKeyGenerationTest.HmacCheckMinMacLengths
1316  *
1317  * Verifies that keymaster supports all required MAC lengths and rejects all invalid lengths.  This
1318  * test is probabilistic in order to keep the runtime down, but any failure prints out the specific
1319  * MAC length that failed, so reproducing a failed run will be easy.
1320  */
TEST_P(NewKeyGenerationTest,HmacCheckMinMacLengths)1321 TEST_P(NewKeyGenerationTest, HmacCheckMinMacLengths) {
1322     for (size_t min_mac_length = 0; min_mac_length <= 256; ++min_mac_length) {
1323         if (min_mac_length < 64 || min_mac_length % 8 != 0) {
1324             // To keep this test from being very long, we only test a random fraction of non-byte
1325             // lengths.  We test only ~10% of such cases. Since there are 172 of them, we expect to
1326             // run ~17 of them in each run.
1327             if (min_mac_length % 8 == 0 || random() % 10 == 0) {
1328                 EXPECT_EQ(ErrorCode::UNSUPPORTED_MIN_MAC_LENGTH,
1329                           GenerateKey(AuthorizationSetBuilder()
1330                                           .HmacKey(128)
1331                                           .Digest(Digest::SHA_2_256)
1332                                           .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)))
1333                     << "HMAC min mac length " << min_mac_length << " invalid.";
1334             }
1335         } else {
1336             EXPECT_EQ(ErrorCode::OK,
1337                       GenerateKey(AuthorizationSetBuilder()
1338                                       .HmacKey(128)
1339                                       .Digest(Digest::SHA_2_256)
1340                                       .Authorization(TAG_MIN_MAC_LENGTH, min_mac_length)));
1341             CheckedDeleteKey();
1342         }
1343     }
1344 }
1345 
1346 /*
1347  * NewKeyGenerationTest.HmacMultipleDigests
1348  *
1349  * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms.
1350  */
TEST_P(NewKeyGenerationTest,HmacMultipleDigests)1351 TEST_P(NewKeyGenerationTest, HmacMultipleDigests) {
1352     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1353               GenerateKey(AuthorizationSetBuilder()
1354                               .HmacKey(128)
1355                               .Digest(Digest::SHA1)
1356                               .Digest(Digest::SHA_2_256)
1357                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1358 }
1359 
1360 /*
1361  * NewKeyGenerationTest.HmacDigestNone
1362  *
1363  * Verifies that keymaster rejects HMAC key generation with no digest or Digest::NONE
1364  */
TEST_P(NewKeyGenerationTest,HmacDigestNone)1365 TEST_P(NewKeyGenerationTest, HmacDigestNone) {
1366     ASSERT_EQ(
1367         ErrorCode::UNSUPPORTED_DIGEST,
1368         GenerateKey(AuthorizationSetBuilder().HmacKey(128).Authorization(TAG_MIN_MAC_LENGTH, 128)));
1369 
1370     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1371               GenerateKey(AuthorizationSetBuilder()
1372                               .HmacKey(128)
1373                               .Digest(Digest::NONE)
1374                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1375 }
1376 
1377 typedef KeymasterHidlTest GetKeyCharacteristicsTest;
1378 
1379 /*
1380  * GetKeyCharacteristicsTest.HmacDigestNone
1381  *
1382  * Verifies that getKeyCharacteristics functions, and that generated and retrieved key
1383  * characteristics match.
1384  */
TEST_P(GetKeyCharacteristicsTest,SimpleRsa)1385 TEST_P(GetKeyCharacteristicsTest, SimpleRsa) {
1386     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1387                                              .RsaSigningKey(1024, 3)
1388                                              .Digest(Digest::NONE)
1389                                              .Padding(PaddingMode::NONE)));
1390 
1391     KeyCharacteristics retrieved_chars;
1392     ASSERT_EQ(ErrorCode::OK, GetCharacteristics(key_blob_, &retrieved_chars));
1393 
1394     AuthorizationSet gen_sw = key_characteristics_.softwareEnforced;
1395     AuthorizationSet gen_tee = key_characteristics_.teeEnforced;
1396     AuthorizationSet retrieved_sw = retrieved_chars.softwareEnforced;
1397     AuthorizationSet retrieved_tee = retrieved_chars.teeEnforced;
1398 
1399     EXPECT_EQ(gen_sw, retrieved_sw);
1400     EXPECT_EQ(gen_tee, retrieved_tee);
1401 }
1402 
1403 typedef KeymasterHidlTest SigningOperationsTest;
1404 
1405 /*
1406  * SigningOperationsTest.RsaSuccess
1407  *
1408  * Verifies that raw RSA signature operations succeed.
1409  */
TEST_P(SigningOperationsTest,RsaSuccess)1410 TEST_P(SigningOperationsTest, RsaSuccess) {
1411     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1412                                              .RsaSigningKey(1024, 3)
1413                                              .Digest(Digest::NONE)
1414                                              .Padding(PaddingMode::NONE)
1415                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
1416     string message = "12345678901234567890123456789012";
1417     string signature = SignMessage(
1418         message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1419 }
1420 
1421 /*
1422  * SigningOperationsTest.RsaPssSha256Success
1423  *
1424  * Verifies that RSA-PSS signature operations succeed.
1425  */
TEST_P(SigningOperationsTest,RsaPssSha256Success)1426 TEST_P(SigningOperationsTest, RsaPssSha256Success) {
1427     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1428                                              .RsaSigningKey(1024, 3)
1429                                              .Digest(Digest::SHA_2_256)
1430                                              .Padding(PaddingMode::RSA_PSS)
1431                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
1432     // Use large message, which won't work without digesting.
1433     string message(1024, 'a');
1434     string signature = SignMessage(
1435         message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS));
1436 }
1437 
1438 /*
1439  * SigningOperationsTest.RsaPaddingNoneDoesNotAllowOther
1440  *
1441  * Verifies that keymaster rejects signature operations that specify a padding mode when the key
1442  * supports only unpadded operations.
1443  */
TEST_P(SigningOperationsTest,RsaPaddingNoneDoesNotAllowOther)1444 TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
1445     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1446                                              .RsaSigningKey(1024, 3)
1447                                              .Digest(Digest::NONE)
1448                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1449                                              .Padding(PaddingMode::NONE)));
1450     string message = "12345678901234567890123456789012";
1451     string signature;
1452 
1453     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE,
1454               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1455                                           .Digest(Digest::NONE)
1456                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1457 }
1458 
1459 /*
1460  * SigningOperationsTest.RsaPkcs1Sha256Success
1461  *
1462  * Verifies that digested RSA-PKCS1 signature operations succeed.
1463  */
TEST_P(SigningOperationsTest,RsaPkcs1Sha256Success)1464 TEST_P(SigningOperationsTest, RsaPkcs1Sha256Success) {
1465     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1466                                              .RsaSigningKey(1024, 3)
1467                                              .Digest(Digest::SHA_2_256)
1468                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1469                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1470     string message(1024, 'a');
1471     string signature = SignMessage(message, AuthorizationSetBuilder()
1472                                                 .Digest(Digest::SHA_2_256)
1473                                                 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
1474 }
1475 
1476 /*
1477  * SigningOperationsTest.RsaPkcs1NoDigestSuccess
1478  *
1479  * Verifies that undigested RSA-PKCS1 signature operations succeed.
1480  */
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestSuccess)1481 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestSuccess) {
1482     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1483                                              .RsaSigningKey(1024, 3)
1484                                              .Digest(Digest::NONE)
1485                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1486                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1487     string message(53, 'a');
1488     string signature = SignMessage(
1489         message,
1490         AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PKCS1_1_5_SIGN));
1491 }
1492 
1493 /*
1494  * SigningOperationsTest.RsaPkcs1NoDigestTooLarge
1495  *
1496  * Verifies that undigested RSA-PKCS1 signature operations fail with the correct error code when
1497  * given a too-long message.
1498  */
TEST_P(SigningOperationsTest,RsaPkcs1NoDigestTooLong)1499 TEST_P(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
1500     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1501                                              .RsaSigningKey(1024, 3)
1502                                              .Digest(Digest::NONE)
1503                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1504                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1505     string message(129, 'a');
1506 
1507     EXPECT_EQ(ErrorCode::OK,
1508               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1509                                           .Digest(Digest::NONE)
1510                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1511     string signature;
1512     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &signature));
1513 }
1514 
1515 /*
1516  * SigningOperationsTest.RsaPssSha512TooSmallKey
1517  *
1518  * Verifies that undigested RSA-PSS signature operations fail with the correct error code when
1519  * used with a key that is too small for the message.
1520  *
1521  * A PSS-padded message is of length salt_size + digest_size + 16 (sizes in bits), and the keymaster
1522  * specification requires that salt_size == digest_size, so the message will be digest_size * 2 +
1523  * 16. Such a message can only be signed by a given key if the key is at least that size. This test
1524  * uses SHA512, which has a digest_size == 512, so the message size is 1040 bits, too large for a
1525  * 1024-bit key.
1526  */
TEST_P(SigningOperationsTest,RsaPssSha512TooSmallKey)1527 TEST_P(SigningOperationsTest, RsaPssSha512TooSmallKey) {
1528     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1529                                              .RsaSigningKey(1024, 3)
1530                                              .Digest(Digest::SHA_2_512)
1531                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1532                                              .Padding(PaddingMode::RSA_PSS)));
1533     EXPECT_EQ(
1534         ErrorCode::INCOMPATIBLE_DIGEST,
1535         Begin(KeyPurpose::SIGN,
1536               AuthorizationSetBuilder().Digest(Digest::SHA_2_512).Padding(PaddingMode::RSA_PSS)))
1537         << "(Possibly b/33346750)";
1538 }
1539 
1540 /*
1541  * SigningOperationsTest.RsaNoPaddingTooLong
1542  *
1543  * Verifies that raw RSA signature operations fail with the correct error code when
1544  * given a too-long message.
1545  */
TEST_P(SigningOperationsTest,RsaNoPaddingTooLong)1546 TEST_P(SigningOperationsTest, RsaNoPaddingTooLong) {
1547     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1548                                              .RsaSigningKey(1024, 3)
1549                                              .Digest(Digest::NONE)
1550                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1551                                              .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1552     // One byte too long
1553     string message(1024 / 8 + 1, 'a');
1554     ASSERT_EQ(ErrorCode::OK,
1555               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1556                                           .Digest(Digest::NONE)
1557                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1558     string result;
1559     ErrorCode finish_error_code = Finish(message, &result);
1560     EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1561                 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1562 
1563     // Very large message that should exceed the transfer buffer size of any reasonable TEE.
1564     message = string(128 * 1024, 'a');
1565     ASSERT_EQ(ErrorCode::OK,
1566               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1567                                           .Digest(Digest::NONE)
1568                                           .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
1569     finish_error_code = Finish(message, &result);
1570     EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
1571                 finish_error_code == ErrorCode::INVALID_ARGUMENT);
1572 }
1573 
1574 /*
1575  * SigningOperationsTest.RsaAbort
1576  *
1577  * Verifies that operations can be aborted correctly.  Uses an RSA signing operation for the test,
1578  * but the behavior should be algorithm and purpose-independent.
1579  */
TEST_P(SigningOperationsTest,RsaAbort)1580 TEST_P(SigningOperationsTest, RsaAbort) {
1581     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1582                                              .RsaSigningKey(1024, 3)
1583                                              .Digest(Digest::NONE)
1584                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1585                                              .Padding(PaddingMode::NONE)));
1586 
1587     ASSERT_EQ(ErrorCode::OK,
1588               Begin(KeyPurpose::SIGN,
1589                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1590     EXPECT_EQ(ErrorCode::OK, Abort(op_handle_));
1591 
1592     // Another abort should fail
1593     EXPECT_EQ(ErrorCode::INVALID_OPERATION_HANDLE, Abort(op_handle_));
1594 
1595     // Set to sentinel, so TearDown() doesn't try to abort again.
1596     op_handle_ = kOpHandleSentinel;
1597 }
1598 
1599 /*
1600  * SigningOperationsTest.RsaUnsupportedPadding
1601  *
1602  * Verifies that RSA operations fail with the correct error (but key gen succeeds) when used with a
1603  * padding mode inappropriate for RSA.
1604  */
TEST_P(SigningOperationsTest,RsaUnsupportedPadding)1605 TEST_P(SigningOperationsTest, RsaUnsupportedPadding) {
1606     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1607                                              .RsaSigningKey(1024, 3)
1608                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1609                                              .Digest(Digest::SHA_2_256 /* supported digest */)
1610                                              .Padding(PaddingMode::PKCS7)));
1611     ASSERT_EQ(
1612         ErrorCode::UNSUPPORTED_PADDING_MODE,
1613         Begin(KeyPurpose::SIGN,
1614               AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::PKCS7)));
1615 }
1616 
1617 /*
1618  * SigningOperationsTest.RsaPssNoDigest
1619  *
1620  * Verifies that RSA PSS operations fail when no digest is used.  PSS requires a digest.
1621  */
TEST_P(SigningOperationsTest,RsaNoDigest)1622 TEST_P(SigningOperationsTest, RsaNoDigest) {
1623     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1624                                              .RsaSigningKey(1024, 3)
1625                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1626                                              .Digest(Digest::NONE)
1627                                              .Padding(PaddingMode::RSA_PSS)));
1628     ASSERT_EQ(ErrorCode::INCOMPATIBLE_DIGEST,
1629               Begin(KeyPurpose::SIGN,
1630                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::RSA_PSS)));
1631 
1632     ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
1633               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Padding(PaddingMode::RSA_PSS)));
1634 }
1635 
1636 /*
1637  * SigningOperationsTest.RsaPssNoDigest
1638  *
1639  * Verifies that RSA operations fail when no padding mode is specified.  PaddingMode::NONE is
1640  * supported in some cases (as validated in other tests), but a mode must be specified.
1641  */
TEST_P(SigningOperationsTest,RsaNoPadding)1642 TEST_P(SigningOperationsTest, RsaNoPadding) {
1643     // Padding must be specified
1644     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1645                                              .RsaKey(1024, 3)
1646                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1647                                              .SigningKey()
1648                                              .Digest(Digest::NONE)));
1649     ASSERT_EQ(ErrorCode::UNSUPPORTED_PADDING_MODE,
1650               Begin(KeyPurpose::SIGN, AuthorizationSetBuilder().Digest(Digest::NONE)));
1651 }
1652 
1653 /*
1654  * SigningOperationsTest.RsaShortMessage
1655  *
1656  * Verifies that raw RSA signatures succeed with a message shorter than the key size.
1657  */
TEST_P(SigningOperationsTest,RsaTooShortMessage)1658 TEST_P(SigningOperationsTest, RsaTooShortMessage) {
1659     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1660                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1661                                              .RsaSigningKey(1024, 3)
1662                                              .Digest(Digest::NONE)
1663                                              .Padding(PaddingMode::NONE)));
1664 
1665     // Barely shorter
1666     string message(1024 / 8 - 1, 'a');
1667     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1668 
1669     // Much shorter
1670     message = "a";
1671     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
1672 }
1673 
1674 /*
1675  * SigningOperationsTest.RsaSignWithEncryptionKey
1676  *
1677  * Verifies that RSA encryption keys cannot be used to sign.
1678  */
TEST_P(SigningOperationsTest,RsaSignWithEncryptionKey)1679 TEST_P(SigningOperationsTest, RsaSignWithEncryptionKey) {
1680     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1681                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1682                                              .RsaEncryptionKey(1024, 3)
1683                                              .Digest(Digest::NONE)
1684                                              .Padding(PaddingMode::NONE)));
1685     ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
1686               Begin(KeyPurpose::SIGN,
1687                     AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE)));
1688 }
1689 
1690 /*
1691  * SigningOperationsTest.RsaSignTooLargeMessage
1692  *
1693  * Verifies that attempting a raw signature of a message which is the same length as the key, but
1694  * numerically larger than the public modulus, fails with the correct error.
1695  */
TEST_P(SigningOperationsTest,RsaSignTooLargeMessage)1696 TEST_P(SigningOperationsTest, RsaSignTooLargeMessage) {
1697     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1698                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1699                                              .RsaSigningKey(1024, 3)
1700                                              .Digest(Digest::NONE)
1701                                              .Padding(PaddingMode::NONE)));
1702 
1703     // Largest possible message will always be larger than the public modulus.
1704     string message(1024 / 8, static_cast<char>(0xff));
1705     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
1706                                                          .Authorization(TAG_NO_AUTH_REQUIRED)
1707                                                          .Digest(Digest::NONE)
1708                                                          .Padding(PaddingMode::NONE)));
1709     string signature;
1710     ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &signature));
1711 }
1712 
1713 /*
1714  * SigningOperationsTest.EcdsaAllSizesAndHashes
1715  *
1716  * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
1717  */
TEST_P(SigningOperationsTest,EcdsaAllSizesAndHashes)1718 TEST_P(SigningOperationsTest, EcdsaAllSizesAndHashes) {
1719     for (auto key_size : {224, 256, 384, 521}) {
1720         for (auto digest : {
1721                  Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
1722                  Digest::SHA_2_512,
1723              }) {
1724             ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1725                                               .Authorization(TAG_NO_AUTH_REQUIRED)
1726                                               .EcdsaSigningKey(key_size)
1727                                               .Digest(digest));
1728             EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with size " << key_size
1729                                             << " and digest " << digest;
1730             if (error != ErrorCode::OK) continue;
1731 
1732             string message(1024, 'a');
1733             if (digest == Digest::NONE) message.resize(key_size / 8);
1734             SignMessage(message, AuthorizationSetBuilder().Digest(digest));
1735             CheckedDeleteKey();
1736         }
1737     }
1738 }
1739 
1740 /*
1741  * SigningOperationsTest.EcdsaAllCurves
1742  *
1743  * Verifies that ECDSA operations succeed with all possible curves.
1744  */
TEST_P(SigningOperationsTest,EcdsaAllCurves)1745 TEST_P(SigningOperationsTest, EcdsaAllCurves) {
1746     for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) {
1747         ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1748                                           .Authorization(TAG_NO_AUTH_REQUIRED)
1749                                           .EcdsaSigningKey(curve)
1750                                           .Digest(Digest::SHA_2_256));
1751         EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate ECDSA key with curve " << curve;
1752         if (error != ErrorCode::OK) continue;
1753 
1754         string message(1024, 'a');
1755         SignMessage(message, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
1756         CheckedDeleteKey();
1757     }
1758 }
1759 
1760 /*
1761  * SigningOperationsTest.EcdsaNoDigestHugeData
1762  *
1763  * Verifies that ECDSA operations support very large messages, even without digesting.  This should
1764  * work because ECDSA actually only signs the leftmost L_n bits of the message, however large it may
1765  * be.  Not using digesting is a bad idea, but in some cases digesting is done by the framework.
1766  */
TEST_P(SigningOperationsTest,EcdsaNoDigestHugeData)1767 TEST_P(SigningOperationsTest, EcdsaNoDigestHugeData) {
1768     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1769                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1770                                              .EcdsaSigningKey(224)
1771                                              .Digest(Digest::NONE)));
1772     string message(2 * 1024, 'a');
1773     SignMessage(message, AuthorizationSetBuilder().Digest(Digest::NONE));
1774 }
1775 
1776 /*
1777  * SigningOperationsTest.AesEcbSign
1778  *
1779  * Verifies that attempts to use AES keys to sign fail in the correct way.
1780  */
TEST_P(SigningOperationsTest,AesEcbSign)1781 TEST_P(SigningOperationsTest, AesEcbSign) {
1782     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1783                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1784                                              .SigningKey()
1785                                              .AesEncryptionKey(128)
1786                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)))
1787         << "(Possibly b/36252957)";
1788 
1789     AuthorizationSet out_params;
1790     EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1791               Begin(KeyPurpose::SIGN, AuthorizationSet() /* in_params */, &out_params))
1792         << "(Possibly b/36233187)";
1793 
1794     EXPECT_EQ(ErrorCode::UNSUPPORTED_PURPOSE,
1795               Begin(KeyPurpose::VERIFY, AuthorizationSet() /* in_params */, &out_params))
1796         << "(Possibly b/36233187)";
1797 }
1798 
1799 /*
1800  * SigningOperationsTest.HmacAllDigests
1801  *
1802  * Verifies that HMAC works with all digests.
1803  */
TEST_P(SigningOperationsTest,HmacAllDigests)1804 TEST_P(SigningOperationsTest, HmacAllDigests) {
1805     for (auto digest : {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
1806                         Digest::SHA_2_512}) {
1807         ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1808                                                  .Authorization(TAG_NO_AUTH_REQUIRED)
1809                                                  .HmacKey(128)
1810                                                  .Digest(digest)
1811                                                  .Authorization(TAG_MIN_MAC_LENGTH, 160)))
1812             << "Failed to create HMAC key with digest " << digest;
1813         string message = "12345678901234567890123456789012";
1814         string signature = MacMessage(message, digest, 160);
1815         EXPECT_EQ(160U / 8U, signature.size())
1816             << "Failed to sign with HMAC key with digest " << digest;
1817         CheckedDeleteKey();
1818     }
1819 }
1820 
1821 /*
1822  * SigningOperationsTest.HmacSha256TooLargeMacLength
1823  *
1824  * Verifies that HMAC fails in the correct way when asked to generate a MAC larger than the digest
1825  * size.
1826  */
TEST_P(SigningOperationsTest,HmacSha256TooLargeMacLength)1827 TEST_P(SigningOperationsTest, HmacSha256TooLargeMacLength) {
1828     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1829                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1830                                              .HmacKey(128)
1831                                              .Digest(Digest::SHA_2_256)
1832                                              .Authorization(TAG_MIN_MAC_LENGTH, 256)));
1833     AuthorizationSet output_params;
1834     EXPECT_EQ(
1835         ErrorCode::UNSUPPORTED_MAC_LENGTH,
1836         Begin(
1837             KeyPurpose::SIGN, key_blob_,
1838             AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 264),
1839             &output_params, &op_handle_));
1840 }
1841 
1842 /*
1843  * SigningOperationsTest.HmacSha256TooSmallMacLength
1844  *
1845  * Verifies that HMAC fails in the correct way when asked to generate a MAC smaller than the
1846  * specified minimum MAC length.
1847  */
TEST_P(SigningOperationsTest,HmacSha256TooSmallMacLength)1848 TEST_P(SigningOperationsTest, HmacSha256TooSmallMacLength) {
1849     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1850                                              .Authorization(TAG_NO_AUTH_REQUIRED)
1851                                              .HmacKey(128)
1852                                              .Digest(Digest::SHA_2_256)
1853                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
1854     AuthorizationSet output_params;
1855     EXPECT_EQ(
1856         ErrorCode::INVALID_MAC_LENGTH,
1857         Begin(
1858             KeyPurpose::SIGN, key_blob_,
1859             AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 120),
1860             &output_params, &op_handle_));
1861 }
1862 
1863 /*
1864  * SigningOperationsTest.HmacRfc4231TestCase3
1865  *
1866  * Validates against the test vectors from RFC 4231 test case 3.
1867  */
TEST_P(SigningOperationsTest,HmacRfc4231TestCase3)1868 TEST_P(SigningOperationsTest, HmacRfc4231TestCase3) {
1869     string key(20, 0xaa);
1870     string message(50, 0xdd);
1871     uint8_t sha_224_expected[] = {
1872         0x7f, 0xb3, 0xcb, 0x35, 0x88, 0xc6, 0xc1, 0xf6, 0xff, 0xa9, 0x69, 0x4d, 0x7d, 0x6a,
1873         0xd2, 0x64, 0x93, 0x65, 0xb0, 0xc1, 0xf6, 0x5d, 0x69, 0xd1, 0xec, 0x83, 0x33, 0xea,
1874     };
1875     uint8_t sha_256_expected[] = {
1876         0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8,
1877         0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8,
1878         0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe,
1879     };
1880     uint8_t sha_384_expected[] = {
1881         0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a, 0x0a, 0xa2, 0xac, 0xe0,
1882         0x14, 0xc8, 0xa8, 0x6f, 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
1883         0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b, 0x2a, 0x5a, 0xb3, 0x9d,
1884         0xc1, 0x38, 0x14, 0xb9, 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27,
1885     };
1886     uint8_t sha_512_expected[] = {
1887         0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84, 0xef, 0xb0, 0xf0, 0x75, 0x6c,
1888         0x89, 0x0b, 0xe9, 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36, 0x55, 0xf8,
1889         0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39, 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22,
1890         0xc8, 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07, 0xb9, 0x46, 0xa3, 0x37,
1891         0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
1892     };
1893 
1894     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1895     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1896     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1897     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1898 }
1899 
1900 /*
1901  * SigningOperationsTest.HmacRfc4231TestCase5
1902  *
1903  * Validates against the test vectors from RFC 4231 test case 5.
1904  */
TEST_P(SigningOperationsTest,HmacRfc4231TestCase5)1905 TEST_P(SigningOperationsTest, HmacRfc4231TestCase5) {
1906     string key(20, 0x0c);
1907     string message = "Test With Truncation";
1908 
1909     uint8_t sha_224_expected[] = {
1910         0x0e, 0x2a, 0xea, 0x68, 0xa9, 0x0c, 0x8d, 0x37,
1911         0xc9, 0x88, 0xbc, 0xdb, 0x9f, 0xca, 0x6f, 0xa8,
1912     };
1913     uint8_t sha_256_expected[] = {
1914         0xa3, 0xb6, 0x16, 0x74, 0x73, 0x10, 0x0e, 0xe0,
1915         0x6e, 0x0c, 0x79, 0x6c, 0x29, 0x55, 0x55, 0x2b,
1916     };
1917     uint8_t sha_384_expected[] = {
1918         0x3a, 0xbf, 0x34, 0xc3, 0x50, 0x3b, 0x2a, 0x23,
1919         0xa4, 0x6e, 0xfc, 0x61, 0x9b, 0xae, 0xf8, 0x97,
1920     };
1921     uint8_t sha_512_expected[] = {
1922         0x41, 0x5f, 0xad, 0x62, 0x71, 0x58, 0x0a, 0x53,
1923         0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
1924     };
1925 
1926     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1927     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1928     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1929     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1930 }
1931 
1932 /*
1933  * SigningOperationsTest.HmacRfc4231TestCase6
1934  *
1935  * Validates against the test vectors from RFC 4231 test case 6.
1936  */
TEST_P(SigningOperationsTest,HmacRfc4231TestCase6)1937 TEST_P(SigningOperationsTest, HmacRfc4231TestCase6) {
1938     string key(131, 0xaa);
1939     string message = "Test Using Larger Than Block-Size Key - Hash Key First";
1940 
1941     uint8_t sha_224_expected[] = {
1942         0x95, 0xe9, 0xa0, 0xdb, 0x96, 0x20, 0x95, 0xad, 0xae, 0xbe, 0x9b, 0x2d, 0x6f, 0x0d,
1943         0xbc, 0xe2, 0xd4, 0x99, 0xf1, 0x12, 0xf2, 0xd2, 0xb7, 0x27, 0x3f, 0xa6, 0x87, 0x0e,
1944     };
1945     uint8_t sha_256_expected[] = {
1946         0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26,
1947         0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28,
1948         0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54,
1949     };
1950     uint8_t sha_384_expected[] = {
1951         0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90, 0x88, 0xd2, 0xc6, 0x3a,
1952         0x04, 0x1b, 0xc5, 0xb4, 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
1953         0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6, 0x0c, 0x2e, 0xf6, 0xab,
1954         0x40, 0x30, 0xfe, 0x82, 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52,
1955     };
1956     uint8_t sha_512_expected[] = {
1957         0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb, 0xb7, 0x14, 0x93, 0xc1, 0xdd,
1958         0x7b, 0xe8, 0xb4, 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1, 0x12, 0x1b,
1959         0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52, 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25,
1960         0x98, 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52, 0x95, 0xe6, 0x4f, 0x73,
1961         0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
1962     };
1963 
1964     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
1965     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
1966     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
1967     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
1968 }
1969 
1970 /*
1971  * SigningOperationsTest.HmacRfc4231TestCase7
1972  *
1973  * Validates against the test vectors from RFC 4231 test case 7.
1974  */
TEST_P(SigningOperationsTest,HmacRfc4231TestCase7)1975 TEST_P(SigningOperationsTest, HmacRfc4231TestCase7) {
1976     string key(131, 0xaa);
1977     string message = "This is a test using a larger than block-size key and a larger than "
1978                      "block-size data. The key needs to be hashed before being used by the HMAC "
1979                      "algorithm.";
1980 
1981     uint8_t sha_224_expected[] = {
1982         0x3a, 0x85, 0x41, 0x66, 0xac, 0x5d, 0x9f, 0x02, 0x3f, 0x54, 0xd5, 0x17, 0xd0, 0xb3,
1983         0x9d, 0xbd, 0x94, 0x67, 0x70, 0xdb, 0x9c, 0x2b, 0x95, 0xc9, 0xf6, 0xf5, 0x65, 0xd1,
1984     };
1985     uint8_t sha_256_expected[] = {
1986         0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f,
1987         0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07,
1988         0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2,
1989     };
1990     uint8_t sha_384_expected[] = {
1991         0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d, 0x35, 0x1e, 0x2f, 0x25,
1992         0x4e, 0x8f, 0xd3, 0x2c, 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
1993         0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5, 0xa6, 0x78, 0xcc, 0x31,
1994         0xe7, 0x99, 0x17, 0x6d, 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e,
1995     };
1996     uint8_t sha_512_expected[] = {
1997         0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba, 0xa4, 0xdf, 0xa9, 0xf9, 0x6e,
1998         0x5e, 0x3f, 0xfd, 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86, 0x5d, 0xf5,
1999         0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44, 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82,
2000         0xb1, 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15, 0x13, 0x46, 0x76, 0xfb,
2001         0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
2002     };
2003 
2004     CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
2005     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
2006     CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
2007     CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
2008 }
2009 
2010 typedef KeymasterHidlTest VerificationOperationsTest;
2011 
2012 /*
2013  * VerificationOperationsTest.RsaSuccess
2014  *
2015  * Verifies that a simple RSA signature/verification sequence succeeds.
2016  */
TEST_P(VerificationOperationsTest,RsaSuccess)2017 TEST_P(VerificationOperationsTest, RsaSuccess) {
2018     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2019                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2020                                              .RsaSigningKey(1024, 3)
2021                                              .Digest(Digest::NONE)
2022                                              .Padding(PaddingMode::NONE)));
2023     string message = "12345678901234567890123456789012";
2024     string signature = SignMessage(
2025         message, AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2026     VerifyMessage(message, signature,
2027                   AuthorizationSetBuilder().Digest(Digest::NONE).Padding(PaddingMode::NONE));
2028 }
2029 
2030 /*
2031  * VerificationOperationsTest.RsaSuccess
2032  *
2033  * Verifies RSA signature/verification for all padding modes and digests.
2034  */
TEST_P(VerificationOperationsTest,RsaAllPaddingsAndDigests)2035 TEST_P(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
2036     ASSERT_EQ(ErrorCode::OK,
2037               GenerateKey(AuthorizationSetBuilder()
2038                               .Authorization(TAG_NO_AUTH_REQUIRED)
2039                               .RsaSigningKey(2048, 3)
2040                               .Digest(Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
2041                                       Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512)
2042                               .Padding(PaddingMode::NONE)
2043                               .Padding(PaddingMode::RSA_PSS)
2044                               .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
2045 
2046     string message(128, 'a');
2047     string corrupt_message(message);
2048     ++corrupt_message[corrupt_message.size() / 2];
2049 
2050     for (auto padding :
2051          {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
2052 
2053         for (auto digest : {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
2054                             Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}) {
2055             if (padding == PaddingMode::NONE && digest != Digest::NONE) {
2056                 // Digesting only makes sense with padding.
2057                 continue;
2058             }
2059 
2060             if (padding == PaddingMode::RSA_PSS && digest == Digest::NONE) {
2061                 // PSS requires digesting.
2062                 continue;
2063             }
2064 
2065             string signature =
2066                 SignMessage(message, AuthorizationSetBuilder().Digest(digest).Padding(padding));
2067             VerifyMessage(message, signature,
2068                           AuthorizationSetBuilder().Digest(digest).Padding(padding));
2069 
2070             if (digest != Digest::NONE) {
2071                 // Verify with OpenSSL.
2072                 HidlBuf pubkey;
2073                 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey));
2074 
2075                 const uint8_t* p = pubkey.data();
2076                 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
2077                 ASSERT_TRUE(pkey.get());
2078 
2079                 EVP_MD_CTX digest_ctx;
2080                 EVP_MD_CTX_init(&digest_ctx);
2081                 EVP_PKEY_CTX* pkey_ctx;
2082                 const EVP_MD* md = openssl_digest(digest);
2083                 ASSERT_NE(md, nullptr);
2084                 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */,
2085                                                   pkey.get()));
2086 
2087                 switch (padding) {
2088                 case PaddingMode::RSA_PSS:
2089                     EXPECT_GT(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING), 0);
2090                     EXPECT_GT(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, EVP_MD_size(md)), 0);
2091                     break;
2092                 case PaddingMode::RSA_PKCS1_1_5_SIGN:
2093                     // PKCS1 is the default; don't need to set anything.
2094                     break;
2095                 default:
2096                     FAIL();
2097                     break;
2098                 }
2099 
2100                 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()));
2101                 EXPECT_EQ(1, EVP_DigestVerifyFinal(
2102                                  &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
2103                                  signature.size()));
2104                 EVP_MD_CTX_cleanup(&digest_ctx);
2105             }
2106 
2107             // Corrupt signature shouldn't verify.
2108             string corrupt_signature(signature);
2109             ++corrupt_signature[corrupt_signature.size() / 2];
2110 
2111             EXPECT_EQ(ErrorCode::OK,
2112                       Begin(KeyPurpose::VERIFY,
2113                             AuthorizationSetBuilder().Digest(digest).Padding(padding)));
2114             string result;
2115             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result));
2116 
2117             // Corrupt message shouldn't verify
2118             EXPECT_EQ(ErrorCode::OK,
2119                       Begin(KeyPurpose::VERIFY,
2120                             AuthorizationSetBuilder().Digest(digest).Padding(padding)));
2121             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result));
2122         }
2123     }
2124 }
2125 
2126 /*
2127  * VerificationOperationsTest.RsaSuccess
2128  *
2129  * Verifies ECDSA signature/verification for all digests and curves.
2130  */
TEST_P(VerificationOperationsTest,EcdsaAllDigestsAndCurves)2131 TEST_P(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
2132     auto digests = {
2133         Digest::NONE,      Digest::SHA1,      Digest::SHA_2_224,
2134         Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512,
2135     };
2136 
2137     string message = "1234567890";
2138     string corrupt_message = "2234567890";
2139     for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) {
2140         ErrorCode error = GenerateKey(AuthorizationSetBuilder()
2141                                           .Authorization(TAG_NO_AUTH_REQUIRED)
2142                                           .EcdsaSigningKey(curve)
2143                                           .Digest(digests));
2144         EXPECT_EQ(ErrorCode::OK, error) << "Failed to generate key for EC curve " << curve;
2145         if (error != ErrorCode::OK) {
2146             continue;
2147         }
2148 
2149         for (auto digest : digests) {
2150             string signature = SignMessage(message, AuthorizationSetBuilder().Digest(digest));
2151             VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(digest));
2152 
2153             // Verify with OpenSSL
2154             if (digest != Digest::NONE) {
2155                 HidlBuf pubkey;
2156                 ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &pubkey))
2157                     << curve << ' ' << digest;
2158 
2159                 const uint8_t* p = pubkey.data();
2160                 EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, pubkey.size()));
2161                 ASSERT_TRUE(pkey.get());
2162 
2163                 EVP_MD_CTX digest_ctx;
2164                 EVP_MD_CTX_init(&digest_ctx);
2165                 EVP_PKEY_CTX* pkey_ctx;
2166                 const EVP_MD* md = openssl_digest(digest);
2167 
2168                 EXPECT_EQ(1, EVP_DigestVerifyInit(&digest_ctx, &pkey_ctx, md, nullptr /* engine */,
2169                                                   pkey.get()))
2170                     << curve << ' ' << digest;
2171 
2172                 EXPECT_EQ(1, EVP_DigestVerifyUpdate(&digest_ctx, message.data(), message.size()))
2173                     << curve << ' ' << digest;
2174 
2175                 EXPECT_EQ(1, EVP_DigestVerifyFinal(
2176                                  &digest_ctx, reinterpret_cast<const uint8_t*>(signature.data()),
2177                                  signature.size()))
2178                     << curve << ' ' << digest;
2179 
2180                 EVP_MD_CTX_cleanup(&digest_ctx);
2181             }
2182 
2183             // Corrupt signature shouldn't verify.
2184             string corrupt_signature(signature);
2185             ++corrupt_signature[corrupt_signature.size() / 2];
2186 
2187             EXPECT_EQ(ErrorCode::OK,
2188                       Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
2189                 << curve << ' ' << digest;
2190 
2191             string result;
2192             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(message, corrupt_signature, &result))
2193                 << curve << ' ' << digest;
2194 
2195             // Corrupt message shouldn't verify
2196             EXPECT_EQ(ErrorCode::OK,
2197                       Begin(KeyPurpose::VERIFY, AuthorizationSetBuilder().Digest(digest)))
2198                 << curve << ' ' << digest;
2199 
2200             EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(corrupt_message, signature, &result))
2201                 << curve << ' ' << digest;
2202         }
2203 
2204         auto rc = DeleteKey();
2205         ASSERT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED);
2206     }
2207 }
2208 
2209 /*
2210  * VerificationOperationsTest.HmacSigningKeyCannotVerify
2211  *
2212  * Verifies HMAC signing and verification, but that a signing key cannot be used to verify.
2213  */
TEST_P(VerificationOperationsTest,HmacSigningKeyCannotVerify)2214 TEST_P(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
2215     string key_material = "HelloThisIsAKey";
2216 
2217     HidlBuf signing_key, verification_key;
2218     KeyCharacteristics signing_key_chars, verification_key_chars;
2219     EXPECT_EQ(ErrorCode::OK,
2220               ImportKey(AuthorizationSetBuilder()
2221                             .Authorization(TAG_NO_AUTH_REQUIRED)
2222                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
2223                             .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
2224                             .Digest(Digest::SHA1)
2225                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
2226                         KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
2227     EXPECT_EQ(ErrorCode::OK,
2228               ImportKey(AuthorizationSetBuilder()
2229                             .Authorization(TAG_NO_AUTH_REQUIRED)
2230                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
2231                             .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
2232                             .Digest(Digest::SHA1)
2233                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
2234                         KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
2235 
2236     string message = "This is a message.";
2237     string signature = SignMessage(
2238         signing_key, message,
2239         AuthorizationSetBuilder().Digest(Digest::SHA1).Authorization(TAG_MAC_LENGTH, 160));
2240 
2241     // Signing key should not work.
2242     AuthorizationSet out_params;
2243     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
2244               Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA1),
2245                     &out_params, &op_handle_));
2246 
2247     // Verification key should work.
2248     VerifyMessage(verification_key, message, signature,
2249                   AuthorizationSetBuilder().Digest(Digest::SHA1));
2250 
2251     CheckedDeleteKey(&signing_key);
2252     CheckedDeleteKey(&verification_key);
2253 }
2254 
2255 typedef KeymasterHidlTest ExportKeyTest;
2256 
2257 /*
2258  * ExportKeyTest.RsaUnsupportedKeyFormat
2259  *
2260  * Verifies that attempting to export RSA keys in PKCS#8 format fails with the correct error.
2261  */
TEST_P(ExportKeyTest,RsaUnsupportedKeyFormat)2262 TEST_P(ExportKeyTest, RsaUnsupportedKeyFormat) {
2263     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2264                                              .RsaSigningKey(1024, 3)
2265                                              .Digest(Digest::NONE)
2266                                              .Padding(PaddingMode::NONE)));
2267     HidlBuf export_data;
2268     ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data));
2269 }
2270 
2271 /*
2272  * ExportKeyTest.RsaCorruptedKeyBlob
2273  *
2274  * Verifies that attempting to export RSA keys from corrupted key blobs fails.  This is essentially
2275  * a poor-man's key blob fuzzer.
2276  */
TEST_P(ExportKeyTest,RsaCorruptedKeyBlob)2277 TEST_P(ExportKeyTest, RsaCorruptedKeyBlob) {
2278     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2279                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2280                                              .RsaSigningKey(1024, 3)
2281                                              .Digest(Digest::NONE)
2282                                              .Padding(PaddingMode::NONE)));
2283     for (size_t i = 0; i < key_blob_.size(); ++i) {
2284         HidlBuf corrupted(key_blob_);
2285         ++corrupted[i];
2286 
2287         HidlBuf export_data;
2288         EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2289                   ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data))
2290             << "Blob corrupted at offset " << i << " erroneously accepted as valid";
2291     }
2292 }
2293 
2294 /*
2295  * ExportKeyTest.RsaCorruptedKeyBlob
2296  *
2297  * Verifies that attempting to export ECDSA keys from corrupted key blobs fails.  This is
2298  * essentially a poor-man's key blob fuzzer.
2299  */
TEST_P(ExportKeyTest,EcCorruptedKeyBlob)2300 TEST_P(ExportKeyTest, EcCorruptedKeyBlob) {
2301     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2302                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2303                                              .EcdsaSigningKey(EcCurve::P_256)
2304                                              .Digest(Digest::NONE)));
2305     for (size_t i = 0; i < key_blob_.size(); ++i) {
2306         HidlBuf corrupted(key_blob_);
2307         ++corrupted[i];
2308 
2309         HidlBuf export_data;
2310         EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB,
2311                   ExportKey(KeyFormat::X509, corrupted, HidlBuf(), HidlBuf(), &export_data))
2312             << "Blob corrupted at offset " << i << " erroneously accepted as valid";
2313     }
2314 }
2315 
2316 /*
2317  * ExportKeyTest.AesKeyUnexportable
2318  *
2319  * Verifies that attempting to export AES keys fails in the expected way.
2320  */
TEST_P(ExportKeyTest,AesKeyUnexportable)2321 TEST_P(ExportKeyTest, AesKeyUnexportable) {
2322     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2323                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2324                                              .AesEncryptionKey(128)
2325                                              .EcbMode()
2326                                              .Padding(PaddingMode::NONE)));
2327 
2328     HidlBuf export_data;
2329     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::X509, &export_data));
2330     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::PKCS8, &export_data));
2331     EXPECT_EQ(ErrorCode::UNSUPPORTED_KEY_FORMAT, ExportKey(KeyFormat::RAW, &export_data));
2332 }
2333 typedef KeymasterHidlTest ImportKeyTest;
2334 
2335 /*
2336  * ImportKeyTest.RsaSuccess
2337  *
2338  * Verifies that importing and using an RSA key pair works correctly.
2339  */
TEST_P(ImportKeyTest,RsaSuccess)2340 TEST_P(ImportKeyTest, RsaSuccess) {
2341     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2342                                            .Authorization(TAG_NO_AUTH_REQUIRED)
2343                                            .RsaSigningKey(1024, 65537)
2344                                            .Digest(Digest::SHA_2_256)
2345                                            .Padding(PaddingMode::RSA_PSS),
2346                                        KeyFormat::PKCS8, rsa_key));
2347 
2348     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::RSA);
2349     CheckKm0CryptoParam(TAG_KEY_SIZE, 1024U);
2350     CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
2351     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2352     CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
2353     CheckOrigin(true /* asymmetric */);
2354 
2355     string message(1024 / 8, 'a');
2356     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
2357     string signature = SignMessage(message, params);
2358     VerifyMessage(message, signature, params);
2359 }
2360 
2361 /*
2362  * ImportKeyTest.RsaKeySizeMismatch
2363  *
2364  * Verifies that importing an RSA key pair with a size that doesn't match the key fails in the
2365  * correct way.
2366  */
TEST_P(ImportKeyTest,RsaKeySizeMismatch)2367 TEST_P(ImportKeyTest, RsaKeySizeMismatch) {
2368     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2369               ImportKey(AuthorizationSetBuilder()
2370                             .RsaSigningKey(2048 /* Doesn't match key */, 65537)
2371                             .Digest(Digest::NONE)
2372                             .Padding(PaddingMode::NONE),
2373                         KeyFormat::PKCS8, rsa_key));
2374 }
2375 
2376 /*
2377  * ImportKeyTest.RsaPublicExponentMismatch
2378  *
2379  * Verifies that importing an RSA key pair with a public exponent that doesn't match the key fails
2380  * in the correct way.
2381  */
TEST_P(ImportKeyTest,RsaPublicExponentMismatch)2382 TEST_P(ImportKeyTest, RsaPublicExponentMismatch) {
2383     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2384               ImportKey(AuthorizationSetBuilder()
2385                             .RsaSigningKey(1024, 3 /* Doesn't match key */)
2386                             .Digest(Digest::NONE)
2387                             .Padding(PaddingMode::NONE),
2388                         KeyFormat::PKCS8, rsa_key));
2389 }
2390 
2391 /*
2392  * ImportKeyTest.EcdsaSuccess
2393  *
2394  * Verifies that importing and using an ECDSA P-256 key pair works correctly.
2395  */
TEST_P(ImportKeyTest,EcdsaSuccess)2396 TEST_P(ImportKeyTest, EcdsaSuccess) {
2397     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2398                                            .Authorization(TAG_NO_AUTH_REQUIRED)
2399                                            .EcdsaSigningKey(256)
2400                                            .Digest(Digest::SHA_2_256),
2401                                        KeyFormat::PKCS8, ec_256_key))
2402         << "(Possibly b/33945114)";
2403 
2404     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC);
2405     CheckKm0CryptoParam(TAG_KEY_SIZE, 256U);
2406     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2407     CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);
2408 
2409     CheckOrigin(true /* asymmetric */);
2410 
2411     string message(32, 'a');
2412     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
2413     string signature = SignMessage(message, params);
2414     VerifyMessage(message, signature, params);
2415 }
2416 
2417 /*
2418  * ImportKeyTest.Ecdsa521Success
2419  *
2420  * Verifies that importing and using an ECDSA P-521 key pair works correctly.
2421  */
TEST_P(ImportKeyTest,Ecdsa521Success)2422 TEST_P(ImportKeyTest, Ecdsa521Success) {
2423     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2424                                            .Authorization(TAG_NO_AUTH_REQUIRED)
2425                                            .EcdsaSigningKey(521)
2426                                            .Digest(Digest::SHA_2_256),
2427                                        KeyFormat::PKCS8, ec_521_key))
2428         << "(Possibly b/33945114)";
2429 
2430     CheckKm0CryptoParam(TAG_ALGORITHM, Algorithm::EC);
2431     CheckKm0CryptoParam(TAG_KEY_SIZE, 521U);
2432     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2433     CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);
2434 
2435     CheckOrigin(true /* asymmetric */);
2436 
2437     string message(32, 'a');
2438     auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
2439     string signature = SignMessage(message, params);
2440     VerifyMessage(message, signature, params);
2441 }
2442 
2443 /*
2444  * ImportKeyTest.EcdsaSizeMismatch
2445  *
2446  * Verifies that importing an ECDSA key pair with a size that doesn't match the key fails in the
2447  * correct way.
2448  */
TEST_P(ImportKeyTest,EcdsaSizeMismatch)2449 TEST_P(ImportKeyTest, EcdsaSizeMismatch) {
2450     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2451               ImportKey(AuthorizationSetBuilder()
2452                             .EcdsaSigningKey(224 /* Doesn't match key */)
2453                             .Digest(Digest::NONE),
2454                         KeyFormat::PKCS8, ec_256_key));
2455 }
2456 
2457 /*
2458  * ImportKeyTest.EcdsaCurveMismatch
2459  *
2460  * Verifies that importing an ECDSA key pair with a curve that doesn't match the key fails in the
2461  * correct way.
2462  */
TEST_P(ImportKeyTest,EcdsaCurveMismatch)2463 TEST_P(ImportKeyTest, EcdsaCurveMismatch) {
2464     if (SupportsSymmetric() && !SupportsAttestation()) {
2465         // KM1 hardware doesn't know about curves
2466         return;
2467     }
2468 
2469     ASSERT_EQ(ErrorCode::IMPORT_PARAMETER_MISMATCH,
2470               ImportKey(AuthorizationSetBuilder()
2471                             .EcdsaSigningKey(EcCurve::P_224 /* Doesn't match key */)
2472                             .Digest(Digest::NONE),
2473                         KeyFormat::PKCS8, ec_256_key))
2474         << "(Possibly b/36233241)";
2475 }
2476 
2477 /*
2478  * ImportKeyTest.AesSuccess
2479  *
2480  * Verifies that importing and using an AES key works.
2481  */
TEST_P(ImportKeyTest,AesSuccess)2482 TEST_P(ImportKeyTest, AesSuccess) {
2483     string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
2484     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2485                                            .Authorization(TAG_NO_AUTH_REQUIRED)
2486                                            .AesEncryptionKey(key.size() * 8)
2487                                            .EcbMode()
2488                                            .Padding(PaddingMode::PKCS7),
2489                                        KeyFormat::RAW, key));
2490 
2491     CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::AES);
2492     CheckKm1CryptoParam(TAG_KEY_SIZE, 128U);
2493     CheckKm1CryptoParam(TAG_PADDING, PaddingMode::PKCS7);
2494     CheckKm1CryptoParam(TAG_BLOCK_MODE, BlockMode::ECB);
2495     CheckOrigin();
2496 
2497     string message = "Hello World!";
2498     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2499     string ciphertext = EncryptMessage(message, params);
2500     string plaintext = DecryptMessage(ciphertext, params);
2501     EXPECT_EQ(message, plaintext);
2502 }
2503 
2504 /*
2505  * ImportKeyTest.AesSuccess
2506  *
2507  * Verifies that importing and using an HMAC key works.
2508  */
TEST_P(ImportKeyTest,HmacKeySuccess)2509 TEST_P(ImportKeyTest, HmacKeySuccess) {
2510     string key = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
2511     ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
2512                                            .Authorization(TAG_NO_AUTH_REQUIRED)
2513                                            .HmacKey(key.size() * 8)
2514                                            .Digest(Digest::SHA_2_256)
2515                                            .Authorization(TAG_MIN_MAC_LENGTH, 256),
2516                                        KeyFormat::RAW, key));
2517 
2518     CheckKm1CryptoParam(TAG_ALGORITHM, Algorithm::HMAC);
2519     CheckKm1CryptoParam(TAG_KEY_SIZE, 128U);
2520     CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
2521     CheckOrigin();
2522 
2523     string message = "Hello World!";
2524     string signature = MacMessage(message, Digest::SHA_2_256, 256);
2525     VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
2526 }
2527 
2528 typedef KeymasterHidlTest EncryptionOperationsTest;
2529 
2530 /*
2531  * EncryptionOperationsTest.RsaNoPaddingSuccess
2532  *
2533  * Verifies that raw RSA encryption works.
2534  */
TEST_P(EncryptionOperationsTest,RsaNoPaddingSuccess)2535 TEST_P(EncryptionOperationsTest, RsaNoPaddingSuccess) {
2536     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2537                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2538                                              .RsaEncryptionKey(1024, 3)
2539                                              .Padding(PaddingMode::NONE)));
2540 
2541     string message = string(1024 / 8, 'a');
2542     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2543     string ciphertext1 = EncryptMessage(message, params);
2544     EXPECT_EQ(1024U / 8, ciphertext1.size());
2545 
2546     string ciphertext2 = EncryptMessage(message, params);
2547     EXPECT_EQ(1024U / 8, ciphertext2.size());
2548 
2549     // Unpadded RSA is deterministic
2550     EXPECT_EQ(ciphertext1, ciphertext2);
2551 }
2552 
2553 /*
2554  * EncryptionOperationsTest.RsaNoPaddingShortMessage
2555  *
2556  * Verifies that raw RSA encryption of short messages works.
2557  */
TEST_P(EncryptionOperationsTest,RsaNoPaddingShortMessage)2558 TEST_P(EncryptionOperationsTest, RsaNoPaddingShortMessage) {
2559     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2560                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2561                                              .RsaEncryptionKey(1024, 3)
2562                                              .Padding(PaddingMode::NONE)));
2563 
2564     string message = "1";
2565     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2566 
2567     string ciphertext = EncryptMessage(message, params);
2568     EXPECT_EQ(1024U / 8, ciphertext.size());
2569 
2570     string expected_plaintext = string(1024 / 8 - 1, 0) + message;
2571     string plaintext = DecryptMessage(ciphertext, params);
2572 
2573     EXPECT_EQ(expected_plaintext, plaintext);
2574 
2575     // Degenerate case, encrypting a numeric 1 yields 0x00..01 as the ciphertext.
2576     message = static_cast<char>(1);
2577     ciphertext = EncryptMessage(message, params);
2578     EXPECT_EQ(1024U / 8, ciphertext.size());
2579     EXPECT_EQ(ciphertext, string(1024 / 8 - 1, 0) + message);
2580 }
2581 
2582 /*
2583  * EncryptionOperationsTest.RsaNoPaddingTooLong
2584  *
2585  * Verifies that raw RSA encryption of too-long messages fails in the expected way.
2586  */
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooLong)2587 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLong) {
2588     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2589                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2590                                              .RsaEncryptionKey(1024, 3)
2591                                              .Padding(PaddingMode::NONE)));
2592 
2593     string message(1024 / 8 + 1, 'a');
2594 
2595     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2596     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2597 
2598     string result;
2599     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
2600 }
2601 
2602 /*
2603  * EncryptionOperationsTest.RsaNoPaddingTooLarge
2604  *
2605  * Verifies that raw RSA encryption of too-large (numerically) messages fails in the expected way.
2606  */
TEST_P(EncryptionOperationsTest,RsaNoPaddingTooLarge)2607 TEST_P(EncryptionOperationsTest, RsaNoPaddingTooLarge) {
2608     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2609                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2610                                              .RsaEncryptionKey(1024, 3)
2611                                              .Padding(PaddingMode::NONE)));
2612 
2613     HidlBuf exported;
2614     ASSERT_EQ(ErrorCode::OK, ExportKey(KeyFormat::X509, &exported));
2615 
2616     const uint8_t* p = exported.data();
2617     EVP_PKEY_Ptr pkey(d2i_PUBKEY(nullptr /* alloc new */, &p, exported.size()));
2618     RSA_Ptr rsa(EVP_PKEY_get1_RSA(pkey.get()));
2619 
2620     size_t modulus_len = BN_num_bytes(rsa->n);
2621     ASSERT_EQ(1024U / 8, modulus_len);
2622     std::unique_ptr<uint8_t[]> modulus_buf(new uint8_t[modulus_len]);
2623     BN_bn2bin(rsa->n, modulus_buf.get());
2624 
2625     // The modulus is too big to encrypt.
2626     string message(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2627 
2628     auto params = AuthorizationSetBuilder().Padding(PaddingMode::NONE);
2629     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2630 
2631     string result;
2632     EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result));
2633 
2634     // One smaller than the modulus is okay.
2635     BN_sub(rsa->n, rsa->n, BN_value_one());
2636     modulus_len = BN_num_bytes(rsa->n);
2637     ASSERT_EQ(1024U / 8, modulus_len);
2638     BN_bn2bin(rsa->n, modulus_buf.get());
2639     message = string(reinterpret_cast<const char*>(modulus_buf.get()), modulus_len);
2640     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2641     EXPECT_EQ(ErrorCode::OK, Finish(message, &result));
2642 }
2643 
2644 /*
2645  * EncryptionOperationsTest.RsaOaepSuccess
2646  *
2647  * Verifies that RSA-OAEP encryption operations work, with all digests.
2648  */
TEST_P(EncryptionOperationsTest,RsaOaepSuccess)2649 TEST_P(EncryptionOperationsTest, RsaOaepSuccess) {
2650     auto digests = {Digest::MD5,       Digest::SHA1,      Digest::SHA_2_224,
2651                     Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
2652 
2653     size_t key_size = 2048;  // Need largish key for SHA-512 test.
2654     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2655                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2656                                              .RsaEncryptionKey(key_size, 3)
2657                                              .Padding(PaddingMode::RSA_OAEP)
2658                                              .Digest(digests)));
2659 
2660     string message = "Hello";
2661 
2662     for (auto digest : digests) {
2663         auto params = AuthorizationSetBuilder().Digest(digest).Padding(PaddingMode::RSA_OAEP);
2664         string ciphertext1 = EncryptMessage(message, params);
2665         if (HasNonfatalFailure()) std::cout << "-->" << digest << std::endl;
2666         EXPECT_EQ(key_size / 8, ciphertext1.size());
2667 
2668         string ciphertext2 = EncryptMessage(message, params);
2669         EXPECT_EQ(key_size / 8, ciphertext2.size());
2670 
2671         // OAEP randomizes padding so every result should be different (with astronomically high
2672         // probability).
2673         EXPECT_NE(ciphertext1, ciphertext2);
2674 
2675         string plaintext1 = DecryptMessage(ciphertext1, params);
2676         EXPECT_EQ(message, plaintext1) << "RSA-OAEP failed with digest " << digest;
2677         string plaintext2 = DecryptMessage(ciphertext2, params);
2678         EXPECT_EQ(message, plaintext2) << "RSA-OAEP failed with digest " << digest;
2679 
2680         // Decrypting corrupted ciphertext should fail.
2681         size_t offset_to_corrupt = random() % ciphertext1.size();
2682         char corrupt_byte;
2683         do {
2684             corrupt_byte = static_cast<char>(random() % 256);
2685         } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2686         ciphertext1[offset_to_corrupt] = corrupt_byte;
2687 
2688         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2689         string result;
2690         EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2691         EXPECT_EQ(0U, result.size());
2692     }
2693 }
2694 
2695 /*
2696  * EncryptionOperationsTest.RsaOaepInvalidDigest
2697  *
2698  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to operate
2699  * without a digest.
2700  */
TEST_P(EncryptionOperationsTest,RsaOaepInvalidDigest)2701 TEST_P(EncryptionOperationsTest, RsaOaepInvalidDigest) {
2702     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2703                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2704                                              .RsaEncryptionKey(1024, 3)
2705                                              .Padding(PaddingMode::RSA_OAEP)
2706                                              .Digest(Digest::NONE)));
2707     string message = "Hello World!";
2708 
2709     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::NONE);
2710     EXPECT_EQ(ErrorCode::INCOMPATIBLE_DIGEST, Begin(KeyPurpose::ENCRYPT, params));
2711 }
2712 
2713 /*
2714  * EncryptionOperationsTest.RsaOaepInvalidDigest
2715  *
2716  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to decrypt with a
2717  * different digest than was used to encrypt.
2718  */
TEST_P(EncryptionOperationsTest,RsaOaepDecryptWithWrongDigest)2719 TEST_P(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
2720     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2721                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2722                                              .RsaEncryptionKey(1024, 3)
2723                                              .Padding(PaddingMode::RSA_OAEP)
2724                                              .Digest(Digest::SHA_2_256, Digest::SHA_2_224)));
2725     string message = "Hello World!";
2726     string ciphertext = EncryptMessage(
2727         message,
2728         AuthorizationSetBuilder().Digest(Digest::SHA_2_224).Padding(PaddingMode::RSA_OAEP));
2729 
2730     EXPECT_EQ(
2731         ErrorCode::OK,
2732         Begin(KeyPurpose::DECRYPT,
2733               AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));
2734     string result;
2735     EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext, &result));
2736     EXPECT_EQ(0U, result.size());
2737 }
2738 
2739 /*
2740  * EncryptionOperationsTest.RsaOaepTooLarge
2741  *
2742  * Verifies that RSA-OAEP encryption operations fail in the correct way when asked to encrypt a
2743  * too-large message.
2744  */
TEST_P(EncryptionOperationsTest,RsaOaepTooLarge)2745 TEST_P(EncryptionOperationsTest, RsaOaepTooLarge) {
2746     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2747                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2748                                              .RsaEncryptionKey(1024, 3)
2749                                              .Padding(PaddingMode::RSA_OAEP)
2750                                              .Digest(Digest::SHA1)));
2751     constexpr size_t digest_size = 160 /* SHA1 */ / 8;
2752     constexpr size_t oaep_overhead = 2 * digest_size + 2;
2753     string message(1024 / 8 - oaep_overhead + 1, 'a');
2754     EXPECT_EQ(ErrorCode::OK,
2755               Begin(KeyPurpose::ENCRYPT,
2756                     AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA1)));
2757     string result;
2758     auto error = Finish(message, &result);
2759     EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2760     EXPECT_EQ(0U, result.size());
2761 }
2762 
2763 /*
2764  * EncryptionOperationsTest.RsaPkcs1Success
2765  *
2766  * Verifies that RSA PKCS encryption/decrypts works.
2767  */
TEST_P(EncryptionOperationsTest,RsaPkcs1Success)2768 TEST_P(EncryptionOperationsTest, RsaPkcs1Success) {
2769     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2770                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2771                                              .RsaEncryptionKey(1024, 3)
2772                                              .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
2773 
2774     string message = "Hello World!";
2775     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2776     string ciphertext1 = EncryptMessage(message, params);
2777     EXPECT_EQ(1024U / 8, ciphertext1.size());
2778 
2779     string ciphertext2 = EncryptMessage(message, params);
2780     EXPECT_EQ(1024U / 8, ciphertext2.size());
2781 
2782     // PKCS1 v1.5 randomizes padding so every result should be different.
2783     EXPECT_NE(ciphertext1, ciphertext2);
2784 
2785     string plaintext = DecryptMessage(ciphertext1, params);
2786     EXPECT_EQ(message, plaintext);
2787 
2788     // Decrypting corrupted ciphertext should fail.
2789     size_t offset_to_corrupt = random() % ciphertext1.size();
2790     char corrupt_byte;
2791     do {
2792         corrupt_byte = static_cast<char>(random() % 256);
2793     } while (corrupt_byte == ciphertext1[offset_to_corrupt]);
2794     ciphertext1[offset_to_corrupt] = corrupt_byte;
2795 
2796     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2797     string result;
2798     EXPECT_EQ(ErrorCode::UNKNOWN_ERROR, Finish(ciphertext1, &result));
2799     EXPECT_EQ(0U, result.size());
2800 }
2801 
2802 /*
2803  * EncryptionOperationsTest.RsaPkcs1TooLarge
2804  *
2805  * Verifies that RSA PKCS encryption fails in the correct way when the mssage is too large.
2806  */
TEST_P(EncryptionOperationsTest,RsaPkcs1TooLarge)2807 TEST_P(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2808     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2809                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2810                                              .RsaEncryptionKey(1024, 3)
2811                                              .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT)));
2812     string message(1024 / 8 - 10, 'a');
2813 
2814     auto params = AuthorizationSetBuilder().Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT);
2815     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2816     string result;
2817     auto error = Finish(message, &result);
2818     EXPECT_TRUE(error == ErrorCode::INVALID_INPUT_LENGTH || error == ErrorCode::INVALID_ARGUMENT);
2819     EXPECT_EQ(0U, result.size());
2820 }
2821 
2822 /*
2823  * EncryptionOperationsTest.EcdsaEncrypt
2824  *
2825  * Verifies that attempting to use ECDSA keys to encrypt fails in the correct way.
2826  */
TEST_P(EncryptionOperationsTest,EcdsaEncrypt)2827 TEST_P(EncryptionOperationsTest, EcdsaEncrypt) {
2828     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2829                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2830                                              .EcdsaSigningKey(224)
2831                                              .Digest(Digest::NONE)));
2832     auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
2833     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params))
2834         << "(Possibly b/33543625)";
2835     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params))
2836         << "(Possibly b/33543625)";
2837 }
2838 
2839 /*
2840  * EncryptionOperationsTest.HmacEncrypt
2841  *
2842  * Verifies that attempting to use HMAC keys to encrypt fails in the correct way.
2843  */
TEST_P(EncryptionOperationsTest,HmacEncrypt)2844 TEST_P(EncryptionOperationsTest, HmacEncrypt) {
2845     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2846                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2847                                              .HmacKey(128)
2848                                              .Digest(Digest::SHA_2_256)
2849                                              .Padding(PaddingMode::NONE)
2850                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
2851     auto params = AuthorizationSetBuilder()
2852                       .Digest(Digest::SHA_2_256)
2853                       .Padding(PaddingMode::NONE)
2854                       .Authorization(TAG_MAC_LENGTH, 128);
2855     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params))
2856         << "(Possibly b/33543625)";
2857     ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::DECRYPT, params))
2858         << "(Possibly b/33543625)";
2859 }
2860 
2861 /*
2862  * EncryptionOperationsTest.AesEcbRoundTripSuccess
2863  *
2864  * Verifies that AES ECB mode works.
2865  */
TEST_P(EncryptionOperationsTest,AesEcbRoundTripSuccess)2866 TEST_P(EncryptionOperationsTest, AesEcbRoundTripSuccess) {
2867     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2868                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2869                                              .AesEncryptionKey(128)
2870                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2871                                              .Padding(PaddingMode::NONE)));
2872 
2873     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2874 
2875     // Two-block message.
2876     string message = "12345678901234567890123456789012";
2877     string ciphertext1 = EncryptMessage(message, params);
2878     EXPECT_EQ(message.size(), ciphertext1.size());
2879 
2880     string ciphertext2 = EncryptMessage(string(message), params);
2881     EXPECT_EQ(message.size(), ciphertext2.size());
2882 
2883     // ECB is deterministic.
2884     EXPECT_EQ(ciphertext1, ciphertext2);
2885 
2886     string plaintext = DecryptMessage(ciphertext1, params);
2887     EXPECT_EQ(message, plaintext);
2888 }
2889 
2890 /*
2891  * EncryptionOperationsTest.AesEcbRoundTripSuccess
2892  *
2893  * Verifies that AES encryption fails in the correct way when an unauthorized mode is specified.
2894  */
TEST_P(EncryptionOperationsTest,AesWrongMode)2895 TEST_P(EncryptionOperationsTest, AesWrongMode) {
2896     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2897                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2898                                              .AesEncryptionKey(128)
2899                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
2900                                              .Padding(PaddingMode::NONE)));
2901     // Two-block message.
2902     string message = "12345678901234567890123456789012";
2903     EXPECT_EQ(
2904         ErrorCode::INCOMPATIBLE_BLOCK_MODE,
2905         Begin(KeyPurpose::ENCRYPT,
2906               AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE)));
2907 }
2908 
2909 /*
2910  * EncryptionOperationsTest.AesEcbNoPaddingWrongInputSize
2911  *
2912  * Verifies that AES encryption fails in the correct way when provided an input that is not a
2913  * multiple of the block size and no padding is specified.
2914  */
TEST_P(EncryptionOperationsTest,AesEcbNoPaddingWrongInputSize)2915 TEST_P(EncryptionOperationsTest, AesEcbNoPaddingWrongInputSize) {
2916     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2917                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2918                                              .AesEncryptionKey(128)
2919                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2920                                              .Padding(PaddingMode::NONE)));
2921     // Message is slightly shorter than two blocks.
2922     string message(16 * 2 - 1, 'a');
2923 
2924     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
2925     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params));
2926     string ciphertext;
2927     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &ciphertext));
2928     EXPECT_EQ(0U, ciphertext.size());
2929 }
2930 
2931 /*
2932  * EncryptionOperationsTest.AesEcbPkcs7Padding
2933  *
2934  * Verifies that AES PKCS7 padding works for any message length.
2935  */
TEST_P(EncryptionOperationsTest,AesEcbPkcs7Padding)2936 TEST_P(EncryptionOperationsTest, AesEcbPkcs7Padding) {
2937     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2938                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2939                                              .AesEncryptionKey(128)
2940                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2941                                              .Padding(PaddingMode::PKCS7)));
2942 
2943     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2944 
2945     // Try various message lengths; all should work.
2946     for (size_t i = 0; i < 32; ++i) {
2947         string message(i, 'a');
2948         string ciphertext = EncryptMessage(message, params);
2949         EXPECT_EQ(i + 16 - (i % 16), ciphertext.size());
2950         string plaintext = DecryptMessage(ciphertext, params);
2951         EXPECT_EQ(message, plaintext);
2952     }
2953 }
2954 
2955 /*
2956  * EncryptionOperationsTest.AesEcbWrongPadding
2957  *
2958  * Verifies that AES enryption fails in the correct way when an unauthorized padding mode is
2959  * specified.
2960  */
TEST_P(EncryptionOperationsTest,AesEcbWrongPadding)2961 TEST_P(EncryptionOperationsTest, AesEcbWrongPadding) {
2962     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2963                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2964                                              .AesEncryptionKey(128)
2965                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2966                                              .Padding(PaddingMode::NONE)));
2967 
2968     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2969 
2970     // Try various message lengths; all should fail
2971     for (size_t i = 0; i < 32; ++i) {
2972         string message(i, 'a');
2973         EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
2974     }
2975 }
2976 
2977 /*
2978  * EncryptionOperationsTest.AesEcbPkcs7PaddingCorrupted
2979  *
2980  * Verifies that AES decryption fails in the correct way when the padding is corrupted.
2981  */
TEST_P(EncryptionOperationsTest,AesEcbPkcs7PaddingCorrupted)2982 TEST_P(EncryptionOperationsTest, AesEcbPkcs7PaddingCorrupted) {
2983     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2984                                              .Authorization(TAG_NO_AUTH_REQUIRED)
2985                                              .AesEncryptionKey(128)
2986                                              .Authorization(TAG_BLOCK_MODE, BlockMode::ECB)
2987                                              .Padding(PaddingMode::PKCS7)));
2988 
2989     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
2990 
2991     string message = "a";
2992     string ciphertext = EncryptMessage(message, params);
2993     EXPECT_EQ(16U, ciphertext.size());
2994     EXPECT_NE(ciphertext, message);
2995     ++ciphertext[ciphertext.size() / 2];
2996 
2997     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
2998     string plaintext;
2999     EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &plaintext));
3000 }
3001 
CopyIv(const AuthorizationSet & set)3002 HidlBuf CopyIv(const AuthorizationSet& set) {
3003     auto iv = set.GetTagValue(TAG_NONCE);
3004     EXPECT_TRUE(iv.isOk());
3005     return iv.value();
3006 }
3007 
3008 /*
3009  * EncryptionOperationsTest.AesCtrRoundTripSuccess
3010  *
3011  * Verifies that AES CTR mode works.
3012  */
TEST_P(EncryptionOperationsTest,AesCtrRoundTripSuccess)3013 TEST_P(EncryptionOperationsTest, AesCtrRoundTripSuccess) {
3014     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3015                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3016                                              .AesEncryptionKey(128)
3017                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
3018                                              .Padding(PaddingMode::NONE)));
3019 
3020     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
3021 
3022     string message = "123";
3023     AuthorizationSet out_params;
3024     string ciphertext1 = EncryptMessage(message, params, &out_params);
3025     HidlBuf iv1 = CopyIv(out_params);
3026     EXPECT_EQ(16U, iv1.size());
3027 
3028     EXPECT_EQ(message.size(), ciphertext1.size());
3029 
3030     out_params.Clear();
3031     string ciphertext2 = EncryptMessage(message, params, &out_params);
3032     HidlBuf iv2 = CopyIv(out_params);
3033     EXPECT_EQ(16U, iv2.size());
3034 
3035     // IVs should be random, so ciphertexts should differ.
3036     EXPECT_NE(ciphertext1, ciphertext2);
3037 
3038     auto params_iv1 =
3039         AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv1);
3040     auto params_iv2 =
3041         AuthorizationSetBuilder().Authorizations(params).Authorization(TAG_NONCE, iv2);
3042 
3043     string plaintext = DecryptMessage(ciphertext1, params_iv1);
3044     EXPECT_EQ(message, plaintext);
3045     plaintext = DecryptMessage(ciphertext2, params_iv2);
3046     EXPECT_EQ(message, plaintext);
3047 
3048     // Using the wrong IV will result in a "valid" decryption, but the data will be garbage.
3049     plaintext = DecryptMessage(ciphertext1, params_iv2);
3050     EXPECT_NE(message, plaintext);
3051     plaintext = DecryptMessage(ciphertext2, params_iv1);
3052     EXPECT_NE(message, plaintext);
3053 }
3054 
3055 /*
3056  * EncryptionOperationsTest.AesIncremental
3057  *
3058  * Verifies that AES works, all modes, when provided data in various size increments.
3059  */
TEST_P(EncryptionOperationsTest,AesIncremental)3060 TEST_P(EncryptionOperationsTest, AesIncremental) {
3061     auto block_modes = {
3062         BlockMode::ECB, BlockMode::CBC, BlockMode::CTR, BlockMode::GCM,
3063     };
3064 
3065     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3066                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3067                                              .AesEncryptionKey(128)
3068                                              .BlockMode(block_modes)
3069                                              .Padding(PaddingMode::NONE)
3070                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3071 
3072     for (int increment = 1; increment <= 240; ++increment) {
3073         for (auto block_mode : block_modes) {
3074             string message(240, 'a');
3075             auto params = AuthorizationSetBuilder()
3076                               .BlockMode(block_mode)
3077                               .Padding(PaddingMode::NONE)
3078                               .Authorization(TAG_MAC_LENGTH, 128) /* for GCM */;
3079 
3080             AuthorizationSet output_params;
3081             EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &output_params));
3082 
3083             string ciphertext;
3084             size_t input_consumed;
3085             string to_send;
3086             for (size_t i = 0; i < message.size(); i += increment) {
3087                 to_send.append(message.substr(i, increment));
3088                 EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed));
3089                 to_send = to_send.substr(input_consumed);
3090 
3091                 switch (block_mode) {
3092                 case BlockMode::ECB:
3093                 case BlockMode::CBC:
3094                     // Implementations must take as many blocks as possible, leaving less than
3095                     // a block.
3096                     EXPECT_LE(to_send.length(), 16U);
3097                     break;
3098                 case BlockMode::GCM:
3099                 case BlockMode::CTR:
3100                     // Implementations must always take all the data.
3101                     EXPECT_EQ(0U, to_send.length());
3102                     break;
3103                 }
3104             }
3105             EXPECT_EQ(ErrorCode::OK, Finish(to_send, &ciphertext)) << "Error sending " << to_send;
3106 
3107             switch (block_mode) {
3108             case BlockMode::GCM:
3109                 EXPECT_EQ(message.size() + 16, ciphertext.size());
3110                 break;
3111             case BlockMode::CTR:
3112                 EXPECT_EQ(message.size(), ciphertext.size());
3113                 break;
3114             case BlockMode::CBC:
3115             case BlockMode::ECB:
3116                 EXPECT_EQ(message.size() + message.size() % 16, ciphertext.size());
3117                 break;
3118             }
3119 
3120             auto iv = output_params.GetTagValue(TAG_NONCE);
3121             switch (block_mode) {
3122             case BlockMode::CBC:
3123             case BlockMode::GCM:
3124             case BlockMode::CTR:
3125                 ASSERT_TRUE(iv.isOk()) << "No IV for block mode " << block_mode;
3126                 EXPECT_EQ(block_mode == BlockMode::GCM ? 12U : 16U, iv.value().size());
3127                 params.push_back(TAG_NONCE, iv.value());
3128                 break;
3129 
3130             case BlockMode::ECB:
3131                 EXPECT_FALSE(iv.isOk()) << "ECB mode should not generate IV";
3132                 break;
3133             }
3134 
3135             EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params))
3136                 << "Decrypt begin() failed for block mode " << block_mode;
3137 
3138             string plaintext;
3139             for (size_t i = 0; i < ciphertext.size(); i += increment) {
3140                 to_send.append(ciphertext.substr(i, increment));
3141                 EXPECT_EQ(ErrorCode::OK, Update(to_send, &plaintext, &input_consumed));
3142                 to_send = to_send.substr(input_consumed);
3143             }
3144             ErrorCode error = Finish(to_send, &plaintext);
3145             ASSERT_EQ(ErrorCode::OK, error)
3146                 << "Decryption failed for block mode " << block_mode << " and increment "
3147                 << increment << " (Possibly b/33584622)";
3148             if (error == ErrorCode::OK) {
3149                 ASSERT_EQ(message, plaintext) << "Decryption didn't match for block mode "
3150                                               << block_mode << " and increment " << increment;
3151             }
3152         }
3153     }
3154 }
3155 
3156 struct AesCtrSp80038aTestVector {
3157     const char* key;
3158     const char* nonce;
3159     const char* plaintext;
3160     const char* ciphertext;
3161 };
3162 
3163 // These test vectors are taken from
3164 // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, section F.5.
3165 static const AesCtrSp80038aTestVector kAesCtrSp80038aTestVectors[] = {
3166     // AES-128
3167     {
3168         "2b7e151628aed2a6abf7158809cf4f3c", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
3169         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
3170         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
3171         "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff"
3172         "5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee",
3173     },
3174     // AES-192
3175     {
3176         "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
3177         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
3178         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
3179         "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e94"
3180         "1e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050",
3181     },
3182     // AES-256
3183     {
3184         "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4",
3185         "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
3186         "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"
3187         "30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710",
3188         "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c5"
3189         "2b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6",
3190     },
3191 };
3192 
3193 /*
3194  * EncryptionOperationsTest.AesCtrSp80038aTestVector
3195  *
3196  * Verifies AES CTR implementation against SP800-38A test vectors.
3197  */
TEST_P(EncryptionOperationsTest,AesCtrSp80038aTestVector)3198 TEST_P(EncryptionOperationsTest, AesCtrSp80038aTestVector) {
3199     for (size_t i = 0; i < 3; i++) {
3200         const AesCtrSp80038aTestVector& test(kAesCtrSp80038aTestVectors[i]);
3201         const string key = hex2str(test.key);
3202         const string nonce = hex2str(test.nonce);
3203         const string plaintext = hex2str(test.plaintext);
3204         const string ciphertext = hex2str(test.ciphertext);
3205         CheckAesCtrTestVector(key, nonce, plaintext, ciphertext);
3206     }
3207 }
3208 
3209 /*
3210  * EncryptionOperationsTest.AesCtrIncompatiblePaddingMode
3211  *
3212  * Verifies that keymaster rejects use of CTR mode with PKCS7 padding in the correct way.
3213  */
TEST_P(EncryptionOperationsTest,AesCtrIncompatiblePaddingMode)3214 TEST_P(EncryptionOperationsTest, AesCtrIncompatiblePaddingMode) {
3215     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3216                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3217                                              .AesEncryptionKey(128)
3218                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
3219                                              .Padding(PaddingMode::PKCS7)));
3220     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CTR).Padding(PaddingMode::NONE);
3221     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PADDING_MODE, Begin(KeyPurpose::ENCRYPT, params));
3222 }
3223 
3224 /*
3225  * EncryptionOperationsTest.AesCtrInvalidCallerNonce
3226  *
3227  * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce.
3228  */
TEST_P(EncryptionOperationsTest,AesCtrInvalidCallerNonce)3229 TEST_P(EncryptionOperationsTest, AesCtrInvalidCallerNonce) {
3230     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3231                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3232                                              .AesEncryptionKey(128)
3233                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CTR)
3234                                              .Authorization(TAG_CALLER_NONCE)
3235                                              .Padding(PaddingMode::NONE)));
3236 
3237     auto params = AuthorizationSetBuilder()
3238                       .BlockMode(BlockMode::CTR)
3239                       .Padding(PaddingMode::NONE)
3240                       .Authorization(TAG_NONCE, HidlBuf(string(1, 'a')));
3241     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3242 
3243     params = AuthorizationSetBuilder()
3244                  .BlockMode(BlockMode::CTR)
3245                  .Padding(PaddingMode::NONE)
3246                  .Authorization(TAG_NONCE, HidlBuf(string(15, 'a')));
3247     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3248 
3249     params = AuthorizationSetBuilder()
3250                  .BlockMode(BlockMode::CTR)
3251                  .Padding(PaddingMode::NONE)
3252                  .Authorization(TAG_NONCE, HidlBuf(string(17, 'a')));
3253     EXPECT_EQ(ErrorCode::INVALID_NONCE, Begin(KeyPurpose::ENCRYPT, params));
3254 }
3255 
3256 /*
3257  * EncryptionOperationsTest.AesCtrInvalidCallerNonce
3258  *
3259  * Verifies that keymaster fails correctly when the user supplies an incorrect-size nonce.
3260  */
TEST_P(EncryptionOperationsTest,AesCbcRoundTripSuccess)3261 TEST_P(EncryptionOperationsTest, AesCbcRoundTripSuccess) {
3262     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3263                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3264                                              .AesEncryptionKey(128)
3265                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3266                                              .Padding(PaddingMode::NONE)));
3267     // Two-block message.
3268     string message = "12345678901234567890123456789012";
3269     auto params = AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3270     AuthorizationSet out_params;
3271     string ciphertext1 = EncryptMessage(message, params, &out_params);
3272     HidlBuf iv1 = CopyIv(out_params);
3273     EXPECT_EQ(message.size(), ciphertext1.size());
3274 
3275     out_params.Clear();
3276 
3277     string ciphertext2 = EncryptMessage(message, params, &out_params);
3278     HidlBuf iv2 = CopyIv(out_params);
3279     EXPECT_EQ(message.size(), ciphertext2.size());
3280 
3281     // IVs should be random, so ciphertexts should differ.
3282     EXPECT_NE(ciphertext1, ciphertext2);
3283 
3284     params.push_back(TAG_NONCE, iv1);
3285     string plaintext = DecryptMessage(ciphertext1, params);
3286     EXPECT_EQ(message, plaintext);
3287 }
3288 
3289 /*
3290  * EncryptionOperationsTest.AesCallerNonce
3291  *
3292  * Verifies that AES caller-provided nonces work correctly.
3293  */
TEST_P(EncryptionOperationsTest,AesCallerNonce)3294 TEST_P(EncryptionOperationsTest, AesCallerNonce) {
3295     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3296                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3297                                              .AesEncryptionKey(128)
3298                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3299                                              .Authorization(TAG_CALLER_NONCE)
3300                                              .Padding(PaddingMode::NONE)));
3301 
3302     string message = "12345678901234567890123456789012";
3303 
3304     // Don't specify nonce, should get a random one.
3305     AuthorizationSetBuilder params =
3306         AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3307     AuthorizationSet out_params;
3308     string ciphertext = EncryptMessage(message, params, &out_params);
3309     EXPECT_EQ(message.size(), ciphertext.size());
3310     EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size());
3311 
3312     params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value());
3313     string plaintext = DecryptMessage(ciphertext, params);
3314     EXPECT_EQ(message, plaintext);
3315 
3316     // Now specify a nonce, should also work.
3317     params = AuthorizationSetBuilder()
3318                  .BlockMode(BlockMode::CBC)
3319                  .Padding(PaddingMode::NONE)
3320                  .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop"));
3321     out_params.Clear();
3322     ciphertext = EncryptMessage(message, params, &out_params);
3323 
3324     // Decrypt with correct nonce.
3325     plaintext = DecryptMessage(ciphertext, params);
3326     EXPECT_EQ(message, plaintext);
3327 
3328     // Try with wrong nonce.
3329     params = AuthorizationSetBuilder()
3330                  .BlockMode(BlockMode::CBC)
3331                  .Padding(PaddingMode::NONE)
3332                  .Authorization(TAG_NONCE, HidlBuf("aaaaaaaaaaaaaaaa"));
3333     plaintext = DecryptMessage(ciphertext, params);
3334     EXPECT_NE(message, plaintext);
3335 }
3336 
3337 /*
3338  * EncryptionOperationsTest.AesCallerNonceProhibited
3339  *
3340  * Verifies that caller-provided nonces are not permitted when not specified in the key
3341  * authorizations.
3342  */
TEST_P(EncryptionOperationsTest,AesCallerNonceProhibited)3343 TEST_P(EncryptionOperationsTest, AesCallerNonceProhibited) {
3344     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3345                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3346                                              .AesEncryptionKey(128)
3347                                              .Authorization(TAG_BLOCK_MODE, BlockMode::CBC)
3348                                              .Padding(PaddingMode::NONE)));
3349 
3350     string message = "12345678901234567890123456789012";
3351 
3352     // Don't specify nonce, should get a random one.
3353     AuthorizationSetBuilder params =
3354         AuthorizationSetBuilder().BlockMode(BlockMode::CBC).Padding(PaddingMode::NONE);
3355     AuthorizationSet out_params;
3356     string ciphertext = EncryptMessage(message, params, &out_params);
3357     EXPECT_EQ(message.size(), ciphertext.size());
3358     EXPECT_EQ(16U, out_params.GetTagValue(TAG_NONCE).value().size());
3359 
3360     params.push_back(TAG_NONCE, out_params.GetTagValue(TAG_NONCE).value());
3361     string plaintext = DecryptMessage(ciphertext, params);
3362     EXPECT_EQ(message, plaintext);
3363 
3364     // Now specify a nonce, should fail
3365     params = AuthorizationSetBuilder()
3366                  .BlockMode(BlockMode::CBC)
3367                  .Padding(PaddingMode::NONE)
3368                  .Authorization(TAG_NONCE, HidlBuf("abcdefghijklmnop"));
3369     out_params.Clear();
3370     EXPECT_EQ(ErrorCode::CALLER_NONCE_PROHIBITED, Begin(KeyPurpose::ENCRYPT, params, &out_params));
3371 }
3372 
3373 /*
3374  * EncryptionOperationsTest.AesGcmRoundTripSuccess
3375  *
3376  * Verifies that AES GCM mode works.
3377  */
TEST_P(EncryptionOperationsTest,AesGcmRoundTripSuccess)3378 TEST_P(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
3379     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3380                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3381                                              .AesEncryptionKey(128)
3382                                              .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
3383                                              .Padding(PaddingMode::NONE)
3384                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3385 
3386     string aad = "foobar";
3387     string message = "123456789012345678901234567890123456";
3388 
3389     auto begin_params = AuthorizationSetBuilder()
3390                             .BlockMode(BlockMode::GCM)
3391                             .Padding(PaddingMode::NONE)
3392                             .Authorization(TAG_MAC_LENGTH, 128);
3393 
3394     auto update_params =
3395         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3396 
3397     // Encrypt
3398     AuthorizationSet begin_out_params;
3399     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params))
3400         << "Begin encrypt";
3401     string ciphertext;
3402     AuthorizationSet update_out_params;
3403     ASSERT_EQ(ErrorCode::OK,
3404               Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext));
3405 
3406     // Grab nonce
3407     begin_params.push_back(begin_out_params);
3408 
3409     // Decrypt.
3410     ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params)) << "Begin decrypt";
3411     string plaintext;
3412     size_t input_consumed;
3413     ASSERT_EQ(ErrorCode::OK, Update(op_handle_, update_params, ciphertext, &update_out_params,
3414                                     &plaintext, &input_consumed));
3415     EXPECT_EQ(ciphertext.size(), input_consumed);
3416     EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
3417 
3418     EXPECT_EQ(message, plaintext);
3419 }
3420 
3421 /*
3422  * EncryptionOperationsTest.AesGcmTooShortTag
3423  *
3424  * Verifies that AES GCM mode fails correctly when a too-short tag length is specified.
3425  */
TEST_P(EncryptionOperationsTest,AesGcmTooShortTag)3426 TEST_P(EncryptionOperationsTest, AesGcmTooShortTag) {
3427     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3428                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3429                                              .AesEncryptionKey(128)
3430                                              .BlockMode(BlockMode::GCM)
3431                                              .Padding(PaddingMode::NONE)
3432                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3433     string message = "123456789012345678901234567890123456";
3434     auto params = AuthorizationSetBuilder()
3435                       .BlockMode(BlockMode::GCM)
3436                       .Padding(PaddingMode::NONE)
3437                       .Authorization(TAG_MAC_LENGTH, 96);
3438 
3439     EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::ENCRYPT, params));
3440 }
3441 
3442 /*
3443  * EncryptionOperationsTest.AesGcmTooShortTagOnDecrypt
3444  *
3445  * Verifies that AES GCM mode fails correctly when a too-short tag is provided to decryption.
3446  */
TEST_P(EncryptionOperationsTest,AesGcmTooShortTagOnDecrypt)3447 TEST_P(EncryptionOperationsTest, AesGcmTooShortTagOnDecrypt) {
3448     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3449                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3450                                              .AesEncryptionKey(128)
3451                                              .BlockMode(BlockMode::GCM)
3452                                              .Padding(PaddingMode::NONE)
3453                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3454     string aad = "foobar";
3455     string message = "123456789012345678901234567890123456";
3456     auto params = AuthorizationSetBuilder()
3457                       .BlockMode(BlockMode::GCM)
3458                       .Padding(PaddingMode::NONE)
3459                       .Authorization(TAG_MAC_LENGTH, 128);
3460 
3461     auto finish_params =
3462         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3463 
3464     // Encrypt
3465     AuthorizationSet begin_out_params;
3466     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3467     EXPECT_EQ(1U, begin_out_params.size());
3468     ASSERT_TRUE(begin_out_params.GetTagValue(TAG_NONCE).isOk());
3469 
3470     AuthorizationSet finish_out_params;
3471     string ciphertext;
3472     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
3473                                     &finish_out_params, &ciphertext));
3474 
3475     params = AuthorizationSetBuilder()
3476                  .Authorizations(begin_out_params)
3477                  .BlockMode(BlockMode::GCM)
3478                  .Padding(PaddingMode::NONE)
3479                  .Authorization(TAG_MAC_LENGTH, 96);
3480 
3481     // Decrypt.
3482     EXPECT_EQ(ErrorCode::INVALID_MAC_LENGTH, Begin(KeyPurpose::DECRYPT, params));
3483 }
3484 
3485 /*
3486  * EncryptionOperationsTest.AesGcmCorruptKey
3487  *
3488  * Verifies that AES GCM mode fails correctly when the decryption key is incorrect.
3489  */
TEST_P(EncryptionOperationsTest,AesGcmCorruptKey)3490 TEST_P(EncryptionOperationsTest, AesGcmCorruptKey) {
3491     const uint8_t nonce_bytes[] = {
3492         0xb7, 0x94, 0x37, 0xae, 0x08, 0xff, 0x35, 0x5d, 0x7d, 0x8a, 0x4d, 0x0f,
3493     };
3494     string nonce = make_string(nonce_bytes);
3495     const uint8_t ciphertext_bytes[] = {
3496         0xb3, 0xf6, 0x79, 0x9e, 0x8f, 0x93, 0x26, 0xf2, 0xdf, 0x1e, 0x80, 0xfc, 0xd2, 0xcb, 0x16,
3497         0xd7, 0x8c, 0x9d, 0xc7, 0xcc, 0x14, 0xbb, 0x67, 0x78, 0x62, 0xdc, 0x6c, 0x63, 0x9b, 0x3a,
3498         0x63, 0x38, 0xd2, 0x4b, 0x31, 0x2d, 0x39, 0x89, 0xe5, 0x92, 0x0b, 0x5d, 0xbf, 0xc9, 0x76,
3499         0x76, 0x5e, 0xfb, 0xfe, 0x57, 0xbb, 0x38, 0x59, 0x40, 0xa7, 0xa4, 0x3b, 0xdf, 0x05, 0xbd,
3500         0xda, 0xe3, 0xc9, 0xd6, 0xa2, 0xfb, 0xbd, 0xfc, 0xc0, 0xcb, 0xa0,
3501     };
3502     string ciphertext = make_string(ciphertext_bytes);
3503 
3504     auto params = AuthorizationSetBuilder()
3505                       .BlockMode(BlockMode::GCM)
3506                       .Padding(PaddingMode::NONE)
3507                       .Authorization(TAG_MAC_LENGTH, 128)
3508                       .Authorization(TAG_NONCE, nonce.data(), nonce.size());
3509 
3510     auto import_params = AuthorizationSetBuilder()
3511                              .Authorization(TAG_NO_AUTH_REQUIRED)
3512                              .AesEncryptionKey(128)
3513                              .BlockMode(BlockMode::GCM)
3514                              .Padding(PaddingMode::NONE)
3515                              .Authorization(TAG_CALLER_NONCE)
3516                              .Authorization(TAG_MIN_MAC_LENGTH, 128);
3517 
3518     // Import correct key and decrypt
3519     const uint8_t key_bytes[] = {
3520         0xba, 0x76, 0x35, 0x4f, 0x0a, 0xed, 0x6e, 0x8d,
3521         0x91, 0xf4, 0x5c, 0x4f, 0xf5, 0xa0, 0x62, 0xdb,
3522     };
3523     string key = make_string(key_bytes);
3524     ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3525     string plaintext = DecryptMessage(ciphertext, params);
3526     CheckedDeleteKey();
3527 
3528     // Corrupt key and attempt to decrypt
3529     key[0] = 0;
3530     ASSERT_EQ(ErrorCode::OK, ImportKey(import_params, KeyFormat::RAW, key));
3531     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3532     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED, Finish(ciphertext, &plaintext));
3533     CheckedDeleteKey();
3534 }
3535 
3536 /*
3537  * EncryptionOperationsTest.AesGcmAadNoData
3538  *
3539  * Verifies that AES GCM mode works when provided additional authenticated data, but no data to
3540  * encrypt.
3541  */
TEST_P(EncryptionOperationsTest,AesGcmAadNoData)3542 TEST_P(EncryptionOperationsTest, AesGcmAadNoData) {
3543     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3544                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3545                                              .AesEncryptionKey(128)
3546                                              .BlockMode(BlockMode::GCM)
3547                                              .Padding(PaddingMode::NONE)
3548                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3549 
3550     string aad = "1234567890123456";
3551     auto params = AuthorizationSetBuilder()
3552                       .BlockMode(BlockMode::GCM)
3553                       .Padding(PaddingMode::NONE)
3554                       .Authorization(TAG_MAC_LENGTH, 128);
3555 
3556     auto finish_params =
3557         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3558 
3559     // Encrypt
3560     AuthorizationSet begin_out_params;
3561     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3562     string ciphertext;
3563     AuthorizationSet finish_out_params;
3564     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, "" /* input */, "" /* signature */,
3565                                     &finish_out_params, &ciphertext));
3566     EXPECT_TRUE(finish_out_params.empty());
3567 
3568     // Grab nonce
3569     params.push_back(begin_out_params);
3570 
3571     // Decrypt.
3572     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3573     string plaintext;
3574     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, ciphertext, "" /* signature */,
3575                                     &finish_out_params, &plaintext))
3576         << "(Possibly b/33615032)";
3577 
3578     EXPECT_TRUE(finish_out_params.empty());
3579 
3580     EXPECT_EQ("", plaintext);
3581 }
3582 
3583 /*
3584  * EncryptionOperationsTest.AesGcmMultiPartAad
3585  *
3586  * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks.
3587  */
TEST_P(EncryptionOperationsTest,AesGcmMultiPartAad)3588 TEST_P(EncryptionOperationsTest, AesGcmMultiPartAad) {
3589     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3590                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3591                                              .AesEncryptionKey(128)
3592                                              .BlockMode(BlockMode::GCM)
3593                                              .Padding(PaddingMode::NONE)
3594                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3595 
3596     string message = "123456789012345678901234567890123456";
3597     auto begin_params = AuthorizationSetBuilder()
3598                             .BlockMode(BlockMode::GCM)
3599                             .Padding(PaddingMode::NONE)
3600                             .Authorization(TAG_MAC_LENGTH, 128);
3601     AuthorizationSet begin_out_params;
3602 
3603     auto update_params =
3604         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3);
3605 
3606     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3607 
3608     // No data, AAD only.
3609     string ciphertext;
3610     size_t input_consumed;
3611     AuthorizationSet update_out_params;
3612     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params,
3613                                     &ciphertext, &input_consumed));
3614     EXPECT_EQ(0U, input_consumed);
3615     EXPECT_EQ(0U, ciphertext.size());
3616     EXPECT_TRUE(update_out_params.empty());
3617 
3618     // AAD and data.
3619     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
3620                                     &ciphertext, &input_consumed));
3621     EXPECT_EQ(message.size(), input_consumed);
3622     EXPECT_EQ(message.size(), ciphertext.size());
3623     EXPECT_TRUE(update_out_params.empty());
3624 
3625     EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext));
3626 
3627     // Grab nonce.
3628     begin_params.push_back(begin_out_params);
3629 
3630     // Decrypt
3631     update_params =
3632         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foofoo", (size_t)6);
3633 
3634     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params));
3635     string plaintext;
3636     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, update_params, ciphertext, "" /* signature */,
3637                                     &update_out_params, &plaintext));
3638     EXPECT_TRUE(update_out_params.empty());
3639     EXPECT_EQ(message, plaintext);
3640 }
3641 
3642 /*
3643  * EncryptionOperationsTest.AesGcmAadOutOfOrder
3644  *
3645  * Verifies that AES GCM mode fails correctly when given AAD after data to encipher.
3646  */
TEST_P(EncryptionOperationsTest,AesGcmAadOutOfOrder)3647 TEST_P(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
3648     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3649                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3650                                              .AesEncryptionKey(128)
3651                                              .BlockMode(BlockMode::GCM)
3652                                              .Padding(PaddingMode::NONE)
3653                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3654 
3655     string message = "123456789012345678901234567890123456";
3656     auto begin_params = AuthorizationSetBuilder()
3657                             .BlockMode(BlockMode::GCM)
3658                             .Padding(PaddingMode::NONE)
3659                             .Authorization(TAG_MAC_LENGTH, 128);
3660     AuthorizationSet begin_out_params;
3661 
3662     auto update_params =
3663         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foo", (size_t)3);
3664 
3665     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3666 
3667     // No data, AAD only.
3668     string ciphertext;
3669     size_t input_consumed;
3670     AuthorizationSet update_out_params;
3671     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, "" /* input */, &update_out_params,
3672                                     &ciphertext, &input_consumed));
3673     EXPECT_EQ(0U, input_consumed);
3674     EXPECT_EQ(0U, ciphertext.size());
3675     EXPECT_TRUE(update_out_params.empty());
3676 
3677     // AAD and data.
3678     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
3679                                     &ciphertext, &input_consumed));
3680     EXPECT_EQ(message.size(), input_consumed);
3681     EXPECT_EQ(message.size(), ciphertext.size());
3682     EXPECT_TRUE(update_out_params.empty());
3683 
3684     // More AAD
3685     EXPECT_EQ(ErrorCode::INVALID_TAG, Update(op_handle_, update_params, "", &update_out_params,
3686                                              &ciphertext, &input_consumed));
3687 
3688     op_handle_ = kOpHandleSentinel;
3689 }
3690 
3691 /*
3692  * EncryptionOperationsTest.AesGcmBadAad
3693  *
3694  * Verifies that AES GCM decryption fails correctly when additional authenticated date is wrong.
3695  */
TEST_P(EncryptionOperationsTest,AesGcmBadAad)3696 TEST_P(EncryptionOperationsTest, AesGcmBadAad) {
3697     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3698                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3699                                              .AesEncryptionKey(128)
3700                                              .BlockMode(BlockMode::GCM)
3701                                              .Padding(PaddingMode::NONE)
3702                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3703 
3704     string message = "12345678901234567890123456789012";
3705     auto begin_params = AuthorizationSetBuilder()
3706                             .BlockMode(BlockMode::GCM)
3707                             .Padding(PaddingMode::NONE)
3708                             .Authorization(TAG_MAC_LENGTH, 128);
3709 
3710     auto finish_params =
3711         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6);
3712 
3713     // Encrypt
3714     AuthorizationSet begin_out_params;
3715     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3716     string ciphertext;
3717     AuthorizationSet finish_out_params;
3718     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
3719                                     &finish_out_params, &ciphertext));
3720 
3721     // Grab nonce
3722     begin_params.push_back(begin_out_params);
3723 
3724     finish_params = AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA,
3725                                                             "barfoo" /* Wrong AAD */, (size_t)6);
3726 
3727     // Decrypt.
3728     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
3729     string plaintext;
3730     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
3731               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
3732                      &plaintext));
3733 }
3734 
3735 /*
3736  * EncryptionOperationsTest.AesGcmWrongNonce
3737  *
3738  * Verifies that AES GCM decryption fails correctly when the nonce is incorrect.
3739  */
TEST_P(EncryptionOperationsTest,AesGcmWrongNonce)3740 TEST_P(EncryptionOperationsTest, AesGcmWrongNonce) {
3741     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3742                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3743                                              .AesEncryptionKey(128)
3744                                              .BlockMode(BlockMode::GCM)
3745                                              .Padding(PaddingMode::NONE)
3746                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3747 
3748     string message = "12345678901234567890123456789012";
3749     auto begin_params = AuthorizationSetBuilder()
3750                             .BlockMode(BlockMode::GCM)
3751                             .Padding(PaddingMode::NONE)
3752                             .Authorization(TAG_MAC_LENGTH, 128);
3753 
3754     auto finish_params =
3755         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, "foobar", (size_t)6);
3756 
3757     // Encrypt
3758     AuthorizationSet begin_out_params;
3759     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, begin_params, &begin_out_params));
3760     string ciphertext;
3761     AuthorizationSet finish_out_params;
3762     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
3763                                     &finish_out_params, &ciphertext));
3764 
3765     // Wrong nonce
3766     begin_params.push_back(TAG_NONCE, HidlBuf("123456789012"));
3767 
3768     // Decrypt.
3769     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, begin_params, &begin_out_params));
3770     string plaintext;
3771     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
3772               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
3773                      &plaintext));
3774 
3775     // With wrong nonce, should have gotten garbage plaintext (or none).
3776     EXPECT_NE(message, plaintext);
3777 }
3778 
3779 /*
3780  * EncryptionOperationsTest.AesGcmCorruptTag
3781  *
3782  * Verifies that AES GCM decryption fails correctly when the tag is wrong.
3783  */
TEST_P(EncryptionOperationsTest,AesGcmCorruptTag)3784 TEST_P(EncryptionOperationsTest, AesGcmCorruptTag) {
3785     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3786                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3787                                              .AesEncryptionKey(128)
3788                                              .BlockMode(BlockMode::GCM)
3789                                              .Padding(PaddingMode::NONE)
3790                                              .Authorization(TAG_MIN_MAC_LENGTH, 128)));
3791 
3792     string aad = "1234567890123456";
3793     string message = "123456789012345678901234567890123456";
3794 
3795     auto params = AuthorizationSetBuilder()
3796                       .BlockMode(BlockMode::GCM)
3797                       .Padding(PaddingMode::NONE)
3798                       .Authorization(TAG_MAC_LENGTH, 128);
3799 
3800     auto finish_params =
3801         AuthorizationSetBuilder().Authorization(TAG_ASSOCIATED_DATA, aad.data(), aad.size());
3802 
3803     // Encrypt
3804     AuthorizationSet begin_out_params;
3805     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, params, &begin_out_params));
3806     string ciphertext;
3807     AuthorizationSet finish_out_params;
3808     EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message, "" /* signature */,
3809                                     &finish_out_params, &ciphertext));
3810     EXPECT_TRUE(finish_out_params.empty());
3811 
3812     // Corrupt tag
3813     ++(*ciphertext.rbegin());
3814 
3815     // Grab nonce
3816     params.push_back(begin_out_params);
3817 
3818     // Decrypt.
3819     EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::DECRYPT, params));
3820     string plaintext;
3821     EXPECT_EQ(ErrorCode::VERIFICATION_FAILED,
3822               Finish(op_handle_, finish_params, ciphertext, "" /* signature */, &finish_out_params,
3823                      &plaintext));
3824     EXPECT_TRUE(finish_out_params.empty());
3825 }
3826 
3827 typedef KeymasterHidlTest MaxOperationsTest;
3828 
3829 /*
3830  * MaxOperationsTest.TestLimitAes
3831  *
3832  * Verifies that the max uses per boot tag works correctly with AES keys.
3833  */
TEST_P(MaxOperationsTest,TestLimitAes)3834 TEST_P(MaxOperationsTest, TestLimitAes) {
3835     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3836                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3837                                              .AesEncryptionKey(128)
3838                                              .EcbMode()
3839                                              .Padding(PaddingMode::NONE)
3840                                              .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3841 
3842     string message = "1234567890123456";
3843 
3844     auto params = AuthorizationSetBuilder().EcbMode().Padding(PaddingMode::NONE);
3845 
3846     EncryptMessage(message, params);
3847     EncryptMessage(message, params);
3848     EncryptMessage(message, params);
3849 
3850     // Fourth time should fail.
3851     EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::ENCRYPT, params));
3852 }
3853 
3854 /*
3855  * MaxOperationsTest.TestLimitAes
3856  *
3857  * Verifies that the max uses per boot tag works correctly with RSA keys.
3858  */
TEST_P(MaxOperationsTest,TestLimitRsa)3859 TEST_P(MaxOperationsTest, TestLimitRsa) {
3860     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3861                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3862                                              .RsaSigningKey(1024, 3)
3863                                              .NoDigestOrPadding()
3864                                              .Authorization(TAG_MAX_USES_PER_BOOT, 3)));
3865 
3866     string message = "1234567890123456";
3867 
3868     auto params = AuthorizationSetBuilder().NoDigestOrPadding();
3869 
3870     SignMessage(message, params);
3871     SignMessage(message, params);
3872     SignMessage(message, params);
3873 
3874     // Fourth time should fail.
3875     EXPECT_EQ(ErrorCode::KEY_MAX_OPS_EXCEEDED, Begin(KeyPurpose::SIGN, params));
3876 }
3877 
3878 typedef KeymasterHidlTest AddEntropyTest;
3879 
3880 /*
3881  * AddEntropyTest.AddEntropy
3882  *
3883  * Verifies that the addRngEntropy method doesn't blow up.  There's no way to test that entropy is
3884  * actually added.
3885  */
TEST_P(AddEntropyTest,AddEntropy)3886 TEST_P(AddEntropyTest, AddEntropy) {
3887     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf("foo")));
3888 }
3889 
3890 /*
3891  * AddEntropyTest.AddEmptyEntropy
3892  *
3893  * Verifies that the addRngEntropy method doesn't blow up when given an empty buffer.
3894  */
TEST_P(AddEntropyTest,AddEmptyEntropy)3895 TEST_P(AddEntropyTest, AddEmptyEntropy) {
3896     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf()));
3897 }
3898 
3899 /*
3900  * AddEntropyTest.AddLargeEntropy
3901  *
3902  * Verifies that the addRngEntropy method doesn't blow up when given a largish amount of data.
3903  */
TEST_P(AddEntropyTest,AddLargeEntropy)3904 TEST_P(AddEntropyTest, AddLargeEntropy) {
3905     EXPECT_EQ(ErrorCode::OK, keymaster().addRngEntropy(HidlBuf(string(2 * 1024, 'a'))));
3906 }
3907 
3908 typedef KeymasterHidlTest AttestationTest;
3909 
3910 /*
3911  * AttestationTest.RsaAttestation
3912  *
3913  * Verifies that attesting to RSA keys works and generates the expected output.
3914  */
TEST_P(AttestationTest,RsaAttestation)3915 TEST_P(AttestationTest, RsaAttestation) {
3916     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3917                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3918                                              .RsaSigningKey(1024, 3)
3919                                              .Digest(Digest::NONE)
3920                                              .Padding(PaddingMode::NONE)
3921                                              .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3922 
3923     hidl_vec<hidl_vec<uint8_t>> cert_chain;
3924     ASSERT_EQ(ErrorCode::OK,
3925               AttestKey(AuthorizationSetBuilder()
3926                             .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
3927                             .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
3928                         &cert_chain));
3929     EXPECT_GE(cert_chain.size(), 2U);
3930     EXPECT_TRUE(verify_chain(cert_chain));
3931     EXPECT_TRUE(
3932         verify_attestation_record("challenge", "foo",                     //
3933                                   key_characteristics_.softwareEnforced,  //
3934                                   key_characteristics_.teeEnforced,       //
3935                                   cert_chain[0]));
3936 }
3937 
3938 /*
3939  * AttestationTest.RsaAttestationRequiresAppId
3940  *
3941  * Verifies that attesting to RSA requires app ID.
3942  */
TEST_P(AttestationTest,RsaAttestationRequiresAppId)3943 TEST_P(AttestationTest, RsaAttestationRequiresAppId) {
3944     ASSERT_EQ(ErrorCode::OK,
3945               GenerateKey(AuthorizationSetBuilder()
3946                               .Authorization(TAG_NO_AUTH_REQUIRED)
3947                               .RsaSigningKey(1024, 3)
3948                               .Digest(Digest::NONE)
3949                               .Padding(PaddingMode::NONE)
3950                               .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3951 
3952     hidl_vec<hidl_vec<uint8_t>> cert_chain;
3953     EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
3954               AttestKey(AuthorizationSetBuilder().Authorization(
3955                             TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")),
3956                         &cert_chain));
3957 }
3958 
3959 /*
3960  * AttestationTest.EcAttestation
3961  *
3962  * Verifies that attesting to EC keys works and generates the expected output.
3963  */
TEST_P(AttestationTest,EcAttestation)3964 TEST_P(AttestationTest, EcAttestation) {
3965     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3966                                              .Authorization(TAG_NO_AUTH_REQUIRED)
3967                                              .EcdsaSigningKey(EcCurve::P_256)
3968                                              .Digest(Digest::SHA_2_256)
3969                                              .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3970 
3971     hidl_vec<hidl_vec<uint8_t>> cert_chain;
3972     ASSERT_EQ(ErrorCode::OK,
3973               AttestKey(AuthorizationSetBuilder()
3974                             .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
3975                             .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
3976                         &cert_chain));
3977     EXPECT_GE(cert_chain.size(), 2U);
3978     EXPECT_TRUE(verify_chain(cert_chain));
3979 
3980     EXPECT_TRUE(
3981         verify_attestation_record("challenge", "foo",                     //
3982                                   key_characteristics_.softwareEnforced,  //
3983                                   key_characteristics_.teeEnforced,       //
3984                                   cert_chain[0]));
3985 }
3986 
3987 /*
3988  * AttestationTest.EcAttestationRequiresAttestationAppId
3989  *
3990  * Verifies that attesting to EC keys requires app ID
3991  */
TEST_P(AttestationTest,EcAttestationRequiresAttestationAppId)3992 TEST_P(AttestationTest, EcAttestationRequiresAttestationAppId) {
3993     ASSERT_EQ(ErrorCode::OK,
3994               GenerateKey(AuthorizationSetBuilder()
3995                               .Authorization(TAG_NO_AUTH_REQUIRED)
3996                               .EcdsaSigningKey(EcCurve::P_256)
3997                               .Digest(Digest::SHA_2_256)
3998                               .Authorization(TAG_INCLUDE_UNIQUE_ID)));
3999 
4000     hidl_vec<hidl_vec<uint8_t>> cert_chain;
4001     EXPECT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING,
4002               AttestKey(AuthorizationSetBuilder().Authorization(
4003                             TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")),
4004                         &cert_chain));
4005 }
4006 
4007 /*
4008  * AttestationTest.AesAttestation
4009  *
4010  * Verifies that attesting to AES keys fails in the expected way.
4011  */
TEST_P(AttestationTest,AesAttestation)4012 TEST_P(AttestationTest, AesAttestation) {
4013     ASSERT_EQ(ErrorCode::OK,
4014               GenerateKey(AuthorizationSetBuilder()
4015                               .Authorization(TAG_NO_AUTH_REQUIRED)
4016                               .AesEncryptionKey(128)
4017                               .EcbMode()
4018                               .Padding(PaddingMode::PKCS7)));
4019 
4020     hidl_vec<hidl_vec<uint8_t>> cert_chain;
4021     EXPECT_EQ(
4022         ErrorCode::INCOMPATIBLE_ALGORITHM,
4023         AttestKey(
4024             AuthorizationSetBuilder()
4025                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
4026                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
4027             &cert_chain));
4028 }
4029 
4030 /*
4031  * AttestationTest.HmacAttestation
4032  *
4033  * Verifies that attesting to HMAC keys fails in the expected way.
4034  */
TEST_P(AttestationTest,HmacAttestation)4035 TEST_P(AttestationTest, HmacAttestation) {
4036     ASSERT_EQ(ErrorCode::OK,
4037               GenerateKey(AuthorizationSetBuilder()
4038                               .Authorization(TAG_NO_AUTH_REQUIRED)
4039                               .HmacKey(128)
4040                               .EcbMode()
4041                               .Digest(Digest::SHA_2_256)
4042                               .Authorization(TAG_MIN_MAC_LENGTH, 128)));
4043 
4044     hidl_vec<hidl_vec<uint8_t>> cert_chain;
4045     EXPECT_EQ(
4046         ErrorCode::INCOMPATIBLE_ALGORITHM,
4047         AttestKey(
4048             AuthorizationSetBuilder()
4049                 .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge"))
4050                 .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")),
4051             &cert_chain));
4052 }
4053 
4054 typedef KeymasterHidlTest KeyDeletionTest;
4055 
4056 /**
4057  * KeyDeletionTest.DeleteKey
4058  *
4059  * This test checks that if rollback protection is implemented, DeleteKey invalidates a formerly
4060  * valid key blob.
4061  */
TEST_P(KeyDeletionTest,DeleteKey)4062 TEST_P(KeyDeletionTest, DeleteKey) {
4063     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4064                                              .RsaSigningKey(1024, 3)
4065                                              .Digest(Digest::NONE)
4066                                              .Padding(PaddingMode::NONE)
4067                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
4068 
4069     // Delete must work if rollback protection is implemented
4070     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
4071     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
4072 
4073     if (rollback_protected) {
4074         ASSERT_EQ(ErrorCode::OK, DeleteKey(true /* keep key blob */));
4075     } else {
4076         auto delete_result = DeleteKey(true /* keep key blob */);
4077         ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED);
4078     }
4079 
4080     string message = "12345678901234567890123456789012";
4081     AuthorizationSet begin_out_params;
4082 
4083     if (rollback_protected) {
4084         EXPECT_EQ(
4085             ErrorCode::INVALID_KEY_BLOB,
4086             Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder()
4087                                                    .Digest(Digest::NONE)
4088                                                    .Padding(PaddingMode::NONE),
4089                   &begin_out_params, &op_handle_))
4090             << " (Possibly b/37623742)";
4091     } else {
4092         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_,
4093                                        AuthorizationSetBuilder()
4094                                            .Digest(Digest::NONE)
4095                                            .Padding(PaddingMode::NONE),
4096                                        &begin_out_params, &op_handle_));
4097     }
4098     AbortIfNeeded();
4099     key_blob_ = HidlBuf();
4100 }
4101 
4102 /**
4103  * KeyDeletionTest.DeleteInvalidKey
4104  *
4105  * This test checks that the HAL excepts invalid key blobs.
4106  */
TEST_P(KeyDeletionTest,DeleteInvalidKey)4107 TEST_P(KeyDeletionTest, DeleteInvalidKey) {
4108     // Generate key just to check if rollback protection is implemented
4109     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4110                                              .RsaSigningKey(1024, 3)
4111                                              .Digest(Digest::NONE)
4112                                              .Padding(PaddingMode::NONE)
4113                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
4114 
4115     // Delete must work if rollback protection is implemented
4116     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
4117     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
4118 
4119     // Delete the key we don't care about the result at this point.
4120     DeleteKey();
4121 
4122     // Now create an invalid key blob and delete it.
4123     key_blob_ = HidlBuf("just some garbage data which is not a valid key blob");
4124 
4125     if (rollback_protected) {
4126         ASSERT_EQ(ErrorCode::OK, DeleteKey());
4127     } else {
4128         auto delete_result = DeleteKey();
4129         ASSERT_TRUE(delete_result == ErrorCode::OK | delete_result == ErrorCode::UNIMPLEMENTED);
4130     }
4131 }
4132 
4133 /**
4134  * KeyDeletionTest.DeleteAllKeys
4135  *
4136  * This test is disarmed by default. To arm it use --arm_deleteAllKeys.
4137  *
4138  * BEWARE: This test has serious side effects. All user keys will be lost! This includes
4139  * FBE/FDE encryption keys, which means that the device will not even boot until after the
4140  * device has been wiped manually (e.g., fastboot flashall -w), and new FBE/FDE keys have
4141  * been provisioned. Use this test only on dedicated testing devices that have no valuable
4142  * credentials stored in Keystore/Keymaster.
4143  */
TEST_P(KeyDeletionTest,DeleteAllKeys)4144 TEST_P(KeyDeletionTest, DeleteAllKeys) {
4145     if (!arm_deleteAllKeys) return;
4146     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
4147                                              .RsaSigningKey(1024, 3)
4148                                              .Digest(Digest::NONE)
4149                                              .Padding(PaddingMode::NONE)
4150                                              .Authorization(TAG_NO_AUTH_REQUIRED)));
4151 
4152     // Delete must work if rollback protection is implemented
4153     AuthorizationSet teeEnforced(key_characteristics_.teeEnforced);
4154     bool rollback_protected = teeEnforced.Contains(TAG_ROLLBACK_RESISTANT);
4155 
4156     ASSERT_EQ(ErrorCode::OK, DeleteAllKeys());
4157 
4158     string message = "12345678901234567890123456789012";
4159     AuthorizationSet begin_out_params;
4160 
4161     if (rollback_protected) {
4162         EXPECT_EQ(
4163             ErrorCode::INVALID_KEY_BLOB,
4164             Begin(KeyPurpose::SIGN, key_blob_, AuthorizationSetBuilder()
4165                                                    .Digest(Digest::NONE)
4166                                                    .Padding(PaddingMode::NONE),
4167                   &begin_out_params, &op_handle_));
4168     } else {
4169         EXPECT_EQ(ErrorCode::OK, Begin(KeyPurpose::SIGN, key_blob_,
4170                                        AuthorizationSetBuilder()
4171                                            .Digest(Digest::NONE)
4172                                            .Padding(PaddingMode::NONE),
4173                                        &begin_out_params, &op_handle_));
4174     }
4175     AbortIfNeeded();
4176     key_blob_ = HidlBuf();
4177 }
4178 
4179 static const auto kKeymasterDeviceChoices =
4180         testing::ValuesIn(android::hardware::getAllHalInstanceNames(IKeymasterDevice::descriptor));
4181 
4182 INSTANTIATE_TEST_SUITE_P(PerInstance, NewKeyGenerationTest, kKeymasterDeviceChoices,
4183                          android::hardware::PrintInstanceNameToString);
4184 
4185 INSTANTIATE_TEST_SUITE_P(PerInstance, KeymasterVersionTest, kKeymasterDeviceChoices,
4186                          android::hardware::PrintInstanceNameToString);
4187 
4188 INSTANTIATE_TEST_SUITE_P(PerInstance, GetKeyCharacteristicsTest, kKeymasterDeviceChoices,
4189                          android::hardware::PrintInstanceNameToString);
4190 
4191 INSTANTIATE_TEST_SUITE_P(PerInstance, SigningOperationsTest, kKeymasterDeviceChoices,
4192                          android::hardware::PrintInstanceNameToString);
4193 
4194 INSTANTIATE_TEST_SUITE_P(PerInstance, VerificationOperationsTest, kKeymasterDeviceChoices,
4195                          android::hardware::PrintInstanceNameToString);
4196 
4197 INSTANTIATE_TEST_SUITE_P(PerInstance, ExportKeyTest, kKeymasterDeviceChoices,
4198                          android::hardware::PrintInstanceNameToString);
4199 
4200 INSTANTIATE_TEST_SUITE_P(PerInstance, ImportKeyTest, kKeymasterDeviceChoices,
4201                          android::hardware::PrintInstanceNameToString);
4202 
4203 INSTANTIATE_TEST_SUITE_P(PerInstance, EncryptionOperationsTest, kKeymasterDeviceChoices,
4204                          android::hardware::PrintInstanceNameToString);
4205 
4206 INSTANTIATE_TEST_SUITE_P(PerInstance, MaxOperationsTest, kKeymasterDeviceChoices,
4207                          android::hardware::PrintInstanceNameToString);
4208 
4209 INSTANTIATE_TEST_SUITE_P(PerInstance, AddEntropyTest, kKeymasterDeviceChoices,
4210                          android::hardware::PrintInstanceNameToString);
4211 
4212 INSTANTIATE_TEST_SUITE_P(PerInstance, AttestationTest, kKeymasterDeviceChoices,
4213                          android::hardware::PrintInstanceNameToString);
4214 
4215 INSTANTIATE_TEST_SUITE_P(PerInstance, KeyDeletionTest, kKeymasterDeviceChoices,
4216                          android::hardware::PrintInstanceNameToString);
4217 
4218 }  // namespace test
4219 }  // namespace V3_0
4220 }  // namespace keymaster
4221 }  // namespace hardware
4222 }  // namespace android
4223 
main(int argc,char ** argv)4224 int main(int argc, char** argv) {
4225     ::testing::InitGoogleTest(&argc, argv);
4226     for (int i = 1; i < argc; ++i) {
4227         if (argv[i][0] == '-') {
4228             if (std::string(argv[i]) == "--arm_deleteAllKeys") {
4229                 arm_deleteAllKeys = true;
4230             }
4231             if (std::string(argv[i]) == "--dump_attestations") {
4232                 dump_Attestations = true;
4233             }
4234         }
4235     }
4236     int status = RUN_ALL_TESTS();
4237     ALOGI("Test result = %d", status);
4238     return status;
4239 }
4240