Gitiles
Code Review Sign In
gerrit.openfyde.cn / android.googlesource.com / platform / system / keymaster / 95dda36620149d1b8de57d175df9ba34a64e895d / . / google_keymaster_test_utils.cpp
blob: 7cda08a4380e7ed5d8afed87bc6930f98a4d3c17 [file] [log] [blame]
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]1/*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "google_keymaster_test_utils.h"
18
Shawn Willden95dda362015-02-27 10:58:37 -0700[diff] [blame^]19#include <algorithm>
20
21#include <openssl/rand.h>
22
23#include <keymaster/google_keymaster_messages.h>
24#include <keymaster/google_keymaster_utils.h>
25
26using std::is_permutation;
27using std::ostream;
28using std::string;
29using std::vector;
30
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]31std::ostream& operator<<(std::ostream& os, const keymaster_key_param_t& param) {
32 os << "Tag: " << keymaster_tag_mask_type(param.tag);
33 switch (keymaster_tag_get_type(param.tag)) {
34 case KM_INVALID:
35 os << " Invalid";
36 break;
37 case KM_INT_REP:
38 os << " (Rep)";
39 /* Falls through */
40 case KM_INT:
41 os << " Int: " << param.integer;
42 break;
43 case KM_ENUM_REP:
44 os << " (Rep)";
45 /* Falls through */
46 case KM_ENUM:
47 os << " Enum: " << param.enumerated;
48 break;
49 case KM_LONG:
50 os << " Long: " << param.long_integer;
51 break;
52 case KM_DATE:
53 os << " Date: " << param.date_time;
54 break;
55 case KM_BOOL:
56 os << " Bool: " << param.boolean;
57 break;
58 case KM_BIGNUM:
59 os << " Bignum: ";
60 break;
61 case KM_BYTES:
62 os << " Bytes: ";
63 break;
64 }
65 return os;
66}
67
68bool operator==(const keymaster_key_param_t& a, const keymaster_key_param_t& b) {
69 if (a.tag != b.tag) {
70 return false;
71 }
72
73 switch (keymaster_tag_get_type(a.tag)) {
74 default:
75 return false;
76 case KM_INVALID:
77 return true;
78 case KM_INT_REP:
79 case KM_INT:
80 return a.integer == b.integer;
81 case KM_ENUM_REP:
82 case KM_ENUM:
83 return a.enumerated == b.enumerated;
84 case KM_LONG:
85 return a.long_integer == b.long_integer;
86 case KM_DATE:
87 return a.date_time == b.date_time;
88 case KM_BOOL:
89 return a.boolean == b.boolean;
90 case KM_BIGNUM:
91 case KM_BYTES:
92 if ((a.blob.data == NULL || b.blob.data == NULL) && a.blob.data != b.blob.data)
93 return false;
94 return a.blob.data_length == b.blob.data_length &&
95 (memcmp(a.blob.data, b.blob.data, a.blob.data_length) == 0);
96 }
97}
98
99namespace keymaster {
100
101bool operator==(const AuthorizationSet& a, const AuthorizationSet& b) {
102 if (a.size() != b.size())
103 return false;
104
105 for (size_t i = 0; i < a.size(); ++i)
106 if (!(a[i] == b[i]))
107 return false;
108 return true;
109}
110
Shawn Willden2c242002015-02-27 07:01:02 -0700[diff] [blame]111bool operator!=(const AuthorizationSet& a, const AuthorizationSet& b) {
112 return !(a == b);
113}
114
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]115std::ostream& operator<<(std::ostream& os, const AuthorizationSet& set) {
116 if (set.size() == 0)
117 os << "(Empty)" << std::endl;
118 for (size_t i = 0; i < set.size(); ++i) {
119 os << set[i] << std::endl;
120 }
121 return os;
122}
123
Shawn Willden95dda362015-02-27 10:58:37 -0700[diff] [blame^]124namespace test {
125
126Keymaster1Test::Keymaster1Test()
127 : device_(NULL), op_handle_(OP_HANDLE_SENTINEL), characteristics_(NULL) {
128 blob_.key_material = NULL;
129 RAND_seed("foobar", 6);
130 blob_.key_material = 0;
131}
132
133Keymaster1Test::~Keymaster1Test() {
134 FreeCharacteristics();
135 FreeKeyBlob();
136 device_->common.close(reinterpret_cast<hw_device_t*>(device_));
137}
138
139keymaster1_device_t* Keymaster1Test::device() {
140 return device_;
141}
142
143keymaster_error_t Keymaster1Test::GenerateKey(const AuthorizationSetBuilder& builder) {
144 AuthorizationSet params(builder.build());
145 params.push_back(UserAuthParams());
146 params.push_back(ClientParams());
147
148 FreeKeyBlob();
149 FreeCharacteristics();
150 return device()->generate_key(device(), params.data(), params.size(), &blob_,
151 &characteristics_);
152}
153
154keymaster_error_t Keymaster1Test::ImportKey(const AuthorizationSetBuilder& builder,
155 keymaster_key_format_t format,
156 const string& key_material) {
157 AuthorizationSet params(builder.build());
158 params.push_back(UserAuthParams());
159 params.push_back(ClientParams());
160
161 FreeKeyBlob();
162 FreeCharacteristics();
163 return device()->import_key(device(), params.data(), params.size(), format,
164 reinterpret_cast<const uint8_t*>(key_material.c_str()),
165 key_material.length(), &blob_, &characteristics_);
166}
167
168AuthorizationSet Keymaster1Test::UserAuthParams() {
169 AuthorizationSet set;
170 set.push_back(TAG_USER_ID, 7);
171 set.push_back(TAG_USER_AUTH_ID, 8);
172 set.push_back(TAG_AUTH_TIMEOUT, 300);
173 return set;
174}
175
176AuthorizationSet Keymaster1Test::ClientParams() {
177 AuthorizationSet set;
178 set.push_back(TAG_APPLICATION_ID, "app_id", 6);
179 return set;
180}
181
182keymaster_error_t Keymaster1Test::BeginOperation(keymaster_purpose_t purpose) {
183 keymaster_key_param_t* out_params = NULL;
184 size_t out_params_count = 0;
185 keymaster_error_t error =
186 device()->begin(device(), purpose, &blob_, client_params_, array_length(client_params_),
187 &out_params, &out_params_count, &op_handle_);
188 EXPECT_EQ(0, out_params_count);
189 EXPECT_TRUE(out_params == NULL);
190 return error;
191}
192
193keymaster_error_t Keymaster1Test::BeginOperation(keymaster_purpose_t purpose,
194 const AuthorizationSet& input_set,
195 AuthorizationSet* output_set) {
196 AuthorizationSet additional_params(client_params_, array_length(client_params_));
197 additional_params.push_back(input_set);
198
199 keymaster_key_param_t* out_params;
200 size_t out_params_count;
201 keymaster_error_t error =
202 device()->begin(device(), purpose, &blob_, additional_params.data(),
203 additional_params.size(), &out_params, &out_params_count, &op_handle_);
204 if (error == KM_ERROR_OK) {
205 if (output_set) {
206 output_set->Reinitialize(out_params, out_params_count);
207 } else {
208 EXPECT_EQ(0, out_params_count);
209 EXPECT_TRUE(out_params == NULL);
210 }
211 keymaster_free_param_values(out_params, out_params_count);
212 free(out_params);
213 }
214 return error;
215}
216
217keymaster_error_t Keymaster1Test::UpdateOperation(const string& message, string* output,
218 size_t* input_consumed) {
219 uint8_t* out_tmp = NULL;
220 size_t out_length;
221 EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
222 keymaster_error_t error =
223 device()->update(device(), op_handle_, NULL /* params */, 0 /* params_count */,
224 reinterpret_cast<const uint8_t*>(message.c_str()), message.length(),
225 input_consumed, &out_tmp, &out_length);
226 if (error == KM_ERROR_OK && out_tmp)
227 output->append(reinterpret_cast<char*>(out_tmp), out_length);
228 free(out_tmp);
229 return error;
230}
231
232keymaster_error_t Keymaster1Test::UpdateOperation(const AuthorizationSet& additional_params,
233 const string& message, string* output,
234 size_t* input_consumed) {
235 uint8_t* out_tmp = NULL;
236 size_t out_length;
237 EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
238 keymaster_error_t error =
239 device()->update(device(), op_handle_, additional_params.data(), additional_params.size(),
240 reinterpret_cast<const uint8_t*>(message.c_str()), message.length(),
241 input_consumed, &out_tmp, &out_length);
242 if (error == KM_ERROR_OK && out_tmp)
243 output->append(reinterpret_cast<char*>(out_tmp), out_length);
244 free(out_tmp);
245 return error;
246}
247
248keymaster_error_t Keymaster1Test::FinishOperation(string* output) {
249 return FinishOperation("", output);
250}
251
252keymaster_error_t Keymaster1Test::FinishOperation(const string& signature, string* output) {
253 AuthorizationSet additional_params;
254 return FinishOperation(additional_params, signature, output);
255}
256
257keymaster_error_t Keymaster1Test::FinishOperation(const AuthorizationSet& additional_params,
258 const string& signature, string* output) {
259 uint8_t* out_tmp = NULL;
260 size_t out_length;
261 keymaster_error_t error =
262 device()->finish(device(), op_handle_, additional_params.data(), additional_params.size(),
263 reinterpret_cast<const uint8_t*>(signature.c_str()), signature.length(),
264 &out_tmp, &out_length);
265 if (out_tmp)
266 output->append(reinterpret_cast<char*>(out_tmp), out_length);
267 free(out_tmp);
268 return error;
269}
270
271keymaster_error_t Keymaster1Test::AbortOperation() {
272 return device()->abort(device(), op_handle_);
273}
274
275string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message) {
276 AuthorizationSet input_params;
277 EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
278
279 string result;
280 size_t input_consumed;
281 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
282 EXPECT_EQ(message.size(), input_consumed);
283 EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
284 return result;
285}
286
287string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
288 const AuthorizationSet& begin_params,
289 const AuthorizationSet& update_params,
290 AuthorizationSet* output_params) {
291 EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params, output_params));
292
293 string result;
294 size_t input_consumed;
295 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &result, &input_consumed));
296 EXPECT_EQ(message.size(), input_consumed);
297 EXPECT_EQ(KM_ERROR_OK, FinishOperation(update_params, "", &result));
298 return result;
299}
300
301string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
302 const string& signature) {
303 AuthorizationSet input_params;
304 EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
305
306 string result;
307 size_t input_consumed;
308 EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
309 EXPECT_EQ(message.size(), input_consumed);
310 EXPECT_EQ(KM_ERROR_OK, FinishOperation(signature, &result));
311 return result;
312}
313
314void Keymaster1Test::SignMessage(const string& message, string* signature) {
315 SCOPED_TRACE("SignMessage");
316 *signature = ProcessMessage(KM_PURPOSE_SIGN, message);
317 EXPECT_GT(signature->size(), 0);
318}
319
320void Keymaster1Test::VerifyMessage(const string& message, const string& signature) {
321 SCOPED_TRACE("VerifyMessage");
322 ProcessMessage(KM_PURPOSE_VERIFY, message, signature);
323}
324
325string Keymaster1Test::EncryptMessage(const string& message, string* generated_nonce) {
326 AuthorizationSet update_params;
327 return EncryptMessage(update_params, message, generated_nonce);
328}
329
330string Keymaster1Test::EncryptMessage(const AuthorizationSet& update_params, const string& message,
331 string* generated_nonce) {
332 SCOPED_TRACE("EncryptMessage");
333 AuthorizationSet begin_params, output_params;
334 string ciphertext =
335 ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
336 if (generated_nonce) {
337 keymaster_blob_t nonce_blob;
338 EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
339 *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
340 } else {
341 EXPECT_EQ(-1, output_params.find(TAG_NONCE));
342 }
343 return ciphertext;
344}
345
346string Keymaster1Test::EncryptMessageWithParams(const string& message,
347 const AuthorizationSet& begin_params,
348 const AuthorizationSet& update_params,
349 AuthorizationSet* output_params) {
350 SCOPED_TRACE("EncryptMessageWithParams");
351 return ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, output_params);
352}
353
354string Keymaster1Test::DecryptMessage(const string& ciphertext) {
355 SCOPED_TRACE("DecryptMessage");
356 return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext);
357}
358
359string Keymaster1Test::DecryptMessage(const string& ciphertext, const string& nonce) {
360 SCOPED_TRACE("DecryptMessage");
361 AuthorizationSet update_params;
362 return DecryptMessage(update_params, ciphertext, nonce);
363}
364
365string Keymaster1Test::DecryptMessage(const AuthorizationSet& update_params,
366 const string& ciphertext, const string& nonce) {
367 SCOPED_TRACE("DecryptMessage");
368 AuthorizationSet begin_params;
369 begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
370 return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
371}
372
373keymaster_error_t Keymaster1Test::GetCharacteristics() {
374 FreeCharacteristics();
375 return device()->get_key_characteristics(device(), &blob_, &client_id_, NULL /* app_data */,
376 &characteristics_);
377}
378
379keymaster_error_t Keymaster1Test::ExportKey(keymaster_key_format_t format, string* export_data) {
380 uint8_t* export_data_tmp;
381 size_t export_data_length;
382
383 keymaster_error_t error =
384 device()->export_key(device(), format, &blob_, &client_id_, NULL /* app_data */,
385 &export_data_tmp, &export_data_length);
386
387 if (error != KM_ERROR_OK)
388 return error;
389
390 *export_data = string(reinterpret_cast<char*>(export_data_tmp), export_data_length);
391 free(export_data_tmp);
392 return error;
393}
394
395keymaster_error_t
396Keymaster1Test::Rescope(const AuthorizationSet& new_params, keymaster_key_blob_t* rescoped_blob,
397 keymaster_key_characteristics_t** rescoped_characteristics) {
398 return device()->rescope(device(), new_params.data(), new_params.size(), &blob_, &client_id_,
399 NULL /* app data */, rescoped_blob, rescoped_characteristics);
400}
401
402void Keymaster1Test::CheckHmacTestVector(string key, string message, keymaster_digest_t digest,
403 string expected_mac) {
404 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder().HmacKey(key.size() * 8, digest,
405 expected_mac.size()),
406 KM_KEY_FORMAT_RAW, key));
407 string signature;
408 SignMessage(message, &signature);
409 EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << digest;
410}
411
412void Keymaster1Test::CheckAesOcbTestVector(const string& key, const string& nonce,
413 const string& associated_data, const string& message,
414 const string& expected_ciphertext) {
415 ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
416 .AesEncryptionKey(key.size() * 8)
417 .OcbMode(4096 /* chunk length */, 16 /* tag length */)
418 .Authorization(TAG_CALLER_NONCE),
419 KM_KEY_FORMAT_RAW, key));
420
421 AuthorizationSet begin_params, update_params, output_params;
422 begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
423 update_params.push_back(TAG_ASSOCIATED_DATA, associated_data.data(), associated_data.size());
424 string ciphertext =
425 EncryptMessageWithParams(message, begin_params, update_params, &output_params);
426 EXPECT_EQ(expected_ciphertext, ciphertext);
427}
428
429AuthorizationSet Keymaster1Test::hw_enforced() {
430 EXPECT_TRUE(characteristics_ != NULL);
431 return AuthorizationSet(characteristics_->hw_enforced);
432}
433
434AuthorizationSet Keymaster1Test::sw_enforced() {
435 EXPECT_TRUE(characteristics_ != NULL);
436 return AuthorizationSet(characteristics_->sw_enforced);
437}
438
439void Keymaster1Test::FreeCharacteristics() {
440 keymaster_free_characteristics(characteristics_);
441 free(characteristics_);
442 characteristics_ = NULL;
443}
444
445void Keymaster1Test::FreeKeyBlob() {
446 free(const_cast<uint8_t*>(blob_.key_material));
447 blob_.key_material = NULL;
448}
449
450void Keymaster1Test::corrupt_key_blob() {
451 assert(blob_.key_material);
452 uint8_t* tmp = const_cast<uint8_t*>(blob_.key_material);
453 ++tmp[blob_.key_material_size / 2];
454}
455
456} // namespace test
Shawn Willden76364712014-08-11 17:48:04 -0600[diff] [blame]457} // namespace keymaster