summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorandroid-build-team Robot2018-06-18 18:34:41 -0500
committerandroid-build-team Robot2018-06-18 18:34:41 -0500
commit8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69 (patch)
treee2babb5396e6e6aa4c086f69f2c30ef92f7c5db2
parent99f439b26692e1fc27932550fbf802a35430c8c6 (diff)
parent8a678bca72cd4ce498da57c33bb651862de7eceb (diff)
downloadplatform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.tar.gz
platform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.tar.xz
platform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.zip
Merge cherrypicks of [4368877, 4369031, 4369032, 4369033, 4369034, 4368878, 4369035, 4369036, 4369008] into pi-release
Change-Id: Ic608620596e708c1aa2b344833883e470877b7d5
-rw-r--r--keymaster/4.0/vts/functional/KeymasterHidlTest.cpp135
-rw-r--r--keymaster/4.0/vts/functional/KeymasterHidlTest.h9
-rw-r--r--keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp103
3 files changed, 203 insertions, 44 deletions
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
index e266a86e..c89abd90 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp
@@ -16,6 +16,9 @@
16 16
17#include "KeymasterHidlTest.h" 17#include "KeymasterHidlTest.h"
18 18
19#include <vector>
20
21#include <android-base/logging.h>
19#include <android/hidl/manager/1.0/IServiceManager.h> 22#include <android/hidl/manager/1.0/IServiceManager.h>
20 23
21#include <keymasterV4_0/key_param_output.h> 24#include <keymasterV4_0/key_param_output.h>
@@ -383,12 +386,18 @@ string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose ope
383 AuthorizationSet begin_out_params; 386 AuthorizationSet begin_out_params;
384 EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); 387 EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
385 388
389 string output;
390 size_t consumed = 0;
391 AuthorizationSet update_params;
392 AuthorizationSet update_out_params;
393 EXPECT_EQ(ErrorCode::OK,
394 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
395
386 string unused; 396 string unused;
387 AuthorizationSet finish_params; 397 AuthorizationSet finish_params;
388 AuthorizationSet finish_out_params; 398 AuthorizationSet finish_out_params;
389 string output; 399 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused,
390 EXPECT_EQ(ErrorCode::OK, 400 &finish_out_params, &output));
391 Finish(op_handle_, finish_params, message, unused, &finish_out_params, &output));
392 op_handle_ = kOpHandleSentinel; 401 op_handle_ = kOpHandleSentinel;
393 402
394 out_params->push_back(begin_out_params); 403 out_params->push_back(begin_out_params);
@@ -480,12 +489,20 @@ void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& mes
480 ASSERT_EQ(ErrorCode::OK, 489 ASSERT_EQ(ErrorCode::OK,
481 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); 490 Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_));
482 491
492 string output;
493 AuthorizationSet update_params;
494 AuthorizationSet update_out_params;
495 size_t consumed;
496 ASSERT_EQ(ErrorCode::OK,
497 Update(op_handle_, update_params, message, &update_out_params, &output, &consumed));
498 EXPECT_TRUE(output.empty());
499 EXPECT_GT(consumed, 0U);
500
483 string unused; 501 string unused;
484 AuthorizationSet finish_params; 502 AuthorizationSet finish_params;
485 AuthorizationSet finish_out_params; 503 AuthorizationSet finish_out_params;
486 string output; 504 EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature,
487 EXPECT_EQ(ErrorCode::OK, 505 &finish_out_params, &output));
488 Finish(op_handle_, finish_params, message, signature, &finish_out_params, &output));
489 op_handle_ = kOpHandleSentinel; 506 op_handle_ = kOpHandleSentinel;
490 EXPECT_TRUE(output.empty()); 507 EXPECT_TRUE(output.empty());
491} 508}
@@ -585,6 +602,112 @@ std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_b
585 }); 602 });
586 return retval; 603 return retval;
587} 604}
605std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) {
606 switch (algorithm) {
607 case Algorithm::RSA:
608 switch (SecLevel()) {
609 case SecurityLevel::TRUSTED_ENVIRONMENT:
610 return {2048, 3072, 4096};
611 case SecurityLevel::STRONGBOX:
612 return {2048};
613 default:
614 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
615 break;
616 }
617 break;
618 case Algorithm::EC:
619 switch (SecLevel()) {
620 case SecurityLevel::TRUSTED_ENVIRONMENT:
621 return {224, 256, 384, 521};
622 case SecurityLevel::STRONGBOX:
623 return {256};
624 default:
625 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
626 break;
627 }
628 break;
629 case Algorithm::AES:
630 return {128, 256};
631 case Algorithm::TRIPLE_DES:
632 return {168};
633 case Algorithm::HMAC: {
634 std::vector<uint32_t> retval((512 - 64) / 8 + 1);
635 uint32_t size = 64 - 8;
636 std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); });
637 return retval;
638 }
639 default:
640 CHECK(false) << "Invalid Algorithm: " << algorithm;
641 return {};
642 }
643 CHECK(false) << "Should be impossible to get here";
644 return {};
645}
646std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) {
647 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
648 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
649 switch (algorithm) {
650 case Algorithm::RSA:
651 return {3072, 4096};
652 case Algorithm::EC:
653 return {224, 384, 521};
654 default:
655 return {};
656 }
657}
658
659std::vector<EcCurve> KeymasterHidlTest::ValidCurves() {
660 if (securityLevel_ == SecurityLevel::STRONGBOX) {
661 return {EcCurve::P_256};
662 } else {
663 return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};
664 }
665}
666
667std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() {
668 if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {};
669 CHECK(SecLevel() == SecurityLevel::STRONGBOX);
670 return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};
671}
672
673std::initializer_list<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) {
674 std::vector<Digest> result;
675 switch (SecLevel()) {
676 case SecurityLevel::TRUSTED_ENVIRONMENT:
677 if (withNone) {
678 if (withMD5)
679 return {Digest::NONE, Digest::MD5, Digest::SHA1,
680 Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
681 Digest::SHA_2_512};
682 else
683 return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
684 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
685 } else {
686 if (withMD5)
687 return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224,
688 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
689 else
690 return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
691 Digest::SHA_2_512};
692 }
693 break;
694 case SecurityLevel::STRONGBOX:
695 if (withNone)
696 return {Digest::NONE, Digest::SHA_2_256};
697 else
698 return {Digest::SHA_2_256};
699 break;
700 default:
701 CHECK(false) << "Invalid security level " << uint32_t(SecLevel());
702 break;
703 }
704 CHECK(false) << "Should be impossible to get here";
705 return {};
706}
707
708std::vector<Digest> KeymasterHidlTest::InvalidDigests() {
709 return {};
710}
588 711
589} // namespace test 712} // namespace test
590} // namespace V4_0 713} // namespace V4_0
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.h b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
index 36d3fc21..94beb21d 100644
--- a/keymaster/4.0/vts/functional/KeymasterHidlTest.h
+++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.h
@@ -208,6 +208,15 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase {
208 static bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; } 208 static bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; }
209 static SecurityLevel SecLevel() { return securityLevel_; } 209 static SecurityLevel SecLevel() { return securityLevel_; }
210 210
211 std::vector<uint32_t> ValidKeySizes(Algorithm algorithm);
212 std::vector<uint32_t> InvalidKeySizes(Algorithm algorithm);
213
214 std::vector<EcCurve> ValidCurves();
215 std::vector<EcCurve> InvalidCurves();
216
217 std::initializer_list<Digest> ValidDigests(bool withNone, bool withMD5);
218 std::vector<Digest> InvalidDigests();
219
211 HidlBuf key_blob_; 220 HidlBuf key_blob_;
212 KeyCharacteristics key_characteristics_; 221 KeyCharacteristics key_characteristics_;
213 OperationHandle op_handle_ = kOpHandleSentinel; 222 OperationHandle op_handle_ = kOpHandleSentinel;
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index bc33b2bf..854c7168 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -375,7 +375,7 @@ class NewKeyGenerationTest : public KeymasterHidlTest {
375 * correct characteristics. 375 * correct characteristics.
376 */ 376 */
377TEST_F(NewKeyGenerationTest, Rsa) { 377TEST_F(NewKeyGenerationTest, Rsa) {
378 for (uint32_t key_size : {1024, 2048, 3072, 4096}) { 378 for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
379 HidlBuf key_blob; 379 HidlBuf key_blob;
380 KeyCharacteristics key_characteristics; 380 KeyCharacteristics key_characteristics;
381 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 381 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
@@ -405,6 +405,23 @@ TEST_F(NewKeyGenerationTest, Rsa) {
405} 405}
406 406
407/* 407/*
408 * NewKeyGenerationTest.NoInvalidRsaSizes
409 *
410 * Verifies that keymaster cannot generate any RSA key sizes that are designated as invalid.
411 */
412TEST_F(NewKeyGenerationTest, NoInvalidRsaSizes) {
413 for (auto key_size : InvalidKeySizes(Algorithm::RSA)) {
414 HidlBuf key_blob;
415 KeyCharacteristics key_characteristics;
416 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder()
417 .RsaSigningKey(key_size, 3)
418 .Digest(Digest::NONE)
419 .Padding(PaddingMode::NONE),
420 &key_blob, &key_characteristics));
421 }
422}
423
424/*
408 * NewKeyGenerationTest.RsaNoDefaultSize 425 * NewKeyGenerationTest.RsaNoDefaultSize
409 * 426 *
410 * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE. 427 * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE.
@@ -424,7 +441,7 @@ TEST_F(NewKeyGenerationTest, RsaNoDefaultSize) {
424 * correct characteristics. 441 * correct characteristics.
425 */ 442 */
426TEST_F(NewKeyGenerationTest, Ecdsa) { 443TEST_F(NewKeyGenerationTest, Ecdsa) {
427 for (uint32_t key_size : {224, 256, 384, 521}) { 444 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
428 HidlBuf key_blob; 445 HidlBuf key_blob;
429 KeyCharacteristics key_characteristics; 446 KeyCharacteristics key_characteristics;
430 ASSERT_EQ( 447 ASSERT_EQ(
@@ -466,10 +483,18 @@ TEST_F(NewKeyGenerationTest, EcdsaDefaultSize) {
466/* 483/*
467 * NewKeyGenerationTest.EcdsaInvalidSize 484 * NewKeyGenerationTest.EcdsaInvalidSize
468 * 485 *
469 * Verifies that failing to specify an invalid key size for EC key generation returns 486 * Verifies that specifying an invalid key size for EC key generation returns UNSUPPORTED_KEY_SIZE.
470 * UNSUPPORTED_KEY_SIZE.
471 */ 487 */
472TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) { 488TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) {
489 for (auto key_size : InvalidKeySizes(Algorithm::EC)) {
490 HidlBuf key_blob;
491 KeyCharacteristics key_characteristics;
492 ASSERT_EQ(
493 ErrorCode::UNSUPPORTED_KEY_SIZE,
494 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE),
495 &key_blob, &key_characteristics));
496 }
497
473 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, 498 ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
474 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE))); 499 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE)));
475} 500}
@@ -481,6 +506,8 @@ TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) {
481 * INVALID_ARGUMENT. 506 * INVALID_ARGUMENT.
482 */ 507 */
483TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) { 508TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) {
509 if (SecLevel() == SecurityLevel::STRONGBOX) return;
510
484 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, 511 ASSERT_EQ(ErrorCode::INVALID_ARGUMENT,
485 GenerateKey(AuthorizationSetBuilder() 512 GenerateKey(AuthorizationSetBuilder()
486 .EcdsaSigningKey(224) 513 .EcdsaSigningKey(224)
@@ -494,7 +521,7 @@ TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) {
494 * Verifies that keymaster supports all required EC key sizes. 521 * Verifies that keymaster supports all required EC key sizes.
495 */ 522 */
496TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) { 523TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) {
497 size_t valid_sizes[] = {224, 256, 384, 521}; 524 auto valid_sizes = ValidKeySizes(Algorithm::EC);
498 for (size_t size : valid_sizes) { 525 for (size_t size : valid_sizes) {
499 EXPECT_EQ(ErrorCode::OK, 526 EXPECT_EQ(ErrorCode::OK,
500 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE))) 527 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE)))
@@ -505,13 +532,12 @@ TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) {
505} 532}
506 533
507/* 534/*
508 * NewKeyGenerationTest.EcdsaAllValidCurves 535 * NewKeyGenerationTest.EcdsaInvalidCurves
509 * 536 *
510 * Verifies that keymaster supports all required EC curves. 537 * Verifies that keymaster does not support any curve designated as unsupported.
511 */ 538 */
512TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) { 539TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {
513 V4_0::EcCurve curves[] = {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; 540 for (auto curve : ValidCurves()) {
514 for (V4_0::EcCurve curve : curves) {
515 EXPECT_EQ( 541 EXPECT_EQ(
516 ErrorCode::OK, 542 ErrorCode::OK,
517 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512))) 543 GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512)))
@@ -528,8 +554,7 @@ TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {
528 * characteristics. 554 * characteristics.
529 */ 555 */
530TEST_F(NewKeyGenerationTest, Hmac) { 556TEST_F(NewKeyGenerationTest, Hmac) {
531 for (auto digest : {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, 557 for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) {
532 Digest::SHA_2_384, Digest::SHA_2_512}) {
533 HidlBuf key_blob; 558 HidlBuf key_blob;
534 KeyCharacteristics key_characteristics; 559 KeyCharacteristics key_characteristics;
535 constexpr size_t key_size = 128; 560 constexpr size_t key_size = 128;
@@ -630,6 +655,8 @@ TEST_F(NewKeyGenerationTest, HmacCheckMinMacLengths) {
630 * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms. 655 * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms.
631 */ 656 */
632TEST_F(NewKeyGenerationTest, HmacMultipleDigests) { 657TEST_F(NewKeyGenerationTest, HmacMultipleDigests) {
658 if (SecLevel() == SecurityLevel::STRONGBOX) return;
659
633 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, 660 ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST,
634 GenerateKey(AuthorizationSetBuilder() 661 GenerateKey(AuthorizationSetBuilder()
635 .HmacKey(128) 662 .HmacKey(128)
@@ -664,7 +691,7 @@ typedef KeymasterHidlTest SigningOperationsTest;
664 */ 691 */
665TEST_F(SigningOperationsTest, RsaSuccess) { 692TEST_F(SigningOperationsTest, RsaSuccess) {
666 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 693 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
667 .RsaSigningKey(1024, 65537) 694 .RsaSigningKey(2048, 65537)
668 .Digest(Digest::NONE) 695 .Digest(Digest::NONE)
669 .Padding(PaddingMode::NONE) 696 .Padding(PaddingMode::NONE)
670 .Authorization(TAG_NO_AUTH_REQUIRED))); 697 .Authorization(TAG_NO_AUTH_REQUIRED)));
@@ -680,7 +707,7 @@ TEST_F(SigningOperationsTest, RsaSuccess) {
680 */ 707 */
681TEST_F(SigningOperationsTest, RsaPssSha256Success) { 708TEST_F(SigningOperationsTest, RsaPssSha256Success) {
682 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 709 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
683 .RsaSigningKey(1024, 65537) 710 .RsaSigningKey(2048, 65537)
684 .Digest(Digest::SHA_2_256) 711 .Digest(Digest::SHA_2_256)
685 .Padding(PaddingMode::RSA_PSS) 712 .Padding(PaddingMode::RSA_PSS)
686 .Authorization(TAG_NO_AUTH_REQUIRED))); 713 .Authorization(TAG_NO_AUTH_REQUIRED)));
@@ -698,7 +725,7 @@ TEST_F(SigningOperationsTest, RsaPssSha256Success) {
698 */ 725 */
699TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { 726TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
700 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 727 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
701 .RsaSigningKey(1024, 65537) 728 .RsaSigningKey(2048, 65537)
702 .Digest(Digest::NONE) 729 .Digest(Digest::NONE)
703 .Authorization(TAG_NO_AUTH_REQUIRED) 730 .Authorization(TAG_NO_AUTH_REQUIRED)
704 .Padding(PaddingMode::NONE))); 731 .Padding(PaddingMode::NONE)));
@@ -993,11 +1020,8 @@ TEST_F(SigningOperationsTest, RsaSignTooLargeMessage) {
993 * Verifies that ECDSA operations succeed with all possible key sizes and hashes. 1020 * Verifies that ECDSA operations succeed with all possible key sizes and hashes.
994 */ 1021 */
995TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) { 1022TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) {
996 for (auto key_size : {224, 256, 384, 521}) { 1023 for (auto key_size : ValidKeySizes(Algorithm::EC)) {
997 for (auto digest : { 1024 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
998 Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384,
999 Digest::SHA_2_512,
1000 }) {
1001 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 1025 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1002 .Authorization(TAG_NO_AUTH_REQUIRED) 1026 .Authorization(TAG_NO_AUTH_REQUIRED)
1003 .EcdsaSigningKey(key_size) 1027 .EcdsaSigningKey(key_size)
@@ -1020,7 +1044,7 @@ TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) {
1020 * Verifies that ECDSA operations succeed with all possible curves. 1044 * Verifies that ECDSA operations succeed with all possible curves.
1021 */ 1045 */
1022TEST_F(SigningOperationsTest, EcdsaAllCurves) { 1046TEST_F(SigningOperationsTest, EcdsaAllCurves) {
1023 for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { 1047 for (auto curve : ValidCurves()) {
1024 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 1048 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1025 .Authorization(TAG_NO_AUTH_REQUIRED) 1049 .Authorization(TAG_NO_AUTH_REQUIRED)
1026 .EcdsaSigningKey(curve) 1050 .EcdsaSigningKey(curve)
@@ -1075,8 +1099,7 @@ TEST_F(SigningOperationsTest, AesEcbSign) {
1075 * Verifies that HMAC works with all digests. 1099 * Verifies that HMAC works with all digests.
1076 */ 1100 */
1077TEST_F(SigningOperationsTest, HmacAllDigests) { 1101TEST_F(SigningOperationsTest, HmacAllDigests) {
1078 for (auto digest : {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, 1102 for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) {
1079 Digest::SHA_2_512}) {
1080 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 1103 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
1081 .Authorization(TAG_NO_AUTH_REQUIRED) 1104 .Authorization(TAG_NO_AUTH_REQUIRED)
1082 .HmacKey(128) 1105 .HmacKey(128)
@@ -1307,15 +1330,15 @@ TEST_F(VerificationOperationsTest, RsaSuccess) {
1307 * Verifies RSA signature/verification for all padding modes and digests. 1330 * Verifies RSA signature/verification for all padding modes and digests.
1308 */ 1331 */
1309TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { 1332TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
1310 ASSERT_EQ(ErrorCode::OK, 1333 auto authorizations = AuthorizationSetBuilder()
1311 GenerateKey(AuthorizationSetBuilder()
1312 .Authorization(TAG_NO_AUTH_REQUIRED) 1334 .Authorization(TAG_NO_AUTH_REQUIRED)
1313 .RsaSigningKey(2048, 65537) 1335 .RsaSigningKey(2048, 65537)
1314 .Digest(Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 1336 .Digest(ValidDigests(true /* withNone */, true /* withMD5 */))
1315 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512)
1316 .Padding(PaddingMode::NONE) 1337 .Padding(PaddingMode::NONE)
1317 .Padding(PaddingMode::RSA_PSS) 1338 .Padding(PaddingMode::RSA_PSS)
1318 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); 1339 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN);
1340
1341 ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations));
1319 1342
1320 string message(128, 'a'); 1343 string message(128, 'a');
1321 string corrupt_message(message); 1344 string corrupt_message(message);
@@ -1323,8 +1346,7 @@ TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
1323 1346
1324 for (auto padding : 1347 for (auto padding :
1325 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) { 1348 {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) {
1326 for (auto digest : {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 1349 for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) {
1327 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}) {
1328 if (padding == PaddingMode::NONE && digest != Digest::NONE) { 1350 if (padding == PaddingMode::NONE && digest != Digest::NONE) {
1329 // Digesting only makes sense with padding. 1351 // Digesting only makes sense with padding.
1330 continue; 1352 continue;
@@ -1402,14 +1424,11 @@ TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) {
1402 * Verifies ECDSA signature/verification for all digests and curves. 1424 * Verifies ECDSA signature/verification for all digests and curves.
1403 */ 1425 */
1404TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) { 1426TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) {
1405 auto digests = { 1427 auto digests = ValidDigests(true /* withNone */, false /* withMD5 */);
1406 Digest::NONE, Digest::SHA1, Digest::SHA_2_224,
1407 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512,
1408 };
1409 1428
1410 string message = "1234567890"; 1429 string message = "1234567890";
1411 string corrupt_message = "2234567890"; 1430 string corrupt_message = "2234567890";
1412 for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { 1431 for (auto curve : ValidCurves()) {
1413 ErrorCode error = GenerateKey(AuthorizationSetBuilder() 1432 ErrorCode error = GenerateKey(AuthorizationSetBuilder()
1414 .Authorization(TAG_NO_AUTH_REQUIRED) 1433 .Authorization(TAG_NO_AUTH_REQUIRED)
1415 .EcdsaSigningKey(curve) 1434 .EcdsaSigningKey(curve)
@@ -1721,6 +1740,7 @@ TEST_F(ImportKeyTest, EcdsaSuccess) {
1721 * Verifies that importing and using an ECDSA P-521 key pair works correctly. 1740 * Verifies that importing and using an ECDSA P-521 key pair works correctly.
1722 */ 1741 */
1723TEST_F(ImportKeyTest, Ecdsa521Success) { 1742TEST_F(ImportKeyTest, Ecdsa521Success) {
1743 if (SecLevel() == SecurityLevel::STRONGBOX) return;
1724 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() 1744 ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
1725 .Authorization(TAG_NO_AUTH_REQUIRED) 1745 .Authorization(TAG_NO_AUTH_REQUIRED)
1726 .EcdsaSigningKey(521) 1746 .EcdsaSigningKey(521)
@@ -2053,8 +2073,7 @@ TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLarge) {
2053 * Verifies that RSA-OAEP encryption operations work, with all digests. 2073 * Verifies that RSA-OAEP encryption operations work, with all digests.
2054 */ 2074 */
2055TEST_F(EncryptionOperationsTest, RsaOaepSuccess) { 2075TEST_F(EncryptionOperationsTest, RsaOaepSuccess) {
2056 auto digests = {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, 2076 auto digests = ValidDigests(false /* withNone */, true /* withMD5 */);
2057 Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512};
2058 2077
2059 size_t key_size = 2048; // Need largish key for SHA-512 test. 2078 size_t key_size = 2048; // Need largish key for SHA-512 test.
2060 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2079 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
@@ -2231,7 +2250,7 @@ TEST_F(EncryptionOperationsTest, RsaPkcs1TooLarge) {
2231TEST_F(EncryptionOperationsTest, EcdsaEncrypt) { 2250TEST_F(EncryptionOperationsTest, EcdsaEncrypt) {
2232 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 2251 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
2233 .Authorization(TAG_NO_AUTH_REQUIRED) 2252 .Authorization(TAG_NO_AUTH_REQUIRED)
2234 .EcdsaSigningKey(224) 2253 .EcdsaSigningKey(256)
2235 .Digest(Digest::NONE))); 2254 .Digest(Digest::NONE)));
2236 auto params = AuthorizationSetBuilder().Digest(Digest::NONE); 2255 auto params = AuthorizationSetBuilder().Digest(Digest::NONE);
2237 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params)); 2256 ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params));
@@ -2486,7 +2505,9 @@ TEST_F(EncryptionOperationsTest, AesIncremental) {
2486 for (size_t i = 0; i < message.size(); i += increment) { 2505 for (size_t i = 0; i < message.size(); i += increment) {
2487 to_send.append(message.substr(i, increment)); 2506 to_send.append(message.substr(i, increment));
2488 EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed)); 2507 EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed));
2508 EXPECT_EQ(to_send.length(), input_consumed);
2489 to_send = to_send.substr(input_consumed); 2509 to_send = to_send.substr(input_consumed);
2510 EXPECT_EQ(0U, to_send.length());
2490 2511
2491 switch (block_mode) { 2512 switch (block_mode) {
2492 case BlockMode::ECB: 2513 case BlockMode::ECB:
@@ -2802,6 +2823,8 @@ TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2802 ASSERT_EQ(ErrorCode::OK, 2823 ASSERT_EQ(ErrorCode::OK,
2803 Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext)); 2824 Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext));
2804 2825
2826 ASSERT_EQ(ciphertext.length(), message.length() + 16);
2827
2805 // Grab nonce 2828 // Grab nonce
2806 begin_params.push_back(begin_out_params); 2829 begin_params.push_back(begin_out_params);
2807 2830
@@ -2813,7 +2836,7 @@ TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) {
2813 &plaintext, &input_consumed)); 2836 &plaintext, &input_consumed));
2814 EXPECT_EQ(ciphertext.size(), input_consumed); 2837 EXPECT_EQ(ciphertext.size(), input_consumed);
2815 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext)); 2838 EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext));
2816 2839 EXPECT_EQ(message.length(), plaintext.length());
2817 EXPECT_EQ(message, plaintext); 2840 EXPECT_EQ(message, plaintext);
2818} 2841}
2819 2842
@@ -3700,6 +3723,8 @@ typedef KeymasterHidlTest MaxOperationsTest;
3700 * Verifies that the max uses per boot tag works correctly with AES keys. 3723 * Verifies that the max uses per boot tag works correctly with AES keys.
3701 */ 3724 */
3702TEST_F(MaxOperationsTest, TestLimitAes) { 3725TEST_F(MaxOperationsTest, TestLimitAes) {
3726 if (SecLevel() == SecurityLevel::STRONGBOX) return;
3727
3703 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3728 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3704 .Authorization(TAG_NO_AUTH_REQUIRED) 3729 .Authorization(TAG_NO_AUTH_REQUIRED)
3705 .AesEncryptionKey(128) 3730 .AesEncryptionKey(128)
@@ -3725,6 +3750,8 @@ TEST_F(MaxOperationsTest, TestLimitAes) {
3725 * Verifies that the max uses per boot tag works correctly with RSA keys. 3750 * Verifies that the max uses per boot tag works correctly with RSA keys.
3726 */ 3751 */
3727TEST_F(MaxOperationsTest, TestLimitRsa) { 3752TEST_F(MaxOperationsTest, TestLimitRsa) {
3753 if (SecLevel() == SecurityLevel::STRONGBOX) return;
3754
3728 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3755 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3729 .Authorization(TAG_NO_AUTH_REQUIRED) 3756 .Authorization(TAG_NO_AUTH_REQUIRED)
3730 .RsaSigningKey(1024, 65537) 3757 .RsaSigningKey(1024, 65537)