diff options
author | android-build-team Robot | 2018-06-18 18:34:41 -0500 |
---|---|---|
committer | android-build-team Robot | 2018-06-18 18:34:41 -0500 |
commit | 8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69 (patch) | |
tree | e2babb5396e6e6aa4c086f69f2c30ef92f7c5db2 | |
parent | 99f439b26692e1fc27932550fbf802a35430c8c6 (diff) | |
parent | 8a678bca72cd4ce498da57c33bb651862de7eceb (diff) | |
download | platform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.tar.gz platform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.tar.xz platform-hardware-interfaces-8bc26926ffe0c2b385b3c162f5aefd18b4ce9d69.zip |
Merge cherrypicks of [4368877, 4369031, 4369032, 4369033, 4369034, 4368878, 4369035, 4369036, 4369008] into pi-release
Change-Id: Ic608620596e708c1aa2b344833883e470877b7d5
-rw-r--r-- | keymaster/4.0/vts/functional/KeymasterHidlTest.cpp | 135 | ||||
-rw-r--r-- | keymaster/4.0/vts/functional/KeymasterHidlTest.h | 9 | ||||
-rw-r--r-- | keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp | 103 |
3 files changed, 203 insertions, 44 deletions
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp index e266a86e..c89abd90 100644 --- a/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp +++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp | |||
@@ -16,6 +16,9 @@ | |||
16 | 16 | ||
17 | #include "KeymasterHidlTest.h" | 17 | #include "KeymasterHidlTest.h" |
18 | 18 | ||
19 | #include <vector> | ||
20 | |||
21 | #include <android-base/logging.h> | ||
19 | #include <android/hidl/manager/1.0/IServiceManager.h> | 22 | #include <android/hidl/manager/1.0/IServiceManager.h> |
20 | 23 | ||
21 | #include <keymasterV4_0/key_param_output.h> | 24 | #include <keymasterV4_0/key_param_output.h> |
@@ -383,12 +386,18 @@ string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose ope | |||
383 | AuthorizationSet begin_out_params; | 386 | AuthorizationSet begin_out_params; |
384 | EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); | 387 | EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); |
385 | 388 | ||
389 | string output; | ||
390 | size_t consumed = 0; | ||
391 | AuthorizationSet update_params; | ||
392 | AuthorizationSet update_out_params; | ||
393 | EXPECT_EQ(ErrorCode::OK, | ||
394 | Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); | ||
395 | |||
386 | string unused; | 396 | string unused; |
387 | AuthorizationSet finish_params; | 397 | AuthorizationSet finish_params; |
388 | AuthorizationSet finish_out_params; | 398 | AuthorizationSet finish_out_params; |
389 | string output; | 399 | EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused, |
390 | EXPECT_EQ(ErrorCode::OK, | 400 | &finish_out_params, &output)); |
391 | Finish(op_handle_, finish_params, message, unused, &finish_out_params, &output)); | ||
392 | op_handle_ = kOpHandleSentinel; | 401 | op_handle_ = kOpHandleSentinel; |
393 | 402 | ||
394 | out_params->push_back(begin_out_params); | 403 | out_params->push_back(begin_out_params); |
@@ -480,12 +489,20 @@ void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& mes | |||
480 | ASSERT_EQ(ErrorCode::OK, | 489 | ASSERT_EQ(ErrorCode::OK, |
481 | Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); | 490 | Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); |
482 | 491 | ||
492 | string output; | ||
493 | AuthorizationSet update_params; | ||
494 | AuthorizationSet update_out_params; | ||
495 | size_t consumed; | ||
496 | ASSERT_EQ(ErrorCode::OK, | ||
497 | Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); | ||
498 | EXPECT_TRUE(output.empty()); | ||
499 | EXPECT_GT(consumed, 0U); | ||
500 | |||
483 | string unused; | 501 | string unused; |
484 | AuthorizationSet finish_params; | 502 | AuthorizationSet finish_params; |
485 | AuthorizationSet finish_out_params; | 503 | AuthorizationSet finish_out_params; |
486 | string output; | 504 | EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature, |
487 | EXPECT_EQ(ErrorCode::OK, | 505 | &finish_out_params, &output)); |
488 | Finish(op_handle_, finish_params, message, signature, &finish_out_params, &output)); | ||
489 | op_handle_ = kOpHandleSentinel; | 506 | op_handle_ = kOpHandleSentinel; |
490 | EXPECT_TRUE(output.empty()); | 507 | EXPECT_TRUE(output.empty()); |
491 | } | 508 | } |
@@ -585,6 +602,112 @@ std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_b | |||
585 | }); | 602 | }); |
586 | return retval; | 603 | return retval; |
587 | } | 604 | } |
605 | std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) { | ||
606 | switch (algorithm) { | ||
607 | case Algorithm::RSA: | ||
608 | switch (SecLevel()) { | ||
609 | case SecurityLevel::TRUSTED_ENVIRONMENT: | ||
610 | return {2048, 3072, 4096}; | ||
611 | case SecurityLevel::STRONGBOX: | ||
612 | return {2048}; | ||
613 | default: | ||
614 | CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); | ||
615 | break; | ||
616 | } | ||
617 | break; | ||
618 | case Algorithm::EC: | ||
619 | switch (SecLevel()) { | ||
620 | case SecurityLevel::TRUSTED_ENVIRONMENT: | ||
621 | return {224, 256, 384, 521}; | ||
622 | case SecurityLevel::STRONGBOX: | ||
623 | return {256}; | ||
624 | default: | ||
625 | CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); | ||
626 | break; | ||
627 | } | ||
628 | break; | ||
629 | case Algorithm::AES: | ||
630 | return {128, 256}; | ||
631 | case Algorithm::TRIPLE_DES: | ||
632 | return {168}; | ||
633 | case Algorithm::HMAC: { | ||
634 | std::vector<uint32_t> retval((512 - 64) / 8 + 1); | ||
635 | uint32_t size = 64 - 8; | ||
636 | std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); }); | ||
637 | return retval; | ||
638 | } | ||
639 | default: | ||
640 | CHECK(false) << "Invalid Algorithm: " << algorithm; | ||
641 | return {}; | ||
642 | } | ||
643 | CHECK(false) << "Should be impossible to get here"; | ||
644 | return {}; | ||
645 | } | ||
646 | std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) { | ||
647 | if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; | ||
648 | CHECK(SecLevel() == SecurityLevel::STRONGBOX); | ||
649 | switch (algorithm) { | ||
650 | case Algorithm::RSA: | ||
651 | return {3072, 4096}; | ||
652 | case Algorithm::EC: | ||
653 | return {224, 384, 521}; | ||
654 | default: | ||
655 | return {}; | ||
656 | } | ||
657 | } | ||
658 | |||
659 | std::vector<EcCurve> KeymasterHidlTest::ValidCurves() { | ||
660 | if (securityLevel_ == SecurityLevel::STRONGBOX) { | ||
661 | return {EcCurve::P_256}; | ||
662 | } else { | ||
663 | return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; | ||
664 | } | ||
665 | } | ||
666 | |||
667 | std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() { | ||
668 | if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; | ||
669 | CHECK(SecLevel() == SecurityLevel::STRONGBOX); | ||
670 | return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521}; | ||
671 | } | ||
672 | |||
673 | std::initializer_list<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) { | ||
674 | std::vector<Digest> result; | ||
675 | switch (SecLevel()) { | ||
676 | case SecurityLevel::TRUSTED_ENVIRONMENT: | ||
677 | if (withNone) { | ||
678 | if (withMD5) | ||
679 | return {Digest::NONE, Digest::MD5, Digest::SHA1, | ||
680 | Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, | ||
681 | Digest::SHA_2_512}; | ||
682 | else | ||
683 | return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224, | ||
684 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; | ||
685 | } else { | ||
686 | if (withMD5) | ||
687 | return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, | ||
688 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; | ||
689 | else | ||
690 | return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, | ||
691 | Digest::SHA_2_512}; | ||
692 | } | ||
693 | break; | ||
694 | case SecurityLevel::STRONGBOX: | ||
695 | if (withNone) | ||
696 | return {Digest::NONE, Digest::SHA_2_256}; | ||
697 | else | ||
698 | return {Digest::SHA_2_256}; | ||
699 | break; | ||
700 | default: | ||
701 | CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); | ||
702 | break; | ||
703 | } | ||
704 | CHECK(false) << "Should be impossible to get here"; | ||
705 | return {}; | ||
706 | } | ||
707 | |||
708 | std::vector<Digest> KeymasterHidlTest::InvalidDigests() { | ||
709 | return {}; | ||
710 | } | ||
588 | 711 | ||
589 | } // namespace test | 712 | } // namespace test |
590 | } // namespace V4_0 | 713 | } // namespace V4_0 |
diff --git a/keymaster/4.0/vts/functional/KeymasterHidlTest.h b/keymaster/4.0/vts/functional/KeymasterHidlTest.h index 36d3fc21..94beb21d 100644 --- a/keymaster/4.0/vts/functional/KeymasterHidlTest.h +++ b/keymaster/4.0/vts/functional/KeymasterHidlTest.h | |||
@@ -208,6 +208,15 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase { | |||
208 | static bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; } | 208 | static bool IsSecure() { return securityLevel_ != SecurityLevel::SOFTWARE; } |
209 | static SecurityLevel SecLevel() { return securityLevel_; } | 209 | static SecurityLevel SecLevel() { return securityLevel_; } |
210 | 210 | ||
211 | std::vector<uint32_t> ValidKeySizes(Algorithm algorithm); | ||
212 | std::vector<uint32_t> InvalidKeySizes(Algorithm algorithm); | ||
213 | |||
214 | std::vector<EcCurve> ValidCurves(); | ||
215 | std::vector<EcCurve> InvalidCurves(); | ||
216 | |||
217 | std::initializer_list<Digest> ValidDigests(bool withNone, bool withMD5); | ||
218 | std::vector<Digest> InvalidDigests(); | ||
219 | |||
211 | HidlBuf key_blob_; | 220 | HidlBuf key_blob_; |
212 | KeyCharacteristics key_characteristics_; | 221 | KeyCharacteristics key_characteristics_; |
213 | OperationHandle op_handle_ = kOpHandleSentinel; | 222 | OperationHandle op_handle_ = kOpHandleSentinel; |
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index bc33b2bf..854c7168 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp | |||
@@ -375,7 +375,7 @@ class NewKeyGenerationTest : public KeymasterHidlTest { | |||
375 | * correct characteristics. | 375 | * correct characteristics. |
376 | */ | 376 | */ |
377 | TEST_F(NewKeyGenerationTest, Rsa) { | 377 | TEST_F(NewKeyGenerationTest, Rsa) { |
378 | for (uint32_t key_size : {1024, 2048, 3072, 4096}) { | 378 | for (auto key_size : ValidKeySizes(Algorithm::RSA)) { |
379 | HidlBuf key_blob; | 379 | HidlBuf key_blob; |
380 | KeyCharacteristics key_characteristics; | 380 | KeyCharacteristics key_characteristics; |
381 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 381 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
@@ -405,6 +405,23 @@ TEST_F(NewKeyGenerationTest, Rsa) { | |||
405 | } | 405 | } |
406 | 406 | ||
407 | /* | 407 | /* |
408 | * NewKeyGenerationTest.NoInvalidRsaSizes | ||
409 | * | ||
410 | * Verifies that keymaster cannot generate any RSA key sizes that are designated as invalid. | ||
411 | */ | ||
412 | TEST_F(NewKeyGenerationTest, NoInvalidRsaSizes) { | ||
413 | for (auto key_size : InvalidKeySizes(Algorithm::RSA)) { | ||
414 | HidlBuf key_blob; | ||
415 | KeyCharacteristics key_characteristics; | ||
416 | ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, GenerateKey(AuthorizationSetBuilder() | ||
417 | .RsaSigningKey(key_size, 3) | ||
418 | .Digest(Digest::NONE) | ||
419 | .Padding(PaddingMode::NONE), | ||
420 | &key_blob, &key_characteristics)); | ||
421 | } | ||
422 | } | ||
423 | |||
424 | /* | ||
408 | * NewKeyGenerationTest.RsaNoDefaultSize | 425 | * NewKeyGenerationTest.RsaNoDefaultSize |
409 | * | 426 | * |
410 | * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE. | 427 | * Verifies that failing to specify a key size for RSA key generation returns UNSUPPORTED_KEY_SIZE. |
@@ -424,7 +441,7 @@ TEST_F(NewKeyGenerationTest, RsaNoDefaultSize) { | |||
424 | * correct characteristics. | 441 | * correct characteristics. |
425 | */ | 442 | */ |
426 | TEST_F(NewKeyGenerationTest, Ecdsa) { | 443 | TEST_F(NewKeyGenerationTest, Ecdsa) { |
427 | for (uint32_t key_size : {224, 256, 384, 521}) { | 444 | for (auto key_size : ValidKeySizes(Algorithm::EC)) { |
428 | HidlBuf key_blob; | 445 | HidlBuf key_blob; |
429 | KeyCharacteristics key_characteristics; | 446 | KeyCharacteristics key_characteristics; |
430 | ASSERT_EQ( | 447 | ASSERT_EQ( |
@@ -466,10 +483,18 @@ TEST_F(NewKeyGenerationTest, EcdsaDefaultSize) { | |||
466 | /* | 483 | /* |
467 | * NewKeyGenerationTest.EcdsaInvalidSize | 484 | * NewKeyGenerationTest.EcdsaInvalidSize |
468 | * | 485 | * |
469 | * Verifies that failing to specify an invalid key size for EC key generation returns | 486 | * Verifies that specifying an invalid key size for EC key generation returns UNSUPPORTED_KEY_SIZE. |
470 | * UNSUPPORTED_KEY_SIZE. | ||
471 | */ | 487 | */ |
472 | TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) { | 488 | TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) { |
489 | for (auto key_size : InvalidKeySizes(Algorithm::EC)) { | ||
490 | HidlBuf key_blob; | ||
491 | KeyCharacteristics key_characteristics; | ||
492 | ASSERT_EQ( | ||
493 | ErrorCode::UNSUPPORTED_KEY_SIZE, | ||
494 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(key_size).Digest(Digest::NONE), | ||
495 | &key_blob, &key_characteristics)); | ||
496 | } | ||
497 | |||
473 | ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, | 498 | ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE, |
474 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE))); | 499 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(190).Digest(Digest::NONE))); |
475 | } | 500 | } |
@@ -481,6 +506,8 @@ TEST_F(NewKeyGenerationTest, EcdsaInvalidSize) { | |||
481 | * INVALID_ARGUMENT. | 506 | * INVALID_ARGUMENT. |
482 | */ | 507 | */ |
483 | TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) { | 508 | TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) { |
509 | if (SecLevel() == SecurityLevel::STRONGBOX) return; | ||
510 | |||
484 | ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, | 511 | ASSERT_EQ(ErrorCode::INVALID_ARGUMENT, |
485 | GenerateKey(AuthorizationSetBuilder() | 512 | GenerateKey(AuthorizationSetBuilder() |
486 | .EcdsaSigningKey(224) | 513 | .EcdsaSigningKey(224) |
@@ -494,7 +521,7 @@ TEST_F(NewKeyGenerationTest, EcdsaMismatchKeySize) { | |||
494 | * Verifies that keymaster supports all required EC key sizes. | 521 | * Verifies that keymaster supports all required EC key sizes. |
495 | */ | 522 | */ |
496 | TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) { | 523 | TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) { |
497 | size_t valid_sizes[] = {224, 256, 384, 521}; | 524 | auto valid_sizes = ValidKeySizes(Algorithm::EC); |
498 | for (size_t size : valid_sizes) { | 525 | for (size_t size : valid_sizes) { |
499 | EXPECT_EQ(ErrorCode::OK, | 526 | EXPECT_EQ(ErrorCode::OK, |
500 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE))) | 527 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(size).Digest(Digest::NONE))) |
@@ -505,13 +532,12 @@ TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) { | |||
505 | } | 532 | } |
506 | 533 | ||
507 | /* | 534 | /* |
508 | * NewKeyGenerationTest.EcdsaAllValidCurves | 535 | * NewKeyGenerationTest.EcdsaInvalidCurves |
509 | * | 536 | * |
510 | * Verifies that keymaster supports all required EC curves. | 537 | * Verifies that keymaster does not support any curve designated as unsupported. |
511 | */ | 538 | */ |
512 | TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) { | 539 | TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) { |
513 | V4_0::EcCurve curves[] = {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; | 540 | for (auto curve : ValidCurves()) { |
514 | for (V4_0::EcCurve curve : curves) { | ||
515 | EXPECT_EQ( | 541 | EXPECT_EQ( |
516 | ErrorCode::OK, | 542 | ErrorCode::OK, |
517 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512))) | 543 | GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512))) |
@@ -528,8 +554,7 @@ TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) { | |||
528 | * characteristics. | 554 | * characteristics. |
529 | */ | 555 | */ |
530 | TEST_F(NewKeyGenerationTest, Hmac) { | 556 | TEST_F(NewKeyGenerationTest, Hmac) { |
531 | for (auto digest : {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, | 557 | for (auto digest : ValidDigests(false /* withNone */, true /* withMD5 */)) { |
532 | Digest::SHA_2_384, Digest::SHA_2_512}) { | ||
533 | HidlBuf key_blob; | 558 | HidlBuf key_blob; |
534 | KeyCharacteristics key_characteristics; | 559 | KeyCharacteristics key_characteristics; |
535 | constexpr size_t key_size = 128; | 560 | constexpr size_t key_size = 128; |
@@ -630,6 +655,8 @@ TEST_F(NewKeyGenerationTest, HmacCheckMinMacLengths) { | |||
630 | * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms. | 655 | * Verifies that keymaster rejects HMAC key generation with multiple specified digest algorithms. |
631 | */ | 656 | */ |
632 | TEST_F(NewKeyGenerationTest, HmacMultipleDigests) { | 657 | TEST_F(NewKeyGenerationTest, HmacMultipleDigests) { |
658 | if (SecLevel() == SecurityLevel::STRONGBOX) return; | ||
659 | |||
633 | ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, | 660 | ASSERT_EQ(ErrorCode::UNSUPPORTED_DIGEST, |
634 | GenerateKey(AuthorizationSetBuilder() | 661 | GenerateKey(AuthorizationSetBuilder() |
635 | .HmacKey(128) | 662 | .HmacKey(128) |
@@ -664,7 +691,7 @@ typedef KeymasterHidlTest SigningOperationsTest; | |||
664 | */ | 691 | */ |
665 | TEST_F(SigningOperationsTest, RsaSuccess) { | 692 | TEST_F(SigningOperationsTest, RsaSuccess) { |
666 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 693 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
667 | .RsaSigningKey(1024, 65537) | 694 | .RsaSigningKey(2048, 65537) |
668 | .Digest(Digest::NONE) | 695 | .Digest(Digest::NONE) |
669 | .Padding(PaddingMode::NONE) | 696 | .Padding(PaddingMode::NONE) |
670 | .Authorization(TAG_NO_AUTH_REQUIRED))); | 697 | .Authorization(TAG_NO_AUTH_REQUIRED))); |
@@ -680,7 +707,7 @@ TEST_F(SigningOperationsTest, RsaSuccess) { | |||
680 | */ | 707 | */ |
681 | TEST_F(SigningOperationsTest, RsaPssSha256Success) { | 708 | TEST_F(SigningOperationsTest, RsaPssSha256Success) { |
682 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 709 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
683 | .RsaSigningKey(1024, 65537) | 710 | .RsaSigningKey(2048, 65537) |
684 | .Digest(Digest::SHA_2_256) | 711 | .Digest(Digest::SHA_2_256) |
685 | .Padding(PaddingMode::RSA_PSS) | 712 | .Padding(PaddingMode::RSA_PSS) |
686 | .Authorization(TAG_NO_AUTH_REQUIRED))); | 713 | .Authorization(TAG_NO_AUTH_REQUIRED))); |
@@ -698,7 +725,7 @@ TEST_F(SigningOperationsTest, RsaPssSha256Success) { | |||
698 | */ | 725 | */ |
699 | TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { | 726 | TEST_F(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) { |
700 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 727 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
701 | .RsaSigningKey(1024, 65537) | 728 | .RsaSigningKey(2048, 65537) |
702 | .Digest(Digest::NONE) | 729 | .Digest(Digest::NONE) |
703 | .Authorization(TAG_NO_AUTH_REQUIRED) | 730 | .Authorization(TAG_NO_AUTH_REQUIRED) |
704 | .Padding(PaddingMode::NONE))); | 731 | .Padding(PaddingMode::NONE))); |
@@ -993,11 +1020,8 @@ TEST_F(SigningOperationsTest, RsaSignTooLargeMessage) { | |||
993 | * Verifies that ECDSA operations succeed with all possible key sizes and hashes. | 1020 | * Verifies that ECDSA operations succeed with all possible key sizes and hashes. |
994 | */ | 1021 | */ |
995 | TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) { | 1022 | TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) { |
996 | for (auto key_size : {224, 256, 384, 521}) { | 1023 | for (auto key_size : ValidKeySizes(Algorithm::EC)) { |
997 | for (auto digest : { | 1024 | for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) { |
998 | Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, | ||
999 | Digest::SHA_2_512, | ||
1000 | }) { | ||
1001 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() | 1025 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() |
1002 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1026 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1003 | .EcdsaSigningKey(key_size) | 1027 | .EcdsaSigningKey(key_size) |
@@ -1020,7 +1044,7 @@ TEST_F(SigningOperationsTest, EcdsaAllSizesAndHashes) { | |||
1020 | * Verifies that ECDSA operations succeed with all possible curves. | 1044 | * Verifies that ECDSA operations succeed with all possible curves. |
1021 | */ | 1045 | */ |
1022 | TEST_F(SigningOperationsTest, EcdsaAllCurves) { | 1046 | TEST_F(SigningOperationsTest, EcdsaAllCurves) { |
1023 | for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { | 1047 | for (auto curve : ValidCurves()) { |
1024 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() | 1048 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() |
1025 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1049 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1026 | .EcdsaSigningKey(curve) | 1050 | .EcdsaSigningKey(curve) |
@@ -1075,8 +1099,7 @@ TEST_F(SigningOperationsTest, AesEcbSign) { | |||
1075 | * Verifies that HMAC works with all digests. | 1099 | * Verifies that HMAC works with all digests. |
1076 | */ | 1100 | */ |
1077 | TEST_F(SigningOperationsTest, HmacAllDigests) { | 1101 | TEST_F(SigningOperationsTest, HmacAllDigests) { |
1078 | for (auto digest : {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, | 1102 | for (auto digest : ValidDigests(false /* withNone */, false /* withMD5 */)) { |
1079 | Digest::SHA_2_512}) { | ||
1080 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 1103 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
1081 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1104 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1082 | .HmacKey(128) | 1105 | .HmacKey(128) |
@@ -1307,15 +1330,15 @@ TEST_F(VerificationOperationsTest, RsaSuccess) { | |||
1307 | * Verifies RSA signature/verification for all padding modes and digests. | 1330 | * Verifies RSA signature/verification for all padding modes and digests. |
1308 | */ | 1331 | */ |
1309 | TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { | 1332 | TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { |
1310 | ASSERT_EQ(ErrorCode::OK, | 1333 | auto authorizations = AuthorizationSetBuilder() |
1311 | GenerateKey(AuthorizationSetBuilder() | ||
1312 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1334 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1313 | .RsaSigningKey(2048, 65537) | 1335 | .RsaSigningKey(2048, 65537) |
1314 | .Digest(Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, | 1336 | .Digest(ValidDigests(true /* withNone */, true /* withMD5 */)) |
1315 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512) | ||
1316 | .Padding(PaddingMode::NONE) | 1337 | .Padding(PaddingMode::NONE) |
1317 | .Padding(PaddingMode::RSA_PSS) | 1338 | .Padding(PaddingMode::RSA_PSS) |
1318 | .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN))); | 1339 | .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN); |
1340 | |||
1341 | ASSERT_EQ(ErrorCode::OK, GenerateKey(authorizations)); | ||
1319 | 1342 | ||
1320 | string message(128, 'a'); | 1343 | string message(128, 'a'); |
1321 | string corrupt_message(message); | 1344 | string corrupt_message(message); |
@@ -1323,8 +1346,7 @@ TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { | |||
1323 | 1346 | ||
1324 | for (auto padding : | 1347 | for (auto padding : |
1325 | {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) { | 1348 | {PaddingMode::NONE, PaddingMode::RSA_PSS, PaddingMode::RSA_PKCS1_1_5_SIGN}) { |
1326 | for (auto digest : {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, | 1349 | for (auto digest : ValidDigests(true /* withNone */, true /* withMD5 */)) { |
1327 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}) { | ||
1328 | if (padding == PaddingMode::NONE && digest != Digest::NONE) { | 1350 | if (padding == PaddingMode::NONE && digest != Digest::NONE) { |
1329 | // Digesting only makes sense with padding. | 1351 | // Digesting only makes sense with padding. |
1330 | continue; | 1352 | continue; |
@@ -1402,14 +1424,11 @@ TEST_F(VerificationOperationsTest, RsaAllPaddingsAndDigests) { | |||
1402 | * Verifies ECDSA signature/verification for all digests and curves. | 1424 | * Verifies ECDSA signature/verification for all digests and curves. |
1403 | */ | 1425 | */ |
1404 | TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) { | 1426 | TEST_F(VerificationOperationsTest, EcdsaAllDigestsAndCurves) { |
1405 | auto digests = { | 1427 | auto digests = ValidDigests(true /* withNone */, false /* withMD5 */); |
1406 | Digest::NONE, Digest::SHA1, Digest::SHA_2_224, | ||
1407 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512, | ||
1408 | }; | ||
1409 | 1428 | ||
1410 | string message = "1234567890"; | 1429 | string message = "1234567890"; |
1411 | string corrupt_message = "2234567890"; | 1430 | string corrupt_message = "2234567890"; |
1412 | for (auto curve : {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}) { | 1431 | for (auto curve : ValidCurves()) { |
1413 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() | 1432 | ErrorCode error = GenerateKey(AuthorizationSetBuilder() |
1414 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1433 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1415 | .EcdsaSigningKey(curve) | 1434 | .EcdsaSigningKey(curve) |
@@ -1721,6 +1740,7 @@ TEST_F(ImportKeyTest, EcdsaSuccess) { | |||
1721 | * Verifies that importing and using an ECDSA P-521 key pair works correctly. | 1740 | * Verifies that importing and using an ECDSA P-521 key pair works correctly. |
1722 | */ | 1741 | */ |
1723 | TEST_F(ImportKeyTest, Ecdsa521Success) { | 1742 | TEST_F(ImportKeyTest, Ecdsa521Success) { |
1743 | if (SecLevel() == SecurityLevel::STRONGBOX) return; | ||
1724 | ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() | 1744 | ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() |
1725 | .Authorization(TAG_NO_AUTH_REQUIRED) | 1745 | .Authorization(TAG_NO_AUTH_REQUIRED) |
1726 | .EcdsaSigningKey(521) | 1746 | .EcdsaSigningKey(521) |
@@ -2053,8 +2073,7 @@ TEST_F(EncryptionOperationsTest, RsaNoPaddingTooLarge) { | |||
2053 | * Verifies that RSA-OAEP encryption operations work, with all digests. | 2073 | * Verifies that RSA-OAEP encryption operations work, with all digests. |
2054 | */ | 2074 | */ |
2055 | TEST_F(EncryptionOperationsTest, RsaOaepSuccess) { | 2075 | TEST_F(EncryptionOperationsTest, RsaOaepSuccess) { |
2056 | auto digests = {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, | 2076 | auto digests = ValidDigests(false /* withNone */, true /* withMD5 */); |
2057 | Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; | ||
2058 | 2077 | ||
2059 | size_t key_size = 2048; // Need largish key for SHA-512 test. | 2078 | size_t key_size = 2048; // Need largish key for SHA-512 test. |
2060 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 2079 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
@@ -2231,7 +2250,7 @@ TEST_F(EncryptionOperationsTest, RsaPkcs1TooLarge) { | |||
2231 | TEST_F(EncryptionOperationsTest, EcdsaEncrypt) { | 2250 | TEST_F(EncryptionOperationsTest, EcdsaEncrypt) { |
2232 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 2251 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
2233 | .Authorization(TAG_NO_AUTH_REQUIRED) | 2252 | .Authorization(TAG_NO_AUTH_REQUIRED) |
2234 | .EcdsaSigningKey(224) | 2253 | .EcdsaSigningKey(256) |
2235 | .Digest(Digest::NONE))); | 2254 | .Digest(Digest::NONE))); |
2236 | auto params = AuthorizationSetBuilder().Digest(Digest::NONE); | 2255 | auto params = AuthorizationSetBuilder().Digest(Digest::NONE); |
2237 | ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params)); | 2256 | ASSERT_EQ(ErrorCode::UNSUPPORTED_PURPOSE, Begin(KeyPurpose::ENCRYPT, params)); |
@@ -2486,7 +2505,9 @@ TEST_F(EncryptionOperationsTest, AesIncremental) { | |||
2486 | for (size_t i = 0; i < message.size(); i += increment) { | 2505 | for (size_t i = 0; i < message.size(); i += increment) { |
2487 | to_send.append(message.substr(i, increment)); | 2506 | to_send.append(message.substr(i, increment)); |
2488 | EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed)); | 2507 | EXPECT_EQ(ErrorCode::OK, Update(to_send, &ciphertext, &input_consumed)); |
2508 | EXPECT_EQ(to_send.length(), input_consumed); | ||
2489 | to_send = to_send.substr(input_consumed); | 2509 | to_send = to_send.substr(input_consumed); |
2510 | EXPECT_EQ(0U, to_send.length()); | ||
2490 | 2511 | ||
2491 | switch (block_mode) { | 2512 | switch (block_mode) { |
2492 | case BlockMode::ECB: | 2513 | case BlockMode::ECB: |
@@ -2802,6 +2823,8 @@ TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) { | |||
2802 | ASSERT_EQ(ErrorCode::OK, | 2823 | ASSERT_EQ(ErrorCode::OK, |
2803 | Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext)); | 2824 | Finish(op_handle_, update_params, message, "", &update_out_params, &ciphertext)); |
2804 | 2825 | ||
2826 | ASSERT_EQ(ciphertext.length(), message.length() + 16); | ||
2827 | |||
2805 | // Grab nonce | 2828 | // Grab nonce |
2806 | begin_params.push_back(begin_out_params); | 2829 | begin_params.push_back(begin_out_params); |
2807 | 2830 | ||
@@ -2813,7 +2836,7 @@ TEST_F(EncryptionOperationsTest, AesGcmRoundTripSuccess) { | |||
2813 | &plaintext, &input_consumed)); | 2836 | &plaintext, &input_consumed)); |
2814 | EXPECT_EQ(ciphertext.size(), input_consumed); | 2837 | EXPECT_EQ(ciphertext.size(), input_consumed); |
2815 | EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext)); | 2838 | EXPECT_EQ(ErrorCode::OK, Finish("", &plaintext)); |
2816 | 2839 | EXPECT_EQ(message.length(), plaintext.length()); | |
2817 | EXPECT_EQ(message, plaintext); | 2840 | EXPECT_EQ(message, plaintext); |
2818 | } | 2841 | } |
2819 | 2842 | ||
@@ -3700,6 +3723,8 @@ typedef KeymasterHidlTest MaxOperationsTest; | |||
3700 | * Verifies that the max uses per boot tag works correctly with AES keys. | 3723 | * Verifies that the max uses per boot tag works correctly with AES keys. |
3701 | */ | 3724 | */ |
3702 | TEST_F(MaxOperationsTest, TestLimitAes) { | 3725 | TEST_F(MaxOperationsTest, TestLimitAes) { |
3726 | if (SecLevel() == SecurityLevel::STRONGBOX) return; | ||
3727 | |||
3703 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 3728 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
3704 | .Authorization(TAG_NO_AUTH_REQUIRED) | 3729 | .Authorization(TAG_NO_AUTH_REQUIRED) |
3705 | .AesEncryptionKey(128) | 3730 | .AesEncryptionKey(128) |
@@ -3725,6 +3750,8 @@ TEST_F(MaxOperationsTest, TestLimitAes) { | |||
3725 | * Verifies that the max uses per boot tag works correctly with RSA keys. | 3750 | * Verifies that the max uses per boot tag works correctly with RSA keys. |
3726 | */ | 3751 | */ |
3727 | TEST_F(MaxOperationsTest, TestLimitRsa) { | 3752 | TEST_F(MaxOperationsTest, TestLimitRsa) { |
3753 | if (SecLevel() == SecurityLevel::STRONGBOX) return; | ||
3754 | |||
3728 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() | 3755 | ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() |
3729 | .Authorization(TAG_NO_AUTH_REQUIRED) | 3756 | .Authorization(TAG_NO_AUTH_REQUIRED) |
3730 | .RsaSigningKey(1024, 65537) | 3757 | .RsaSigningKey(1024, 65537) |