Diffstat (limited to 'keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp')
-rw-r--r-- | keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp | 47 |
1 files changed, 30 insertions, 17 deletions
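diff --git a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
index e7b222a1..6abd9bf2 100644
--- a/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -898,13 +898,20 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase {
 }
 }
 
-void CheckOrigin() {
+void CheckOrigin(bool asymmetric = false) {
 SCOPED_TRACE("CheckOrigin");
 if (is_secure_ && supports_symmetric_) {
 EXPECT_TRUE(
 contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
 } else if (is_secure_) {
-EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+// wrapped KM0
+if (asymmetric) {
+EXPECT_TRUE(
+contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
+} else {
+EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
+KeyOrigin::IMPORTED));
+}
 } else {
 EXPECT_TRUE(
 contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
@@ -993,8 +1000,8 @@ bool verify_attestation_record(const string& challenge, const string& app_id,
 HidlBuf(app_id));
 
 if (!KeymasterHidlTest::IsSecure()) {
-// SW is KM2
-EXPECT_EQ(att_keymaster_version, 2U);
+// SW is KM3
+EXPECT_EQ(att_keymaster_version, 3U);
 }
 
 if (KeymasterHidlTest::SupportsSymmetric()) {
@@ -1059,13 +1066,17 @@ TEST_F(KeymasterVersionTest, SensibleFeatures) {
 
 class NewKeyGenerationTest : public KeymasterHidlTest {
 protected:
-void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
+void CheckBaseParams(const KeyCharacteristics& keyCharacteristics, bool asymmetric = false) {
 // TODO(swillden): Distinguish which params should be in which auth list.
 
 AuthorizationSet auths(keyCharacteristics.teeEnforced);
 auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));
 
-EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+if (!SupportsSymmetric() && asymmetric) {
+EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::UNKNOWN));
+} else {
+EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
+}
 
 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
 EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
@@ -1114,7 +1125,7 @@ TEST_F(NewKeyGenerationTest, Rsa) {
 &key_blob, &key_characteristics));
 
 ASSERT_GT(key_blob.size(), 0U);
-CheckBaseParams(key_characteristics);
+CheckBaseParams(key_characteristics, true /* asymmetric */);
 
 AuthorizationSet crypto_params;
 if (IsSecure()) {
@@ -1160,7 +1171,7 @@ TEST_F(NewKeyGenerationTest, Ecdsa) {
 .Authorizations(UserAuths()),
 &key_blob, &key_characteristics));
 ASSERT_GT(key_blob.size(), 0U);
-CheckBaseParams(key_characteristics);
+CheckBaseParams(key_characteristics, true /* asymmetric */);
 
 AuthorizationSet crypto_params;
 if (IsSecure()) {
@@ -1565,7 +1576,9 @@ TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) {
 .Digest(Digest::NONE)
 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
 string result;
-EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
+ErrorCode finish_error_code = Finish(message, &result);
+EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
+finish_error_code == ErrorCode::INVALID_ARGUMENT);
 
 // Very large message that should exceed the transfer buffer size of any reasonable TEE.
 message = string(128 * 1024, 'a');
@@ -1573,7 +1586,9 @@ TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) {
 Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
 .Digest(Digest::NONE)
 .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
-EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
+finish_error_code = Finish(message, &result);
+EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
+finish_error_code == ErrorCode::INVALID_ARGUMENT);
 }
 
 /*
@@ -2279,8 +2294,7 @@ TEST_F(ExportKeyTest, RsaUnsupportedKeyFormat) {
 * Verifies that attempting to export RSA keys from corrupted key blobs fails. This is essentially
 * a poor-man's key blob fuzzer.
 */
-// Disabled due to b/33385206
-TEST_F(ExportKeyTest, DISABLED_RsaCorruptedKeyBlob) {
+TEST_F(ExportKeyTest, RsaCorruptedKeyBlob) {
 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
 .Authorization(TAG_NO_AUTH_REQUIRED)
 .RsaSigningKey(1024, 3)
@@ -2303,8 +2317,7 @@ TEST_F(ExportKeyTest, DISABLED_RsaCorruptedKeyBlob) {
 * Verifies that attempting to export ECDSA keys from corrupted key blobs fails. This is
 * essentially a poor-man's key blob fuzzer.
 */
-// Disabled due to b/33385206
-TEST_F(ExportKeyTest, DISABLED_EcCorruptedKeyBlob) {
+TEST_F(ExportKeyTest, EcCorruptedKeyBlob) {
 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
 .Authorization(TAG_NO_AUTH_REQUIRED)
 .EcdsaSigningKey(EcCurve::P_256)
@@ -2357,7 +2370,7 @@ TEST_F(ImportKeyTest, RsaSuccess) {
 CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
-CheckOrigin();
+CheckOrigin(true /* asymmetric */);
 
 string message(1024 / 8, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
@@ -2413,7 +2426,7 @@ TEST_F(ImportKeyTest, EcdsaSuccess) {
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);
 
-CheckOrigin();
+CheckOrigin(true /* asymmetric */);
 
 string message(32, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
@@ -2439,7 +2452,7 @@ TEST_F(ImportKeyTest, Ecdsa521Success) {
 CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
 CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);
 
-CheckOrigin();
+CheckOrigin(true /* asymmetric */);
 
 string message(32, 'a');
 auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);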
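Review bot: In CheckBaseParams the relaxed UNKNOWN-origin expectation is gated only on `!SupportsSymmetric() && asymmetric`, whereas CheckOrigin reaches its UNKNOWN case only under `is_secure_`, so the two helpers disagree for an implementation that is not secure and reports no symmetric support (if that configuration can occur). In that case a generated RSA/EC key reporting UNKNOWN instead of GENERATED would pass, which weakens the one check that says where the key came from. Consider `if (IsSecure() && !SupportsSymmetric() && asymmetric) {` so the relaxation is limited to the wrapped-KM0 case that the new comment in CheckOrigin names. Since `auths` merges teeEnforced and softwareEnforced, the check also does not pin which list carries TAG_ORIGIN, as the existing TODO already notes. Both helper bodies continue outside their hunks.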