/* * Copyright (C) 2017 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "KeymasterHidlTest.h" #include <chrono> #include <vector> #include <android-base/logging.h> #include <android/hidl/manager/1.0/IServiceManager.h> #include <keymasterV4_0/key_param_output.h> namespace android { namespace hardware { namespace keymaster { namespace V4_0 { ::std::ostream& operator<<(::std::ostream& os, const AuthorizationSet& set) { if (set.size() == 0) os << "(Empty)" << ::std::endl; else { os << "\n"; for (size_t i = 0; i < set.size(); ++i) os << set[i] << ::std::endl; } return os; } namespace test { sp<IKeymasterDevice> KeymasterHidlTest::keymaster_; std::vector<sp<IKeymasterDevice>> KeymasterHidlTest::all_keymasters_; uint32_t KeymasterHidlTest::os_version_; uint32_t KeymasterHidlTest::os_patch_level_; SecurityLevel KeymasterHidlTest::securityLevel_; hidl_string KeymasterHidlTest::name_; hidl_string KeymasterHidlTest::author_; void KeymasterHidlTest::SetUpTestCase() { string service_name = KeymasterHidlEnvironment::Instance()->getServiceName<IKeymasterDevice>(); keymaster_ = ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(service_name); ASSERT_NE(keymaster_, nullptr); ASSERT_TRUE(keymaster_ ->getHardwareInfo([&](SecurityLevel securityLevel, const hidl_string& name, const hidl_string& author) { securityLevel_ = securityLevel; name_ = name; author_ = author; }) .isOk()); os_version_ = ::keymaster::GetOsVersion(); os_patch_level_ = ::keymaster::GetOsPatchlevel(); auto service_manager = android::hidl::manager::V1_0::IServiceManager::getService(); ASSERT_NE(nullptr, service_manager.get()); all_keymasters_.push_back(keymaster_); service_manager->listByInterface( IKeymasterDevice::descriptor, [&](const hidl_vec<hidl_string>& names) { for (auto& name : names) { if (name == service_name) continue; auto keymaster = ::testing::VtsHalHidlTargetTestBase::getService<IKeymasterDevice>(name); ASSERT_NE(keymaster, nullptr); all_keymasters_.push_back(keymaster); } }); } ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc, HidlBuf* key_blob, KeyCharacteristics* key_characteristics) { EXPECT_NE(key_blob, nullptr) << "Key blob pointer must not be null. Test bug"; EXPECT_EQ(0U, key_blob->size()) << "Key blob not empty before generating key. Test bug."; EXPECT_NE(key_characteristics, nullptr) << "Previous characteristics not deleted before generating key. Test bug."; ErrorCode error; EXPECT_TRUE(keymaster_ ->generateKey(key_desc.hidl_data(), [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, const KeyCharacteristics& hidl_key_characteristics) { error = hidl_error; *key_blob = hidl_key_blob; *key_characteristics = hidl_key_characteristics; }) .isOk()); // On error, blob & characteristics should be empty. if (error != ErrorCode::OK) { EXPECT_EQ(0U, key_blob->size()); EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + key_characteristics->hardwareEnforced.size())); } return error; } ErrorCode KeymasterHidlTest::GenerateKey(const AuthorizationSet& key_desc) { return GenerateKey(key_desc, &key_blob_, &key_characteristics_); } ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, HidlBuf* key_blob, KeyCharacteristics* key_characteristics) { ErrorCode error; EXPECT_TRUE(keymaster_ ->importKey(key_desc.hidl_data(), format, HidlBuf(key_material), [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, const KeyCharacteristics& hidl_key_characteristics) { error = hidl_error; *key_blob = hidl_key_blob; *key_characteristics = hidl_key_characteristics; }) .isOk()); // On error, blob & characteristics should be empty. if (error != ErrorCode::OK) { EXPECT_EQ(0U, key_blob->size()); EXPECT_EQ(0U, (key_characteristics->softwareEnforced.size() + key_characteristics->hardwareEnforced.size())); } return error; } ErrorCode KeymasterHidlTest::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material) { return ImportKey(key_desc, format, key_material, &key_blob_, &key_characteristics_); } ErrorCode KeymasterHidlTest::ImportWrappedKey(string wrapped_key, string wrapping_key, const AuthorizationSet& wrapping_key_desc, string masking_key, const AuthorizationSet& unwrapping_params) { ErrorCode error; ImportKey(wrapping_key_desc, KeyFormat::PKCS8, wrapping_key); EXPECT_TRUE(keymaster_ ->importWrappedKey(HidlBuf(wrapped_key), key_blob_, HidlBuf(masking_key), unwrapping_params.hidl_data(), 0 /* passwordSid */, 0 /* biometricSid */, [&](ErrorCode hidl_error, const HidlBuf& hidl_key_blob, const KeyCharacteristics& hidl_key_characteristics) { error = hidl_error; key_blob_ = hidl_key_blob; key_characteristics_ = hidl_key_characteristics; }) .isOk()); return error; } ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, const HidlBuf& key_blob, const HidlBuf& client_id, const HidlBuf& app_data, HidlBuf* key_material) { ErrorCode error; EXPECT_TRUE(keymaster_ ->exportKey(format, key_blob, client_id, app_data, [&](ErrorCode hidl_error_code, const HidlBuf& hidl_key_material) { error = hidl_error_code; *key_material = hidl_key_material; }) .isOk()); // On error, blob should be empty. if (error != ErrorCode::OK) { EXPECT_EQ(0U, key_material->size()); } return error; } ErrorCode KeymasterHidlTest::ExportKey(KeyFormat format, HidlBuf* key_material) { HidlBuf client_id, app_data; return ExportKey(format, key_blob_, client_id, app_data, key_material); } ErrorCode KeymasterHidlTest::DeleteKey(HidlBuf* key_blob, bool keep_key_blob) { auto rc = keymaster_->deleteKey(*key_blob); if (!keep_key_blob) *key_blob = HidlBuf(); if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR; return rc; } ErrorCode KeymasterHidlTest::DeleteKey(bool keep_key_blob) { return DeleteKey(&key_blob_, keep_key_blob); } ErrorCode KeymasterHidlTest::DeleteAllKeys() { ErrorCode error = keymaster_->deleteAllKeys(); return error; } void KeymasterHidlTest::CheckedDeleteKey(HidlBuf* key_blob, bool keep_key_blob) { auto rc = DeleteKey(key_blob, keep_key_blob); EXPECT_TRUE(rc == ErrorCode::OK || rc == ErrorCode::UNIMPLEMENTED); } void KeymasterHidlTest::CheckedDeleteKey() { CheckedDeleteKey(&key_blob_); } void KeymasterHidlTest::CheckCreationDateTime( const AuthorizationSet& sw_enforced, std::chrono::time_point<std::chrono::system_clock> creation) { for (int i = 0; i < sw_enforced.size(); i++) { if (sw_enforced[i].tag == TAG_CREATION_DATETIME) { std::chrono::time_point<std::chrono::system_clock> now = std::chrono::system_clock::now(); std::chrono::time_point<std::chrono::system_clock> reported_time{ std::chrono::milliseconds(sw_enforced[i].f.dateTime)}; // The test is flaky for EC keys, so a buffer time of 120 seconds will be added. EXPECT_LE(creation - 120s, reported_time); EXPECT_LE(reported_time, now + 1s); } } } void KeymasterHidlTest::CheckGetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id, const HidlBuf& app_data, KeyCharacteristics* key_characteristics) { HidlBuf empty_buf = {}; EXPECT_EQ(ErrorCode::OK, GetCharacteristics(key_blob, client_id, app_data, key_characteristics)); EXPECT_GT(key_characteristics->hardwareEnforced.size(), 0); EXPECT_GT(key_characteristics->softwareEnforced.size(), 0); EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, GetCharacteristics(key_blob, empty_buf, app_data, key_characteristics)); EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, GetCharacteristics(key_blob, client_id, empty_buf, key_characteristics)); EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); EXPECT_EQ(ErrorCode::INVALID_KEY_BLOB, GetCharacteristics(key_blob, empty_buf, empty_buf, key_characteristics)); EXPECT_EQ(key_characteristics->hardwareEnforced.size(), 0); EXPECT_EQ(key_characteristics->softwareEnforced.size(), 0); } ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, const HidlBuf& client_id, const HidlBuf& app_data, KeyCharacteristics* key_characteristics) { ErrorCode error = ErrorCode::UNKNOWN_ERROR; EXPECT_TRUE( keymaster_ ->getKeyCharacteristics( key_blob, client_id, app_data, [&](ErrorCode hidl_error, const KeyCharacteristics& hidl_key_characteristics) { error = hidl_error, *key_characteristics = hidl_key_characteristics; }) .isOk()); return error; } ErrorCode KeymasterHidlTest::GetCharacteristics(const HidlBuf& key_blob, KeyCharacteristics* key_characteristics) { HidlBuf client_id, app_data; return GetCharacteristics(key_blob, client_id, app_data, key_characteristics); } ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const HidlBuf& key_blob, const AuthorizationSet& in_params, AuthorizationSet* out_params, OperationHandle* op_handle) { SCOPED_TRACE("Begin"); ErrorCode error; OperationHandle saved_handle = *op_handle; EXPECT_TRUE(keymaster_ ->begin(purpose, key_blob, in_params.hidl_data(), HardwareAuthToken(), [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, uint64_t hidl_op_handle) { error = hidl_error; *out_params = hidl_out_params; *op_handle = hidl_op_handle; }) .isOk()); if (error != ErrorCode::OK) { // Some implementations may modify *op_handle on error. *op_handle = saved_handle; } return error; } ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params, AuthorizationSet* out_params) { SCOPED_TRACE("Begin"); EXPECT_EQ(kOpHandleSentinel, op_handle_); return Begin(purpose, key_blob_, in_params, out_params, &op_handle_); } ErrorCode KeymasterHidlTest::Begin(KeyPurpose purpose, const AuthorizationSet& in_params) { SCOPED_TRACE("Begin"); AuthorizationSet out_params; ErrorCode error = Begin(purpose, in_params, &out_params); EXPECT_TRUE(out_params.empty()); return error; } ErrorCode KeymasterHidlTest::Update(OperationHandle op_handle, const AuthorizationSet& in_params, const string& input, AuthorizationSet* out_params, string* output, size_t* input_consumed) { SCOPED_TRACE("Update"); ErrorCode error; EXPECT_TRUE(keymaster_ ->update(op_handle, in_params.hidl_data(), HidlBuf(input), HardwareAuthToken(), VerificationToken(), [&](ErrorCode hidl_error, uint32_t hidl_input_consumed, const hidl_vec<KeyParameter>& hidl_out_params, const HidlBuf& hidl_output) { error = hidl_error; out_params->push_back(AuthorizationSet(hidl_out_params)); output->append(hidl_output.to_string()); *input_consumed = hidl_input_consumed; }) .isOk()); return error; } ErrorCode KeymasterHidlTest::Update(const string& input, string* out, size_t* input_consumed) { SCOPED_TRACE("Update"); AuthorizationSet out_params; ErrorCode error = Update(op_handle_, AuthorizationSet() /* in_params */, input, &out_params, out, input_consumed); EXPECT_TRUE(out_params.empty()); return error; } ErrorCode KeymasterHidlTest::Finish(OperationHandle op_handle, const AuthorizationSet& in_params, const string& input, const string& signature, AuthorizationSet* out_params, string* output) { SCOPED_TRACE("Finish"); ErrorCode error; EXPECT_TRUE( keymaster_ ->finish(op_handle, in_params.hidl_data(), HidlBuf(input), HidlBuf(signature), HardwareAuthToken(), VerificationToken(), [&](ErrorCode hidl_error, const hidl_vec<KeyParameter>& hidl_out_params, const HidlBuf& hidl_output) { error = hidl_error; *out_params = hidl_out_params; output->append(hidl_output.to_string()); }) .isOk()); op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). return error; } ErrorCode KeymasterHidlTest::Finish(const string& message, string* output) { SCOPED_TRACE("Finish"); AuthorizationSet out_params; string finish_output; ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, "" /* signature */, &out_params, output); if (error != ErrorCode::OK) { return error; } EXPECT_EQ(0U, out_params.size()); return error; } ErrorCode KeymasterHidlTest::Finish(const string& message, const string& signature, string* output) { SCOPED_TRACE("Finish"); AuthorizationSet out_params; ErrorCode error = Finish(op_handle_, AuthorizationSet() /* in_params */, message, signature, &out_params, output); op_handle_ = kOpHandleSentinel; // So dtor doesn't Abort(). if (error != ErrorCode::OK) { return error; } EXPECT_EQ(0U, out_params.size()); return error; } ErrorCode KeymasterHidlTest::Abort(OperationHandle op_handle) { SCOPED_TRACE("Abort"); auto retval = keymaster_->abort(op_handle); EXPECT_TRUE(retval.isOk()); return retval; } void KeymasterHidlTest::AbortIfNeeded() { SCOPED_TRACE("AbortIfNeeded"); if (op_handle_ != kOpHandleSentinel) { EXPECT_EQ(ErrorCode::OK, Abort(op_handle_)); op_handle_ = kOpHandleSentinel; } } ErrorCode KeymasterHidlTest::AttestKey(const HidlBuf& key_blob, const AuthorizationSet& attest_params, hidl_vec<hidl_vec<uint8_t>>* cert_chain) { SCOPED_TRACE("AttestKey"); ErrorCode error; auto rc = keymaster_->attestKey( key_blob, attest_params.hidl_data(), [&](ErrorCode hidl_error, const hidl_vec<hidl_vec<uint8_t>>& hidl_cert_chain) { error = hidl_error; *cert_chain = hidl_cert_chain; }); EXPECT_TRUE(rc.isOk()) << rc.description(); if (!rc.isOk()) return ErrorCode::UNKNOWN_ERROR; return error; } ErrorCode KeymasterHidlTest::AttestKey(const AuthorizationSet& attest_params, hidl_vec<hidl_vec<uint8_t>>* cert_chain) { SCOPED_TRACE("AttestKey"); return AttestKey(key_blob_, attest_params, cert_chain); } string KeymasterHidlTest::ProcessMessage(const HidlBuf& key_blob, KeyPurpose operation, const string& message, const AuthorizationSet& in_params, AuthorizationSet* out_params) { SCOPED_TRACE("ProcessMessage"); AuthorizationSet begin_out_params; EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)); string output; size_t consumed = 0; AuthorizationSet update_params; AuthorizationSet update_out_params; EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); string unused; AuthorizationSet finish_params; AuthorizationSet finish_out_params; EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused, &finish_out_params, &output)); op_handle_ = kOpHandleSentinel; out_params->push_back(begin_out_params); out_params->push_back(finish_out_params); return output; } string KeymasterHidlTest::SignMessage(const HidlBuf& key_blob, const string& message, const AuthorizationSet& params) { SCOPED_TRACE("SignMessage"); AuthorizationSet out_params; string signature = ProcessMessage(key_blob, KeyPurpose::SIGN, message, params, &out_params); EXPECT_TRUE(out_params.empty()); return signature; } string KeymasterHidlTest::SignMessage(const string& message, const AuthorizationSet& params) { SCOPED_TRACE("SignMessage"); return SignMessage(key_blob_, message, params); } string KeymasterHidlTest::MacMessage(const string& message, Digest digest, size_t mac_length) { SCOPED_TRACE("MacMessage"); return SignMessage( key_blob_, message, AuthorizationSetBuilder().Digest(digest).Authorization(TAG_MAC_LENGTH, mac_length)); } void KeymasterHidlTest::CheckHmacTestVector(const string& key, const string& message, Digest digest, const string& expected_mac) { SCOPED_TRACE("CheckHmacTestVector"); ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .HmacKey(key.size() * 8) .Authorization(TAG_MIN_MAC_LENGTH, expected_mac.size() * 8) .Digest(digest), KeyFormat::RAW, key)); string signature = MacMessage(message, digest, expected_mac.size() * 8); EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for key of size " << key.size() << " message of size " << message.size() << " and digest " << digest; CheckedDeleteKey(); } void KeymasterHidlTest::CheckAesCtrTestVector(const string& key, const string& nonce, const string& message, const string& expected_ciphertext) { SCOPED_TRACE("CheckAesCtrTestVector"); ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .AesEncryptionKey(key.size() * 8) .BlockMode(BlockMode::CTR) .Authorization(TAG_CALLER_NONCE) .Padding(PaddingMode::NONE), KeyFormat::RAW, key)); auto params = AuthorizationSetBuilder() .Authorization(TAG_NONCE, nonce.data(), nonce.size()) .BlockMode(BlockMode::CTR) .Padding(PaddingMode::NONE); AuthorizationSet out_params; string ciphertext = EncryptMessage(key_blob_, message, params, &out_params); EXPECT_EQ(expected_ciphertext, ciphertext); } void KeymasterHidlTest::CheckTripleDesTestVector(KeyPurpose purpose, BlockMode block_mode, PaddingMode padding_mode, const string& key, const string& iv, const string& input, const string& expected_output) { auto authset = AuthorizationSetBuilder() .TripleDesEncryptionKey(key.size() * 7) .BlockMode(block_mode) .Authorization(TAG_NO_AUTH_REQUIRED) .Padding(padding_mode); if (iv.size()) authset.Authorization(TAG_CALLER_NONCE); ASSERT_EQ(ErrorCode::OK, ImportKey(authset, KeyFormat::RAW, key)); auto begin_params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding_mode); if (iv.size()) begin_params.Authorization(TAG_NONCE, iv.data(), iv.size()); AuthorizationSet output_params; string output = ProcessMessage(key_blob_, purpose, input, begin_params, &output_params); EXPECT_EQ(expected_output, output); } void KeymasterHidlTest::VerifyMessage(const HidlBuf& key_blob, const string& message, const string& signature, const AuthorizationSet& params) { SCOPED_TRACE("VerifyMessage"); AuthorizationSet begin_out_params; ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::VERIFY, key_blob, params, &begin_out_params, &op_handle_)); string output; AuthorizationSet update_params; AuthorizationSet update_out_params; size_t consumed; ASSERT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)); EXPECT_TRUE(output.empty()); EXPECT_GT(consumed, 0U); string unused; AuthorizationSet finish_params; AuthorizationSet finish_out_params; EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), signature, &finish_out_params, &output)); op_handle_ = kOpHandleSentinel; EXPECT_TRUE(output.empty()); } void KeymasterHidlTest::VerifyMessage(const string& message, const string& signature, const AuthorizationSet& params) { SCOPED_TRACE("VerifyMessage"); VerifyMessage(key_blob_, message, signature, params); } string KeymasterHidlTest::EncryptMessage(const HidlBuf& key_blob, const string& message, const AuthorizationSet& in_params, AuthorizationSet* out_params) { SCOPED_TRACE("EncryptMessage"); return ProcessMessage(key_blob, KeyPurpose::ENCRYPT, message, in_params, out_params); } string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params, AuthorizationSet* out_params) { SCOPED_TRACE("EncryptMessage"); return EncryptMessage(key_blob_, message, params, out_params); } string KeymasterHidlTest::EncryptMessage(const string& message, const AuthorizationSet& params) { SCOPED_TRACE("EncryptMessage"); AuthorizationSet out_params; string ciphertext = EncryptMessage(message, params, &out_params); EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params; return ciphertext; } string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding) { SCOPED_TRACE("EncryptMessage"); auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding); AuthorizationSet out_params; string ciphertext = EncryptMessage(message, params, &out_params); EXPECT_TRUE(out_params.empty()) << "Output params should be empty. Contained: " << out_params; return ciphertext; } string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding, HidlBuf* iv_out) { SCOPED_TRACE("EncryptMessage"); auto params = AuthorizationSetBuilder().BlockMode(block_mode).Padding(padding); AuthorizationSet out_params; string ciphertext = EncryptMessage(message, params, &out_params); EXPECT_EQ(1U, out_params.size()); auto ivVal = out_params.GetTagValue(TAG_NONCE); EXPECT_TRUE(ivVal.isOk()); if (ivVal.isOk()) *iv_out = ivVal.value(); return ciphertext; } string KeymasterHidlTest::EncryptMessage(const string& message, BlockMode block_mode, PaddingMode padding, const HidlBuf& iv_in) { SCOPED_TRACE("EncryptMessage"); auto params = AuthorizationSetBuilder() .BlockMode(block_mode) .Padding(padding) .Authorization(TAG_NONCE, iv_in); AuthorizationSet out_params; string ciphertext = EncryptMessage(message, params, &out_params); return ciphertext; } string KeymasterHidlTest::DecryptMessage(const HidlBuf& key_blob, const string& ciphertext, const AuthorizationSet& params) { SCOPED_TRACE("DecryptMessage"); AuthorizationSet out_params; string plaintext = ProcessMessage(key_blob, KeyPurpose::DECRYPT, ciphertext, params, &out_params); EXPECT_TRUE(out_params.empty()); return plaintext; } string KeymasterHidlTest::DecryptMessage(const string& ciphertext, const AuthorizationSet& params) { SCOPED_TRACE("DecryptMessage"); return DecryptMessage(key_blob_, ciphertext, params); } string KeymasterHidlTest::DecryptMessage(const string& ciphertext, BlockMode block_mode, PaddingMode padding_mode, const HidlBuf& iv) { SCOPED_TRACE("DecryptMessage"); auto params = AuthorizationSetBuilder() .BlockMode(block_mode) .Padding(padding_mode) .Authorization(TAG_NONCE, iv); return DecryptMessage(key_blob_, ciphertext, params); } std::pair<ErrorCode, HidlBuf> KeymasterHidlTest::UpgradeKey(const HidlBuf& key_blob) { std::pair<ErrorCode, HidlBuf> retval; keymaster_->upgradeKey(key_blob, hidl_vec<KeyParameter>(), [&](ErrorCode error, const hidl_vec<uint8_t>& upgraded_blob) { retval = std::tie(error, upgraded_blob); }); return retval; } std::vector<uint32_t> KeymasterHidlTest::ValidKeySizes(Algorithm algorithm) { switch (algorithm) { case Algorithm::RSA: switch (SecLevel()) { case SecurityLevel::TRUSTED_ENVIRONMENT: return {2048, 3072, 4096}; case SecurityLevel::STRONGBOX: return {2048}; default: CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); break; } break; case Algorithm::EC: switch (SecLevel()) { case SecurityLevel::TRUSTED_ENVIRONMENT: return {224, 256, 384, 521}; case SecurityLevel::STRONGBOX: return {256}; default: CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); break; } break; case Algorithm::AES: return {128, 256}; case Algorithm::TRIPLE_DES: return {168}; case Algorithm::HMAC: { std::vector<uint32_t> retval((512 - 64) / 8 + 1); uint32_t size = 64 - 8; std::generate(retval.begin(), retval.end(), [&]() { return (size += 8); }); return retval; } default: CHECK(false) << "Invalid Algorithm: " << algorithm; return {}; } CHECK(false) << "Should be impossible to get here"; return {}; } std::vector<uint32_t> KeymasterHidlTest::InvalidKeySizes(Algorithm algorithm) { if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; CHECK(SecLevel() == SecurityLevel::STRONGBOX); switch (algorithm) { case Algorithm::RSA: return {3072, 4096}; case Algorithm::EC: return {224, 384, 521}; case Algorithm::AES: return {192}; default: return {}; } } std::vector<EcCurve> KeymasterHidlTest::ValidCurves() { if (securityLevel_ == SecurityLevel::STRONGBOX) { return {EcCurve::P_256}; } else { return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521}; } } std::vector<EcCurve> KeymasterHidlTest::InvalidCurves() { if (SecLevel() == SecurityLevel::TRUSTED_ENVIRONMENT) return {}; CHECK(SecLevel() == SecurityLevel::STRONGBOX); return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521}; } std::vector<Digest> KeymasterHidlTest::ValidDigests(bool withNone, bool withMD5) { switch (SecLevel()) { case SecurityLevel::TRUSTED_ENVIRONMENT: if (withNone) { if (withMD5) return {Digest::NONE, Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; else return {Digest::NONE, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; } else { if (withMD5) return {Digest::MD5, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; else return {Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_256, Digest::SHA_2_384, Digest::SHA_2_512}; } break; case SecurityLevel::STRONGBOX: if (withNone) return {Digest::NONE, Digest::SHA_2_256}; else return {Digest::SHA_2_256}; break; default: CHECK(false) << "Invalid security level " << uint32_t(SecLevel()); break; } CHECK(false) << "Should be impossible to get here"; return {}; } std::vector<Digest> KeymasterHidlTest::InvalidDigests() { return {}; } } // namespace test } // namespace V4_0 } // namespace keymaster } // namespace hardware } // namespace android