You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
362 lines
16 KiB
362 lines
16 KiB
/*
|
|
* Copyright 2014 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
/*
|
|
* Utilities used to help with testing. Not used in production code.
|
|
*/
|
|
|
|
#include <stdarg.h>
|
|
|
|
#include <algorithm>
|
|
#include <memory>
|
|
#include <ostream>
|
|
#include <string>
|
|
#include <vector>
|
|
|
|
#include <gtest/gtest.h>
|
|
|
|
#include <hardware/keymaster1.h>
|
|
#include <hardware/keymaster2.h>
|
|
#include <hardware/keymaster_defs.h>
|
|
|
|
#include <keymaster/android_keymaster_utils.h>
|
|
#include <keymaster/authorization_set.h>
|
|
#include <keymaster/keymaster_context.h>
|
|
#include <keymaster/km_version.h>
|
|
#include <keymaster/logger.h>
|
|
|
|
std::ostream& operator<<(std::ostream& os, const keymaster_key_param_t& param);
|
|
bool operator==(const keymaster_key_param_t& a, const keymaster_key_param_t& b);
|
|
std::string hex2str(std::string);
|
|
|
|
namespace keymaster {
|
|
|
|
bool operator==(const AuthorizationSet& a, const AuthorizationSet& b);
|
|
bool operator!=(const AuthorizationSet& a, const AuthorizationSet& b);
|
|
|
|
std::ostream& operator<<(std::ostream& os, const AuthorizationSet& set);
|
|
|
|
namespace test {
|
|
|
|
template <keymaster_tag_t Tag, typename KeymasterEnum>
|
|
bool contains(const AuthorizationSet& set, TypedEnumTag<KM_ENUM, Tag, KeymasterEnum> tag,
|
|
KeymasterEnum val) {
|
|
int pos = set.find(tag);
|
|
return pos != -1 && static_cast<KeymasterEnum>(set[pos].enumerated) == val;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag, typename KeymasterEnum>
|
|
bool contains(const AuthorizationSet& set, TypedEnumTag<KM_ENUM_REP, Tag, KeymasterEnum> tag,
|
|
KeymasterEnum val) {
|
|
int pos = -1;
|
|
while ((pos = set.find(tag, pos)) != -1)
|
|
if (static_cast<KeymasterEnum>(set[pos].enumerated) == val) return true;
|
|
return false;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag>
|
|
bool contains(const AuthorizationSet& set, TypedTag<KM_UINT, Tag> tag, uint32_t val) {
|
|
int pos = set.find(tag);
|
|
return pos != -1 && set[pos].integer == val;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag>
|
|
bool contains(const AuthorizationSet& set, TypedTag<KM_UINT_REP, Tag> tag, uint32_t val) {
|
|
int pos = -1;
|
|
while ((pos = set.find(tag, pos)) != -1)
|
|
if (set[pos].integer == val) return true;
|
|
return false;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag>
|
|
bool contains(const AuthorizationSet& set, TypedTag<KM_ULONG, Tag> tag, uint64_t val) {
|
|
int pos = set.find(tag);
|
|
return pos != -1 && set[pos].long_integer == val;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag>
|
|
bool contains(const AuthorizationSet& set, TypedTag<KM_BYTES, Tag> tag, const std::string& val) {
|
|
int pos = set.find(tag);
|
|
return pos != -1 && std::string(reinterpret_cast<const char*>(set[pos].blob.data),
|
|
set[pos].blob.data_length) == val;
|
|
}
|
|
|
|
template <keymaster_tag_t Tag>
|
|
bool contains(const AuthorizationSet& set, TypedTag<KM_BIGNUM, Tag> tag, const std::string& val) {
|
|
int pos = set.find(tag);
|
|
return pos != -1 && std::string(reinterpret_cast<const char*>(set[pos].blob.data),
|
|
set[pos].blob.data_length) == val;
|
|
}
|
|
|
|
inline bool contains(const AuthorizationSet& set, keymaster_tag_t tag) {
|
|
return set.find(tag) != -1;
|
|
}
|
|
|
|
class StdoutLogger : public Logger {
|
|
public:
|
|
StdoutLogger() { set_instance(this); }
|
|
|
|
int log_msg(LogLevel level, const char* fmt, va_list args) const {
|
|
int output_len = 0;
|
|
switch (level) {
|
|
case DEBUG_LVL:
|
|
output_len = printf("DEBUG: ");
|
|
break;
|
|
case INFO_LVL:
|
|
output_len = printf("INFO: ");
|
|
break;
|
|
case WARNING_LVL:
|
|
output_len = printf("WARNING: ");
|
|
break;
|
|
case ERROR_LVL:
|
|
output_len = printf("ERROR: ");
|
|
break;
|
|
case SEVERE_LVL:
|
|
output_len = printf("SEVERE: ");
|
|
break;
|
|
}
|
|
|
|
output_len += vprintf(fmt, args);
|
|
output_len += printf("\n");
|
|
return output_len;
|
|
}
|
|
};
|
|
|
|
inline std::string make_string(const uint8_t* data, size_t length) {
|
|
return std::string(reinterpret_cast<const char*>(data), length);
|
|
}
|
|
|
|
template <size_t N> std::string make_string(const uint8_t (&a)[N]) {
|
|
return make_string(a, N);
|
|
}
|
|
|
|
/**
|
|
* Keymaster2TestInstance is used to parameterize Keymaster2Tests. Its main function is to create a
|
|
* keymaster2_device_t to which test calls can be directed. It also provides a place to specify
|
|
* various bits of alternative behavior, in cases where different devices are expected to behave
|
|
* differently (any such cases are a potential bug, but sometimes they may make sense).
|
|
*/
|
|
class Keymaster2TestInstanceCreator {
|
|
public:
|
|
virtual ~Keymaster2TestInstanceCreator(){};
|
|
virtual keymaster2_device_t* CreateDevice() const = 0;
|
|
|
|
virtual int minimal_digest_set() const { return false; }
|
|
virtual bool is_keymaster1_hw() const = 0;
|
|
virtual bool is_keymint() const { return false; }
|
|
virtual KeymasterContext* keymaster_context() const = 0;
|
|
virtual KmVersion km_version() const = 0;
|
|
|
|
virtual std::string name() const = 0;
|
|
};
|
|
|
|
// Use a shared_ptr because it's copyable.
|
|
typedef std::shared_ptr<Keymaster2TestInstanceCreator> InstanceCreatorPtr;
|
|
|
|
std::ostream& operator<<(std::ostream& os, const InstanceCreatorPtr& instance_creator);
|
|
|
|
const uint64_t OP_HANDLE_SENTINEL = 0xFFFFFFFFFFFFFFFF;
|
|
class Keymaster2Test : public testing::TestWithParam<InstanceCreatorPtr> {
|
|
protected:
|
|
Keymaster2Test();
|
|
~Keymaster2Test();
|
|
|
|
keymaster2_device_t* device();
|
|
|
|
keymaster_error_t GenerateKey(const AuthorizationSetBuilder& builder);
|
|
|
|
keymaster_error_t DeleteKey();
|
|
|
|
keymaster_error_t ImportKey(const AuthorizationSetBuilder& builder,
|
|
keymaster_key_format_t format, const std::string& key_material);
|
|
|
|
keymaster_error_t ExportKey(keymaster_key_format_t format, std::string* export_data);
|
|
|
|
keymaster_error_t GetCharacteristics();
|
|
|
|
keymaster_error_t BeginOperation(keymaster_purpose_t purpose);
|
|
keymaster_error_t BeginOperation(keymaster_purpose_t purpose, const AuthorizationSet& input_set,
|
|
AuthorizationSet* output_set = nullptr);
|
|
|
|
keymaster_error_t UpdateOperation(const std::string& message, std::string* output,
|
|
size_t* input_consumed);
|
|
keymaster_error_t UpdateOperation(const AuthorizationSet& additional_params,
|
|
const std::string& message, AuthorizationSet* output_params,
|
|
std::string* output, size_t* input_consumed);
|
|
|
|
keymaster_error_t FinishOperation(std::string* output);
|
|
keymaster_error_t FinishOperation(const std::string& input, const std::string& signature,
|
|
std::string* output);
|
|
keymaster_error_t FinishOperation(const AuthorizationSet& additional_params,
|
|
const std::string& input, const std::string& signature,
|
|
std::string* output) {
|
|
return FinishOperation(additional_params, input, signature, nullptr /* output_params */,
|
|
output);
|
|
}
|
|
keymaster_error_t FinishOperation(const AuthorizationSet& additional_params,
|
|
const std::string& input, const std::string& signature,
|
|
AuthorizationSet* output_params, std::string* output);
|
|
|
|
keymaster_error_t AbortOperation();
|
|
|
|
keymaster_error_t AttestKey(const std::string& attest_challenge,
|
|
const std::string& attest_app_id, keymaster_cert_chain_t* chain);
|
|
|
|
keymaster_error_t UpgradeKey(const AuthorizationSet& upgrade_params);
|
|
|
|
keymaster_error_t GetVersion(uint8_t* major, uint8_t* minor, uint8_t* subminor);
|
|
std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message);
|
|
std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message,
|
|
const AuthorizationSet& begin_params,
|
|
const AuthorizationSet& update_params,
|
|
AuthorizationSet* output_params = nullptr);
|
|
std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message,
|
|
const std::string& signature, const AuthorizationSet& begin_params,
|
|
const AuthorizationSet& update_params,
|
|
AuthorizationSet* output_params = nullptr);
|
|
std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message,
|
|
const std::string& signature);
|
|
|
|
void SignMessage(const std::string& message, std::string* signature, keymaster_digest_t digest);
|
|
void SignMessage(const std::string& message, std::string* signature, keymaster_digest_t digest,
|
|
keymaster_padding_t padding);
|
|
void MacMessage(const std::string& message, std::string* signature, size_t mac_length);
|
|
|
|
void VerifyMessage(const std::string& message, const std::string& signature,
|
|
keymaster_digest_t digest);
|
|
void VerifyMessage(const std::string& message, const std::string& signature,
|
|
keymaster_digest_t digest, keymaster_padding_t padding);
|
|
void VerifyMac(const std::string& message, const std::string& signature);
|
|
|
|
std::string EncryptMessage(const std::string& message, keymaster_padding_t padding,
|
|
std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const std::string& message, keymaster_digest_t digest,
|
|
keymaster_digest_t mgf_digest, keymaster_padding_t padding,
|
|
std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const std::string& message, keymaster_digest_t digest,
|
|
keymaster_padding_t padding, std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const std::string& message, keymaster_block_mode_t block_mode,
|
|
keymaster_padding_t padding, std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const AuthorizationSet& update_params, const std::string& message,
|
|
keymaster_digest_t digest, keymaster_digest_t mgf_digest,
|
|
keymaster_padding_t padding, std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const AuthorizationSet& update_params, const std::string& message,
|
|
keymaster_digest_t digest, keymaster_padding_t padding,
|
|
std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessage(const AuthorizationSet& update_params, const std::string& message,
|
|
keymaster_block_mode_t block_mode, keymaster_padding_t padding,
|
|
std::string* generated_nonce = nullptr);
|
|
std::string EncryptMessageWithParams(const std::string& message,
|
|
const AuthorizationSet& begin_params,
|
|
const AuthorizationSet& update_params,
|
|
AuthorizationSet* output_params);
|
|
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_padding_t padding);
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_digest_t digest,
|
|
keymaster_padding_t padding);
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_block_mode_t block_mode,
|
|
keymaster_padding_t padding);
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_digest_t digest,
|
|
keymaster_padding_t padding, const std::string& nonce);
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_digest_t digest,
|
|
keymaster_digest_t mgf_digest, keymaster_padding_t padding);
|
|
std::string DecryptMessage(const std::string& ciphertext, keymaster_block_mode_t block_mode,
|
|
keymaster_padding_t padding, const std::string& nonce);
|
|
std::string DecryptMessage(const AuthorizationSet& update_params, const std::string& ciphertext,
|
|
keymaster_digest_t digest, keymaster_padding_t padding,
|
|
const std::string& nonce);
|
|
std::string DecryptMessage(const AuthorizationSet& update_params, const std::string& ciphertext,
|
|
keymaster_block_mode_t block_mode, keymaster_padding_t padding,
|
|
const std::string& nonce);
|
|
std::string DecryptMessageWithParams(const std::string& message,
|
|
const AuthorizationSet& begin_params,
|
|
const AuthorizationSet& update_params,
|
|
AuthorizationSet* output_params);
|
|
|
|
void CheckHmacTestVector(const std::string& key, const std::string& message,
|
|
keymaster_digest_t digest, std::string expected_mac);
|
|
void CheckAesOcbTestVector(const std::string& key, const std::string& nonce,
|
|
const std::string& associated_data, const std::string& message,
|
|
const std::string& expected_ciphertext);
|
|
void CheckAesCtrTestVector(const std::string& key, const std::string& nonce,
|
|
const std::string& message, const std::string& expected_ciphertext);
|
|
void CheckTripleDesTestVector(keymaster_purpose_t purpose, keymaster_block_mode_t mode,
|
|
keymaster_padding_t padding, const std::string& key,
|
|
const std::string& iv, const std::string& message,
|
|
const std::string& expected_ciphertext);
|
|
AuthorizationSet UserAuthParams();
|
|
AuthorizationSet ClientParams();
|
|
|
|
template <typename T>
|
|
bool ResponseContains(const std::vector<T>& expected, const T* values, size_t len) {
|
|
return expected.size() == len &&
|
|
std::is_permutation(values, values + len, expected.begin());
|
|
}
|
|
|
|
template <typename T> bool ResponseContains(T expected, const T* values, size_t len) {
|
|
return (len == 1 && *values == expected);
|
|
}
|
|
|
|
AuthorizationSet hw_enforced();
|
|
AuthorizationSet sw_enforced();
|
|
|
|
void FreeCharacteristics();
|
|
void FreeKeyBlob();
|
|
|
|
void corrupt_key_blob();
|
|
|
|
void set_key_blob(const uint8_t* key, size_t key_length) {
|
|
FreeKeyBlob();
|
|
blob_.key_material = key;
|
|
blob_.key_material_size = key_length;
|
|
}
|
|
|
|
void set_key_blob(KeymasterKeyBlob blob) { blob_ = blob.release(); }
|
|
void set_key_characteristics(const AuthorizationSet& hw_enforced,
|
|
const AuthorizationSet& sw_enforced) {
|
|
FreeCharacteristics();
|
|
hw_enforced.CopyToParamSet(&characteristics_.hw_enforced);
|
|
sw_enforced.CopyToParamSet(&characteristics_.sw_enforced);
|
|
}
|
|
|
|
AuthorizationSet client_params() {
|
|
return AuthorizationSet(client_params_, sizeof(client_params_) / sizeof(client_params_[0]));
|
|
}
|
|
|
|
private:
|
|
keymaster2_device_t* device_;
|
|
keymaster_blob_t client_id_ = {.data = reinterpret_cast<const uint8_t*>("app_id"),
|
|
.data_length = 6};
|
|
keymaster_key_param_t client_params_[1] = {
|
|
Authorization(TAG_APPLICATION_ID, client_id_.data, client_id_.data_length)};
|
|
|
|
uint64_t op_handle_;
|
|
|
|
keymaster_key_blob_t blob_;
|
|
keymaster_key_characteristics_t characteristics_;
|
|
};
|
|
|
|
/**
|
|
* This function takes a keymaster1_device_t and wraps it in an adapter that supports only
|
|
* KM_DIGEST_SHA_2_256.
|
|
*/
|
|
keymaster1_device_t* make_device_sha256_only(keymaster1_device_t* device);
|
|
|
|
} // namespace test
|
|
} // namespace keymaster
|