Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4af9762e authored by David Drysdale's avatar David Drysdale Committed by Gerrit Code Review
Browse files

Merge changes Ibfb6a54c,Ifa0f95fd 

* changes:
  KeyMint VTS: police Ed25519 msg size limit
  KeyMint VTS: test curve 25519 functionality
parents 1c7c6b69 feab5d93

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

+3 −1
Original line number Original line Diff line number Diff line
@@ -96,7 +96,9 @@ import android.hardware.security.secureclock.TimeStampToken; 
 *      - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,

 *      - TRUSTED_ENVRIONMENT IKeyMintDevices must support curve 25519 for Purpose::SIGN (Ed25519,

 *        as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY

 *        as specified in RFC 8032), Purpose::ATTEST_KEY (Ed25519) or for KeyPurpose::AGREE_KEY

 *        (X25519, as specified in RFC 7748).  However, a key must have exactly one of these

 *        (X25519, as specified in RFC 7748).  However, a key must have exactly one of these

 *        purpose values; the same key cannot be used for multiple purposes.

 *        purpose values; the same key cannot be used for multiple purposes. Signing operations

 *        (Purpose::SIGN) have a message size limit of 16 KiB; operations on messages longer than

 *        this limit must fail with ErrorCode::INVALID_INPUT_LENGTH.

 *        STRONGBOX IKeyMintDevices do not support curve 25519.

 *        STRONGBOX IKeyMintDevices do not support curve 25519.

 *

 *

 * o   AES

 * o   AES

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+53 −4
Original line number Original line Diff line number Diff line
@@ -25,6 +25,7 @@ 
#include <cppbor_parse.h>

#include <cppbor_parse.h>

#include <cutils/properties.h>

#include <cutils/properties.h>

#include <gmock/gmock.h>

#include <gmock/gmock.h>

#include <openssl/evp.h>

#include <openssl/mem.h>

#include <openssl/mem.h>

#include <remote_prov/remote_prov_utils.h>

#include <remote_prov/remote_prov_utils.h>
@@ -206,6 +207,21 @@ uint32_t KeyMintAidlTestBase::boot_patch_level() { 
    return boot_patch_level(key_characteristics_);

    return boot_patch_level(key_characteristics_);

}

}





bool KeyMintAidlTestBase::Curve25519Supported() {

    // Strongbox never supports curve 25519.

    if (SecLevel() == SecurityLevel::STRONGBOX) {

        return false;

    }



    // Curve 25519 was included in version 2 of the KeyMint interface.

    int32_t version = 0;

    auto status = keymint_->getInterfaceVersion(&version);

    if (!status.isOk()) {

        ADD_FAILURE() << "Failed to determine interface version";

    }

    return version >= 2;

}



ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) {

ErrorCode KeyMintAidlTestBase::GetReturnErrorCode(const Status& result) {

    if (result.isOk()) return ErrorCode::OK;

    if (result.isOk()) return ErrorCode::OK;
@@ -543,7 +559,12 @@ ErrorCode KeyMintAidlTestBase::Update(const string& input, string* output) { 
    std::vector<uint8_t> o_put;

    std::vector<uint8_t> o_put;

    result = op_->update(vector<uint8_t>(input.begin(), input.end()), {}, {}, &o_put);

    result = op_->update(vector<uint8_t>(input.begin(), input.end()), {}, {}, &o_put);





    if (result.isOk()) output->append(o_put.begin(), o_put.end());

    if (result.isOk()) {

        output->append(o_put.begin(), o_put.end());

    } else {

        // Failure always terminates the operation.

        op_ = {};

    }





    return GetReturnErrorCode(result);

    return GetReturnErrorCode(result);

}

}
@@ -740,6 +761,19 @@ void KeyMintAidlTestBase::LocalVerifyMessage(const string& message, const string 




    if (digest == Digest::NONE) {

    if (digest == Digest::NONE) {

        switch (EVP_PKEY_id(pub_key.get())) {

        switch (EVP_PKEY_id(pub_key.get())) {

            case EVP_PKEY_ED25519: {

                ASSERT_EQ(64, signature.size());

                uint8_t pub_keydata[32];

                size_t pub_len = sizeof(pub_keydata);

                ASSERT_EQ(1, EVP_PKEY_get_raw_public_key(pub_key.get(), pub_keydata, &pub_len));

                ASSERT_EQ(sizeof(pub_keydata), pub_len);

                ASSERT_EQ(1, ED25519_verify(reinterpret_cast<const uint8_t*>(message.data()),

                                            message.size(),

                                            reinterpret_cast<const uint8_t*>(signature.data()),

                                            pub_keydata));

                break;

            }



            case EVP_PKEY_EC: {

            case EVP_PKEY_EC: {

                vector<uint8_t> data((EVP_PKEY_bits(pub_key.get()) + 7) / 8);

                vector<uint8_t> data((EVP_PKEY_bits(pub_key.get()) + 7) / 8);

                size_t data_size = std::min(data.size(), message.size());

                size_t data_size = std::min(data.size(), message.size());
@@ -1166,16 +1200,31 @@ vector<PaddingMode> KeyMintAidlTestBase::InvalidPaddingModes(Algorithm algorithm 
vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {

vector<EcCurve> KeyMintAidlTestBase::ValidCurves() {

    if (securityLevel_ == SecurityLevel::STRONGBOX) {

    if (securityLevel_ == SecurityLevel::STRONGBOX) {

        return {EcCurve::P_256};

        return {EcCurve::P_256};

    } else if (Curve25519Supported()) {

        return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521,

                EcCurve::CURVE_25519};

    } else {

    } else {

        return {EcCurve::P_224, EcCurve::P_256, EcCurve::P_384, EcCurve::P_521};

        return {

                EcCurve::P_224,

                EcCurve::P_256,

                EcCurve::P_384,

                EcCurve::P_521,

        };

    }

    }

}

}





vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {

vector<EcCurve> KeyMintAidlTestBase::InvalidCurves() {

    if (SecLevel() == SecurityLevel::STRONGBOX) {

    if (SecLevel() == SecurityLevel::STRONGBOX) {

        return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521};

        // Curve 25519 is not supported, either because:

        // - KeyMint v1: it's an unknown enum value

        // - KeyMint v2+: it's not supported by StrongBox.

        return {EcCurve::P_224, EcCurve::P_384, EcCurve::P_521, EcCurve::CURVE_25519};

    } else {

    } else {

        if (Curve25519Supported()) {

            return {};

            return {};

        } else {

            return {EcCurve::CURVE_25519};

        }

    }

    }

}

}

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+2 −0
Original line number Original line Diff line number Diff line
@@ -80,6 +80,8 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { 
    uint32_t boot_patch_level(const vector<KeyCharacteristics>& key_characteristics);

    uint32_t boot_patch_level(const vector<KeyCharacteristics>& key_characteristics);

    uint32_t boot_patch_level();

    uint32_t boot_patch_level();





    bool Curve25519Supported();



    ErrorCode GetReturnErrorCode(const Status& result);

    ErrorCode GetReturnErrorCode(const Status& result);





    ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,

    ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+864 −78

File changed.

Preview size limit exceeded, changes collapsed.