Merge "Verify that imported keys have the correct characteristics." am: a5468b5127 am: 820eda6b7f (60e20187) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+65 −5

Original line number	Original line	Diff line number	Diff line
	@@ -613,7 +613,7 @@ bool matching_rp_instance(const string& km_name,
	class NewKeyGenerationTest : public KeyMintAidlTestBase {		class NewKeyGenerationTest : public KeyMintAidlTestBase {
	protected:		protected:
	void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {		void CheckBaseParams(const vector<KeyCharacteristics>& keyCharacteristics) {
	AuthorizationSet auths = CheckCommonParams(keyCharacteristics);		AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
	EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));		EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));

	// Check that some unexpected tags/values are NOT present.		// Check that some unexpected tags/values are NOT present.
	@@ -622,20 +622,21 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase {
	}		}

	void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {		void CheckSymmetricParams(const vector<KeyCharacteristics>& keyCharacteristics) {
	AuthorizationSet auths = CheckCommonParams(keyCharacteristics);		AuthorizationSet auths = CheckCommonParams(keyCharacteristics, KeyOrigin::GENERATED);
	EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));		EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::ENCRYPT));
	EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));		EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::DECRYPT));

	EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));		EXPECT_FALSE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
	}		}

	AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics) {		AuthorizationSet CheckCommonParams(const vector<KeyCharacteristics>& keyCharacteristics,
			const KeyOrigin expectedKeyOrigin) {
	// TODO(swillden): Distinguish which params should be in which auth list.		// TODO(swillden): Distinguish which params should be in which auth list.
	AuthorizationSet auths;		AuthorizationSet auths;
	for (auto& entry : keyCharacteristics) {		for (auto& entry : keyCharacteristics) {
	auths.push_back(AuthorizationSet(entry.authorizations));		auths.push_back(AuthorizationSet(entry.authorizations));
	}		}
	EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));		EXPECT_TRUE(auths.Contains(TAG_ORIGIN, expectedKeyOrigin));

	// Verify that App data, ROT and auth timeout are NOT included.		// Verify that App data, ROT and auth timeout are NOT included.
	EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));		EXPECT_FALSE(auths.Contains(TAG_ROOT_OF_TRUST));
	@@ -3801,7 +3802,7 @@ typedef KeyMintAidlTestBase ExportKeyTest;
	// TODO(seleneh) add ExportKey to GenerateKey		// TODO(seleneh) add ExportKey to GenerateKey
	// check result		// check result

	class ImportKeyTest : public KeyMintAidlTestBase {		class ImportKeyTest : public NewKeyGenerationTest {
	public:		public:
	template <TagType tag_type, Tag tag, typename ValueT>		template <TagType tag_type, Tag tag, typename ValueT>
	void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {		void CheckCryptoParam(TypedTag<tag_type, tag> ttag, ValueT expected) {
	@@ -4511,6 +4512,65 @@ TEST_P(ImportKeyTest, HmacKeySuccess) {
	VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));		VerifyMessage(message, signature, AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
	}		}

			/*
			* ImportKeyTest.GetKeyCharacteristics
			*
			* Verifies that imported keys have the correct characteristics.
			*/
			TEST_P(ImportKeyTest, GetKeyCharacteristics) {
			vector<uint8_t> key_blob;
			vector<KeyCharacteristics> key_characteristics;
			auto base_builder = AuthorizationSetBuilder()
			.Padding(PaddingMode::NONE)
			.Authorization(TAG_NO_AUTH_REQUIRED)
			.SetDefaultValidity();
			vector<Algorithm> algorithms = {Algorithm::RSA, Algorithm::EC, Algorithm::HMAC, Algorithm::AES,
			Algorithm::TRIPLE_DES};
			ErrorCode result;
			string symKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98"); // 128 bits
			string tdesKey = hex2str("a49d7564199e97cb529d2c9d97bf2f98d35edf57ba1f7358"); // 192 bits
			for (auto alg : algorithms) {
			SCOPED_TRACE(testing::Message() << "Algorithm-" << alg);
			AuthorizationSetBuilder builder(base_builder);
			switch (alg) {
			case Algorithm::RSA:
			builder.RsaSigningKey(2048, 65537).Digest(Digest::NONE);

			result = ImportKey(builder, KeyFormat::PKCS8, rsa_2048_key, &key_blob,
			&key_characteristics);
			break;
			case Algorithm::EC:
			builder.EcdsaSigningKey(EcCurve::P_256).Digest(Digest::NONE);
			result = ImportKey(builder, KeyFormat::PKCS8, ec_256_key, &key_blob,
			&key_characteristics);
			break;
			case Algorithm::HMAC:
			builder.HmacKey(128)
			.Digest(Digest::SHA_2_256)
			.Authorization(TAG_MIN_MAC_LENGTH, 128);
			result =
			ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
			break;
			case Algorithm::AES:
			builder.AesEncryptionKey(128).BlockMode(BlockMode::ECB);
			result =
			ImportKey(builder, KeyFormat::RAW, symKey, &key_blob, &key_characteristics);
			break;
			case Algorithm::TRIPLE_DES:
			builder.TripleDesEncryptionKey(168).BlockMode(BlockMode::ECB);
			result = ImportKey(builder, KeyFormat::RAW, tdesKey, &key_blob,
			&key_characteristics);
			break;
			default:
			ADD_FAILURE() << "Invalid Algorithm " << uint32_t(alg);
			continue;
			}
			ASSERT_EQ(ErrorCode::OK, result);
			CheckCharacteristics(key_blob, key_characteristics);
			CheckCommonParams(key_characteristics, KeyOrigin::IMPORTED);
			}
			}

	INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);		INSTANTIATE_KEYMINT_AIDL_TEST(ImportKeyTest);

	auto wrapped_key = hex2str(		auto wrapped_key = hex2str(