Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 91305341 authored Jul 23, 2018 by nagendra modadugu Committed by Keun Soo Yim Aug 28, 2018

keymaster: skip SHA2 digest tests for strongbox

Strongbox is not required to support SHA-2 digests,
so skip the related tests.

Bug: 109771020
Merged-In: I5f877b2a1ac66026a876e145416ba078d486e4b5
Change-Id: I5f877b2a1ac66026a876e145416ba078d486e4b5
(cherry picked from commit 8cec80be)

parent 8414fb85

keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp

+49 −31

Original line number	Original line	Diff line number	Diff line
	@@ -198,7 +198,8 @@ bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) {
	if (!signing_pubkey.get()) return false;		if (!signing_pubkey.get()) return false;

	EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))		EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
	<< "Verification of certificate " << i << " failed";		<< "Verification of certificate " << i << " failed "
			<< "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);

	char* cert_issuer = //		char* cert_issuer = //
	X509_NAME_oneline(X509_get_issuer_name(key_cert.get()), nullptr, 0);		X509_NAME_oneline(X509_get_issuer_name(key_cert.get()), nullptr, 0);
	@@ -535,10 +536,16 @@ TEST_F(NewKeyGenerationTest, EcdsaAllValidSizes) {
	* Verifies that keymaster does not support any curve designated as unsupported.		* Verifies that keymaster does not support any curve designated as unsupported.
	*/		*/
	TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {		TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {
			Digest digest;
			if (SecLevel() == SecurityLevel::STRONGBOX) {
			digest = Digest::SHA_2_256;
			} else {
			digest = Digest::SHA_2_512;
			}
	for (auto curve : ValidCurves()) {		for (auto curve : ValidCurves()) {
	EXPECT_EQ(		EXPECT_EQ(
	ErrorCode::OK,		ErrorCode::OK,
	GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512)))		GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(digest)))
	<< "Failed to generate key on curve: " << curve;		<< "Failed to generate key on curve: " << curve;
	CheckCharacteristics(key_blob_, key_characteristics_);		CheckCharacteristics(key_blob_, key_characteristics_);
	CheckedDeleteKey();		CheckedDeleteKey();
	@@ -828,6 +835,7 @@ TEST_F(SigningOperationsTest, RsaPkcs1NoDigestTooLong) {
	* 1024-bit key.		* 1024-bit key.
	*/		*/
	TEST_F(SigningOperationsTest, RsaPssSha512TooSmallKey) {		TEST_F(SigningOperationsTest, RsaPssSha512TooSmallKey) {
			if (SecLevel() == SecurityLevel::STRONGBOX) return;
	ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
	.RsaSigningKey(1024, 65537)		.RsaSigningKey(1024, 65537)
	.Digest(Digest::SHA_2_512)		.Digest(Digest::SHA_2_512)
	@@ -1185,11 +1193,13 @@ TEST_F(SigningOperationsTest, HmacRfc4231TestCase3) {
	0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,		0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
	};		};

	CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
			if (SecLevel() != SecurityLevel::STRONGBOX) {
			CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
	}		}
			}

	/*		/*
	* SigningOperationsTest.HmacRfc4231TestCase5		* SigningOperationsTest.HmacRfc4231TestCase5
	@@ -1217,11 +1227,13 @@ TEST_F(SigningOperationsTest, HmacRfc4231TestCase5) {
	0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,		0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
	};		};

	CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
			if (SecLevel() != SecurityLevel::STRONGBOX) {
			CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
	}		}
			}

	/*		/*
	* SigningOperationsTest.HmacRfc4231TestCase6		* SigningOperationsTest.HmacRfc4231TestCase6
	@@ -1255,11 +1267,13 @@ TEST_F(SigningOperationsTest, HmacRfc4231TestCase6) {
	0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,		0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
	};		};

	CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
			if (SecLevel() != SecurityLevel::STRONGBOX) {
			CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
	}		}
			}

	/*		/*
	* SigningOperationsTest.HmacRfc4231TestCase7		* SigningOperationsTest.HmacRfc4231TestCase7
	@@ -1296,11 +1310,13 @@ TEST_F(SigningOperationsTest, HmacRfc4231TestCase7) {
	0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,		0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
	};		};

	CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
			if (SecLevel() != SecurityLevel::STRONGBOX) {
			CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
	CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));		CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
	}		}
			}

	typedef KeymasterHidlTest VerificationOperationsTest;		typedef KeymasterHidlTest VerificationOperationsTest;

	@@ -1511,7 +1527,7 @@ TEST_F(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.Authorization(TAG_ALGORITHM, Algorithm::HMAC)		.Authorization(TAG_ALGORITHM, Algorithm::HMAC)
	.Authorization(TAG_PURPOSE, KeyPurpose::SIGN)		.Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Authorization(TAG_MIN_MAC_LENGTH, 160),		.Authorization(TAG_MIN_MAC_LENGTH, 160),
	KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));		KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
	EXPECT_EQ(ErrorCode::OK,		EXPECT_EQ(ErrorCode::OK,
	@@ -1519,24 +1535,24 @@ TEST_F(VerificationOperationsTest, HmacSigningKeyCannotVerify) {
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.Authorization(TAG_ALGORITHM, Algorithm::HMAC)		.Authorization(TAG_ALGORITHM, Algorithm::HMAC)
	.Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)		.Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Authorization(TAG_MIN_MAC_LENGTH, 160),		.Authorization(TAG_MIN_MAC_LENGTH, 160),
	KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));		KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));

	string message = "This is a message.";		string message = "This is a message.";
	string signature = SignMessage(		string signature = SignMessage(
	signing_key, message,		signing_key, message,
	AuthorizationSetBuilder().Digest(Digest::SHA1).Authorization(TAG_MAC_LENGTH, 160));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));

	// Signing key should not work.		// Signing key should not work.
	AuthorizationSet out_params;		AuthorizationSet out_params;
	EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,		EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
	Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA1),		Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA_2_256),
	&out_params, &op_handle_));		&out_params, &op_handle_));

	// Verification key should work.		// Verification key should work.
	VerifyMessage(verification_key, message, signature,		VerifyMessage(verification_key, message, signature,
	AuthorizationSetBuilder().Digest(Digest::SHA1));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256));

	CheckedDeleteKey(&signing_key);		CheckedDeleteKey(&signing_key);
	CheckedDeleteKey(&verification_key);		CheckedDeleteKey(&verification_key);
	@@ -1895,14 +1911,14 @@ class ImportWrappedKeyTest : public KeymasterHidlTest {};
	TEST_F(ImportWrappedKeyTest, Success) {		TEST_F(ImportWrappedKeyTest, Success) {
	auto wrapping_key_desc = AuthorizationSetBuilder()		auto wrapping_key_desc = AuthorizationSetBuilder()
	.RsaEncryptionKey(2048, 65537)		.RsaEncryptionKey(2048, 65537)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Padding(PaddingMode::RSA_OAEP)		.Padding(PaddingMode::RSA_OAEP)
	.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);		.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);

	ASSERT_EQ(ErrorCode::OK,		ASSERT_EQ(ErrorCode::OK,
	ImportWrappedKey(		ImportWrappedKey(
	wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,		wrapped_key, wrapping_key, wrapping_key_desc, zero_masking_key,
	AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));

	string message = "Hello World!";		string message = "Hello World!";
	auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);		auto params = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::PKCS7);
	@@ -1914,39 +1930,39 @@ TEST_F(ImportWrappedKeyTest, Success) {
	TEST_F(ImportWrappedKeyTest, SuccessMasked) {		TEST_F(ImportWrappedKeyTest, SuccessMasked) {
	auto wrapping_key_desc = AuthorizationSetBuilder()		auto wrapping_key_desc = AuthorizationSetBuilder()
	.RsaEncryptionKey(2048, 65537)		.RsaEncryptionKey(2048, 65537)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Padding(PaddingMode::RSA_OAEP)		.Padding(PaddingMode::RSA_OAEP)
	.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);		.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);

	ASSERT_EQ(ErrorCode::OK,		ASSERT_EQ(ErrorCode::OK,
	ImportWrappedKey(		ImportWrappedKey(
	wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,		wrapped_key_masked, wrapping_key, wrapping_key_desc, masking_key,
	AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));
	}		}

	TEST_F(ImportWrappedKeyTest, WrongMask) {		TEST_F(ImportWrappedKeyTest, WrongMask) {
	auto wrapping_key_desc = AuthorizationSetBuilder()		auto wrapping_key_desc = AuthorizationSetBuilder()
	.RsaEncryptionKey(2048, 65537)		.RsaEncryptionKey(2048, 65537)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Padding(PaddingMode::RSA_OAEP)		.Padding(PaddingMode::RSA_OAEP)
	.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);		.Authorization(TAG_PURPOSE, KeyPurpose::WRAP_KEY);

	ASSERT_EQ(ErrorCode::VERIFICATION_FAILED,		ASSERT_EQ(ErrorCode::VERIFICATION_FAILED,
	ImportWrappedKey(		ImportWrappedKey(
	wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,		wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
	AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));
	}		}

	TEST_F(ImportWrappedKeyTest, WrongPurpose) {		TEST_F(ImportWrappedKeyTest, WrongPurpose) {
	auto wrapping_key_desc = AuthorizationSetBuilder()		auto wrapping_key_desc = AuthorizationSetBuilder()
	.RsaEncryptionKey(2048, 65537)		.RsaEncryptionKey(2048, 65537)
	.Digest(Digest::SHA1)		.Digest(Digest::SHA_2_256)
	.Padding(PaddingMode::RSA_OAEP);		.Padding(PaddingMode::RSA_OAEP);

	ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,		ASSERT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
	ImportWrappedKey(		ImportWrappedKey(
	wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,		wrapped_key_masked, wrapping_key, wrapping_key_desc, zero_masking_key,
	AuthorizationSetBuilder().Digest(Digest::SHA1).Padding(PaddingMode::RSA_OAEP)));		AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_OAEP)));
	}		}

	typedef KeymasterHidlTest EncryptionOperationsTest;		typedef KeymasterHidlTest EncryptionOperationsTest;
	@@ -2140,11 +2156,13 @@ TEST_F(EncryptionOperationsTest, RsaOaepInvalidDigest) {
	* different digest than was used to encrypt.		* different digest than was used to encrypt.
	*/		*/
	TEST_F(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {		TEST_F(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
			if (SecLevel() == SecurityLevel::STRONGBOX) return;

	ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()		ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.RsaEncryptionKey(1024, 65537)		.RsaEncryptionKey(1024, 65537)
	.Padding(PaddingMode::RSA_OAEP)		.Padding(PaddingMode::RSA_OAEP)
	.Digest(Digest::SHA_2_256, Digest::SHA_2_224)));		.Digest(Digest::SHA_2_224, Digest::SHA_2_256)));
	string message = "Hello World!";		string message = "Hello World!";
	string ciphertext = EncryptMessage(		string ciphertext = EncryptMessage(
	message,		message,
	@@ -2170,13 +2188,13 @@ TEST_F(EncryptionOperationsTest, RsaOaepTooLarge) {
	.Authorization(TAG_NO_AUTH_REQUIRED)		.Authorization(TAG_NO_AUTH_REQUIRED)
	.RsaEncryptionKey(1024, 65537)		.RsaEncryptionKey(1024, 65537)
	.Padding(PaddingMode::RSA_OAEP)		.Padding(PaddingMode::RSA_OAEP)
	.Digest(Digest::SHA1)));		.Digest(Digest::SHA_2_256)));
	constexpr size_t digest_size = 160 /* SHA1 */ / 8;		constexpr size_t digest_size = 256 /* SHA_2_256 */ / 8;
	constexpr size_t oaep_overhead = 2 * digest_size + 2;		constexpr size_t oaep_overhead = 2 * digest_size + 2;
	string message(1024 / 8 - oaep_overhead + 1, 'a');		string message(1024 / 8 - oaep_overhead + 1, 'a');
	EXPECT_EQ(ErrorCode::OK,		EXPECT_EQ(ErrorCode::OK,
	Begin(KeyPurpose::ENCRYPT,		Begin(KeyPurpose::ENCRYPT,
	AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA1)));		AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA_2_256)));
	string result;		string result;
	EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result));		EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result));
	EXPECT_EQ(0U, result.size());		EXPECT_EQ(0U, result.size());