diff options
| author | Kenny Root <kroot@google.com> | 2013-09-03 07:11:08 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2013-09-03 07:11:08 +0000 |
| commit | bd5015e0f3b79d8b8e7f9b1926bbf76985ac8c61 (patch) | |
| tree | b1ce01ba014947c20f1e3b1c4a06b8a509dc9d5e | |
| parent | cb7f5b94a3d683f297ddf839ca4aa897e0927139 (diff) | |
| parent | 6e1683f5d508a4c1ff761a9a3508619ac5ac6ed7 (diff) | |
| download | libhardware-tools_r22.2.tar.gz | |
Merge "Add support for DSA and ECDSA key types"tools_r22.2
| -rw-r--r-- | include/hardware/keymaster.h | 50 | ||||
| -rw-r--r-- | tests/keymaster/keymaster_test.cpp | 378 |
2 files changed, 386 insertions, 42 deletions
diff --git a/include/hardware/keymaster.h b/include/hardware/keymaster.h index e0014c8a..968beb96 100644 --- a/include/hardware/keymaster.h +++ b/include/hardware/keymaster.h @@ -37,7 +37,7 @@ __BEGIN_DECLS * module to recognize which API level of the client it is dealing with in * the case of pre-compiled binary clients. */ -#define KEYMASTER_API_VERSION 1 +#define KEYMASTER_API_VERSION 2 /** * Flags for keymaster_device::flags @@ -62,6 +62,8 @@ struct keystore_module { */ typedef enum { TYPE_RSA = 1, + TYPE_DSA = 2, + TYPE_EC = 3, } keymaster_keypair_t; /** @@ -73,11 +75,42 @@ typedef struct { } keymaster_rsa_keygen_params_t; /** - * Digest type used for RSA operations. + * Parameters needed to generate a DSA key. + */ +typedef struct { + uint32_t key_size; + uint32_t generator_len; + uint32_t prime_p_len; + uint32_t prime_q_len; + const uint8_t* generator; + const uint8_t* prime_p; + const uint8_t* prime_q; +} keymaster_dsa_keygen_params_t; + +/** + * Parameters needed to generate an EC key. + * + * Field size is the only parameter in version 2. The sizes correspond to these required curves: + * + * 192 = NIST P-192 + * 224 = NIST P-224 + * 256 = NIST P-256 + * 384 = NIST P-384 + * 521 = NIST P-521 + * + * The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf + * in Chapter 4. + */ +typedef struct { + uint32_t field_size; +} keymaster_ec_keygen_params_t; + +/** + * Digest type. */ typedef enum { DIGEST_NONE, -} keymaster_rsa_digest_t; +} keymaster_digest_t; /** * Type of padding used for RSA operations. @@ -86,8 +119,17 @@ typedef enum { PADDING_NONE, } keymaster_rsa_padding_t; + +typedef struct { + keymaster_digest_t digest_type; +} keymaster_dsa_sign_params_t; + +typedef struct { + keymaster_digest_t digest_type; +} keymaster_ec_sign_params_t; + typedef struct { - keymaster_rsa_digest_t digest_type; + keymaster_digest_t digest_type; keymaster_rsa_padding_t padding_type; } keymaster_rsa_sign_params_t; diff --git a/tests/keymaster/keymaster_test.cpp b/tests/keymaster/keymaster_test.cpp index 0046ea48..b3d3f359 100644 --- a/tests/keymaster/keymaster_test.cpp +++ b/tests/keymaster/keymaster_test.cpp @@ -186,12 +186,20 @@ struct RSA_Delete { }; typedef UniquePtr<RSA, RSA_Delete> Unique_RSA; +struct EC_KEY_Delete { + void operator()(EC_KEY* p) const { + EC_KEY_free(p); + } +}; +typedef UniquePtr<EC_KEY, EC_KEY_Delete> Unique_EC_KEY; + + /* * DER-encoded PKCS#8 format RSA key. Generated using: * * openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1 */ -static uint8_t TEST_KEY_1[] = { +static uint8_t TEST_RSA_KEY_1[] = { 0x30, 0x82, 0x04, 0xBE, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x04, 0xA8, 0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, @@ -297,6 +305,27 @@ static uint8_t TEST_KEY_1[] = { }; /* + * DER-encoded PKCS#8 format EC key. Generated using: + * + * openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1 + */ +static uint8_t TEST_EC_KEY_1[] = { + 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, + 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x25, 0xAC, 0x77, 0x2B, 0x04, 0x33, 0xC8, 0x16, 0x59, 0xA3, 0xC7, 0xE7, + 0x11, 0x42, 0xD0, 0x11, 0x71, 0x30, 0x7B, 0xB8, 0xD2, 0x67, 0xFF, 0x9C, + 0x5F, 0x50, 0x2E, 0xAB, 0x67, 0xD4, 0x17, 0x51, 0xA1, 0x44, 0x03, 0x42, + 0x00, 0x04, 0xCF, 0xCE, 0xB8, 0x7F, 0x88, 0x36, 0xC4, 0xF8, 0x51, 0x29, + 0xE2, 0xA7, 0x21, 0xC3, 0x3B, 0xFF, 0x88, 0xE3, 0x87, 0x98, 0xD1, 0xA6, + 0x4B, 0xB3, 0x4B, 0xD5, 0x44, 0xF8, 0xE0, 0x43, 0x6B, 0x50, 0x74, 0xFB, + 0xB0, 0xAD, 0x41, 0x1C, 0x11, 0x9D, 0xC6, 0x1E, 0x83, 0x8C, 0x49, 0xCA, + 0xBE, 0xC6, 0xCE, 0xB6, 0xC9, 0xA1, 0xBF, 0x69, 0xA9, 0xA0, 0xA3, 0x80, + 0x14, 0x39, 0x57, 0x94, 0xDA, 0x5D +}; + + +/* * Generated using keys on the keyboard and lack of imagination. */ static unsigned char BOGUS_KEY_1[] = { 0xFF, 0xFF, 0xFF, 0xFF }; @@ -314,6 +343,9 @@ public: ASSERT_EQ(0, keymaster_open(mod, &sDevice)) << "Should be able to open the keymaster device"; + ASSERT_EQ(2U, sDevice->client_version) + << "Keymaster should implement API version 2"; + ASSERT_TRUE(sDevice->generate_keypair != NULL) << "Should implement generate_keypair"; @@ -343,11 +375,23 @@ keymaster_device_t* KeymasterBaseTest::sDevice = NULL; class KeymasterTest : public KeymasterBaseTest { }; -class KeymasterGenerateTest : public KeymasterBaseTest, +class KeymasterAllTypesTest : public KeymasterBaseTest, + public ::testing::WithParamInterface<keymaster_keypair_t> { +}; + +class KeymasterGenerateRSATest : public KeymasterBaseTest, public ::testing::WithParamInterface<uint32_t> { }; -TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) { +class KeymasterGenerateDSATest : public KeymasterBaseTest, + public ::testing::WithParamInterface<uint32_t> { +}; + +class KeymasterGenerateECTest : public KeymasterBaseTest, + public ::testing::WithParamInterface<uint32_t> { +}; + +TEST_P(KeymasterGenerateRSATest, GenerateKeyPair_RSA_Success) { keymaster_keypair_t key_type = TYPE_RSA; keymaster_rsa_keygen_params_t params = { modulus_size: GetParam(), @@ -359,7 +403,7 @@ TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) { ASSERT_EQ(0, sDevice->generate_keypair(sDevice, key_type, ¶ms, &key_blob, &key_blob_length)) - << "Should generate an RSA key with 512 bit modulus size"; + << "Should generate an RSA key with " << GetParam() << " bit modulus size"; UniqueKey key(&sDevice, key_blob, key_blob_length); uint8_t* x509_data = NULL; @@ -386,25 +430,77 @@ TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) { ASSERT_EQ(static_cast<unsigned long>(RSA_F4), BN_get_word(rsa.get()->e)) << "Exponent should be RSA_F4"; - ASSERT_EQ(GetParam() / 8, static_cast<uint32_t>(RSA_size(rsa.get()))) + ASSERT_EQ((GetParam() + 7) / 8, static_cast<uint32_t>(RSA_size(rsa.get()))) << "Modulus size should be the specified parameter"; } INSTANTIATE_TEST_CASE_P(RSA, - KeymasterGenerateTest, + KeymasterGenerateRSATest, ::testing::Values(512U, 1024U, 2048U, 3072U, 4096U)); -TEST_F(KeymasterTest, GenerateKeyPair_RSA_NullParams_Failure) { - keymaster_keypair_t key_type = TYPE_RSA; + +TEST_P(KeymasterGenerateECTest, GenerateKeyPair_EC_Success) { + keymaster_keypair_t key_type = TYPE_EC; + keymaster_ec_keygen_params_t params = { + field_size: GetParam(), + }; + + uint8_t* key_blob; + size_t key_blob_length; + + ASSERT_EQ(0, + sDevice->generate_keypair(sDevice, key_type, ¶ms, &key_blob, &key_blob_length)) + << "Should generate an EC key with " << GetParam() << " field size"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + uint8_t* x509_data = NULL; + size_t x509_data_length; + ASSERT_EQ(0, + sDevice->get_keypair_public(sDevice, key_blob, key_blob_length, + &x509_data, &x509_data_length)) + << "Should be able to retrieve EC public key successfully"; + UniqueBlob x509_blob(x509_data, x509_data_length); + ASSERT_FALSE(x509_blob.get() == NULL) + << "X509 data should be allocated"; + + const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get()); + Unique_EVP_PKEY actual(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp, + static_cast<long>(x509_blob.length()))); + + ASSERT_EQ(EVP_PKEY_EC, EVP_PKEY_type(actual.get()->type)) + << "Generated key type should be of type EC"; + + Unique_EC_KEY ecKey(EVP_PKEY_get1_EC_KEY(actual.get())); + ASSERT_FALSE(ecKey.get() == NULL) + << "Should be able to extract EC key from EVP_PKEY"; + + ASSERT_FALSE(EC_KEY_get0_group(ecKey.get()) == NULL) + << "EC key should have a EC_GROUP"; + + ASSERT_TRUE(EC_KEY_check_key(ecKey.get())) + << "EC key should check correctly"; +} + +INSTANTIATE_TEST_CASE_P(EC, + KeymasterGenerateECTest, + ::testing::Values(192U, 224U, 256U, 384U, 521U)); + + +TEST_P(KeymasterAllTypesTest, GenerateKeyPair_NullParams_Failure) { + keymaster_keypair_t key_type = GetParam(); uint8_t* key_blob; size_t key_blob_length; ASSERT_EQ(-1, sDevice->generate_keypair(sDevice, key_type, NULL, &key_blob, &key_blob_length)) - << "Should not be able to generate an RSA key with null params"; + << "Should not be able to generate a key with null params"; } +INSTANTIATE_TEST_CASE_P(Types, + KeymasterAllTypesTest, + ::testing::Values(TYPE_RSA, TYPE_DSA, TYPE_EC)); + TEST_F(KeymasterTest, GenerateKeyPair_UnknownType_Failure) { keymaster_keypair_t key_type = static_cast<keymaster_keypair_t>(0xFFFF); @@ -421,7 +517,7 @@ TEST_F(KeymasterTest, ImportKeyPair_RSA_Success) { size_t key_blob_length; ASSERT_EQ(0, - sDevice->import_keypair(sDevice, TEST_KEY_1, sizeof(TEST_KEY_1), + sDevice->import_keypair(sDevice, TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1), &key_blob, &key_blob_length)) << "Should successfully import an RSA key"; UniqueKey key(&sDevice, key_blob, key_blob_length); @@ -441,10 +537,46 @@ TEST_F(KeymasterTest, ImportKeyPair_RSA_Success) { ASSERT_EQ(EVP_PKEY_type(actual.get()->type), EVP_PKEY_RSA) << "Generated key type should be of type RSA"; - const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_KEY_1); + const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_RSA_KEY_1); Unique_PKCS8_PRIV_KEY_INFO expectedPkcs8( d2i_PKCS8_PRIV_KEY_INFO((PKCS8_PRIV_KEY_INFO**) NULL, &expectedTmp, - sizeof(TEST_KEY_1))); + sizeof(TEST_RSA_KEY_1))); + + Unique_EVP_PKEY expected(EVP_PKCS82PKEY(expectedPkcs8.get())); + + ASSERT_EQ(1, EVP_PKEY_cmp(expected.get(), actual.get())) + << "Expected and actual keys should match"; +} + +TEST_F(KeymasterTest, ImportKeyPair_EC_Success) { + uint8_t* key_blob; + size_t key_blob_length; + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1), + &key_blob, &key_blob_length)) + << "Should successfully import an EC key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + uint8_t* x509_data; + size_t x509_data_length; + ASSERT_EQ(0, + sDevice->get_keypair_public(sDevice, key_blob, key_blob_length, + &x509_data, &x509_data_length)) + << "Should be able to retrieve EC public key successfully"; + UniqueBlob x509_blob(x509_data, x509_data_length); + + const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get()); + Unique_EVP_PKEY actual(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp, + static_cast<long>(x509_blob.length()))); + + ASSERT_EQ(EVP_PKEY_type(actual.get()->type), EVP_PKEY_EC) + << "Generated key type should be of type EC"; + + const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_EC_KEY_1); + Unique_PKCS8_PRIV_KEY_INFO expectedPkcs8( + d2i_PKCS8_PRIV_KEY_INFO((PKCS8_PRIV_KEY_INFO**) NULL, &expectedTmp, + sizeof(TEST_EC_KEY_1))); Unique_EVP_PKEY expected(EVP_PKCS82PKEY(expectedPkcs8.get())); @@ -476,7 +608,7 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_Success) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -494,7 +626,29 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_Success) { UniqueBlob x509_blob(x509_data, x509_data_length); } -TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullKey_Failure) { +TEST_F(KeymasterTest, GetKeypairPublic_EC_Success) { + uint8_t* key_blob; + size_t key_blob_length; + + UniqueReadOnlyBlob testKey(TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1)); + ASSERT_TRUE(testKey.get() != NULL); + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, testKey.get(), testKey.length(), + &key_blob, &key_blob_length)) + << "Should successfully import an EC key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + uint8_t* x509_data; + size_t x509_data_length; + ASSERT_EQ(0, + sDevice->get_keypair_public(sDevice, key_blob, key_blob_length, + &x509_data, &x509_data_length)) + << "Should be able to retrieve EC public key successfully"; + UniqueBlob x509_blob(x509_data, x509_data_length); +} + +TEST_F(KeymasterTest, GetKeypairPublic_NullKey_Failure) { uint8_t* key_blob; size_t key_blob_length; @@ -503,7 +657,7 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullKey_Failure) { ASSERT_EQ(-1, sDevice->get_keypair_public(sDevice, NULL, 0, &x509_data, &x509_data_length)) - << "Should not be able to retrieve RSA public key from null key"; + << "Should not be able to retrieve public key from null key"; UniqueBlob x509_blob(x509_data, x509_data_length); } @@ -511,7 +665,26 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullDestination_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); + ASSERT_TRUE(testKey.get() != NULL); + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, testKey.get(), testKey.length(), + &key_blob, &key_blob_length)) + << "Should successfully import an RSA key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + ASSERT_EQ(-1, + sDevice->get_keypair_public(sDevice, key.get(), key.length(), + NULL, NULL)) + << "Should not be able to succeed with NULL destination blob"; +} + +TEST_F(KeymasterTest, GetKeypairPublic_EC_NullDestination_Failure) { + uint8_t* key_blob; + size_t key_blob_length; + + UniqueReadOnlyBlob testKey(TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -530,7 +703,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_Success) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -544,7 +717,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_DoubleDelete_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); /* @@ -582,7 +755,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_NullKey_Failure) { * * openssl genrsa 512 | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1 */ -static uint8_t TEST_SIGN_KEY_1[] = { +static uint8_t TEST_SIGN_RSA_KEY_1[] = { 0x30, 0x82, 0x01, 0x56, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x40, 0x30, 0x82, 0x01, 0x3C, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00, @@ -615,6 +788,26 @@ static uint8_t TEST_SIGN_KEY_1[] = { }; /* + * DER-encoded PKCS#8 format EC key. Generated using: + * + * openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1 + */ +static uint8_t TEST_SIGN_EC_KEY_1[] = { + 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, + 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, + 0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x9E, 0x66, 0x11, 0x6A, 0x89, 0xF5, 0x78, 0x57, 0xF3, 0x35, 0xA2, 0x46, + 0x09, 0x06, 0x4B, 0x4D, 0x81, 0xEC, 0xD3, 0x9B, 0x0A, 0xC4, 0x68, 0x06, + 0xB8, 0x42, 0x24, 0x5E, 0x74, 0x2C, 0x62, 0x79, 0xA1, 0x44, 0x03, 0x42, + 0x00, 0x04, 0x35, 0xB5, 0x9A, 0x5C, 0xE5, 0x52, 0x35, 0xF2, 0x10, 0x6C, + 0xD9, 0x98, 0x67, 0xED, 0x5E, 0xCB, 0x6B, 0xB8, 0x96, 0x5E, 0x54, 0x7C, + 0x34, 0x2A, 0xA3, 0x3B, 0xF3, 0xD1, 0x39, 0x48, 0x36, 0x7A, 0xEA, 0xD8, + 0xCA, 0xDD, 0x40, 0x8F, 0xE9, 0xE0, 0x95, 0x2E, 0x3F, 0x95, 0x0F, 0x14, + 0xD6, 0x14, 0x78, 0xB5, 0xAD, 0x17, 0xD2, 0x5A, 0x41, 0x96, 0x99, 0x20, + 0xC7, 0x5B, 0x0F, 0x60, 0xFD, 0xBA +}; + +/* * PKCS#1 v1.5 padded raw "Hello, world" Can be generated be generated by verifying * the signature below in no padding mode: * @@ -630,11 +823,11 @@ static uint8_t TEST_SIGN_DATA_1[] = { }; /* - * Signature of TEST_SIGN_DATA_1 using TEST_SIGN_KEY_1. Generated using: + * Signature of TEST_SIGN_DATA_1 using TEST_SIGN_RSA_KEY_1. Generated using: * * echo 'Hello, world' | openssl rsautl -keyform der -inkey rsa.der -sign | recode ../x1 */ -static uint8_t TEST_SIGN_SIGNATURE_1[] = { +static uint8_t TEST_SIGN_RSA_SIGNATURE_1[] = { 0xA4, 0xBB, 0x76, 0x87, 0xFE, 0x61, 0x0C, 0x9D, 0xD6, 0xFF, 0x4B, 0x76, 0x96, 0x08, 0x36, 0x23, 0x11, 0xC6, 0x44, 0x3F, 0x88, 0x77, 0x97, 0xB2, 0xA8, 0x3B, 0xFB, 0x9C, 0x3C, 0xD3, 0x20, 0x65, 0xFD, 0x26, 0x3B, 0x2A, @@ -644,7 +837,7 @@ static uint8_t TEST_SIGN_SIGNATURE_1[] = { }; /* - * Identical to TEST_SIGN_SIGNATURE_1 except the last octet is '1' instead of '0' + * Identical to TEST_SIGN_RSA_SIGNATURE_1 except the last octet is '1' instead of '0' * This should fail any test. */ static uint8_t TEST_SIGN_SIGNATURE_BOGUS_1[] = { @@ -660,7 +853,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -687,7 +880,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) { << "Should sign data successfully"; UniqueBlob sig_blob(sig, sig_length); - UniqueBlob expected_sig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1)); + UniqueBlob expected_sig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1)); ASSERT_EQ(expected_sig, sig_blob) << "Generated signature should match expected signature"; @@ -696,11 +889,59 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) { uint8_t* unused __attribute__((unused)) = expected_sig.release(); } +TEST_F(KeymasterTest, SignData_EC_Success) { + uint8_t* key_blob; + size_t key_blob_length; + + UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1)); + ASSERT_TRUE(testKey.get() != NULL); + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, testKey.get(), testKey.length(), + &key_blob, &key_blob_length)) + << "Should successfully import an EC key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + keymaster_ec_sign_params_t params = { + digest_type: DIGEST_NONE, + }; + + uint8_t* sig; + size_t sig_length; + + UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1)); + ASSERT_TRUE(testData.get() != NULL); + + ASSERT_EQ(0, + sDevice->sign_data(sDevice, ¶ms, key_blob, key_blob_length, + testData.get(), testData.length(), + &sig, &sig_length)) + << "Should sign data successfully"; + UniqueBlob sig_blob(sig, sig_length); + + uint8_t* x509_data; + size_t x509_data_length; + ASSERT_EQ(0, + sDevice->get_keypair_public(sDevice, key_blob, key_blob_length, + &x509_data, &x509_data_length)) + << "Should be able to retrieve RSA public key successfully"; + UniqueBlob x509_blob(x509_data, x509_data_length); + + const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get()); + Unique_EVP_PKEY expected(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp, + static_cast<long>(x509_blob.length()))); + + Unique_EC_KEY ecKey(EVP_PKEY_get1_EC_KEY(expected.get())); + + ASSERT_EQ(1, ECDSA_verify(0, testData.get(), testData.length(), sig_blob.get(), sig_blob.length(), ecKey.get())) + << "Signature should verify"; +} + TEST_F(KeymasterTest, SignData_RSA_Raw_InvalidSizeInput_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -717,7 +958,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_InvalidSizeInput_Failure) { uint8_t* sig; size_t sig_length; - UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testData.get() != NULL); ASSERT_EQ(-1, @@ -736,7 +977,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullKey_Failure) { uint8_t* sig; size_t sig_length; - UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testData.get() != NULL); ASSERT_EQ(-1, @@ -750,7 +991,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullInput_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -778,7 +1019,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullOutput_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -795,7 +1036,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullOutput_Failure) { uint8_t* sig; size_t sig_length; - UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1)); + UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1)); ASSERT_TRUE(testData.get() != NULL); ASSERT_EQ(-1, @@ -809,7 +1050,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -826,7 +1067,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) { UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1)); ASSERT_TRUE(testData.get() != NULL); - UniqueReadOnlyBlob testSig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1)); + UniqueReadOnlyBlob testSig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1)); ASSERT_TRUE(testSig.get() != NULL); ASSERT_EQ(0, @@ -836,11 +1077,48 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) { << "Should verify data successfully"; } +TEST_F(KeymasterTest, VerifyData_EC_Raw_Success) { + uint8_t* key_blob; + size_t key_blob_length; + + UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1)); + ASSERT_TRUE(testKey.get() != NULL); + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, testKey.get(), testKey.length(), + &key_blob, &key_blob_length)) + << "Should successfully import an RSA key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + keymaster_ec_sign_params_t params = { + digest_type: DIGEST_NONE, + }; + + uint8_t* sig; + size_t sig_length; + + UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1)); + ASSERT_TRUE(testData.get() != NULL); + + ASSERT_EQ(0, + sDevice->sign_data(sDevice, ¶ms, key_blob, key_blob_length, + testData.get(), testData.length(), + &sig, &sig_length)) + << "Should sign data successfully"; + UniqueBlob sig_blob(sig, sig_length); + + ASSERT_EQ(0, + sDevice->verify_data(sDevice, ¶ms, key_blob, key_blob_length, + testData.get(), testData.length(), + sig_blob.get(), sig_blob.length())) + << "Should verify data successfully"; +} + TEST_F(KeymasterTest, VerifyData_RSA_Raw_BadSignature_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -861,6 +1139,30 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_BadSignature_Failure) { << "Should sign data successfully"; } +TEST_F(KeymasterTest, VerifyData_EC_Raw_BadSignature_Failure) { + uint8_t* key_blob; + size_t key_blob_length; + + UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1)); + ASSERT_TRUE(testKey.get() != NULL); + + ASSERT_EQ(0, + sDevice->import_keypair(sDevice, testKey.get(), testKey.length(), + &key_blob, &key_blob_length)) + << "Should successfully import an RSA key"; + UniqueKey key(&sDevice, key_blob, key_blob_length); + + keymaster_ec_sign_params_t params = { + digest_type: DIGEST_NONE, + }; + + ASSERT_EQ(-1, + sDevice->verify_data(sDevice, ¶ms, key_blob, key_blob_length, + TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1), + TEST_SIGN_SIGNATURE_BOGUS_1, sizeof(TEST_SIGN_SIGNATURE_BOGUS_1))) + << "Should sign data successfully"; +} + TEST_F(KeymasterTest, VerifyData_RSA_Raw_NullKey_Failure) { keymaster_rsa_sign_params_t params = { digest_type: DIGEST_NONE, @@ -885,7 +1187,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullInput_Failure) { size_t key_blob_length; ASSERT_EQ(0, - sDevice->import_keypair(sDevice, TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1), + sDevice->import_keypair(sDevice, TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1), &key_blob, &key_blob_length)) << "Should successfully import an RSA key"; UniqueKey key(&sDevice, key_blob, key_blob_length); @@ -895,7 +1197,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullInput_Failure) { padding_type: PADDING_NONE, }; - UniqueReadOnlyBlob testSig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1)); + UniqueReadOnlyBlob testSig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1)); ASSERT_TRUE(testSig.get() != NULL); ASSERT_EQ(-1, @@ -909,7 +1211,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullSignature_Failure) { uint8_t* key_blob; size_t key_blob_length; - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -942,7 +1244,7 @@ TEST_F(KeymasterTest, EraseAll_Success) { return; } - UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey.get() != NULL); ASSERT_EQ(0, @@ -951,7 +1253,7 @@ TEST_F(KeymasterTest, EraseAll_Success) { << "Should successfully import an RSA key"; UniqueKey key1(&sDevice, key1_blob, key1_blob_length); - UniqueReadOnlyBlob testKey2(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1)); + UniqueReadOnlyBlob testKey2(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1)); ASSERT_TRUE(testKey2.get() != NULL); ASSERT_EQ(0, |