am bd5015e0: Merge "Add support for DSA and ECDSA key types"

* commit 'bd5015e0f3b79d8b8e7f9b1926bbf76985ac8c61':
  Add support for DSA and ECDSA key types
This commit is contained in:
Kenny Root 2013-09-03 00:14:20 -07:00 committed by Android Git Automerger
commit a928d816a4
2 changed files with 386 additions and 42 deletions

View file

@ -37,7 +37,7 @@ __BEGIN_DECLS
* module to recognize which API level of the client it is dealing with in
* the case of pre-compiled binary clients.
*/
#define KEYMASTER_API_VERSION 1
#define KEYMASTER_API_VERSION 2
/**
* Flags for keymaster_device::flags
@ -62,6 +62,8 @@ struct keystore_module {
*/
typedef enum {
TYPE_RSA = 1,
TYPE_DSA = 2,
TYPE_EC = 3,
} keymaster_keypair_t;
/**
@ -73,11 +75,42 @@ typedef struct {
} keymaster_rsa_keygen_params_t;
/**
* Digest type used for RSA operations.
* Parameters needed to generate a DSA key.
*/
typedef struct {
uint32_t key_size;
uint32_t generator_len;
uint32_t prime_p_len;
uint32_t prime_q_len;
const uint8_t* generator;
const uint8_t* prime_p;
const uint8_t* prime_q;
} keymaster_dsa_keygen_params_t;
/**
* Parameters needed to generate an EC key.
*
* Field size is the only parameter in version 2. The sizes correspond to these required curves:
*
* 192 = NIST P-192
* 224 = NIST P-224
* 256 = NIST P-256
* 384 = NIST P-384
* 521 = NIST P-521
*
* The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf
* in Chapter 4.
*/
typedef struct {
uint32_t field_size;
} keymaster_ec_keygen_params_t;
/**
* Digest type.
*/
typedef enum {
DIGEST_NONE,
} keymaster_rsa_digest_t;
} keymaster_digest_t;
/**
* Type of padding used for RSA operations.
@ -86,8 +119,17 @@ typedef enum {
PADDING_NONE,
} keymaster_rsa_padding_t;
typedef struct {
keymaster_rsa_digest_t digest_type;
keymaster_digest_t digest_type;
} keymaster_dsa_sign_params_t;
typedef struct {
keymaster_digest_t digest_type;
} keymaster_ec_sign_params_t;
typedef struct {
keymaster_digest_t digest_type;
keymaster_rsa_padding_t padding_type;
} keymaster_rsa_sign_params_t;

View file

@ -186,12 +186,20 @@ struct RSA_Delete {
};
typedef UniquePtr<RSA, RSA_Delete> Unique_RSA;
struct EC_KEY_Delete {
void operator()(EC_KEY* p) const {
EC_KEY_free(p);
}
};
typedef UniquePtr<EC_KEY, EC_KEY_Delete> Unique_EC_KEY;
/*
* DER-encoded PKCS#8 format RSA key. Generated using:
*
* openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1
*/
static uint8_t TEST_KEY_1[] = {
static uint8_t TEST_RSA_KEY_1[] = {
0x30, 0x82, 0x04, 0xBE, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A,
0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
0x04, 0xA8, 0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01,
@ -296,6 +304,27 @@ static uint8_t TEST_KEY_1[] = {
0xDE, 0x3B, 0xF1, 0x70, 0x23, 0xE5,
};
/*
* DER-encoded PKCS#8 format EC key. Generated using:
*
* openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1
*/
static uint8_t TEST_EC_KEY_1[] = {
0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86,
0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D,
0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x01, 0x04, 0x20,
0x25, 0xAC, 0x77, 0x2B, 0x04, 0x33, 0xC8, 0x16, 0x59, 0xA3, 0xC7, 0xE7,
0x11, 0x42, 0xD0, 0x11, 0x71, 0x30, 0x7B, 0xB8, 0xD2, 0x67, 0xFF, 0x9C,
0x5F, 0x50, 0x2E, 0xAB, 0x67, 0xD4, 0x17, 0x51, 0xA1, 0x44, 0x03, 0x42,
0x00, 0x04, 0xCF, 0xCE, 0xB8, 0x7F, 0x88, 0x36, 0xC4, 0xF8, 0x51, 0x29,
0xE2, 0xA7, 0x21, 0xC3, 0x3B, 0xFF, 0x88, 0xE3, 0x87, 0x98, 0xD1, 0xA6,
0x4B, 0xB3, 0x4B, 0xD5, 0x44, 0xF8, 0xE0, 0x43, 0x6B, 0x50, 0x74, 0xFB,
0xB0, 0xAD, 0x41, 0x1C, 0x11, 0x9D, 0xC6, 0x1E, 0x83, 0x8C, 0x49, 0xCA,
0xBE, 0xC6, 0xCE, 0xB6, 0xC9, 0xA1, 0xBF, 0x69, 0xA9, 0xA0, 0xA3, 0x80,
0x14, 0x39, 0x57, 0x94, 0xDA, 0x5D
};
/*
* Generated using keys on the keyboard and lack of imagination.
*/
@ -314,6 +343,9 @@ public:
ASSERT_EQ(0, keymaster_open(mod, &sDevice))
<< "Should be able to open the keymaster device";
ASSERT_EQ(2U, sDevice->client_version)
<< "Keymaster should implement API version 2";
ASSERT_TRUE(sDevice->generate_keypair != NULL)
<< "Should implement generate_keypair";
@ -343,11 +375,23 @@ keymaster_device_t* KeymasterBaseTest::sDevice = NULL;
class KeymasterTest : public KeymasterBaseTest {
};
class KeymasterGenerateTest : public KeymasterBaseTest,
class KeymasterAllTypesTest : public KeymasterBaseTest,
public ::testing::WithParamInterface<keymaster_keypair_t> {
};
class KeymasterGenerateRSATest : public KeymasterBaseTest,
public ::testing::WithParamInterface<uint32_t> {
};
TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) {
class KeymasterGenerateDSATest : public KeymasterBaseTest,
public ::testing::WithParamInterface<uint32_t> {
};
class KeymasterGenerateECTest : public KeymasterBaseTest,
public ::testing::WithParamInterface<uint32_t> {
};
TEST_P(KeymasterGenerateRSATest, GenerateKeyPair_RSA_Success) {
keymaster_keypair_t key_type = TYPE_RSA;
keymaster_rsa_keygen_params_t params = {
modulus_size: GetParam(),
@ -359,7 +403,7 @@ TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) {
ASSERT_EQ(0,
sDevice->generate_keypair(sDevice, key_type, &params, &key_blob, &key_blob_length))
<< "Should generate an RSA key with 512 bit modulus size";
<< "Should generate an RSA key with " << GetParam() << " bit modulus size";
UniqueKey key(&sDevice, key_blob, key_blob_length);
uint8_t* x509_data = NULL;
@ -386,25 +430,77 @@ TEST_P(KeymasterGenerateTest, GenerateKeyPair_RSA_Success) {
ASSERT_EQ(static_cast<unsigned long>(RSA_F4), BN_get_word(rsa.get()->e))
<< "Exponent should be RSA_F4";
ASSERT_EQ(GetParam() / 8, static_cast<uint32_t>(RSA_size(rsa.get())))
ASSERT_EQ((GetParam() + 7) / 8, static_cast<uint32_t>(RSA_size(rsa.get())))
<< "Modulus size should be the specified parameter";
}
INSTANTIATE_TEST_CASE_P(RSA,
KeymasterGenerateTest,
KeymasterGenerateRSATest,
::testing::Values(512U, 1024U, 2048U, 3072U, 4096U));
TEST_F(KeymasterTest, GenerateKeyPair_RSA_NullParams_Failure) {
keymaster_keypair_t key_type = TYPE_RSA;
TEST_P(KeymasterGenerateECTest, GenerateKeyPair_EC_Success) {
keymaster_keypair_t key_type = TYPE_EC;
keymaster_ec_keygen_params_t params = {
field_size: GetParam(),
};
uint8_t* key_blob;
size_t key_blob_length;
ASSERT_EQ(0,
sDevice->generate_keypair(sDevice, key_type, &params, &key_blob, &key_blob_length))
<< "Should generate an EC key with " << GetParam() << " field size";
UniqueKey key(&sDevice, key_blob, key_blob_length);
uint8_t* x509_data = NULL;
size_t x509_data_length;
ASSERT_EQ(0,
sDevice->get_keypair_public(sDevice, key_blob, key_blob_length,
&x509_data, &x509_data_length))
<< "Should be able to retrieve EC public key successfully";
UniqueBlob x509_blob(x509_data, x509_data_length);
ASSERT_FALSE(x509_blob.get() == NULL)
<< "X509 data should be allocated";
const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get());
Unique_EVP_PKEY actual(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp,
static_cast<long>(x509_blob.length())));
ASSERT_EQ(EVP_PKEY_EC, EVP_PKEY_type(actual.get()->type))
<< "Generated key type should be of type EC";
Unique_EC_KEY ecKey(EVP_PKEY_get1_EC_KEY(actual.get()));
ASSERT_FALSE(ecKey.get() == NULL)
<< "Should be able to extract EC key from EVP_PKEY";
ASSERT_FALSE(EC_KEY_get0_group(ecKey.get()) == NULL)
<< "EC key should have a EC_GROUP";
ASSERT_TRUE(EC_KEY_check_key(ecKey.get()))
<< "EC key should check correctly";
}
INSTANTIATE_TEST_CASE_P(EC,
KeymasterGenerateECTest,
::testing::Values(192U, 224U, 256U, 384U, 521U));
TEST_P(KeymasterAllTypesTest, GenerateKeyPair_NullParams_Failure) {
keymaster_keypair_t key_type = GetParam();
uint8_t* key_blob;
size_t key_blob_length;
ASSERT_EQ(-1,
sDevice->generate_keypair(sDevice, key_type, NULL, &key_blob, &key_blob_length))
<< "Should not be able to generate an RSA key with null params";
<< "Should not be able to generate a key with null params";
}
INSTANTIATE_TEST_CASE_P(Types,
KeymasterAllTypesTest,
::testing::Values(TYPE_RSA, TYPE_DSA, TYPE_EC));
TEST_F(KeymasterTest, GenerateKeyPair_UnknownType_Failure) {
keymaster_keypair_t key_type = static_cast<keymaster_keypair_t>(0xFFFF);
@ -421,7 +517,7 @@ TEST_F(KeymasterTest, ImportKeyPair_RSA_Success) {
size_t key_blob_length;
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, TEST_KEY_1, sizeof(TEST_KEY_1),
sDevice->import_keypair(sDevice, TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1),
&key_blob, &key_blob_length))
<< "Should successfully import an RSA key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
@ -441,10 +537,46 @@ TEST_F(KeymasterTest, ImportKeyPair_RSA_Success) {
ASSERT_EQ(EVP_PKEY_type(actual.get()->type), EVP_PKEY_RSA)
<< "Generated key type should be of type RSA";
const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_KEY_1);
const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_RSA_KEY_1);
Unique_PKCS8_PRIV_KEY_INFO expectedPkcs8(
d2i_PKCS8_PRIV_KEY_INFO((PKCS8_PRIV_KEY_INFO**) NULL, &expectedTmp,
sizeof(TEST_KEY_1)));
sizeof(TEST_RSA_KEY_1)));
Unique_EVP_PKEY expected(EVP_PKCS82PKEY(expectedPkcs8.get()));
ASSERT_EQ(1, EVP_PKEY_cmp(expected.get(), actual.get()))
<< "Expected and actual keys should match";
}
TEST_F(KeymasterTest, ImportKeyPair_EC_Success) {
uint8_t* key_blob;
size_t key_blob_length;
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1),
&key_blob, &key_blob_length))
<< "Should successfully import an EC key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
uint8_t* x509_data;
size_t x509_data_length;
ASSERT_EQ(0,
sDevice->get_keypair_public(sDevice, key_blob, key_blob_length,
&x509_data, &x509_data_length))
<< "Should be able to retrieve EC public key successfully";
UniqueBlob x509_blob(x509_data, x509_data_length);
const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get());
Unique_EVP_PKEY actual(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp,
static_cast<long>(x509_blob.length())));
ASSERT_EQ(EVP_PKEY_type(actual.get()->type), EVP_PKEY_EC)
<< "Generated key type should be of type EC";
const unsigned char *expectedTmp = static_cast<const unsigned char*>(TEST_EC_KEY_1);
Unique_PKCS8_PRIV_KEY_INFO expectedPkcs8(
d2i_PKCS8_PRIV_KEY_INFO((PKCS8_PRIV_KEY_INFO**) NULL, &expectedTmp,
sizeof(TEST_EC_KEY_1)));
Unique_EVP_PKEY expected(EVP_PKCS82PKEY(expectedPkcs8.get()));
@ -476,7 +608,7 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -494,7 +626,29 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_Success) {
UniqueBlob x509_blob(x509_data, x509_data_length);
}
TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullKey_Failure) {
TEST_F(KeymasterTest, GetKeypairPublic_EC_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, testKey.get(), testKey.length(),
&key_blob, &key_blob_length))
<< "Should successfully import an EC key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
uint8_t* x509_data;
size_t x509_data_length;
ASSERT_EQ(0,
sDevice->get_keypair_public(sDevice, key_blob, key_blob_length,
&x509_data, &x509_data_length))
<< "Should be able to retrieve EC public key successfully";
UniqueBlob x509_blob(x509_data, x509_data_length);
}
TEST_F(KeymasterTest, GetKeypairPublic_NullKey_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
@ -503,7 +657,7 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullKey_Failure) {
ASSERT_EQ(-1,
sDevice->get_keypair_public(sDevice, NULL, 0,
&x509_data, &x509_data_length))
<< "Should not be able to retrieve RSA public key from null key";
<< "Should not be able to retrieve public key from null key";
UniqueBlob x509_blob(x509_data, x509_data_length);
}
@ -511,7 +665,26 @@ TEST_F(KeymasterTest, GetKeypairPublic_RSA_NullDestination_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, testKey.get(), testKey.length(),
&key_blob, &key_blob_length))
<< "Should successfully import an RSA key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
ASSERT_EQ(-1,
sDevice->get_keypair_public(sDevice, key.get(), key.length(),
NULL, NULL))
<< "Should not be able to succeed with NULL destination blob";
}
TEST_F(KeymasterTest, GetKeypairPublic_EC_NullDestination_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_EC_KEY_1, sizeof(TEST_EC_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -530,7 +703,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -544,7 +717,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_DoubleDelete_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testKey(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
/*
@ -582,7 +755,7 @@ TEST_F(KeymasterTest, DeleteKeyPair_RSA_NullKey_Failure) {
*
* openssl genrsa 512 | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1
*/
static uint8_t TEST_SIGN_KEY_1[] = {
static uint8_t TEST_SIGN_RSA_KEY_1[] = {
0x30, 0x82, 0x01, 0x56, 0x02, 0x01, 0x00, 0x30, 0x0D, 0x06, 0x09, 0x2A,
0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
0x01, 0x40, 0x30, 0x82, 0x01, 0x3C, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
@ -614,6 +787,26 @@ static uint8_t TEST_SIGN_KEY_1[] = {
0x68, 0x68, 0xC8, 0x60, 0xB3, 0x66, 0xC8, 0xF9, 0x08, 0x9A,
};
/*
* DER-encoded PKCS#8 format EC key. Generated using:
*
* openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt -outform der | recode ../x1
*/
static uint8_t TEST_SIGN_EC_KEY_1[] = {
0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86,
0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D,
0x03, 0x01, 0x07, 0x04, 0x6D, 0x30, 0x6B, 0x02, 0x01, 0x01, 0x04, 0x20,
0x9E, 0x66, 0x11, 0x6A, 0x89, 0xF5, 0x78, 0x57, 0xF3, 0x35, 0xA2, 0x46,
0x09, 0x06, 0x4B, 0x4D, 0x81, 0xEC, 0xD3, 0x9B, 0x0A, 0xC4, 0x68, 0x06,
0xB8, 0x42, 0x24, 0x5E, 0x74, 0x2C, 0x62, 0x79, 0xA1, 0x44, 0x03, 0x42,
0x00, 0x04, 0x35, 0xB5, 0x9A, 0x5C, 0xE5, 0x52, 0x35, 0xF2, 0x10, 0x6C,
0xD9, 0x98, 0x67, 0xED, 0x5E, 0xCB, 0x6B, 0xB8, 0x96, 0x5E, 0x54, 0x7C,
0x34, 0x2A, 0xA3, 0x3B, 0xF3, 0xD1, 0x39, 0x48, 0x36, 0x7A, 0xEA, 0xD8,
0xCA, 0xDD, 0x40, 0x8F, 0xE9, 0xE0, 0x95, 0x2E, 0x3F, 0x95, 0x0F, 0x14,
0xD6, 0x14, 0x78, 0xB5, 0xAD, 0x17, 0xD2, 0x5A, 0x41, 0x96, 0x99, 0x20,
0xC7, 0x5B, 0x0F, 0x60, 0xFD, 0xBA
};
/*
* PKCS#1 v1.5 padded raw "Hello, world" Can be generated be generated by verifying
* the signature below in no padding mode:
@ -630,11 +823,11 @@ static uint8_t TEST_SIGN_DATA_1[] = {
};
/*
* Signature of TEST_SIGN_DATA_1 using TEST_SIGN_KEY_1. Generated using:
* Signature of TEST_SIGN_DATA_1 using TEST_SIGN_RSA_KEY_1. Generated using:
*
* echo 'Hello, world' | openssl rsautl -keyform der -inkey rsa.der -sign | recode ../x1
*/
static uint8_t TEST_SIGN_SIGNATURE_1[] = {
static uint8_t TEST_SIGN_RSA_SIGNATURE_1[] = {
0xA4, 0xBB, 0x76, 0x87, 0xFE, 0x61, 0x0C, 0x9D, 0xD6, 0xFF, 0x4B, 0x76,
0x96, 0x08, 0x36, 0x23, 0x11, 0xC6, 0x44, 0x3F, 0x88, 0x77, 0x97, 0xB2,
0xA8, 0x3B, 0xFB, 0x9C, 0x3C, 0xD3, 0x20, 0x65, 0xFD, 0x26, 0x3B, 0x2A,
@ -644,7 +837,7 @@ static uint8_t TEST_SIGN_SIGNATURE_1[] = {
};
/*
* Identical to TEST_SIGN_SIGNATURE_1 except the last octet is '1' instead of '0'
* Identical to TEST_SIGN_RSA_SIGNATURE_1 except the last octet is '1' instead of '0'
* This should fail any test.
*/
static uint8_t TEST_SIGN_SIGNATURE_BOGUS_1[] = {
@ -660,7 +853,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -687,7 +880,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) {
<< "Should sign data successfully";
UniqueBlob sig_blob(sig, sig_length);
UniqueBlob expected_sig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1));
UniqueBlob expected_sig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1));
ASSERT_EQ(expected_sig, sig_blob)
<< "Generated signature should match expected signature";
@ -696,11 +889,59 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_Success) {
uint8_t* unused __attribute__((unused)) = expected_sig.release();
}
TEST_F(KeymasterTest, SignData_EC_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, testKey.get(), testKey.length(),
&key_blob, &key_blob_length))
<< "Should successfully import an EC key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
keymaster_ec_sign_params_t params = {
digest_type: DIGEST_NONE,
};
uint8_t* sig;
size_t sig_length;
UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1));
ASSERT_TRUE(testData.get() != NULL);
ASSERT_EQ(0,
sDevice->sign_data(sDevice, &params, key_blob, key_blob_length,
testData.get(), testData.length(),
&sig, &sig_length))
<< "Should sign data successfully";
UniqueBlob sig_blob(sig, sig_length);
uint8_t* x509_data;
size_t x509_data_length;
ASSERT_EQ(0,
sDevice->get_keypair_public(sDevice, key_blob, key_blob_length,
&x509_data, &x509_data_length))
<< "Should be able to retrieve RSA public key successfully";
UniqueBlob x509_blob(x509_data, x509_data_length);
const unsigned char *tmp = static_cast<const unsigned char*>(x509_blob.get());
Unique_EVP_PKEY expected(d2i_PUBKEY((EVP_PKEY**) NULL, &tmp,
static_cast<long>(x509_blob.length())));
Unique_EC_KEY ecKey(EVP_PKEY_get1_EC_KEY(expected.get()));
ASSERT_EQ(1, ECDSA_verify(0, testData.get(), testData.length(), sig_blob.get(), sig_blob.length(), ecKey.get()))
<< "Signature should verify";
}
TEST_F(KeymasterTest, SignData_RSA_Raw_InvalidSizeInput_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -717,7 +958,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_InvalidSizeInput_Failure) {
uint8_t* sig;
size_t sig_length;
UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testData.get() != NULL);
ASSERT_EQ(-1,
@ -736,7 +977,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullKey_Failure) {
uint8_t* sig;
size_t sig_length;
UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testData.get() != NULL);
ASSERT_EQ(-1,
@ -750,7 +991,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullInput_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -778,7 +1019,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullOutput_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -795,7 +1036,7 @@ TEST_F(KeymasterTest, SignData_RSA_Raw_NullOutput_Failure) {
uint8_t* sig;
size_t sig_length;
UniqueReadOnlyBlob testData(TEST_KEY_1, sizeof(TEST_KEY_1));
UniqueReadOnlyBlob testData(TEST_RSA_KEY_1, sizeof(TEST_RSA_KEY_1));
ASSERT_TRUE(testData.get() != NULL);
ASSERT_EQ(-1,
@ -809,7 +1050,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -826,7 +1067,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) {
UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1));
ASSERT_TRUE(testData.get() != NULL);
UniqueReadOnlyBlob testSig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1));
UniqueReadOnlyBlob testSig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1));
ASSERT_TRUE(testSig.get() != NULL);
ASSERT_EQ(0,
@ -836,11 +1077,48 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_Success) {
<< "Should verify data successfully";
}
TEST_F(KeymasterTest, VerifyData_EC_Raw_Success) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, testKey.get(), testKey.length(),
&key_blob, &key_blob_length))
<< "Should successfully import an RSA key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
keymaster_ec_sign_params_t params = {
digest_type: DIGEST_NONE,
};
uint8_t* sig;
size_t sig_length;
UniqueReadOnlyBlob testData(TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1));
ASSERT_TRUE(testData.get() != NULL);
ASSERT_EQ(0,
sDevice->sign_data(sDevice, &params, key_blob, key_blob_length,
testData.get(), testData.length(),
&sig, &sig_length))
<< "Should sign data successfully";
UniqueBlob sig_blob(sig, sig_length);
ASSERT_EQ(0,
sDevice->verify_data(sDevice, &params, key_blob, key_blob_length,
testData.get(), testData.length(),
sig_blob.get(), sig_blob.length()))
<< "Should verify data successfully";
}
TEST_F(KeymasterTest, VerifyData_RSA_Raw_BadSignature_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -861,6 +1139,30 @@ TEST_F(KeymasterTest, VerifyData_RSA_Raw_BadSignature_Failure) {
<< "Should sign data successfully";
}
TEST_F(KeymasterTest, VerifyData_EC_Raw_BadSignature_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_EC_KEY_1, sizeof(TEST_SIGN_EC_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, testKey.get(), testKey.length(),
&key_blob, &key_blob_length))
<< "Should successfully import an RSA key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
keymaster_ec_sign_params_t params = {
digest_type: DIGEST_NONE,
};
ASSERT_EQ(-1,
sDevice->verify_data(sDevice, &params, key_blob, key_blob_length,
TEST_SIGN_DATA_1, sizeof(TEST_SIGN_DATA_1),
TEST_SIGN_SIGNATURE_BOGUS_1, sizeof(TEST_SIGN_SIGNATURE_BOGUS_1)))
<< "Should sign data successfully";
}
TEST_F(KeymasterTest, VerifyData_RSA_Raw_NullKey_Failure) {
keymaster_rsa_sign_params_t params = {
digest_type: DIGEST_NONE,
@ -885,7 +1187,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullInput_Failure) {
size_t key_blob_length;
ASSERT_EQ(0,
sDevice->import_keypair(sDevice, TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1),
sDevice->import_keypair(sDevice, TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1),
&key_blob, &key_blob_length))
<< "Should successfully import an RSA key";
UniqueKey key(&sDevice, key_blob, key_blob_length);
@ -895,7 +1197,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullInput_Failure) {
padding_type: PADDING_NONE,
};
UniqueReadOnlyBlob testSig(TEST_SIGN_SIGNATURE_1, sizeof(TEST_SIGN_SIGNATURE_1));
UniqueReadOnlyBlob testSig(TEST_SIGN_RSA_SIGNATURE_1, sizeof(TEST_SIGN_RSA_SIGNATURE_1));
ASSERT_TRUE(testSig.get() != NULL);
ASSERT_EQ(-1,
@ -909,7 +1211,7 @@ TEST_F(KeymasterTest, VerifyData_RSA_NullSignature_Failure) {
uint8_t* key_blob;
size_t key_blob_length;
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -942,7 +1244,7 @@ TEST_F(KeymasterTest, EraseAll_Success) {
return;
}
UniqueReadOnlyBlob testKey(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey.get() != NULL);
ASSERT_EQ(0,
@ -951,7 +1253,7 @@ TEST_F(KeymasterTest, EraseAll_Success) {
<< "Should successfully import an RSA key";
UniqueKey key1(&sDevice, key1_blob, key1_blob_length);
UniqueReadOnlyBlob testKey2(TEST_SIGN_KEY_1, sizeof(TEST_SIGN_KEY_1));
UniqueReadOnlyBlob testKey2(TEST_SIGN_RSA_KEY_1, sizeof(TEST_SIGN_RSA_KEY_1));
ASSERT_TRUE(testKey2.get() != NULL);
ASSERT_EQ(0,