diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp index f32a69ea8..6840baa54 100644 --- a/trusty/keymaster/Android.bp +++ b/trusty/keymaster/Android.bp @@ -14,70 +14,6 @@ // limitations under the License. // -// WARNING: Everything listed here will be built on ALL platforms, -// including x86, the emulator, and the SDK. Modules must be uniquely -// named (liblights.panda), and must build everywhere, or limit themselves -// to only building on ARM if they include assembly. Individual makefiles -// are responsible for having their own logic, for fine-grained control. - -// trusty_keymaster is a binary used only for on-device testing. It -// runs Trusty Keymaster through a basic set of operations with RSA -// and ECDSA keys. -cc_binary { - name: "trusty_keymaster_tipc", - vendor: true, - srcs: [ - "ipc/trusty_keymaster_ipc.cpp", - "legacy/trusty_keymaster_device.cpp", - "legacy/trusty_keymaster_main.cpp", - ], - cflags: [ - "-Wall", - "-Werror", - ], - - local_include_dirs: ["include"], - - shared_libs: [ - "libcrypto", - "libcutils", - "libkeymaster_portable", - "libtrusty", - "libkeymaster_messages", - "libsoftkeymasterdevice", - "liblog", - ], -} - -// keystore.trusty is the HAL used by keystore on Trusty devices. -cc_library_shared { - name: "keystore.trusty", - vendor: true, - relative_install_path: "hw", - srcs: [ - "ipc/trusty_keymaster_ipc.cpp", - "legacy/module.cpp", - "legacy/trusty_keymaster_device.cpp", - ], - - cflags: [ - "-fvisibility=hidden", - "-Wall", - "-Werror", - ], - - local_include_dirs: ["include"], - - shared_libs: [ - "libcrypto", - "libkeymaster_messages", - "libtrusty", - "liblog", - "libcutils", - ], - header_libs: ["libhardware_headers"], -} - cc_binary { name: "android.hardware.keymaster@3.0-service.trusty", defaults: ["hidl_defaults"], diff --git a/trusty/keymaster/legacy/Makefile b/trusty/keymaster/legacy/Makefile deleted file mode 100644 index f57538189..000000000 --- a/trusty/keymaster/legacy/Makefile +++ /dev/null @@ -1,199 +0,0 @@ -##### -# Local unit test Makefile -# -# This makefile builds and runs the trusty_keymaster unit tests locally on the development -# machine, not on an Android device. -# -# To build and run these tests, one pre-requisite must be manually installed: BoringSSL. -# This Makefile expects to find BoringSSL in a directory adjacent to $ANDROID_BUILD_TOP. -# To get and build it, first install the Ninja build tool (e.g. apt-get install -# ninja-build), then do: -# -# cd $ANDROID_BUILD_TOP/.. -# git clone https://boringssl.googlesource.com/boringssl -# cd boringssl -# mdkir build -# cd build -# cmake -GNinja .. -# ninja -# -# Then return to $ANDROID_BUILD_TOP/system/keymaster and run "make". -##### - -BASE=../../../.. -SUBS=system/core \ - system/keymaster \ - hardware/libhardware \ - external/gtest -GTEST=$(BASE)/external/gtest -KM=$(BASE)/system/keymaster - -INCLUDES=$(foreach dir,$(SUBS),-I $(BASE)/$(dir)/include) \ - -I $(BASE)/libnativehelper/include/nativehelper \ - -I ../tipc/include \ - -I $(BASE)/system/keymaster \ - -I $(GTEST) \ - -I$(BASE)/../boringssl/include - -ifdef USE_CLANG -CC=/usr/bin/clang -CXX=/usr/bin/clang -CLANG_TEST_DEFINE=-DKEYMASTER_CLANG_TEST_BUILD -COMPILER_SPECIFIC_ARGS=-std=c++11 $(CLANG_TEST_DEFINE) -else -COMPILER_SPECIFIC_ARGS=-std=c++0x -fprofile-arcs -endif - -CPPFLAGS=$(INCLUDES) -g -O0 -MD -CXXFLAGS=-Wall -Werror -Wno-unused -Winit-self -Wpointer-arith -Wunused-parameter \ - -Wmissing-declarations -ftest-coverage \ - -Wno-deprecated-declarations -fno-exceptions -DKEYMASTER_NAME_TAGS \ - $(COMPILER_SPECIFIC_ARGS) -LDLIBS=-L$(BASE)/../boringssl/build/crypto -lcrypto -lpthread -lstdc++ - -CPPSRCS=\ - $(KM)/aead_mode_operation.cpp \ - $(KM)/aes_key.cpp \ - $(KM)/aes_operation.cpp \ - $(KM)/android_keymaster.cpp \ - $(KM)/android_keymaster_messages.cpp \ - $(KM)/android_keymaster_messages_test.cpp \ - $(KM)/android_keymaster_test.cpp \ - $(KM)/android_keymaster_test_utils.cpp \ - $(KM)/android_keymaster_utils.cpp \ - $(KM)/asymmetric_key.cpp \ - $(KM)/auth_encrypted_key_blob.cpp \ - $(KM)/auth_encrypted_key_blob.cpp \ - $(KM)/authorization_set.cpp \ - $(KM)/authorization_set_test.cpp \ - $(KM)/ec_key.cpp \ - $(KM)/ec_keymaster0_key.cpp \ - $(KM)/ecdsa_operation.cpp \ - $(KM)/hmac_key.cpp \ - $(KM)/hmac_operation.cpp \ - $(KM)/integrity_assured_key_blob.cpp \ - $(KM)/key.cpp \ - $(KM)/key_blob_test.cpp \ - $(KM)/keymaster0_engine.cpp \ - $(KM)/logger.cpp \ - $(KM)/ocb_utils.cpp \ - $(KM)/openssl_err.cpp \ - $(KM)/openssl_utils.cpp \ - $(KM)/operation.cpp \ - $(KM)/operation_table.cpp \ - $(KM)/rsa_key.cpp \ - $(KM)/rsa_keymaster0_key.cpp \ - $(KM)/rsa_operation.cpp \ - $(KM)/serializable.cpp \ - $(KM)/soft_keymaster_context.cpp \ - $(KM)/symmetric_key.cpp \ - $(KM)/unencrypted_key_blob.cpp \ - trusty_keymaster_device.cpp \ - trusty_keymaster_device_test.cpp -CCSRCS=$(GTEST)/src/gtest-all.cc -CSRCS=ocb.c - -OBJS=$(CPPSRCS:.cpp=.o) $(CCSRCS:.cc=.o) $(CSRCS:.c=.o) -DEPS=$(CPPSRCS:.cpp=.d) $(CCSRCS:.cc=.d) $(CSRCS:.c=.d) -GCDA=$(CPPSRCS:.cpp=.gcda) $(CCSRCS:.cc=.gcda) $(CSRCS:.c=.gcda) -GCNO=$(CPPSRCS:.cpp=.gcno) $(CCSRCS:.cc=.gcno) $(CSRCS:.c=.gcno) - -LINK.o=$(LINK.cc) - -BINARIES=trusty_keymaster_device_test - -ifdef TRUSTY -BINARIES += trusty_keymaster_device_test -endif # TRUSTY - -.PHONY: coverage memcheck massif clean run - -%.run: % - ./$< - touch $@ - -run: $(BINARIES:=.run) - -coverage: coverage.info - genhtml coverage.info --output-directory coverage - -coverage.info: run - lcov --capture --directory=. --output-file coverage.info - -%.coverage : % - $(MAKE) clean && $(MAKE) $< - ./$< - lcov --capture --directory=. --output-file coverage.info - genhtml coverage.info --output-directory coverage - -#UNINIT_OPTS=--track-origins=yes -UNINIT_OPTS=--undef-value-errors=no - -MEMCHECK_OPTS=--leak-check=full \ - --show-reachable=yes \ - --vgdb=full \ - $(UNINIT_OPTS) \ - --error-exitcode=1 - -MASSIF_OPTS=--tool=massif \ - --stacks=yes - -%.memcheck : % - valgrind $(MEMCHECK_OPTS) ./$< && \ - touch $@ - -%.massif : % - valgrind $(MASSIF_OPTS) --massif-out-file=$@ ./$< - -memcheck: $(BINARIES:=.memcheck) - -massif: $(BINARIES:=.massif) - -trusty_keymaster_device_test: trusty_keymaster_device_test.o \ - trusty_keymaster_device.o \ - $(KM)/aead_mode_operation.o \ - $(KM)/aes_key.o \ - $(KM)/aes_operation.o \ - $(KM)/android_keymaster.o \ - $(KM)/android_keymaster_messages.o \ - $(KM)/android_keymaster_test_utils.o \ - $(KM)/android_keymaster_utils.o \ - $(KM)/asymmetric_key.o \ - $(KM)/auth_encrypted_key_blob.o \ - $(KM)/auth_encrypted_key_blob.o \ - $(KM)/authorization_set.o \ - $(KM)/ec_key.o \ - $(KM)/ec_keymaster0_key.cpp \ - $(KM)/ecdsa_operation.o \ - $(KM)/hmac_key.o \ - $(KM)/hmac_operation.o \ - $(KM)/integrity_assured_key_blob.o \ - $(KM)/key.o \ - $(KM)/keymaster0_engine.o \ - $(KM)/logger.o \ - $(KM)/ocb.o \ - $(KM)/ocb_utils.o \ - $(KM)/openssl_err.o \ - $(KM)/openssl_utils.o \ - $(KM)/operation.o \ - $(KM)/operation_table.o \ - $(KM)/rsa_key.o \ - $(KM)/rsa_keymaster0_key.o \ - $(KM)/rsa_operation.o \ - $(KM)/serializable.o \ - $(KM)/soft_keymaster_context.o \ - $(KM)/symmetric_key.o \ - $(GTEST)/src/gtest-all.o - -$(GTEST)/src/gtest-all.o: CXXFLAGS:=$(subst -Wmissing-declarations,,$(CXXFLAGS)) -ocb.o: CFLAGS=$(CLANG_TEST_DEFINE) - -clean: - rm -f $(OBJS) $(DEPS) $(GCDA) $(GCNO) $(BINARIES) \ - $(BINARIES:=.run) $(BINARIES:=.memcheck) $(BINARIES:=.massif) \ - coverage.info - rm -rf coverage - --include $(CPPSRCS:.cpp=.d) --include $(CCSRCS:.cc=.d) - diff --git a/trusty/keymaster/legacy/module.cpp b/trusty/keymaster/legacy/module.cpp deleted file mode 100644 index 7aa1a4eaa..000000000 --- a/trusty/keymaster/legacy/module.cpp +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright (C) 2014 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include -#include - -#include -#include - -#include - -using keymaster::TrustyKeymasterDevice; - -/* - * Generic device handling - */ -static int trusty_keymaster_open(const hw_module_t* module, const char* name, - hw_device_t** device) { - if (strcmp(name, KEYSTORE_KEYMASTER) != 0) { - return -EINVAL; - } - - TrustyKeymasterDevice* dev = new TrustyKeymasterDevice(module); - if (dev == NULL) { - return -ENOMEM; - } - *device = dev->hw_device(); - // Do not delete dev; it will get cleaned up when the caller calls device->close(), and must - // exist until then. - return 0; -} - -static struct hw_module_methods_t keystore_module_methods = { - .open = trusty_keymaster_open, -}; - -struct keystore_module HAL_MODULE_INFO_SYM __attribute__((visibility("default"))) = { - .common = - { - .tag = HARDWARE_MODULE_TAG, - .module_api_version = KEYMASTER_MODULE_API_VERSION_2_0, - .hal_api_version = HARDWARE_HAL_API_VERSION, - .id = KEYSTORE_HARDWARE_MODULE_ID, - .name = "Trusty Keymaster HAL", - .author = "The Android Open Source Project", - .methods = &keystore_module_methods, - .dso = 0, - .reserved = {}, - }, -}; diff --git a/trusty/keymaster/legacy/trusty_keymaster_device.cpp b/trusty/keymaster/legacy/trusty_keymaster_device.cpp deleted file mode 100644 index 88c3e7bbd..000000000 --- a/trusty/keymaster/legacy/trusty_keymaster_device.cpp +++ /dev/null @@ -1,761 +0,0 @@ -/* - * Copyright 2014 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#define LOG_TAG "TrustyKeymaster" - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include - -#include -#include -#include - -#include -#include -#include - -const size_t kMaximumAttestationChallengeLength = 128; -const size_t kMaximumFinishInputLength = 2048; - -namespace keymaster { - -TrustyKeymasterDevice::TrustyKeymasterDevice(const hw_module_t* module) { - static_assert(std::is_standard_layout::value, - "TrustyKeymasterDevice must be standard layout"); - static_assert(offsetof(TrustyKeymasterDevice, device_) == 0, - "device_ must be the first member of TrustyKeymasterDevice"); - static_assert(offsetof(TrustyKeymasterDevice, device_.common) == 0, - "common must be the first member of keymaster2_device"); - - ALOGI("Creating device"); - ALOGD("Device address: %p", this); - - device_ = {}; - - device_.common.tag = HARDWARE_DEVICE_TAG; - device_.common.version = 1; - device_.common.module = const_cast(module); - device_.common.close = close_device; - - device_.flags = KEYMASTER_SUPPORTS_EC; - - device_.configure = configure; - device_.add_rng_entropy = add_rng_entropy; - device_.generate_key = generate_key; - device_.get_key_characteristics = get_key_characteristics; - device_.import_key = import_key; - device_.export_key = export_key; - device_.attest_key = attest_key; - device_.upgrade_key = upgrade_key; - device_.delete_key = delete_key; - device_.delete_all_keys = delete_all_keys; - device_.begin = begin; - device_.update = update; - device_.finish = finish; - device_.abort = abort; - - int rc = trusty_keymaster_connect(); - error_ = translate_error(rc); - if (rc < 0) { - ALOGE("failed to connect to keymaster (%d)", rc); - return; - } - - GetVersionRequest version_request; - GetVersionResponse version_response; - error_ = trusty_keymaster_send(KM_GET_VERSION, version_request, &version_response); - if (error_ == KM_ERROR_INVALID_ARGUMENT || error_ == KM_ERROR_UNIMPLEMENTED) { - ALOGE("\"Bad parameters\" error on GetVersion call. Version 0 is not supported."); - error_ = KM_ERROR_VERSION_MISMATCH; - return; - } - message_version_ = MessageVersion(version_response.major_ver, version_response.minor_ver, - version_response.subminor_ver); - if (message_version_ < 0) { - // Can't translate version? Keymaster implementation must be newer. - ALOGE("Keymaster version %d.%d.%d not supported.", version_response.major_ver, - version_response.minor_ver, version_response.subminor_ver); - error_ = KM_ERROR_VERSION_MISMATCH; - } -} - -TrustyKeymasterDevice::~TrustyKeymasterDevice() { - trusty_keymaster_disconnect(); -} - -namespace { - -// Allocates a new buffer with malloc and copies the contents of |buffer| to it. Caller takes -// ownership of the returned buffer. -uint8_t* DuplicateBuffer(const uint8_t* buffer, size_t size) { - uint8_t* tmp = reinterpret_cast(malloc(size)); - if (tmp) { - memcpy(tmp, buffer, size); - } - return tmp; -} - -template -void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data, - RequestType* request) { - request->additional_params.Clear(); - if (client_id && client_id->data_length > 0) { - request->additional_params.push_back(TAG_APPLICATION_ID, *client_id); - } - if (app_data && app_data->data_length > 0) { - request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data); - } -} - -} // unnamed namespace - -keymaster_error_t TrustyKeymasterDevice::configure(const keymaster_key_param_set_t* params) { - ALOGD("Device received configure\n"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!params) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - - AuthorizationSet params_copy(*params); - ConfigureRequest request(message_version_); - if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) || - !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) { - ALOGD("Configuration parameters must contain OS version and patch level"); - return KM_ERROR_INVALID_ARGUMENT; - } - - ConfigureResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_CONFIGURE, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::add_rng_entropy(const uint8_t* data, size_t data_length) { - ALOGD("Device received add_rng_entropy"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - - AddEntropyRequest request(message_version_); - request.random_data.Reinitialize(data, data_length); - AddEntropyResponse response(message_version_); - return trusty_keymaster_send(KM_ADD_RNG_ENTROPY, request, &response); -} - -keymaster_error_t TrustyKeymasterDevice::generate_key( - const keymaster_key_param_set_t* params, keymaster_key_blob_t* key_blob, - keymaster_key_characteristics_t* characteristics) { - ALOGD("Device received generate_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!params) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!key_blob) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - GenerateKeyRequest request(message_version_); - request.key_description.Reinitialize(*params); - request.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL))); - - GenerateKeyResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_GENERATE_KEY, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - key_blob->key_material_size = response.key_blob.key_material_size; - key_blob->key_material = - DuplicateBuffer(response.key_blob.key_material, response.key_blob.key_material_size); - if (!key_blob->key_material) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - - if (characteristics) { - response.enforced.CopyToParamSet(&characteristics->hw_enforced); - response.unenforced.CopyToParamSet(&characteristics->sw_enforced); - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::get_key_characteristics( - const keymaster_key_blob_t* key_blob, const keymaster_blob_t* client_id, - const keymaster_blob_t* app_data, keymaster_key_characteristics_t* characteristics) { - ALOGD("Device received get_key_characteristics"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!key_blob || !key_blob->key_material) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!characteristics) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - GetKeyCharacteristicsRequest request(message_version_); - request.SetKeyMaterial(*key_blob); - AddClientAndAppData(client_id, app_data, &request); - - GetKeyCharacteristicsResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_GET_KEY_CHARACTERISTICS, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - response.enforced.CopyToParamSet(&characteristics->hw_enforced); - response.unenforced.CopyToParamSet(&characteristics->sw_enforced); - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::import_key( - const keymaster_key_param_set_t* params, keymaster_key_format_t key_format, - const keymaster_blob_t* key_data, keymaster_key_blob_t* key_blob, - keymaster_key_characteristics_t* characteristics) { - ALOGD("Device received import_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!params || !key_data) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!key_blob) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - ImportKeyRequest request(message_version_); - request.key_description.Reinitialize(*params); - request.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL))); - - request.key_format = key_format; - request.SetKeyMaterial(key_data->data, key_data->data_length); - - ImportKeyResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_IMPORT_KEY, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - key_blob->key_material_size = response.key_blob.key_material_size; - key_blob->key_material = - DuplicateBuffer(response.key_blob.key_material, response.key_blob.key_material_size); - if (!key_blob->key_material) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - - if (characteristics) { - response.enforced.CopyToParamSet(&characteristics->hw_enforced); - response.unenforced.CopyToParamSet(&characteristics->sw_enforced); - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::export_key(keymaster_key_format_t export_format, - const keymaster_key_blob_t* key_to_export, - const keymaster_blob_t* client_id, - const keymaster_blob_t* app_data, - keymaster_blob_t* export_data) { - ALOGD("Device received export_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!key_to_export || !key_to_export->key_material) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!export_data) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - export_data->data = nullptr; - export_data->data_length = 0; - - ExportKeyRequest request(message_version_); - request.key_format = export_format; - request.SetKeyMaterial(*key_to_export); - AddClientAndAppData(client_id, app_data, &request); - - ExportKeyResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_EXPORT_KEY, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - export_data->data_length = response.key_data_length; - export_data->data = DuplicateBuffer(response.key_data, response.key_data_length); - if (!export_data->data) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::attest_key(const keymaster_key_blob_t* key_to_attest, - const keymaster_key_param_set_t* attest_params, - keymaster_cert_chain_t* cert_chain) { - ALOGD("Device received attest_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!key_to_attest || !attest_params) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!cert_chain) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - cert_chain->entry_count = 0; - cert_chain->entries = nullptr; - - AttestKeyRequest request(message_version_); - request.SetKeyMaterial(*key_to_attest); - request.attest_params.Reinitialize(*attest_params); - - keymaster_blob_t attestation_challenge = {}; - request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge); - if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) { - ALOGE("%zu-byte attestation challenge; only %zu bytes allowed", - attestation_challenge.data_length, kMaximumAttestationChallengeLength); - return KM_ERROR_INVALID_INPUT_LENGTH; - } - - AttestKeyResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_ATTEST_KEY, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - // Allocate and clear storage for cert_chain. - keymaster_cert_chain_t& rsp_chain = response.certificate_chain; - cert_chain->entries = reinterpret_cast( - malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries))); - if (!cert_chain->entries) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - cert_chain->entry_count = rsp_chain.entry_count; - for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count)) { - entry = {}; - } - - // Copy cert_chain contents - size_t i = 0; - for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) { - cert_chain->entries[i].data = DuplicateBuffer(entry.data, entry.data_length); - if (!cert_chain->entries[i].data) { - keymaster_free_cert_chain(cert_chain); - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - cert_chain->entries[i].data_length = entry.data_length; - ++i; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::upgrade_key( - const keymaster_key_blob_t* key_to_upgrade, const keymaster_key_param_set_t* upgrade_params, - keymaster_key_blob_t* upgraded_key) { - ALOGD("Device received upgrade_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!key_to_upgrade || !upgrade_params) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!upgraded_key) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - UpgradeKeyRequest request(message_version_); - request.SetKeyMaterial(*key_to_upgrade); - request.upgrade_params.Reinitialize(*upgrade_params); - - UpgradeKeyResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_UPGRADE_KEY, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - upgraded_key->key_material_size = response.upgraded_key.key_material_size; - upgraded_key->key_material = DuplicateBuffer(response.upgraded_key.key_material, - response.upgraded_key.key_material_size); - if (!upgraded_key->key_material) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::begin(keymaster_purpose_t purpose, - const keymaster_key_blob_t* key, - const keymaster_key_param_set_t* in_params, - keymaster_key_param_set_t* out_params, - keymaster_operation_handle_t* operation_handle) { - ALOGD("Device received begin"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!key || !key->key_material) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!operation_handle) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - if (out_params) { - *out_params = {}; - } - - BeginOperationRequest request(message_version_); - request.purpose = purpose; - request.SetKeyMaterial(*key); - request.additional_params.Reinitialize(*in_params); - - BeginOperationResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_BEGIN_OPERATION, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - if (response.output_params.size() > 0) { - if (out_params) { - response.output_params.CopyToParamSet(out_params); - } else { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - } - *operation_handle = response.op_handle; - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::update(keymaster_operation_handle_t operation_handle, - const keymaster_key_param_set_t* in_params, - const keymaster_blob_t* input, - size_t* input_consumed, - keymaster_key_param_set_t* out_params, - keymaster_blob_t* output) { - ALOGD("Device received update"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (!input) { - return KM_ERROR_UNEXPECTED_NULL_POINTER; - } - if (!input_consumed) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - if (out_params) { - *out_params = {}; - } - if (output) { - *output = {}; - } - - UpdateOperationRequest request(message_version_); - request.op_handle = operation_handle; - if (in_params) { - request.additional_params.Reinitialize(*in_params); - } - if (input && input->data_length > 0) { - size_t max_input_size = TRUSTY_KEYMASTER_SEND_BUF_SIZE - request.SerializedSize(); - request.input.Reinitialize(input->data, std::min(input->data_length, max_input_size)); - } - - UpdateOperationResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_UPDATE_OPERATION, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - if (response.output_params.size() > 0) { - if (out_params) { - response.output_params.CopyToParamSet(out_params); - } else { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - } - *input_consumed = response.input_consumed; - if (output) { - output->data_length = response.output.available_read(); - output->data = DuplicateBuffer(response.output.peek_read(), output->data_length); - if (!output->data) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - } else if (response.output.available_read() > 0) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::finish(keymaster_operation_handle_t operation_handle, - const keymaster_key_param_set_t* in_params, - const keymaster_blob_t* input, - const keymaster_blob_t* signature, - keymaster_key_param_set_t* out_params, - keymaster_blob_t* output) { - ALOGD("Device received finish"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - if (input && input->data_length > kMaximumFinishInputLength) { - ALOGE("%zu-byte input to finish; only %zu bytes allowed", input->data_length, - kMaximumFinishInputLength); - return KM_ERROR_INVALID_INPUT_LENGTH; - } - - if (out_params) { - *out_params = {}; - } - if (output) { - *output = {}; - } - - FinishOperationRequest request(message_version_); - request.op_handle = operation_handle; - if (signature && signature->data && signature->data_length > 0) { - request.signature.Reinitialize(signature->data, signature->data_length); - } - if (input && input->data && input->data_length) { - request.input.Reinitialize(input->data, input->data_length); - } - if (in_params) { - request.additional_params.Reinitialize(*in_params); - } - - FinishOperationResponse response(message_version_); - keymaster_error_t err = trusty_keymaster_send(KM_FINISH_OPERATION, request, &response); - if (err != KM_ERROR_OK) { - return err; - } - - if (response.output_params.size() > 0) { - if (out_params) { - response.output_params.CopyToParamSet(out_params); - } else { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - } - if (output) { - output->data_length = response.output.available_read(); - output->data = DuplicateBuffer(response.output.peek_read(), output->data_length); - if (!output->data) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - } else if (response.output.available_read() > 0) { - return KM_ERROR_OUTPUT_PARAMETER_NULL; - } - - return KM_ERROR_OK; -} - -keymaster_error_t TrustyKeymasterDevice::abort(keymaster_operation_handle_t operation_handle) { - ALOGD("Device received abort"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - - AbortOperationRequest request(message_version_); - request.op_handle = operation_handle; - AbortOperationResponse response(message_version_); - return trusty_keymaster_send(KM_ABORT_OPERATION, request, &response); -} - -keymaster_error_t TrustyKeymasterDevice::delete_key(const keymaster_key_blob_t* key) { - ALOGD("Device received delete_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - - if (!key || !key->key_material) - return KM_ERROR_UNEXPECTED_NULL_POINTER; - - DeleteKeyRequest request(message_version_); - request.SetKeyMaterial(*key); - DeleteKeyResponse response(message_version_); - return trusty_keymaster_send(KM_DELETE_KEY, request, &response); -} - -keymaster_error_t TrustyKeymasterDevice::delete_all_keys() { - ALOGD("Device received delete_all_key"); - - if (error_ != KM_ERROR_OK) { - return error_; - } - - DeleteAllKeysRequest request(message_version_); - DeleteAllKeysResponse response(message_version_); - return trusty_keymaster_send(KM_DELETE_ALL_KEYS, request, &response); -} - -hw_device_t* TrustyKeymasterDevice::hw_device() { - return &device_.common; -} - -static inline TrustyKeymasterDevice* convert_device(const keymaster2_device_t* dev) { - return reinterpret_cast(const_cast(dev)); -} - -/* static */ -int TrustyKeymasterDevice::close_device(hw_device_t* dev) { - delete reinterpret_cast(dev); - return 0; -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::configure(const keymaster2_device_t* dev, - const keymaster_key_param_set_t* params) { - return convert_device(dev)->configure(params); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev, - const uint8_t* data, size_t data_length) { - return convert_device(dev)->add_rng_entropy(data, data_length); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::generate_key( - const keymaster2_device_t* dev, const keymaster_key_param_set_t* params, - keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) { - return convert_device(dev)->generate_key(params, key_blob, characteristics); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::get_key_characteristics( - const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob, - const keymaster_blob_t* client_id, const keymaster_blob_t* app_data, - keymaster_key_characteristics_t* characteristics) { - return convert_device(dev)->get_key_characteristics(key_blob, client_id, app_data, - characteristics); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::import_key( - const keymaster2_device_t* dev, const keymaster_key_param_set_t* params, - keymaster_key_format_t key_format, const keymaster_blob_t* key_data, - keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) { - return convert_device(dev)->import_key(params, key_format, key_data, key_blob, characteristics); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::export_key(const keymaster2_device_t* dev, - keymaster_key_format_t export_format, - const keymaster_key_blob_t* key_to_export, - const keymaster_blob_t* client_id, - const keymaster_blob_t* app_data, - keymaster_blob_t* export_data) { - return convert_device(dev)->export_key(export_format, key_to_export, client_id, app_data, - export_data); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::attest_key(const keymaster2_device_t* dev, - const keymaster_key_blob_t* key_to_attest, - const keymaster_key_param_set_t* attest_params, - keymaster_cert_chain_t* cert_chain) { - return convert_device(dev)->attest_key(key_to_attest, attest_params, cert_chain); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::upgrade_key( - const keymaster2_device_t* dev, const keymaster_key_blob_t* key_to_upgrade, - const keymaster_key_param_set_t* upgrade_params, keymaster_key_blob_t* upgraded_key) { - return convert_device(dev)->upgrade_key(key_to_upgrade, upgrade_params, upgraded_key); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::begin(const keymaster2_device_t* dev, - keymaster_purpose_t purpose, - const keymaster_key_blob_t* key, - const keymaster_key_param_set_t* in_params, - keymaster_key_param_set_t* out_params, - keymaster_operation_handle_t* operation_handle) { - return convert_device(dev)->begin(purpose, key, in_params, out_params, operation_handle); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::update( - const keymaster2_device_t* dev, keymaster_operation_handle_t operation_handle, - const keymaster_key_param_set_t* in_params, const keymaster_blob_t* input, - size_t* input_consumed, keymaster_key_param_set_t* out_params, keymaster_blob_t* output) { - return convert_device(dev)->update(operation_handle, in_params, input, input_consumed, - out_params, output); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::finish(const keymaster2_device_t* dev, - keymaster_operation_handle_t operation_handle, - const keymaster_key_param_set_t* in_params, - const keymaster_blob_t* input, - const keymaster_blob_t* signature, - keymaster_key_param_set_t* out_params, - keymaster_blob_t* output) { - return convert_device(dev)->finish(operation_handle, in_params, input, signature, out_params, - output); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::abort(const keymaster2_device_t* dev, - keymaster_operation_handle_t operation_handle) { - return convert_device(dev)->abort(operation_handle); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::delete_key(const keymaster2_device_t* dev, - const keymaster_key_blob_t* key) { - return convert_device(dev)->delete_key(key); -} - -/* static */ -keymaster_error_t TrustyKeymasterDevice::delete_all_keys(const keymaster2_device_t* dev) { - return convert_device(dev)->delete_all_keys(); -} - -} // namespace keymaster diff --git a/trusty/keymaster/legacy/trusty_keymaster_device_test.cpp b/trusty/keymaster/legacy/trusty_keymaster_device_test.cpp deleted file mode 100644 index 68def5872..000000000 --- a/trusty/keymaster/legacy/trusty_keymaster_device_test.cpp +++ /dev/null @@ -1,561 +0,0 @@ -/* - * Copyright (C) 2014 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include -#include -#include - -#include -#include - -#include - -#include -#include -#include -#include -#include - -#include -#include "android_keymaster_test_utils.h" -#include "openssl_utils.h" - -using std::ifstream; -using std::istreambuf_iterator; -using std::string; - -static keymaster::AndroidKeymaster* impl_ = nullptr; - -extern "C" { -int __android_log_print(); -} - -int __android_log_print() { - return 0; -} - -int main(int argc, char** argv) { - ::testing::InitGoogleTest(&argc, argv); - int result = RUN_ALL_TESTS(); - // Clean up stuff OpenSSL leaves around, so Valgrind doesn't complain. - CRYPTO_cleanup_all_ex_data(); - ERR_free_strings(); - return result; -} - -int trusty_keymaster_connect() { - impl_ = new keymaster::AndroidKeymaster(new keymaster::SoftKeymasterContext(nullptr), 16); -} - -void trusty_keymaster_disconnect() { - delete static_cast(priv_); -} - -template -static int fake_call(keymaster::AndroidKeymaster* device, - void (keymaster::AndroidKeymaster::*method)(const Req&, Rsp*), void* in_buf, - uint32_t in_size, void* out_buf, uint32_t* out_size) { - Req req; - const uint8_t* in = static_cast(in_buf); - req.Deserialize(&in, in + in_size); - Rsp rsp; - (device->*method)(req, &rsp); - - *out_size = rsp.SerializedSize(); - uint8_t* out = static_cast(out_buf); - rsp.Serialize(out, out + *out_size); - return 0; -} - -int trusty_keymaster_call(uint32_t cmd, void* in_buf, uint32_t in_size, void* out_buf, - uint32_t* out_size) { - switch (cmd) { - case KM_GENERATE_KEY: - return fake_call(impl_, &keymaster::AndroidKeymaster::GenerateKey, in_buf, in_size, - out_buf, out_size); - case KM_BEGIN_OPERATION: - return fake_call(impl_, &keymaster::AndroidKeymaster::BeginOperation, in_buf, in_size, - out_buf, out_size); - case KM_UPDATE_OPERATION: - return fake_call(impl_, &keymaster::AndroidKeymaster::UpdateOperation, in_buf, in_size, - out_buf, out_size); - case KM_FINISH_OPERATION: - return fake_call(impl_, &keymaster::AndroidKeymaster::FinishOperation, in_buf, in_size, - out_buf, out_size); - case KM_IMPORT_KEY: - return fake_call(impl_, &keymaster::AndroidKeymaster::ImportKey, in_buf, in_size, - out_buf, out_size); - case KM_EXPORT_KEY: - return fake_call(impl_, &keymaster::AndroidKeymaster::ExportKey, in_buf, in_size, - out_buf, out_size); - } - return -EINVAL; -} - -namespace keymaster { -namespace test { - -class TrustyKeymasterTest : public testing::Test { - protected: - TrustyKeymasterTest() : device(NULL) {} - - keymaster_rsa_keygen_params_t build_rsa_params() { - keymaster_rsa_keygen_params_t rsa_params; - rsa_params.public_exponent = 65537; - rsa_params.modulus_size = 2048; - return rsa_params; - } - - uint8_t* build_message(size_t length) { - uint8_t* msg = new uint8_t[length]; - memset(msg, 'a', length); - return msg; - } - - size_t dsa_message_len(const keymaster_dsa_keygen_params_t& params) { - switch (params.key_size) { - case 256: - case 1024: - return 48; - case 2048: - case 4096: - return 72; - default: - // Oops. - return 0; - } - } - - TrustyKeymasterDevice device; -}; - -class Malloc_Delete { - public: - Malloc_Delete(void* p) : p_(p) {} - ~Malloc_Delete() { free(p_); } - - private: - void* p_; -}; - -typedef TrustyKeymasterTest KeyGenTest; -TEST_F(KeyGenTest, RsaSuccess) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); -} - -TEST_F(KeyGenTest, EcdsaSuccess) { - keymaster_ec_keygen_params_t ec_params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, &ec_params, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); -} - -typedef TrustyKeymasterTest SigningTest; -TEST_F(SigningTest, RsaSuccess) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(message_len, siglen); -} - -TEST_F(SigningTest, RsaShortMessage) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8 - 1; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, device.sign_data(&sig_params, ptr, size, message.get(), - message_len, &signature, &siglen)); -} - -TEST_F(SigningTest, RsaLongMessage) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8 + 1; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_UNKNOWN_ERROR, device.sign_data(&sig_params, ptr, size, message.get(), - message_len, &signature, &siglen)); -} - -TEST_F(SigningTest, EcdsaSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - uint8_t message[] = "12345678901234567890123456789012"; - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message, - array_size(message) - 1, &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_GT(siglen, 69U); - EXPECT_LT(siglen, 73U); -} - -TEST_F(SigningTest, EcdsaEmptyMessageSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - uint8_t message[] = ""; - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message, - array_size(message) - 1, &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_GT(siglen, 69U); - EXPECT_LT(siglen, 73U); -} - -TEST_F(SigningTest, EcdsaLargeMessageSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - size_t message_len = 1024 * 7; - std::unique_ptr message(new uint8_t[message_len]); - // contents of message don't matter. - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_GT(siglen, 69U); - EXPECT_LT(siglen, 73U); -} - -typedef TrustyKeymasterTest VerificationTest; -TEST_F(VerificationTest, RsaSuccess) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, ptr, size, message.get(), message_len, - signature, siglen)); -} - -TEST_F(VerificationTest, RsaBadSignature) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - - Malloc_Delete sig_deleter(signature); - signature[siglen / 2]++; - EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, - device.verify_data(&sig_params, ptr, size, message.get(), message_len, signature, - siglen)); -} - -TEST_F(VerificationTest, RsaBadMessage) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - message[0]++; - EXPECT_EQ(KM_ERROR_VERIFICATION_FAILED, - device.verify_data(&sig_params, ptr, size, message.get(), message_len, signature, - siglen)); -} - -TEST_F(VerificationTest, RsaShortMessage) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, - device.verify_data(&sig_params, ptr, size, message.get(), message_len - 1, signature, - siglen)); -} - -TEST_F(VerificationTest, RsaLongMessage) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len + 1)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_INVALID_INPUT_LENGTH, - device.verify_data(&sig_params, ptr, size, message.get(), message_len + 1, signature, - siglen)); -} - -TEST_F(VerificationTest, EcdsaSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - uint8_t message[] = "12345678901234567890123456789012"; - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message, - array_size(message) - 1, &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, ptr, size, message, - array_size(message) - 1, signature, siglen)); -} - -TEST_F(VerificationTest, EcdsaLargeMessageSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - size_t message_len = 1024 * 7; - std::unique_ptr message(new uint8_t[message_len]); - // contents of message don't matter. - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, ptr, size, message.get(), message_len, - signature, siglen)); -} - -static string read_file(const string& file_name) { - ifstream file_stream(file_name, std::ios::binary); - istreambuf_iterator file_begin(file_stream); - istreambuf_iterator file_end; - return string(file_begin, file_end); -} - -typedef TrustyKeymasterTest ImportKeyTest; -TEST_F(ImportKeyTest, RsaSuccess) { - string pk8_key = read_file("../../../../system/keymaster/rsa_privkey_pk8.der"); - ASSERT_EQ(633U, pk8_key.size()); - - uint8_t* key = NULL; - size_t size; - ASSERT_EQ(KM_ERROR_OK, device.import_keypair(reinterpret_cast(pk8_key.data()), - pk8_key.size(), &key, &size)); - Malloc_Delete key_deleter(key); - - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_size = 1024 /* key size */ / 8; - std::unique_ptr message(new uint8_t[message_size]); - memset(message.get(), 'a', message_size); - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, key, size, message.get(), message_size, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, key, size, message.get(), message_size, - signature, siglen)); -} - -TEST_F(ImportKeyTest, EcdsaSuccess) { - string pk8_key = read_file("../../../../system/keymaster/ec_privkey_pk8.der"); - ASSERT_EQ(138U, pk8_key.size()); - - uint8_t* key = NULL; - size_t size; - ASSERT_EQ(KM_ERROR_OK, device.import_keypair(reinterpret_cast(pk8_key.data()), - pk8_key.size(), &key, &size)); - Malloc_Delete key_deleter(key); - - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - uint8_t message[] = "12345678901234567890123456789012"; - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, key, size, message, - array_size(message) - 1, &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, key, size, message, - array_size(message) - 1, signature, siglen)); -} - -struct EVP_PKEY_CTX_Delete { - void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); } -}; - -static void VerifySignature(const uint8_t* key, size_t key_len, const uint8_t* signature, - size_t signature_len, const uint8_t* message, size_t message_len) { - std::unique_ptr pkey(d2i_PUBKEY(NULL, &key, key_len)); - ASSERT_TRUE(pkey.get() != NULL); - std::unique_ptr ctx(EVP_PKEY_CTX_new(pkey.get(), NULL)); - ASSERT_TRUE(ctx.get() != NULL); - ASSERT_EQ(1, EVP_PKEY_verify_init(ctx.get())); - if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) - ASSERT_EQ(1, EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_NO_PADDING)); - EXPECT_EQ(1, EVP_PKEY_verify(ctx.get(), signature, signature_len, message, message_len)); -} - -typedef TrustyKeymasterTest ExportKeyTest; -TEST_F(ExportKeyTest, RsaSuccess) { - keymaster_rsa_keygen_params_t params = build_rsa_params(); - uint8_t* ptr = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_RSA, ¶ms, &ptr, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(ptr); - - uint8_t* exported; - size_t exported_size; - EXPECT_EQ(KM_ERROR_OK, device.get_keypair_public(ptr, size, &exported, &exported_size)); - Malloc_Delete exported_deleter(exported); - - // Sign a message so we can verify it with the exported pubkey. - keymaster_rsa_sign_params_t sig_params = {DIGEST_NONE, PADDING_NONE}; - size_t message_len = params.modulus_size / 8; - std::unique_ptr message(build_message(message_len)); - uint8_t* signature; - size_t siglen; - EXPECT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, ptr, size, message.get(), message_len, - &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(message_len, siglen); - const uint8_t* tmp = exported; - - VerifySignature(exported, exported_size, signature, siglen, message.get(), message_len); -} - -typedef TrustyKeymasterTest ExportKeyTest; -TEST_F(ExportKeyTest, EcdsaSuccess) { - keymaster_ec_keygen_params_t params = {256}; - uint8_t* key = NULL; - size_t size; - ASSERT_EQ(0, device.generate_keypair(TYPE_EC, ¶ms, &key, &size)); - EXPECT_GT(size, 0U); - Malloc_Delete key_deleter(key); - - uint8_t* exported; - size_t exported_size; - EXPECT_EQ(KM_ERROR_OK, device.get_keypair_public(key, size, &exported, &exported_size)); - Malloc_Delete exported_deleter(exported); - - // Sign a message so we can verify it with the exported pubkey. - keymaster_ec_sign_params_t sig_params = {DIGEST_NONE}; - uint8_t message[] = "12345678901234567890123456789012"; - uint8_t* signature; - size_t siglen; - ASSERT_EQ(KM_ERROR_OK, device.sign_data(&sig_params, key, size, message, - array_size(message) - 1, &signature, &siglen)); - Malloc_Delete sig_deleter(signature); - EXPECT_EQ(KM_ERROR_OK, device.verify_data(&sig_params, key, size, message, - array_size(message) - 1, signature, siglen)); - - VerifySignature(exported, exported_size, signature, siglen, message, array_size(message) - 1); -} - -} // namespace test -} // namespace keymaster diff --git a/trusty/keymaster/legacy/trusty_keymaster_main.cpp b/trusty/keymaster/legacy/trusty_keymaster_main.cpp deleted file mode 100644 index e3e70e66e..000000000 --- a/trusty/keymaster/legacy/trusty_keymaster_main.cpp +++ /dev/null @@ -1,408 +0,0 @@ -/* - * Copyright 2014 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include - -#include -#include - -#include -#include - -#include - -using keymaster::TrustyKeymasterDevice; - -unsigned char rsa_privkey_pk8_der[] = { - 0x30, 0x82, 0x02, 0x75, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x02, 0x5f, 0x30, 0x82, 0x02, 0x5b, - 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xc6, 0x09, 0x54, 0x09, 0x04, 0x7d, 0x86, 0x34, - 0x81, 0x2d, 0x5a, 0x21, 0x81, 0x76, 0xe4, 0x5c, 0x41, 0xd6, 0x0a, 0x75, 0xb1, 0x39, 0x01, - 0xf2, 0x34, 0x22, 0x6c, 0xff, 0xe7, 0x76, 0x52, 0x1c, 0x5a, 0x77, 0xb9, 0xe3, 0x89, 0x41, - 0x7b, 0x71, 0xc0, 0xb6, 0xa4, 0x4d, 0x13, 0xaf, 0xe4, 0xe4, 0xa2, 0x80, 0x5d, 0x46, 0xc9, - 0xda, 0x29, 0x35, 0xad, 0xb1, 0xff, 0x0c, 0x1f, 0x24, 0xea, 0x06, 0xe6, 0x2b, 0x20, 0xd7, - 0x76, 0x43, 0x0a, 0x4d, 0x43, 0x51, 0x57, 0x23, 0x3c, 0x6f, 0x91, 0x67, 0x83, 0xc3, 0x0e, - 0x31, 0x0f, 0xcb, 0xd8, 0x9b, 0x85, 0xc2, 0xd5, 0x67, 0x71, 0x16, 0x97, 0x85, 0xac, 0x12, - 0xbc, 0xa2, 0x44, 0xab, 0xda, 0x72, 0xbf, 0xb1, 0x9f, 0xc4, 0x4d, 0x27, 0xc8, 0x1e, 0x1d, - 0x92, 0xde, 0x28, 0x4f, 0x40, 0x61, 0xed, 0xfd, 0x99, 0x28, 0x07, 0x45, 0xea, 0x6d, 0x25, - 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x81, 0x80, 0x1b, 0xe0, 0xf0, 0x4d, 0x9c, 0xae, 0x37, - 0x18, 0x69, 0x1f, 0x03, 0x53, 0x38, 0x30, 0x8e, 0x91, 0x56, 0x4b, 0x55, 0x89, 0x9f, 0xfb, - 0x50, 0x84, 0xd2, 0x46, 0x0e, 0x66, 0x30, 0x25, 0x7e, 0x05, 0xb3, 0xce, 0xab, 0x02, 0x97, - 0x2d, 0xfa, 0xbc, 0xd6, 0xce, 0x5f, 0x6e, 0xe2, 0x58, 0x9e, 0xb6, 0x79, 0x11, 0xed, 0x0f, - 0xac, 0x16, 0xe4, 0x3a, 0x44, 0x4b, 0x8c, 0x86, 0x1e, 0x54, 0x4a, 0x05, 0x93, 0x36, 0x57, - 0x72, 0xf8, 0xba, 0xf6, 0xb2, 0x2f, 0xc9, 0xe3, 0xc5, 0xf1, 0x02, 0x4b, 0x06, 0x3a, 0xc0, - 0x80, 0xa7, 0xb2, 0x23, 0x4c, 0xf8, 0xae, 0xe8, 0xf6, 0xc4, 0x7b, 0xbf, 0x4f, 0xd3, 0xac, - 0xe7, 0x24, 0x02, 0x90, 0xbe, 0xf1, 0x6c, 0x0b, 0x3f, 0x7f, 0x3c, 0xdd, 0x64, 0xce, 0x3a, - 0xb5, 0x91, 0x2c, 0xf6, 0xe3, 0x2f, 0x39, 0xab, 0x18, 0x83, 0x58, 0xaf, 0xcc, 0xcd, 0x80, - 0x81, 0x02, 0x41, 0x00, 0xe4, 0xb4, 0x9e, 0xf5, 0x0f, 0x76, 0x5d, 0x3b, 0x24, 0xdd, 0xe0, - 0x1a, 0xce, 0xaa, 0xf1, 0x30, 0xf2, 0xc7, 0x66, 0x70, 0xa9, 0x1a, 0x61, 0xae, 0x08, 0xaf, - 0x49, 0x7b, 0x4a, 0x82, 0xbe, 0x6d, 0xee, 0x8f, 0xcd, 0xd5, 0xe3, 0xf7, 0xba, 0x1c, 0xfb, - 0x1f, 0x0c, 0x92, 0x6b, 0x88, 0xf8, 0x8c, 0x92, 0xbf, 0xab, 0x13, 0x7f, 0xba, 0x22, 0x85, - 0x22, 0x7b, 0x83, 0xc3, 0x42, 0xff, 0x7c, 0x55, 0x02, 0x41, 0x00, 0xdd, 0xab, 0xb5, 0x83, - 0x9c, 0x4c, 0x7f, 0x6b, 0xf3, 0xd4, 0x18, 0x32, 0x31, 0xf0, 0x05, 0xb3, 0x1a, 0xa5, 0x8a, - 0xff, 0xdd, 0xa5, 0xc7, 0x9e, 0x4c, 0xce, 0x21, 0x7f, 0x6b, 0xc9, 0x30, 0xdb, 0xe5, 0x63, - 0xd4, 0x80, 0x70, 0x6c, 0x24, 0xe9, 0xeb, 0xfc, 0xab, 0x28, 0xa6, 0xcd, 0xef, 0xd3, 0x24, - 0xb7, 0x7e, 0x1b, 0xf7, 0x25, 0x1b, 0x70, 0x90, 0x92, 0xc2, 0x4f, 0xf5, 0x01, 0xfd, 0x91, - 0x02, 0x40, 0x23, 0xd4, 0x34, 0x0e, 0xda, 0x34, 0x45, 0xd8, 0xcd, 0x26, 0xc1, 0x44, 0x11, - 0xda, 0x6f, 0xdc, 0xa6, 0x3c, 0x1c, 0xcd, 0x4b, 0x80, 0xa9, 0x8a, 0xd5, 0x2b, 0x78, 0xcc, - 0x8a, 0xd8, 0xbe, 0xb2, 0x84, 0x2c, 0x1d, 0x28, 0x04, 0x05, 0xbc, 0x2f, 0x6c, 0x1b, 0xea, - 0x21, 0x4a, 0x1d, 0x74, 0x2a, 0xb9, 0x96, 0xb3, 0x5b, 0x63, 0xa8, 0x2a, 0x5e, 0x47, 0x0f, - 0xa8, 0x8d, 0xbf, 0x82, 0x3c, 0xdd, 0x02, 0x40, 0x1b, 0x7b, 0x57, 0x44, 0x9a, 0xd3, 0x0d, - 0x15, 0x18, 0x24, 0x9a, 0x5f, 0x56, 0xbb, 0x98, 0x29, 0x4d, 0x4b, 0x6a, 0xc1, 0x2f, 0xfc, - 0x86, 0x94, 0x04, 0x97, 0xa5, 0xa5, 0x83, 0x7a, 0x6c, 0xf9, 0x46, 0x26, 0x2b, 0x49, 0x45, - 0x26, 0xd3, 0x28, 0xc1, 0x1e, 0x11, 0x26, 0x38, 0x0f, 0xde, 0x04, 0xc2, 0x4f, 0x91, 0x6d, - 0xec, 0x25, 0x08, 0x92, 0xdb, 0x09, 0xa6, 0xd7, 0x7c, 0xdb, 0xa3, 0x51, 0x02, 0x40, 0x77, - 0x62, 0xcd, 0x8f, 0x4d, 0x05, 0x0d, 0xa5, 0x6b, 0xd5, 0x91, 0xad, 0xb5, 0x15, 0xd2, 0x4d, - 0x7c, 0xcd, 0x32, 0xcc, 0xa0, 0xd0, 0x5f, 0x86, 0x6d, 0x58, 0x35, 0x14, 0xbd, 0x73, 0x24, - 0xd5, 0xf3, 0x36, 0x45, 0xe8, 0xed, 0x8b, 0x4a, 0x1c, 0xb3, 0xcc, 0x4a, 0x1d, 0x67, 0x98, - 0x73, 0x99, 0xf2, 0xa0, 0x9f, 0x5b, 0x3f, 0xb6, 0x8c, 0x88, 0xd5, 0xe5, 0xd9, 0x0a, 0xc3, - 0x34, 0x92, 0xd6}; -unsigned int rsa_privkey_pk8_der_len = 633; - -unsigned char dsa_privkey_pk8_der[] = { - 0x30, 0x82, 0x01, 0x4b, 0x02, 0x01, 0x00, 0x30, 0x82, 0x01, 0x2b, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x38, 0x04, 0x01, 0x30, 0x82, 0x01, 0x1e, 0x02, 0x81, 0x81, 0x00, 0xa3, 0xf3, - 0xe9, 0xb6, 0x7e, 0x7d, 0x88, 0xf6, 0xb7, 0xe5, 0xf5, 0x1f, 0x3b, 0xee, 0xac, 0xd7, 0xad, - 0xbc, 0xc9, 0xd1, 0x5a, 0xf8, 0x88, 0xc4, 0xef, 0x6e, 0x3d, 0x74, 0x19, 0x74, 0xe7, 0xd8, - 0xe0, 0x26, 0x44, 0x19, 0x86, 0xaf, 0x19, 0xdb, 0x05, 0xe9, 0x3b, 0x8b, 0x58, 0x58, 0xde, - 0xe5, 0x4f, 0x48, 0x15, 0x01, 0xea, 0xe6, 0x83, 0x52, 0xd7, 0xc1, 0x21, 0xdf, 0xb9, 0xb8, - 0x07, 0x66, 0x50, 0xfb, 0x3a, 0x0c, 0xb3, 0x85, 0xee, 0xbb, 0x04, 0x5f, 0xc2, 0x6d, 0x6d, - 0x95, 0xfa, 0x11, 0x93, 0x1e, 0x59, 0x5b, 0xb1, 0x45, 0x8d, 0xe0, 0x3d, 0x73, 0xaa, 0xf2, - 0x41, 0x14, 0x51, 0x07, 0x72, 0x3d, 0xa2, 0xf7, 0x58, 0xcd, 0x11, 0xa1, 0x32, 0xcf, 0xda, - 0x42, 0xb7, 0xcc, 0x32, 0x80, 0xdb, 0x87, 0x82, 0xec, 0x42, 0xdb, 0x5a, 0x55, 0x24, 0x24, - 0xa2, 0xd1, 0x55, 0x29, 0xad, 0xeb, 0x02, 0x15, 0x00, 0xeb, 0xea, 0x17, 0xd2, 0x09, 0xb3, - 0xd7, 0x21, 0x9a, 0x21, 0x07, 0x82, 0x8f, 0xab, 0xfe, 0x88, 0x71, 0x68, 0xf7, 0xe3, 0x02, - 0x81, 0x80, 0x19, 0x1c, 0x71, 0xfd, 0xe0, 0x03, 0x0c, 0x43, 0xd9, 0x0b, 0xf6, 0xcd, 0xd6, - 0xa9, 0x70, 0xe7, 0x37, 0x86, 0x3a, 0x78, 0xe9, 0xa7, 0x47, 0xa7, 0x47, 0x06, 0x88, 0xb1, - 0xaf, 0xd7, 0xf3, 0xf1, 0xa1, 0xd7, 0x00, 0x61, 0x28, 0x88, 0x31, 0x48, 0x60, 0xd8, 0x11, - 0xef, 0xa5, 0x24, 0x1a, 0x81, 0xc4, 0x2a, 0xe2, 0xea, 0x0e, 0x36, 0xd2, 0xd2, 0x05, 0x84, - 0x37, 0xcf, 0x32, 0x7d, 0x09, 0xe6, 0x0f, 0x8b, 0x0c, 0xc8, 0xc2, 0xa4, 0xb1, 0xdc, 0x80, - 0xca, 0x68, 0xdf, 0xaf, 0xd2, 0x90, 0xc0, 0x37, 0x58, 0x54, 0x36, 0x8f, 0x49, 0xb8, 0x62, - 0x75, 0x8b, 0x48, 0x47, 0xc0, 0xbe, 0xf7, 0x9a, 0x92, 0xa6, 0x68, 0x05, 0xda, 0x9d, 0xaf, - 0x72, 0x9a, 0x67, 0xb3, 0xb4, 0x14, 0x03, 0xae, 0x4f, 0x4c, 0x76, 0xb9, 0xd8, 0x64, 0x0a, - 0xba, 0x3b, 0xa8, 0x00, 0x60, 0x4d, 0xae, 0x81, 0xc3, 0xc5, 0x04, 0x17, 0x02, 0x15, 0x00, - 0x81, 0x9d, 0xfd, 0x53, 0x0c, 0xc1, 0x8f, 0xbe, 0x8b, 0xea, 0x00, 0x26, 0x19, 0x29, 0x33, - 0x91, 0x84, 0xbe, 0xad, 0x81}; -unsigned int dsa_privkey_pk8_der_len = 335; - -unsigned char ec_privkey_pk8_der[] = { - 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, - 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x04, - 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20, 0x73, 0x7c, 0x2e, 0xcd, 0x7b, 0x8d, - 0x19, 0x40, 0xbf, 0x29, 0x30, 0xaa, 0x9b, 0x4e, 0xd3, 0xff, 0x94, 0x1e, 0xed, 0x09, - 0x36, 0x6b, 0xc0, 0x32, 0x99, 0x98, 0x64, 0x81, 0xf3, 0xa4, 0xd8, 0x59, 0xa1, 0x44, - 0x03, 0x42, 0x00, 0x04, 0xbf, 0x85, 0xd7, 0x72, 0x0d, 0x07, 0xc2, 0x54, 0x61, 0x68, - 0x3b, 0xc6, 0x48, 0xb4, 0x77, 0x8a, 0x9a, 0x14, 0xdd, 0x8a, 0x02, 0x4e, 0x3b, 0xdd, - 0x8c, 0x7d, 0xdd, 0x9a, 0xb2, 0xb5, 0x28, 0xbb, 0xc7, 0xaa, 0x1b, 0x51, 0xf1, 0x4e, - 0xbb, 0xbb, 0x0b, 0xd0, 0xce, 0x21, 0xbc, 0xc4, 0x1c, 0x6e, 0xb0, 0x00, 0x83, 0xcf, - 0x33, 0x76, 0xd1, 0x1f, 0xd4, 0x49, 0x49, 0xe0, 0xb2, 0x18, 0x3b, 0xfe}; -unsigned int ec_privkey_pk8_der_len = 138; - -keymaster_key_param_t ec_params[] = { - keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_EC), - keymaster_param_long(KM_TAG_EC_CURVE, KM_EC_CURVE_P_521), - keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), - keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_VERIFY), - keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), - keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), -}; -keymaster_key_param_set_t ec_param_set = {ec_params, sizeof(ec_params) / sizeof(*ec_params)}; - -keymaster_key_param_t rsa_params[] = { - keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), - keymaster_param_int(KM_TAG_KEY_SIZE, 1024), - keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, 65537), - keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), - keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_VERIFY), - keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), - keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), - keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), -}; -keymaster_key_param_set_t rsa_param_set = {rsa_params, sizeof(rsa_params) / sizeof(*rsa_params)}; - -struct EVP_PKEY_Delete { - void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); } -}; - -struct EVP_PKEY_CTX_Delete { - void operator()(EVP_PKEY_CTX* p) { EVP_PKEY_CTX_free(p); } -}; - -static bool do_operation(TrustyKeymasterDevice* device, keymaster_purpose_t purpose, - keymaster_key_blob_t* key, keymaster_blob_t* input, - keymaster_blob_t* signature, keymaster_blob_t* output) { - keymaster_key_param_t params[] = { - keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), - keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), - }; - keymaster_key_param_set_t param_set = {params, sizeof(params) / sizeof(*params)}; - keymaster_operation_handle_t op_handle; - keymaster_error_t error = device->begin(purpose, key, ¶m_set, nullptr, &op_handle); - if (error != KM_ERROR_OK) { - printf("Keymaster begin() failed: %d\n", error); - return false; - } - size_t input_consumed; - error = device->update(op_handle, nullptr, input, &input_consumed, nullptr, nullptr); - if (error != KM_ERROR_OK) { - printf("Keymaster update() failed: %d\n", error); - return false; - } - if (input_consumed != input->data_length) { - // This should never happen. If it does, it's a bug in the keymaster implementation. - printf("Keymaster update() did not consume all data.\n"); - device->abort(op_handle); - return false; - } - error = device->finish(op_handle, nullptr, nullptr, signature, nullptr, output); - if (error != KM_ERROR_OK) { - printf("Keymaster finish() failed: %d\n", error); - return false; - } - return true; -} - -static bool test_import_rsa(TrustyKeymasterDevice* device) { - printf("===================\n"); - printf("= RSA Import Test =\n"); - printf("===================\n\n"); - - printf("=== Importing RSA keypair === \n"); - keymaster_key_blob_t key; - keymaster_blob_t private_key = {rsa_privkey_pk8_der, rsa_privkey_pk8_der_len}; - int error = - device->import_key(&rsa_param_set, KM_KEY_FORMAT_PKCS8, &private_key, &key, nullptr); - if (error != KM_ERROR_OK) { - printf("Error importing RSA key: %d\n\n", error); - return false; - } - std::unique_ptr key_deleter(key.key_material); - - printf("=== Signing with imported RSA key ===\n"); - size_t message_len = 1024 / 8; - std::unique_ptr message(new uint8_t[message_len]); - memset(message.get(), 'a', message_len); - keymaster_blob_t input = {message.get(), message_len}, signature; - - if (!do_operation(device, KM_PURPOSE_SIGN, &key, &input, nullptr, &signature)) { - printf("Error signing data with imported RSA key\n\n"); - return false; - } - std::unique_ptr signature_deleter(signature.data); - - printf("=== Verifying with imported RSA key === \n"); - if (!do_operation(device, KM_PURPOSE_VERIFY, &key, &input, &signature, nullptr)) { - printf("Error verifying data with imported RSA key\n\n"); - return false; - } - - printf("\n"); - return true; -} - -static bool test_rsa(TrustyKeymasterDevice* device) { - printf("============\n"); - printf("= RSA Test =\n"); - printf("============\n\n"); - - printf("=== Generating RSA key pair ===\n"); - keymaster_key_blob_t key; - int error = device->generate_key(&rsa_param_set, &key, nullptr); - if (error != KM_ERROR_OK) { - printf("Error generating RSA key pair: %d\n\n", error); - return false; - } - std::unique_ptr key_deleter(key.key_material); - - printf("=== Signing with RSA key === \n"); - size_t message_len = 1024 / 8; - std::unique_ptr message(new uint8_t[message_len]); - memset(message.get(), 'a', message_len); - keymaster_blob_t input = {message.get(), message_len}, signature; - - if (!do_operation(device, KM_PURPOSE_SIGN, &key, &input, nullptr, &signature)) { - printf("Error signing data with RSA key\n\n"); - return false; - } - std::unique_ptr signature_deleter(signature.data); - - printf("=== Verifying with RSA key === \n"); - if (!do_operation(device, KM_PURPOSE_VERIFY, &key, &input, &signature, nullptr)) { - printf("Error verifying data with RSA key\n\n"); - return false; - } - - printf("=== Exporting RSA public key ===\n"); - keymaster_blob_t exported_key; - error = device->export_key(KM_KEY_FORMAT_X509, &key, nullptr, nullptr, &exported_key); - if (error != KM_ERROR_OK) { - printf("Error exporting RSA public key: %d\n\n", error); - return false; - } - - printf("=== Verifying with exported key ===\n"); - const uint8_t* tmp = exported_key.data; - std::unique_ptr pkey( - d2i_PUBKEY(NULL, &tmp, exported_key.data_length)); - std::unique_ptr ctx(EVP_PKEY_CTX_new(pkey.get(), NULL)); - if (EVP_PKEY_verify_init(ctx.get()) != 1) { - printf("Error initializing openss EVP context\n\n"); - return false; - } - if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA) { - printf("Exported key was the wrong type?!?\n\n"); - return false; - } - - EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_NO_PADDING); - if (EVP_PKEY_verify(ctx.get(), signature.data, signature.data_length, message.get(), - message_len) != 1) { - printf("Verification with exported pubkey failed.\n\n"); - return false; - } else { - printf("Verification succeeded\n"); - } - - printf("\n"); - return true; -} - -static bool test_import_ecdsa(TrustyKeymasterDevice* device) { - printf("=====================\n"); - printf("= ECDSA Import Test =\n"); - printf("=====================\n\n"); - - printf("=== Importing ECDSA keypair === \n"); - keymaster_key_blob_t key; - keymaster_blob_t private_key = {ec_privkey_pk8_der, ec_privkey_pk8_der_len}; - int error = device->import_key(&ec_param_set, KM_KEY_FORMAT_PKCS8, &private_key, &key, nullptr); - if (error != KM_ERROR_OK) { - printf("Error importing ECDSA key: %d\n\n", error); - return false; - } - std::unique_ptr deleter(key.key_material); - - printf("=== Signing with imported ECDSA key ===\n"); - size_t message_len = 30 /* arbitrary */; - std::unique_ptr message(new uint8_t[message_len]); - memset(message.get(), 'a', message_len); - keymaster_blob_t input = {message.get(), message_len}, signature; - - if (!do_operation(device, KM_PURPOSE_SIGN, &key, &input, nullptr, &signature)) { - printf("Error signing data with imported ECDSA key\n\n"); - return false; - } - std::unique_ptr signature_deleter(signature.data); - - printf("=== Verifying with imported ECDSA key === \n"); - if (!do_operation(device, KM_PURPOSE_VERIFY, &key, &input, &signature, nullptr)) { - printf("Error verifying data with imported ECDSA key\n\n"); - return false; - } - - printf("\n"); - return true; -} - -static bool test_ecdsa(TrustyKeymasterDevice* device) { - printf("==============\n"); - printf("= ECDSA Test =\n"); - printf("==============\n\n"); - - printf("=== Generating ECDSA key pair ===\n"); - keymaster_key_blob_t key; - int error = device->generate_key(&ec_param_set, &key, nullptr); - if (error != KM_ERROR_OK) { - printf("Error generating ECDSA key pair: %d\n\n", error); - return false; - } - std::unique_ptr key_deleter(key.key_material); - - printf("=== Signing with ECDSA key === \n"); - size_t message_len = 30 /* arbitrary */; - std::unique_ptr message(new uint8_t[message_len]); - memset(message.get(), 'a', message_len); - keymaster_blob_t input = {message.get(), message_len}, signature; - - if (!do_operation(device, KM_PURPOSE_SIGN, &key, &input, nullptr, &signature)) { - printf("Error signing data with ECDSA key\n\n"); - return false; - } - std::unique_ptr signature_deleter(signature.data); - - printf("=== Verifying with ECDSA key === \n"); - if (!do_operation(device, KM_PURPOSE_VERIFY, &key, &input, &signature, nullptr)) { - printf("Error verifying data with ECDSA key\n\n"); - return false; - } - - printf("=== Exporting ECDSA public key ===\n"); - keymaster_blob_t exported_key; - error = device->export_key(KM_KEY_FORMAT_X509, &key, nullptr, nullptr, &exported_key); - if (error != KM_ERROR_OK) { - printf("Error exporting ECDSA public key: %d\n\n", error); - return false; - } - - printf("=== Verifying with exported key ===\n"); - const uint8_t* tmp = exported_key.data; - std::unique_ptr pkey( - d2i_PUBKEY(NULL, &tmp, exported_key.data_length)); - std::unique_ptr ctx(EVP_PKEY_CTX_new(pkey.get(), NULL)); - if (EVP_PKEY_verify_init(ctx.get()) != 1) { - printf("Error initializing openssl EVP context\n\n"); - return false; - } - if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) { - printf("Exported key was the wrong type?!?\n\n"); - return false; - } - - if (EVP_PKEY_verify(ctx.get(), signature.data, signature.data_length, message.get(), - message_len) != 1) { - printf("Verification with exported pubkey failed.\n\n"); - return false; - } else { - printf("Verification succeeded\n"); - } - - printf("\n"); - return true; -} - -int main(void) { - TrustyKeymasterDevice device(NULL); - keymaster::ConfigureDevice(reinterpret_cast(&device)); - if (device.session_error() != KM_ERROR_OK) { - printf("Failed to initialize Trusty session: %d\n", device.session_error()); - return 1; - } - printf("Trusty session initialized\n"); - - bool success = true; - success &= test_rsa(&device); - success &= test_import_rsa(&device); - success &= test_ecdsa(&device); - success &= test_import_ecdsa(&device); - - if (success) { - printf("\nTESTS PASSED!\n"); - } else { - printf("\n!!!!TESTS FAILED!!!\n"); - } - - return success ? 0 : 1; -}