Move keymaster test fixture to utils, so we can reuse it.
Change-Id: I7e080326a97712bc1b6810e7231ecf78b7d4e28f
diff --git a/google_keymaster_test.cpp b/google_keymaster_test.cpp
index aaf7425..931a9e1 100644
--- a/google_keymaster_test.cpp
+++ b/google_keymaster_test.cpp
@@ -14,13 +14,10 @@
* limitations under the License.
*/
-#include <algorithm>
#include <fstream>
#include <string>
#include <vector>
-#include <gtest/gtest.h>
-
#include <openssl/engine.h>
#include <keymaster/google_keymaster_utils.h>
@@ -60,378 +57,14 @@
namespace keymaster {
namespace test {
-inline string make_string(const uint8_t* data, size_t length) {
- return string(reinterpret_cast<const char*>(data), length);
-}
-
-template <size_t N> string make_string(const uint8_t(&a)[N]) {
- return make_string(a, N);
-}
-
-static string make_string(const uint8_t(&)[0]) {
- return string();
-}
-
StdoutLogger logger;
-const uint64_t OP_HANDLE_SENTINEL = 0xFFFFFFFFFFFFFFFF;
-class KeymasterTest : public testing::Test {
+class KeymasterTest : public Keymaster1Test {
protected:
- KeymasterTest() : op_handle_(OP_HANDLE_SENTINEL), characteristics_(NULL) {
- blob_.key_material = NULL;
- RAND_seed("foobar", 6);
- blob_.key_material = 0;
+ KeymasterTest() {
+ SoftKeymasterDevice* device = new SoftKeymasterDevice;
+ init(device->keymaster_device());
}
-
- ~KeymasterTest() {
- FreeCharacteristics();
- FreeKeyBlob();
- }
-
- keymaster1_device_t* device() {
- return reinterpret_cast<keymaster1_device_t*>(device_.hw_device());
- }
-
- keymaster_error_t GenerateKey(const AuthorizationSetBuilder& builder) {
- AuthorizationSet params(builder.build());
- params.push_back(UserAuthParams());
- params.push_back(ClientParams());
-
- FreeKeyBlob();
- FreeCharacteristics();
- return device()->generate_key(device(), params.data(), params.size(), &blob_,
- &characteristics_);
- }
-
- keymaster_error_t ImportKey(const AuthorizationSetBuilder& builder,
- keymaster_key_format_t format, const string& key_material) {
- AuthorizationSet params(builder.build());
- params.push_back(UserAuthParams());
- params.push_back(ClientParams());
-
- FreeKeyBlob();
- FreeCharacteristics();
- return device()->import_key(device(), params.data(), params.size(), format,
- reinterpret_cast<const uint8_t*>(key_material.c_str()),
- key_material.length(), &blob_, &characteristics_);
- }
-
- AuthorizationSet UserAuthParams() {
- AuthorizationSet set;
- set.push_back(TAG_USER_ID, 7);
- set.push_back(TAG_USER_AUTH_ID, 8);
- set.push_back(TAG_AUTH_TIMEOUT, 300);
- return set;
- }
-
- AuthorizationSet ClientParams() {
- AuthorizationSet set;
- set.push_back(TAG_APPLICATION_ID, "app_id", 6);
- return set;
- }
-
- keymaster_error_t BeginOperation(keymaster_purpose_t purpose) {
- keymaster_key_param_t* out_params = NULL;
- size_t out_params_count = 0;
- keymaster_error_t error =
- device()->begin(device(), purpose, &blob_, client_params_, array_length(client_params_),
- &out_params, &out_params_count, &op_handle_);
- EXPECT_EQ(0, out_params_count);
- EXPECT_TRUE(out_params == NULL);
- return error;
- }
-
- keymaster_error_t BeginOperation(keymaster_purpose_t purpose, const AuthorizationSet& input_set,
- AuthorizationSet* output_set = NULL) {
- AuthorizationSet additional_params(client_params_, array_length(client_params_));
- additional_params.push_back(input_set);
-
- keymaster_key_param_t* out_params;
- size_t out_params_count;
- keymaster_error_t error =
- device()->begin(device(), purpose, &blob_, additional_params.data(),
- additional_params.size(), &out_params, &out_params_count, &op_handle_);
- if (output_set) {
- output_set->Reinitialize(out_params, out_params_count);
- } else {
- EXPECT_EQ(0, out_params_count);
- EXPECT_TRUE(out_params == NULL);
- }
- keymaster_free_param_values(out_params, out_params_count);
- free(out_params);
- return error;
- }
-
- keymaster_error_t UpdateOperation(const string& message, string* output,
- size_t* input_consumed) {
- uint8_t* out_tmp = NULL;
- size_t out_length;
- EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
- keymaster_error_t error =
- device()->update(device(), op_handle_, NULL /* params */, 0 /* params_count */,
- reinterpret_cast<const uint8_t*>(message.c_str()), message.length(),
- input_consumed, &out_tmp, &out_length);
- if (out_tmp)
- output->append(reinterpret_cast<char*>(out_tmp), out_length);
- free(out_tmp);
- return error;
- }
-
- keymaster_error_t UpdateOperation(const AuthorizationSet& additional_params,
- const string& message, string* output,
- size_t* input_consumed) {
- uint8_t* out_tmp = NULL;
- size_t out_length;
- EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
- keymaster_error_t error = device()->update(
- device(), op_handle_, additional_params.data(), additional_params.size(),
- reinterpret_cast<const uint8_t*>(message.c_str()), message.length(), input_consumed,
- &out_tmp, &out_length);
- if (out_tmp)
- output->append(reinterpret_cast<char*>(out_tmp), out_length);
- free(out_tmp);
- return error;
- }
-
- keymaster_error_t FinishOperation(string* output) { return FinishOperation("", output); }
-
- keymaster_error_t FinishOperation(const string& signature, string* output) {
- AuthorizationSet additional_params;
- return FinishOperation(additional_params, signature, output);
- }
-
- keymaster_error_t FinishOperation(const AuthorizationSet& additional_params,
- const string& signature, string* output) {
- uint8_t* out_tmp = NULL;
- size_t out_length;
- keymaster_error_t error = device()->finish(
- device(), op_handle_, additional_params.data(), additional_params.size(),
- reinterpret_cast<const uint8_t*>(signature.c_str()), signature.length(), &out_tmp,
- &out_length);
- if (out_tmp)
- output->append(reinterpret_cast<char*>(out_tmp), out_length);
- free(out_tmp);
- return error;
- }
-
- template <typename T>
- bool ResponseContains(const vector<T>& expected, const T* values, size_t len) {
- return expected.size() == len &&
- std::is_permutation(values, values + len, expected.begin());
- }
-
- template <typename T> bool ResponseContains(T expected, const T* values, size_t len) {
- return (len == 1 && *values == expected);
- }
-
- keymaster_error_t AbortOperation() { return device()->abort(device(), op_handle_); }
-
- string ProcessMessage(keymaster_purpose_t purpose, const string& message) {
- AuthorizationSet input_params;
- EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
-
- string result;
- size_t input_consumed;
- EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
- EXPECT_EQ(message.size(), input_consumed);
- EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
- return result;
- }
-
- string ProcessMessage(keymaster_purpose_t purpose, const string& message,
- const AuthorizationSet& begin_params,
- const AuthorizationSet& update_params,
- AuthorizationSet* output_params = NULL) {
- EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params, output_params));
-
- string result;
- size_t input_consumed;
- EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &result, &input_consumed));
- EXPECT_EQ(message.size(), input_consumed);
- EXPECT_EQ(KM_ERROR_OK, FinishOperation(update_params, "", &result));
- return result;
- }
-
- string ProcessMessage(keymaster_purpose_t purpose, const string& message,
- const string& signature) {
- AuthorizationSet input_params;
- EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
-
- string result;
- size_t input_consumed;
- EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
- EXPECT_EQ(message.size(), input_consumed);
- EXPECT_EQ(KM_ERROR_OK, FinishOperation(signature, &result));
- return result;
- }
-
- void SignMessage(const string& message, string* signature) {
- SCOPED_TRACE("SignMessage");
- *signature = ProcessMessage(KM_PURPOSE_SIGN, message);
- EXPECT_GT(signature->size(), 0);
- }
-
- void VerifyMessage(const string& message, const string& signature) {
- SCOPED_TRACE("VerifyMessage");
- ProcessMessage(KM_PURPOSE_VERIFY, message, signature);
- }
-
- string EncryptMessage(const string& message, string* generated_nonce = NULL) {
- AuthorizationSet update_params;
- return EncryptMessage(update_params, message, generated_nonce);
- }
-
- string EncryptMessage(const AuthorizationSet& update_params, const string& message,
- string* generated_nonce = NULL) {
- SCOPED_TRACE("EncryptMessage");
- AuthorizationSet begin_params, output_params;
- string ciphertext = ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params,
- &output_params);
- if (generated_nonce) {
- keymaster_blob_t nonce_blob;
- EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
- *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
- } else {
- EXPECT_EQ(-1, output_params.find(TAG_NONCE));
- }
- return ciphertext;
- }
-
- string EncryptMessageWithParams(const string& message, const AuthorizationSet& begin_params,
- const AuthorizationSet& update_params,
- AuthorizationSet* output_params) {
- SCOPED_TRACE("EncryptMessageWithParams");
- return ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params,
- output_params);
- }
-
- string DecryptMessage(const string& ciphertext) {
- SCOPED_TRACE("DecryptMessage");
- return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext);
- }
-
- string DecryptMessage(const string& ciphertext, const string& nonce) {
- SCOPED_TRACE("DecryptMessage");
- AuthorizationSet update_params;
- return DecryptMessage(update_params, ciphertext, nonce);
- }
-
- string DecryptMessage(const AuthorizationSet& update_params, const string& ciphertext,
- const string& nonce) {
- SCOPED_TRACE("DecryptMessage");
- AuthorizationSet begin_params;
- begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
- return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
- }
-
- keymaster_error_t GetCharacteristics() {
- FreeCharacteristics();
- return device()->get_key_characteristics(device(), &blob_, &client_id_, NULL /* app_data */,
- &characteristics_);
- }
-
- keymaster_error_t ExportKey(keymaster_key_format_t format, string* export_data) {
- uint8_t* export_data_tmp;
- size_t export_data_length;
-
- keymaster_error_t error =
- device()->export_key(device(), format, &blob_, &client_id_, NULL /* app_data */,
- &export_data_tmp, &export_data_length);
-
- if (error != KM_ERROR_OK)
- return error;
-
- *export_data = string(reinterpret_cast<char*>(export_data_tmp), export_data_length);
- free(export_data_tmp);
- return error;
- }
-
- keymaster_error_t GetVersion(uint8_t* major, uint8_t* minor, uint8_t* subminor) {
- GetVersionRequest request;
- GetVersionResponse response;
- device_.GetVersion(request, &response);
- if (response.error != KM_ERROR_OK)
- return response.error;
- *major = response.major_ver;
- *minor = response.minor_ver;
- *subminor = response.subminor_ver;
- return response.error;
- }
-
- keymaster_error_t Rescope(const AuthorizationSet& new_params,
- keymaster_key_blob_t* rescoped_blob,
- keymaster_key_characteristics_t** rescoped_characteristics) {
- return device()->rescope(device(), new_params.data(), new_params.size(), &blob_,
- &client_id_, NULL /* app data */, rescoped_blob,
- rescoped_characteristics);
- }
-
- void CheckHmacTestVector(string key, string message, keymaster_digest_t digest,
- string expected_mac) {
- ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder().HmacKey(key.size() * 8, digest,
- expected_mac.size()),
- KM_KEY_FORMAT_RAW, key));
- string signature;
- SignMessage(message, &signature);
- EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << digest;
- }
-
- void CheckAesOcbTestVector(const string& key, const string& nonce,
- const string& associated_data, const string& message,
- const string& expected_ciphertext) {
- ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
- .AesEncryptionKey(key.size() * 8)
- .OcbMode(4096 /* chunk length */, 16 /* tag length */)
- .Authorization(TAG_CALLER_NONCE),
- KM_KEY_FORMAT_RAW, key));
-
- AuthorizationSet begin_params, update_params, output_params;
- begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
- update_params.push_back(TAG_ASSOCIATED_DATA, associated_data.data(),
- associated_data.size());
- string ciphertext =
- EncryptMessageWithParams(message, begin_params, update_params, &output_params);
- EXPECT_EQ(expected_ciphertext, ciphertext);
- }
-
- AuthorizationSet hw_enforced() {
- EXPECT_TRUE(characteristics_ != NULL);
- return AuthorizationSet(characteristics_->hw_enforced);
- }
-
- AuthorizationSet sw_enforced() {
- EXPECT_TRUE(characteristics_ != NULL);
- return AuthorizationSet(characteristics_->sw_enforced);
- }
-
- void FreeCharacteristics() {
- keymaster_free_characteristics(characteristics_);
- free(characteristics_);
- characteristics_ = NULL;
- }
-
- void FreeKeyBlob() {
- free(const_cast<uint8_t*>(blob_.key_material));
- blob_.key_material = NULL;
- }
-
- void corrupt_key_blob() {
- assert(blob_.key_material);
- uint8_t* tmp = const_cast<uint8_t*>(blob_.key_material);
- ++tmp[blob_.key_material_size / 2];
- }
-
- private:
- SoftKeymasterDevice device_;
- keymaster_blob_t client_id_ = {.data = reinterpret_cast<const uint8_t*>("app_id"),
- .data_length = 6};
- keymaster_key_param_t client_params_[1] = {
- Authorization(TAG_APPLICATION_ID, client_id_.data, client_id_.data_length)};
-
- uint64_t op_handle_;
-
- keymaster_key_blob_t blob_;
- keymaster_key_characteristics_t* characteristics_;
};
typedef KeymasterTest CheckSupported;
@@ -1561,15 +1194,6 @@
VerifyMessage(message, signature);
}
-typedef KeymasterTest VersionTest;
-TEST_F(VersionTest, GetVersion) {
- uint8_t major, minor, subminor;
- ASSERT_EQ(KM_ERROR_OK, GetVersion(&major, &minor, &subminor));
- EXPECT_EQ(1, major);
- EXPECT_EQ(0, minor);
- EXPECT_EQ(0, subminor);
-}
-
typedef KeymasterTest EncryptionOperationsTest;
TEST_F(EncryptionOperationsTest, RsaOaepSuccess) {
ASSERT_EQ(KM_ERROR_OK,
diff --git a/google_keymaster_test_utils.cpp b/google_keymaster_test_utils.cpp
index ce14330..7cda08a 100644
--- a/google_keymaster_test_utils.cpp
+++ b/google_keymaster_test_utils.cpp
@@ -16,6 +16,18 @@
#include "google_keymaster_test_utils.h"
+#include <algorithm>
+
+#include <openssl/rand.h>
+
+#include <keymaster/google_keymaster_messages.h>
+#include <keymaster/google_keymaster_utils.h>
+
+using std::is_permutation;
+using std::ostream;
+using std::string;
+using std::vector;
+
std::ostream& operator<<(std::ostream& os, const keymaster_key_param_t& param) {
os << "Tag: " << keymaster_tag_mask_type(param.tag);
switch (keymaster_tag_get_type(param.tag)) {
@@ -109,4 +121,337 @@
return os;
}
+namespace test {
+
+Keymaster1Test::Keymaster1Test()
+ : device_(NULL), op_handle_(OP_HANDLE_SENTINEL), characteristics_(NULL) {
+ blob_.key_material = NULL;
+ RAND_seed("foobar", 6);
+ blob_.key_material = 0;
+}
+
+Keymaster1Test::~Keymaster1Test() {
+ FreeCharacteristics();
+ FreeKeyBlob();
+ device_->common.close(reinterpret_cast<hw_device_t*>(device_));
+}
+
+keymaster1_device_t* Keymaster1Test::device() {
+ return device_;
+}
+
+keymaster_error_t Keymaster1Test::GenerateKey(const AuthorizationSetBuilder& builder) {
+ AuthorizationSet params(builder.build());
+ params.push_back(UserAuthParams());
+ params.push_back(ClientParams());
+
+ FreeKeyBlob();
+ FreeCharacteristics();
+ return device()->generate_key(device(), params.data(), params.size(), &blob_,
+ &characteristics_);
+}
+
+keymaster_error_t Keymaster1Test::ImportKey(const AuthorizationSetBuilder& builder,
+ keymaster_key_format_t format,
+ const string& key_material) {
+ AuthorizationSet params(builder.build());
+ params.push_back(UserAuthParams());
+ params.push_back(ClientParams());
+
+ FreeKeyBlob();
+ FreeCharacteristics();
+ return device()->import_key(device(), params.data(), params.size(), format,
+ reinterpret_cast<const uint8_t*>(key_material.c_str()),
+ key_material.length(), &blob_, &characteristics_);
+}
+
+AuthorizationSet Keymaster1Test::UserAuthParams() {
+ AuthorizationSet set;
+ set.push_back(TAG_USER_ID, 7);
+ set.push_back(TAG_USER_AUTH_ID, 8);
+ set.push_back(TAG_AUTH_TIMEOUT, 300);
+ return set;
+}
+
+AuthorizationSet Keymaster1Test::ClientParams() {
+ AuthorizationSet set;
+ set.push_back(TAG_APPLICATION_ID, "app_id", 6);
+ return set;
+}
+
+keymaster_error_t Keymaster1Test::BeginOperation(keymaster_purpose_t purpose) {
+ keymaster_key_param_t* out_params = NULL;
+ size_t out_params_count = 0;
+ keymaster_error_t error =
+ device()->begin(device(), purpose, &blob_, client_params_, array_length(client_params_),
+ &out_params, &out_params_count, &op_handle_);
+ EXPECT_EQ(0, out_params_count);
+ EXPECT_TRUE(out_params == NULL);
+ return error;
+}
+
+keymaster_error_t Keymaster1Test::BeginOperation(keymaster_purpose_t purpose,
+ const AuthorizationSet& input_set,
+ AuthorizationSet* output_set) {
+ AuthorizationSet additional_params(client_params_, array_length(client_params_));
+ additional_params.push_back(input_set);
+
+ keymaster_key_param_t* out_params;
+ size_t out_params_count;
+ keymaster_error_t error =
+ device()->begin(device(), purpose, &blob_, additional_params.data(),
+ additional_params.size(), &out_params, &out_params_count, &op_handle_);
+ if (error == KM_ERROR_OK) {
+ if (output_set) {
+ output_set->Reinitialize(out_params, out_params_count);
+ } else {
+ EXPECT_EQ(0, out_params_count);
+ EXPECT_TRUE(out_params == NULL);
+ }
+ keymaster_free_param_values(out_params, out_params_count);
+ free(out_params);
+ }
+ return error;
+}
+
+keymaster_error_t Keymaster1Test::UpdateOperation(const string& message, string* output,
+ size_t* input_consumed) {
+ uint8_t* out_tmp = NULL;
+ size_t out_length;
+ EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
+ keymaster_error_t error =
+ device()->update(device(), op_handle_, NULL /* params */, 0 /* params_count */,
+ reinterpret_cast<const uint8_t*>(message.c_str()), message.length(),
+ input_consumed, &out_tmp, &out_length);
+ if (error == KM_ERROR_OK && out_tmp)
+ output->append(reinterpret_cast<char*>(out_tmp), out_length);
+ free(out_tmp);
+ return error;
+}
+
+keymaster_error_t Keymaster1Test::UpdateOperation(const AuthorizationSet& additional_params,
+ const string& message, string* output,
+ size_t* input_consumed) {
+ uint8_t* out_tmp = NULL;
+ size_t out_length;
+ EXPECT_NE(op_handle_, OP_HANDLE_SENTINEL);
+ keymaster_error_t error =
+ device()->update(device(), op_handle_, additional_params.data(), additional_params.size(),
+ reinterpret_cast<const uint8_t*>(message.c_str()), message.length(),
+ input_consumed, &out_tmp, &out_length);
+ if (error == KM_ERROR_OK && out_tmp)
+ output->append(reinterpret_cast<char*>(out_tmp), out_length);
+ free(out_tmp);
+ return error;
+}
+
+keymaster_error_t Keymaster1Test::FinishOperation(string* output) {
+ return FinishOperation("", output);
+}
+
+keymaster_error_t Keymaster1Test::FinishOperation(const string& signature, string* output) {
+ AuthorizationSet additional_params;
+ return FinishOperation(additional_params, signature, output);
+}
+
+keymaster_error_t Keymaster1Test::FinishOperation(const AuthorizationSet& additional_params,
+ const string& signature, string* output) {
+ uint8_t* out_tmp = NULL;
+ size_t out_length;
+ keymaster_error_t error =
+ device()->finish(device(), op_handle_, additional_params.data(), additional_params.size(),
+ reinterpret_cast<const uint8_t*>(signature.c_str()), signature.length(),
+ &out_tmp, &out_length);
+ if (out_tmp)
+ output->append(reinterpret_cast<char*>(out_tmp), out_length);
+ free(out_tmp);
+ return error;
+}
+
+keymaster_error_t Keymaster1Test::AbortOperation() {
+ return device()->abort(device(), op_handle_);
+}
+
+string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message) {
+ AuthorizationSet input_params;
+ EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
+
+ string result;
+ size_t input_consumed;
+ EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
+ EXPECT_EQ(message.size(), input_consumed);
+ EXPECT_EQ(KM_ERROR_OK, FinishOperation(&result));
+ return result;
+}
+
+string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
+ const AuthorizationSet& begin_params,
+ const AuthorizationSet& update_params,
+ AuthorizationSet* output_params) {
+ EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, begin_params, output_params));
+
+ string result;
+ size_t input_consumed;
+ EXPECT_EQ(KM_ERROR_OK, UpdateOperation(update_params, message, &result, &input_consumed));
+ EXPECT_EQ(message.size(), input_consumed);
+ EXPECT_EQ(KM_ERROR_OK, FinishOperation(update_params, "", &result));
+ return result;
+}
+
+string Keymaster1Test::ProcessMessage(keymaster_purpose_t purpose, const string& message,
+ const string& signature) {
+ AuthorizationSet input_params;
+ EXPECT_EQ(KM_ERROR_OK, BeginOperation(purpose, input_params, NULL /* output_params */));
+
+ string result;
+ size_t input_consumed;
+ EXPECT_EQ(KM_ERROR_OK, UpdateOperation(message, &result, &input_consumed));
+ EXPECT_EQ(message.size(), input_consumed);
+ EXPECT_EQ(KM_ERROR_OK, FinishOperation(signature, &result));
+ return result;
+}
+
+void Keymaster1Test::SignMessage(const string& message, string* signature) {
+ SCOPED_TRACE("SignMessage");
+ *signature = ProcessMessage(KM_PURPOSE_SIGN, message);
+ EXPECT_GT(signature->size(), 0);
+}
+
+void Keymaster1Test::VerifyMessage(const string& message, const string& signature) {
+ SCOPED_TRACE("VerifyMessage");
+ ProcessMessage(KM_PURPOSE_VERIFY, message, signature);
+}
+
+string Keymaster1Test::EncryptMessage(const string& message, string* generated_nonce) {
+ AuthorizationSet update_params;
+ return EncryptMessage(update_params, message, generated_nonce);
+}
+
+string Keymaster1Test::EncryptMessage(const AuthorizationSet& update_params, const string& message,
+ string* generated_nonce) {
+ SCOPED_TRACE("EncryptMessage");
+ AuthorizationSet begin_params, output_params;
+ string ciphertext =
+ ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, &output_params);
+ if (generated_nonce) {
+ keymaster_blob_t nonce_blob;
+ EXPECT_TRUE(output_params.GetTagValue(TAG_NONCE, &nonce_blob));
+ *generated_nonce = make_string(nonce_blob.data, nonce_blob.data_length);
+ } else {
+ EXPECT_EQ(-1, output_params.find(TAG_NONCE));
+ }
+ return ciphertext;
+}
+
+string Keymaster1Test::EncryptMessageWithParams(const string& message,
+ const AuthorizationSet& begin_params,
+ const AuthorizationSet& update_params,
+ AuthorizationSet* output_params) {
+ SCOPED_TRACE("EncryptMessageWithParams");
+ return ProcessMessage(KM_PURPOSE_ENCRYPT, message, begin_params, update_params, output_params);
+}
+
+string Keymaster1Test::DecryptMessage(const string& ciphertext) {
+ SCOPED_TRACE("DecryptMessage");
+ return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext);
+}
+
+string Keymaster1Test::DecryptMessage(const string& ciphertext, const string& nonce) {
+ SCOPED_TRACE("DecryptMessage");
+ AuthorizationSet update_params;
+ return DecryptMessage(update_params, ciphertext, nonce);
+}
+
+string Keymaster1Test::DecryptMessage(const AuthorizationSet& update_params,
+ const string& ciphertext, const string& nonce) {
+ SCOPED_TRACE("DecryptMessage");
+ AuthorizationSet begin_params;
+ begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
+ return ProcessMessage(KM_PURPOSE_DECRYPT, ciphertext, begin_params, update_params);
+}
+
+keymaster_error_t Keymaster1Test::GetCharacteristics() {
+ FreeCharacteristics();
+ return device()->get_key_characteristics(device(), &blob_, &client_id_, NULL /* app_data */,
+ &characteristics_);
+}
+
+keymaster_error_t Keymaster1Test::ExportKey(keymaster_key_format_t format, string* export_data) {
+ uint8_t* export_data_tmp;
+ size_t export_data_length;
+
+ keymaster_error_t error =
+ device()->export_key(device(), format, &blob_, &client_id_, NULL /* app_data */,
+ &export_data_tmp, &export_data_length);
+
+ if (error != KM_ERROR_OK)
+ return error;
+
+ *export_data = string(reinterpret_cast<char*>(export_data_tmp), export_data_length);
+ free(export_data_tmp);
+ return error;
+}
+
+keymaster_error_t
+Keymaster1Test::Rescope(const AuthorizationSet& new_params, keymaster_key_blob_t* rescoped_blob,
+ keymaster_key_characteristics_t** rescoped_characteristics) {
+ return device()->rescope(device(), new_params.data(), new_params.size(), &blob_, &client_id_,
+ NULL /* app data */, rescoped_blob, rescoped_characteristics);
+}
+
+void Keymaster1Test::CheckHmacTestVector(string key, string message, keymaster_digest_t digest,
+ string expected_mac) {
+ ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder().HmacKey(key.size() * 8, digest,
+ expected_mac.size()),
+ KM_KEY_FORMAT_RAW, key));
+ string signature;
+ SignMessage(message, &signature);
+ EXPECT_EQ(expected_mac, signature) << "Test vector didn't match for digest " << digest;
+}
+
+void Keymaster1Test::CheckAesOcbTestVector(const string& key, const string& nonce,
+ const string& associated_data, const string& message,
+ const string& expected_ciphertext) {
+ ASSERT_EQ(KM_ERROR_OK, ImportKey(AuthorizationSetBuilder()
+ .AesEncryptionKey(key.size() * 8)
+ .OcbMode(4096 /* chunk length */, 16 /* tag length */)
+ .Authorization(TAG_CALLER_NONCE),
+ KM_KEY_FORMAT_RAW, key));
+
+ AuthorizationSet begin_params, update_params, output_params;
+ begin_params.push_back(TAG_NONCE, nonce.data(), nonce.size());
+ update_params.push_back(TAG_ASSOCIATED_DATA, associated_data.data(), associated_data.size());
+ string ciphertext =
+ EncryptMessageWithParams(message, begin_params, update_params, &output_params);
+ EXPECT_EQ(expected_ciphertext, ciphertext);
+}
+
+AuthorizationSet Keymaster1Test::hw_enforced() {
+ EXPECT_TRUE(characteristics_ != NULL);
+ return AuthorizationSet(characteristics_->hw_enforced);
+}
+
+AuthorizationSet Keymaster1Test::sw_enforced() {
+ EXPECT_TRUE(characteristics_ != NULL);
+ return AuthorizationSet(characteristics_->sw_enforced);
+}
+
+void Keymaster1Test::FreeCharacteristics() {
+ keymaster_free_characteristics(characteristics_);
+ free(characteristics_);
+ characteristics_ = NULL;
+}
+
+void Keymaster1Test::FreeKeyBlob() {
+ free(const_cast<uint8_t*>(blob_.key_material));
+ blob_.key_material = NULL;
+}
+
+void Keymaster1Test::corrupt_key_blob() {
+ assert(blob_.key_material);
+ uint8_t* tmp = const_cast<uint8_t*>(blob_.key_material);
+ ++tmp[blob_.key_material_size / 2];
+}
+
+} // namespace test
} // namespace keymaster
diff --git a/google_keymaster_test_utils.h b/google_keymaster_test_utils.h
index ee59c6e..c4856f3 100644
--- a/google_keymaster_test_utils.h
+++ b/google_keymaster_test_utils.h
@@ -23,8 +23,14 @@
#include <stdarg.h>
+#include <algorithm>
#include <ostream>
+#include <string>
+#include <vector>
+#include <gtest/gtest.h>
+
+#include <hardware/keymaster1.h>
#include <hardware/keymaster_defs.h>
#include <keymaster/authorization_set.h>
#include <keymaster/logger.h>
@@ -129,6 +135,120 @@
}
};
+inline std::string make_string(const uint8_t* data, size_t length) {
+ return std::string(reinterpret_cast<const char*>(data), length);
+}
+
+template <size_t N> std::string make_string(const uint8_t(&a)[N]) {
+ return make_string(a, N);
+}
+
+const uint64_t OP_HANDLE_SENTINEL = 0xFFFFFFFFFFFFFFFF;
+class Keymaster1Test : public testing::Test {
+ protected:
+ Keymaster1Test();
+ ~Keymaster1Test();
+
+ void init(keymaster1_device_t* device) { device_ = device; }
+
+ keymaster1_device_t* device();
+
+ keymaster_error_t GenerateKey(const AuthorizationSetBuilder& builder);
+
+ keymaster_error_t ImportKey(const AuthorizationSetBuilder& builder,
+ keymaster_key_format_t format, const std::string& key_material);
+
+ keymaster_error_t ExportKey(keymaster_key_format_t format, std::string* export_data);
+
+ keymaster_error_t GetCharacteristics();
+
+ keymaster_error_t BeginOperation(keymaster_purpose_t purpose);
+ keymaster_error_t BeginOperation(keymaster_purpose_t purpose, const AuthorizationSet& input_set,
+ AuthorizationSet* output_set = NULL);
+
+ keymaster_error_t UpdateOperation(const std::string& message, std::string* output,
+ size_t* input_consumed);
+ keymaster_error_t UpdateOperation(const AuthorizationSet& additional_params,
+ const std::string& message, std::string* output,
+ size_t* input_consumed);
+
+ keymaster_error_t FinishOperation(std::string* output);
+ keymaster_error_t FinishOperation(const std::string& signature, std::string* output);
+ keymaster_error_t FinishOperation(const AuthorizationSet& additional_params,
+ const std::string& signature, std::string* output);
+
+ keymaster_error_t AbortOperation();
+
+ keymaster_error_t GetVersion(uint8_t* major, uint8_t* minor, uint8_t* subminor);
+
+ keymaster_error_t Rescope(const AuthorizationSet& new_params,
+ keymaster_key_blob_t* rescoped_blob,
+ keymaster_key_characteristics_t** rescoped_characteristics);
+ std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message);
+ std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message,
+ const AuthorizationSet& begin_params,
+ const AuthorizationSet& update_params,
+ AuthorizationSet* output_params = NULL);
+ std::string ProcessMessage(keymaster_purpose_t purpose, const std::string& message,
+ const std::string& signature);
+
+ void SignMessage(const std::string& message, std::string* signature);
+
+ void VerifyMessage(const std::string& message, const std::string& signature);
+
+ std::string EncryptMessage(const std::string& message, std::string* generated_nonce = NULL);
+ std::string EncryptMessage(const AuthorizationSet& update_params, const std::string& message,
+ std::string* generated_nonce = NULL);
+ std::string EncryptMessageWithParams(const std::string& message,
+ const AuthorizationSet& begin_params,
+ const AuthorizationSet& update_params,
+ AuthorizationSet* output_params);
+
+ std::string DecryptMessage(const std::string& ciphertext);
+ std::string DecryptMessage(const std::string& ciphertext, const std::string& nonce);
+ std::string DecryptMessage(const AuthorizationSet& update_params, const std::string& ciphertext,
+ const std::string& nonce);
+
+ void CheckHmacTestVector(std::string key, std::string message, keymaster_digest_t digest,
+ std::string expected_mac);
+ void CheckAesOcbTestVector(const std::string& key, const std::string& nonce,
+ const std::string& associated_data, const std::string& message,
+ const std::string& expected_ciphertext);
+
+ AuthorizationSet UserAuthParams();
+ AuthorizationSet ClientParams();
+
+ template <typename T>
+ bool ResponseContains(const std::vector<T>& expected, const T* values, size_t len) {
+ return expected.size() == len &&
+ std::is_permutation(values, values + len, expected.begin());
+ }
+
+ template <typename T> bool ResponseContains(T expected, const T* values, size_t len) {
+ return (len == 1 && *values == expected);
+ }
+
+ AuthorizationSet hw_enforced();
+ AuthorizationSet sw_enforced();
+
+ void FreeCharacteristics();
+ void FreeKeyBlob();
+
+ void corrupt_key_blob();
+
+ private:
+ keymaster1_device_t* device_;
+ keymaster_blob_t client_id_ = {.data = reinterpret_cast<const uint8_t*>("app_id"),
+ .data_length = 6};
+ keymaster_key_param_t client_params_[1] = {
+ Authorization(TAG_APPLICATION_ID, client_id_.data, client_id_.data_length)};
+
+ uint64_t op_handle_;
+
+ keymaster_key_blob_t blob_;
+ keymaster_key_characteristics_t* characteristics_;
+};
+
} // namespace test
} // namespace keymaster
diff --git a/include/keymaster/soft_keymaster_device.h b/include/keymaster/soft_keymaster_device.h
index 565210c..0a1e2f3 100644
--- a/include/keymaster/soft_keymaster_device.h
+++ b/include/keymaster/soft_keymaster_device.h
@@ -43,6 +43,7 @@
SoftKeymasterDevice();
hw_device_t* hw_device();
+ keymaster1_device_t* keymaster_device();
// Public only for testing
void GetVersion(const GetVersionRequest& req, GetVersionResponse* rsp) {
diff --git a/soft_keymaster_device.cpp b/soft_keymaster_device.cpp
index c3ad466..e5c3e5d 100644
--- a/soft_keymaster_device.cpp
+++ b/soft_keymaster_device.cpp
@@ -118,6 +118,10 @@
return &device_.common;
}
+keymaster1_device_t* SoftKeymasterDevice::keymaster_device() {
+ return &device_;
+}
+
static keymaster_key_characteristics_t* BuildCharacteristics(const AuthorizationSet& hw_enforced,
const AuthorizationSet& sw_enforced) {
keymaster_key_characteristics_t* characteristics =