Defer AES OCB parameter checking to usage time, not generation.
It would be nice to thoroughly validate that a key is fully functional
and usable as specified during generation, but this introduces a lot
of additional complexity to generation, and will likely never be
complete.
Change-Id: I15938d1e507dc8d373ec9098d6afa5cacbcd141b
diff --git a/google_keymaster_test.cpp b/google_keymaster_test.cpp
index f5a9f6b..bd3553c 100644
--- a/google_keymaster_test.cpp
+++ b/google_keymaster_test.cpp
@@ -469,60 +469,6 @@
}
}
-TEST_F(NewKeyGeneration, AesOcbNoChunkLength) {
- keymaster_key_param_t params[] = {
- Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT),
- Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT),
- Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), Authorization(TAG_KEY_SIZE, 128),
- Authorization(TAG_BLOCK_MODE, KM_MODE_OCB), Authorization(TAG_PADDING, KM_PAD_NONE),
- };
- params_.Reinitialize(params, array_length(params));
- EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT,
- device()->generate_key(device(), params_.data(), params_.size(), &blob_,
- &characteristics_));
-}
-
-TEST_F(NewKeyGeneration, AesEcbUnsupported) {
- keymaster_key_param_t params[] = {
- Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT),
- Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT),
- Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), Authorization(TAG_KEY_SIZE, 128),
- Authorization(TAG_BLOCK_MODE, KM_MODE_ECB), Authorization(TAG_PADDING, KM_PAD_NONE),
- };
- params_.Reinitialize(params, array_length(params));
- EXPECT_EQ(KM_ERROR_UNSUPPORTED_BLOCK_MODE,
- device()->generate_key(device(), params_.data(), params_.size(), &blob_,
- &characteristics_));
-}
-
-TEST_F(NewKeyGeneration, AesOcbPaddingUnsupported) {
- keymaster_key_param_t params[] = {
- Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT),
- Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT),
- Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), Authorization(TAG_KEY_SIZE, 128),
- Authorization(TAG_BLOCK_MODE, KM_MODE_OCB), Authorization(TAG_CHUNK_LENGTH, 4096),
- Authorization(TAG_PADDING, KM_PAD_ZERO),
- };
- params_.Reinitialize(params, array_length(params));
- EXPECT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE,
- device()->generate_key(device(), params_.data(), params_.size(), &blob_,
- &characteristics_));
-}
-
-TEST_F(NewKeyGeneration, AesOcbInvalidMacLength) {
- keymaster_key_param_t params[] = {
- Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT),
- Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT),
- Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES), Authorization(TAG_KEY_SIZE, 128),
- Authorization(TAG_BLOCK_MODE, KM_MODE_OCB), Authorization(TAG_CHUNK_LENGTH, 4096),
- Authorization(TAG_MAC_LENGTH, 17), Authorization(TAG_PADDING, KM_PAD_NONE),
- };
- params_.Reinitialize(params, array_length(params));
- EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT,
- device()->generate_key(device(), params_.data(), params_.size(), &blob_,
- &characteristics_));
-}
-
typedef KeymasterTest GetKeyCharacteristics;
TEST_F(GetKeyCharacteristics, SimpleRsa) {
keymaster_key_param_t params[] = {
@@ -923,6 +869,14 @@
*/
class EncryptionOperationsTest : public KeymasterTest {
protected:
+ void GenerateKey(AuthorizationSet* params) {
+ FreeKeyBlob();
+ FreeCharacteristics();
+ AddClientParams(params);
+ EXPECT_EQ(KM_ERROR_OK, device()->generate_key(device(), params->data(), params->size(),
+ &blob_, &characteristics_));
+ }
+
void GenerateKey(keymaster_algorithm_t algorithm, keymaster_padding_t padding,
uint32_t key_size) {
params_.Clear();
@@ -932,15 +886,11 @@
params_.push_back(Authorization(TAG_KEY_SIZE, key_size));
params_.push_back(Authorization(TAG_USER_ID, 7));
params_.push_back(Authorization(TAG_USER_AUTH_ID, 8));
- params_.push_back(Authorization(TAG_APPLICATION_ID, "app_id", 6));
params_.push_back(Authorization(TAG_AUTH_TIMEOUT, 300));
if (static_cast<int>(padding) != -1)
params_.push_back(TAG_PADDING, padding);
- FreeKeyBlob();
- FreeCharacteristics();
- EXPECT_EQ(KM_ERROR_OK, device()->generate_key(device(), params_.data(), params_.size(),
- &blob_, &characteristics_));
+ GenerateKey(¶ms_);
}
void GenerateSymmetricKey(keymaster_algorithm_t algorithm, uint32_t key_size,
@@ -955,13 +905,9 @@
params_.push_back(Authorization(TAG_MAC_LENGTH, 16));
params_.push_back(Authorization(TAG_USER_ID, 7));
params_.push_back(Authorization(TAG_USER_AUTH_ID, 8));
- params_.push_back(Authorization(TAG_APPLICATION_ID, "app_id", 6));
params_.push_back(Authorization(TAG_AUTH_TIMEOUT, 300));
- FreeKeyBlob();
- FreeCharacteristics();
- EXPECT_EQ(KM_ERROR_OK, device()->generate_key(device(), params_.data(), params_.size(),
- &blob_, &characteristics_));
+ GenerateKey(¶ms_);
}
keymaster_error_t BeginOperation(keymaster_purpose_t purpose,
@@ -1289,5 +1235,66 @@
EXPECT_EQ(KM_ERROR_OK, device()->abort(device(), op_handle));
}
+TEST_F(EncryptionOperationsTest, AesOcbNoChunkLength) {
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT));
+ params_.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES));
+ params_.push_back(Authorization(TAG_KEY_SIZE, 128));
+ params_.push_back(Authorization(TAG_MAC_LENGTH, 16));
+ params_.push_back(Authorization(TAG_BLOCK_MODE, KM_MODE_OCB));
+ params_.push_back(Authorization(TAG_PADDING, KM_PAD_NONE));
+
+ GenerateKey(¶ms_);
+ uint64_t op_handle;
+ EXPECT_EQ(KM_ERROR_INVALID_ARGUMENT,
+ BeginOperation(KM_PURPOSE_ENCRYPT, key_blob(), &op_handle));
+}
+
+TEST_F(EncryptionOperationsTest, AesEcbUnsupported) {
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
+ params_.push_back(Authorization(TAG_MAC_LENGTH, 16));
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT));
+ params_.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES));
+ params_.push_back(Authorization(TAG_KEY_SIZE, 128));
+ params_.push_back(Authorization(TAG_BLOCK_MODE, KM_MODE_ECB));
+ params_.push_back(Authorization(TAG_PADDING, KM_PAD_NONE));
+
+ GenerateKey(¶ms_);
+ uint64_t op_handle;
+ EXPECT_EQ(KM_ERROR_UNSUPPORTED_BLOCK_MODE,
+ BeginOperation(KM_PURPOSE_ENCRYPT, key_blob(), &op_handle));
+}
+
+TEST_F(EncryptionOperationsTest, AesOcbPaddingUnsupported) {
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT));
+ params_.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES));
+ params_.push_back(Authorization(TAG_KEY_SIZE, 128));
+ params_.push_back(Authorization(TAG_MAC_LENGTH, 16));
+ params_.push_back(Authorization(TAG_BLOCK_MODE, KM_MODE_OCB));
+ params_.push_back(Authorization(TAG_CHUNK_LENGTH, 4096));
+ params_.push_back(Authorization(TAG_PADDING, KM_PAD_ZERO));
+
+ GenerateKey(¶ms_);
+ uint64_t op_handle;
+ EXPECT_EQ(KM_ERROR_UNSUPPORTED_PADDING_MODE,
+ BeginOperation(KM_PURPOSE_ENCRYPT, key_blob(), &op_handle));
+}
+
+TEST_F(EncryptionOperationsTest, AesOcbInvalidMacLength) {
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_ENCRYPT));
+ params_.push_back(Authorization(TAG_PURPOSE, KM_PURPOSE_DECRYPT));
+ params_.push_back(Authorization(TAG_ALGORITHM, KM_ALGORITHM_AES));
+ params_.push_back(Authorization(TAG_KEY_SIZE, 128));
+ params_.push_back(Authorization(TAG_MAC_LENGTH, 17));
+ params_.push_back(Authorization(TAG_BLOCK_MODE, KM_MODE_OCB));
+ params_.push_back(Authorization(TAG_CHUNK_LENGTH, 4096));
+
+ GenerateKey(¶ms_);
+ uint64_t op_handle;
+ EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
+ BeginOperation(KM_PURPOSE_ENCRYPT, key_blob(), &op_handle));
+}
+
} // namespace test
} // namespace keymaster