Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 1 | // Copyright 2015 The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | #include <cstdio> |
| 16 | #include <memory> |
| 17 | #include <string> |
| 18 | #include <vector> |
| 19 | |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 20 | #include <base/command_line.h> |
| 21 | #include <base/files/file_util.h> |
| 22 | #include <base/strings/string_util.h> |
| 23 | #include <keystore/keymaster_types.h> |
| 24 | #include <keystore/keystore_client_impl.h> |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 25 | |
| 26 | using base::CommandLine; |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 27 | using keystore::KeystoreClient; |
| 28 | |
| 29 | namespace { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 30 | using namespace keystore; |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 31 | |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 32 | struct TestCase { |
| 33 | std::string name; |
| 34 | bool required_for_brillo_pts; |
| 35 | AuthorizationSet parameters; |
| 36 | }; |
| 37 | |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 38 | void PrintUsageAndExit() { |
| 39 | printf("Usage: keystore_client_v2 <command> [options]\n"); |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 40 | printf("Commands: brillo-platform-test [--prefix=<test_name_prefix>] [--test_for_0_3]\n" |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 41 | " list-brillo-tests\n" |
| 42 | " add-entropy --input=<entropy>\n" |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 43 | " generate --name=<key_name>\n" |
| 44 | " get-chars --name=<key_name>\n" |
| 45 | " export --name=<key_name>\n" |
| 46 | " delete --name=<key_name>\n" |
| 47 | " delete-all\n" |
| 48 | " exists --name=<key_name>\n" |
| 49 | " list [--prefix=<key_name_prefix>]\n" |
Darren Krahn | 251cb28 | 2015-09-28 08:51:18 -0700 | [diff] [blame] | 50 | " sign-verify --name=<key_name>\n" |
| 51 | " [en|de]crypt --name=<key_name> --in=<file> --out=<file>\n"); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 52 | exit(1); |
| 53 | } |
| 54 | |
| 55 | std::unique_ptr<KeystoreClient> CreateKeystoreInstance() { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 56 | return std::unique_ptr<KeystoreClient>( |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 57 | static_cast<KeystoreClient*>(new keystore::KeystoreClientImpl)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 58 | } |
| 59 | |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 60 | void PrintTags(const AuthorizationSet& parameters) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 61 | for (auto iter = parameters.begin(); iter != parameters.end(); ++iter) { |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 62 | auto tag_str = toString(iter->tag); |
| 63 | printf(" %s\n", tag_str.c_str()); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 64 | } |
| 65 | } |
| 66 | |
| 67 | void PrintKeyCharacteristics(const AuthorizationSet& hardware_enforced_characteristics, |
| 68 | const AuthorizationSet& software_enforced_characteristics) { |
| 69 | printf("Hardware:\n"); |
| 70 | PrintTags(hardware_enforced_characteristics); |
| 71 | printf("Software:\n"); |
| 72 | PrintTags(software_enforced_characteristics); |
| 73 | } |
| 74 | |
| 75 | bool TestKey(const std::string& name, bool required, const AuthorizationSet& parameters) { |
| 76 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 77 | AuthorizationSet hardware_enforced_characteristics; |
| 78 | AuthorizationSet software_enforced_characteristics; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 79 | auto result = keystore->generateKey("tmp", parameters, &hardware_enforced_characteristics, |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 80 | &software_enforced_characteristics); |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 81 | const char kBoldRedAbort[] = "\033[1;31mABORT\033[0m"; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 82 | if (!result.isOk()) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 83 | LOG(ERROR) << "Failed to generate key: " << result; |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 84 | printf("[%s] %s\n", kBoldRedAbort, name.c_str()); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 85 | return false; |
| 86 | } |
| 87 | result = keystore->deleteKey("tmp"); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 88 | if (!result.isOk()) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 89 | LOG(ERROR) << "Failed to delete key: " << result; |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 90 | printf("[%s] %s\n", kBoldRedAbort, name.c_str()); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 91 | return false; |
| 92 | } |
| 93 | printf("===============================================================\n"); |
| 94 | printf("%s Key Characteristics:\n", name.c_str()); |
| 95 | PrintKeyCharacteristics(hardware_enforced_characteristics, software_enforced_characteristics); |
| 96 | bool hardware_backed = (hardware_enforced_characteristics.size() > 0); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 97 | if (software_enforced_characteristics.GetTagCount(TAG_ALGORITHM) > 0 || |
| 98 | software_enforced_characteristics.GetTagCount(TAG_KEY_SIZE) > 0 || |
| 99 | software_enforced_characteristics.GetTagCount(TAG_RSA_PUBLIC_EXPONENT) > 0) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 100 | VLOG(1) << "Hardware-backed key but required characteristics enforced in software."; |
| 101 | hardware_backed = false; |
| 102 | } |
| 103 | const char kBoldRedFail[] = "\033[1;31mFAIL\033[0m"; |
| 104 | const char kBoldGreenPass[] = "\033[1;32mPASS\033[0m"; |
| 105 | const char kBoldYellowWarn[] = "\033[1;33mWARN\033[0m"; |
| 106 | printf("[%s] %s\n", |
| 107 | hardware_backed ? kBoldGreenPass : (required ? kBoldRedFail : kBoldYellowWarn), |
| 108 | name.c_str()); |
| 109 | |
| 110 | return (hardware_backed || !required); |
| 111 | } |
| 112 | |
| 113 | AuthorizationSet GetRSASignParameters(uint32_t key_size, bool sha256_only) { |
| 114 | AuthorizationSetBuilder parameters; |
| 115 | parameters.RsaSigningKey(key_size, 65537) |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 116 | .Digest(Digest::SHA_2_256) |
| 117 | .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) |
| 118 | .Padding(PaddingMode::RSA_PSS) |
| 119 | .Authorization(TAG_NO_AUTH_REQUIRED); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 120 | if (!sha256_only) { |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 121 | parameters.Digest(Digest::SHA_2_224).Digest(Digest::SHA_2_384).Digest(Digest::SHA_2_512); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 122 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 123 | return parameters; |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 124 | } |
| 125 | |
| 126 | AuthorizationSet GetRSAEncryptParameters(uint32_t key_size) { |
| 127 | AuthorizationSetBuilder parameters; |
| 128 | parameters.RsaEncryptionKey(key_size, 65537) |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 129 | .Padding(PaddingMode::RSA_PKCS1_1_5_ENCRYPT) |
| 130 | .Padding(PaddingMode::RSA_OAEP) |
| 131 | .Authorization(TAG_NO_AUTH_REQUIRED); |
| 132 | return parameters; |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 133 | } |
| 134 | |
| 135 | AuthorizationSet GetECDSAParameters(uint32_t key_size, bool sha256_only) { |
| 136 | AuthorizationSetBuilder parameters; |
| 137 | parameters.EcdsaSigningKey(key_size) |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 138 | .Digest(Digest::SHA_2_256) |
| 139 | .Authorization(TAG_NO_AUTH_REQUIRED); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 140 | if (!sha256_only) { |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 141 | parameters.Digest(Digest::SHA_2_224).Digest(Digest::SHA_2_384).Digest(Digest::SHA_2_512); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 142 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 143 | return parameters; |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 144 | } |
| 145 | |
| 146 | AuthorizationSet GetAESParameters(uint32_t key_size, bool with_gcm_mode) { |
| 147 | AuthorizationSetBuilder parameters; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 148 | parameters.AesEncryptionKey(key_size).Authorization(TAG_NO_AUTH_REQUIRED); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 149 | if (with_gcm_mode) { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 150 | parameters.Authorization(TAG_BLOCK_MODE, BlockMode::GCM) |
| 151 | .Authorization(TAG_MIN_MAC_LENGTH, 128); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 152 | } else { |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 153 | parameters.Authorization(TAG_BLOCK_MODE, BlockMode::ECB); |
| 154 | parameters.Authorization(TAG_BLOCK_MODE, BlockMode::CBC); |
| 155 | parameters.Authorization(TAG_BLOCK_MODE, BlockMode::CTR); |
| 156 | parameters.Padding(PaddingMode::NONE); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 157 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 158 | return parameters; |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 159 | } |
| 160 | |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 161 | AuthorizationSet GetHMACParameters(uint32_t key_size, Digest digest) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 162 | AuthorizationSetBuilder parameters; |
| 163 | parameters.HmacKey(key_size) |
| 164 | .Digest(digest) |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 165 | .Authorization(TAG_MIN_MAC_LENGTH, 224) |
| 166 | .Authorization(TAG_NO_AUTH_REQUIRED); |
| 167 | return parameters; |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 168 | } |
| 169 | |
| 170 | std::vector<TestCase> GetTestCases() { |
| 171 | TestCase test_cases[] = { |
| 172 | {"RSA-2048 Sign", true, GetRSASignParameters(2048, true)}, |
| 173 | {"RSA-2048 Sign (more digests)", false, GetRSASignParameters(2048, false)}, |
| 174 | {"RSA-3072 Sign", false, GetRSASignParameters(3072, false)}, |
| 175 | {"RSA-4096 Sign", false, GetRSASignParameters(4096, false)}, |
| 176 | {"RSA-2048 Encrypt", true, GetRSAEncryptParameters(2048)}, |
| 177 | {"RSA-3072 Encrypt", false, GetRSAEncryptParameters(3072)}, |
| 178 | {"RSA-4096 Encrypt", false, GetRSAEncryptParameters(4096)}, |
| 179 | {"ECDSA-P256 Sign", true, GetECDSAParameters(256, true)}, |
| 180 | {"ECDSA-P256 Sign (more digests)", false, GetECDSAParameters(256, false)}, |
| 181 | {"ECDSA-P224 Sign", false, GetECDSAParameters(224, false)}, |
| 182 | {"ECDSA-P384 Sign", false, GetECDSAParameters(384, false)}, |
| 183 | {"ECDSA-P521 Sign", false, GetECDSAParameters(521, false)}, |
| 184 | {"AES-128", true, GetAESParameters(128, false)}, |
| 185 | {"AES-256", true, GetAESParameters(256, false)}, |
| 186 | {"AES-128-GCM", false, GetAESParameters(128, true)}, |
| 187 | {"AES-256-GCM", false, GetAESParameters(256, true)}, |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 188 | {"HMAC-SHA256-16", true, GetHMACParameters(16, Digest::SHA_2_256)}, |
| 189 | {"HMAC-SHA256-32", true, GetHMACParameters(32, Digest::SHA_2_256)}, |
| 190 | {"HMAC-SHA256-64", false, GetHMACParameters(64, Digest::SHA_2_256)}, |
| 191 | {"HMAC-SHA224-32", false, GetHMACParameters(32, Digest::SHA_2_224)}, |
| 192 | {"HMAC-SHA384-32", false, GetHMACParameters(32, Digest::SHA_2_384)}, |
| 193 | {"HMAC-SHA512-32", false, GetHMACParameters(32, Digest::SHA_2_512)}, |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 194 | }; |
| 195 | return std::vector<TestCase>(&test_cases[0], &test_cases[arraysize(test_cases)]); |
| 196 | } |
| 197 | |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 198 | int BrilloPlatformTest(const std::string& prefix, bool test_for_0_3) { |
| 199 | const char kBoldYellowWarning[] = "\033[1;33mWARNING\033[0m"; |
| 200 | if (test_for_0_3) { |
| 201 | printf("%s: Testing for keymaster v0.3. " |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 202 | "This does not meet Brillo requirements.\n", |
| 203 | kBoldYellowWarning); |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 204 | } |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 205 | int test_count = 0; |
| 206 | int fail_count = 0; |
| 207 | std::vector<TestCase> test_cases = GetTestCases(); |
| 208 | for (const auto& test_case : test_cases) { |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 209 | if (!prefix.empty() && |
| 210 | !base::StartsWith(test_case.name, prefix, base::CompareCase::SENSITIVE)) { |
| 211 | continue; |
| 212 | } |
| 213 | if (test_for_0_3 && |
| 214 | (base::StartsWith(test_case.name, "AES", base::CompareCase::SENSITIVE) || |
| 215 | base::StartsWith(test_case.name, "HMAC", base::CompareCase::SENSITIVE))) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 216 | continue; |
| 217 | } |
| 218 | ++test_count; |
| 219 | if (!TestKey(test_case.name, test_case.required_for_brillo_pts, test_case.parameters)) { |
| 220 | VLOG(1) << "Test failed: " << test_case.name; |
| 221 | ++fail_count; |
| 222 | } |
| 223 | } |
| 224 | return fail_count; |
| 225 | } |
| 226 | |
| 227 | int ListTestCases() { |
| 228 | const char kBoldGreenRequired[] = "\033[1;32mREQUIRED\033[0m"; |
| 229 | const char kBoldYellowRecommended[] = "\033[1;33mRECOMMENDED\033[0m"; |
| 230 | std::vector<TestCase> test_cases = GetTestCases(); |
| 231 | for (const auto& test_case : test_cases) { |
| 232 | printf("%s : %s\n", test_case.name.c_str(), |
| 233 | test_case.required_for_brillo_pts ? kBoldGreenRequired : kBoldYellowRecommended); |
| 234 | } |
| 235 | return 0; |
| 236 | } |
| 237 | |
Darren Krahn | 251cb28 | 2015-09-28 08:51:18 -0700 | [diff] [blame] | 238 | std::string ReadFile(const std::string& filename) { |
| 239 | std::string content; |
| 240 | base::FilePath path(filename); |
| 241 | if (!base::ReadFileToString(path, &content)) { |
| 242 | printf("Failed to read file: %s\n", filename.c_str()); |
| 243 | exit(1); |
| 244 | } |
| 245 | return content; |
| 246 | } |
| 247 | |
| 248 | void WriteFile(const std::string& filename, const std::string& content) { |
| 249 | base::FilePath path(filename); |
| 250 | int size = content.size(); |
| 251 | if (base::WriteFile(path, content.data(), size) != size) { |
| 252 | printf("Failed to write file: %s\n", filename.c_str()); |
| 253 | exit(1); |
| 254 | } |
| 255 | } |
| 256 | |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 257 | int AddEntropy(const std::string& input) { |
| 258 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 259 | int32_t result = keystore->addRandomNumberGeneratorEntropy(input); |
| 260 | printf("AddEntropy: %d\n", result); |
| 261 | return result; |
| 262 | } |
| 263 | |
| 264 | int GenerateKey(const std::string& name) { |
| 265 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 266 | AuthorizationSetBuilder params; |
| 267 | params.RsaSigningKey(2048, 65537) |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 268 | .Digest(Digest::SHA_2_224) |
| 269 | .Digest(Digest::SHA_2_256) |
| 270 | .Digest(Digest::SHA_2_384) |
| 271 | .Digest(Digest::SHA_2_512) |
| 272 | .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) |
| 273 | .Padding(PaddingMode::RSA_PSS) |
| 274 | .Authorization(TAG_NO_AUTH_REQUIRED); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 275 | AuthorizationSet hardware_enforced_characteristics; |
| 276 | AuthorizationSet software_enforced_characteristics; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 277 | auto result = keystore->generateKey(name, params, &hardware_enforced_characteristics, |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 278 | &software_enforced_characteristics); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 279 | printf("GenerateKey: %d\n", int32_t(result)); |
| 280 | if (result.isOk()) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 281 | PrintKeyCharacteristics(hardware_enforced_characteristics, |
| 282 | software_enforced_characteristics); |
| 283 | } |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 284 | return result; |
| 285 | } |
| 286 | |
| 287 | int GetCharacteristics(const std::string& name) { |
| 288 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 289 | AuthorizationSet hardware_enforced_characteristics; |
| 290 | AuthorizationSet software_enforced_characteristics; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 291 | auto result = keystore->getKeyCharacteristics(name, &hardware_enforced_characteristics, |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 292 | &software_enforced_characteristics); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 293 | printf("GetCharacteristics: %d\n", int32_t(result)); |
| 294 | if (result.isOk()) { |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 295 | PrintKeyCharacteristics(hardware_enforced_characteristics, |
| 296 | software_enforced_characteristics); |
| 297 | } |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 298 | return result; |
| 299 | } |
| 300 | |
| 301 | int ExportKey(const std::string& name) { |
| 302 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 303 | std::string data; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 304 | int32_t result = keystore->exportKey(KeyFormat::X509, name, &data); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 305 | printf("ExportKey: %d (%zu)\n", result, data.size()); |
| 306 | return result; |
| 307 | } |
| 308 | |
| 309 | int DeleteKey(const std::string& name) { |
| 310 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 311 | int32_t result = keystore->deleteKey(name); |
| 312 | printf("DeleteKey: %d\n", result); |
| 313 | return result; |
| 314 | } |
| 315 | |
| 316 | int DeleteAllKeys() { |
| 317 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 318 | int32_t result = keystore->deleteAllKeys(); |
| 319 | printf("DeleteAllKeys: %d\n", result); |
| 320 | return result; |
| 321 | } |
| 322 | |
| 323 | int DoesKeyExist(const std::string& name) { |
| 324 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 325 | printf("DoesKeyExist: %s\n", keystore->doesKeyExist(name) ? "yes" : "no"); |
| 326 | return 0; |
| 327 | } |
| 328 | |
| 329 | int List(const std::string& prefix) { |
| 330 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 331 | std::vector<std::string> key_list; |
| 332 | if (!keystore->listKeys(prefix, &key_list)) { |
| 333 | printf("ListKeys failed.\n"); |
| 334 | return 1; |
| 335 | } |
| 336 | printf("Keys:\n"); |
| 337 | for (const auto& key_name : key_list) { |
| 338 | printf(" %s\n", key_name.c_str()); |
| 339 | } |
| 340 | return 0; |
| 341 | } |
| 342 | |
| 343 | int SignAndVerify(const std::string& name) { |
| 344 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 345 | AuthorizationSetBuilder sign_params; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 346 | sign_params.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN); |
| 347 | sign_params.Digest(Digest::SHA_2_256); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 348 | AuthorizationSet output_params; |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 349 | uint64_t handle; |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 350 | auto result = |
| 351 | keystore->beginOperation(KeyPurpose::SIGN, name, sign_params, &output_params, &handle); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 352 | if (!result.isOk()) { |
| 353 | printf("Sign: BeginOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 354 | return result; |
| 355 | } |
| 356 | AuthorizationSet empty_params; |
| 357 | size_t num_input_bytes_consumed; |
| 358 | std::string output_data; |
| 359 | result = keystore->updateOperation(handle, empty_params, "data_to_sign", |
| 360 | &num_input_bytes_consumed, &output_params, &output_data); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 361 | if (!result.isOk()) { |
| 362 | printf("Sign: UpdateOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 363 | return result; |
| 364 | } |
| 365 | result = keystore->finishOperation(handle, empty_params, std::string() /*signature_to_verify*/, |
| 366 | &output_params, &output_data); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 367 | if (!result.isOk()) { |
| 368 | printf("Sign: FinishOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 369 | return result; |
| 370 | } |
| 371 | printf("Sign: %zu bytes.\n", output_data.size()); |
| 372 | // We have a signature, now verify it. |
| 373 | std::string signature_to_verify = output_data; |
Darren Krahn | 251cb28 | 2015-09-28 08:51:18 -0700 | [diff] [blame] | 374 | output_data.clear(); |
Shawn Willden | bb22a6c | 2017-12-06 19:35:28 -0700 | [diff] [blame^] | 375 | result = |
| 376 | keystore->beginOperation(KeyPurpose::VERIFY, name, sign_params, &output_params, &handle); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 377 | if (!result.isOk()) { |
| 378 | printf("Verify: BeginOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 379 | return result; |
| 380 | } |
| 381 | result = keystore->updateOperation(handle, empty_params, "data_to_sign", |
| 382 | &num_input_bytes_consumed, &output_params, &output_data); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 383 | if (!result.isOk()) { |
| 384 | printf("Verify: UpdateOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 385 | return result; |
| 386 | } |
| 387 | result = keystore->finishOperation(handle, empty_params, signature_to_verify, &output_params, |
| 388 | &output_data); |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 389 | if (result == ErrorCode::VERIFICATION_FAILED) { |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 390 | printf("Verify: Failed to verify signature.\n"); |
| 391 | return result; |
| 392 | } |
Janis Danisevskis | c7a9fa2 | 2016-10-13 18:43:45 +0100 | [diff] [blame] | 393 | if (!result.isOk()) { |
| 394 | printf("Verify: FinishOperation failed: %d\n", int32_t(result)); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 395 | return result; |
| 396 | } |
| 397 | printf("Verify: OK\n"); |
| 398 | return 0; |
| 399 | } |
| 400 | |
Darren Krahn | 251cb28 | 2015-09-28 08:51:18 -0700 | [diff] [blame] | 401 | int Encrypt(const std::string& key_name, const std::string& input_filename, |
| 402 | const std::string& output_filename) { |
| 403 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 404 | std::string input = ReadFile(input_filename); |
| 405 | std::string output; |
| 406 | if (!keystore->encryptWithAuthentication(key_name, input, &output)) { |
| 407 | printf("EncryptWithAuthentication failed.\n"); |
| 408 | return 1; |
| 409 | } |
| 410 | WriteFile(output_filename, output); |
| 411 | return 0; |
| 412 | } |
| 413 | |
| 414 | int Decrypt(const std::string& key_name, const std::string& input_filename, |
| 415 | const std::string& output_filename) { |
| 416 | std::unique_ptr<KeystoreClient> keystore = CreateKeystoreInstance(); |
| 417 | std::string input = ReadFile(input_filename); |
| 418 | std::string output; |
| 419 | if (!keystore->decryptWithAuthentication(key_name, input, &output)) { |
| 420 | printf("DecryptWithAuthentication failed.\n"); |
| 421 | return 1; |
| 422 | } |
| 423 | WriteFile(output_filename, output); |
| 424 | return 0; |
| 425 | } |
| 426 | |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 427 | } // namespace |
| 428 | |
| 429 | int main(int argc, char** argv) { |
| 430 | CommandLine::Init(argc, argv); |
| 431 | CommandLine* command_line = CommandLine::ForCurrentProcess(); |
| 432 | CommandLine::StringVector args = command_line->GetArgs(); |
| 433 | if (args.empty()) { |
| 434 | PrintUsageAndExit(); |
| 435 | } |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 436 | if (args[0] == "brillo-platform-test") { |
Darren Krahn | 82f4f5b | 2016-03-03 16:21:07 -0800 | [diff] [blame] | 437 | return BrilloPlatformTest(command_line->GetSwitchValueASCII("prefix"), |
| 438 | command_line->HasSwitch("test_for_0_3")); |
Darren Krahn | a9474ab | 2015-11-03 14:38:53 -0800 | [diff] [blame] | 439 | } else if (args[0] == "list-brillo-tests") { |
| 440 | return ListTestCases(); |
| 441 | } else if (args[0] == "add-entropy") { |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 442 | return AddEntropy(command_line->GetSwitchValueASCII("input")); |
| 443 | } else if (args[0] == "generate") { |
| 444 | return GenerateKey(command_line->GetSwitchValueASCII("name")); |
| 445 | } else if (args[0] == "get-chars") { |
| 446 | return GetCharacteristics(command_line->GetSwitchValueASCII("name")); |
| 447 | } else if (args[0] == "export") { |
| 448 | return ExportKey(command_line->GetSwitchValueASCII("name")); |
| 449 | } else if (args[0] == "delete") { |
| 450 | return DeleteKey(command_line->GetSwitchValueASCII("name")); |
| 451 | } else if (args[0] == "delete-all") { |
| 452 | return DeleteAllKeys(); |
| 453 | } else if (args[0] == "exists") { |
| 454 | return DoesKeyExist(command_line->GetSwitchValueASCII("name")); |
| 455 | } else if (args[0] == "list") { |
| 456 | return List(command_line->GetSwitchValueASCII("prefix")); |
| 457 | } else if (args[0] == "sign-verify") { |
| 458 | return SignAndVerify(command_line->GetSwitchValueASCII("name")); |
Darren Krahn | 251cb28 | 2015-09-28 08:51:18 -0700 | [diff] [blame] | 459 | } else if (args[0] == "encrypt") { |
| 460 | return Encrypt(command_line->GetSwitchValueASCII("name"), |
| 461 | command_line->GetSwitchValueASCII("in"), |
| 462 | command_line->GetSwitchValueASCII("out")); |
| 463 | } else if (args[0] == "decrypt") { |
| 464 | return Decrypt(command_line->GetSwitchValueASCII("name"), |
| 465 | command_line->GetSwitchValueASCII("in"), |
| 466 | command_line->GetSwitchValueASCII("out")); |
Darren Krahn | 69a3dbc | 2015-09-22 16:21:04 -0700 | [diff] [blame] | 467 | } else { |
| 468 | PrintUsageAndExit(); |
| 469 | } |
| 470 | return 0; |
| 471 | } |