1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <algorithm>
18
19 #include <gtest/gtest.h>
20
21 #include <openssl/engine.h>
22 #include <openssl/rand.h>
23
24 #include <keymaster/android_keymaster_utils.h>
25 #include <keymaster/authorization_set.h>
26 #include <keymaster/key_blob_utils/auth_encrypted_key_blob.h>
27 #include <keymaster/key_blob_utils/integrity_assured_key_blob.h>
28 #include <keymaster/keymaster_tags.h>
29 #include <keymaster/km_openssl/software_random_source.h>
30
31 #include "android_keymaster_test_utils.h"
32
33 namespace keymaster {
34
35 namespace test {
36
37 namespace {
38
39 const uint8_t master_key_data[16] = {};
40 const uint8_t key_data[5] = {21, 22, 23, 24, 25};
41
42 } // namespace
43
44 class KeyBlobTest : public testing::Test, public SoftwareRandomSource {
45 protected:
KeyBlobTest()46 KeyBlobTest()
47 : key_material_(key_data, array_length(key_data)),
48 master_key_(master_key_data, array_length(master_key_data)) {
49 hw_enforced_.push_back(TAG_ALGORITHM, KM_ALGORITHM_RSA);
50 hw_enforced_.push_back(TAG_KEY_SIZE, 256);
51 hw_enforced_.push_back(TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE);
52 hw_enforced_.push_back(TAG_MIN_SECONDS_BETWEEN_OPS, 10);
53 hw_enforced_.push_back(TAG_ALL_USERS);
54 hw_enforced_.push_back(TAG_NO_AUTH_REQUIRED);
55 hw_enforced_.push_back(TAG_ORIGIN, KM_ORIGIN_GENERATED);
56
57 sw_enforced_.push_back(TAG_ACTIVE_DATETIME, 10);
58 sw_enforced_.push_back(TAG_ORIGINATION_EXPIRE_DATETIME, 100);
59 sw_enforced_.push_back(TAG_CREATION_DATETIME, 10);
60
61 hidden_.push_back(TAG_ROOT_OF_TRUST, "foo", 3);
62 hidden_.push_back(TAG_APPLICATION_ID, "my_app", 6);
63 }
64
Encrypt(AuthEncryptedBlobFormat format=AES_GCM_WITH_SW_ENFORCED)65 keymaster_error_t Encrypt(AuthEncryptedBlobFormat format = AES_GCM_WITH_SW_ENFORCED) {
66 keymaster_error_t error;
67 encrypted_key_ = EncryptKey(key_material_, format, hw_enforced_, sw_enforced_, hidden_,
68 master_key_, *this, &error);
69 return error;
70 }
71
Decrypt()72 keymaster_error_t Decrypt() {
73 keymaster_error_t error;
74 decrypted_plaintext_ = DecryptKey(move(deserialized_key_), hidden_, master_key_, &error);
75 return error;
76 }
77
Serialize()78 keymaster_error_t Serialize() {
79 keymaster_error_t error;
80 serialized_blob_ =
81 SerializeAuthEncryptedBlob(encrypted_key_, hw_enforced_, sw_enforced_, &error);
82 return error;
83 }
84
Deserialize()85 keymaster_error_t Deserialize() {
86 keymaster_error_t error;
87 deserialized_key_ = DeserializeAuthEncryptedBlob(serialized_blob_, &error);
88 return error;
89 }
90
91 // Encryption inputs
92 AuthorizationSet hw_enforced_;
93 AuthorizationSet sw_enforced_;
94 AuthorizationSet hidden_;
95 KeymasterKeyBlob key_material_;
96 KeymasterKeyBlob master_key_;
97
98 // Encryption output
99 EncryptedKey encrypted_key_;
100
101 // Serialization output
102 KeymasterKeyBlob serialized_blob_;
103
104 // Deserialization output
105 DeserializedKey deserialized_key_;
106
107 // Decryption output.
108 KeymasterKeyBlob decrypted_plaintext_;
109 };
110
TEST_F(KeyBlobTest,EncryptDecrypt)111 TEST_F(KeyBlobTest, EncryptDecrypt) {
112 for (auto format : {AES_OCB, AES_GCM_WITH_SW_ENFORCED}) {
113 ASSERT_EQ(KM_ERROR_OK, Encrypt(format));
114 ASSERT_EQ(KM_ERROR_OK, Serialize());
115
116 // key_data shouldn't be anywhere in the blob, ciphertext should.
117 EXPECT_EQ(serialized_blob_.end(),
118 std::search(serialized_blob_.begin(), serialized_blob_.end(),
119 key_material_.begin(), key_material_.end()));
120 EXPECT_NE(serialized_blob_.end(),
121 std::search(serialized_blob_.begin(), serialized_blob_.end(),
122 encrypted_key_.ciphertext.begin(), encrypted_key_.ciphertext.end()));
123
124 keymaster_error_t error;
125 DeserializedKey deserialized = DeserializeAuthEncryptedBlob(serialized_blob_, &error);
126 ASSERT_EQ(KM_ERROR_OK, error);
127 EXPECT_EQ(hw_enforced_, deserialized.hw_enforced);
128 switch (format) {
129 case AES_OCB:
130 case AES_GCM_WITH_SW_ENFORCED:
131 EXPECT_EQ(sw_enforced_, deserialized.sw_enforced);
132 break;
133 }
134
135 KeymasterKeyBlob plaintext = DecryptKey(move(deserialized), hidden_, master_key_, &error);
136
137 ASSERT_EQ(key_material_.size(), plaintext.size());
138 EXPECT_TRUE(std::equal(key_material_.begin(), key_material_.end(), plaintext.begin()));
139 }
140 }
141
TEST_F(KeyBlobTest,WrongKeyLength)142 TEST_F(KeyBlobTest, WrongKeyLength) {
143 ASSERT_EQ(KM_ERROR_OK, Encrypt());
144 ASSERT_EQ(KM_ERROR_OK, Serialize());
145
146 // Modify the key length, shouldn't be able to parse.
147 serialized_blob_.writable_data()[1 /* version */ + 4 /* nonce len */ + 12 /* nonce */ + 3]++;
148
149 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Deserialize());
150 }
151
TEST_F(KeyBlobTest,WrongNonce)152 TEST_F(KeyBlobTest, WrongNonce) {
153 ASSERT_EQ(KM_ERROR_OK, Encrypt());
154 ASSERT_EQ(KM_ERROR_OK, Serialize());
155
156 // Find the nonce, then modify it.
157 auto nonce_ptr = std::search(serialized_blob_.begin(), serialized_blob_.end(),
158 encrypted_key_.nonce.begin(), encrypted_key_.nonce.end());
159 ASSERT_NE(nonce_ptr, serialized_blob_.end());
160 (*const_cast<uint8_t*>(nonce_ptr))++;
161
162 // Deserialization shouldn't be affected, but decryption should fail.
163 ASSERT_EQ(KM_ERROR_OK, Deserialize());
164 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
165 }
166
TEST_F(KeyBlobTest,WrongTag)167 TEST_F(KeyBlobTest, WrongTag) {
168 ASSERT_EQ(KM_ERROR_OK, Encrypt());
169 ASSERT_EQ(KM_ERROR_OK, Serialize());
170
171 // Find the tag, then modify it.
172 auto tag_ptr = std::search(serialized_blob_.begin(), serialized_blob_.end(),
173 encrypted_key_.tag.begin(), encrypted_key_.tag.end());
174 ASSERT_NE(tag_ptr, serialized_blob_.end());
175 (*const_cast<uint8_t*>(tag_ptr))++;
176
177 // Deserialization shouldn't be affected, but decryption should fail.
178 ASSERT_EQ(KM_ERROR_OK, Deserialize());
179 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
180 }
181
TEST_F(KeyBlobTest,WrongCiphertext)182 TEST_F(KeyBlobTest, WrongCiphertext) {
183 ASSERT_EQ(KM_ERROR_OK, Encrypt());
184 ASSERT_EQ(KM_ERROR_OK, Serialize());
185
186 // Find the ciphertext, then modify it.
187 auto ciphertext_ptr =
188 std::search(serialized_blob_.begin(), serialized_blob_.end(),
189 encrypted_key_.ciphertext.begin(), encrypted_key_.ciphertext.end());
190 ASSERT_NE(ciphertext_ptr, serialized_blob_.end());
191 (*const_cast<uint8_t*>(ciphertext_ptr))++;
192
193 // Deserialization shouldn't be affected, but decryption should fail.
194 ASSERT_EQ(KM_ERROR_OK, Deserialize());
195 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
196 }
197
TEST_F(KeyBlobTest,WrongMasterKey)198 TEST_F(KeyBlobTest, WrongMasterKey) {
199 ASSERT_EQ(KM_ERROR_OK, Encrypt());
200 ASSERT_EQ(KM_ERROR_OK, Serialize());
201
202 uint8_t wrong_master_data[] = {1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
203 KeymasterKeyBlob wrong_master(wrong_master_data, array_length(wrong_master_data));
204
205 // Decrypting with wrong master key should fail.
206 ASSERT_EQ(KM_ERROR_OK, Deserialize());
207 keymaster_error_t error;
208 DecryptKey(move(deserialized_key_), hidden_, wrong_master, &error);
209
210 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
211 }
212
TEST_F(KeyBlobTest,WrongHwEnforced)213 TEST_F(KeyBlobTest, WrongHwEnforced) {
214 ASSERT_EQ(KM_ERROR_OK, Encrypt());
215 ASSERT_EQ(KM_ERROR_OK, Serialize());
216
217 // Find enforced serialization data and modify it.
218 size_t hw_enforced_size = hw_enforced_.SerializedSize();
219 UniquePtr<uint8_t[]> hw_enforced_data(new uint8_t[hw_enforced_size]);
220 hw_enforced_.Serialize(hw_enforced_data.get(), hw_enforced_data.get() + hw_enforced_size);
221
222 auto hw_enforced_ptr =
223 std::search(serialized_blob_.begin(), serialized_blob_.end(), hw_enforced_data.get(),
224 hw_enforced_data.get() + hw_enforced_size);
225 ASSERT_NE(serialized_blob_.end(), hw_enforced_ptr);
226 (*(const_cast<uint8_t*>(hw_enforced_ptr) + hw_enforced_size - 1))++;
227
228 // Deserialization shouldn't be affected, but decryption should fail.
229 ASSERT_EQ(KM_ERROR_OK, Deserialize());
230 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
231 }
232
TEST_F(KeyBlobTest,WrongSwEnforced)233 TEST_F(KeyBlobTest, WrongSwEnforced) {
234 for (auto format : {AES_OCB, AES_GCM_WITH_SW_ENFORCED}) {
235 ASSERT_EQ(KM_ERROR_OK, Encrypt(format));
236 ASSERT_EQ(KM_ERROR_OK, Serialize());
237
238 // Find enforced serialization data and modify it.
239 size_t sw_enforced_size = sw_enforced_.SerializedSize();
240 UniquePtr<uint8_t[]> sw_enforced_data(new uint8_t[sw_enforced_size]);
241 sw_enforced_.Serialize(sw_enforced_data.get(), sw_enforced_data.get() + sw_enforced_size);
242
243 auto sw_enforced_ptr =
244 std::search(serialized_blob_.begin(), serialized_blob_.end(), sw_enforced_data.get(),
245 sw_enforced_data.get() + sw_enforced_size);
246 ASSERT_NE(serialized_blob_.end(), sw_enforced_ptr);
247 (*(const_cast<uint8_t*>(sw_enforced_ptr) + sw_enforced_size - 1))++;
248
249 // Deserialization shouldn't be affected, but decryption should fail.
250 ASSERT_EQ(KM_ERROR_OK, Deserialize());
251 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, Decrypt());
252 }
253 }
254
TEST_F(KeyBlobTest,EmptyHidden)255 TEST_F(KeyBlobTest, EmptyHidden) {
256 ASSERT_EQ(KM_ERROR_OK, Encrypt());
257 ASSERT_EQ(KM_ERROR_OK, Serialize());
258
259 AuthorizationSet wrong_hidden;
260
261 // Deserialization shouldn't be affected, but decryption should fail.
262 ASSERT_EQ(KM_ERROR_OK, Deserialize());
263 keymaster_error_t error;
264 DecryptKey(move(deserialized_key_), wrong_hidden, master_key_, &error);
265 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
266 }
267
TEST_F(KeyBlobTest,WrongRootOfTrust)268 TEST_F(KeyBlobTest, WrongRootOfTrust) {
269 ASSERT_EQ(KM_ERROR_OK, Encrypt());
270 ASSERT_EQ(KM_ERROR_OK, Serialize());
271
272 AuthorizationSet wrong_hidden;
273 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "bar", 2);
274 wrong_hidden.push_back(TAG_APPLICATION_ID, "my_app", 6);
275
276 // Deserialization shouldn't be affected, but decryption should fail.
277 ASSERT_EQ(KM_ERROR_OK, Deserialize());
278 keymaster_error_t error;
279 DecryptKey(move(deserialized_key_), wrong_hidden, master_key_, &error);
280 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
281 }
282
TEST_F(KeyBlobTest,WrongAppId)283 TEST_F(KeyBlobTest, WrongAppId) {
284 ASSERT_EQ(KM_ERROR_OK, Encrypt());
285 ASSERT_EQ(KM_ERROR_OK, Serialize());
286
287 AuthorizationSet wrong_hidden;
288 wrong_hidden.push_back(TAG_ROOT_OF_TRUST, "foo", 3);
289 wrong_hidden.push_back(TAG_APPLICATION_ID, "your_app", 7);
290
291 // Deserialization shouldn't be affected, but decryption should fail.
292 ASSERT_EQ(KM_ERROR_OK, Deserialize());
293 keymaster_error_t error;
294 DecryptKey(move(deserialized_key_), wrong_hidden, master_key_, &error);
295 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
296 }
297
298 // This test is especially useful when compiled for 32-bit mode and run under valgrind.
TEST_F(KeyBlobTest,FuzzTest)299 TEST_F(KeyBlobTest, FuzzTest) {
300 time_t now = time(NULL);
301 std::cout << "Seeding rand() with " << now << " for fuzz test." << std::endl;
302 srand(now);
303
304 // Fill large buffer with random bytes.
305 const int kBufSize = 10000;
306 UniquePtr<uint8_t[]> buf(new uint8_t[kBufSize]);
307 for (size_t i = 0; i < kBufSize; ++i)
308 buf[i] = static_cast<uint8_t>(rand());
309
310 // Try to deserialize every offset with multiple methods.
311 size_t deserialize_auth_encrypted_success = 0;
312 for (size_t i = 0; i < kBufSize; ++i) {
313 keymaster_key_blob_t blob = {buf.get() + i, kBufSize - i};
314 KeymasterKeyBlob key_blob(blob);
315
316 // Integrity-assured blob.
317 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
318 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
319 &sw_enforced_));
320
321 // Auth-encrypted blob.
322 keymaster_error_t error;
323 auto deserialized = DeserializeAuthEncryptedBlob(key_blob, &error);
324 if (error == KM_ERROR_OK) {
325 // It's possible to deserialize successfully. Decryption should always fail.
326 ++deserialize_auth_encrypted_success;
327 DecryptKey(move(deserialized), hidden_, master_key_, &error);
328 }
329 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB, error)
330 << "Somehow sucessfully parsed a blob with seed " << now << " at offset " << i;
331 }
332 }
333
TEST_F(KeyBlobTest,UnderflowTest)334 TEST_F(KeyBlobTest, UnderflowTest) {
335 uint8_t buf[0];
336 keymaster_key_blob_t blob = {buf, 0};
337 KeymasterKeyBlob key_blob(blob);
338 EXPECT_NE(nullptr, key_blob.key_material);
339 EXPECT_EQ(0U, key_blob.key_material_size);
340
341 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
342 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
343 &sw_enforced_));
344
345 keymaster_error_t error;
346 DeserializeAuthEncryptedBlob(key_blob, &error);
347 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
348 }
349
TEST_F(KeyBlobTest,DupBufferToolarge)350 TEST_F(KeyBlobTest, DupBufferToolarge) {
351 uint8_t buf[0];
352 keymaster_key_blob_t blob = {buf, 0};
353 blob.key_material_size = 16 * 1024 * 1024 + 1;
354 KeymasterKeyBlob key_blob(blob);
355 EXPECT_EQ(nullptr, key_blob.key_material);
356 EXPECT_EQ(0U, key_blob.key_material_size);
357
358 ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
359 DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
360 &sw_enforced_));
361
362 keymaster_error_t error;
363 DeserializeAuthEncryptedBlob(key_blob, &error);
364 EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB, error);
365 }
366
367 } // namespace test
368 } // namespace keymaster
369