__attribute__((visibility("default"))) int openssl_generate_keypair(
const keymaster0_device_t*, const keymaster_keypair_t key_type, const void* key_params,
uint8_t** keyBlob, size_t* keyBlobLength) {
Unique_EVP_PKEY pkey(EVP_PKEY_new());
if (pkey.get() == NULL) {
logOpenSSLError("openssl_generate_keypair");
return -1;
}
if (key_params == NULL) {
ALOGW("key_params == null");
return -1;
} else if (key_type == TYPE_DSA) {
const keymaster_dsa_keygen_params_t* dsa_params =
(const keymaster_dsa_keygen_params_t*)key_params;
generate_dsa_keypair(pkey.get(), dsa_params);
} else if (key_type == TYPE_EC) {
const keymaster_ec_keygen_params_t* ec_params =
(const keymaster_ec_keygen_params_t*)key_params;
generate_ec_keypair(pkey.get(), ec_params);
} else if (key_type == TYPE_RSA) {
const keymaster_rsa_keygen_params_t* rsa_params =
(const keymaster_rsa_keygen_params_t*)key_params;
generate_rsa_keypair(pkey.get(), rsa_params);
} else {
ALOGW("Unsupported key type %d", key_type);
return -1;
}
if (wrap_key(pkey.get(), EVP_PKEY_type(pkey->type), keyBlob, keyBlobLength)) {
return -1;
}
return 0;
}
END_TEST
START_TEST(check_ec_sha_signatures)
{
EC_KEY *key;
unsigned char *rdata, *sigdata;
size_t dlens[] = { 16, 128, 1024, 65535 };
size_t rsize, siglen, last_min = 1;
unsigned int shabits;
int res;
res = crypto_init();
ck_assert_msg(!res, "Crypto initialization routine failed.\n");
key = generate_ec_keypair(0);
ck_assert_msg((key != NULL), "EC SHA signature/verification check failed: could not generate key pair.\n");
for (size_t i = 0; i < (sizeof(dlens) / sizeof(dlens[0])); i++) {
for (size_t j = 0; j < N_SIGNATURE_TIER_TESTS; j++) {
for (size_t k = 0; k < 3; k++) {
if (!k) {
shabits = 160;
} else if (k == 1) {
shabits = 256;
} else {
shabits = 512;
}
rdata = gen_random_data(last_min, dlens[i], &rsize);
ck_assert_msg((rdata != NULL), "EC SHA signature/verification check failed: could not generate random data.\n");
sigdata = ec_sign_sha_data(rdata, rsize, shabits, key, &siglen);
ck_assert_msg((sigdata != NULL), "EC SHA signature/verification check failed: could not sign data.\n");
ck_assert_msg((siglen > 0), "EC SHA signature/verification check failed: signature result had bad length.\n");
res = verify_ec_sha_signature(rdata, rsize, shabits, sigdata, siglen, key);
ck_assert_msg((res == 1), "EC SHA signature/verification check failed: signature verification failed (%d).\n", res);
free(sigdata);
free(rdata);
}
last_min = dlens[i];
}
}
free_ec_key(key);
fprintf(stderr, "EC SHA signature/verification check completed.\n");
}
END_TEST
START_TEST(check_signet_multi_signkey)
{
EC_KEY *eckey;
ED25519_KEY *keys[5], **fetched;
int res;
signet_t *signet;
_crypto_init();
for(int i = 0; i < 5; ++i) {
keys[i] = generate_ed25519_keypair();
}
eckey = generate_ec_keypair(0);
signet = dime_sgnt_signet_create(SIGNET_TYPE_ORG);
ck_assert_msg(signet != NULL, "Failed to create organizational signet.\n");
res = dime_sgnt_signkey_set(signet, keys[0], SIGNKEY_DEFAULT_FORMAT);
ck_assert_msg(res == 0, "Failed to set signet POK.\n");
res += dime_sgnt_sok_create(signet, keys[1], SIGNKEY_DEFAULT_FORMAT, SIGNET_SOK_SIGNET);
ck_assert_msg(res == 0, "Failed to create SOK 1.\n");
res += dime_sgnt_sok_create(signet, keys[2], SIGNKEY_DEFAULT_FORMAT, SIGNET_SOK_MSG);
ck_assert_msg(res == 0, "Failed to create SOK 2.\n");
res += dime_sgnt_sok_create(signet, keys[3], SIGNKEY_DEFAULT_FORMAT, SIGNET_SOK_TLS);
ck_assert_msg(res == 0, "Failed to create SOK 3.\n");
res += dime_sgnt_sok_create(signet, keys[4], SIGNKEY_DEFAULT_FORMAT, SIGNET_SOK_SOFTWARE);
ck_assert_msg(res == 0, "Failed to create SOK 4.\n");
res = dime_sgnt_enckey_set(signet, eckey, 0);
ck_assert_msg(res == 0, "Failed to set signet encryption key.\n");
free_ec_key(eckey);
res = dime_sgnt_sig_crypto_sign(signet, keys[0]);
ck_assert_msg(res == 0, "Failed to sign organizational signet with its private POK.\n");
fetched = dime_sgnt_signkeys_signet_fetch(signet);
ck_assert_msg( (fetched != NULL), "Failed to fetch signing keys.\n");
ck_assert_msg( (fetched[0] != NULL), "Failed to fetch signing keys.\n");
ck_assert_msg( (fetched[1] != NULL), "Failed to fetch signing keys.\n");
ck_assert_msg( (fetched[2] == NULL), "Failed to fetch signing keys.\n");
res = memcmp(fetched[0]->public_key, keys[0]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "POK was corrupted.\n");
res = memcmp(fetched[1]->public_key, keys[1]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "SOK 1 was corrupted.\n");
free_ed25519_key_chain(fetched);
fetched = NULL;
fetched = dime_sgnt_signkeys_msg_fetch(signet);
ck_assert_msg( (fetched != NULL) &&
(fetched[0] != NULL) &&
(fetched[1] != NULL) &&
(fetched[2] == NULL), "Failed to fetch signing keys.\n");
res = memcmp(fetched[0]->public_key, keys[0]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "POK was corrupted.\n");
res = memcmp(fetched[1]->public_key, keys[2]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "SOK 2 was corrupted.\n");
free_ed25519_key_chain(fetched);
fetched = NULL;
fetched = dime_sgnt_signkeys_tls_fetch(signet);
ck_assert_msg( (fetched != NULL) &&
(fetched[0] != NULL) &&
(fetched[1] != NULL) &&
(fetched[2] == NULL), "Failed to fetch signing keys.\n");
res = memcmp(fetched[0]->public_key, keys[0]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "POK was corrupted.\n");
res = memcmp(fetched[1]->public_key, keys[3]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "SOK 3 was corrupted.\n");
free_ed25519_key_chain(fetched);
fetched = NULL;
fetched = dime_sgnt_signkeys_software_fetch(signet);
ck_assert_msg( (fetched != NULL) &&
(fetched[0] != NULL) &&
(fetched[1] != NULL) &&
(fetched[2] == NULL), "Failed to fetch signing keys.\n");
res = memcmp(fetched[0]->public_key, keys[0]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "POK was corrupted.\n");
res = memcmp(fetched[1]->public_key, keys[4]->public_key, ED25519_KEY_SIZE);
ck_assert_msg(res == 0, "SOK 4 was corrupted.\n");
free_ed25519_key_chain(fetched);
fetched = NULL;
for(int i = 0; i < 5; ++i) {
free_ed25519_key(keys[i]);
}
dime_sgnt_signet_destroy(signet);
fprintf(stderr, "Signet selective signing key multi-fetching check complete.\n");
}
