Adding tests using AES algorithm.
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with these
generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with padding
mode NONE. With PKCS7 padding mode creation of an operation should
fail with incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes.
- with unsupported key size
- with GCM block mode without providing min-mac-length
- with multiple block modes
- with multiple padding modes
- with incompatible padding modes
- with incompatible block modes
- with missing mac-length
- with invalid mac-length
- with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, Try to
set nonce while creating an operation.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
diff --git a/keystore2/test_utils/authorizations.rs b/keystore2/test_utils/authorizations.rs
index 5876c09..c2f0279 100644
--- a/keystore2/test_utils/authorizations.rs
+++ b/keystore2/test_utils/authorizations.rs
@@ -142,6 +142,25 @@
});
self
}
+
+ /// Add nonce.
+ pub fn nonce(mut self, b: Vec<u8>) -> Self {
+ self.0.push(KeyParameter { tag: Tag::NONCE, value: KeyParameterValue::Blob(b) });
+ self
+ }
+
+ /// Add MAC length.
+ pub fn mac_length(mut self, l: i32) -> Self {
+ self.0.push(KeyParameter { tag: Tag::MAC_LENGTH, value: KeyParameterValue::Integer(l) });
+ self
+ }
+
+ /// Add min MAC length.
+ pub fn min_mac_length(mut self, l: i32) -> Self {
+ self.0
+ .push(KeyParameter { tag: Tag::MIN_MAC_LENGTH, value: KeyParameterValue::Integer(l) });
+ self
+ }
}
impl Deref for AuthSetBuilder {
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 36986ec..047df28 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -253,3 +253,46 @@
Ok(key_metadata)
}
+
+/// Generate AES key.
+pub fn generate_aes_key(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ size: i32,
+ alias: &str,
+ padding_mode: &PaddingMode,
+ block_mode: &BlockMode,
+ min_mac_len: Option<i32>,
+) -> binder::Result<KeyMetadata> {
+ let mut gen_params = AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::AES)
+ .purpose(KeyPurpose::ENCRYPT)
+ .purpose(KeyPurpose::DECRYPT)
+ .key_size(size)
+ .padding_mode(*padding_mode)
+ .block_mode(*block_mode);
+
+ if let Some(val) = min_mac_len {
+ gen_params = gen_params.min_mac_length(val);
+ }
+
+ let key_metadata = sec_level.generateKey(
+ &KeyDescriptor {
+ domain: Domain::APP,
+ nspace: -1,
+ alias: Some(alias.to_string()),
+ blob: None,
+ },
+ None,
+ &gen_params,
+ 0,
+ b"entropy",
+ )?;
+
+ // Should not have public certificate.
+ assert!(key_metadata.certificate.is_none());
+
+ // Should not have an attestation record.
+ assert!(key_metadata.certificateChain.is_none());
+ Ok(key_metadata)
+}