Cope with mixed KeyMint/Keymaster-4.x devices
The keystore2_client_tests have an implicit assumption that any
StrongBox implementation on the device is of the same type (KeyMint or
Keymaster) as the TEE implementation on the device.
However, waivers have been issued for some device types that allow a
mixed combination: StrongBox implementing Keymaster, TEE implementing
KeyMint.
Coping with this requires a pervasive change to use a new `SecLevel`
struct that holds the security level enum value that's associated
with an `IKeystoreSecurityLevel` object, so it's possible to perform
different behaviour for Keymaster/KeyMint on a per-security level basis.
- Add and use `SecLevel::tee()` and `SecLevel::strongbox()`
constructors.
- Move test utilities to take and use `&SecLevel` throughout.
- Canonicalize import ordering along the way.
Then use the `SecLevel::is_keymaster()` and `is_keymint()` methods
to ensure that test behaviour is specific to the device under test,
not just the default device.
Also, device unique attestation was only introduced in KeyMaster 4.1,
so skip those tests if the StrongBox device is not of that level.
Bug: 336695416
Test: keystore2_client_tests
Test: keystore2_test_utils_test
Test: legacykeystore_test
Change-Id: Ie470ec293fcca0cae772a529d8d38ef2d81f2710
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index a733be3..fdb2afb 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -14,14 +14,12 @@
//! This module implements test utils to generate various types of keys.
-use anyhow::Result;
-use core::ops::Range;
-use nix::unistd::getuid;
-use std::collections::HashSet;
-use std::fmt::Write;
-
-use binder::ThreadState;
-
+use crate::authorizations::AuthSetBuilder;
+use crate::ffi_test_utils::{
+ get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
+ validate_certchain_with_strict_issuer_check,
+};
+use crate::SecLevel;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
@@ -30,18 +28,16 @@
};
use android_system_keystore2::aidl::android::system::keystore2::{
AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization,
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain, KeyDescriptor::KeyDescriptor,
KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
};
-
-use crate::authorizations::AuthSetBuilder;
use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
-
-use crate::ffi_test_utils::{
- get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
- validate_certchain_with_strict_issuer_check,
-};
+use anyhow::Result;
+use binder::ThreadState;
+use core::ops::Range;
+use nix::unistd::getuid;
+use std::collections::HashSet;
+use std::fmt::Write;
/// Shell namespace.
pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
@@ -391,12 +387,6 @@
})
}
-/// Indicate whether the default device is KeyMint (rather than Keymaster).
-pub fn has_default_keymint() -> bool {
- binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
- .expect("Could not check for declared keymint interface")
-}
-
/// Verify that given key param is listed in given authorizations list.
pub fn check_key_param(authorizations: &[Authorization], key_param: &KeyParameter) -> bool {
authorizations.iter().any(|auth| &auth.keyParameter == key_param)
@@ -404,6 +394,7 @@
/// Verify the given key authorizations with the expected authorizations.
pub fn check_key_authorizations(
+ sl: &SecLevel,
authorizations: &[Authorization],
expected_params: &[KeyParameter],
expected_key_origin: KeyOrigin,
@@ -412,7 +403,7 @@
authorizations.iter().all(|auth| {
// Ignore `INVALID` tag if the backend is Keymaster and not KeyMint.
// Keymaster allows INVALID tag for unsupported key parameters.
- if !has_default_keymint() && auth.keyParameter.tag == Tag::INVALID {
+ if sl.is_keymaster() && auth.keyParameter.tag == Tag::INVALID {
return true;
}
assert!(
@@ -423,7 +414,7 @@
true
});
- //Check allowed-expected-key-parameters are present in given key authorizations list.
+ // Check allowed-expected-key-parameters are present in given key authorizations list.
expected_params.iter().all(|key_param| {
// `INCLUDE_UNIQUE_ID` is not strictly expected to be in key authorizations but has been
// put there by some implementations so cope with that.
@@ -436,7 +427,7 @@
// Ignore below parameters if the backend is Keymaster and not KeyMint.
// Keymaster does not support these parameters. These key parameters are introduced in
// KeyMint1.0.
- if !has_default_keymint() {
+ if sl.is_keymaster() {
if matches!(key_param.tag, Tag::RSA_OAEP_MGF_DIGEST | Tag::USAGE_COUNT_LIMIT) {
return true;
}
@@ -457,11 +448,15 @@
true
});
- check_common_auths(authorizations, expected_key_origin);
+ check_common_auths(sl, authorizations, expected_key_origin);
}
/// Verify common key authorizations.
-fn check_common_auths(authorizations: &[Authorization], expected_key_origin: KeyOrigin) {
+fn check_common_auths(
+ sl: &SecLevel,
+ authorizations: &[Authorization],
+ expected_key_origin: KeyOrigin,
+) {
assert!(check_key_param(
authorizations,
&KeyParameter {
@@ -505,7 +500,7 @@
}
));
- if has_default_keymint() {
+ if sl.is_keymint() {
assert!(authorizations
.iter()
.map(|auth| &auth.keyParameter)
@@ -532,7 +527,7 @@
/// Digest: SHA_2_256
/// Curve: P_256
pub fn generate_ec_p256_signing_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -552,7 +547,7 @@
gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
}
- match sec_level.generateKey(
+ match sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -569,6 +564,7 @@
}
check_key_authorizations(
+ sl,
&key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -581,7 +577,7 @@
/// Generate EC signing key.
pub fn generate_ec_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -596,7 +592,7 @@
.digest(digest)
.ec_curve(ec_curve);
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -615,13 +611,13 @@
} else {
assert!(key_metadata.key.blob.is_none());
}
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate a RSA key with the given key parameters, alias, domain and namespace.
pub fn generate_rsa_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -653,7 +649,7 @@
gen_params = gen_params.attestation_challenge(value.to_vec())
}
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
attest_key,
&gen_params,
@@ -677,7 +673,7 @@
|| key_metadata.key.blob.is_none()
);
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
// If `RSA_OAEP_MGF_DIGEST` tag is not mentioned explicitly while generating/importing a key,
// then make sure `RSA_OAEP_MGF_DIGEST` tag with default value (SHA1) must not be included in
// key authorization list.
@@ -695,7 +691,7 @@
/// Generate AES/3DES key.
pub fn generate_sym_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
size: i32,
alias: &str,
@@ -716,7 +712,7 @@
gen_params = gen_params.min_mac_length(val);
}
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -734,13 +730,13 @@
// Should not have an attestation record.
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate HMAC key.
pub fn generate_hmac_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
key_size: i32,
min_mac_len: i32,
@@ -755,7 +751,7 @@
.min_mac_length(min_mac_len)
.digest(digest);
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -774,7 +770,7 @@
// Should not have an attestation record.
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
@@ -785,7 +781,7 @@
/// RSA-Key-Size: 2048
/// EC-Curve: EcCurve::P_256
pub fn generate_attestation_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
att_challenge: &[u8],
) -> binder::Result<KeyMetadata> {
@@ -794,7 +790,7 @@
if algorithm == Algorithm::RSA {
let alias = "ks_rsa_attest_test_key";
let metadata = generate_rsa_key(
- sec_level,
+ sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -812,13 +808,9 @@
.unwrap();
Ok(metadata)
} else {
- let metadata = generate_ec_attestation_key(
- sec_level,
- att_challenge,
- Digest::SHA_2_256,
- EcCurve::P_256,
- )
- .unwrap();
+ let metadata =
+ generate_ec_attestation_key(sl, att_challenge, Digest::SHA_2_256, EcCurve::P_256)
+ .unwrap();
Ok(metadata)
}
@@ -827,7 +819,7 @@
/// Generate EC attestation key with the given
/// curve, attestation-challenge and attestation-app-id.
pub fn generate_ec_attestation_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
att_challenge: &[u8],
digest: Digest,
ec_curve: EcCurve,
@@ -841,7 +833,7 @@
.digest(digest)
.attestation_challenge(att_challenge.to_vec());
- let attestation_key_metadata = sec_level.generateKey(
+ let attestation_key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -860,6 +852,7 @@
assert!(attestation_key_metadata.certificateChain.is_some());
check_key_authorizations(
+ sl,
&attestation_key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -869,7 +862,7 @@
/// Generate EC-P-256 key and attest it with given attestation key.
pub fn generate_ec_256_attested_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
att_challenge: &[u8],
attest_key: &KeyDescriptor,
@@ -883,7 +876,8 @@
.ec_curve(EcCurve::P_256)
.attestation_challenge(att_challenge.to_vec());
- let ec_key_metadata = sec_level
+ let ec_key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
Some(attest_key),
@@ -898,19 +892,25 @@
// Shouldn't have an attestation record.
assert!(ec_key_metadata.certificateChain.is_none());
- check_key_authorizations(&ec_key_metadata.authorizations, &ec_gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(
+ sl,
+ &ec_key_metadata.authorizations,
+ &ec_gen_params,
+ KeyOrigin::GENERATED,
+ );
Ok(ec_key_metadata)
}
/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
pub fn import_rsa_2048_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
@@ -923,7 +923,7 @@
assert!(key_metadata.certificate.is_some());
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -967,13 +967,14 @@
/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
pub fn import_ec_p_256_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
@@ -986,7 +987,7 @@
assert!(key_metadata.certificate.is_some());
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1013,7 +1014,7 @@
/// Import sample AES key and validate its key parameters.
pub fn import_aes_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1030,7 +1031,7 @@
.purpose(KeyPurpose::DECRYPT)
.padding_mode(PaddingMode::PKCS7);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1038,7 +1039,7 @@
AES_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1070,7 +1071,7 @@
/// Import sample 3DES key and validate its key parameters.
pub fn import_3des_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1089,7 +1090,7 @@
.purpose(KeyPurpose::DECRYPT)
.padding_mode(PaddingMode::PKCS7);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1097,7 +1098,7 @@
TRIPLE_DES_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1132,7 +1133,7 @@
/// Import sample HMAC key and validate its key parameters.
pub fn import_hmac_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1149,7 +1150,7 @@
.digest(Digest::SHA_2_256)
.min_mac_length(256);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1157,7 +1158,7 @@
HMAC_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1182,7 +1183,7 @@
/// Imports RSA encryption key with WRAP_KEY purpose.
pub fn import_wrapping_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
wrapping_key_data: &[u8],
wrapping_key_alias: Option<String>,
) -> binder::Result<KeyMetadata> {
@@ -1199,7 +1200,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- sec_level.importKey(
+ sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
None,
&wrapping_key_params,
@@ -1210,7 +1211,7 @@
/// Import wrapped key using given wrapping key.
pub fn import_wrapped_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
wrapping_key_metadata: &KeyMetadata,
wrapped_key: Option<Vec<u8>>,
@@ -1223,7 +1224,7 @@
authenticatorId: 0,
}];
- let key_metadata = sec_level.importWrappedKey(
+ let key_metadata = sl.binder.importWrappedKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
&wrapping_key_metadata.key,
None,
@@ -1236,14 +1237,14 @@
/// Import wrapping key and then import wrapped key using wrapping key.
pub fn import_wrapping_key_and_wrapped_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
wrapping_key_alias: Option<String>,
wrapping_key_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let wrapping_key_metadata = sec_level.importKey(
+ let wrapping_key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
None,
&wrapping_key_params,
@@ -1251,12 +1252,12 @@
WRAPPING_KEY,
)?;
- import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
+ import_wrapped_key(sl, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
}
/// Import given key material as AES-256-GCM-NONE transport key.
pub fn import_transport_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
transport_key_alias: Option<String>,
transport_key: &[u8],
) -> binder::Result<KeyMetadata> {
@@ -1271,7 +1272,7 @@
.purpose(KeyPurpose::ENCRYPT)
.purpose(KeyPurpose::DECRYPT);
- sec_level.importKey(
+ sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
None,
&transport_key_params,
@@ -1282,7 +1283,7 @@
/// Generate EC key with purpose AGREE_KEY.
pub fn generate_ec_agree_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
ec_curve: EcCurve,
digest: Digest,
domain: Domain,
@@ -1296,7 +1297,7 @@
.digest(digest)
.ec_curve(ec_curve);
- match sec_level.generateKey(
+ match sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -1310,6 +1311,7 @@
}
check_key_authorizations(
+ sl,
&key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -1322,7 +1324,7 @@
/// Helper method to import AES keys `total_count` of times.
pub fn import_aes_keys(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias_prefix: String,
total_count: Range<i32>,
) -> binder::Result<HashSet<String>> {
@@ -1334,7 +1336,7 @@
write!(alias, "{}_{}", alias_prefix, count).unwrap();
imported_key_aliases.insert(alias.clone());
- import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
+ import_aes_key(sl, Domain::APP, -1, Some(alias))?;
}
Ok(imported_key_aliases)
@@ -1342,7 +1344,7 @@
/// Generate attested EC-P_256 key with device id attestation.
pub fn generate_key_with_attest_id(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
alias: Option<String>,
att_challenge: &[u8],
@@ -1405,7 +1407,7 @@
}
}
- sec_level.generateKey(
+ sl.binder.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
Some(attest_key),
&ec_gen_params,
@@ -1416,11 +1418,11 @@
/// Generate Key and validate key characteristics.
pub fn generate_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &AuthSetBuilder,
alias: &str,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -1474,19 +1476,19 @@
assert!(!att_app_id.is_empty());
}
}
- check_key_authorizations(&key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate a key using given authorizations and create an operation using the generated key.
pub fn create_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &AuthSetBuilder,
op_params: &AuthSetBuilder,
alias: &str,
) -> binder::Result<CreateOperationResponse> {
- let key_metadata = generate_key(sec_level, gen_params, alias)?;
+ let key_metadata = generate_key(sl, gen_params, alias)?;
- sec_level.createOperation(&key_metadata.key, op_params, false)
+ sl.binder.createOperation(&key_metadata.key, op_params, false)
}
diff --git a/keystore2/test_utils/lib.rs b/keystore2/test_utils/lib.rs
index 8394ca1..8b766dd 100644
--- a/keystore2/test_utils/lib.rs
+++ b/keystore2/test_utils/lib.rs
@@ -19,7 +19,13 @@
use std::path::{Path, PathBuf};
use std::{env::temp_dir, ops::Deref};
-use android_system_keystore2::aidl::android::system::keystore2::IKeystoreService::IKeystoreService;
+use android_system_keystore2::aidl::android::system::keystore2::{
+ IKeystoreService::IKeystoreService,
+ IKeystoreSecurityLevel::IKeystoreSecurityLevel,
+};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
+};
use android_security_authorization::aidl::android::security::authorization::IKeystoreAuthorization::IKeystoreAuthorization;
pub mod authorizations;
@@ -123,3 +129,51 @@
pub fn get_keystore_auth_service() -> binder::Strong<dyn IKeystoreAuthorization> {
binder::get_interface(AUTH_SERVICE_NAME).unwrap()
}
+
+/// Security level-specific data.
+pub struct SecLevel {
+ /// Binder connection for the top-level service.
+ pub keystore2: binder::Strong<dyn IKeystoreService>,
+ /// Binder connection for the security level.
+ pub binder: binder::Strong<dyn IKeystoreSecurityLevel>,
+ /// Security level.
+ pub level: SecurityLevel,
+}
+
+impl SecLevel {
+ /// Return security level data for TEE.
+ pub fn tee() -> Self {
+ let level = SecurityLevel::TRUSTED_ENVIRONMENT;
+ let keystore2 = get_keystore_service();
+ let binder =
+ keystore2.getSecurityLevel(level).expect("TEE security level should always be present");
+ Self { keystore2, binder, level }
+ }
+ /// Return security level data for StrongBox, if present.
+ pub fn strongbox() -> Option<Self> {
+ let level = SecurityLevel::STRONGBOX;
+ let keystore2 = get_keystore_service();
+ match key_generations::map_ks_error(keystore2.getSecurityLevel(level)) {
+ Ok(binder) => Some(Self { keystore2, binder, level }),
+ Err(e) => {
+ assert_eq!(e, key_generations::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE));
+ None
+ }
+ }
+ }
+ /// Indicate whether this security level is a KeyMint implementation (not Keymaster).
+ pub fn is_keymint(&self) -> bool {
+ let instance = match self.level {
+ SecurityLevel::TRUSTED_ENVIRONMENT => "default",
+ SecurityLevel::STRONGBOX => "strongbox",
+ l => panic!("unexpected level {l:?}"),
+ };
+ let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
+ binder::is_declared(&name).expect("Could not check for declared keymint interface")
+ }
+
+ /// Indicate whether this security level is a Keymaster implementation (not KeyMint).
+ pub fn is_keymaster(&self) -> bool {
+ !self.is_keymint()
+ }
+}
diff --git a/keystore2/tests/keystore2_client_3des_key_tests.rs b/keystore2/tests/keystore2_client_3des_key_tests.rs
index eda24db..29f1617 100644
--- a/keystore2/tests/keystore2_client_3des_key_tests.rs
+++ b/keystore2/tests/keystore2_client_3des_key_tests.rs
@@ -12,26 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+ PaddingMode::PaddingMode,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate a 3DES key. Create encryption and decryption operations using the generated key.
fn create_3des_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
padding_mode: PaddingMode,
block_mode: BlockMode,
nonce: &mut Option<Vec<u8>>,
@@ -39,7 +34,7 @@
let alias = format!("ks_3des_test_key_{}{}", block_mode.0, padding_mode.0);
let key_metadata = key_generations::generate_sym_key(
- sec_level,
+ sl,
Algorithm::TRIPLE_DES,
168,
&alias,
@@ -50,7 +45,7 @@
// Encrypts `SAMPLE_PLAIN_TEXT` whose length is multiple of DES block size.
let cipher_text = perform_sample_sym_key_encrypt_op(
- sec_level,
+ &sl.binder,
padding_mode,
block_mode,
nonce,
@@ -60,7 +55,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
padding_mode,
block_mode,
@@ -80,16 +75,15 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_3des_ecb_cbc_generate_key_success() {
- let keystore2 = get_keystore_service();
let block_modes = [BlockMode::ECB, BlockMode::CBC];
let padding_modes = [PaddingMode::PKCS7, PaddingMode::NONE];
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for block_mode in block_modes {
for padding_mode in padding_modes {
assert_eq!(
Ok(()),
- create_3des_key_and_operation(&sec_level, padding_mode, block_mode, &mut None)
+ create_3des_key_and_operation(&sl, padding_mode, block_mode, &mut None)
);
}
}
@@ -99,13 +93,12 @@
/// an error code `UNSUPPORTED_KEY_SIZE`.
#[test]
fn keystore2_3des_key_fails_unsupported_key_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_invalid_1";
let invalid_key_size = 128;
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::TRIPLE_DES,
invalid_key_size,
alias,
@@ -122,8 +115,7 @@
/// `UNSUPPORTED_PADDING_MODE`.
#[test]
fn keystore2_3des_key_fails_missing_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_missing_padding";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -134,7 +126,8 @@
.key_size(168)
.block_mode(BlockMode::ECB);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -153,7 +146,7 @@
.purpose(KeyPurpose::ENCRYPT)
.block_mode(BlockMode::ECB);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -166,12 +159,11 @@
/// multiple of the DES block size.
#[test]
fn keystore2_3des_key_encrypt_fails_invalid_input_length() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_invalid_input_len";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::TRIPLE_DES,
168,
alias,
@@ -186,7 +178,8 @@
.padding_mode(PaddingMode::NONE)
.block_mode(BlockMode::ECB);
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(&key_metadata.key, &op_params, false)
.expect("Error in creation of operation using rebound key.");
assert!(op_response.iOperation.is_some());
@@ -204,11 +197,10 @@
/// error code `UNSUPPORTED_BLOCK_MODE`.
#[test]
fn keystore2_3des_key_fails_unsupported_block_mode() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_3des_key_and_operation(
- &sec_level,
+ &sl,
PaddingMode::NONE,
BlockMode::CTR,
&mut None,
diff --git a/keystore2/tests/keystore2_client_aes_key_tests.rs b/keystore2/tests/keystore2_client_aes_key_tests.rs
index 313f596..9f85c38 100644
--- a/keystore2/tests/keystore2_client_aes_key_tests.rs
+++ b/keystore2/tests/keystore2_client_aes_key_tests.rs
@@ -12,26 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+ PaddingMode::PaddingMode,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate a AES key. Create encrypt and decrypt operations using the generated key.
fn create_aes_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
key_size: i32,
padding_mode: PaddingMode,
block_mode: BlockMode,
@@ -42,7 +37,7 @@
let alias = format!("ks_aes_test_key_{}{}{}", key_size, block_mode.0, padding_mode.0);
let key_metadata = key_generations::generate_sym_key(
- sec_level,
+ sl,
Algorithm::AES,
key_size,
&alias,
@@ -52,7 +47,7 @@
)?;
let cipher_text = perform_sample_sym_key_encrypt_op(
- sec_level,
+ &sl.binder,
padding_mode,
block_mode,
nonce,
@@ -63,7 +58,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
padding_mode,
block_mode,
@@ -83,19 +78,18 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_aes_ecb_cbc_generate_key() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let block_modes = [BlockMode::ECB, BlockMode::CBC];
let padding_modes = [PaddingMode::PKCS7, PaddingMode::NONE];
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for block_mode in block_modes {
for padding_mode in padding_modes {
assert_eq!(
Ok(()),
create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
padding_mode,
block_mode,
@@ -115,16 +109,14 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_aes_ctr_gcm_generate_key_success() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let key_params = [(BlockMode::CTR, None, None), (BlockMode::GCM, Some(128), Some(128))];
-
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for (block_mode, mac_len, min_mac_len) in key_params {
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
PaddingMode::NONE,
block_mode,
@@ -145,16 +137,14 @@
/// with an error code `INCOMPATIBLE_PADDING_MODE`.
#[test]
fn keystore2_aes_ctr_gcm_generate_key_fails_incompatible() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let key_params = [(BlockMode::CTR, None, None), (BlockMode::GCM, Some(128), Some(128))];
-
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for (block_mode, mac_len, min_mac_len) in key_params {
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
PaddingMode::PKCS7,
block_mode,
@@ -173,12 +163,11 @@
/// an error code `UNSUPPORTED_KEY_SIZE`.
#[test]
fn keystore2_aes_key_fails_unsupported_key_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
1024,
alias,
@@ -194,12 +183,11 @@
/// Test should fail to generate a key with an error code `MISSING_MIN_MAC_LENGTH`.
#[test]
fn keystore2_aes_gcm_key_fails_missing_min_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -215,8 +203,7 @@
/// an operation with `UNSUPPORTED_BLOCK_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_multi_block_modes() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -229,7 +216,8 @@
.block_mode(BlockMode::CBC)
.padding_mode(PaddingMode::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -250,7 +238,7 @@
.block_mode(BlockMode::CBC)
.padding_mode(PaddingMode::NONE);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -263,8 +251,7 @@
/// an operation with `UNSUPPORTED_PADDING_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_multi_padding_modes() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -277,7 +264,8 @@
.padding_mode(PaddingMode::PKCS7)
.padding_mode(PaddingMode::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -298,7 +286,7 @@
.padding_mode(PaddingMode::PKCS7)
.padding_mode(PaddingMode::NONE);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -312,12 +300,11 @@
/// `INCOMPATIBLE_PADDING_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_incompatible_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -328,7 +315,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -344,12 +331,11 @@
/// `INCOMPATIBLE_BLOCK_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_incompatible_blockmode() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -360,7 +346,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::NONE,
BlockMode::CBC,
&mut None,
@@ -376,13 +362,12 @@
/// `MISSING_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_missing_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mac_len = None;
let min_mac_len = Some(128);
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -404,13 +389,12 @@
/// an operation with `INVALID_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_invalid_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mac_len = Some(96);
let min_mac_len = Some(104);
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -427,11 +411,10 @@
/// `UNSUPPORTED_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_unsupported_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -448,13 +431,12 @@
/// `CALLER_NONCE_PROHIBITED` error code.
#[test]
fn keystore2_aes_key_op_fails_nonce_prohibited() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_nonce_1";
let mut nonce = Some(vec![0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -465,7 +447,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::NONE,
BlockMode::CBC,
&mut nonce,
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 454248a..4787a81 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -12,8 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
+use crate::keystore2_client_test_utils::{
+ app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
+ is_second_imei_id_attestation_required, skip_device_id_attest_tests,
+};
+use crate::{
+ skip_device_id_attestation_tests, skip_test_if_no_app_attest_key_feature,
+ skip_test_if_no_device_id_attestation_feature,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
@@ -23,22 +29,9 @@
Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use keystore2_test_utils::ffi_test_utils::{get_value_from_attest_record, validate_certchain};
-
-use crate::{
- skip_device_id_attestation_tests, skip_test_if_no_app_attest_key_feature,
- skip_test_if_no_device_id_attestation_feature,
-};
-
-use crate::keystore2_client_test_utils::{
- app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
- is_second_imei_id_attestation_required, skip_device_id_attest_tests,
-};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
/// Generate RSA and EC attestation keys and use them for signing RSA-signing keys.
/// Test should be able to generate attestation keys and use them successfully.
@@ -46,14 +39,13 @@
fn keystore2_attest_rsa_signing_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -63,7 +55,7 @@
// Create RSA signing key and use attestation key to sign it.
let sign_key_alias = format!("ks_attest_rsa_signing_key_{}", getuid());
let sign_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -94,14 +86,13 @@
fn keystore2_attest_rsa_encrypt_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -111,7 +102,7 @@
// Create RSA encrypt/decrypt key and use attestation key to sign it.
let decrypt_key_alias = format!("ks_attest_rsa_encrypt_key_{}", getuid());
let decrypt_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(decrypt_key_alias),
@@ -143,14 +134,13 @@
fn keystore2_attest_ec_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -160,7 +150,7 @@
// Create EC key and use attestation key to sign it.
let ec_key_alias = format!("ks_ec_attested_test_key_{}", getuid());
let ec_key_metadata = key_generations::generate_ec_256_attested_key(
- &sec_level,
+ &sl,
Some(ec_key_alias),
att_challenge,
&attestation_key_metadata.key,
@@ -183,13 +173,12 @@
fn keystore2_attest_rsa_signing_key_with_ec_25519_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create EcCurve::CURVE_25519 attestation key.
let attestation_key_metadata = key_generations::generate_ec_attestation_key(
- &sec_level,
+ &sl,
att_challenge,
Digest::NONE,
EcCurve::CURVE_25519,
@@ -204,7 +193,7 @@
// Create RSA signing key and use attestation key to sign it.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_{}", getuid());
let sign_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -233,9 +222,7 @@
#[test]
fn keystore2_generate_rsa_attest_key_with_multi_purpose_fail() {
skip_test_if_no_app_attest_key_feature!();
-
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digest = Digest::SHA_2_256;
let padding = PaddingMode::RSA_PKCS1_1_5_SIGN;
@@ -255,7 +242,7 @@
.rsa_public_exponent(65537)
.padding_mode(padding);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -276,9 +263,7 @@
#[test]
fn keystore2_ec_attest_key_with_multi_purpose_fail() {
skip_test_if_no_app_attest_key_feature!();
-
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let attest_key_alias = format!("ks_ec_attest_multipurpose_key_{}", getuid());
@@ -291,7 +276,7 @@
.digest(Digest::SHA_2_256)
.ec_curve(EcCurve::P_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -314,14 +299,12 @@
fn keystore2_attest_key_fails_missing_challenge() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create RSA attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -331,7 +314,7 @@
// Try to attest RSA signing key without providing attestation challenge.
let sign_key_alias = format!("ksrsa_attested_test_key_missing_challenge{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -357,24 +340,18 @@
fn keystore2_attest_rsa_key_with_non_attest_key_fails_incompat_purpose_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let alias = format!("non_attest_key_{}", getuid());
- let non_attest_key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- None,
- )
- .unwrap();
+ let non_attest_key_metadata =
+ key_generations::generate_ec_p256_signing_key(&sl, Domain::APP, -1, Some(alias), None)
+ .unwrap();
// Try to generate RSA signing key with non-attestation key to sign it.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_non_attest_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -399,13 +376,12 @@
fn keystore2_attest_rsa_key_with_symmetric_key_fails_sys_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let alias = "aes_attest_key";
let sym_key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -418,7 +394,7 @@
// Try to generate RSA signing key with symmetric key as attestation key.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_sym_attest_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -444,14 +420,12 @@
fn keystore2_attest_symmetric_key_fail_sys_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -470,7 +444,8 @@
.attestation_challenge(att_challenge.to_vec());
let alias = format!("ks_test_sym_key_attest_{}", getuid());
- let aes_key_metadata = sec_level
+ let aes_key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
Some(&attestation_key_metadata.key),
@@ -525,22 +500,21 @@
skip_test_if_no_device_id_attestation_feature!();
skip_device_id_attestation_tests!();
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let attest_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algorithm, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algorithm, att_challenge).unwrap();
- let attest_id_params = get_attestation_ids(&keystore2);
+ let attest_id_params = get_attestation_ids(&sl.keystore2);
for (attest_id, value) in attest_id_params {
// Create RSA/EC key and use attestation key to sign it.
let key_alias = format!("ks_attested_test_key_{}", getuid());
let key_metadata =
key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
algorithm,
Some(key_alias),
att_challenge,
@@ -585,20 +559,15 @@
fn keystore2_attest_key_fails_with_invalid_attestation_id() {
skip_test_if_no_device_id_attestation_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digest = Digest::SHA_2_256;
let att_challenge: &[u8] = b"foo";
// Create EC-Attestation key.
- let attest_key_metadata = key_generations::generate_ec_attestation_key(
- &sec_level,
- att_challenge,
- digest,
- EcCurve::P_256,
- )
- .unwrap();
+ let attest_key_metadata =
+ key_generations::generate_ec_attestation_key(&sl, att_challenge, digest, EcCurve::P_256)
+ .unwrap();
let attest_id_params = vec![
(Tag::ATTESTATION_ID_BRAND, b"invalid-brand".to_vec()),
@@ -614,7 +583,7 @@
// Create EC key and use attestation key to sign it.
let ec_key_alias = format!("ks_ec_attested_test_key_fail_{}{}", getuid(), digest.0);
let result = key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
Algorithm::EC,
Some(ec_key_alias),
att_challenge,
@@ -638,20 +607,18 @@
return;
}
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let attest_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
- let attest_id_params = get_attestation_ids(&keystore2);
+ let attest_id_params = get_attestation_ids(&sl.keystore2);
for (attest_id, value) in attest_id_params {
// Create RSA/EC key and use attestation key to sign it.
let key_alias = format!("ks_attested_test_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
Algorithm::RSA,
Some(key_alias),
att_challenge,
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 32be99e..0981783 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -12,49 +12,39 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use std::time::SystemTime;
-
-use openssl::bn::{BigNum, MsbOption};
-use openssl::x509::X509NameBuilder;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
- ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel, Tag::Tag,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
-};
-
-use aconfig_android_hardware_biometrics_rust;
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- HardwareAuthToken::HardwareAuthToken,
- HardwareAuthenticatorType::HardwareAuthenticatorType
-};
-use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::Timestamp::Timestamp;
-
-use keystore2_test_utils::{
- authorizations, get_keystore_auth_service, get_keystore_service, key_generations,
- key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
app_attest_key_feature_exists, delete_app_key, perform_sample_asym_sign_verify_op,
perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
perform_sample_sym_key_encrypt_op, verify_certificate_serial_num,
verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
};
-
-use crate::{skip_test_if_no_app_attest_key_feature, skip_tests_if_keymaster_impl_present};
-
+use crate::{require_keymint, skip_test_if_no_app_attest_key_feature};
+use aconfig_android_hardware_biometrics_rust;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
+ ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ SecurityLevel::SecurityLevel, Tag::Tag,
+};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
+};
+use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
+ Timestamp::Timestamp
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
+ ResponseCode::ResponseCode,
+};
use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
+use keystore2_test_utils::{
+ authorizations, get_keystore_auth_service, key_generations,
+ key_generations::Error, SecLevel,
+};
+use openssl::bn::{BigNum, MsbOption};
+use openssl::x509::X509NameBuilder;
+use std::time::SystemTime;
-fn gen_key_including_unique_id(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
- alias: &str,
-) -> Vec<u8> {
+fn gen_key_including_unique_id(sl: &SecLevel, alias: &str) -> Vec<u8> {
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -65,7 +55,7 @@
.attestation_challenge(b"foo".to_vec())
.include_unique_id();
- let key_metadata = key_generations::generate_key(sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(sl, &gen_params, alias).unwrap();
let unique_id = get_value_from_attest_record(
key_metadata.certificate.as_ref().unwrap(),
@@ -78,16 +68,21 @@
}
fn generate_key_and_perform_sign_verify_op_max_times(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &authorizations::AuthSetBuilder,
alias: &str,
max_usage_count: i32,
) -> binder::Result<KeyMetadata> {
- let key_metadata = key_generations::generate_key(sec_level, gen_params, alias)?;
+ let key_metadata = key_generations::generate_key(sl, gen_params, alias)?;
// Use above generated key `max_usage_count` times.
for _ in 0..max_usage_count {
- perform_sample_asym_sign_verify_op(sec_level, &key_metadata, None, Some(Digest::SHA_2_256));
+ perform_sample_asym_sign_verify_op(
+ &sl.binder,
+ &key_metadata,
+ None,
+ Some(Digest::SHA_2_256),
+ );
}
Ok(key_metadata)
@@ -98,24 +93,20 @@
/// times subsequent attempts to use the key in test should fail with response code `KEY_NOT_FOUND`.
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT` for attested keys.
fn generate_key_and_perform_op_with_max_usage_limit(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &authorizations::AuthSetBuilder,
alias: &str,
max_usage_count: i32,
check_attestation: bool,
) {
// Generate a key and use the key for `max_usage_count` times.
- let key_metadata = generate_key_and_perform_sign_verify_op_max_times(
- sec_level,
- gen_params,
- alias,
- max_usage_count,
- )
- .unwrap();
+ let key_metadata =
+ generate_key_and_perform_sign_verify_op_max_times(sl, gen_params, alias, max_usage_count)
+ .unwrap();
let auth = key_generations::get_key_auth(&key_metadata.authorizations, Tag::USAGE_COUNT_LIMIT)
.unwrap();
- if check_attestation && key_generations::has_default_keymint() {
+ if check_attestation && sl.is_keymint() {
// Check usage-count-limit is included in attest-record.
// `USAGE_COUNT_LIMIT` is supported from KeyMint1.0
assert_ne!(
@@ -142,7 +133,7 @@
}
// Try to use the key one more time.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -156,8 +147,7 @@
/// the generated key successfully.
#[test]
fn keystore2_gen_key_auth_active_datetime_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let active_datetime = duration_since_epoch.as_millis();
@@ -173,13 +163,13 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ACTIVE_DATETIME` set to future date and time. Test should successfully
@@ -188,8 +178,7 @@
/// `KEY_NOT_YET_VALID`.
#[test]
fn keystore2_gen_key_auth_future_active_datetime_test_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let future_active_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -205,14 +194,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_NOT_YET_VALID), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to future date and time. Test should
@@ -220,8 +209,7 @@
/// sign operation using the generated key successfully.
#[test]
fn keystore2_gen_key_auth_future_origination_expire_datetime_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let origination_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -237,13 +225,13 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to current date and time. Test should
@@ -252,8 +240,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_origination_expire_datetime_test_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let origination_expire_datetime = duration_since_epoch.as_millis();
@@ -269,14 +256,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a HMAC key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
@@ -284,8 +271,7 @@
/// sign and verify operations using the generated key successfully.
#[test]
fn keystore2_gen_key_auth_future_usage_expire_datetime_hmac_verify_op_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -300,10 +286,10 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_hmac_verify_success";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
- perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key);
- delete_app_key(&keystore2, alias).unwrap();
+ perform_sample_hmac_sign_verify_op(&sl.binder, &key_metadata.key);
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
@@ -312,8 +298,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_usage_expire_datetime_hmac_verify_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis();
@@ -328,10 +313,10 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_hamc_verify_fail";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let result = key_generations::map_ks_error(
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::VERIFY)
@@ -341,7 +326,7 @@
);
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
@@ -349,8 +334,7 @@
/// Encrypt and Decrypt operations successfully.
#[test]
fn keystore2_gen_key_auth_usage_future_expire_datetime_decrypt_op_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -365,9 +349,9 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let cipher_text = perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -379,7 +363,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- &sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
PaddingMode::PKCS7,
BlockMode::ECB,
@@ -390,7 +374,7 @@
.unwrap();
assert!(plain_text.is_some());
assert_eq!(plain_text.unwrap(), SAMPLE_PLAIN_TEXT.to_vec());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
@@ -399,8 +383,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis();
@@ -415,9 +398,9 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let cipher_text = perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -429,7 +412,7 @@
assert!(cipher_text.is_some());
let result = key_generations::map_ks_error(perform_sample_sym_key_decrypt_op(
- &sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
PaddingMode::PKCS7,
BlockMode::ECB,
@@ -439,7 +422,7 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
@@ -447,9 +430,8 @@
/// during creation of an operation using this key.
#[test]
fn keystore2_gen_key_auth_early_boot_only_op_fail() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -463,14 +445,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::EARLY_BOOT_ENDED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `MAX_USES_PER_BOOT`. Test should successfully generate
@@ -479,8 +461,7 @@
/// subsequent attempts to use the key in test should fail with error code MAX_OPS_EXCEEDED.
#[test]
fn keystore2_gen_key_auth_max_uses_per_boot() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 3;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -495,23 +476,19 @@
let alias = "ks_test_auth_tags_test";
// Generate a key and use the key for `MAX_USES_COUNT` times.
- let key_metadata = generate_key_and_perform_sign_verify_op_max_times(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- )
- .unwrap();
+ let key_metadata =
+ generate_key_and_perform_sign_verify_op_max_times(&sl, &gen_params, alias, MAX_USES_COUNT)
+ .unwrap();
// Try to use the key one more time.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_MAX_OPS_EXCEEDED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -521,8 +498,7 @@
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT`.
#[test]
fn keystore2_gen_key_auth_usage_count_limit() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 3;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -536,13 +512,7 @@
.usage_count_limit(MAX_USES_COUNT);
let alias = "ks_test_auth_tags_test";
- generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- true,
- );
+ generate_key_and_perform_op_with_max_usage_limit(&sl, &gen_params, alias, MAX_USES_COUNT, true);
}
/// Generate a key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -552,8 +522,7 @@
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT`.
#[test]
fn keystore2_gen_key_auth_usage_count_limit_one() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 1;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -567,13 +536,7 @@
.usage_count_limit(MAX_USES_COUNT);
let alias = "ks_test_auth_tags_test";
- generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- true,
- );
+ generate_key_and_perform_op_with_max_usage_limit(&sl, &gen_params, alias, MAX_USES_COUNT, true);
}
/// Generate a non-attested key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -582,8 +545,7 @@
/// subsequent attempts to use the key in test should fail with response code `KEY_NOT_FOUND`.
#[test]
fn keystore2_gen_non_attested_key_auth_usage_count_limit() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 2;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -597,7 +559,7 @@
let alias = "ks_test_auth_tags_test";
generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
+ &sl,
&gen_params,
alias,
MAX_USES_COUNT,
@@ -610,8 +572,7 @@
/// specify `CREATION_DATETIME`.
#[test]
fn keystore2_gen_key_auth_creation_date_time_test_fail_with_invalid_arg_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let creation_datetime = duration_since_epoch.as_millis();
@@ -626,7 +587,7 @@
.creation_date_time(creation_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -647,27 +608,25 @@
/// included in attest record and it remains the same for new keys generated.
#[test]
fn keystore2_gen_key_auth_include_unique_id_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias_first = "ks_test_auth_tags_test_1";
- let unique_id_first = gen_key_including_unique_id(&sec_level, alias_first);
+ let unique_id_first = gen_key_including_unique_id(&sl, alias_first);
let alias_second = "ks_test_auth_tags_test_2";
- let unique_id_second = gen_key_including_unique_id(&sec_level, alias_second);
+ let unique_id_second = gen_key_including_unique_id(&sl, alias_second);
assert_eq!(unique_id_first, unique_id_second);
- delete_app_key(&keystore2, alias_first).unwrap();
- delete_app_key(&keystore2, alias_second).unwrap();
+ delete_app_key(&sl.keystore2, alias_first).unwrap();
+ delete_app_key(&sl.keystore2, alias_second).unwrap();
}
/// Generate a key with `APPLICATION_DATA`. Test should create an operation using the
/// same `APPLICATION_DATA` successfully.
#[test]
fn keystore2_gen_key_auth_app_data_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -680,7 +639,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -689,7 +648,7 @@
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_DATA`. Try to create an operation using the
@@ -697,8 +656,7 @@
/// `INVALID_KEY_BLOB`.
#[test]
fn keystore2_gen_key_auth_app_data_test_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -711,7 +669,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -721,15 +679,14 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_ID`. Test should create an operation using the
/// same `APPLICATION_ID` successfully.
#[test]
fn keystore2_gen_key_auth_app_id_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -742,7 +699,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -751,7 +708,7 @@
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_ID`. Try to create an operation using the
@@ -759,8 +716,7 @@
/// `INVALID_KEY_BLOB`.
#[test]
fn keystore2_gen_key_auth_app_id_test_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -773,7 +729,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -783,7 +739,7 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate an attestation-key without specifying `APPLICATION_ID` and `APPLICATION_DATA`.
@@ -792,8 +748,7 @@
#[test]
fn keystore2_gen_attested_key_auth_app_id_app_data_test_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate attestation key.
let attest_gen_params = authorizations::AuthSetBuilder::new()
@@ -805,7 +760,7 @@
.attestation_challenge(b"foo".to_vec());
let attest_alias = "ks_test_auth_tags_attest_key";
let attest_key_metadata =
- key_generations::generate_key(&sec_level, &attest_gen_params, attest_alias).unwrap();
+ key_generations::generate_key(&sl, &attest_gen_params, attest_alias).unwrap();
// Generate attested key.
let alias = "ks_test_auth_tags_attested_key";
@@ -820,7 +775,7 @@
.app_id(b"app-id".to_vec())
.app_data(b"app-data".to_vec());
- let result = sec_level.generateKey(
+ let result = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -834,8 +789,8 @@
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
- delete_app_key(&keystore2, attest_alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, attest_alias).unwrap();
}
/// Generate an attestation-key with specifying `APPLICATION_ID` and `APPLICATION_DATA`.
@@ -847,8 +802,7 @@
#[test]
fn keystore2_gen_attestation_key_with_auth_app_id_app_data_test_fail() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate attestation key.
let attest_gen_params = authorizations::AuthSetBuilder::new()
@@ -862,7 +816,7 @@
.app_data(b"app-data".to_vec());
let attest_alias = "ks_test_auth_tags_attest_key";
let attest_key_metadata =
- key_generations::generate_key(&sec_level, &attest_gen_params, attest_alias).unwrap();
+ key_generations::generate_key(&sl, &attest_gen_params, attest_alias).unwrap();
// Generate new key using above generated attestation key without providing app-id and app-data.
let alias = "ks_test_auth_tags_attested_key";
@@ -875,7 +829,7 @@
.ec_curve(EcCurve::P_256)
.attestation_challenge(b"foo".to_vec());
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -890,7 +844,7 @@
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, attest_alias).unwrap();
+ delete_app_key(&sl.keystore2, attest_alias).unwrap();
}
fn add_hardware_token(auth_type: HardwareAuthenticatorType) {
@@ -951,9 +905,8 @@
/// generate a key successfully and verify the specified key parameters.
#[test]
fn keystore2_gen_key_auth_serial_number_subject_test_success() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let cert_subject = "test cert subject";
let mut x509_name = X509NameBuilder::new().unwrap();
@@ -975,11 +928,11 @@
.cert_serial(serial.to_vec());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
verify_certificate_subject_name(
key_metadata.certificate.as_ref().unwrap(),
cert_subject.as_bytes(),
);
verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
diff --git a/keystore2/tests/keystore2_client_delete_key_tests.rs b/keystore2/tests/keystore2_client_delete_key_tests.rs
index 2a06edb..a0fb9c2 100644
--- a/keystore2/tests/keystore2_client_delete_key_tests.rs
+++ b/keystore2/tests/keystore2_client_delete_key_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
-};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, SecLevel,
+};
+use nix::unistd::getuid;
/// Generate a key and delete it using keystore2 service `deleteKey` API. Test should successfully
/// delete the generated key.
#[test]
fn keystore2_delete_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_success_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -40,10 +37,10 @@
)
.unwrap();
- keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
+ sl.keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
// Check wehther deleted key is removed from keystore.
- let result = key_generations::map_ks_error(keystore2.getKeyEntry(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.getKeyEntry(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
}
@@ -70,12 +67,11 @@
/// `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_with_blob_domain_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_blob_fail_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -83,7 +79,7 @@
)
.unwrap();
- let result = key_generations::map_ks_error(keystore2.deleteKey(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.deleteKey(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
}
@@ -92,12 +88,11 @@
/// security level `deleteKey` API. Test should delete the key successfully.
#[test]
fn keystore2_delete_key_blob_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_blob_success_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -105,7 +100,7 @@
)
.unwrap();
- let result = sec_level.deleteKey(&key_metadata.key);
+ let result = sl.binder.deleteKey(&key_metadata.key);
assert!(result.is_ok());
}
@@ -113,10 +108,9 @@
/// key with error code `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_fails_with_missing_key_blob() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
- let result = key_generations::map_ks_error(sec_level.deleteKey(&KeyDescriptor {
+ let result = key_generations::map_ks_error(sl.binder.deleteKey(&KeyDescriptor {
domain: Domain::BLOB,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
alias: None,
@@ -131,20 +125,14 @@
/// with error code `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_blob_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_delete_keyblob_test_key_{}", getuid());
- let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- None,
- )
- .unwrap();
+ let key_metadata =
+ key_generations::generate_ec_p256_signing_key(&sl, Domain::APP, -1, Some(alias), None)
+ .unwrap();
- let result = key_generations::map_ks_error(sec_level.deleteKey(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.binder.deleteKey(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
}
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index b784adf..cc5d85c 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -11,23 +11,18 @@
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
- KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
use crate::keystore2_client_test_utils::{
delete_app_key, get_attest_id_value, is_second_imei_id_attestation_required,
- perform_sample_asym_sign_verify_op,
+ perform_sample_asym_sign_verify_op, skip_device_unique_attestation_tests,
};
-
-use crate::skip_tests_if_keymaster_impl_present;
+use crate::require_keymint;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
+};
+use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// This macro is used for generating device unique attested EC key with device id attestation.
macro_rules! test_ec_key_device_unique_attestation_id {
@@ -50,6 +45,9 @@
}
fn generate_ec_key_device_unique_attested_with_id_attest(attest_id_tag: Tag, prop_name: &str) {
+ if skip_device_unique_attestation_tests() {
+ return;
+ }
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -67,6 +65,9 @@
}
fn generate_rsa_key_device_unique_attested_with_id_attest(attest_id_tag: Tag, prop_name: &str) {
+ if skip_device_unique_attestation_tests() {
+ return;
+ }
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::RSA)
@@ -113,17 +114,10 @@
attest_id: Tag,
prop_name: &str,
) {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
- return;
- }
- let sec_level = result.unwrap();
+ let Some(sl) = SecLevel::strongbox() else { return };
if attest_id == Tag::ATTESTATION_ID_SECOND_IMEI
- && !is_second_imei_id_attestation_required(&keystore2)
+ && !is_second_imei_id_attestation_required(&sl.keystore2)
{
return;
}
@@ -134,11 +128,8 @@
}
let gen_params = add_attest_id_auth(gen_params, attest_id, value.clone());
let alias = "ks_test_device_unique_attest_id_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias))
+ {
Ok(key_metadata) => {
let attest_id_value = get_value_from_attest_record(
key_metadata.certificate.as_ref().unwrap(),
@@ -147,7 +138,7 @@
)
.expect("Attest id verification failed.");
assert_eq!(attest_id_value, value);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -160,9 +151,8 @@
/// Test should fail to generate a key with error code `INVALID_ARGUMENT`
#[test]
fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -175,11 +165,8 @@
.device_unique_attestation();
let alias = "ks_test_auth_tags_test";
- let result = key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- ));
+ let result =
+ key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
assert!(result.is_err());
assert!(matches!(
result.unwrap_err(),
@@ -192,15 +179,11 @@
/// use it for performing an operation.
#[test]
fn keystore2_gen_ec_key_device_unique_attest_with_strongbox_sec_level_test_success() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -212,19 +195,15 @@
.device_unique_attestation();
let alias = "ks_device_unique_ec_key_attest_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias)) {
Ok(key_metadata) => {
perform_sample_asym_sign_verify_op(
- &sec_level,
+ &sl.binder,
&key_metadata,
None,
Some(Digest::SHA_2_256),
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -237,15 +216,11 @@
/// use it for performing an operation.
#[test]
fn keystore2_gen_rsa_key_device_unique_attest_with_strongbox_sec_level_test_success() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::RSA)
@@ -259,19 +234,15 @@
.device_unique_attestation();
let alias = "ks_device_unique_rsa_key_attest_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias)) {
Ok(key_metadata) => {
perform_sample_asym_sign_verify_op(
- &sec_level,
+ &sl.binder,
&key_metadata,
Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
Some(Digest::SHA_2_256),
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -283,15 +254,11 @@
/// Test should fail with error response code `CANNOT_ATTEST_IDS`.
#[test]
fn keystore2_device_unique_attest_key_fails_with_invalid_attestation_id() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let attest_id_params = vec![
(Tag::ATTESTATION_ID_BRAND, b"invalid-brand".to_vec()),
(Tag::ATTESTATION_ID_DEVICE, b"invalid-device-name".to_vec()),
@@ -315,11 +282,8 @@
let alias = "ks_ec_device_unique_attested_test_key_fail";
let gen_params = add_attest_id_auth(gen_params, attest_id, value.clone());
- let result = key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- ));
+ let result =
+ key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
assert!(result.is_err());
assert!(matches!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS)));
}
diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index f2c6d0f..8aa9bc4 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@@ -12,27 +12,23 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
- KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- ResponseCode::ResponseCode,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
-
use crate::keystore2_client_test_utils::{
delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
BarrierReached, ForcedOp, TestOutcome,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
+ KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain, KeyDescriptor::KeyDescriptor,
+ ResponseCode::ResponseCode,
+};
+use keystore2_test_utils::{
+ authorizations, get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
macro_rules! test_ec_sign_key_op_success {
( $test_name:ident, $digest:expr, $ec_curve:expr ) => {
@@ -57,7 +53,7 @@
}
fn create_ec_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -65,9 +61,9 @@
ec_curve: EcCurve,
) -> binder::Result<CreateOperationResponse> {
let key_metadata =
- key_generations::generate_ec_key(sec_level, domain, nspace, alias, ec_curve, digest)?;
+ key_generations::generate_ec_key(sl, domain, nspace, alias, ec_curve, digest)?;
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -75,11 +71,10 @@
}
fn perform_ec_sign_key_op_success(alias: &str, digest: Digest, ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let op_response = create_ec_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -96,15 +91,14 @@
))
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
fn perform_ec_sign_key_op_with_none_or_md5_digest(alias: &str, digest: Digest, ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
match key_generations::map_ks_error(create_ec_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -126,7 +120,7 @@
}
}
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
// Below macros generate tests for generating EC keys with curves EcCurve::P_224, EcCurve::P_256,
@@ -199,12 +193,11 @@
/// INVALID_ARGUMENT error is expected.
#[test]
fn keystore2_get_key_entry_blob_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate a key with domain as BLOB.
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
None,
@@ -213,23 +206,22 @@
.unwrap();
// Try to load the key using above generated KeyDescriptor.
- let result = key_generations::map_ks_error(keystore2.getKeyEntry(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.getKeyEntry(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
// Delete the generated key blob.
- sec_level.deleteKey(&key_metadata.key).unwrap();
+ sl.binder.deleteKey(&key_metadata.key).unwrap();
}
/// Try to generate a key with invalid Domain. `INVALID_ARGUMENT` error response is expected.
#[test]
fn keystore2_generate_key_invalid_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_invalid_test_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain(99), // Invalid domain.
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -244,8 +236,7 @@
/// `UNSUPPORTED_EC_CURVE or UNSUPPORTED_KEY_SIZE` error response is expected.
#[test]
fn keystore2_generate_ec_key_missing_curve() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_no_curve_test_key_{}", getuid());
// Don't provide EC curve.
@@ -256,7 +247,7 @@
.purpose(KeyPurpose::VERIFY)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -280,8 +271,7 @@
/// `INCOMPATIBLE_PURPOSE` error response is expected.
#[test]
fn keystore2_generate_ec_key_25519_multi_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_no_curve_test_key_{}", getuid());
// Specify `SIGN and AGREE_KEY` purposes.
@@ -293,7 +283,7 @@
.purpose(KeyPurpose::AGREE_KEY)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -314,12 +304,11 @@
/// able to create an operation successfully.
#[test]
fn keystore2_ec_25519_generate_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_25519_none_test_key_gen_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -328,7 +317,8 @@
)
.unwrap();
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::NONE),
@@ -350,8 +340,7 @@
/// `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_ec_25519_generate_key_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digests = [
Digest::MD5,
@@ -365,7 +354,7 @@
for digest in digests {
let alias = format!("ks_ec_25519_test_key_gen_{}{}", getuid(), digest.0);
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -378,7 +367,7 @@
// Digest::NONE". However, this was not checked at the time so we can only be strict about
// checking this for more recent implementations.
if get_vsr_api_level() >= 35 {
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -394,12 +383,11 @@
/// `INCOMPATIBLE_DIGEST` error as there is a mismatch of digest mode in key authorizations.
#[test]
fn keystore2_create_op_with_incompatible_key_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_ec_test_incomp_key_digest";
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -412,7 +400,7 @@
[Digest::NONE, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_384, Digest::SHA_2_512];
for digest in digests {
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -488,11 +476,10 @@
/// successfully.
#[test]
fn keystore2_generate_key_with_blob_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
None,
@@ -507,7 +494,7 @@
// Must have the key blob.
assert!(key_metadata.key.blob.is_some());
- let op_response = key_generations::map_ks_error(sec_level.createOperation(
+ let op_response = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -522,5 +509,5 @@
);
// Delete the generated key blob.
- sec_level.deleteKey(&key_metadata.key).unwrap();
+ sl.binder.deleteKey(&key_metadata.key).unwrap();
}
diff --git a/keystore2/tests/keystore2_client_grant_key_tests.rs b/keystore2/tests/keystore2_client_grant_key_tests.rs
index 516869a..50b87b9 100644
--- a/keystore2/tests/keystore2_client_grant_key_tests.rs
+++ b/keystore2/tests/keystore2_client_grant_key_tests.rs
@@ -12,37 +12,32 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
- ResponseCode::ResponseCode,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
-
use crate::keystore2_client_test_utils::{
generate_ec_key_and_grant_to_users, perform_sample_sign_operation,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Digest::Digest, KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
+ ResponseCode::ResponseCode,
+};
+use keystore2_test_utils::{
+ authorizations, get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
/// Generate an EC signing key and grant it to the user with given access vector.
fn generate_ec_key_and_grant_to_user(
grantee_uid: i32,
access_vector: i32,
) -> binder::Result<KeyDescriptor> {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("{}{}", "ks_grant_test_key_1", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -50,15 +45,14 @@
)
.unwrap();
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn load_grant_key_and_perform_sign_operation(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
grant_key_nspace: i64,
) -> Result<(), binder::Status> {
- let key_entry_response = keystore2.getKeyEntry(&KeyDescriptor {
+ let key_entry_response = sl.keystore2.getKeyEntry(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key_nspace,
alias: None,
@@ -66,7 +60,7 @@
})?;
// Perform sample crypto operation using granted key.
- let op_response = sec_level.createOperation(
+ let op_response = sl.binder.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -195,12 +189,11 @@
Uid::from_raw(GRANTEE_UID),
Gid::from_raw(GRANTEE_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Load the granted key.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key_nspace,
@@ -210,7 +203,8 @@
.unwrap();
// Perform sample crypto operation using granted key.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -228,12 +222,13 @@
);
// Try to delete the key, it is expected to be fail with permission denied error.
- let result = key_generations::map_ks_error(keystore2.deleteKey(&KeyDescriptor {
- domain: Domain::GRANT,
- nspace: grant_key_nspace,
- alias: None,
- blob: None,
- }));
+ let result =
+ key_generations::map_ks_error(sl.keystore2.deleteKey(&KeyDescriptor {
+ domain: Domain::GRANT,
+ nspace: grant_key_nspace,
+ alias: None,
+ blob: None,
+ }));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::PERMISSION_DENIED), result.unwrap_err());
},
@@ -258,12 +253,10 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::DELETE.0;
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(ALIAS.to_string()),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -335,13 +328,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::GET_INFO.0;
let alias = format!("ks_grant_perm_denied_key_{}", getuid());
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -411,8 +402,7 @@
/// `GRANT` access. Test should fail to grant a key with `PERMISSION_DENIED` error response code.
#[test]
fn keystore2_grant_key_fails_with_grant_perm_expect_perm_denied() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::GRANT.0;
let alias = format!("ks_grant_access_vec_key_{}", getuid());
let user_id = 98;
@@ -420,8 +410,7 @@
let grantee_uid = user_id * AID_USER_OFFSET + application_id;
let result = key_generations::map_ks_error(generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![grantee_uid.try_into().unwrap()],
access_vector,
@@ -470,13 +459,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ungrant_test_key_1{}", getuid());
let access_vector = KeyPermission::GET_INFO.0;
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias.to_string()),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -485,8 +472,8 @@
let grant_key_nspace = grant_keys.remove(0);
- //Ungrant above granted key.
- keystore2
+ // Ungrant above granted key.
+ sl.keystore2
.ungrant(
&KeyDescriptor {
domain: Domain::APP,
@@ -542,12 +529,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("{}{}", "ks_grant_delete_ungrant_test_key_1", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -556,17 +542,18 @@
.unwrap();
let access_vector = KeyPermission::GET_INFO.0;
- let grant_key = keystore2
+ let grant_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(grant_key.domain, Domain::GRANT);
// Delete above granted key.
- keystore2.deleteKey(&key_metadata.key).unwrap();
+ sl.keystore2.deleteKey(&key_metadata.key).unwrap();
// Try to ungrant above granted key.
let result = key_generations::map_ks_error(
- keystore2.ungrant(&key_metadata.key, GRANTEE_UID.try_into().unwrap()),
+ sl.keystore2.ungrant(&key_metadata.key, GRANTEE_UID.try_into().unwrap()),
);
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
@@ -574,7 +561,7 @@
// Generate a new key with the same alias and try to access the earlier granted key
// in grantee context.
let result = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -631,14 +618,12 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut grant_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_grant_test_key_2{}", getuid());
let access_vector = KeyPermission::GET_INFO.0 | KeyPermission::USE.0;
generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_1_UID.try_into().unwrap(), GRANTEE_2_UID.try_into().unwrap()],
access_vector,
@@ -658,15 +643,12 @@
Uid::from_raw(*grantee_uid),
Gid::from_raw(*grantee_gid),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
assert_eq!(
Ok(()),
key_generations::map_ks_error(load_grant_key_and_perform_sign_operation(
- &keystore2,
- &sec_level,
+ &sl,
grant_key_nspace
))
);
@@ -697,15 +679,13 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut grant_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_grant_test_key_2{}", getuid());
let access_vector =
KeyPermission::GET_INFO.0 | KeyPermission::USE.0 | KeyPermission::DELETE.0;
generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_1_UID.try_into().unwrap(), GRANTEE_2_UID.try_into().unwrap()],
access_vector,
@@ -723,21 +703,18 @@
Uid::from_raw(GRANTEE_1_UID),
Gid::from_raw(GRANTEE_1_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
assert_eq!(
Ok(()),
key_generations::map_ks_error(load_grant_key_and_perform_sign_operation(
- &keystore2,
- &sec_level,
+ &sl,
grant_key1_nspace
))
);
// Delete the granted key.
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key1_nspace,
diff --git a/keystore2/tests/keystore2_client_hmac_key_tests.rs b/keystore2/tests/keystore2_client_hmac_key_tests.rs
index 6bb8001..76780a0 100644
--- a/keystore2/tests/keystore2_client_hmac_key_tests.rs
+++ b/keystore2/tests/keystore2_client_hmac_key_tests.rs
@@ -12,23 +12,18 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use crate::keystore2_client_test_utils::perform_sample_sign_operation;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::perform_sample_sign_operation;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate HMAC key with given parameters and perform a sample operation using generated key.
fn create_hmac_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
key_size: i32,
mac_len: i32,
@@ -36,9 +31,9 @@
digest: Digest,
) -> Result<(), binder::Status> {
let key_metadata =
- key_generations::generate_hmac_key(sec_level, alias, key_size, min_mac_len, digest)?;
+ key_generations::generate_hmac_key(sl, alias, key_size, min_mac_len, digest)?;
- let op_response = sec_level.createOperation(
+ let op_response = sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -69,22 +64,14 @@
let mac_len = 128;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
assert_eq!(
Ok(()),
- create_hmac_key_and_operation(
- &sec_level,
- &alias,
- key_size,
- mac_len,
- min_mac_len,
- digest,
- )
+ create_hmac_key_and_operation(&sl, &alias, key_size, mac_len, min_mac_len, digest,)
);
}
}
@@ -96,13 +83,12 @@
let min_mac_len = 256;
let digest = Digest::SHA_2_256;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in 0..513 {
let alias = format!("ks_hmac_test_key_{}", key_size);
let result = key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
&alias,
key_size,
min_mac_len,
@@ -128,13 +114,12 @@
let digest = Digest::SHA_2_256;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for min_mac_len in 0..257 {
let alias = format!("ks_hmac_test_key_mml_{}", min_mac_len);
match key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
&alias,
key_size,
min_mac_len,
@@ -159,8 +144,7 @@
/// Test fails to generate a key with multiple digests with an error code `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_hmac_gen_key_multi_digests_fails_expect_unsupported_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_multi_dig";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -173,7 +157,7 @@
.digest(Digest::SHA1)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -193,8 +177,7 @@
/// no digest should fail with an error code `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_hmac_gen_key_no_digests_fails_expect_unsupported_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_no_dig";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -205,7 +188,7 @@
.key_size(128)
.min_mac_length(128);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -227,12 +210,11 @@
fn keystore2_hmac_gen_key_with_none_digest_fails_expect_unsupported_digest() {
let min_mac_len = 128;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_fail";
let result = key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
alias,
key_size,
min_mac_len,
@@ -253,14 +235,13 @@
let mac_len = 256;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
let result = key_generations::map_ks_error(create_hmac_key_and_operation(
- &sec_level,
+ &sl,
&alias,
key_size,
mac_len,
@@ -284,14 +265,13 @@
let mac_len = 64;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
let result = key_generations::map_ks_error(create_hmac_key_and_operation(
- &sec_level,
+ &sl,
&alias,
key_size,
mac_len,
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index bf787d2..b06303e 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@@ -12,49 +12,41 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
-use openssl::rand::rand_bytes;
-use openssl::x509::X509;
-
+use crate::keystore2_client_test_utils::{
+ encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+ perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+ perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
- KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
};
use android_system_keystore2::aidl::android::system::keystore2::{
AuthenticatorSpec::AuthenticatorSpec, Domain::Domain,
IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use keystore2_test_utils::ffi_test_utils::{
create_wrapped_key, create_wrapped_key_additional_auth_data,
};
-
-use crate::keystore2_client_test_utils::{
- encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
- perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
- perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
-};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
+use openssl::rand::rand_bytes;
+use openssl::x509::X509;
pub fn import_rsa_sign_key_and_perform_sample_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: authorizations::AuthSetBuilder,
) {
let key_metadata =
- key_generations::import_rsa_2048_key(sec_level, domain, nspace, alias, import_params)
- .unwrap();
+ key_generations::import_rsa_2048_key(sl, domain, nspace, alias, import_params).unwrap();
perform_sample_asym_sign_verify_op(
- sec_level,
+ &sl.binder,
&key_metadata,
Some(PaddingMode::RSA_PSS),
Some(Digest::SHA_2_256),
@@ -93,7 +85,7 @@
}
fn build_secure_key_wrapper(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
secure_key: &[u8],
transport_key: &[u8],
nonce: &[u8],
@@ -103,10 +95,10 @@
// Encrypt secure key with transport key.
let transport_key_alias = format!("ks_transport_key_aes_256_key_test_{}", getuid());
let transport_key_metadata =
- key_generations::import_transport_key(sec_level, Some(transport_key_alias), transport_key)
+ key_generations::import_transport_key(sl, Some(transport_key_alias), transport_key)
.unwrap();
let encrypted_secure_key = encrypt_secure_key(
- sec_level,
+ &sl.binder,
secure_key,
aad,
nonce.to_vec(),
@@ -135,8 +127,7 @@
/// imported key. Test should be able to create an operation successfully.
#[test]
fn keystore2_rsa_import_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_1_{}{}", getuid(), 2048);
@@ -153,7 +144,7 @@
.cert_not_after(253402300799000);
import_rsa_sign_key_and_perform_sample_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -167,8 +158,7 @@
/// able to create an operation successfully.
#[test]
fn keystore2_rsa_import_key_determine_key_size_and_pub_exponent() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_2_{}{}", getuid(), 2048);
@@ -184,7 +174,7 @@
.cert_not_after(253402300799000);
import_rsa_sign_key_and_perform_sample_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -196,8 +186,7 @@
/// a key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_rsa_import_key_fails_with_keysize_param_mismatch_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_3_{}{}", getuid(), 2048);
@@ -213,7 +202,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -229,8 +218,7 @@
/// Test should fail to import a key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_rsa_import_key_fails_with_public_exponent_param_mismatch_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_4_{}{}", getuid(), 2048);
@@ -246,7 +234,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -263,8 +251,7 @@
/// successful.
#[test]
fn keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_5_{}{}", getuid(), 2048);
@@ -280,7 +267,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -288,7 +275,7 @@
key_generations::RSA_2048_KEY,
));
- if key_generations::has_default_keymint() {
+ if sl.is_keymint() {
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
} else {
@@ -301,8 +288,7 @@
/// able to create an operation successfully.
#[test]
fn keystore2_import_ec_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
@@ -323,24 +309,18 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let key_metadata = key_generations::import_ec_p_256_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- import_params,
- )
- .expect("Failed to import EC key.");
+ let key_metadata =
+ key_generations::import_ec_p_256_key(&sl, Domain::APP, -1, Some(alias), import_params)
+ .expect("Failed to import EC key.");
- perform_sample_asym_sign_verify_op(&sec_level, &key_metadata, None, Some(Digest::SHA_2_256));
+ perform_sample_asym_sign_verify_op(&sl.binder, &key_metadata, None, Some(Digest::SHA_2_256));
}
/// Try to import EC key with wrong ec-curve as import-key-parameter. Test should fail to import a
/// key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_ec_import_key_fails_with_mismatch_curve_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
@@ -354,7 +334,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -369,47 +349,41 @@
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_aes_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_aes_key_test_import_1_{}{}", getuid(), 256);
- let key_metadata = key_generations::import_aes_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_aes_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import AES key.");
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import 3DES key and verify key parameters. Try to create an operation using the imported key.
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_3des_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = key_generations::map_ks_error(
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT),
- )
- .unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_3des_key_test_import_1_{}{}", getuid(), 168);
- let key_metadata = key_generations::import_3des_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_3des_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import 3DES key.");
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import HMAC key and verify key parameters. Try to create an operation using the imported key.
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_hmac_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_hmac_key_test_import_1_{}", getuid());
- let key_metadata = key_generations::import_hmac_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_hmac_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import HMAC key.");
- perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key);
+ perform_sample_hmac_sign_verify_op(&sl.binder, &key_metadata.key);
}
/// This test creates a wrapped key data and imports it. Validates the imported wrapped key.
@@ -419,8 +393,7 @@
/// Test should successfully import the wrapped key and perform crypto operations.
#[test]
fn keystore2_create_wrapped_key_and_import_wrapped_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mut secure_key = [0; 32];
rand_bytes(&mut secure_key).unwrap();
@@ -434,7 +407,7 @@
// Import wrapping key.
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let wrapping_key_metadata = key_generations::import_wrapping_key(
- &sec_level,
+ &sl,
key_generations::RSA_2048_KEY,
Some(wrapping_key_alias),
)
@@ -446,7 +419,7 @@
// Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
let wrapped_key_data = build_secure_key_wrapper(
- &sec_level,
+ &sl,
&secure_key,
&transport_key,
&nonce,
@@ -458,14 +431,14 @@
// Unwrap the key. Import wrapped key.
let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
let secured_key_metadata = key_generations::import_wrapped_key(
- &sec_level,
+ &sl,
Some(secured_key_alias),
&wrapping_key_metadata,
Some(wrapped_key_data.to_vec()),
)
.unwrap();
- perform_sym_key_encrypt_decrypt_op(&sec_level, &secured_key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &secured_key_metadata);
}
/// Create a wrapped key data with invalid Additional Authenticated Data (AAD) and
@@ -476,8 +449,7 @@
/// Test should fail to import the wrapped key with error code `VERIFICATION_FAILED`.
#[test]
fn keystore2_create_wrapped_key_with_invalid_aad_and_import_wrapped_key_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mut secure_key = [0; 32];
rand_bytes(&mut secure_key).unwrap();
@@ -491,7 +463,7 @@
// Import wrapping key.
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let wrapping_key_metadata = key_generations::import_wrapping_key(
- &sec_level,
+ &sl,
key_generations::RSA_2048_KEY,
Some(wrapping_key_alias),
)
@@ -502,7 +474,7 @@
// Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
let wrapped_key_data = build_secure_key_wrapper(
- &sec_level,
+ &sl,
&secure_key,
&transport_key,
&nonce,
@@ -514,7 +486,7 @@
// Unwrap the key. Import wrapped key.
let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::import_wrapped_key(
- &sec_level,
+ &sl,
Some(secured_key_alias),
&wrapping_key_metadata,
Some(wrapped_key_data.to_vec()),
@@ -528,8 +500,7 @@
/// perform crypto operations successfully.
#[test]
fn keystore2_import_wrapped_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_wrapped_key_test_import_1_{}_256", getuid());
let wrapping_key_alias = format!("ks_wrapping_key_test_import_1_{}_2048", getuid());
@@ -548,7 +519,7 @@
.cert_not_after(253402300799000);
let key_metadata = key_generations::import_wrapping_key_and_wrapped_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -558,7 +529,7 @@
.expect("Failed to import wrapped key.");
// Try to perform operations using wrapped key.
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import wrapping-key without specifying KeyPurpose::WRAP_KEY in import key parameters. Try to
@@ -567,8 +538,7 @@
/// `WRAP_KEY` purpose.
#[test]
fn keystore2_import_wrapped_key_fails_with_wrong_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let alias = format!("ks_wrapped_key_test_import_2_{}_256", getuid());
@@ -588,7 +558,7 @@
let result =
key_generations::map_ks_error(key_generations::import_wrapping_key_and_wrapped_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -604,8 +574,7 @@
/// Test should fail to import wrapped key with `ResponseCode::KEY_NOT_FOUND`.
#[test]
fn keystore2_import_wrapped_key_fails_with_missing_wrapping_key() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let unwrap_params = authorizations::AuthSetBuilder::new()
.digest(Digest::SHA_2_256)
@@ -621,7 +590,7 @@
// Wrapping key with this alias doesn't exist.
let wrapping_key_alias = format!("ks_wrapping_key_not_exist_{}_2048", getuid());
- let result = key_generations::map_ks_error(sec_level.importWrappedKey(
+ let result = key_generations::map_ks_error(sl.binder.importWrappedKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
diff --git a/keystore2/tests/keystore2_client_key_agreement_tests.rs b/keystore2/tests/keystore2_client_key_agreement_tests.rs
index 6b2e3c2..19f6210 100644
--- a/keystore2/tests/keystore2_client_key_agreement_tests.rs
+++ b/keystore2/tests/keystore2_client_key_agreement_tests.rs
@@ -12,8 +12,15 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ KeyMetadata::KeyMetadata,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
use nix::unistd::getuid;
-
use openssl::ec::{EcGroup, EcKey};
use openssl::error::ErrorStack;
use openssl::nid::Nid;
@@ -21,19 +28,6 @@
use openssl::pkey_ctx::PkeyCtx;
use openssl::x509::X509;
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
/// This macro is used to verify that the key agreement works for the given curve.
macro_rules! test_ec_key_agree {
( $test_name:ident, $ec_curve:expr ) => {
@@ -89,13 +83,12 @@
/// Generate two EC keys with given curve from KeyMint and OpeanSSL. Perform local ECDH between
/// them and verify that the derived secrets are the same.
fn perform_ec_key_agreement(ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let openssl_ec_curve = ec_curve_to_openrssl_curve_name(&ec_curve);
let alias = format!("ks_ec_test_key_agree_{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
ec_curve,
Digest::SHA_2_256,
Domain::APP,
@@ -111,7 +104,7 @@
let local_key = PKey::from_ec_key(ec_key).unwrap();
let local_pub_key = local_key.public_key_to_der().unwrap();
- check_agreement(&sec_level, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
+ check_agreement(&sl.binder, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
}
test_ec_key_agree!(test_ec_p224_key_agreement, EcCurve::P_224);
@@ -123,12 +116,11 @@
/// Perform local ECDH between them and verify that the derived secrets are the same.
#[test]
fn keystore2_ec_25519_agree_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_25519_test_key_agree_{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
EcCurve::CURVE_25519,
Digest::NONE,
Domain::APP,
@@ -142,19 +134,18 @@
let local_key = PKey::generate_x25519().unwrap();
let local_pub_key = local_key.public_key_to_der().unwrap();
- check_agreement(&sec_level, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
+ check_agreement(&sl.binder, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
}
/// Generate two EC keys with different curves and try to perform local ECDH. Since keys are using
/// different curves operation should fail with `ErrorCode:INVALID_ARGUMENT`.
#[test]
fn keystore2_ec_agree_key_with_different_curves_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_test_key_agree_fail{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
EcCurve::P_256,
Digest::SHA_2_256,
Domain::APP,
@@ -169,7 +160,7 @@
// If the keys are using different curves KeyMint should fail with
// ErrorCode:INVALID_ARGUMENT.
let authorizations = authorizations::AuthSetBuilder::new().purpose(KeyPurpose::AGREE_KEY);
- let key_agree_op = sec_level.createOperation(&keymint_key.key, &authorizations, false).unwrap();
+ let key_agree_op = sl.binder.createOperation(&keymint_key.key, &authorizations, false).unwrap();
assert!(key_agree_op.iOperation.is_some());
let op = key_agree_op.iOperation.unwrap();
diff --git a/keystore2/tests/keystore2_client_key_id_domain_tests.rs b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
index 09b1378..8f9191f 100644
--- a/keystore2/tests/keystore2_client_key_id_domain_tests.rs
+++ b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
@@ -12,20 +12,15 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
+use crate::keystore2_client_test_utils::perform_sample_sign_operation;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
+ Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
};
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::perform_sample_sign_operation;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
/// Try to generate a key with `Domain::KEY_ID`, test should fail with an error code
/// `SYSTEM_ERROR`. `Domain::KEY_ID` is not allowed to use for generating a key. Key id is returned
@@ -33,11 +28,10 @@
#[test]
fn keystore2_generate_key_with_key_id_domain_expect_sys_error() {
let alias = "ks_gen_key_id_test_key";
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::KEY_ID,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -53,12 +47,11 @@
/// successfully.
#[test]
fn keystore2_find_key_with_key_id_as_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_key_id_test_key";
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -68,7 +61,8 @@
.expect("Failed to generate a EC key.");
// Try to load the above generated key with KEY_ID as domain.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::KEY_ID,
nspace: key_metadata.key.nspace,
@@ -85,7 +79,8 @@
// Try to create an operation using above loaded key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -110,12 +105,11 @@
/// create an operation using the rebound key.
#[test]
fn keystore2_key_id_alias_rebind_verify_by_alias() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_key_id_test_alias_rebind_1_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -127,7 +121,7 @@
// Generate a key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -142,7 +136,7 @@
// Try to create an operation using previously generated key_metadata.
// It should fail as previously generated key material is no longer remains valid.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -152,7 +146,8 @@
// Try to create an operation using rebound key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&new_key_metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -177,12 +172,11 @@
/// Test should successfully create an operation using the rebound key.
#[test]
fn keystore2_key_id_alias_rebind_verify_by_key_id() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_key_id_test_alias_rebind_2_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -192,7 +186,8 @@
.expect("Failed to generate a EC key.");
// Load the above generated key with KEY_ID as domain.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::KEY_ID,
nspace: key_metadata.key.nspace,
@@ -210,7 +205,7 @@
// Generate another key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -227,7 +222,7 @@
// Try to create an operation using previously loaded key_entry_response.
// It should fail as previously generated key material is no longer valid.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -237,7 +232,8 @@
// Try to create an operation using rebound key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&new_key_metadata.key,
&authorizations::AuthSetBuilder::new()
diff --git a/keystore2/tests/keystore2_client_keystore_engine_tests.rs b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
index 4651931..01f8917 100644
--- a/keystore2/tests/keystore2_client_keystore_engine_tests.rs
+++ b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
+ PaddingMode::PaddingMode,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
+ Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
+ KeyPermission::KeyPermission,
};
-
-use keystore2_test_utils::{authorizations::AuthSetBuilder, get_keystore_service, run_as};
-
use keystore2_test_utils::ffi_test_utils::perform_crypto_op_using_keystore_engine;
-
+use keystore2_test_utils::{
+ authorizations::AuthSetBuilder, get_keystore_service, run_as, SecLevel,
+};
+use nix::unistd::{Gid, Uid};
use openssl::x509::X509;
+use rustutils::users::AID_USER_OFFSET;
fn generate_rsa_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: i32,
access_vector: i32,
@@ -47,7 +44,8 @@
.padding_mode(PaddingMode::NONE)
.digest(Digest::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -64,12 +62,11 @@
assert!(key_metadata.certificate.is_some());
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn generate_ec_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: i32,
access_vector: i32,
@@ -82,7 +79,8 @@
.digest(Digest::NONE)
.ec_curve(EcCurve::P_256);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -99,12 +97,11 @@
assert!(key_metadata.certificate.is_some());
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn generate_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: u32,
algo: Algorithm,
@@ -115,16 +112,14 @@
let grant_key = match algo {
Algorithm::RSA => generate_rsa_key_and_grant_to_user(
- keystore2,
- sec_level,
+ sl,
alias,
grantee_uid.try_into().unwrap(),
access_vector,
)
.unwrap(),
Algorithm::EC => generate_ec_key_and_grant_to_user(
- keystore2,
- sec_level,
+ sl,
alias,
grantee_uid.try_into().unwrap(),
access_vector,
@@ -170,17 +165,9 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_rsa_key";
- generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::RSA,
- )
- .unwrap()
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::RSA).unwrap()
})
};
@@ -213,17 +200,9 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_ec_test_key";
- generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::EC,
- )
- .unwrap()
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::EC).unwrap()
})
};
@@ -257,20 +236,14 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_rsa_pem_pub_key";
- let grant_key_nspace = generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::RSA,
- )
- .unwrap();
+ let grant_key_nspace =
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::RSA).unwrap();
// Update certificate with encodeed PEM data.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -281,7 +254,7 @@
let cert_bytes = key_entry_response.metadata.certificate.as_ref().unwrap();
let cert = X509::from_der(cert_bytes.as_ref()).unwrap();
let cert_pem = cert.to_pem().unwrap();
- keystore2
+ sl.keystore2
.updateSubcomponent(&key_entry_response.metadata.key, Some(&cert_pem), None)
.expect("updateSubcomponent failed.");
diff --git a/keystore2/tests/keystore2_client_list_entries_tests.rs b/keystore2/tests/keystore2_client_list_entries_tests.rs
index 8b3f700..539dac2 100644
--- a/keystore2/tests/keystore2_client_list_entries_tests.rs
+++ b/keystore2/tests/keystore2_client_list_entries_tests.rs
@@ -12,19 +12,18 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use std::collections::HashSet;
-use std::fmt::Write;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
+use crate::keystore2_client_test_utils::{delete_all_entries, delete_app_key, verify_aliases};
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
KeyPermission::KeyPermission, ResponseCode::ResponseCode,
};
-
-use crate::keystore2_client_test_utils::{delete_all_entries, delete_app_key, verify_aliases};
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error, run_as};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use std::collections::HashSet;
+use std::fmt::Write;
/// Try to find a key with given key parameters using `listEntries` API.
fn key_alias_exists(
@@ -63,20 +62,19 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("list_entries_grant_key1_{}", getuid());
// Make sure there is no key exist with this `alias` in `SELINUX` domain and
// `SELINUX_SHELL_NAMESPACE` namespace.
if key_alias_exists(
- &keystore2,
+ &sl.keystore2,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
alias.to_string(),
) {
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -88,7 +86,7 @@
// Generate a key with above defined `alias`.
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -99,7 +97,7 @@
// Verify that above generated key entry is listed with domain SELINUX and
// namespace SELINUX_SHELL_NAMESPACE
assert!(key_alias_exists(
- &keystore2,
+ &sl.keystore2,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
alias,
@@ -107,7 +105,7 @@
// Grant a key with GET_INFO permission.
let access_vector = KeyPermission::GET_INFO.0;
- keystore2
+ sl.keystore2
.grant(&key_metadata.key, GRANTEE_UID.try_into().unwrap(), access_vector)
.unwrap();
})
@@ -121,13 +119,11 @@
Uid::from_raw(GRANTEE_UID),
Gid::from_raw(GRANTEE_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("list_entries_success_key{}", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -137,7 +133,7 @@
// Make sure there is only one key entry exist and that should be the same key
// generated in this user context. Granted key shouldn't be included in this list.
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
assert_eq!(1, key_descriptors.len());
let key = key_descriptors.first().unwrap();
@@ -145,9 +141,9 @@
assert_eq!(key.nspace, GRANTEE_UID.try_into().unwrap());
assert_eq!(key.domain, Domain::APP);
- keystore2.deleteKey(&key_metadata.key).unwrap();
+ sl.keystore2.deleteKey(&key_metadata.key).unwrap();
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
assert_eq!(0, key_descriptors.len());
},
)
@@ -204,14 +200,13 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
if !key_descriptors.is_empty() {
key_descriptors.into_iter().map(|key| key.alias.unwrap()).for_each(|alias| {
- delete_app_key(&keystore2, &alias).unwrap();
+ delete_app_key(&sl.keystore2, &alias).unwrap();
});
}
@@ -223,8 +218,7 @@
write!(alias, "{}_{}", "X".repeat(6000), count).unwrap();
imported_key_aliases.insert(alias.clone());
- let result =
- key_generations::import_aes_key(&sec_level, Domain::APP, -1, Some(alias));
+ let result = key_generations::import_aes_key(&sl, Domain::APP, -1, Some(alias));
assert!(result.is_ok());
}
@@ -237,7 +231,7 @@
// list of key aliases
// - continue above steps till it cleanup all the imported keystore entries.
while !imported_key_aliases.is_empty() {
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
// Check retrieved key entries list is a subset of imported keys list.
assert!(key_descriptors
@@ -246,7 +240,7 @@
// Delete the listed key entries from Keystore as well as from imported keys list.
key_descriptors.into_iter().map(|key| key.alias.unwrap()).for_each(|alias| {
- delete_app_key(&keystore2, &alias).unwrap();
+ delete_app_key(&sl.keystore2, &alias).unwrap();
assert!(imported_key_aliases.remove(&alias));
});
}
@@ -271,17 +265,16 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import 100 keys with aliases of length 6000.
let mut imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, "X".repeat(6000), 1..101).unwrap();
+ key_generations::import_aes_keys(&sl, "X".repeat(6000), 1..101).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
100,
"Error while importing keys"
);
@@ -290,7 +283,7 @@
let mut alias;
while !imported_key_aliases.is_empty() {
let key_descriptors =
- keystore2.listEntriesBatched(Domain::APP, -1, start_past_alias).unwrap();
+ sl.keystore2.listEntriesBatched(Domain::APP, -1, start_past_alias).unwrap();
// Check retrieved key entries list is a subset of imported keys list.
assert!(key_descriptors
@@ -306,9 +299,9 @@
}
assert!(imported_key_aliases.is_empty());
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
0,
"Error while doing cleanup"
);
@@ -339,25 +332,23 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import 3 keys with below aliases -
// [key_test_batch_list_1, key_test_batch_list_2, key_test_batch_list_3]
let imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 1..4)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 1..4).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
3,
"Error while importing keys"
);
// List all entries in keystore for this user-id.
- let key_descriptors = keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
+ let key_descriptors = sl.keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
assert_eq!(key_descriptors.len(), 3);
// Makes sure all listed aliases are matching with imported keys aliases.
@@ -370,20 +361,18 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Import another 5 keys with below aliases -
// [ key_test_batch_list_4, key_test_batch_list_5, key_test_batch_list_6,
// key_test_batch_list_7, key_test_batch_list_8 ]
let mut imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 4..9)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 4..9).unwrap();
// Above context already 3 keys are imported, in this context 5 keys are imported,
// total 8 keystore entries are expected to be present in Keystore for this user-id.
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
8,
"Error while importing keys"
);
@@ -391,7 +380,8 @@
// List keystore entries with `start_past_alias` as "key_test_batch_list_3".
// `listEntriesBatched` should list all the keystore entries with
// alias > "key_test_batch_list_3".
- let key_descriptors = keystore2
+ let key_descriptors = sl
+ .keystore2
.listEntriesBatched(Domain::APP, -1, Some("key_test_batch_list_3"))
.unwrap();
assert_eq!(key_descriptors.len(), 5);
@@ -403,7 +393,7 @@
// List all keystore entries with `start_past_alias` as `None`.
// `listEntriesBatched` should list all the keystore entries.
- let key_descriptors = keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
+ let key_descriptors = sl.keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
assert_eq!(key_descriptors.len(), 8);
// Include previously imported keys aliases as well
@@ -416,9 +406,9 @@
.iter()
.all(|key| imported_key_aliases.contains(key.alias.as_ref().unwrap())));
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
0,
"Error while doing cleanup"
);
@@ -459,23 +449,23 @@
/// Test should successfully list the imported key.
#[test]
fn keystore2_list_entries_batched_with_selinux_domain_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "test_selinux_key_list_alias_batched";
- let _result = keystore2.deleteKey(&KeyDescriptor {
+ let _result = sl.keystore2.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
alias: Some(alias.to_string()),
blob: None,
});
- let initial_count = keystore2
+ let initial_count = sl
+ .keystore2
.getNumberOfEntries(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE)
.unwrap();
key_generations::import_aes_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -483,14 +473,15 @@
.unwrap();
assert_eq!(
- keystore2
+ sl.keystore2
.getNumberOfEntries(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE)
.unwrap(),
initial_count + 1,
"Error while getting number of keystore entries accessible."
);
- let key_descriptors = keystore2
+ let key_descriptors = sl
+ .keystore2
.listEntriesBatched(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE, None)
.unwrap();
assert_eq!(key_descriptors.len(), (initial_count + 1) as usize);
@@ -499,7 +490,7 @@
key_descriptors.into_iter().map(|key| key.alias.unwrap()).filter(|a| a == alias).count();
assert_eq!(count, 1);
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -522,11 +513,10 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import keys with below mentioned aliases -
// [
@@ -542,48 +532,49 @@
// key_test_batch_list_22,
// ]
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 1..6)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 1..6).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
5,
"Error while importing keys"
);
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 10..13)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 10..13).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
8,
"Error while importing keys"
);
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 21..23)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 21..23).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
10,
"Error while importing keys"
);
// List the aliases using given `startingPastAlias` and verify the listed
// aliases with the expected list of aliases.
- verify_aliases(&keystore2, Some(format!("{}{}", ALIAS_PREFIX, "_5").as_str()), vec![]);
+ verify_aliases(
+ &sl.keystore2,
+ Some(format!("{}{}", ALIAS_PREFIX, "_5").as_str()),
+ vec![],
+ );
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_4").as_str()),
vec![ALIAS_PREFIX.to_owned() + "_5"],
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_3").as_str()),
vec![ALIAS_PREFIX.to_owned() + "_4", ALIAS_PREFIX.to_owned() + "_5"],
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_2").as_str()),
vec![
ALIAS_PREFIX.to_owned() + "_21",
@@ -595,7 +586,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_1").as_str()),
vec![
ALIAS_PREFIX.to_owned() + "_10",
@@ -611,7 +602,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(ALIAS_PREFIX),
vec![
ALIAS_PREFIX.to_owned() + "_1",
@@ -628,7 +619,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
None,
vec![
ALIAS_PREFIX.to_owned() + "_1",
diff --git a/keystore2/tests/keystore2_client_operation_tests.rs b/keystore2/tests/keystore2_client_operation_tests.rs
index 89b5a31..95888a6 100644
--- a/keystore2/tests/keystore2_client_operation_tests.rs
+++ b/keystore2/tests/keystore2_client_operation_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use std::thread;
-use std::thread::JoinHandle;
-
+use crate::keystore2_client_test_utils::{
+ create_signing_operation, execute_op_run_as_child, perform_sample_sign_operation,
+ BarrierReached, ForcedOp, TestOutcome,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
+ Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
};
use android_system_keystore2::aidl::android::system::keystore2::{
CreateOperationResponse::CreateOperationResponse, Domain::Domain,
IKeystoreOperation::IKeystoreOperation, ResponseCode::ResponseCode,
};
-
use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
+ authorizations, key_generations, key_generations::Error, run_as, SecLevel,
};
-
-use crate::keystore2_client_test_utils::{
- create_signing_operation, execute_op_run_as_child, perform_sample_sign_operation,
- BarrierReached, ForcedOp, TestOutcome,
-};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use std::thread;
+use std::thread::JoinHandle;
/// Create `max_ops` number child processes with the given context and perform an operation under each
/// child process.
@@ -312,11 +309,10 @@
child_handle.recv();
// Generate a key to use in below operations.
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_prune_op_test_key_{}", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -327,7 +323,7 @@
// Create multiple operations in this process to trigger cannibalizing sibling operations.
let mut ops: Vec<binder::Result<CreateOperationResponse>> = (0..MAX_OPS)
.map(|_| {
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -353,7 +349,7 @@
// Create a new operation, it should trigger to cannibalize one of their own sibling
// operations.
ops.push(
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
diff --git a/keystore2/tests/keystore2_client_rsa_key_tests.rs b/keystore2/tests/keystore2_client_rsa_key_tests.rs
index ad176a4..1559008 100644
--- a/keystore2/tests/keystore2_client_rsa_key_tests.rs
+++ b/keystore2/tests/keystore2_client_rsa_key_tests.rs
@@ -12,20 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use crate::keystore2_client_test_utils::{delete_app_key, perform_sample_sign_operation, ForcedOp};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::{delete_app_key, perform_sample_sign_operation, ForcedOp};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// This macro is used for creating signing key operation tests using digests and paddings
/// for various key sizes.
@@ -77,7 +71,7 @@
/// Generate a RSA key and create an operation using the generated key.
fn create_rsa_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -86,7 +80,7 @@
forced_op: ForcedOp,
) -> binder::Result<CreateOperationResponse> {
let key_metadata =
- key_generations::generate_rsa_key(sec_level, domain, nspace, alias, key_params, None)?;
+ key_generations::generate_rsa_key(sl, domain, nspace, alias, key_params, None)?;
let mut op_params = authorizations::AuthSetBuilder::new().purpose(op_purpose);
@@ -103,7 +97,7 @@
op_params = op_params.block_mode(value)
}
- sec_level.createOperation(&key_metadata.key, &op_params, forced_op.0)
+ sl.binder.createOperation(&key_metadata.key, &op_params, forced_op.0)
}
/// Generate RSA signing key with given parameters and perform signing operation.
@@ -113,11 +107,10 @@
alias: &str,
padding: PaddingMode,
) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let op_response = create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -143,17 +136,16 @@
))
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate RSA signing key with given parameters and try to perform signing operation.
/// Error `INCOMPATIBLE_DIGEST | UNKNOWN_ERROR` is expected while creating an opearation.
fn perform_rsa_sign_key_op_failure(digest: Digest, alias: &str, padding: PaddingMode) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -176,7 +168,7 @@
e == Error::Km(ErrorCode::UNKNOWN_ERROR) || e == Error::Km(ErrorCode::INCOMPATIBLE_DIGEST)
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate RSA encrypt/decrypt key with given parameters and perform decrypt operation.
@@ -187,11 +179,10 @@
padding: PaddingMode,
mgf_digest: Option<Digest>,
) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -210,7 +201,7 @@
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
// Below macros generate tests for generating RSA signing keys with -
@@ -1533,12 +1524,11 @@
/// `INCOMPATIBLE_DIGEST` error code.
#[test]
fn keystore2_rsa_generate_signing_key_padding_pss_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_pss_none_key_op_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1565,12 +1555,11 @@
/// with an error code `INCOMPATIBLE_DIGEST`.
#[test]
fn keystore2_rsa_generate_key_with_oaep_padding_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_oaep_padding_fail_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1596,12 +1585,11 @@
/// `UNSUPPORTED_PADDING_MODE`.
#[test]
fn keystore2_rsa_generate_keys() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_unsupport_padding_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1625,12 +1613,11 @@
/// `INCOMPATIBLE_PURPOSE` is expected as the generated key doesn't support sign operation.
#[test]
fn keystore2_rsa_encrypt_key_op_invalid_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_test_key_1";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1654,12 +1641,11 @@
/// `INCOMPATIBLE_PURPOSE` is expected as the generated key doesn't support decrypt operation.
#[test]
fn keystore2_rsa_sign_key_op_invalid_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_test_key_2";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1683,12 +1669,11 @@
/// generated key, an error `UNSUPPORTED_PURPOSE` is expected as RSA doesn't support AGREE_KEY.
#[test]
fn keystore2_rsa_key_unsupported_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_3";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1713,14 +1698,13 @@
/// mode.
#[test]
fn keystore2_rsa_encrypt_key_unsupported_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let paddings = [PaddingMode::RSA_PKCS1_1_5_SIGN, PaddingMode::RSA_PSS];
for padding in paddings {
let alias = format!("ks_rsa_encrypt_key_unsupported_pad_test{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1746,14 +1730,13 @@
/// unsupported padding mode.
#[test]
fn keystore2_rsa_signing_key_unsupported_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let paddings = [PaddingMode::RSA_PKCS1_1_5_ENCRYPT, PaddingMode::RSA_OAEP];
for padding in paddings {
let alias = format!("ks_rsa_sign_key_unsupported_pad_test_4_{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1779,12 +1762,11 @@
/// with RSA key.
#[test]
fn keystore2_rsa_key_unsupported_op() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_5";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1810,12 +1792,11 @@
/// generated with decrypt purpose.
#[test]
fn keystore2_rsa_key_missing_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_6";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1840,12 +1821,11 @@
/// operation with generated key, unsupported digest error is expected.
#[test]
fn keystore2_rsa_gen_keys_with_oaep_paddings_without_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_padding_fail";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1869,12 +1849,11 @@
/// Generate RSA keys with unsupported key size, an error `UNSUPPORTED_KEY_SIZE` is expected.
#[test]
fn keystore2_rsa_gen_keys_unsupported_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_padding_fail";
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 7534da3..d4ca2ae 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -12,12 +12,22 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ BlockMode::BlockMode, Digest::Digest, ErrorCode::ErrorCode,
+ KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ Tag::Tag,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain,
+ IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
+ IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
+ KeyParameters::KeyParameters, ResponseCode::ResponseCode,
+};
+use binder::wait_for_interface;
+use keystore2_test_utils::{
+ authorizations, key_generations, key_generations::Error, run_as, SecLevel,
+};
use nix::unistd::{Gid, Uid};
-use serde::{Deserialize, Serialize};
-
-use std::path::PathBuf;
-use std::process::{Command, Output};
-
use openssl::bn::BigNum;
use openssl::encrypt::Encrypter;
use openssl::error::ErrorStack;
@@ -28,26 +38,10 @@
use openssl::rsa::Padding;
use openssl::sign::Verifier;
use openssl::x509::X509;
-
-use binder::wait_for_interface;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- BlockMode::BlockMode, Digest::Digest, ErrorCode::ErrorCode,
- KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel, Tag::Tag,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
- KeyParameters::KeyParameters, ResponseCode::ResponseCode,
-};
-
use packagemanager_aidl::aidl::android::content::pm::IPackageManagerNative::IPackageManagerNative;
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
+use serde::{Deserialize, Serialize};
+use std::path::PathBuf;
+use std::process::{Command, Output};
/// This enum is used to communicate between parent and child processes.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
@@ -70,8 +64,9 @@
pub const SAMPLE_PLAIN_TEXT: &[u8] = b"my message 11111";
pub const PACKAGE_MANAGER_NATIVE_SERVICE: &str = "package_native";
-pub const APP_ATTEST_KEY_FEATURE: &str = "android.hardware.keystore.app_attest_key";
-pub const DEVICE_ID_ATTESTATION_FEATURE: &str = "android.software.device_id_attestation";
+const APP_ATTEST_KEY_FEATURE: &str = "android.hardware.keystore.app_attest_key";
+const DEVICE_ID_ATTESTATION_FEATURE: &str = "android.software.device_id_attestation";
+const STRONGBOX_KEYSTORE_FEATURE: &str = "android.hardware.strongbox_keystore";
/// Determines whether app_attest_key_feature is supported or not.
pub fn app_attest_key_feature_exists() -> bool {
@@ -89,6 +84,15 @@
pm.hasSystemFeature(DEVICE_ID_ATTESTATION_FEATURE, 0).expect("hasSystemFeature failed.")
}
+/// Determines whether device-unique attestation might be supported by StrongBox.
+pub fn skip_device_unique_attestation_tests() -> bool {
+ let pm = wait_for_interface::<dyn IPackageManagerNative>(PACKAGE_MANAGER_NATIVE_SERVICE)
+ .expect("Failed to get package manager native service.");
+
+ // Device unique attestation was first included in Keymaster 4.1.
+ !pm.hasSystemFeature(STRONGBOX_KEYSTORE_FEATURE, 41).expect("hasSystemFeature failed.")
+}
+
/// Determines whether to skip device id attestation tests on GSI build with API level < 34.
pub fn skip_device_id_attest_tests() -> bool {
// b/298586194, there are some devices launched with Android T, and they will be receiving
@@ -130,9 +134,9 @@
}
#[macro_export]
-macro_rules! skip_tests_if_keymaster_impl_present {
- () => {
- if !key_generations::has_default_keymint() {
+macro_rules! require_keymint {
+ ($sl:ident) => {
+ if !$sl.is_keymint() {
return;
}
};
@@ -141,19 +145,18 @@
/// Generate EC key and grant it to the list of users with given access vector.
/// Returns the list of granted keys `nspace` values in the order of given grantee uids.
pub fn generate_ec_key_and_grant_to_users(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
grantee_uids: Vec<i32>,
access_vector: i32,
) -> Result<Vec<i64>, binder::Status> {
let key_metadata =
- key_generations::generate_ec_p256_signing_key(sec_level, Domain::APP, -1, alias, None)?;
+ key_generations::generate_ec_p256_signing_key(sl, Domain::APP, -1, alias, None)?;
let mut granted_keys = Vec::new();
for uid in grantee_uids {
- let granted_key = keystore2.grant(&key_metadata.key, uid, access_vector)?;
+ let granted_key = sl.keystore2.grant(&key_metadata.key, uid, access_vector)?;
assert_eq!(granted_key.domain, Domain::GRANT);
granted_keys.push(granted_key.nspace);
}
@@ -171,14 +174,12 @@
nspace: i64,
alias: Option<String>,
) -> binder::Result<CreateOperationResponse> {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata =
- key_generations::generate_ec_p256_signing_key(&sec_level, domain, nspace, alias, None)
- .unwrap();
+ key_generations::generate_ec_p256_signing_key(&sl, domain, nspace, alias, None).unwrap();
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(op_purpose).digest(op_digest),
forced_op.0,
diff --git a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
index d9576a8..e25e52a 100644
--- a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
+++ b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
@@ -12,9 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
};
@@ -22,8 +19,11 @@
Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error, run_as};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
/// Generate a key and update its public certificate and certificate chain. Test should be able to
/// load the key and able to verify whether its certificate and cert-chain are updated successfully.
@@ -31,11 +31,10 @@
fn keystore2_update_subcomponent_success() {
let alias = "update_subcomponent_success_key";
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -46,11 +45,11 @@
let other_cert: [u8; 32] = [123; 32];
let other_cert_chain: [u8; 32] = [12; 32];
- keystore2
+ sl.keystore2
.updateSubcomponent(&key_metadata.key, Some(&other_cert), Some(&other_cert_chain))
.expect("updateSubcomponent should have succeeded.");
- let key_entry_response = keystore2.getKeyEntry(&key_metadata.key).unwrap();
+ let key_entry_response = sl.keystore2.getKeyEntry(&key_metadata.key).unwrap();
assert_eq!(Some(other_cert.to_vec()), key_entry_response.metadata.certificate);
assert_eq!(Some(other_cert_chain.to_vec()), key_entry_response.metadata.certificateChain);
}
@@ -170,13 +169,12 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut granted_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_update_subcompo_test_1_{}", getuid());
let mut granted_keys = Vec::new();
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -186,7 +184,8 @@
// Grant a key without update permission.
let access_vector = KeyPermission::GET_INFO.0;
- let granted_key = keystore2
+ let granted_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_1_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(granted_key.domain, Domain::GRANT);
@@ -194,7 +193,8 @@
// Grant a key with update permission.
let access_vector = KeyPermission::GET_INFO.0 | KeyPermission::UPDATE.0;
- let granted_key = keystore2
+ let granted_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_2_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(granted_key.domain, Domain::GRANT);
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
index 3be99ee..11a4c0b 100644
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@@ -12,35 +12,26 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use serde::{Deserialize, Serialize};
-
-use std::ops::Deref;
-use std::path::PathBuf;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel;
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, KeyDescriptor::KeyDescriptor,
-};
-
-use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
-
use android_security_authorization::aidl::android::security::authorization::{
IKeystoreAuthorization::IKeystoreAuthorization,
};
-
+use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
use keystore2::key_parameter::KeyParameter as KsKeyparameter;
use keystore2::legacy_blob::test_utils::legacy_blob_test_vectors::*;
use keystore2::legacy_blob::test_utils::*;
use keystore2::legacy_blob::LegacyKeyCharacteristics;
use keystore2::utils::AesGcm;
use keystore2_crypto::{Password, ZVec};
-
-use keystore2_test_utils::get_keystore_service;
-use keystore2_test_utils::key_generations;
-use keystore2_test_utils::run_as;
+use keystore2_test_utils::{get_keystore_service, key_generations, run_as, SecLevel};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use serde::{Deserialize, Serialize};
+use std::ops::Deref;
+use std::path::PathBuf;
static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance";
static AUTH_SERVICE_NAME: &str = "android.security.authorization";
@@ -160,15 +151,12 @@
println!("onUserRemoved error: {:#?}", e);
}
}
+ let sl = SecLevel::tee();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2
- .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
- .unwrap();
// Generate Key BLOB and prepare legacy keystore blob files.
let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,
@@ -412,14 +400,11 @@
}
}
- let keystore2 = get_keystore_service();
- let sec_level = keystore2
- .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
- .unwrap();
+ let sl = SecLevel::tee();
// Generate Key BLOB and prepare legacy keystore blob files.
let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,