Merge "Cope with mixed KeyMint/Keymaster-4.x devices" into main
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index a733be3..fdb2afb 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -14,14 +14,12 @@
//! This module implements test utils to generate various types of keys.
-use anyhow::Result;
-use core::ops::Range;
-use nix::unistd::getuid;
-use std::collections::HashSet;
-use std::fmt::Write;
-
-use binder::ThreadState;
-
+use crate::authorizations::AuthSetBuilder;
+use crate::ffi_test_utils::{
+ get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
+ validate_certchain_with_strict_issuer_check,
+};
+use crate::SecLevel;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
@@ -30,18 +28,16 @@
};
use android_system_keystore2::aidl::android::system::keystore2::{
AuthenticatorSpec::AuthenticatorSpec, Authorization::Authorization,
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain, KeyDescriptor::KeyDescriptor,
KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
};
-
-use crate::authorizations::AuthSetBuilder;
use android_system_keystore2::binder::{ExceptionCode, Result as BinderResult};
-
-use crate::ffi_test_utils::{
- get_os_patchlevel, get_os_version, get_value_from_attest_record, get_vendor_patchlevel,
- validate_certchain_with_strict_issuer_check,
-};
+use anyhow::Result;
+use binder::ThreadState;
+use core::ops::Range;
+use nix::unistd::getuid;
+use std::collections::HashSet;
+use std::fmt::Write;
/// Shell namespace.
pub const SELINUX_SHELL_NAMESPACE: i64 = 1;
@@ -391,12 +387,6 @@
})
}
-/// Indicate whether the default device is KeyMint (rather than Keymaster).
-pub fn has_default_keymint() -> bool {
- binder::is_declared("android.hardware.security.keymint.IKeyMintDevice/default")
- .expect("Could not check for declared keymint interface")
-}
-
/// Verify that given key param is listed in given authorizations list.
pub fn check_key_param(authorizations: &[Authorization], key_param: &KeyParameter) -> bool {
authorizations.iter().any(|auth| &auth.keyParameter == key_param)
@@ -404,6 +394,7 @@
/// Verify the given key authorizations with the expected authorizations.
pub fn check_key_authorizations(
+ sl: &SecLevel,
authorizations: &[Authorization],
expected_params: &[KeyParameter],
expected_key_origin: KeyOrigin,
@@ -412,7 +403,7 @@
authorizations.iter().all(|auth| {
// Ignore `INVALID` tag if the backend is Keymaster and not KeyMint.
// Keymaster allows INVALID tag for unsupported key parameters.
- if !has_default_keymint() && auth.keyParameter.tag == Tag::INVALID {
+ if sl.is_keymaster() && auth.keyParameter.tag == Tag::INVALID {
return true;
}
assert!(
@@ -423,7 +414,7 @@
true
});
- //Check allowed-expected-key-parameters are present in given key authorizations list.
+ // Check allowed-expected-key-parameters are present in given key authorizations list.
expected_params.iter().all(|key_param| {
// `INCLUDE_UNIQUE_ID` is not strictly expected to be in key authorizations but has been
// put there by some implementations so cope with that.
@@ -436,7 +427,7 @@
// Ignore below parameters if the backend is Keymaster and not KeyMint.
// Keymaster does not support these parameters. These key parameters are introduced in
// KeyMint1.0.
- if !has_default_keymint() {
+ if sl.is_keymaster() {
if matches!(key_param.tag, Tag::RSA_OAEP_MGF_DIGEST | Tag::USAGE_COUNT_LIMIT) {
return true;
}
@@ -457,11 +448,15 @@
true
});
- check_common_auths(authorizations, expected_key_origin);
+ check_common_auths(sl, authorizations, expected_key_origin);
}
/// Verify common key authorizations.
-fn check_common_auths(authorizations: &[Authorization], expected_key_origin: KeyOrigin) {
+fn check_common_auths(
+ sl: &SecLevel,
+ authorizations: &[Authorization],
+ expected_key_origin: KeyOrigin,
+) {
assert!(check_key_param(
authorizations,
&KeyParameter {
@@ -505,7 +500,7 @@
}
));
- if has_default_keymint() {
+ if sl.is_keymint() {
assert!(authorizations
.iter()
.map(|auth| &auth.keyParameter)
@@ -532,7 +527,7 @@
/// Digest: SHA_2_256
/// Curve: P_256
pub fn generate_ec_p256_signing_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -552,7 +547,7 @@
gen_params = gen_params.clone().attestation_challenge(challenge.to_vec());
}
- match sec_level.generateKey(
+ match sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -569,6 +564,7 @@
}
check_key_authorizations(
+ sl,
&key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -581,7 +577,7 @@
/// Generate EC signing key.
pub fn generate_ec_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -596,7 +592,7 @@
.digest(digest)
.ec_curve(ec_curve);
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -615,13 +611,13 @@
} else {
assert!(key_metadata.key.blob.is_none());
}
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate a RSA key with the given key parameters, alias, domain and namespace.
pub fn generate_rsa_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -653,7 +649,7 @@
gen_params = gen_params.attestation_challenge(value.to_vec())
}
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
attest_key,
&gen_params,
@@ -677,7 +673,7 @@
|| key_metadata.key.blob.is_none()
);
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
// If `RSA_OAEP_MGF_DIGEST` tag is not mentioned explicitly while generating/importing a key,
// then make sure `RSA_OAEP_MGF_DIGEST` tag with default value (SHA1) must not be included in
// key authorization list.
@@ -695,7 +691,7 @@
/// Generate AES/3DES key.
pub fn generate_sym_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
size: i32,
alias: &str,
@@ -716,7 +712,7 @@
gen_params = gen_params.min_mac_length(val);
}
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -734,13 +730,13 @@
// Should not have an attestation record.
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate HMAC key.
pub fn generate_hmac_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
key_size: i32,
min_mac_len: i32,
@@ -755,7 +751,7 @@
.min_mac_length(min_mac_len)
.digest(digest);
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -774,7 +770,7 @@
// Should not have an attestation record.
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
@@ -785,7 +781,7 @@
/// RSA-Key-Size: 2048
/// EC-Curve: EcCurve::P_256
pub fn generate_attestation_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
att_challenge: &[u8],
) -> binder::Result<KeyMetadata> {
@@ -794,7 +790,7 @@
if algorithm == Algorithm::RSA {
let alias = "ks_rsa_attest_test_key";
let metadata = generate_rsa_key(
- sec_level,
+ sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -812,13 +808,9 @@
.unwrap();
Ok(metadata)
} else {
- let metadata = generate_ec_attestation_key(
- sec_level,
- att_challenge,
- Digest::SHA_2_256,
- EcCurve::P_256,
- )
- .unwrap();
+ let metadata =
+ generate_ec_attestation_key(sl, att_challenge, Digest::SHA_2_256, EcCurve::P_256)
+ .unwrap();
Ok(metadata)
}
@@ -827,7 +819,7 @@
/// Generate EC attestation key with the given
/// curve, attestation-challenge and attestation-app-id.
pub fn generate_ec_attestation_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
att_challenge: &[u8],
digest: Digest,
ec_curve: EcCurve,
@@ -841,7 +833,7 @@
.digest(digest)
.attestation_challenge(att_challenge.to_vec());
- let attestation_key_metadata = sec_level.generateKey(
+ let attestation_key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -860,6 +852,7 @@
assert!(attestation_key_metadata.certificateChain.is_some());
check_key_authorizations(
+ sl,
&attestation_key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -869,7 +862,7 @@
/// Generate EC-P-256 key and attest it with given attestation key.
pub fn generate_ec_256_attested_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
att_challenge: &[u8],
attest_key: &KeyDescriptor,
@@ -883,7 +876,8 @@
.ec_curve(EcCurve::P_256)
.attestation_challenge(att_challenge.to_vec());
- let ec_key_metadata = sec_level
+ let ec_key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
Some(attest_key),
@@ -898,19 +892,25 @@
// Shouldn't have an attestation record.
assert!(ec_key_metadata.certificateChain.is_none());
- check_key_authorizations(&ec_key_metadata.authorizations, &ec_gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(
+ sl,
+ &ec_key_metadata.authorizations,
+ &ec_gen_params,
+ KeyOrigin::GENERATED,
+ );
Ok(ec_key_metadata)
}
/// Imports above defined RSA key - `RSA_2048_KEY` and validates imported key parameters.
pub fn import_rsa_2048_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
@@ -923,7 +923,7 @@
assert!(key_metadata.certificate.is_some());
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -967,13 +967,14 @@
/// Imports above defined EC key - `EC_P_256_KEY` and validates imported key parameters.
pub fn import_ec_p_256_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
@@ -986,7 +987,7 @@
assert!(key_metadata.certificate.is_some());
assert!(key_metadata.certificateChain.is_none());
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1013,7 +1014,7 @@
/// Import sample AES key and validate its key parameters.
pub fn import_aes_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1030,7 +1031,7 @@
.purpose(KeyPurpose::DECRYPT)
.padding_mode(PaddingMode::PKCS7);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1038,7 +1039,7 @@
AES_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1070,7 +1071,7 @@
/// Import sample 3DES key and validate its key parameters.
pub fn import_3des_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1089,7 +1090,7 @@
.purpose(KeyPurpose::DECRYPT)
.padding_mode(PaddingMode::PKCS7);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1097,7 +1098,7 @@
TRIPLE_DES_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1132,7 +1133,7 @@
/// Import sample HMAC key and validate its key parameters.
pub fn import_hmac_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -1149,7 +1150,7 @@
.digest(Digest::SHA_2_256)
.min_mac_length(256);
- let key_metadata = sec_level.importKey(
+ let key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&import_params,
@@ -1157,7 +1158,7 @@
HMAC_KEY,
)?;
- check_key_authorizations(&key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
+ check_key_authorizations(sl, &key_metadata.authorizations, &import_params, KeyOrigin::IMPORTED);
// Check below auths explicitly, they might not be addd in import parameters.
assert!(check_key_param(
@@ -1182,7 +1183,7 @@
/// Imports RSA encryption key with WRAP_KEY purpose.
pub fn import_wrapping_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
wrapping_key_data: &[u8],
wrapping_key_alias: Option<String>,
) -> binder::Result<KeyMetadata> {
@@ -1199,7 +1200,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- sec_level.importKey(
+ sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: wrapping_key_alias, blob: None },
None,
&wrapping_key_params,
@@ -1210,7 +1211,7 @@
/// Import wrapped key using given wrapping key.
pub fn import_wrapped_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
wrapping_key_metadata: &KeyMetadata,
wrapped_key: Option<Vec<u8>>,
@@ -1223,7 +1224,7 @@
authenticatorId: 0,
}];
- let key_metadata = sec_level.importWrappedKey(
+ let key_metadata = sl.binder.importWrappedKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: wrapped_key },
&wrapping_key_metadata.key,
None,
@@ -1236,14 +1237,14 @@
/// Import wrapping key and then import wrapped key using wrapping key.
pub fn import_wrapping_key_and_wrapped_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
wrapping_key_alias: Option<String>,
wrapping_key_params: AuthSetBuilder,
) -> binder::Result<KeyMetadata> {
- let wrapping_key_metadata = sec_level.importKey(
+ let wrapping_key_metadata = sl.binder.importKey(
&KeyDescriptor { domain, nspace, alias: wrapping_key_alias, blob: None },
None,
&wrapping_key_params,
@@ -1251,12 +1252,12 @@
WRAPPING_KEY,
)?;
- import_wrapped_key(sec_level, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
+ import_wrapped_key(sl, alias, &wrapping_key_metadata, Some(WRAPPED_KEY.to_vec()))
}
/// Import given key material as AES-256-GCM-NONE transport key.
pub fn import_transport_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
transport_key_alias: Option<String>,
transport_key: &[u8],
) -> binder::Result<KeyMetadata> {
@@ -1271,7 +1272,7 @@
.purpose(KeyPurpose::ENCRYPT)
.purpose(KeyPurpose::DECRYPT);
- sec_level.importKey(
+ sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: transport_key_alias, blob: None },
None,
&transport_key_params,
@@ -1282,7 +1283,7 @@
/// Generate EC key with purpose AGREE_KEY.
pub fn generate_ec_agree_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
ec_curve: EcCurve,
digest: Digest,
domain: Domain,
@@ -1296,7 +1297,7 @@
.digest(digest)
.ec_curve(ec_curve);
- match sec_level.generateKey(
+ match sl.binder.generateKey(
&KeyDescriptor { domain, nspace, alias, blob: None },
None,
&gen_params,
@@ -1310,6 +1311,7 @@
}
check_key_authorizations(
+ sl,
&key_metadata.authorizations,
&gen_params,
KeyOrigin::GENERATED,
@@ -1322,7 +1324,7 @@
/// Helper method to import AES keys `total_count` of times.
pub fn import_aes_keys(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias_prefix: String,
total_count: Range<i32>,
) -> binder::Result<HashSet<String>> {
@@ -1334,7 +1336,7 @@
write!(alias, "{}_{}", alias_prefix, count).unwrap();
imported_key_aliases.insert(alias.clone());
- import_aes_key(sec_level, Domain::APP, -1, Some(alias))?;
+ import_aes_key(sl, Domain::APP, -1, Some(alias))?;
}
Ok(imported_key_aliases)
@@ -1342,7 +1344,7 @@
/// Generate attested EC-P_256 key with device id attestation.
pub fn generate_key_with_attest_id(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
algorithm: Algorithm,
alias: Option<String>,
att_challenge: &[u8],
@@ -1405,7 +1407,7 @@
}
}
- sec_level.generateKey(
+ sl.binder.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias, blob: None },
Some(attest_key),
&ec_gen_params,
@@ -1416,11 +1418,11 @@
/// Generate Key and validate key characteristics.
pub fn generate_key(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &AuthSetBuilder,
alias: &str,
) -> binder::Result<KeyMetadata> {
- let key_metadata = sec_level.generateKey(
+ let key_metadata = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -1474,19 +1476,19 @@
assert!(!att_app_id.is_empty());
}
}
- check_key_authorizations(&key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
+ check_key_authorizations(sl, &key_metadata.authorizations, gen_params, KeyOrigin::GENERATED);
Ok(key_metadata)
}
/// Generate a key using given authorizations and create an operation using the generated key.
pub fn create_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &AuthSetBuilder,
op_params: &AuthSetBuilder,
alias: &str,
) -> binder::Result<CreateOperationResponse> {
- let key_metadata = generate_key(sec_level, gen_params, alias)?;
+ let key_metadata = generate_key(sl, gen_params, alias)?;
- sec_level.createOperation(&key_metadata.key, op_params, false)
+ sl.binder.createOperation(&key_metadata.key, op_params, false)
}
diff --git a/keystore2/test_utils/lib.rs b/keystore2/test_utils/lib.rs
index 8394ca1..8b766dd 100644
--- a/keystore2/test_utils/lib.rs
+++ b/keystore2/test_utils/lib.rs
@@ -19,7 +19,13 @@
use std::path::{Path, PathBuf};
use std::{env::temp_dir, ops::Deref};
-use android_system_keystore2::aidl::android::system::keystore2::IKeystoreService::IKeystoreService;
+use android_system_keystore2::aidl::android::system::keystore2::{
+ IKeystoreService::IKeystoreService,
+ IKeystoreSecurityLevel::IKeystoreSecurityLevel,
+};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
+};
use android_security_authorization::aidl::android::security::authorization::IKeystoreAuthorization::IKeystoreAuthorization;
pub mod authorizations;
@@ -123,3 +129,51 @@
pub fn get_keystore_auth_service() -> binder::Strong<dyn IKeystoreAuthorization> {
binder::get_interface(AUTH_SERVICE_NAME).unwrap()
}
+
+/// Security level-specific data.
+pub struct SecLevel {
+ /// Binder connection for the top-level service.
+ pub keystore2: binder::Strong<dyn IKeystoreService>,
+ /// Binder connection for the security level.
+ pub binder: binder::Strong<dyn IKeystoreSecurityLevel>,
+ /// Security level.
+ pub level: SecurityLevel,
+}
+
+impl SecLevel {
+ /// Return security level data for TEE.
+ pub fn tee() -> Self {
+ let level = SecurityLevel::TRUSTED_ENVIRONMENT;
+ let keystore2 = get_keystore_service();
+ let binder =
+ keystore2.getSecurityLevel(level).expect("TEE security level should always be present");
+ Self { keystore2, binder, level }
+ }
+ /// Return security level data for StrongBox, if present.
+ pub fn strongbox() -> Option<Self> {
+ let level = SecurityLevel::STRONGBOX;
+ let keystore2 = get_keystore_service();
+ match key_generations::map_ks_error(keystore2.getSecurityLevel(level)) {
+ Ok(binder) => Some(Self { keystore2, binder, level }),
+ Err(e) => {
+ assert_eq!(e, key_generations::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE));
+ None
+ }
+ }
+ }
+ /// Indicate whether this security level is a KeyMint implementation (not Keymaster).
+ pub fn is_keymint(&self) -> bool {
+ let instance = match self.level {
+ SecurityLevel::TRUSTED_ENVIRONMENT => "default",
+ SecurityLevel::STRONGBOX => "strongbox",
+ l => panic!("unexpected level {l:?}"),
+ };
+ let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
+ binder::is_declared(&name).expect("Could not check for declared keymint interface")
+ }
+
+ /// Indicate whether this security level is a Keymaster implementation (not KeyMint).
+ pub fn is_keymaster(&self) -> bool {
+ !self.is_keymint()
+ }
+}
diff --git a/keystore2/tests/keystore2_client_3des_key_tests.rs b/keystore2/tests/keystore2_client_3des_key_tests.rs
index eda24db..29f1617 100644
--- a/keystore2/tests/keystore2_client_3des_key_tests.rs
+++ b/keystore2/tests/keystore2_client_3des_key_tests.rs
@@ -12,26 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+ PaddingMode::PaddingMode,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate a 3DES key. Create encryption and decryption operations using the generated key.
fn create_3des_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
padding_mode: PaddingMode,
block_mode: BlockMode,
nonce: &mut Option<Vec<u8>>,
@@ -39,7 +34,7 @@
let alias = format!("ks_3des_test_key_{}{}", block_mode.0, padding_mode.0);
let key_metadata = key_generations::generate_sym_key(
- sec_level,
+ sl,
Algorithm::TRIPLE_DES,
168,
&alias,
@@ -50,7 +45,7 @@
// Encrypts `SAMPLE_PLAIN_TEXT` whose length is multiple of DES block size.
let cipher_text = perform_sample_sym_key_encrypt_op(
- sec_level,
+ &sl.binder,
padding_mode,
block_mode,
nonce,
@@ -60,7 +55,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
padding_mode,
block_mode,
@@ -80,16 +75,15 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_3des_ecb_cbc_generate_key_success() {
- let keystore2 = get_keystore_service();
let block_modes = [BlockMode::ECB, BlockMode::CBC];
let padding_modes = [PaddingMode::PKCS7, PaddingMode::NONE];
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for block_mode in block_modes {
for padding_mode in padding_modes {
assert_eq!(
Ok(()),
- create_3des_key_and_operation(&sec_level, padding_mode, block_mode, &mut None)
+ create_3des_key_and_operation(&sl, padding_mode, block_mode, &mut None)
);
}
}
@@ -99,13 +93,12 @@
/// an error code `UNSUPPORTED_KEY_SIZE`.
#[test]
fn keystore2_3des_key_fails_unsupported_key_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_invalid_1";
let invalid_key_size = 128;
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::TRIPLE_DES,
invalid_key_size,
alias,
@@ -122,8 +115,7 @@
/// `UNSUPPORTED_PADDING_MODE`.
#[test]
fn keystore2_3des_key_fails_missing_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_missing_padding";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -134,7 +126,8 @@
.key_size(168)
.block_mode(BlockMode::ECB);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -153,7 +146,7 @@
.purpose(KeyPurpose::ENCRYPT)
.block_mode(BlockMode::ECB);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -166,12 +159,11 @@
/// multiple of the DES block size.
#[test]
fn keystore2_3des_key_encrypt_fails_invalid_input_length() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "3des_key_test_invalid_input_len";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::TRIPLE_DES,
168,
alias,
@@ -186,7 +178,8 @@
.padding_mode(PaddingMode::NONE)
.block_mode(BlockMode::ECB);
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(&key_metadata.key, &op_params, false)
.expect("Error in creation of operation using rebound key.");
assert!(op_response.iOperation.is_some());
@@ -204,11 +197,10 @@
/// error code `UNSUPPORTED_BLOCK_MODE`.
#[test]
fn keystore2_3des_key_fails_unsupported_block_mode() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_3des_key_and_operation(
- &sec_level,
+ &sl,
PaddingMode::NONE,
BlockMode::CTR,
&mut None,
diff --git a/keystore2/tests/keystore2_client_aes_key_tests.rs b/keystore2/tests/keystore2_client_aes_key_tests.rs
index 313f596..9f85c38 100644
--- a/keystore2/tests/keystore2_client_aes_key_tests.rs
+++ b/keystore2/tests/keystore2_client_aes_key_tests.rs
@@ -12,26 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+ PaddingMode::PaddingMode,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate a AES key. Create encrypt and decrypt operations using the generated key.
fn create_aes_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
key_size: i32,
padding_mode: PaddingMode,
block_mode: BlockMode,
@@ -42,7 +37,7 @@
let alias = format!("ks_aes_test_key_{}{}{}", key_size, block_mode.0, padding_mode.0);
let key_metadata = key_generations::generate_sym_key(
- sec_level,
+ sl,
Algorithm::AES,
key_size,
&alias,
@@ -52,7 +47,7 @@
)?;
let cipher_text = perform_sample_sym_key_encrypt_op(
- sec_level,
+ &sl.binder,
padding_mode,
block_mode,
nonce,
@@ -63,7 +58,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
padding_mode,
block_mode,
@@ -83,19 +78,18 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_aes_ecb_cbc_generate_key() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let block_modes = [BlockMode::ECB, BlockMode::CBC];
let padding_modes = [PaddingMode::PKCS7, PaddingMode::NONE];
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for block_mode in block_modes {
for padding_mode in padding_modes {
assert_eq!(
Ok(()),
create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
padding_mode,
block_mode,
@@ -115,16 +109,14 @@
/// Test should generate keys and perform operation successfully.
#[test]
fn keystore2_aes_ctr_gcm_generate_key_success() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let key_params = [(BlockMode::CTR, None, None), (BlockMode::GCM, Some(128), Some(128))];
-
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for (block_mode, mac_len, min_mac_len) in key_params {
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
PaddingMode::NONE,
block_mode,
@@ -145,16 +137,14 @@
/// with an error code `INCOMPATIBLE_PADDING_MODE`.
#[test]
fn keystore2_aes_ctr_gcm_generate_key_fails_incompatible() {
- let keystore2 = get_keystore_service();
let key_sizes = [128, 256];
let key_params = [(BlockMode::CTR, None, None), (BlockMode::GCM, Some(128), Some(128))];
-
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in key_sizes {
for (block_mode, mac_len, min_mac_len) in key_params {
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
key_size,
PaddingMode::PKCS7,
block_mode,
@@ -173,12 +163,11 @@
/// an error code `UNSUPPORTED_KEY_SIZE`.
#[test]
fn keystore2_aes_key_fails_unsupported_key_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
1024,
alias,
@@ -194,12 +183,11 @@
/// Test should fail to generate a key with an error code `MISSING_MIN_MAC_LENGTH`.
#[test]
fn keystore2_aes_gcm_key_fails_missing_min_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let result = key_generations::map_ks_error(key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -215,8 +203,7 @@
/// an operation with `UNSUPPORTED_BLOCK_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_multi_block_modes() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -229,7 +216,8 @@
.block_mode(BlockMode::CBC)
.padding_mode(PaddingMode::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -250,7 +238,7 @@
.block_mode(BlockMode::CBC)
.padding_mode(PaddingMode::NONE);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -263,8 +251,7 @@
/// an operation with `UNSUPPORTED_PADDING_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_multi_padding_modes() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -277,7 +264,8 @@
.padding_mode(PaddingMode::PKCS7)
.padding_mode(PaddingMode::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -298,7 +286,7 @@
.padding_mode(PaddingMode::PKCS7)
.padding_mode(PaddingMode::NONE);
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&op_params,
false,
@@ -312,12 +300,11 @@
/// `INCOMPATIBLE_PADDING_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_incompatible_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -328,7 +315,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -344,12 +331,11 @@
/// `INCOMPATIBLE_BLOCK_MODE` error code.
#[test]
fn keystore2_aes_key_op_fails_incompatible_blockmode() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_invalid_1";
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -360,7 +346,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::NONE,
BlockMode::CBC,
&mut None,
@@ -376,13 +362,12 @@
/// `MISSING_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_missing_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mac_len = None;
let min_mac_len = Some(128);
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -404,13 +389,12 @@
/// an operation with `INVALID_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_invalid_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mac_len = Some(96);
let min_mac_len = Some(104);
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -427,11 +411,10 @@
/// `UNSUPPORTED_MAC_LENGTH` error code.
#[test]
fn keystore2_aes_gcm_op_fails_unsupported_mac_len() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_aes_key_and_operation(
- &sec_level,
+ &sl,
128,
PaddingMode::NONE,
BlockMode::GCM,
@@ -448,13 +431,12 @@
/// `CALLER_NONCE_PROHIBITED` error code.
#[test]
fn keystore2_aes_key_op_fails_nonce_prohibited() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "aes_key_test_nonce_1";
let mut nonce = Some(vec![0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
let key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -465,7 +447,7 @@
.unwrap();
let result = key_generations::map_ks_error(perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::NONE,
BlockMode::CBC,
&mut nonce,
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 454248a..4787a81 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -12,8 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
+use crate::keystore2_client_test_utils::{
+ app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
+ is_second_imei_id_attestation_required, skip_device_id_attest_tests,
+};
+use crate::{
+ skip_device_id_attestation_tests, skip_test_if_no_app_attest_key_feature,
+ skip_test_if_no_device_id_attestation_feature,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
@@ -23,22 +29,9 @@
Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use keystore2_test_utils::ffi_test_utils::{get_value_from_attest_record, validate_certchain};
-
-use crate::{
- skip_device_id_attestation_tests, skip_test_if_no_app_attest_key_feature,
- skip_test_if_no_device_id_attestation_feature,
-};
-
-use crate::keystore2_client_test_utils::{
- app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
- is_second_imei_id_attestation_required, skip_device_id_attest_tests,
-};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
/// Generate RSA and EC attestation keys and use them for signing RSA-signing keys.
/// Test should be able to generate attestation keys and use them successfully.
@@ -46,14 +39,13 @@
fn keystore2_attest_rsa_signing_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -63,7 +55,7 @@
// Create RSA signing key and use attestation key to sign it.
let sign_key_alias = format!("ks_attest_rsa_signing_key_{}", getuid());
let sign_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -94,14 +86,13 @@
fn keystore2_attest_rsa_encrypt_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -111,7 +102,7 @@
// Create RSA encrypt/decrypt key and use attestation key to sign it.
let decrypt_key_alias = format!("ks_attest_rsa_encrypt_key_{}", getuid());
let decrypt_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(decrypt_key_alias),
@@ -143,14 +134,13 @@
fn keystore2_attest_ec_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
for algo in [Algorithm::RSA, Algorithm::EC] {
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algo, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algo, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -160,7 +150,7 @@
// Create EC key and use attestation key to sign it.
let ec_key_alias = format!("ks_ec_attested_test_key_{}", getuid());
let ec_key_metadata = key_generations::generate_ec_256_attested_key(
- &sec_level,
+ &sl,
Some(ec_key_alias),
att_challenge,
&attestation_key_metadata.key,
@@ -183,13 +173,12 @@
fn keystore2_attest_rsa_signing_key_with_ec_25519_key_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create EcCurve::CURVE_25519 attestation key.
let attestation_key_metadata = key_generations::generate_ec_attestation_key(
- &sec_level,
+ &sl,
att_challenge,
Digest::NONE,
EcCurve::CURVE_25519,
@@ -204,7 +193,7 @@
// Create RSA signing key and use attestation key to sign it.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_{}", getuid());
let sign_key_metadata = key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -233,9 +222,7 @@
#[test]
fn keystore2_generate_rsa_attest_key_with_multi_purpose_fail() {
skip_test_if_no_app_attest_key_feature!();
-
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digest = Digest::SHA_2_256;
let padding = PaddingMode::RSA_PKCS1_1_5_SIGN;
@@ -255,7 +242,7 @@
.rsa_public_exponent(65537)
.padding_mode(padding);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -276,9 +263,7 @@
#[test]
fn keystore2_ec_attest_key_with_multi_purpose_fail() {
skip_test_if_no_app_attest_key_feature!();
-
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let attest_key_alias = format!("ks_ec_attest_multipurpose_key_{}", getuid());
@@ -291,7 +276,7 @@
.digest(Digest::SHA_2_256)
.ec_curve(EcCurve::P_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -314,14 +299,12 @@
fn keystore2_attest_key_fails_missing_challenge() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create RSA attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -331,7 +314,7 @@
// Try to attest RSA signing key without providing attestation challenge.
let sign_key_alias = format!("ksrsa_attested_test_key_missing_challenge{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -357,24 +340,18 @@
fn keystore2_attest_rsa_key_with_non_attest_key_fails_incompat_purpose_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let alias = format!("non_attest_key_{}", getuid());
- let non_attest_key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- None,
- )
- .unwrap();
+ let non_attest_key_metadata =
+ key_generations::generate_ec_p256_signing_key(&sl, Domain::APP, -1, Some(alias), None)
+ .unwrap();
// Try to generate RSA signing key with non-attestation key to sign it.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_non_attest_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -399,13 +376,12 @@
fn keystore2_attest_rsa_key_with_symmetric_key_fails_sys_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let alias = "aes_attest_key";
let sym_key_metadata = key_generations::generate_sym_key(
- &sec_level,
+ &sl,
Algorithm::AES,
128,
alias,
@@ -418,7 +394,7 @@
// Try to generate RSA signing key with symmetric key as attestation key.
let sign_key_alias = format!("ksrsa_attested_sign_test_key_sym_attest_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(sign_key_alias),
@@ -444,14 +420,12 @@
fn keystore2_attest_symmetric_key_fail_sys_error() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
// Create attestation key.
let attestation_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
let mut cert_chain: Vec<u8> = Vec::new();
cert_chain.extend(attestation_key_metadata.certificate.as_ref().unwrap());
@@ -470,7 +444,8 @@
.attestation_challenge(att_challenge.to_vec());
let alias = format!("ks_test_sym_key_attest_{}", getuid());
- let aes_key_metadata = sec_level
+ let aes_key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
Some(&attestation_key_metadata.key),
@@ -525,22 +500,21 @@
skip_test_if_no_device_id_attestation_feature!();
skip_device_id_attestation_tests!();
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let attest_key_metadata =
- key_generations::generate_attestation_key(&sec_level, algorithm, att_challenge).unwrap();
+ key_generations::generate_attestation_key(&sl, algorithm, att_challenge).unwrap();
- let attest_id_params = get_attestation_ids(&keystore2);
+ let attest_id_params = get_attestation_ids(&sl.keystore2);
for (attest_id, value) in attest_id_params {
// Create RSA/EC key and use attestation key to sign it.
let key_alias = format!("ks_attested_test_key_{}", getuid());
let key_metadata =
key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
algorithm,
Some(key_alias),
att_challenge,
@@ -585,20 +559,15 @@
fn keystore2_attest_key_fails_with_invalid_attestation_id() {
skip_test_if_no_device_id_attestation_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digest = Digest::SHA_2_256;
let att_challenge: &[u8] = b"foo";
// Create EC-Attestation key.
- let attest_key_metadata = key_generations::generate_ec_attestation_key(
- &sec_level,
- att_challenge,
- digest,
- EcCurve::P_256,
- )
- .unwrap();
+ let attest_key_metadata =
+ key_generations::generate_ec_attestation_key(&sl, att_challenge, digest, EcCurve::P_256)
+ .unwrap();
let attest_id_params = vec![
(Tag::ATTESTATION_ID_BRAND, b"invalid-brand".to_vec()),
@@ -614,7 +583,7 @@
// Create EC key and use attestation key to sign it.
let ec_key_alias = format!("ks_ec_attested_test_key_fail_{}{}", getuid(), digest.0);
let result = key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
Algorithm::EC,
Some(ec_key_alias),
att_challenge,
@@ -638,20 +607,18 @@
return;
}
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let att_challenge: &[u8] = b"foo";
let attest_key_metadata =
- key_generations::generate_attestation_key(&sec_level, Algorithm::RSA, att_challenge)
- .unwrap();
+ key_generations::generate_attestation_key(&sl, Algorithm::RSA, att_challenge).unwrap();
- let attest_id_params = get_attestation_ids(&keystore2);
+ let attest_id_params = get_attestation_ids(&sl.keystore2);
for (attest_id, value) in attest_id_params {
// Create RSA/EC key and use attestation key to sign it.
let key_alias = format!("ks_attested_test_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_key_with_attest_id(
- &sec_level,
+ &sl,
Algorithm::RSA,
Some(key_alias),
att_challenge,
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 32be99e..0981783 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -12,49 +12,39 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use std::time::SystemTime;
-
-use openssl::bn::{BigNum, MsbOption};
-use openssl::x509::X509NameBuilder;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
- ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel, Tag::Tag,
-};
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
-};
-
-use aconfig_android_hardware_biometrics_rust;
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- HardwareAuthToken::HardwareAuthToken,
- HardwareAuthenticatorType::HardwareAuthenticatorType
-};
-use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::Timestamp::Timestamp;
-
-use keystore2_test_utils::{
- authorizations, get_keystore_auth_service, get_keystore_service, key_generations,
- key_generations::Error,
-};
-
use crate::keystore2_client_test_utils::{
app_attest_key_feature_exists, delete_app_key, perform_sample_asym_sign_verify_op,
perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
perform_sample_sym_key_encrypt_op, verify_certificate_serial_num,
verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
};
-
-use crate::{skip_test_if_no_app_attest_key_feature, skip_tests_if_keymaster_impl_present};
-
+use crate::{require_keymint, skip_test_if_no_app_attest_key_feature};
+use aconfig_android_hardware_biometrics_rust;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
+ ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ SecurityLevel::SecurityLevel, Tag::Tag,
+};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
+};
+use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
+ Timestamp::Timestamp
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
+ ResponseCode::ResponseCode,
+};
use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
+use keystore2_test_utils::{
+ authorizations, get_keystore_auth_service, key_generations,
+ key_generations::Error, SecLevel,
+};
+use openssl::bn::{BigNum, MsbOption};
+use openssl::x509::X509NameBuilder;
+use std::time::SystemTime;
-fn gen_key_including_unique_id(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
- alias: &str,
-) -> Vec<u8> {
+fn gen_key_including_unique_id(sl: &SecLevel, alias: &str) -> Vec<u8> {
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -65,7 +55,7 @@
.attestation_challenge(b"foo".to_vec())
.include_unique_id();
- let key_metadata = key_generations::generate_key(sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(sl, &gen_params, alias).unwrap();
let unique_id = get_value_from_attest_record(
key_metadata.certificate.as_ref().unwrap(),
@@ -78,16 +68,21 @@
}
fn generate_key_and_perform_sign_verify_op_max_times(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &authorizations::AuthSetBuilder,
alias: &str,
max_usage_count: i32,
) -> binder::Result<KeyMetadata> {
- let key_metadata = key_generations::generate_key(sec_level, gen_params, alias)?;
+ let key_metadata = key_generations::generate_key(sl, gen_params, alias)?;
// Use above generated key `max_usage_count` times.
for _ in 0..max_usage_count {
- perform_sample_asym_sign_verify_op(sec_level, &key_metadata, None, Some(Digest::SHA_2_256));
+ perform_sample_asym_sign_verify_op(
+ &sl.binder,
+ &key_metadata,
+ None,
+ Some(Digest::SHA_2_256),
+ );
}
Ok(key_metadata)
@@ -98,24 +93,20 @@
/// times subsequent attempts to use the key in test should fail with response code `KEY_NOT_FOUND`.
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT` for attested keys.
fn generate_key_and_perform_op_with_max_usage_limit(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
gen_params: &authorizations::AuthSetBuilder,
alias: &str,
max_usage_count: i32,
check_attestation: bool,
) {
// Generate a key and use the key for `max_usage_count` times.
- let key_metadata = generate_key_and_perform_sign_verify_op_max_times(
- sec_level,
- gen_params,
- alias,
- max_usage_count,
- )
- .unwrap();
+ let key_metadata =
+ generate_key_and_perform_sign_verify_op_max_times(sl, gen_params, alias, max_usage_count)
+ .unwrap();
let auth = key_generations::get_key_auth(&key_metadata.authorizations, Tag::USAGE_COUNT_LIMIT)
.unwrap();
- if check_attestation && key_generations::has_default_keymint() {
+ if check_attestation && sl.is_keymint() {
// Check usage-count-limit is included in attest-record.
// `USAGE_COUNT_LIMIT` is supported from KeyMint1.0
assert_ne!(
@@ -142,7 +133,7 @@
}
// Try to use the key one more time.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -156,8 +147,7 @@
/// the generated key successfully.
#[test]
fn keystore2_gen_key_auth_active_datetime_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let active_datetime = duration_since_epoch.as_millis();
@@ -173,13 +163,13 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ACTIVE_DATETIME` set to future date and time. Test should successfully
@@ -188,8 +178,7 @@
/// `KEY_NOT_YET_VALID`.
#[test]
fn keystore2_gen_key_auth_future_active_datetime_test_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let future_active_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -205,14 +194,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_NOT_YET_VALID), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to future date and time. Test should
@@ -220,8 +209,7 @@
/// sign operation using the generated key successfully.
#[test]
fn keystore2_gen_key_auth_future_origination_expire_datetime_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let origination_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -237,13 +225,13 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `ORIGINATION_EXPIRE_DATETIME` set to current date and time. Test should
@@ -252,8 +240,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_origination_expire_datetime_test_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let origination_expire_datetime = duration_since_epoch.as_millis();
@@ -269,14 +256,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a HMAC key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
@@ -284,8 +271,7 @@
/// sign and verify operations using the generated key successfully.
#[test]
fn keystore2_gen_key_auth_future_usage_expire_datetime_hmac_verify_op_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -300,10 +286,10 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_hmac_verify_success";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
- perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key);
- delete_app_key(&keystore2, alias).unwrap();
+ perform_sample_hmac_sign_verify_op(&sl.binder, &key_metadata.key);
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
@@ -312,8 +298,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_usage_expire_datetime_hmac_verify_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis();
@@ -328,10 +313,10 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_hamc_verify_fail";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let result = key_generations::map_ks_error(
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::VERIFY)
@@ -341,7 +326,7 @@
);
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to future date and time. Test should
@@ -349,8 +334,7 @@
/// Encrypt and Decrypt operations successfully.
#[test]
fn keystore2_gen_key_auth_usage_future_expire_datetime_decrypt_op_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis() + (24 * 60 * 60 * 1000);
@@ -365,9 +349,9 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let cipher_text = perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -379,7 +363,7 @@
assert!(cipher_text.is_some());
let plain_text = perform_sample_sym_key_decrypt_op(
- &sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
PaddingMode::PKCS7,
BlockMode::ECB,
@@ -390,7 +374,7 @@
.unwrap();
assert!(plain_text.is_some());
assert_eq!(plain_text.unwrap(), SAMPLE_PLAIN_TEXT.to_vec());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate AES key with `USAGE_EXPIRE_DATETIME` set to current date and time. Test should
@@ -399,8 +383,7 @@
/// `KEY_EXPIRED`.
#[test]
fn keystore2_gen_key_auth_usage_expire_datetime_decrypt_op_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let usage_expire_datetime = duration_since_epoch.as_millis();
@@ -415,9 +398,9 @@
.usage_expire_date_time(usage_expire_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
let cipher_text = perform_sample_sym_key_encrypt_op(
- &sec_level,
+ &sl.binder,
PaddingMode::PKCS7,
BlockMode::ECB,
&mut None,
@@ -429,7 +412,7 @@
assert!(cipher_text.is_some());
let result = key_generations::map_ks_error(perform_sample_sym_key_decrypt_op(
- &sec_level,
+ &sl.binder,
&cipher_text.unwrap(),
PaddingMode::PKCS7,
BlockMode::ECB,
@@ -439,7 +422,7 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_EXPIRED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `EARLY_BOOT_ONLY`. Test should successfully generate
@@ -447,9 +430,8 @@
/// during creation of an operation using this key.
#[test]
fn keystore2_gen_key_auth_early_boot_only_op_fail() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -463,14 +445,14 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
alias,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::EARLY_BOOT_ENDED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `MAX_USES_PER_BOOT`. Test should successfully generate
@@ -479,8 +461,7 @@
/// subsequent attempts to use the key in test should fail with error code MAX_OPS_EXCEEDED.
#[test]
fn keystore2_gen_key_auth_max_uses_per_boot() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 3;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -495,23 +476,19 @@
let alias = "ks_test_auth_tags_test";
// Generate a key and use the key for `MAX_USES_COUNT` times.
- let key_metadata = generate_key_and_perform_sign_verify_op_max_times(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- )
- .unwrap();
+ let key_metadata =
+ generate_key_and_perform_sign_verify_op_max_times(&sl, &gen_params, alias, MAX_USES_COUNT)
+ .unwrap();
// Try to use the key one more time.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::KEY_MAX_OPS_EXCEEDED), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -521,8 +498,7 @@
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT`.
#[test]
fn keystore2_gen_key_auth_usage_count_limit() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 3;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -536,13 +512,7 @@
.usage_count_limit(MAX_USES_COUNT);
let alias = "ks_test_auth_tags_test";
- generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- true,
- );
+ generate_key_and_perform_op_with_max_usage_limit(&sl, &gen_params, alias, MAX_USES_COUNT, true);
}
/// Generate a key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -552,8 +522,7 @@
/// Test should also verify that the attest record includes `USAGE_COUNT_LIMIT`.
#[test]
fn keystore2_gen_key_auth_usage_count_limit_one() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 1;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -567,13 +536,7 @@
.usage_count_limit(MAX_USES_COUNT);
let alias = "ks_test_auth_tags_test";
- generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
- &gen_params,
- alias,
- MAX_USES_COUNT,
- true,
- );
+ generate_key_and_perform_op_with_max_usage_limit(&sl, &gen_params, alias, MAX_USES_COUNT, true);
}
/// Generate a non-attested key with `USAGE_COUNT_LIMIT`. Test should successfully generate
@@ -582,8 +545,7 @@
/// subsequent attempts to use the key in test should fail with response code `KEY_NOT_FOUND`.
#[test]
fn keystore2_gen_non_attested_key_auth_usage_count_limit() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
const MAX_USES_COUNT: i32 = 2;
let gen_params = authorizations::AuthSetBuilder::new()
@@ -597,7 +559,7 @@
let alias = "ks_test_auth_tags_test";
generate_key_and_perform_op_with_max_usage_limit(
- &sec_level,
+ &sl,
&gen_params,
alias,
MAX_USES_COUNT,
@@ -610,8 +572,7 @@
/// specify `CREATION_DATETIME`.
#[test]
fn keystore2_gen_key_auth_creation_date_time_test_fail_with_invalid_arg_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let duration_since_epoch = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap();
let creation_datetime = duration_since_epoch.as_millis();
@@ -626,7 +587,7 @@
.creation_date_time(creation_datetime.try_into().unwrap());
let alias = "ks_test_auth_tags_test";
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -647,27 +608,25 @@
/// included in attest record and it remains the same for new keys generated.
#[test]
fn keystore2_gen_key_auth_include_unique_id_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias_first = "ks_test_auth_tags_test_1";
- let unique_id_first = gen_key_including_unique_id(&sec_level, alias_first);
+ let unique_id_first = gen_key_including_unique_id(&sl, alias_first);
let alias_second = "ks_test_auth_tags_test_2";
- let unique_id_second = gen_key_including_unique_id(&sec_level, alias_second);
+ let unique_id_second = gen_key_including_unique_id(&sl, alias_second);
assert_eq!(unique_id_first, unique_id_second);
- delete_app_key(&keystore2, alias_first).unwrap();
- delete_app_key(&keystore2, alias_second).unwrap();
+ delete_app_key(&sl.keystore2, alias_first).unwrap();
+ delete_app_key(&sl.keystore2, alias_second).unwrap();
}
/// Generate a key with `APPLICATION_DATA`. Test should create an operation using the
/// same `APPLICATION_DATA` successfully.
#[test]
fn keystore2_gen_key_auth_app_data_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -680,7 +639,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -689,7 +648,7 @@
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_DATA`. Try to create an operation using the
@@ -697,8 +656,7 @@
/// `INVALID_KEY_BLOB`.
#[test]
fn keystore2_gen_key_auth_app_data_test_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -711,7 +669,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -721,15 +679,14 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_ID`. Test should create an operation using the
/// same `APPLICATION_ID` successfully.
#[test]
fn keystore2_gen_key_auth_app_id_test_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -742,7 +699,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -751,7 +708,7 @@
alias,
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate a key with `APPLICATION_ID`. Try to create an operation using the
@@ -759,8 +716,7 @@
/// `INVALID_KEY_BLOB`.
#[test]
fn keystore2_gen_key_auth_app_id_test_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -773,7 +729,7 @@
let alias = "ks_test_auth_tags_test";
let result = key_generations::map_ks_error(key_generations::create_key_and_operation(
- &sec_level,
+ &sl,
&gen_params,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -783,7 +739,7 @@
));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate an attestation-key without specifying `APPLICATION_ID` and `APPLICATION_DATA`.
@@ -792,8 +748,7 @@
#[test]
fn keystore2_gen_attested_key_auth_app_id_app_data_test_success() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate attestation key.
let attest_gen_params = authorizations::AuthSetBuilder::new()
@@ -805,7 +760,7 @@
.attestation_challenge(b"foo".to_vec());
let attest_alias = "ks_test_auth_tags_attest_key";
let attest_key_metadata =
- key_generations::generate_key(&sec_level, &attest_gen_params, attest_alias).unwrap();
+ key_generations::generate_key(&sl, &attest_gen_params, attest_alias).unwrap();
// Generate attested key.
let alias = "ks_test_auth_tags_attested_key";
@@ -820,7 +775,7 @@
.app_id(b"app-id".to_vec())
.app_data(b"app-data".to_vec());
- let result = sec_level.generateKey(
+ let result = sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -834,8 +789,8 @@
);
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
- delete_app_key(&keystore2, attest_alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, attest_alias).unwrap();
}
/// Generate an attestation-key with specifying `APPLICATION_ID` and `APPLICATION_DATA`.
@@ -847,8 +802,7 @@
#[test]
fn keystore2_gen_attestation_key_with_auth_app_id_app_data_test_fail() {
skip_test_if_no_app_attest_key_feature!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate attestation key.
let attest_gen_params = authorizations::AuthSetBuilder::new()
@@ -862,7 +816,7 @@
.app_data(b"app-data".to_vec());
let attest_alias = "ks_test_auth_tags_attest_key";
let attest_key_metadata =
- key_generations::generate_key(&sec_level, &attest_gen_params, attest_alias).unwrap();
+ key_generations::generate_key(&sl, &attest_gen_params, attest_alias).unwrap();
// Generate new key using above generated attestation key without providing app-id and app-data.
let alias = "ks_test_auth_tags_attested_key";
@@ -875,7 +829,7 @@
.ec_curve(EcCurve::P_256)
.attestation_challenge(b"foo".to_vec());
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -890,7 +844,7 @@
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_KEY_BLOB), result.unwrap_err());
- delete_app_key(&keystore2, attest_alias).unwrap();
+ delete_app_key(&sl.keystore2, attest_alias).unwrap();
}
fn add_hardware_token(auth_type: HardwareAuthenticatorType) {
@@ -951,9 +905,8 @@
/// generate a key successfully and verify the specified key parameters.
#[test]
fn keystore2_gen_key_auth_serial_number_subject_test_success() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let cert_subject = "test cert subject";
let mut x509_name = X509NameBuilder::new().unwrap();
@@ -975,11 +928,11 @@
.cert_serial(serial.to_vec());
let alias = "ks_test_auth_tags_test";
- let key_metadata = key_generations::generate_key(&sec_level, &gen_params, alias).unwrap();
+ let key_metadata = key_generations::generate_key(&sl, &gen_params, alias).unwrap();
verify_certificate_subject_name(
key_metadata.certificate.as_ref().unwrap(),
cert_subject.as_bytes(),
);
verify_certificate_serial_num(key_metadata.certificate.as_ref().unwrap(), &serial);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
diff --git a/keystore2/tests/keystore2_client_delete_key_tests.rs b/keystore2/tests/keystore2_client_delete_key_tests.rs
index 2a06edb..a0fb9c2 100644
--- a/keystore2/tests/keystore2_client_delete_key_tests.rs
+++ b/keystore2/tests/keystore2_client_delete_key_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
-};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, SecLevel,
+};
+use nix::unistd::getuid;
/// Generate a key and delete it using keystore2 service `deleteKey` API. Test should successfully
/// delete the generated key.
#[test]
fn keystore2_delete_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_success_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -40,10 +37,10 @@
)
.unwrap();
- keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
+ sl.keystore2.deleteKey(&key_metadata.key).expect("Failed to delete a key.");
// Check wehther deleted key is removed from keystore.
- let result = key_generations::map_ks_error(keystore2.getKeyEntry(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.getKeyEntry(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
}
@@ -70,12 +67,11 @@
/// `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_with_blob_domain_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_blob_fail_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -83,7 +79,7 @@
)
.unwrap();
- let result = key_generations::map_ks_error(keystore2.deleteKey(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.deleteKey(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
}
@@ -92,12 +88,11 @@
/// security level `deleteKey` API. Test should delete the key successfully.
#[test]
fn keystore2_delete_key_blob_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "delete_key_blob_success_key";
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -105,7 +100,7 @@
)
.unwrap();
- let result = sec_level.deleteKey(&key_metadata.key);
+ let result = sl.binder.deleteKey(&key_metadata.key);
assert!(result.is_ok());
}
@@ -113,10 +108,9 @@
/// key with error code `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_fails_with_missing_key_blob() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
- let result = key_generations::map_ks_error(sec_level.deleteKey(&KeyDescriptor {
+ let result = key_generations::map_ks_error(sl.binder.deleteKey(&KeyDescriptor {
domain: Domain::BLOB,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
alias: None,
@@ -131,20 +125,14 @@
/// with error code `INVALID_ARGUMENT`.
#[test]
fn keystore2_delete_key_blob_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_delete_keyblob_test_key_{}", getuid());
- let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- None,
- )
- .unwrap();
+ let key_metadata =
+ key_generations::generate_ec_p256_signing_key(&sl, Domain::APP, -1, Some(alias), None)
+ .unwrap();
- let result = key_generations::map_ks_error(sec_level.deleteKey(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.binder.deleteKey(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INVALID_ARGUMENT), result.unwrap_err());
}
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index b784adf..cc5d85c 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -11,23 +11,18 @@
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
- KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel, Tag::Tag,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
use crate::keystore2_client_test_utils::{
delete_app_key, get_attest_id_value, is_second_imei_id_attestation_required,
- perform_sample_asym_sign_verify_op,
+ perform_sample_asym_sign_verify_op, skip_device_unique_attestation_tests,
};
-
-use crate::skip_tests_if_keymaster_impl_present;
+use crate::require_keymint;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, Tag::Tag,
+};
+use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// This macro is used for generating device unique attested EC key with device id attestation.
macro_rules! test_ec_key_device_unique_attestation_id {
@@ -50,6 +45,9 @@
}
fn generate_ec_key_device_unique_attested_with_id_attest(attest_id_tag: Tag, prop_name: &str) {
+ if skip_device_unique_attestation_tests() {
+ return;
+ }
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -67,6 +65,9 @@
}
fn generate_rsa_key_device_unique_attested_with_id_attest(attest_id_tag: Tag, prop_name: &str) {
+ if skip_device_unique_attestation_tests() {
+ return;
+ }
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::RSA)
@@ -113,17 +114,10 @@
attest_id: Tag,
prop_name: &str,
) {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
- return;
- }
- let sec_level = result.unwrap();
+ let Some(sl) = SecLevel::strongbox() else { return };
if attest_id == Tag::ATTESTATION_ID_SECOND_IMEI
- && !is_second_imei_id_attestation_required(&keystore2)
+ && !is_second_imei_id_attestation_required(&sl.keystore2)
{
return;
}
@@ -134,11 +128,8 @@
}
let gen_params = add_attest_id_auth(gen_params, attest_id, value.clone());
let alias = "ks_test_device_unique_attest_id_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias))
+ {
Ok(key_metadata) => {
let attest_id_value = get_value_from_attest_record(
key_metadata.certificate.as_ref().unwrap(),
@@ -147,7 +138,7 @@
)
.expect("Attest id verification failed.");
assert_eq!(attest_id_value, value);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -160,9 +151,8 @@
/// Test should fail to generate a key with error code `INVALID_ARGUMENT`
#[test]
fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented() {
- skip_tests_if_keymaster_impl_present!();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
+ require_keymint!(sl);
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
@@ -175,11 +165,8 @@
.device_unique_attestation();
let alias = "ks_test_auth_tags_test";
- let result = key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- ));
+ let result =
+ key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
assert!(result.is_err());
assert!(matches!(
result.unwrap_err(),
@@ -192,15 +179,11 @@
/// use it for performing an operation.
#[test]
fn keystore2_gen_ec_key_device_unique_attest_with_strongbox_sec_level_test_success() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::EC)
@@ -212,19 +195,15 @@
.device_unique_attestation();
let alias = "ks_device_unique_ec_key_attest_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias)) {
Ok(key_metadata) => {
perform_sample_asym_sign_verify_op(
- &sec_level,
+ &sl.binder,
&key_metadata,
None,
Some(Digest::SHA_2_256),
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -237,15 +216,11 @@
/// use it for performing an operation.
#[test]
fn keystore2_gen_rsa_key_device_unique_attest_with_strongbox_sec_level_test_success() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let gen_params = authorizations::AuthSetBuilder::new()
.no_auth_required()
.algorithm(Algorithm::RSA)
@@ -259,19 +234,15 @@
.device_unique_attestation();
let alias = "ks_device_unique_rsa_key_attest_test";
- match key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- )) {
+ match key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias)) {
Ok(key_metadata) => {
perform_sample_asym_sign_verify_op(
- &sec_level,
+ &sl.binder,
&key_metadata,
Some(PaddingMode::RSA_PKCS1_1_5_SIGN),
Some(Digest::SHA_2_256),
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
Err(e) => {
assert_eq!(e, Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
@@ -283,15 +254,11 @@
/// Test should fail with error response code `CANNOT_ATTEST_IDS`.
#[test]
fn keystore2_device_unique_attest_key_fails_with_invalid_attestation_id() {
- let keystore2 = get_keystore_service();
- let result =
- key_generations::map_ks_error(keystore2.getSecurityLevel(SecurityLevel::STRONGBOX));
- if result.is_err() {
- assert_eq!(Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE), result.unwrap_err());
+ let Some(sl) = SecLevel::strongbox() else { return };
+ if skip_device_unique_attestation_tests() {
return;
}
- let sec_level = result.unwrap();
let attest_id_params = vec![
(Tag::ATTESTATION_ID_BRAND, b"invalid-brand".to_vec()),
(Tag::ATTESTATION_ID_DEVICE, b"invalid-device-name".to_vec()),
@@ -315,11 +282,8 @@
let alias = "ks_ec_device_unique_attested_test_key_fail";
let gen_params = add_attest_id_auth(gen_params, attest_id, value.clone());
- let result = key_generations::map_ks_error(key_generations::generate_key(
- &sec_level,
- &gen_params,
- alias,
- ));
+ let result =
+ key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
assert!(result.is_err());
assert!(matches!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS)));
}
diff --git a/keystore2/tests/keystore2_client_ec_key_tests.rs b/keystore2/tests/keystore2_client_ec_key_tests.rs
index f2c6d0f..8aa9bc4 100644
--- a/keystore2/tests/keystore2_client_ec_key_tests.rs
+++ b/keystore2/tests/keystore2_client_ec_key_tests.rs
@@ -12,27 +12,23 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
- KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- ResponseCode::ResponseCode,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
-
use crate::keystore2_client_test_utils::{
delete_app_key, execute_op_run_as_child, get_vsr_api_level, perform_sample_sign_operation,
BarrierReached, ForcedOp, TestOutcome,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode,
+ KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain, KeyDescriptor::KeyDescriptor,
+ ResponseCode::ResponseCode,
+};
+use keystore2_test_utils::{
+ authorizations, get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
macro_rules! test_ec_sign_key_op_success {
( $test_name:ident, $digest:expr, $ec_curve:expr ) => {
@@ -57,7 +53,7 @@
}
fn create_ec_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -65,9 +61,9 @@
ec_curve: EcCurve,
) -> binder::Result<CreateOperationResponse> {
let key_metadata =
- key_generations::generate_ec_key(sec_level, domain, nspace, alias, ec_curve, digest)?;
+ key_generations::generate_ec_key(sl, domain, nspace, alias, ec_curve, digest)?;
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -75,11 +71,10 @@
}
fn perform_ec_sign_key_op_success(alias: &str, digest: Digest, ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let op_response = create_ec_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -96,15 +91,14 @@
))
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
fn perform_ec_sign_key_op_with_none_or_md5_digest(alias: &str, digest: Digest, ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
match key_generations::map_ks_error(create_ec_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -126,7 +120,7 @@
}
}
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
// Below macros generate tests for generating EC keys with curves EcCurve::P_224, EcCurve::P_256,
@@ -199,12 +193,11 @@
/// INVALID_ARGUMENT error is expected.
#[test]
fn keystore2_get_key_entry_blob_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Generate a key with domain as BLOB.
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
None,
@@ -213,23 +206,22 @@
.unwrap();
// Try to load the key using above generated KeyDescriptor.
- let result = key_generations::map_ks_error(keystore2.getKeyEntry(&key_metadata.key));
+ let result = key_generations::map_ks_error(sl.keystore2.getKeyEntry(&key_metadata.key));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::INVALID_ARGUMENT), result.unwrap_err());
// Delete the generated key blob.
- sec_level.deleteKey(&key_metadata.key).unwrap();
+ sl.binder.deleteKey(&key_metadata.key).unwrap();
}
/// Try to generate a key with invalid Domain. `INVALID_ARGUMENT` error response is expected.
#[test]
fn keystore2_generate_key_invalid_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_invalid_test_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain(99), // Invalid domain.
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -244,8 +236,7 @@
/// `UNSUPPORTED_EC_CURVE or UNSUPPORTED_KEY_SIZE` error response is expected.
#[test]
fn keystore2_generate_ec_key_missing_curve() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_no_curve_test_key_{}", getuid());
// Don't provide EC curve.
@@ -256,7 +247,7 @@
.purpose(KeyPurpose::VERIFY)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -280,8 +271,7 @@
/// `INCOMPATIBLE_PURPOSE` error response is expected.
#[test]
fn keystore2_generate_ec_key_25519_multi_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_no_curve_test_key_{}", getuid());
// Specify `SIGN and AGREE_KEY` purposes.
@@ -293,7 +283,7 @@
.purpose(KeyPurpose::AGREE_KEY)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -314,12 +304,11 @@
/// able to create an operation successfully.
#[test]
fn keystore2_ec_25519_generate_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_25519_none_test_key_gen_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -328,7 +317,8 @@
)
.unwrap();
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::NONE),
@@ -350,8 +340,7 @@
/// `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_ec_25519_generate_key_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let digests = [
Digest::MD5,
@@ -365,7 +354,7 @@
for digest in digests {
let alias = format!("ks_ec_25519_test_key_gen_{}{}", getuid(), digest.0);
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -378,7 +367,7 @@
// Digest::NONE". However, this was not checked at the time so we can only be strict about
// checking this for more recent implementations.
if get_vsr_api_level() >= 35 {
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -394,12 +383,11 @@
/// `INCOMPATIBLE_DIGEST` error as there is a mismatch of digest mode in key authorizations.
#[test]
fn keystore2_create_op_with_incompatible_key_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_ec_test_incomp_key_digest";
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -412,7 +400,7 @@
[Digest::NONE, Digest::SHA1, Digest::SHA_2_224, Digest::SHA_2_384, Digest::SHA_2_512];
for digest in digests {
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(digest),
false,
@@ -488,11 +476,10 @@
/// successfully.
#[test]
fn keystore2_generate_key_with_blob_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::BLOB,
key_generations::SELINUX_SHELL_NAMESPACE,
None,
@@ -507,7 +494,7 @@
// Must have the key blob.
assert!(key_metadata.key.blob.is_some());
- let op_response = key_generations::map_ks_error(sec_level.createOperation(
+ let op_response = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -522,5 +509,5 @@
);
// Delete the generated key blob.
- sec_level.deleteKey(&key_metadata.key).unwrap();
+ sl.binder.deleteKey(&key_metadata.key).unwrap();
}
diff --git a/keystore2/tests/keystore2_client_grant_key_tests.rs b/keystore2/tests/keystore2_client_grant_key_tests.rs
index 516869a..50b87b9 100644
--- a/keystore2/tests/keystore2_client_grant_key_tests.rs
+++ b/keystore2/tests/keystore2_client_grant_key_tests.rs
@@ -12,37 +12,32 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
- ResponseCode::ResponseCode,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
-
use crate::keystore2_client_test_utils::{
generate_ec_key_and_grant_to_users, perform_sample_sign_operation,
};
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Digest::Digest, KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
+ ResponseCode::ResponseCode,
+};
+use keystore2_test_utils::{
+ authorizations, get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
/// Generate an EC signing key and grant it to the user with given access vector.
fn generate_ec_key_and_grant_to_user(
grantee_uid: i32,
access_vector: i32,
) -> binder::Result<KeyDescriptor> {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("{}{}", "ks_grant_test_key_1", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -50,15 +45,14 @@
)
.unwrap();
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn load_grant_key_and_perform_sign_operation(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
grant_key_nspace: i64,
) -> Result<(), binder::Status> {
- let key_entry_response = keystore2.getKeyEntry(&KeyDescriptor {
+ let key_entry_response = sl.keystore2.getKeyEntry(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key_nspace,
alias: None,
@@ -66,7 +60,7 @@
})?;
// Perform sample crypto operation using granted key.
- let op_response = sec_level.createOperation(
+ let op_response = sl.binder.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -195,12 +189,11 @@
Uid::from_raw(GRANTEE_UID),
Gid::from_raw(GRANTEE_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Load the granted key.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key_nspace,
@@ -210,7 +203,8 @@
.unwrap();
// Perform sample crypto operation using granted key.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -228,12 +222,13 @@
);
// Try to delete the key, it is expected to be fail with permission denied error.
- let result = key_generations::map_ks_error(keystore2.deleteKey(&KeyDescriptor {
- domain: Domain::GRANT,
- nspace: grant_key_nspace,
- alias: None,
- blob: None,
- }));
+ let result =
+ key_generations::map_ks_error(sl.keystore2.deleteKey(&KeyDescriptor {
+ domain: Domain::GRANT,
+ nspace: grant_key_nspace,
+ alias: None,
+ blob: None,
+ }));
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::PERMISSION_DENIED), result.unwrap_err());
},
@@ -258,12 +253,10 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::DELETE.0;
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(ALIAS.to_string()),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -335,13 +328,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::GET_INFO.0;
let alias = format!("ks_grant_perm_denied_key_{}", getuid());
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -411,8 +402,7 @@
/// `GRANT` access. Test should fail to grant a key with `PERMISSION_DENIED` error response code.
#[test]
fn keystore2_grant_key_fails_with_grant_perm_expect_perm_denied() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let access_vector = KeyPermission::GRANT.0;
let alias = format!("ks_grant_access_vec_key_{}", getuid());
let user_id = 98;
@@ -420,8 +410,7 @@
let grantee_uid = user_id * AID_USER_OFFSET + application_id;
let result = key_generations::map_ks_error(generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![grantee_uid.try_into().unwrap()],
access_vector,
@@ -470,13 +459,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ungrant_test_key_1{}", getuid());
let access_vector = KeyPermission::GET_INFO.0;
let mut grant_keys = generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias.to_string()),
vec![GRANTEE_UID.try_into().unwrap()],
access_vector,
@@ -485,8 +472,8 @@
let grant_key_nspace = grant_keys.remove(0);
- //Ungrant above granted key.
- keystore2
+ // Ungrant above granted key.
+ sl.keystore2
.ungrant(
&KeyDescriptor {
domain: Domain::APP,
@@ -542,12 +529,11 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("{}{}", "ks_grant_delete_ungrant_test_key_1", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -556,17 +542,18 @@
.unwrap();
let access_vector = KeyPermission::GET_INFO.0;
- let grant_key = keystore2
+ let grant_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(grant_key.domain, Domain::GRANT);
// Delete above granted key.
- keystore2.deleteKey(&key_metadata.key).unwrap();
+ sl.keystore2.deleteKey(&key_metadata.key).unwrap();
// Try to ungrant above granted key.
let result = key_generations::map_ks_error(
- keystore2.ungrant(&key_metadata.key, GRANTEE_UID.try_into().unwrap()),
+ sl.keystore2.ungrant(&key_metadata.key, GRANTEE_UID.try_into().unwrap()),
);
assert!(result.is_err());
assert_eq!(Error::Rc(ResponseCode::KEY_NOT_FOUND), result.unwrap_err());
@@ -574,7 +561,7 @@
// Generate a new key with the same alias and try to access the earlier granted key
// in grantee context.
let result = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -631,14 +618,12 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut grant_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_grant_test_key_2{}", getuid());
let access_vector = KeyPermission::GET_INFO.0 | KeyPermission::USE.0;
generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_1_UID.try_into().unwrap(), GRANTEE_2_UID.try_into().unwrap()],
access_vector,
@@ -658,15 +643,12 @@
Uid::from_raw(*grantee_uid),
Gid::from_raw(*grantee_gid),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
assert_eq!(
Ok(()),
key_generations::map_ks_error(load_grant_key_and_perform_sign_operation(
- &keystore2,
- &sec_level,
+ &sl,
grant_key_nspace
))
);
@@ -697,15 +679,13 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut grant_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_grant_test_key_2{}", getuid());
let access_vector =
KeyPermission::GET_INFO.0 | KeyPermission::USE.0 | KeyPermission::DELETE.0;
generate_ec_key_and_grant_to_users(
- &keystore2,
- &sec_level,
+ &sl,
Some(alias),
vec![GRANTEE_1_UID.try_into().unwrap(), GRANTEE_2_UID.try_into().unwrap()],
access_vector,
@@ -723,21 +703,18 @@
Uid::from_raw(GRANTEE_1_UID),
Gid::from_raw(GRANTEE_1_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
assert_eq!(
Ok(()),
key_generations::map_ks_error(load_grant_key_and_perform_sign_operation(
- &keystore2,
- &sec_level,
+ &sl,
grant_key1_nspace
))
);
// Delete the granted key.
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::GRANT,
nspace: grant_key1_nspace,
diff --git a/keystore2/tests/keystore2_client_hmac_key_tests.rs b/keystore2/tests/keystore2_client_hmac_key_tests.rs
index 6bb8001..76780a0 100644
--- a/keystore2/tests/keystore2_client_hmac_key_tests.rs
+++ b/keystore2/tests/keystore2_client_hmac_key_tests.rs
@@ -12,23 +12,18 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use crate::keystore2_client_test_utils::perform_sample_sign_operation;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::perform_sample_sign_operation;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// Generate HMAC key with given parameters and perform a sample operation using generated key.
fn create_hmac_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
key_size: i32,
mac_len: i32,
@@ -36,9 +31,9 @@
digest: Digest,
) -> Result<(), binder::Status> {
let key_metadata =
- key_generations::generate_hmac_key(sec_level, alias, key_size, min_mac_len, digest)?;
+ key_generations::generate_hmac_key(sl, alias, key_size, min_mac_len, digest)?;
- let op_response = sec_level.createOperation(
+ let op_response = sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -69,22 +64,14 @@
let mac_len = 128;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
assert_eq!(
Ok(()),
- create_hmac_key_and_operation(
- &sec_level,
- &alias,
- key_size,
- mac_len,
- min_mac_len,
- digest,
- )
+ create_hmac_key_and_operation(&sl, &alias, key_size, mac_len, min_mac_len, digest,)
);
}
}
@@ -96,13 +83,12 @@
let min_mac_len = 256;
let digest = Digest::SHA_2_256;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for key_size in 0..513 {
let alias = format!("ks_hmac_test_key_{}", key_size);
let result = key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
&alias,
key_size,
min_mac_len,
@@ -128,13 +114,12 @@
let digest = Digest::SHA_2_256;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for min_mac_len in 0..257 {
let alias = format!("ks_hmac_test_key_mml_{}", min_mac_len);
match key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
&alias,
key_size,
min_mac_len,
@@ -159,8 +144,7 @@
/// Test fails to generate a key with multiple digests with an error code `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_hmac_gen_key_multi_digests_fails_expect_unsupported_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_multi_dig";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -173,7 +157,7 @@
.digest(Digest::SHA1)
.digest(Digest::SHA_2_256);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -193,8 +177,7 @@
/// no digest should fail with an error code `UNSUPPORTED_DIGEST`.
#[test]
fn keystore2_hmac_gen_key_no_digests_fails_expect_unsupported_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_no_dig";
let gen_params = authorizations::AuthSetBuilder::new()
@@ -205,7 +188,7 @@
.key_size(128)
.min_mac_length(128);
- let result = key_generations::map_ks_error(sec_level.generateKey(
+ let result = key_generations::map_ks_error(sl.binder.generateKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -227,12 +210,11 @@
fn keystore2_hmac_gen_key_with_none_digest_fails_expect_unsupported_digest() {
let min_mac_len = 128;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_hmac_test_key_fail";
let result = key_generations::map_ks_error(key_generations::generate_hmac_key(
- &sec_level,
+ &sl,
alias,
key_size,
min_mac_len,
@@ -253,14 +235,13 @@
let mac_len = 256;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
let result = key_generations::map_ks_error(create_hmac_key_and_operation(
- &sec_level,
+ &sl,
&alias,
key_size,
mac_len,
@@ -284,14 +265,13 @@
let mac_len = 64;
let key_size = 128;
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
for digest in digests {
let alias = format!("ks_hmac_test_key_{}", digest.0);
let result = key_generations::map_ks_error(create_hmac_key_and_operation(
- &sec_level,
+ &sl,
&alias,
key_size,
mac_len,
diff --git a/keystore2/tests/keystore2_client_import_keys_tests.rs b/keystore2/tests/keystore2_client_import_keys_tests.rs
index bf787d2..b06303e 100644
--- a/keystore2/tests/keystore2_client_import_keys_tests.rs
+++ b/keystore2/tests/keystore2_client_import_keys_tests.rs
@@ -12,49 +12,41 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
-use openssl::rand::rand_bytes;
-use openssl::x509::X509;
-
+use crate::keystore2_client_test_utils::{
+ encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
+ perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
+ perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
ErrorCode::ErrorCode, HardwareAuthenticatorType::HardwareAuthenticatorType,
- KeyPurpose::KeyPurpose, PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
+ KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
};
use android_system_keystore2::aidl::android::system::keystore2::{
AuthenticatorSpec::AuthenticatorSpec, Domain::Domain,
IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
KeyMetadata::KeyMetadata, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
use keystore2_test_utils::ffi_test_utils::{
create_wrapped_key, create_wrapped_key_additional_auth_data,
};
-
-use crate::keystore2_client_test_utils::{
- encrypt_secure_key, encrypt_transport_key, get_vsr_api_level,
- perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
- perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op, SAMPLE_PLAIN_TEXT,
-};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
+use openssl::rand::rand_bytes;
+use openssl::x509::X509;
pub fn import_rsa_sign_key_and_perform_sample_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
import_params: authorizations::AuthSetBuilder,
) {
let key_metadata =
- key_generations::import_rsa_2048_key(sec_level, domain, nspace, alias, import_params)
- .unwrap();
+ key_generations::import_rsa_2048_key(sl, domain, nspace, alias, import_params).unwrap();
perform_sample_asym_sign_verify_op(
- sec_level,
+ &sl.binder,
&key_metadata,
Some(PaddingMode::RSA_PSS),
Some(Digest::SHA_2_256),
@@ -93,7 +85,7 @@
}
fn build_secure_key_wrapper(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
secure_key: &[u8],
transport_key: &[u8],
nonce: &[u8],
@@ -103,10 +95,10 @@
// Encrypt secure key with transport key.
let transport_key_alias = format!("ks_transport_key_aes_256_key_test_{}", getuid());
let transport_key_metadata =
- key_generations::import_transport_key(sec_level, Some(transport_key_alias), transport_key)
+ key_generations::import_transport_key(sl, Some(transport_key_alias), transport_key)
.unwrap();
let encrypted_secure_key = encrypt_secure_key(
- sec_level,
+ &sl.binder,
secure_key,
aad,
nonce.to_vec(),
@@ -135,8 +127,7 @@
/// imported key. Test should be able to create an operation successfully.
#[test]
fn keystore2_rsa_import_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_1_{}{}", getuid(), 2048);
@@ -153,7 +144,7 @@
.cert_not_after(253402300799000);
import_rsa_sign_key_and_perform_sample_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -167,8 +158,7 @@
/// able to create an operation successfully.
#[test]
fn keystore2_rsa_import_key_determine_key_size_and_pub_exponent() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_2_{}{}", getuid(), 2048);
@@ -184,7 +174,7 @@
.cert_not_after(253402300799000);
import_rsa_sign_key_and_perform_sample_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -196,8 +186,7 @@
/// a key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_rsa_import_key_fails_with_keysize_param_mismatch_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_3_{}{}", getuid(), 2048);
@@ -213,7 +202,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -229,8 +218,7 @@
/// Test should fail to import a key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_rsa_import_key_fails_with_public_exponent_param_mismatch_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_4_{}{}", getuid(), 2048);
@@ -246,7 +234,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -263,8 +251,7 @@
/// successful.
#[test]
fn keystore2_rsa_import_key_with_multipurpose_fails_incompt_purpose_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_rsa_key_test_import_5_{}{}", getuid(), 2048);
@@ -280,7 +267,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -288,7 +275,7 @@
key_generations::RSA_2048_KEY,
));
- if key_generations::has_default_keymint() {
+ if sl.is_keymint() {
assert!(result.is_err());
assert_eq!(Error::Km(ErrorCode::INCOMPATIBLE_PURPOSE), result.unwrap_err());
} else {
@@ -301,8 +288,7 @@
/// able to create an operation successfully.
#[test]
fn keystore2_import_ec_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
@@ -323,24 +309,18 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let key_metadata = key_generations::import_ec_p_256_key(
- &sec_level,
- Domain::APP,
- -1,
- Some(alias),
- import_params,
- )
- .expect("Failed to import EC key.");
+ let key_metadata =
+ key_generations::import_ec_p_256_key(&sl, Domain::APP, -1, Some(alias), import_params)
+ .expect("Failed to import EC key.");
- perform_sample_asym_sign_verify_op(&sec_level, &key_metadata, None, Some(Digest::SHA_2_256));
+ perform_sample_asym_sign_verify_op(&sl.binder, &key_metadata, None, Some(Digest::SHA_2_256));
}
/// Try to import EC key with wrong ec-curve as import-key-parameter. Test should fail to import a
/// key with `IMPORT_PARAMETER_MISMATCH` error code.
#[test]
fn keystore2_ec_import_key_fails_with_mismatch_curve_error() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_key_test_import_1_{}{}", getuid(), 256);
@@ -354,7 +334,7 @@
.cert_not_before(0)
.cert_not_after(253402300799000);
- let result = key_generations::map_ks_error(sec_level.importKey(
+ let result = key_generations::map_ks_error(sl.binder.importKey(
&KeyDescriptor { domain: Domain::APP, nspace: -1, alias: Some(alias), blob: None },
None,
&import_params,
@@ -369,47 +349,41 @@
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_aes_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_aes_key_test_import_1_{}{}", getuid(), 256);
- let key_metadata = key_generations::import_aes_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_aes_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import AES key.");
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import 3DES key and verify key parameters. Try to create an operation using the imported key.
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_3des_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = key_generations::map_ks_error(
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT),
- )
- .unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_3des_key_test_import_1_{}{}", getuid(), 168);
- let key_metadata = key_generations::import_3des_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_3des_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import 3DES key.");
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import HMAC key and verify key parameters. Try to create an operation using the imported key.
/// Test should be able to create an operation successfully.
#[test]
fn keystore2_import_hmac_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_hmac_key_test_import_1_{}", getuid());
- let key_metadata = key_generations::import_hmac_key(&sec_level, Domain::APP, -1, Some(alias))
+ let key_metadata = key_generations::import_hmac_key(&sl, Domain::APP, -1, Some(alias))
.expect("Failed to import HMAC key.");
- perform_sample_hmac_sign_verify_op(&sec_level, &key_metadata.key);
+ perform_sample_hmac_sign_verify_op(&sl.binder, &key_metadata.key);
}
/// This test creates a wrapped key data and imports it. Validates the imported wrapped key.
@@ -419,8 +393,7 @@
/// Test should successfully import the wrapped key and perform crypto operations.
#[test]
fn keystore2_create_wrapped_key_and_import_wrapped_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mut secure_key = [0; 32];
rand_bytes(&mut secure_key).unwrap();
@@ -434,7 +407,7 @@
// Import wrapping key.
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let wrapping_key_metadata = key_generations::import_wrapping_key(
- &sec_level,
+ &sl,
key_generations::RSA_2048_KEY,
Some(wrapping_key_alias),
)
@@ -446,7 +419,7 @@
// Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
let wrapped_key_data = build_secure_key_wrapper(
- &sec_level,
+ &sl,
&secure_key,
&transport_key,
&nonce,
@@ -458,14 +431,14 @@
// Unwrap the key. Import wrapped key.
let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
let secured_key_metadata = key_generations::import_wrapped_key(
- &sec_level,
+ &sl,
Some(secured_key_alias),
&wrapping_key_metadata,
Some(wrapped_key_data.to_vec()),
)
.unwrap();
- perform_sym_key_encrypt_decrypt_op(&sec_level, &secured_key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &secured_key_metadata);
}
/// Create a wrapped key data with invalid Additional Authenticated Data (AAD) and
@@ -476,8 +449,7 @@
/// Test should fail to import the wrapped key with error code `VERIFICATION_FAILED`.
#[test]
fn keystore2_create_wrapped_key_with_invalid_aad_and_import_wrapped_key_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let mut secure_key = [0; 32];
rand_bytes(&mut secure_key).unwrap();
@@ -491,7 +463,7 @@
// Import wrapping key.
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let wrapping_key_metadata = key_generations::import_wrapping_key(
- &sec_level,
+ &sl,
key_generations::RSA_2048_KEY,
Some(wrapping_key_alias),
)
@@ -502,7 +474,7 @@
// Build ASN.1 DER-encoded wrapped key material as described in `SecureKeyWrapper` schema.
let wrapped_key_data = build_secure_key_wrapper(
- &sec_level,
+ &sl,
&secure_key,
&transport_key,
&nonce,
@@ -514,7 +486,7 @@
// Unwrap the key. Import wrapped key.
let secured_key_alias = format!("ks_wrapped_aes_key_{}", getuid());
let result = key_generations::map_ks_error(key_generations::import_wrapped_key(
- &sec_level,
+ &sl,
Some(secured_key_alias),
&wrapping_key_metadata,
Some(wrapped_key_data.to_vec()),
@@ -528,8 +500,7 @@
/// perform crypto operations successfully.
#[test]
fn keystore2_import_wrapped_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_wrapped_key_test_import_1_{}_256", getuid());
let wrapping_key_alias = format!("ks_wrapping_key_test_import_1_{}_2048", getuid());
@@ -548,7 +519,7 @@
.cert_not_after(253402300799000);
let key_metadata = key_generations::import_wrapping_key_and_wrapped_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -558,7 +529,7 @@
.expect("Failed to import wrapped key.");
// Try to perform operations using wrapped key.
- perform_sym_key_encrypt_decrypt_op(&sec_level, &key_metadata);
+ perform_sym_key_encrypt_decrypt_op(&sl.binder, &key_metadata);
}
/// Import wrapping-key without specifying KeyPurpose::WRAP_KEY in import key parameters. Try to
@@ -567,8 +538,7 @@
/// `WRAP_KEY` purpose.
#[test]
fn keystore2_import_wrapped_key_fails_with_wrong_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let wrapping_key_alias = format!("ks_wrapping_key_test_import_2_{}_2048", getuid());
let alias = format!("ks_wrapped_key_test_import_2_{}_256", getuid());
@@ -588,7 +558,7 @@
let result =
key_generations::map_ks_error(key_generations::import_wrapping_key_and_wrapped_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -604,8 +574,7 @@
/// Test should fail to import wrapped key with `ResponseCode::KEY_NOT_FOUND`.
#[test]
fn keystore2_import_wrapped_key_fails_with_missing_wrapping_key() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let unwrap_params = authorizations::AuthSetBuilder::new()
.digest(Digest::SHA_2_256)
@@ -621,7 +590,7 @@
// Wrapping key with this alias doesn't exist.
let wrapping_key_alias = format!("ks_wrapping_key_not_exist_{}_2048", getuid());
- let result = key_generations::map_ks_error(sec_level.importWrappedKey(
+ let result = key_generations::map_ks_error(sl.binder.importWrappedKey(
&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
diff --git a/keystore2/tests/keystore2_client_key_agreement_tests.rs b/keystore2/tests/keystore2_client_key_agreement_tests.rs
index 6b2e3c2..19f6210 100644
--- a/keystore2/tests/keystore2_client_key_agreement_tests.rs
+++ b/keystore2/tests/keystore2_client_key_agreement_tests.rs
@@ -12,8 +12,15 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
+ KeyMetadata::KeyMetadata,
+};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
use nix::unistd::getuid;
-
use openssl::ec::{EcGroup, EcKey};
use openssl::error::ErrorStack;
use openssl::nid::Nid;
@@ -21,19 +28,6 @@
use openssl::pkey_ctx::PkeyCtx;
use openssl::x509::X509;
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, EcCurve::EcCurve, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
- SecurityLevel::SecurityLevel,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
- KeyMetadata::KeyMetadata,
-};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
/// This macro is used to verify that the key agreement works for the given curve.
macro_rules! test_ec_key_agree {
( $test_name:ident, $ec_curve:expr ) => {
@@ -89,13 +83,12 @@
/// Generate two EC keys with given curve from KeyMint and OpeanSSL. Perform local ECDH between
/// them and verify that the derived secrets are the same.
fn perform_ec_key_agreement(ec_curve: EcCurve) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let openssl_ec_curve = ec_curve_to_openrssl_curve_name(&ec_curve);
let alias = format!("ks_ec_test_key_agree_{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
ec_curve,
Digest::SHA_2_256,
Domain::APP,
@@ -111,7 +104,7 @@
let local_key = PKey::from_ec_key(ec_key).unwrap();
let local_pub_key = local_key.public_key_to_der().unwrap();
- check_agreement(&sec_level, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
+ check_agreement(&sl.binder, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
}
test_ec_key_agree!(test_ec_p224_key_agreement, EcCurve::P_224);
@@ -123,12 +116,11 @@
/// Perform local ECDH between them and verify that the derived secrets are the same.
#[test]
fn keystore2_ec_25519_agree_key_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_ec_25519_test_key_agree_{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
EcCurve::CURVE_25519,
Digest::NONE,
Domain::APP,
@@ -142,19 +134,18 @@
let local_key = PKey::generate_x25519().unwrap();
let local_pub_key = local_key.public_key_to_der().unwrap();
- check_agreement(&sec_level, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
+ check_agreement(&sl.binder, &keymint_key.key, &keymint_pub_key, &local_key, &local_pub_key);
}
/// Generate two EC keys with different curves and try to perform local ECDH. Since keys are using
/// different curves operation should fail with `ErrorCode:INVALID_ARGUMENT`.
#[test]
fn keystore2_ec_agree_key_with_different_curves_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_test_key_agree_fail{}", getuid());
let keymint_key = key_generations::generate_ec_agree_key(
- &sec_level,
+ &sl,
EcCurve::P_256,
Digest::SHA_2_256,
Domain::APP,
@@ -169,7 +160,7 @@
// If the keys are using different curves KeyMint should fail with
// ErrorCode:INVALID_ARGUMENT.
let authorizations = authorizations::AuthSetBuilder::new().purpose(KeyPurpose::AGREE_KEY);
- let key_agree_op = sec_level.createOperation(&keymint_key.key, &authorizations, false).unwrap();
+ let key_agree_op = sl.binder.createOperation(&keymint_key.key, &authorizations, false).unwrap();
assert!(key_agree_op.iOperation.is_some());
let op = key_agree_op.iOperation.unwrap();
diff --git a/keystore2/tests/keystore2_client_key_id_domain_tests.rs b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
index 09b1378..8f9191f 100644
--- a/keystore2/tests/keystore2_client_key_id_domain_tests.rs
+++ b/keystore2/tests/keystore2_client_key_id_domain_tests.rs
@@ -12,20 +12,15 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::getuid;
-
+use crate::keystore2_client_test_utils::perform_sample_sign_operation;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
+ Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
};
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::perform_sample_sign_operation;
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
+use nix::unistd::getuid;
/// Try to generate a key with `Domain::KEY_ID`, test should fail with an error code
/// `SYSTEM_ERROR`. `Domain::KEY_ID` is not allowed to use for generating a key. Key id is returned
@@ -33,11 +28,10 @@
#[test]
fn keystore2_generate_key_with_key_id_domain_expect_sys_error() {
let alias = "ks_gen_key_id_test_key";
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::KEY_ID,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -53,12 +47,11 @@
/// successfully.
#[test]
fn keystore2_find_key_with_key_id_as_domain() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_key_id_test_key";
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -68,7 +61,8 @@
.expect("Failed to generate a EC key.");
// Try to load the above generated key with KEY_ID as domain.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::KEY_ID,
nspace: key_metadata.key.nspace,
@@ -85,7 +79,8 @@
// Try to create an operation using above loaded key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -110,12 +105,11 @@
/// create an operation using the rebound key.
#[test]
fn keystore2_key_id_alias_rebind_verify_by_alias() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_key_id_test_alias_rebind_1_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -127,7 +121,7 @@
// Generate a key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -142,7 +136,7 @@
// Try to create an operation using previously generated key_metadata.
// It should fail as previously generated key material is no longer remains valid.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -152,7 +146,8 @@
// Try to create an operation using rebound key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&new_key_metadata.key,
&authorizations::AuthSetBuilder::new()
@@ -177,12 +172,11 @@
/// Test should successfully create an operation using the rebound key.
#[test]
fn keystore2_key_id_alias_rebind_verify_by_key_id() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_key_id_test_alias_rebind_2_{}", getuid());
let key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -192,7 +186,8 @@
.expect("Failed to generate a EC key.");
// Load the above generated key with KEY_ID as domain.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::KEY_ID,
nspace: key_metadata.key.nspace,
@@ -210,7 +205,7 @@
// Generate another key with same alias as above generated key, so that alias will be rebound
// to this key.
let new_key_metadata = key_generations::generate_ec_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -227,7 +222,7 @@
// Try to create an operation using previously loaded key_entry_response.
// It should fail as previously generated key material is no longer valid.
- let result = key_generations::map_ks_error(sec_level.createOperation(
+ let result = key_generations::map_ks_error(sl.binder.createOperation(
&key_entry_response.metadata.key,
&authorizations::AuthSetBuilder::new().purpose(KeyPurpose::SIGN).digest(Digest::SHA_2_256),
false,
@@ -237,7 +232,8 @@
// Try to create an operation using rebound key, operation should be created
// successfully.
- let op_response = sec_level
+ let op_response = sl
+ .binder
.createOperation(
&new_key_metadata.key,
&authorizations::AuthSetBuilder::new()
diff --git a/keystore2/tests/keystore2_client_keystore_engine_tests.rs b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
index 4651931..01f8917 100644
--- a/keystore2/tests/keystore2_client_keystore_engine_tests.rs
+++ b/keystore2/tests/keystore2_client_keystore_engine_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, Digest::Digest, EcCurve::EcCurve, KeyPurpose::KeyPurpose,
- PaddingMode::PaddingMode, SecurityLevel::SecurityLevel,
+ PaddingMode::PaddingMode,
};
use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
+ Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
+ KeyPermission::KeyPermission,
};
-
-use keystore2_test_utils::{authorizations::AuthSetBuilder, get_keystore_service, run_as};
-
use keystore2_test_utils::ffi_test_utils::perform_crypto_op_using_keystore_engine;
-
+use keystore2_test_utils::{
+ authorizations::AuthSetBuilder, get_keystore_service, run_as, SecLevel,
+};
+use nix::unistd::{Gid, Uid};
use openssl::x509::X509;
+use rustutils::users::AID_USER_OFFSET;
fn generate_rsa_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: i32,
access_vector: i32,
@@ -47,7 +44,8 @@
.padding_mode(PaddingMode::NONE)
.digest(Digest::NONE);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -64,12 +62,11 @@
assert!(key_metadata.certificate.is_some());
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn generate_ec_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: i32,
access_vector: i32,
@@ -82,7 +79,8 @@
.digest(Digest::NONE)
.ec_curve(EcCurve::P_256);
- let key_metadata = sec_level
+ let key_metadata = sl
+ .binder
.generateKey(
&KeyDescriptor {
domain: Domain::APP,
@@ -99,12 +97,11 @@
assert!(key_metadata.certificate.is_some());
- keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
+ sl.keystore2.grant(&key_metadata.key, grantee_uid, access_vector)
}
fn generate_key_and_grant_to_user(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: &str,
grantee_uid: u32,
algo: Algorithm,
@@ -115,16 +112,14 @@
let grant_key = match algo {
Algorithm::RSA => generate_rsa_key_and_grant_to_user(
- keystore2,
- sec_level,
+ sl,
alias,
grantee_uid.try_into().unwrap(),
access_vector,
)
.unwrap(),
Algorithm::EC => generate_ec_key_and_grant_to_user(
- keystore2,
- sec_level,
+ sl,
alias,
grantee_uid.try_into().unwrap(),
access_vector,
@@ -170,17 +165,9 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_rsa_key";
- generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::RSA,
- )
- .unwrap()
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::RSA).unwrap()
})
};
@@ -213,17 +200,9 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_ec_test_key";
- generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::EC,
- )
- .unwrap()
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::EC).unwrap()
})
};
@@ -257,20 +236,14 @@
// SAFETY: The test is run in a separate process with no other threads.
let grant_key_nspace = unsafe {
run_as::run_as(TARGET_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "keystore2_engine_rsa_pem_pub_key";
- let grant_key_nspace = generate_key_and_grant_to_user(
- &keystore2,
- &sec_level,
- alias,
- GRANTEE_UID,
- Algorithm::RSA,
- )
- .unwrap();
+ let grant_key_nspace =
+ generate_key_and_grant_to_user(&sl, alias, GRANTEE_UID, Algorithm::RSA).unwrap();
// Update certificate with encodeed PEM data.
- let key_entry_response = keystore2
+ let key_entry_response = sl
+ .keystore2
.getKeyEntry(&KeyDescriptor {
domain: Domain::APP,
nspace: -1,
@@ -281,7 +254,7 @@
let cert_bytes = key_entry_response.metadata.certificate.as_ref().unwrap();
let cert = X509::from_der(cert_bytes.as_ref()).unwrap();
let cert_pem = cert.to_pem().unwrap();
- keystore2
+ sl.keystore2
.updateSubcomponent(&key_entry_response.metadata.key, Some(&cert_pem), None)
.expect("updateSubcomponent failed.");
diff --git a/keystore2/tests/keystore2_client_list_entries_tests.rs b/keystore2/tests/keystore2_client_list_entries_tests.rs
index 8b3f700..539dac2 100644
--- a/keystore2/tests/keystore2_client_list_entries_tests.rs
+++ b/keystore2/tests/keystore2_client_list_entries_tests.rs
@@ -12,19 +12,18 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use std::collections::HashSet;
-use std::fmt::Write;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
+use crate::keystore2_client_test_utils::{delete_all_entries, delete_app_key, verify_aliases};
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
KeyPermission::KeyPermission, ResponseCode::ResponseCode,
};
-
-use crate::keystore2_client_test_utils::{delete_all_entries, delete_app_key, verify_aliases};
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error, run_as};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use std::collections::HashSet;
+use std::fmt::Write;
/// Try to find a key with given key parameters using `listEntries` API.
fn key_alias_exists(
@@ -63,20 +62,19 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("list_entries_grant_key1_{}", getuid());
// Make sure there is no key exist with this `alias` in `SELINUX` domain and
// `SELINUX_SHELL_NAMESPACE` namespace.
if key_alias_exists(
- &keystore2,
+ &sl.keystore2,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
alias.to_string(),
) {
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -88,7 +86,7 @@
// Generate a key with above defined `alias`.
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -99,7 +97,7 @@
// Verify that above generated key entry is listed with domain SELINUX and
// namespace SELINUX_SHELL_NAMESPACE
assert!(key_alias_exists(
- &keystore2,
+ &sl.keystore2,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
alias,
@@ -107,7 +105,7 @@
// Grant a key with GET_INFO permission.
let access_vector = KeyPermission::GET_INFO.0;
- keystore2
+ sl.keystore2
.grant(&key_metadata.key, GRANTEE_UID.try_into().unwrap(), access_vector)
.unwrap();
})
@@ -121,13 +119,11 @@
Uid::from_raw(GRANTEE_UID),
Gid::from_raw(GRANTEE_GID),
move || {
- let keystore2 = get_keystore_service();
- let sec_level =
- keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("list_entries_success_key{}", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -137,7 +133,7 @@
// Make sure there is only one key entry exist and that should be the same key
// generated in this user context. Granted key shouldn't be included in this list.
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
assert_eq!(1, key_descriptors.len());
let key = key_descriptors.first().unwrap();
@@ -145,9 +141,9 @@
assert_eq!(key.nspace, GRANTEE_UID.try_into().unwrap());
assert_eq!(key.domain, Domain::APP);
- keystore2.deleteKey(&key_metadata.key).unwrap();
+ sl.keystore2.deleteKey(&key_metadata.key).unwrap();
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
assert_eq!(0, key_descriptors.len());
},
)
@@ -204,14 +200,13 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
if !key_descriptors.is_empty() {
key_descriptors.into_iter().map(|key| key.alias.unwrap()).for_each(|alias| {
- delete_app_key(&keystore2, &alias).unwrap();
+ delete_app_key(&sl.keystore2, &alias).unwrap();
});
}
@@ -223,8 +218,7 @@
write!(alias, "{}_{}", "X".repeat(6000), count).unwrap();
imported_key_aliases.insert(alias.clone());
- let result =
- key_generations::import_aes_key(&sec_level, Domain::APP, -1, Some(alias));
+ let result = key_generations::import_aes_key(&sl, Domain::APP, -1, Some(alias));
assert!(result.is_ok());
}
@@ -237,7 +231,7 @@
// list of key aliases
// - continue above steps till it cleanup all the imported keystore entries.
while !imported_key_aliases.is_empty() {
- let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
+ let key_descriptors = sl.keystore2.listEntries(Domain::APP, -1).unwrap();
// Check retrieved key entries list is a subset of imported keys list.
assert!(key_descriptors
@@ -246,7 +240,7 @@
// Delete the listed key entries from Keystore as well as from imported keys list.
key_descriptors.into_iter().map(|key| key.alias.unwrap()).for_each(|alias| {
- delete_app_key(&keystore2, &alias).unwrap();
+ delete_app_key(&sl.keystore2, &alias).unwrap();
assert!(imported_key_aliases.remove(&alias));
});
}
@@ -271,17 +265,16 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import 100 keys with aliases of length 6000.
let mut imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, "X".repeat(6000), 1..101).unwrap();
+ key_generations::import_aes_keys(&sl, "X".repeat(6000), 1..101).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
100,
"Error while importing keys"
);
@@ -290,7 +283,7 @@
let mut alias;
while !imported_key_aliases.is_empty() {
let key_descriptors =
- keystore2.listEntriesBatched(Domain::APP, -1, start_past_alias).unwrap();
+ sl.keystore2.listEntriesBatched(Domain::APP, -1, start_past_alias).unwrap();
// Check retrieved key entries list is a subset of imported keys list.
assert!(key_descriptors
@@ -306,9 +299,9 @@
}
assert!(imported_key_aliases.is_empty());
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
0,
"Error while doing cleanup"
);
@@ -339,25 +332,23 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import 3 keys with below aliases -
// [key_test_batch_list_1, key_test_batch_list_2, key_test_batch_list_3]
let imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 1..4)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 1..4).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
3,
"Error while importing keys"
);
// List all entries in keystore for this user-id.
- let key_descriptors = keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
+ let key_descriptors = sl.keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
assert_eq!(key_descriptors.len(), 3);
// Makes sure all listed aliases are matching with imported keys aliases.
@@ -370,20 +361,18 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Import another 5 keys with below aliases -
// [ key_test_batch_list_4, key_test_batch_list_5, key_test_batch_list_6,
// key_test_batch_list_7, key_test_batch_list_8 ]
let mut imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 4..9)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 4..9).unwrap();
// Above context already 3 keys are imported, in this context 5 keys are imported,
// total 8 keystore entries are expected to be present in Keystore for this user-id.
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
8,
"Error while importing keys"
);
@@ -391,7 +380,8 @@
// List keystore entries with `start_past_alias` as "key_test_batch_list_3".
// `listEntriesBatched` should list all the keystore entries with
// alias > "key_test_batch_list_3".
- let key_descriptors = keystore2
+ let key_descriptors = sl
+ .keystore2
.listEntriesBatched(Domain::APP, -1, Some("key_test_batch_list_3"))
.unwrap();
assert_eq!(key_descriptors.len(), 5);
@@ -403,7 +393,7 @@
// List all keystore entries with `start_past_alias` as `None`.
// `listEntriesBatched` should list all the keystore entries.
- let key_descriptors = keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
+ let key_descriptors = sl.keystore2.listEntriesBatched(Domain::APP, -1, None).unwrap();
assert_eq!(key_descriptors.len(), 8);
// Include previously imported keys aliases as well
@@ -416,9 +406,9 @@
.iter()
.all(|key| imported_key_aliases.contains(key.alias.as_ref().unwrap())));
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
0,
"Error while doing cleanup"
);
@@ -459,23 +449,23 @@
/// Test should successfully list the imported key.
#[test]
fn keystore2_list_entries_batched_with_selinux_domain_success() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "test_selinux_key_list_alias_batched";
- let _result = keystore2.deleteKey(&KeyDescriptor {
+ let _result = sl.keystore2.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
alias: Some(alias.to_string()),
blob: None,
});
- let initial_count = keystore2
+ let initial_count = sl
+ .keystore2
.getNumberOfEntries(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE)
.unwrap();
key_generations::import_aes_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -483,14 +473,15 @@
.unwrap();
assert_eq!(
- keystore2
+ sl.keystore2
.getNumberOfEntries(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE)
.unwrap(),
initial_count + 1,
"Error while getting number of keystore entries accessible."
);
- let key_descriptors = keystore2
+ let key_descriptors = sl
+ .keystore2
.listEntriesBatched(Domain::SELINUX, key_generations::SELINUX_SHELL_NAMESPACE, None)
.unwrap();
assert_eq!(key_descriptors.len(), (initial_count + 1) as usize);
@@ -499,7 +490,7 @@
key_descriptors.into_iter().map(|key| key.alias.unwrap()).filter(|a| a == alias).count();
assert_eq!(count, 1);
- keystore2
+ sl.keystore2
.deleteKey(&KeyDescriptor {
domain: Domain::SELINUX,
nspace: key_generations::SELINUX_SHELL_NAMESPACE,
@@ -522,11 +513,10 @@
// SAFETY: The test is run in a separate process with no other threads.
unsafe {
run_as::run_as(CLIENT_CTX, Uid::from_raw(CLIENT_UID), Gid::from_raw(CLIENT_GID), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
// Make sure there are no keystore entries exist before adding new entries.
- delete_all_entries(&keystore2);
+ delete_all_entries(&sl.keystore2);
// Import keys with below mentioned aliases -
// [
@@ -542,48 +532,49 @@
// key_test_batch_list_22,
// ]
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 1..6)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 1..6).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
5,
"Error while importing keys"
);
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 10..13)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 10..13).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
8,
"Error while importing keys"
);
let _imported_key_aliases =
- key_generations::import_aes_keys(&sec_level, ALIAS_PREFIX.to_string(), 21..23)
- .unwrap();
+ key_generations::import_aes_keys(&sl, ALIAS_PREFIX.to_string(), 21..23).unwrap();
assert_eq!(
- keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
+ sl.keystore2.getNumberOfEntries(Domain::APP, -1).unwrap(),
10,
"Error while importing keys"
);
// List the aliases using given `startingPastAlias` and verify the listed
// aliases with the expected list of aliases.
- verify_aliases(&keystore2, Some(format!("{}{}", ALIAS_PREFIX, "_5").as_str()), vec![]);
+ verify_aliases(
+ &sl.keystore2,
+ Some(format!("{}{}", ALIAS_PREFIX, "_5").as_str()),
+ vec![],
+ );
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_4").as_str()),
vec![ALIAS_PREFIX.to_owned() + "_5"],
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_3").as_str()),
vec![ALIAS_PREFIX.to_owned() + "_4", ALIAS_PREFIX.to_owned() + "_5"],
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_2").as_str()),
vec![
ALIAS_PREFIX.to_owned() + "_21",
@@ -595,7 +586,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(format!("{}{}", ALIAS_PREFIX, "_1").as_str()),
vec![
ALIAS_PREFIX.to_owned() + "_10",
@@ -611,7 +602,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
Some(ALIAS_PREFIX),
vec![
ALIAS_PREFIX.to_owned() + "_1",
@@ -628,7 +619,7 @@
);
verify_aliases(
- &keystore2,
+ &sl.keystore2,
None,
vec![
ALIAS_PREFIX.to_owned() + "_1",
diff --git a/keystore2/tests/keystore2_client_operation_tests.rs b/keystore2/tests/keystore2_client_operation_tests.rs
index 89b5a31..95888a6 100644
--- a/keystore2/tests/keystore2_client_operation_tests.rs
+++ b/keystore2/tests/keystore2_client_operation_tests.rs
@@ -12,27 +12,24 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use std::thread;
-use std::thread::JoinHandle;
-
+use crate::keystore2_client_test_utils::{
+ create_signing_operation, execute_op_run_as_child, perform_sample_sign_operation,
+ BarrierReached, ForcedOp, TestOutcome,
+};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
+ Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose,
};
use android_system_keystore2::aidl::android::system::keystore2::{
CreateOperationResponse::CreateOperationResponse, Domain::Domain,
IKeystoreOperation::IKeystoreOperation, ResponseCode::ResponseCode,
};
-
use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
+ authorizations, key_generations, key_generations::Error, run_as, SecLevel,
};
-
-use crate::keystore2_client_test_utils::{
- create_signing_operation, execute_op_run_as_child, perform_sample_sign_operation,
- BarrierReached, ForcedOp, TestOutcome,
-};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use std::thread;
+use std::thread::JoinHandle;
/// Create `max_ops` number child processes with the given context and perform an operation under each
/// child process.
@@ -312,11 +309,10 @@
child_handle.recv();
// Generate a key to use in below operations.
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_prune_op_test_key_{}", getuid());
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias),
@@ -327,7 +323,7 @@
// Create multiple operations in this process to trigger cannibalizing sibling operations.
let mut ops: Vec<binder::Result<CreateOperationResponse>> = (0..MAX_OPS)
.map(|_| {
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
@@ -353,7 +349,7 @@
// Create a new operation, it should trigger to cannibalize one of their own sibling
// operations.
ops.push(
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new()
.purpose(KeyPurpose::SIGN)
diff --git a/keystore2/tests/keystore2_client_rsa_key_tests.rs b/keystore2/tests/keystore2_client_rsa_key_tests.rs
index ad176a4..1559008 100644
--- a/keystore2/tests/keystore2_client_rsa_key_tests.rs
+++ b/keystore2/tests/keystore2_client_rsa_key_tests.rs
@@ -12,20 +12,14 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use crate::keystore2_client_test_utils::{delete_app_key, perform_sample_sign_operation, ForcedOp};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Digest::Digest, ErrorCode::ErrorCode, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreSecurityLevel::IKeystoreSecurityLevel,
};
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error,
-};
-
-use crate::keystore2_client_test_utils::{delete_app_key, perform_sample_sign_operation, ForcedOp};
+use keystore2_test_utils::{authorizations, key_generations, key_generations::Error, SecLevel};
/// This macro is used for creating signing key operation tests using digests and paddings
/// for various key sizes.
@@ -77,7 +71,7 @@
/// Generate a RSA key and create an operation using the generated key.
fn create_rsa_key_and_operation(
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
domain: Domain,
nspace: i64,
alias: Option<String>,
@@ -86,7 +80,7 @@
forced_op: ForcedOp,
) -> binder::Result<CreateOperationResponse> {
let key_metadata =
- key_generations::generate_rsa_key(sec_level, domain, nspace, alias, key_params, None)?;
+ key_generations::generate_rsa_key(sl, domain, nspace, alias, key_params, None)?;
let mut op_params = authorizations::AuthSetBuilder::new().purpose(op_purpose);
@@ -103,7 +97,7 @@
op_params = op_params.block_mode(value)
}
- sec_level.createOperation(&key_metadata.key, &op_params, forced_op.0)
+ sl.binder.createOperation(&key_metadata.key, &op_params, forced_op.0)
}
/// Generate RSA signing key with given parameters and perform signing operation.
@@ -113,11 +107,10 @@
alias: &str,
padding: PaddingMode,
) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let op_response = create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -143,17 +136,16 @@
))
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate RSA signing key with given parameters and try to perform signing operation.
/// Error `INCOMPATIBLE_DIGEST | UNKNOWN_ERROR` is expected while creating an opearation.
fn perform_rsa_sign_key_op_failure(digest: Digest, alias: &str, padding: PaddingMode) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -176,7 +168,7 @@
e == Error::Km(ErrorCode::UNKNOWN_ERROR) || e == Error::Km(ErrorCode::INCOMPATIBLE_DIGEST)
);
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
/// Generate RSA encrypt/decrypt key with given parameters and perform decrypt operation.
@@ -187,11 +179,10 @@
padding: PaddingMode,
mgf_digest: Option<Digest>,
) {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let result = create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -210,7 +201,7 @@
assert!(result.is_ok());
- delete_app_key(&keystore2, alias).unwrap();
+ delete_app_key(&sl.keystore2, alias).unwrap();
}
// Below macros generate tests for generating RSA signing keys with -
@@ -1533,12 +1524,11 @@
/// `INCOMPATIBLE_DIGEST` error code.
#[test]
fn keystore2_rsa_generate_signing_key_padding_pss_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_pss_none_key_op_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1565,12 +1555,11 @@
/// with an error code `INCOMPATIBLE_DIGEST`.
#[test]
fn keystore2_rsa_generate_key_with_oaep_padding_fail() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_oaep_padding_fail_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1596,12 +1585,11 @@
/// `UNSUPPORTED_PADDING_MODE`.
#[test]
fn keystore2_rsa_generate_keys() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_unsupport_padding_test";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1625,12 +1613,11 @@
/// `INCOMPATIBLE_PURPOSE` is expected as the generated key doesn't support sign operation.
#[test]
fn keystore2_rsa_encrypt_key_op_invalid_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_test_key_1";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1654,12 +1641,11 @@
/// `INCOMPATIBLE_PURPOSE` is expected as the generated key doesn't support decrypt operation.
#[test]
fn keystore2_rsa_sign_key_op_invalid_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_test_key_2";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1683,12 +1669,11 @@
/// generated key, an error `UNSUPPORTED_PURPOSE` is expected as RSA doesn't support AGREE_KEY.
#[test]
fn keystore2_rsa_key_unsupported_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_3";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1713,14 +1698,13 @@
/// mode.
#[test]
fn keystore2_rsa_encrypt_key_unsupported_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let paddings = [PaddingMode::RSA_PKCS1_1_5_SIGN, PaddingMode::RSA_PSS];
for padding in paddings {
let alias = format!("ks_rsa_encrypt_key_unsupported_pad_test{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1746,14 +1730,13 @@
/// unsupported padding mode.
#[test]
fn keystore2_rsa_signing_key_unsupported_padding() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let paddings = [PaddingMode::RSA_PKCS1_1_5_ENCRYPT, PaddingMode::RSA_OAEP];
for padding in paddings {
let alias = format!("ks_rsa_sign_key_unsupported_pad_test_4_{}", padding.0);
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1779,12 +1762,11 @@
/// with RSA key.
#[test]
fn keystore2_rsa_key_unsupported_op() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_5";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1810,12 +1792,11 @@
/// generated with decrypt purpose.
#[test]
fn keystore2_rsa_key_missing_purpose() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_test_6";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1840,12 +1821,11 @@
/// operation with generated key, unsupported digest error is expected.
#[test]
fn keystore2_rsa_gen_keys_with_oaep_paddings_without_digest() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_padding_fail";
let result = key_generations::map_ks_error(create_rsa_key_and_operation(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
@@ -1869,12 +1849,11 @@
/// Generate RSA keys with unsupported key size, an error `UNSUPPORTED_KEY_SIZE` is expected.
#[test]
fn keystore2_rsa_gen_keys_unsupported_size() {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = "ks_rsa_key_padding_fail";
let result = key_generations::map_ks_error(key_generations::generate_rsa_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias.to_string()),
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 7534da3..d4ca2ae 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -12,12 +12,22 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ BlockMode::BlockMode, Digest::Digest, ErrorCode::ErrorCode,
+ KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ Tag::Tag,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+ CreateOperationResponse::CreateOperationResponse, Domain::Domain,
+ IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
+ IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
+ KeyParameters::KeyParameters, ResponseCode::ResponseCode,
+};
+use binder::wait_for_interface;
+use keystore2_test_utils::{
+ authorizations, key_generations, key_generations::Error, run_as, SecLevel,
+};
use nix::unistd::{Gid, Uid};
-use serde::{Deserialize, Serialize};
-
-use std::path::PathBuf;
-use std::process::{Command, Output};
-
use openssl::bn::BigNum;
use openssl::encrypt::Encrypter;
use openssl::error::ErrorStack;
@@ -28,26 +38,10 @@
use openssl::rsa::Padding;
use openssl::sign::Verifier;
use openssl::x509::X509;
-
-use binder::wait_for_interface;
-
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- BlockMode::BlockMode, Digest::Digest, ErrorCode::ErrorCode,
- KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
- SecurityLevel::SecurityLevel, Tag::Tag,
-};
-use android_system_keystore2::aidl::android::system::keystore2::{
- CreateOperationResponse::CreateOperationResponse, Domain::Domain,
- IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
- IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor, KeyMetadata::KeyMetadata,
- KeyParameters::KeyParameters, ResponseCode::ResponseCode,
-};
-
use packagemanager_aidl::aidl::android::content::pm::IPackageManagerNative::IPackageManagerNative;
-
-use keystore2_test_utils::{
- authorizations, get_keystore_service, key_generations, key_generations::Error, run_as,
-};
+use serde::{Deserialize, Serialize};
+use std::path::PathBuf;
+use std::process::{Command, Output};
/// This enum is used to communicate between parent and child processes.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
@@ -70,8 +64,9 @@
pub const SAMPLE_PLAIN_TEXT: &[u8] = b"my message 11111";
pub const PACKAGE_MANAGER_NATIVE_SERVICE: &str = "package_native";
-pub const APP_ATTEST_KEY_FEATURE: &str = "android.hardware.keystore.app_attest_key";
-pub const DEVICE_ID_ATTESTATION_FEATURE: &str = "android.software.device_id_attestation";
+const APP_ATTEST_KEY_FEATURE: &str = "android.hardware.keystore.app_attest_key";
+const DEVICE_ID_ATTESTATION_FEATURE: &str = "android.software.device_id_attestation";
+const STRONGBOX_KEYSTORE_FEATURE: &str = "android.hardware.strongbox_keystore";
/// Determines whether app_attest_key_feature is supported or not.
pub fn app_attest_key_feature_exists() -> bool {
@@ -89,6 +84,15 @@
pm.hasSystemFeature(DEVICE_ID_ATTESTATION_FEATURE, 0).expect("hasSystemFeature failed.")
}
+/// Determines whether device-unique attestation might be supported by StrongBox.
+pub fn skip_device_unique_attestation_tests() -> bool {
+ let pm = wait_for_interface::<dyn IPackageManagerNative>(PACKAGE_MANAGER_NATIVE_SERVICE)
+ .expect("Failed to get package manager native service.");
+
+ // Device unique attestation was first included in Keymaster 4.1.
+ !pm.hasSystemFeature(STRONGBOX_KEYSTORE_FEATURE, 41).expect("hasSystemFeature failed.")
+}
+
/// Determines whether to skip device id attestation tests on GSI build with API level < 34.
pub fn skip_device_id_attest_tests() -> bool {
// b/298586194, there are some devices launched with Android T, and they will be receiving
@@ -130,9 +134,9 @@
}
#[macro_export]
-macro_rules! skip_tests_if_keymaster_impl_present {
- () => {
- if !key_generations::has_default_keymint() {
+macro_rules! require_keymint {
+ ($sl:ident) => {
+ if !$sl.is_keymint() {
return;
}
};
@@ -141,19 +145,18 @@
/// Generate EC key and grant it to the list of users with given access vector.
/// Returns the list of granted keys `nspace` values in the order of given grantee uids.
pub fn generate_ec_key_and_grant_to_users(
- keystore2: &binder::Strong<dyn IKeystoreService>,
- sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ sl: &SecLevel,
alias: Option<String>,
grantee_uids: Vec<i32>,
access_vector: i32,
) -> Result<Vec<i64>, binder::Status> {
let key_metadata =
- key_generations::generate_ec_p256_signing_key(sec_level, Domain::APP, -1, alias, None)?;
+ key_generations::generate_ec_p256_signing_key(sl, Domain::APP, -1, alias, None)?;
let mut granted_keys = Vec::new();
for uid in grantee_uids {
- let granted_key = keystore2.grant(&key_metadata.key, uid, access_vector)?;
+ let granted_key = sl.keystore2.grant(&key_metadata.key, uid, access_vector)?;
assert_eq!(granted_key.domain, Domain::GRANT);
granted_keys.push(granted_key.nspace);
}
@@ -171,14 +174,12 @@
nspace: i64,
alias: Option<String>,
) -> binder::Result<CreateOperationResponse> {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata =
- key_generations::generate_ec_p256_signing_key(&sec_level, domain, nspace, alias, None)
- .unwrap();
+ key_generations::generate_ec_p256_signing_key(&sl, domain, nspace, alias, None).unwrap();
- sec_level.createOperation(
+ sl.binder.createOperation(
&key_metadata.key,
&authorizations::AuthSetBuilder::new().purpose(op_purpose).digest(op_digest),
forced_op.0,
diff --git a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
index d9576a8..e25e52a 100644
--- a/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
+++ b/keystore2/tests/keystore2_client_update_subcomponent_tests.rs
@@ -12,9 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
ErrorCode::ErrorCode, SecurityLevel::SecurityLevel,
};
@@ -22,8 +19,11 @@
Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
ResponseCode::ResponseCode,
};
-
-use keystore2_test_utils::{get_keystore_service, key_generations, key_generations::Error, run_as};
+use keystore2_test_utils::{
+ get_keystore_service, key_generations, key_generations::Error, run_as, SecLevel,
+};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
/// Generate a key and update its public certificate and certificate chain. Test should be able to
/// load the key and able to verify whether its certificate and cert-chain are updated successfully.
@@ -31,11 +31,10 @@
fn keystore2_update_subcomponent_success() {
let alias = "update_subcomponent_success_key";
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::SELINUX,
key_generations::SELINUX_SHELL_NAMESPACE,
Some(alias.to_string()),
@@ -46,11 +45,11 @@
let other_cert: [u8; 32] = [123; 32];
let other_cert_chain: [u8; 32] = [12; 32];
- keystore2
+ sl.keystore2
.updateSubcomponent(&key_metadata.key, Some(&other_cert), Some(&other_cert_chain))
.expect("updateSubcomponent should have succeeded.");
- let key_entry_response = keystore2.getKeyEntry(&key_metadata.key).unwrap();
+ let key_entry_response = sl.keystore2.getKeyEntry(&key_metadata.key).unwrap();
assert_eq!(Some(other_cert.to_vec()), key_entry_response.metadata.certificate);
assert_eq!(Some(other_cert_chain.to_vec()), key_entry_response.metadata.certificateChain);
}
@@ -170,13 +169,12 @@
// SAFETY: The test is run in a separate process with no other threads.
let mut granted_keys = unsafe {
run_as::run_as(GRANTOR_SU_CTX, Uid::from_raw(0), Gid::from_raw(0), || {
- let keystore2 = get_keystore_service();
- let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
+ let sl = SecLevel::tee();
let alias = format!("ks_update_subcompo_test_1_{}", getuid());
let mut granted_keys = Vec::new();
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::APP,
-1,
Some(alias),
@@ -186,7 +184,8 @@
// Grant a key without update permission.
let access_vector = KeyPermission::GET_INFO.0;
- let granted_key = keystore2
+ let granted_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_1_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(granted_key.domain, Domain::GRANT);
@@ -194,7 +193,8 @@
// Grant a key with update permission.
let access_vector = KeyPermission::GET_INFO.0 | KeyPermission::UPDATE.0;
- let granted_key = keystore2
+ let granted_key = sl
+ .keystore2
.grant(&key_metadata.key, GRANTEE_2_UID.try_into().unwrap(), access_vector)
.unwrap();
assert_eq!(granted_key.domain, Domain::GRANT);
diff --git a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
index 3be99ee..11a4c0b 100644
--- a/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
+++ b/keystore2/tests/legacy_blobs/keystore2_legacy_blob_tests.rs
@@ -12,35 +12,26 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-use nix::unistd::{getuid, Gid, Uid};
-use rustutils::users::AID_USER_OFFSET;
-use serde::{Deserialize, Serialize};
-
-use std::ops::Deref;
-use std::path::PathBuf;
-
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel;
-
-use android_system_keystore2::aidl::android::system::keystore2::{
- Domain::Domain, KeyDescriptor::KeyDescriptor,
-};
-
-use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
-
use android_security_authorization::aidl::android::security::authorization::{
IKeystoreAuthorization::IKeystoreAuthorization,
};
-
+use android_security_maintenance::aidl::android::security::maintenance::IKeystoreMaintenance::IKeystoreMaintenance;
+use android_system_keystore2::aidl::android::system::keystore2::{
+ Domain::Domain, KeyDescriptor::KeyDescriptor,
+};
use keystore2::key_parameter::KeyParameter as KsKeyparameter;
use keystore2::legacy_blob::test_utils::legacy_blob_test_vectors::*;
use keystore2::legacy_blob::test_utils::*;
use keystore2::legacy_blob::LegacyKeyCharacteristics;
use keystore2::utils::AesGcm;
use keystore2_crypto::{Password, ZVec};
-
-use keystore2_test_utils::get_keystore_service;
-use keystore2_test_utils::key_generations;
-use keystore2_test_utils::run_as;
+use keystore2_test_utils::{get_keystore_service, key_generations, run_as, SecLevel};
+use nix::unistd::{getuid, Gid, Uid};
+use rustutils::users::AID_USER_OFFSET;
+use serde::{Deserialize, Serialize};
+use std::ops::Deref;
+use std::path::PathBuf;
static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance";
static AUTH_SERVICE_NAME: &str = "android.security.authorization";
@@ -160,15 +151,12 @@
println!("onUserRemoved error: {:#?}", e);
}
}
+ let sl = SecLevel::tee();
- let keystore2 = get_keystore_service();
- let sec_level = keystore2
- .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
- .unwrap();
// Generate Key BLOB and prepare legacy keystore blob files.
let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,
@@ -412,14 +400,11 @@
}
}
- let keystore2 = get_keystore_service();
- let sec_level = keystore2
- .getSecurityLevel(SecurityLevel::SecurityLevel::TRUSTED_ENVIRONMENT)
- .unwrap();
+ let sl = SecLevel::tee();
// Generate Key BLOB and prepare legacy keystore blob files.
let att_challenge: Option<&[u8]> = if rkp_only() { None } else { Some(b"foo") };
let key_metadata = key_generations::generate_ec_p256_signing_key(
- &sec_level,
+ &sl,
Domain::BLOB,
SELINUX_SHELL_NAMESPACE,
None,