Adding key agreement [AGREE_KEY] tests.
1. Verify that key agreement works with curves `P_224, P_256, P_384 and
P_521`. Test should generate KeyMint EC key with purpose `AGREE_KEY`
and OpenSSL EC key with same curve as KeyMint key. Perform local ECDH
between these two keys and verify that derived secrets are the same.
2. Verify that key agreement works with CURVE_25519 curve.
Test should generate KeyMint EC-CURVE_25519 key with purpose
`AGREE_KEY` and OpenSSL EC key with same curve as KeyMint key.
Perform local ECDH between these two keys and verify that derived
secrets are the same.
3. Verify that key agreement doesn't work when EC keys are using
different curves. Generate a KeyMine EC key using P_256 curve and
OpenSSL EC key using CURVE_25519. Try to perform a local ECDH between
these keys and operation should fail with `INVALID_ARGUMENT` error
code.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I3da7af09908d6828ad617c833469bbd786b09e8f
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index f9aaabb..e4c4968 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -1047,3 +1047,38 @@
transport_key,
)
}
+
+/// Generate EC key with purpose AGREE_KEY.
+pub fn generate_ec_agree_key(
+ sec_level: &binder::Strong<dyn IKeystoreSecurityLevel>,
+ ec_curve: EcCurve,
+ digest: Digest,
+ domain: Domain,
+ nspace: i64,
+ alias: Option<String>,
+) -> binder::Result<KeyMetadata> {
+ let gen_params = AuthSetBuilder::new()
+ .no_auth_required()
+ .algorithm(Algorithm::EC)
+ .purpose(KeyPurpose::AGREE_KEY)
+ .digest(digest)
+ .ec_curve(ec_curve);
+
+ match sec_level.generateKey(
+ &KeyDescriptor { domain, nspace, alias, blob: None },
+ None,
+ &gen_params,
+ 0,
+ b"entropy",
+ ) {
+ Ok(key_metadata) => {
+ assert!(key_metadata.certificate.is_some());
+ if domain == Domain::BLOB {
+ assert!(key_metadata.key.blob.is_some());
+ }
+
+ Ok(key_metadata)
+ }
+ Err(e) => Err(e),
+ }
+}